Cryptographic algorithms provide classes of encryption and decryption schemes for securing data. Encryption is often implemented with a block cipher, e.g., the Advanced Encryption Standard (AES), in which data is partitioned into fixed-size blocks (typically 128 bits), and each ciphertext block is decrypted with a decryption key. The internal implementation of a block cipher is typically divided into multiple rounds per ciphertext block, where each round uses an expanded round key that is derived from the encryption key (e.g., AES-256 uses 14 rounds per ciphertext block). In one common mode of operation, the block cipher is used in the NIST Counter Mode, where the value of an incrementing counter is encrypted to create keystream blocks, and those keystream blocks are combined (e.g., XORed) with plaintext blocks to generate the corresponding ciphertext blocks.
Commonly-assigned U.S. Pat. Nos. 5,768,372 and 5,915,017, each of which is hereby incorporated by reference herein in its respective entirety, describe the encryption of configuration data stored in nonvolatile storage and its decryption upon loading into a programmable device, including provision of an indicator to signal to the decryption circuit which of several possible encryption/decryption schemes was used to encrypt the configuration data and therefore should be used to decrypt the configuration data.
Someone intent on changing the operation of an integrated circuit without authorization may achieve his or her goal by substituting different programming of the integrated circuit. As merely one example, an attacker may replace or reprogram storage containing data for configuring at least parts of a programmable device. This may result in the programmable device loading unauthorized configuration data on its next power-up event. Programmable devices are frequently reconfigurable or partially reconfigurable during normal operation, so it may even be possible for the attacker to illicitly replace the configuration data in the storage and cause a reconfiguration without a power-up event.
To prevent such attacks, configuration data may be authenticated by inclusion of an authentication tag. The authentication tag may be based on a private authentication key that, in some cases, is programmed into the device. For example, the authentication tag could be generated with a known NIST HMAC algorithm based on a NIST SHA2 hash function. The device may then use its programmed private authentication key and the same authentication algorithm, e.g., HMAC, to verify that the authentication tag in the configuration data is valid, and thereby confirm that the configuration bitstream has not been tampered with.
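The authentication step described above, written out as an added example (not code from the patent): the loader prefixes a scheme indicator and length to the configuration data, appends an HMAC-SHA256 tag over both, and the device recomputes the tag with its programmed key before accepting the bitstream. The scheme value, field layout, key and bitstream bytes are constructed placeholders.

```python
import hmac
import hashlib
import struct

# Hypothetical scheme indicator and header layout (not from the patent):
# 1-byte scheme id, 4-byte big-endian length, then data, then a 32-byte tag.
SCHEME_HMAC_SHA256 = 1
HEADER_LEN = 5
TAG_LEN = 32

def build_authenticated_bitstream(config_data: bytes, auth_key: bytes) -> bytes:
    """Producer side: header + data, followed by HMAC-SHA256 over header + data."""
    header = struct.pack(">BI", SCHEME_HMAC_SHA256, len(config_data))
    body = header + config_data
    tag = hmac.new(auth_key, body, hashlib.sha256).digest()
    return body + tag

def verify_bitstream(image: bytes, auth_key: bytes):
    """Device side: return the configuration data if the tag verifies, else None."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return None                      # too short to carry header and tag
    scheme, length = struct.unpack(">BI", image[:HEADER_LEN])
    if scheme != SCHEME_HMAC_SHA256 or len(image) != HEADER_LEN + length + TAG_LEN:
        return None                      # unknown scheme or length mismatch
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    # Constant-time comparison so the tag check itself does not leak timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return image[HEADER_LEN:HEADER_LEN + length]

# Constructed demo values; a real device key is provisioned, never hard-coded.
DEMO_KEY = b"constructed-demo-key-not-a-real-device-key"
DEMO_CONFIG = b"\xAA\x55" * 16

def demo():
    """Returns (valid image accepted, one-bit tamper rejected)."""
    image = build_authenticated_bitstream(DEMO_CONFIG, DEMO_KEY)
    accepted = verify_bitstream(image, DEMO_KEY) == DEMO_CONFIG
    tampered = bytearray(image)
    tampered[HEADER_LEN] ^= 0x01         # flip one bit of the configuration data
    rejected = verify_bitstream(bytes(tampered), DEMO_KEY) is None
    return accepted, rejected
```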
One problem with this approach, however, is that an attacker may be able to extract the programmed authentication key from the device, and then generate a valid authentication tag for an unauthorized configuration bitstream. The attacker may extract the authentication key using various side-channel analysis (SCA) techniques, for example, by applying statistical analysis to side-channel information emitted from the device, such as power-supply fluctuations or electromagnetic emanations. Once the attacker is able to extract sufficient information about the internal state of the authentication process, he or she can mount attacks by spoofing authentication tags. An illustrative attack against HMAC authentication is described in McEvoy, R. P., Tunstall, M., Murphy, C., and Marnane, W., “Differential Power Analysis of HMAC based on SHA-2, and Countermeasures,” WISA 07: 8th International Workshop on Information Security.