Programmable devices are well known. In one class of known PLDs, each device has a large number of logic gates, and a user programs the device to assume a particular configuration of those logic gates, typically by receiving configuration data from a configuration device. Configuration data has become increasingly complex in modern PLDs. As such, proprietary configuration data for various commonly-used functions (frequently referred to as “intellectual property cores”) have been sold either by device manufacturers or third parties, freeing the original customer from having to program those functions on its own. If a party provides such proprietary configuration data, it may want to protect this data from being read, as well as any internal data that may reveal the configuration data.
Commonly-assigned U.S. Pat. Nos. 5,768,372, and 5,915,017, each of which is hereby incorporated by reference herein in its respective entirety, describe the encryption of the configuration data and its decryption upon loading into the programmable device, including provision of an indicator to signal to the decryption circuit which of several possible encryption/decryption schemes was used to encrypt the configuration data and therefore should be used to decrypt the configuration data. Commonly-assigned U.S. Pat. No. 7,479,798, which is hereby incorporated by reference herein in its entirety, describes a disabling element that can be used to selectively disable a reading of a data from a device.
Cryptographic algorithms may provide one or more classes of encryption/decryption schemes for securing the configuration data. However, these cryptographic algorithms may be vulnerable to specific kinds of attacks. One type of attack on an encryption/decryption cryptographic system in a device is known as a power analysis attack. This approach involves observing the power consumption of the device while it is executing a cryptographic algorithm. An attacker can combine the data derived from observing the power consumption of the device with the knowledge of the specific operations that are executed during the cryptographic algorithm, and thereby deduce information about keys and other secret data of the cryptographic algorithm.
One type of power analysis attack is known as a Differential Power Analysis (“DPA”) (see, for example, “Introduction to Differential Power Analysis and Related Attacks”, by Paul Kocher et al., of Cryptography Research, San Francisco, Calif., copyright 1998, reprinted at web site: www.cryptography.com). DPA involves observing the power consumption of a device while it executes cryptographic operations for a large number of varying inputs. By collecting and statistically correlating data from these multiple observations, an attacker can derive secret information for the cryptographic operations carried out by the device.
Different elements of a cryptographic algorithm may be particularly vulnerable to DPA attacks. For example, key scheduling routines, used for generating multiple sub-keys for multiple cryptographic rounds from a secret cipher key may be especially vulnerable in this regard, given that these routines manipulate the cipher key in a known way. In addition, substitution tables (also referred to as substitution boxes or “S-boxs”), which are common in cryptographic algorithms and often implemented as look up tables, may also be vulnerable to DPA attacks. Also, the initial round of encryption or final round of decryption of some cryptographic algorithms may be particularly vulnerable to DPA attacks, because they may only involve key manipulation without modification of plaintext or ciphertext.