Breaking the Anti-Counterfeiting Scheme of FPGAs (known as bitstream encryption)
The bitstream encryption feature of Xillinx FPGAs allows users to protect their designs from being copied, altered or reversed engineered. To achieve this goal, the configuration file that is loaded into the device at powere-up is stored inside the external configuration memory in an encrypted form. The encrypted file will then be read by the FPGA and internally decrypted. The secret decryption key is stored in a special battery-powered memory area of the FPGA. Removal of the battery will result in a loss of the secret key. To use the bitstream encryption, Xillinx design tools offer features to generate an encrypted bitstream with corresponding keyfile and allow to program them into the FPGA. The secret key used for encryption/decryption can be selected by the user.
We analyzed the security of this protection mechanism and found that it can be circumvented by means of side-channel analysis. This class of methods analyze the power consumption of an electronic device to obtain insights of the internally processed data. In this case we employed a differential power analysis, or DPA, attack to extract the secret key that is used to decrypt the bitstream inside the FPGA during configuration.
It is important to note the difference between the bitstream encryption, which is a hardwired feature of the FPGA device which can not be used by a designer for any other purpose, and a cipher implemented on the FPGA fabric by a developer. The former one can not be modified and changed by anyone else than the hardware manufacturerer (i.e., Xillinx Inc.), while responsibility for the security of the latter one is with the FPGA designer.
We consider our attacks to be of serious interest to everyone who is responsible to ensure protection of valuable IP and sensitive secrets within FPGAs. Hardware manufacturers and users need to be aware of these attacks to find solutions to protect themselves from IP theft and security breaks.
- November 28, 2011: Website launched
This website has been launched.
- October 27, 2011: Virtex-4 Virtex-5 paper at CT-RSA 2012
Our paper „Black-Box Side-Channel Attacks Highlight the Importance of Countermeasures – An Analysis of the Xilinx Virtex-4 and Virtex-5 Bitstream Encryption Mechanism“ got accepted at the cryptographers‘ track at the RSA conference 2012 and will be presented in San Francisco in February 2012.
- November 7, 2011: Successful attack on SPARTAN-6
We have successfully performed our attack on bitstream encryption module of Spartan-6. We accordingly have updated our short summary „eprint“ report.
- July 20, 2011: Successful attacks on Virtex-4 and Virtex-5
As a follow-up work, we have broken the bitstream encryption mechanism of Virtex-4 and Virtex-5. A short summary report is available in eprint server: „On the Portability of Side-Channel Attacks – An Analysis of the Xilinx Virtex 4 and Virtex 5 Bitstream Encryption Mechanism„.
- July 17, 2011: Virtex-II pro paper at ACM-CCS 2011
Our paper „On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from xilinx Virtex-II FPGAs“ got accepted at the 18th ACM Conference on Computer and Communications Security, CCS 2011 and will be presented in Chicago in October 2011.
- July 15, 2011: Scientific paper on breaking bitstream encryption released
A paper describing the scientific aspects of our attacks has been published on the eprint server.
On the Vulnerability of FPGA Bitstream Encryption against Power Analysis Attacks – Extracting Keys from Xilinx Virtex-II FPGAs
- January 16, 2011
We succeeded with recovering the secret key used in bitstream encryption of Virtex-II pro FPGAs of Xilinx. We informed Xilinx about our findings.