Physical Cryptanalysis

Breaking the Anti-Counterfeiting Scheme of FPGAs (known as bitstream encryption)

Frequently asked questions about breaking bitstream encryption. This page is subject to frequent changes.

FAQ

Attacks

Q: What is bitstream encryption and for what purpose is it used?
A: Bitstream encryption is a feature of some modern Xillinx FPGAs, which allows the user to encrypt the FPGAs configuration. Without bitstream encryption the configuration of the FPGA can be eavesdropped by monitoring the communication between configuration ROM and FPGA during the process of configuration. The feature ensures, that the configuration data is transmitted only in encrypted form. Thus it denies attacks such as cloning of devices or stealing and reverse-engineering the bitstream.

Q: How difficult is the attack?
A: Adversaries with basic knowledge about differential power analysis and cyptography will need 4-6 months to deveop the expertise to perform the attack. For a decent side-channel specialist this attack can be performed within a few weeks or even in a few days. Once the attack has been implemented, it is a matter of hours to attack additional devices. We believe that our current method can still be improved, so that an FPGA bitstream can be broken within minutes soon.

Q: How does this attack effect my FPGA application?
A: Your FPGA application itself is not effected at all, unless it relies on the secrecy of the bitstream, as it, e.g., contains secret cryptographic keys. Our analysis targets only the bitstream encryption feature by Xillinx itself, which is a crypto implementation embedded in modern Xillinx FPGA series in order to protect the bitstream. We do not target the application running inside the device after configuration. This implies that our analyses explicitely exclude an evaluation of the side-channel security of third-party crypto implementations.

Q: On which devices does your attack work?
A: Our attack targets the bitstream encryption of Xillinx FPGAs. We applied our attacks to Virtex II Pro, Virtex 4, Virtex 5 and Spartan 6 FPGAs. Nevertheless we believe that our attacks will also work on more recent devices. We will update this list as soon as we analyzed additional devices.

Q: Should I select another manufacturer’s FPGAs to get a better IP protection?
A: We only analyzed the IP-protection security feature of the market leader Xillinx. Here we found, that it cannot provide sufficient protection against real-world attacks. To judge other manufacturers solutions, one needs to carefully evaluate them, what we have not done. Thus regarding the security of the IP protection schemes of other manufacturers we can only state that the fact that they have not been publicly analyzed doesn’t mean they provide a better security.

Q: How does this attack effect the protection of my intellectual property?
A: There are three options. If you did not use one of the effected devices (see above) this attack has no impact on your IP. In case you use one of the effected devices (see above) without using the bitstream encryption feature, the security of your IP will also not be effected by our analysis. This does not mean it is secure, but rather that it has not been protected before at all. Finally, if you use one of the effected devices and protected the configuration by means of Xillinx’s bitstream encryption our analysis covers your use case. We have shown that a decent attacker can decrypt your configuration with medium efforts. Note that our attack did not lower the level of bitstream security in Xillinx FPGAs. In fact we only documented an vulnerability that already existed for many years.

Q: What can an attacker do with a decrypted bitstream?
A: The most probable scenario of bitstream theft is device cloning. An attacker could use the decrypted bitstream to program FPGAs of his own, either for product piracy or to embed your IP into his own products. It is also possible that the bitstreams are modified and/or reverse engineered to steal technical developments, embed malicious hardware or modify, e.g., internal keys. It is also possible to read out the content of internal memories by analyzing bitstreams.

Q: Isn’t it irresponsible to do research on security weaknesses?
A: No! Trying to analyse security system and to publish those results has been the central rule of the scientific community in the field of cryptography for more than 30 years. It is the daily work of 1000s of scientist worldwide – most of them at universities but quite a few also in industry – to find weaknesses in security systems and to publish those findings. Why are they doing this? Time has shown over and over again that the only way to build truly secure systems is to have them analized by outsiders. „Analyzed“ means, of course, trying to break them. Otherwise consumers and companies who use security systems will never know whether they are secure or not.

Q: I’m using one of the effected devices. What can I do to prevent my FPGA bitstream from being stolen?
A: Honestly: Nothing that really works out well. There are promising ideas and concepts (e.g., TinyTPM presented by T. Feller et al. at Host2011) to protect FPGA IP, but these concepts rely on the assumption that at least a part of the bitstream remains secret, i.e. it can be loaded into the FPGA in a protected environment. Our recent analyses show, that this assumption is violated in practice. At the end of the day a solution to this security problem can only be implemented by the Manufacturers (Xillinx in this case). As a hot fix manufactureres of products using Xillinx FPGAs with enabled bitstream encryption is to deny physical access to the devices power consumption and EM radiation by employing metal shields and molding to block both side-channels. Still remember that an attacker being able to circumvent the protection measure, can perform the attack as before. Thus these measures need to be considered as hardening the attack not as preventing it.

Q: I’ve read about a new bitstream authentication mechanism in recent Xillinx FPGAs. How does this effect your attack?
A: Unfortunately it does not effect our findings at all. Worse than that, our findings annihilate the feature, as it only protects from modifying the bitstream. If the bitstream is decrypted, the authentication mechanism can be removed by reprogramming the FPGA with a modified bitstream.