Hello there! This bibliography is no longer maintained. If you'd like to take over ownership, please contact me (http://www.saardrimer.com)

FPGA design security bibliography

by saar drimer

The following is a bibliography list of publications and other resources relating to the topic of "FPGA design security". The scope of the list is quite wide and contains entries that are security oriented but not necessarily FPGA specific. It is an evolving list, so if you have any comments, corrections or additions, feel free to contact me at (firstname.lastname@cl.cam.ac.uk). If you are an author on the list, please make sure all details are correct; if your document is only available and linked through a paywall (IEEE/Springer), consider making it available on your webpage and send me the link.

See bottom of this page for more info on this list.

Enjoy.

categories: FPGA design security | secure IP | side-channel analysis | hardware security | security and crypto | radiation | evolvable hardware | PUFs | watermarking | hardware crypto | misc | crypto algo. | NIST | Actel | Altera | Lattice | Xilinx
276 entries; each entry is followed by its abstract (where available) and its BibTeX record.

FPGA design security

Saar Drimer: "Volatile FPGA design security -- a survey (v0.96)", 2008.
Abstract. Volatile FPGAs, the dominant type of programmable logic devices, are used in space, military, automotive, and consumer electronics applications which require them to operate in a wide range of environments. The continuous growth in both their capability and capacity now requires significant resources to be invested in the designs that are created for them. This has brought increased interest in the security attributes of FPGAs; specifically, how well do they protect the information processed within them, how are designs protected during distribution, and how are developers' ownership rights protected while designs from multiple sources are combined. This survey establishes the foundations for discussing ``FPGA security'', examines a wide range of attacks and defenses along with the current state of industry offerings, and finally, outlines on-going research and latest developments.
@misc{Drimer_FPGASecuritySurvey_WEB08,
author = {Saar Drimer},
title = {Volatile {FPGA} design security -- a survey (v0.96)},
month = {April},
year = {2008},
www_section = {FPGA design security},
url = {http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf},
}
Thomas Wollinger and Christof Paar: "How secure are FPGAs in cryptographic applications? (long version)", 2004.
Abstract. The use of FPGAs for cryptographic applications is highly attractive for a variety of reasons but at the same time there are many open issues related to the general security of FPGAs. This contribution attempts to provide a state-of-the-art description of this topic. First, the advantages of reconfigurable hardware for cryptographic applications are discussed from a systems perspective. Second, potential security problems of FPGAs are described in detail, followed by a proposal of some countermeasures. Third, a list of open research problems is provided. Even though there have been many contributions dealing with the algorithmic aspects of cryptographic schemes implemented on FPGAs, this contribution appears to be the first comprehensive treatment of system and security aspects.
@inproceedings{WP_FPL03,
author = {Thomas Wollinger and Christof Paar},
title = {How secure are {FPGA}s in cryptographic applications? (long version)},
booktitle = {Field Programmable Logic and Applications},
year = {2004},
month = {September},
isbn = {3-540-22989-2},
pages = {707--711},
www_section = {FPGA design security},
url = {http://eprint.iacr.org/2003/119.pdf},
}
Thomas Wollinger, Jorge Guajardo and Christof Paar: "Security on FPGAs: state-of-the-art implementations and attacks", 2004.
Abstract. In the last decade, it has become apparent that embedded systems are integral parts of our everyday lives. The wireless nature of many embedded applications as well as their omnipresence has made the need for security and privacy preserving mechanisms particularly important. Thus, as FPGAs become integral parts of embedded systems, it is imperative to consider their security as a whole. This contribution provides a state-of-the-art description of security issues on FPGAs, both from the system and implementation perspectives. We discuss the advantages of reconfigurable hardware for cryptographic applications, show potential security problems of FPGAs, and provide a list of open research problems. Moreover, we summarize both public and symmetric-key algorithm implementations on FPGAs.
@article{WollingerGP_SecurityFPGA_TECS03,
author = {Thomas Wollinger and Jorge Guajardo and Christof Paar},
title = {Security on {FPGA}s: state-of-the-art implementations and attacks},
journal = {Transactions on Embedded Computing Systems},
volume = {3},
number = {3},
year = {2004},
month = {March},
issn = {1539-9087},
pages = {534--574},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {FPGA design security},
url = {http://portal.acm.org/citation.cfm?id=1015052},
}
Steve A. Guccione, Delon Levi and Prasanna Sundararajan: "Jbits: A Java-based interface for reconfigurable computing", 1999.
Abstract. (Partial) The JBits software is a set of Java classes which provide an Application Programming Interface (API) to access the Xilinx FPGA bitstream. The interface operates on either bitstreams generated by Xilinx design tools, or on bitstreams read back from actual hardware. This permits all configurable resources like Look-up tables, routing and the flip-flops in the FPGA to be individually configured under software control.
The API has been used to construct complete circuits and to modify existing circuits. In addition, the object-oriented support in the Java programming language has permitted a small library of parameterizable, object oriented macro circuits or Cores to be implemented. Finally, this API may be used as a base to construct other tools. This includes traditional design tools for performing tasks such as circuit placement and routing, as well as application specific tools to perform more narrowly defined tasks.
The circuits developed can be downloaded on to the Xilinx hardware and probed using BoardScope. BoardScope is a graphical and interactive hardware debug tool for Xilinx FPGAs. It enables a user to look inside the chips and see the internal states and circuit configurations while the hardware is operating. The data is sampled using the readback capabilities of the FPGAs, and then graphically displayed. The interface to the hardware is provided by XHWIF, the Xilinx standard HardWare InterFace for FPGA based hardware.
@inproceedings{XILINX_JBITS,
author = {Steve A. Guccione and Delon Levi and Prasanna Sundararajan},
title = {{Jbits}: A Java-based interface for reconfigurable computing},
booktitle = {Military and Aerospace Applications of Programmable Devices and Technologies},
year = {1999},
www_section = {FPGA design security},
url = {http://users.utcluj.ro/~baruch/resources/JBits/JBitsMAPPLD.pdf},
}
Steve Trimberger: "Trusted design in FPGAs", 2007.
Abstract. Using FPGAs, a designer can separate the design process from the manufacturing flow. Therefore, the owner of a sensitive design need not expose the design to possible theft and tampering during its manufacture, dramatically simplifying the process of assuring trust in that design. Modern FPGAs include bitstream security features that turn the fielded design trust problem into an information security problem, with well-known cryptographic information security solutions. The generic nature of the FPGA base array allows the validation expense to be amortized over all designs targeted to that base array. Even the task of checking design tools is simplified by using non-destructive checks of the FPGA design.
@inproceedings{Trimberger_FPGATrust_DAC07,
author = {Steve Trimberger},
title = {Trusted design in {FPGAs}},
booktitle = {Design Automation Conference},
month = {June},
year = {2007},
www_section = {FPGA design security},
url = {http://videos.dac.com/44th/papers/1_2.pdf},
}
Mark McLean and Jason Moore: "FPGA-based single chip cryptographic solution--securing FPGAs for red-black systems", 2007.
Abstract. The use of Field Programmable Gate Arrays (FPGAs) in Type I Cryptographic equipment has historically been limited. While FPGA use is allowed, restrictions on how they are used can result in inefficient processing and an increase in system size, weight and power. For example, redundancy and isolation of functionality is required through physically separate devices. This paper introduces new technology that will provide the industry with an FPGA-based single chip cryptographic solution.
The National Security Agency (NSA) and Xilinx have been working together to bring the advantages of FPGA technology to the High Assurance industry. Utilizing the Xilinx Virtex-4 FPGA, the NSA and Xilinx have developed a design flow and verification process based on NSA requirements for high-grade cryptographic processing. This paper will outline the design flow process and summarize the results of the evaluation effort.
@article{McLeanMoore_RedBlackFPGA_MES07,
author = {Mark McLean and Jason Moore},
title = {{FPGA-based} single chip cryptographic solution--securing {FPGAs} for red-black systems},
journal = {Military Embedded Systems},
month = {March},
year = {2007},
www_section = {FPGA design security},
url = {http://www.mil-embedded.com/pdfs/NSA.Mar07.pdf},
}
Tim Güneysu, Bodo Möller and Christof Paar: "Dynamic intellectual property protection for reconfigurable devices", 2007.
Abstract. The distinct advantage of SRAM-based Field Programmable Gate Arrays (FPGA) is their flexibility for configuration changes. However, this opens up the threat of theft of Intellectual Property (IP) since the system configuration is stored in easy-to-access Flash memory. To prevent this, high-end FPGAs have already been extended with symmetric-key decryption engines used to load an encrypted version of the configuration that cannot simply be copied and used without knowledge of the secret key. However, such protection systems based on straightforward use of symmetric cryptography are not well-suited with respect to business and licensing processes, since they are lacking a convenient scheme for key transport and installation. We propose a new protection scheme for the IP of circuits in configuration bit files that provides a significant improvement to the current unsatisfying situation. It uses both public-key and symmetric cryptography, but does not burden FPGAs with the usual overhead of public-key cryptography: While it needs hard-wired symmetric cryptography, the public-key functionality is moved into a temporary configuration bit stream for a one-time setup procedure. This approach requires only very few modifications to current FPGA technology. Using five basic stages, the new protection scheme allows new accounting models for volume licensing of IP, with automated key installation on FPGAs taking place at the customer's site.
@inproceedings{GuneysuMP_DynamicIPP_FPT07,
title = {Dynamic intellectual property protection for reconfigurable devices},
author = {Tim G{\"{u}}neysu and Bodo M{\"{o}}ller and Christof Paar},
booktitle = {Field-Programmable Technology},
pages = {169--176},
month = {November},
year = {2007},
www_section = {FPGA design security},
url = {http://www.ieeexplore.ieee.org/xpl/freeabs_all.jsp?isnumber=4439214&arnumber=4439246},
}
Benoît Badrignans, Reouven Elbaz and Lionel Torres: "Secure FPGA configuration architecture preventing system downgrade", 2008.
Abstract. In the context of FPGAs, system downgrade consists in preventing the update of the hardware configuration or in replaying an old bitstream. The objective can be to preclude a system designer from fixing security vulnerabilities in a design. Such an attack can be performed over a network when the FPGA-based system is remotely updated or on the bus between the configuration memory and the FPGA chip at power-up. Several security schemes providing encryption and integrity checking of the bitstream have been proposed in the literature. However, as we show in this paper, they do not detect the replay of old FPGA configurations; hence they provide adversaries with the opportunity to downgrade the system. We thus propose a new architecture that, in addition to ensuring bitstream confidentiality and integrity, precludes replay of old bitstreams. We show that the hardware cost of this architecture is negligible.
@inproceedings{BadrignansET_SystemDowngrade_FPL08,
title = {Secure {FPGA} configuration architecture preventing system downgrade},
author = {Beno{\^{i}}t Badrignans and Reouven Elbaz and Lionel Torres},
booktitle = {Field Programmable Logic},
pages = {317--322},
month = {September},
year = {2008},
www_section = {FPGA design security},
url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4629951},
}
Lilian Bossuet, Guy Gogniat and Wayne Burleson: "Dynamically configurable security for SRAM FPGA bitstreams", 2004.
Abstract. FPGAs are becoming increasingly attractive thanks to the improvement of their capacities and their performances. Today FPGAs represent an efficient design solution for numerous systems. Moreover, since FPGAs are important for electronic industry it becomes necessary to improve their security particularly for SRAM FPGAs, since they are more vulnerable than other FPGA technologies. This paper proposes a solution to improve the security of SRAM FPGAs through flexible bitstream encryption. This proposition is distinct from other works because it uses the latest capabilities of SRAM FPGAs like partial dynamic reconfiguration and self reconfiguration. It does not need an external battery to store the secret key. It opens a new way of application partitioning oriented by the security policy.
@inproceedings{BossuetGB_DynamicReconfigBitstreams_RAW04,
author = {Lilian Bossuet and Guy Gogniat and Wayne Burleson},
title = {Dynamically configurable security for {SRAM} {FPGA} bitstreams},
booktitle = {IEEE Reconfigurable Architectures Workshop},
month = {April},
year = {2004},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
www_section = {FPGA design security},
url = {http://www.lilianbossuet.com/en/Doc/publications/Bossuet_RAW04.pdf},
}
Javier Castillo, Pablo Huerta and José Ignacio Martínez: "Secure IP downloading for SRAM FPGAs", 2007.
Abstract. Nowadays there is a growing number of systems based on FPGAs spread over wide areas. When these kinds of systems are used, serious security problems may appear. The configuration data for these devices can be very sensitive information that has to be protected against piracy and reverse engineering. In this paper, the main target is to describe a rapid prototyping platform that allows Secure IP downloading and Rights Management. This platform is based on the possibility offered by the new FPGA families for reprogramming part of the device while the rest is working. This work shows how an FPGA system based on an Open Source OpenRISC 1200 microprocessor takes advantage of this feature to perform the Secure Download of the software and the hardware needed to run a User Application. The platform includes digital signature schemes, symmetric encryption and hashing functions to increment the security. An IP rights management method using this architecture is also presented.
@article{CastilloHM_SecureIPDL_MM07,
title = {Secure {IP} downloading for {SRAM} {FPGA}s},
author = {Javier Castillo and Pablo Huerta and Jos{\'{e}} Ignacio Mart{\'{i}}nez},
journal = {Microprocessors and Microsystems},
volume = {31},
number = {2},
pages = {77--86},
month = {February},
year = {2007},
publisher = {Elsevier},
www_section = {FPGA design security},
url = {http://linkinghub.elsevier.com/retrieve/pii/S0141933106000251},
}
Ryan J. Fong, Scott J. Harper and Peter M. Athanas: "A versatile framework for FPGA field updates: an application of partial self-reconfiguration", 2003.
Abstract. Field programmable gate arrays (FPGAs) provide an attractive solution to developers needing custom logic for short time-to-market products. Products embedding FPGA system-on-chip solutions have the advantage in that they can be updated once deployed. New FPGA firmware may be loaded via manufacturer-supplied memory devices or remotely via a network connection. Recent FPGAs allow for self-reconfiguration, where the user-FPGA fabric can internally modify its own configuration data. Using self-reconfiguration, configuration control protocols can be implemented in user logic. This allows new FPGA programming methods to be designed. We propose a versatile partial self-reconfiguration framework for FPGA field updates that customizes to specific applications, reduces reconfiguration times, and minimizes the need for external hardware. The framework provides flexibility in media sources and design security. A prototype using this framework is demonstrated on a Xilinx Virtex-II FPGA.
@inproceedings{FongHA_VersatileFieldUpdate_RSP03,
title = {A versatile framework for {FPGA} field updates: an application of partial self-reconfiguration},
author = {Ryan J. Fong and Scott J. Harper and Peter M. Athanas},
booktitle = {IEEE International Workshop on Rapid Systems Prototyping},
pages = {117--123},
year = {2003},
www_section = {FPGA design security},
url = {http://ieeexplore.ieee.org/iel5/8579/27166/01207038.pdf},
}
Graham Seamann: "FPGA bitstreams and open designs", 2000.
@manual{Seamann_OpenDesign_WEB00,
author = {Graham Seamann},
title = {{FPGA} bitstreams and open designs},
month = {April},
year = {2000},
www_section = {FPGA design security},
url = {http://web.archive.org/web/20050831135514/http://www.opencollector.org/news/Bitstream/},
}
Kenneth Austin: "Data security arrangements for semiconductor programmable devices", 1995.
Abstract. A programmable logic device comprises a semiconductor with configurable circuitry, an input circuit for encrypted data to determine the configuration of the circuitry, decrypting circuitry responsive to a key value held in a non-volatile data store, and volatile storage circuitry for holding decrypted configuration data. Encrypting circuitry uses the same key value to encrypt configuration data and stores the encrypted configuration data for use in the programmable logic device.
@manual{Austin_BSEncryption_USPAT95,
author = {Kenneth Austin},
title = {Data security arrangements for semiconductor programmable devices},
organization = {United States Patent Office},
year = {1995},
number = {5388157},
www_section = {FPGA design security},
url = {http://patft1.uspto.gov/netacgi/nph-Parser?patentnumber=5388157},
}
Saar Drimer: "Authentication of FPGA bitstreams: why and how", 2007.
Abstract. Encryption of volatile FPGA bitstreams provides confidentiality to the design but does not ensure its authenticity. This paper motivates the need for adding authentication to the configuration process by providing application examples where this functionality would be useful. An examination of possible solutions is followed by suggesting a practical one in consideration of the FPGA's configuration environment constraints. The solution proposed here involves two symmetric-key encryption cores running in parallel to provide both authentication and confidentiality while sharing resources for efficient implementation.
@inproceedings{Drimer_BSAuthentication_ARC07,
author = {Saar Drimer},
title = {Authentication of {FPGA} bitstreams: why and how},
booktitle = {Applied Reconfigurable Computing},
month = {March},
year = {2007},
series = {LNCS},
volume = {4419},
isbn = {978-3-540-71430-9},
publisher = {Springer},
pages = {73--84},
www_section = {FPGA design security},
url = {http://www.cl.cam.ac.uk/~sd410/papers/bsauth.pdf},
}
Yohei Hori, Akashi Satoh, Hirofumi Sakane and Kenji Toda: "Bitstream encryption and authentication with AES-GCM in dynamically reconfigurable systems", 2008.
Abstract. A high-speed and secure dynamic partial reconfiguration (DPR) system is realized with AES-GCM that guarantees both confidentiality and authenticity of FPGA bitstreams. In DPR systems, bitstream authentication is essential for avoiding fatal damage caused by unintended bitstreams. An encryption-only system can prevent bitstream cloning and reverse engineering, but cannot prevent erroneous or malicious bitstreams from being configured. Authenticated encryption is a relatively new concept that provides both message encryption and authentication, and AES-GCM is one of the latest authenticated encryption algorithms suitable for hardware implementation. We implemented the AES-GCM-based DPR system targeting the Virtex-5 device on an off-the-shelf board, and evaluated its throughput and hardware resource utilization. For comparison, we also implemented AES-CBC and SHA-256 modules on the same device. The experimental results showed that the AES-GCM-based system achieved higher throughput with less resource utilization than the AES/SHA-based system. The AES-GCM-module achieved more than 1 Gbps throughput and the entire system achieved about 800 Mbps throughput with reasonable resource utilization. This paper clarifies the advantage of using AES-GCM for protecting DPR systems.
@inproceedings{HoriSST_BSPartialReconfigAuth_FPL08,
title = {Bitstream encryption and authentication with {AES-GCM} in dynamically reconfigurable systems},
author = {Yohei Hori and Akashi Satoh and Hirofumi Sakane and Kenji Toda},
booktitle = {Field Programmable Logic and Applications},
year = {2008},
month = {September},
pages = {23--28},
www_section = {FPGA design security},
url = {http://staff.aist.go.jp/hori.y/articles/hori_fpl08.pdf},
}
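The Badrignans et al., Drimer and Hori et al. entries above make three points in sequence: bitstream encryption gives confidentiality but not authenticity, an integrity tag closes that gap, and even an authenticated bitstream can be replayed unless a version is bound under the tag and checked against a counter the device keeps. The following Python is an added example that demonstrates those three points in one toy loader; it is not code from any of those papers or from any vendor's configuration logic. Assumptions: a keystream built from HMAC-SHA256 in counter mode stands in for the device's AES decryptor (it is malleable in exactly the way AES-CTR is, and keeps the example on the standard library), `Loader.min_version` stands in for an on-chip non-volatile counter, and all keys, nonces and "bitstreams" are constructed demo values.

```python
"""Toy bitstream loader: confidentiality alone, then integrity, then anti-replay.

Added example, not any vendor's configuration logic.  Stand-ins:
  - keystream(): HMAC-SHA256 in counter mode, a stream cipher that is malleable
    in the same way AES-CTR is (used so the example runs on the stdlib alone)
  - Loader.min_version: a monotonic counter that would live in on-chip
    non-volatile storage on a real device
Keys, nonces and "bitstreams" below are constructed demo values.
"""
import hashlib
import hmac
import struct

ENC_KEY = b"\x01" * 32           # demo keys only
MAC_KEY = b"\x02" * 32
HEADER = struct.Struct(">8sI")   # nonce (8 bytes) || version (uint32), sent in clear
TAG_LEN = 32


def keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def stream_xor(data, nonce):
    """Encrypt or decrypt (same operation) under ENC_KEY."""
    return bytes(d ^ k for d, k in zip(data, keystream(ENC_KEY, nonce, len(data))))


def seal(plain, version, nonce):
    """Encrypt-then-MAC; the tag covers the clear header, so the version is bound too."""
    header = HEADER.pack(nonce, version)
    body = stream_xor(plain, nonce)
    tag = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
    return header + body + tag


class Loader:
    """Accepts a sealed image only if the tag verifies and the version never goes down."""

    def __init__(self):
        self.min_version = 0

    def load(self, sealed):
        header, body, tag = sealed[:HEADER.size], sealed[HEADER.size:-TAG_LEN], sealed[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity: tag mismatch, bitstream rejected")
        nonce, version = HEADER.unpack(header)       # trusted only after the tag check
        if version < self.min_version:
            raise ValueError("replay: version %d < %d" % (version, self.min_version))
        self.min_version = version                    # ratchet forward before releasing plaintext
        return stream_xor(body, nonce)


def demo_encryption_only_is_malleable():
    """Flip one ciphertext bit without the key; the decrypted setting changes meaningfully."""
    ct = bytearray(stream_xor(b"jtag_disable=1", b"nonce-01"))
    ct[-1] ^= ord("1") ^ ord("0")
    return stream_xor(bytes(ct), b"nonce-01")         # an encrypt-only loader accepts this


def demo_tamper_detected():
    """The same bit flip against a sealed image is caught by the tag."""
    sealed = bytearray(seal(b"jtag_disable=1", 1, b"nonce-01"))
    sealed[-TAG_LEN - 1] ^= 1                         # last ciphertext byte
    try:
        Loader().load(bytes(sealed))
    except ValueError as err:
        return str(err).startswith("integrity")
    return False


def demo_downgrade_rejected():
    """A genuine, correctly tagged v1 image is replayed after v2 has been installed."""
    loader = Loader()
    v1 = seal(b"design v1 (has the bug)", 1, b"nonce-01")
    v2 = seal(b"design v2 (bug fixed)", 2, b"nonce-02")
    first = loader.load(v1)
    second = loader.load(v2)
    try:
        loader.load(v1)                               # tag still valid, version too old
    except ValueError as err:
        return first, second, str(err).startswith("replay")
    return first, second, False
```

Two design points worth noting. The version field travels in the clear but is covered by the tag, so an attacker who can edit the bus or the update channel cannot raise it on an old image. And the loader ratchets `min_version` forward only after both checks pass, which is the same ordering Badrignans et al. need from their on-chip counter. Hori et al. and Parelkar and Gaj replace the separate cipher and MAC here with a single AES-GCM or AES-EAX engine; the replay check is unchanged.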
Milind M. Parelkar: "FPGA security -- bitstream authentication", 2005.
Abstract. Safeguarding Intellectual Property on FPGAs is a major challenge for FPGA manufacturers. The challenge stems not from the fact that it is difficult to add security features to the FPGA, but from the commercial point of view. The main question is whether the entire user base will be ready to pay for these added features. Also, there is no consensus among various manufacturers as to which security features are absolutely essential for FPGA security. This paper addresses some security scenarios in FPGAs, and tries to point out why currently existing security features are inadequate. The concept of bitstream authentication is introduced and different authentication options are compared. Finally a comparative analysis of hardware implementations of the authentication algorithms is provided for FPGA as well as ASIC implementations.
@techreport{Parelkar_BSAuthentication_TR05,
author = {Milind M. Parelkar},
title = {{FPGA} security -- bitstream authentication},
institution = {George Mason University},
year = {2005},
www_section = {FPGA design security},
url = {http://ece.gmu.edu/courses/Crypto_resources/web_resources/theses/GMU_theses/Parelkar/Parelkar_Fall_2005.pdf},
}
Milind M. Parelkar: "Authenticated encryption in hardware", 2005.
Abstract. Traditionally, authenticated encryption was achieved using an independent algorithm for encryption, and a separate one for authentication. Recently, in response to the NIST's solicitation, new modes of operation of block ciphers have been developed. These modes allow for a joint implementation of encryption and authentication. This feature is especially beneficial in case of hardware implementations, as it allows for the substantial decrease in the circuit area and power compared to the traditional schemes.
In this thesis, three new modes of operation, OCB, CCM and EAX, and two versions of the traditional scheme, based on AES for encryption, and HMAC-SHA1 and SHA-512 for authentication, have been compared from the point of view of efficiency of hardware implementations. All schemes have been implemented targeting Xilinx Virtex 4 family of FPGAs and a standard-cell ASIC based on 90 nm and 130 nm technology. All schemes have been compared from the point of view of the circuit area, implementation speed, inclusion in the current generation of standards, and a potential for future improvements.
@mastersthesis{Parelkar_AuthenticationInHW_MS05,
author = {Milind M. Parelkar},
title = {Authenticated encryption in hardware},
school = {George Mason University},
address = {Fairfax, VA, USA},
year = {2005},
www_section = {FPGA design security},
url = {http://mason.gmu.edu/~mparelka/reports/Milind_Thesis_pdf.pdf},
}
Milind M. Parelkar and Kris Gaj: "Implementation of EAX mode of operation for FPGA bitstream encryption and authentication", 2005.
Abstract. In order to provide a capability for secure remote reconfiguration of FPGAs, FPGA bitstream needs to be encrypted and authenticated during its transmission through any public network. Bitstream encryption is already implemented in a few modern FPGA families, such as Xilinx Virtex II. An important feature lacking in the current generation of FPGAs is the ability to cryptographically verify the authenticity of the bitstream. In this paper, we propose the use of the EAX mode of operation of advanced encryption standard (AES) for a joint encryption and authentication of the FPGA bitstream, using a single cipher engine. We demonstrate and quantify the advantages of this method compared to a generic scheme relying on different algorithms and different cryptographic engines for performing both operations.
@inproceedings{ParelkarGaj_BSAuthEAX_FPT05,
author = {Milind M. Parelkar and Kris Gaj},
title = {Implementation of {EAX} mode of operation for {FPGA} bitstream encryption and authentication},
booktitle = {Field Programmable Technology},
month = {December},
year = {2005},
pages = {335--336},
www_section = {FPGA design security},
url = {http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01568588},
}
Bradley D. Christiansen: "FPGA security through decoy circuits", 2006.
Abstract. Field Programmable Gate Arrays (FPGAs) based on Static Random Access Memory (SRAM) are vulnerable to tampering attacks such as readback and cloning attacks. Such attacks enable the reverse engineering of the design programmed into an FPGA. To counter such attacks, measures that protect the design with low performance penalties should be employed.
This research proposes a method which employs the addition of active decoy circuits to protect SRAM FPGAs from reverse engineering. The effects of the protection method on security, execution time, power consumption, and FPGA resource usage are quantified. The method significantly increases the security of the design with only minor increases in execution time, power consumption, and resource usage. For the circuits used to characterize the method, security increased to more than one million times the original values, while execution time increased to at most 1.2 times, dynamic power consumption increased to at most two times, and look-up table usage increased to at most seven times the original values. These are reasonable penalties given the size and security of the modified circuits. The proposed design protection method also extends to FPGAs based on other technologies and to Application-Specific Integrated Circuits (ASICs).
@mastersthesis{Christiansen_DecoyCircuits_MS06,
author = {Bradley D. Christiansen},
title = {{FPGA} security through decoy circuits},
school = {Air Force Institute of Technology, Ohio, USA},
year = {2006},
month = {March},
www_section = {FPGA design security},
url = {http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA454021&Location=U2&doc=GetTRDoc.pdf},
}
Adam Megacz: "A library and platform for FPGA bitstream manipulation", 2007.
Abstract. Since 1998, no commercially available FPGA has been accompanied by public documentation of its native machine code (or bitstream) format. Consequently, research in reconfigurable hardware has been confined to areas which are specifically supported by manufacturer-supplied tools. Recently, detailed documentation of the bitstream format for the Atmel FPSLIC series of FPGAs appeared on the Usenet group comp.arch.fpga. This information has been used to create abits, a Java library for direct manipulation of FPSLIC bitstreams and partial reconfiguration. The abits library is accompanied by the slipway reference design, a low-cost USB bus-powered board carrying an FPSLIC. This paper describes the abits library and slipway platform, as well as a few applications which they make possible. Both the abits source code and slipway board layout are publicly available under the terms of the BSD license. It is our hope that these tools will enable further research in reconfigurable hardware which would not otherwise be possible.
@inproceedings{Megacz_BitstreamManipulation_FCCM07,
author = {Adam Megacz},
title = {A library and platform for {FPGA} bitstream manipulation},
booktitle = {Field-Programmable Custom Computing Machines Symposium},
month = {April},
year = {2007},
isbn = {0-7695-2940-2},
pages = {45--54},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
www_section = {FPGA design security},
url = {http://www.megacz.com/research/megacz-fccm07.pdf},
}
William Sealey Gosset: "Atmel AT40k/94k configuration format documentation (Usenet comp.arch.fpga)", 2005.
@misc{Gosset_USENET05,
author = {William Sealey Gosset},
title = {Atmel AT40k/94k configuration format documentation ({Usenet} comp.arch.fpga)},
month = {August},
year = {2005},
www_section = {FPGA design security},
url = {http://groups.google.com/group/comp.arch.fpga/msg/a90fca82aafe8e2b},
}
Jean-Baptiste Note and Éric Rannaud: "From the bitstream to the netlist", 2008.
Abstract. We present an in-depth analysis of the Xilinx bitstream format. The information gathered in this paper allows bitstream compilation and decompilation. While not actually compromising current bitstream security, the easiness of the decompilation process should raise awareness about bitstream security issues. Available documentation from Xilinx and some custom assumptions about the bitstream format are presented and analyzed, so as to first gather a database mapping bitstream data to its related netlist elements, thanks to a suitable algorithm applied to a well-chosen bitstream. This database is then used as input to an efficient program which can compile a bitstream from a low-level textual description or conversely decompile a bitstream to the same textual description for any subsequent input. The whole process of database gathering and the decompilation of the bitstream format for a particular chip runs at about the speed of bitgen compilation. The sole process of compiling/decompiling a bitstream from/to its associated textual description runs two orders of magnitude faster.
@inproceedings{NoteRannaud_BStoNetlist_FPGA08,
author = {Jean-Baptiste Note and {\'{E}}ric Rannaud},
title = {From the bitstream to the netlist},
booktitle = {ACM/SIGDA Symposium on Field Programmable Gate Arrays},
month = {February},
year = {2008},
pages = {264--264},
publisher = {ACM},
address = {New York, NY, USA},
www_section = {FPGA design security},
url = {http://islsm.org/~jb/debit/bitstream.pdf},
}
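JBits, abits and the debit work of Note and Rannaud all operate on the raw bitstream, so it helps to see the container and packet layer that any such tool must get through before the interesting part (mapping frame bits to LUTs and routing) even begins. The following Python is an added example, not code from any of those projects or from Xilinx. It reads the publicly documented .bit file records (a: design name, b: part, c: date, d: time, e: configuration data), finds the 0xAA995566 sync word, and walks the 32-bit type-1/type-2 packet headers of the Virtex-5 and 7-series configuration interface, naming the target registers with the numbering given in UG191/UG470. The sample file is constructed in code: its IDCODE and frame words are arbitrary placeholders, not a real design. The frame-bit-to-netlist mapping the papers describe is deliberately not attempted, and Spartan-6 and older families with 16-bit packets are not handled.

```python
"""Walk a Xilinx-style .bit container and its configuration packets.

Added example built from the publicly documented .bit header layout and the
32-bit packet header format of the Virtex-5/7-series configuration interface
(register numbering as in UG191/UG470).  The sample file is constructed below;
its IDCODE and frame words are arbitrary placeholders, not a real design.
"""
import struct

SYNC_WORD = 0xAA995566
WRITE = 2
OPCODES = {0: "NOP", 1: "READ", 2: "WRITE"}
REGISTERS = {0: "CRC", 1: "FAR", 2: "FDRI", 3: "FDRO", 4: "CMD", 5: "CTL0",
             6: "MASK", 7: "STAT", 8: "LOUT", 9: "COR0", 10: "MFWR", 11: "CBC",
             12: "IDCODE", 13: "AXSS", 14: "COR1", 16: "WBSTAR", 17: "TIMER",
             22: "BOOTSTS", 24: "CTL1"}


def parse_bit_header(blob):
    """Return (fields, config_data) from a .bit file.

    Layout: 2-byte length + 9-byte preamble, a 2-byte 0x0001, then records
    'a' (design name), 'b' (part), 'c' (date), 'd' (time) with 2-byte lengths,
    and 'e' with a 4-byte length holding the raw configuration data.
    """
    (n,) = struct.unpack_from(">H", blob, 0)
    pos = 2 + n + 2                       # preamble, then the 0x0001 word before 'a'
    fields = {}
    while pos < len(blob):
        key = chr(blob[pos])
        pos += 1
        if key == "e":
            (length,) = struct.unpack_from(">I", blob, pos)
            return fields, blob[pos + 4:pos + 4 + length]
        (length,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields[key] = blob[pos:pos + length].rstrip(b"\0").decode("ascii")
        pos += length
    raise ValueError("no 'e' record: not a .bit file?")


def walk_packets(data):
    """List (opcode, register, word_count, payload) for each packet after the sync word.

    Type-1 header: [31:29]=001, [28:27] opcode, [26:13] register, [10:0] count.
    Type-2 header: [31:29]=010, [28:27] opcode, [26:0] count; it targets the
    register of the preceding type-1 packet (how the big FDRI frame write is sent).
    """
    words = [w for (w,) in struct.iter_unpack(">I", data[:len(data) & ~3])]
    if SYNC_WORD not in words:
        raise ValueError("sync word not found")
    i = words.index(SYNC_WORD) + 1
    packets, last_reg = [], None
    while i < len(words):
        hdr = words[i]
        i += 1
        ptype, opcode = hdr >> 29, OPCODES.get((hdr >> 27) & 0x3, "RESERVED")
        if ptype == 1:
            count = hdr & 0x7FF
            if opcode != "NOP":
                last_reg = (hdr >> 13) & 0x3FFF
        elif ptype == 2:
            count = hdr & 0x07FFFFFF
        else:
            continue                      # padding / dummy words
        reg = None if opcode == "NOP" else REGISTERS.get(last_reg, "REG%s" % last_reg)
        packets.append((opcode, reg, count, words[i:i + count]))
        i += count
    return packets


def type1(opcode, reg, count):
    return (1 << 29) | (opcode << 27) | (reg << 13) | count


def type2(opcode, count):
    return (2 << 29) | (opcode << 27) | count


# Constructed configuration stream: bus-width detection and dummy words, sync,
# then a minimal write sequence.  IDCODE, FAR and frame words are placeholders.
SAMPLE_CONFIG = struct.pack(
    ">17I",
    0xFFFFFFFF, 0x000000BB, 0x11220044, 0xFFFFFFFF, SYNC_WORD,
    0x20000000,                        # type-1 NOP
    type1(WRITE, 12, 1), 0x01234567,   # IDCODE (placeholder value)
    type1(WRITE, 1, 1), 0x00000000,    # FAR = 0
    type1(WRITE, 2, 0),                # FDRI; the length rides in the type-2 header
    type2(WRITE, 3), 0x11111111, 0x22222222, 0x33333333,
    type1(WRITE, 0, 1), 0x00000000,    # CRC (placeholder)
)


def build_sample_bit(config):
    """Wrap a configuration stream in a constructed .bit container."""
    def rec(key, text):
        payload = text.encode("ascii") + b"\0"
        return key + struct.pack(">H", len(payload)) + payload
    out = struct.pack(">H", 9) + bytes.fromhex("0ff00ff00ff00ff000") + struct.pack(">H", 1)
    out += rec(b"a", "demo.ncd;UserID=0xFFFFFFFF") + rec(b"b", "7k325tffg900")
    out += rec(b"c", "2008/01/01") + rec(b"d", "12:00:00")
    return out + b"e" + struct.pack(">I", len(config)) + config


def describe_sample():
    """Header fields plus (opcode, register, count) for every packet in the sample."""
    fields, data = parse_bit_header(build_sample_bit(SAMPLE_CONFIG))
    return fields, [(op, reg, n) for op, reg, n, _ in walk_packets(data)]
```

Everything this script recovers (part name, register write order, frame payload boundaries) is what the vendor tools already print or document; the security-relevant step that the papers above take is the next one, correlating FDRI payload bits with netlist elements, and nothing in the container makes that harder than what is shown here. Note also that the 'a'..'d' records are unauthenticated metadata: a loader must not take the part name or date from them as evidence of anything.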
Ulogic: "Ulogic FPGA netlist recovery", 2007.
Abstract. Ulogic is a free software project aimed at netlist recovery from FPGA closed bitstream formats.
@misc{Ulogic_WEB07,
author = {{Ulogic}},
title = {{Ulogic} {FPGA} netlist recovery},
month = {October},
year = {2007},
www_section = {FPGA design security},
url = {http://www.ulogic.org},
}

secure IP

Carol Marsh and Tom Kean: "A security tagging scheme for ASIC designs and intellectual property cores", 2007.
Abstract. This paper introduces a novel idea for labelling and protecting electronic designs and in particular Intellectual Property (IP) Cores, implemented in Application Specific Integrated Circuits (ASICs) and Field Programmable Gate Arrays (FPGAs).
@manual{MarshKean_IPPTags_07,
author = {Carol Marsh and Tom Kean},
title = {A security tagging scheme for {ASIC} designs and intellectual property cores},
organization = {Algotronix},
month = {January},
year = {2007},
key = {},
www_section = {secure IP, FPGA},
url = {http://www.us.design-reuse.com/articles/article15105.html},
}
Eric Simpson and Patrick Schaumont: "Offline hardware/software authentication for reconfigurable platforms", 2006.
Abstract. Many Field-Programmable Gate Array (FPGA) based systems utilize third-party intellectual property (IP) in their development. When they are deployed in non-networked environments, the question arises how this IP can be protected against non-authorized use. We describe an offline authentication scheme for IP modules. The scheme implements mutual authentication of the IP modules and the hardware platform, and enables us to provide authentication and integrity assurances to both the system developer and IP provider. Compared to the Trusted Computing Platforms approach to hardware/software authentication, our solution is more lightweight and tightly integrates with existing FPGA security features. We are able to demonstrate an implementation of the authentication scheme that requires a symmetric cipher and a Physically Unclonable Function (PUF). In addition to the low hardware requirements, our implementation does not require any on-chip, non-volatile storage.
@inproceedings{SimpsonSchaumont_OfflineHWSWAuthentication_CHES06,
author = {Eric Simpson and Patrick Schaumont},
title = {Offline hardware/software authentication for reconfigurable platforms},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {4249},
isbn = {978-3-540-46559-1},
publisher = {Springer},
month = {October},
year = {2006},
pages = {311--323},
www_section = {secure IP, FPGA},
url = {http://rijndael.ece.vt.edu/schaum/papers/2006ches.pdf},
}
Lin Yuan, Gang Qu, Lahouari Ghout and Ahmed Bouridane: "VLSI Design IP protection: solutions, new challenges, and opportunities", 2006.
Abstract. It has been a decade since the need of VLSI design intellectual property (IP) protection was identified. The goals of IP protection are 1) to enable IP providers to protect their IPs against unauthorized use, 2) to protect all types of design data used to produce and deliver IPs, 3) to detect the use of IPs, and 4) to trace the use of IPs. There are significant advances from both industry and academia towards these goals. However, do we have solutions to achieve all these goals? What are the current state-of-the-art IP protection techniques? Do they meet the protection requirements designers sought? What are the (new) challenges and is there any feasible answer to them in the foreseeable future?
@article{YQGB_VLSIIPPROTECTION_AHS06,
author = {Lin Yuan and Gang Qu and Lahouari Ghout and Ahmed Bouridane},
title = {{VLSI} Design {IP} protection: solutions, new challenges, and opportunities},
journal = {NASA/ESA Conference on Adaptive Hardware and Systems},
volume = {0},
month = {June},
year = {2006},
isbn = {0-7695-2614-4},
pages = {469--476},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
www_section = {secure IP},
url = {http://www.ece.umd.edu/~gangqu/research/papers/c053.pdf},
}
Nathaniel Couture and Kenneth B. Kent: "Periodic licensing of FPGA based intellectual property", 2006.
Abstract. As Field Programmable Gate Arrays (FPGA) gain popularity and become more prevalent in consumer products, the desire to have expiring FPGA Intellectual Property (IP) will also rise. Up to this point, the sale of Intellectual Property (IP) targeting FPGA-based consumer products has not been tremendously profitable for the creators of this IP. The sale of the products containing this IP, however, has been. This is due in part to the way the IP is licensed. This research investigates the feasibility of physically enforced periodic licensing of FPGA IP. The goal is to design a hardware architecture to support licensable FPGA IP cores targeting consumer products. This work describes a method of licensing IP on FPGAs based on techniques derived from software licensing schemes. Current software and hardware licensing techniques are described in detail, including a survey of current research in the fields of FPGA security, secure memory technologies, and cryptography. A licensing architecture for FPGA IP is proposed, and an implementation on a Xilinx Virtex 2 FPGA demonstrates that expiration of FPGA based IP can be achieved. Future work includes the development of a hardware architecture for consumer products that supports licensable IP cores as well as their delivery.
@inproceedings{CK_PERIODICIP_FPGA06,
author = {Nathaniel Couture and Kenneth B. Kent},
title = {Periodic licensing of FPGA based intellectual property},
booktitle = {Field Programmable Gate Arrays Symposium},
month = {February},
year = {2006},
isbn = {1-59593-292-5},
pages = {234--234},
location = {Monterey, California, USA},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {secure IP, FPGA},
url = {http://www.ieeexplore.ieee.org/iel5/4042379/4042097/04042469.pdf},
}
Tom Kean: "Method of using a mask programmed key to securely configure a field programmable gate array", 2001.
Abstract. Techniques are used to protect intellectual property cores on field programmable gate arrays. An approach is to associate each field programmable gate array, or a limited number of field programmable gate arrays, with a secret key. Each field programmable gate array may only be properly configured or programmed by an appropriate encrypted bitstream (which includes one or more intellectual property cores). This encrypted bitstream has been encoded by or for the secret key associated with a particular FPGA. Other techniques are also presented in this application and include network-based, non network-based, software-based, layered, and other approaches. The techniques allow an intellectual property core vendor to charge a customer per-use or per-configuration of their intellectual property. This is because an encrypted bitstream is useable only in a limited number, possibly just one, of the integrated circuits.
@manual{Kean_USPAT02,
author = {Tom Kean},
title = {Method of using a mask programmed key to securely configure a field programmable gate array},
organization = {United States Patent Office},
year = {2001},
number = {Application 20010037458},
www_section = {secure IP, FPGA},
url = {http://www.algotronix.com/content/US21037458A1.pdf},
}
Tom Kean: "Cryptographic rights management of FPGA intellectual property cores", 2002.
Abstract. As the capacity of FPGAs increases to millions of equivalent gates the use of Intellectual Property (IP) cores becomes increasingly important to control design complexity. FPGAs are becoming platforms for integrating a system solution from components supplied by independent vendors in the same way as printed circuit boards provided a platform for earlier generations of designers. However, the current commercial model for IP cores involves large up-front license fees reminiscent of ASIC NRE charges. In order to match the IP core business model to the low to medium volume applications addressed by FPGA customers it is important to develop cryptographic techniques which allow IP core vendors to sell their product on a pay-per-use basis rather than through up-front license fees.
@inproceedings{Kean_RightsManagement_FPGA02,
author = {Tom Kean},
title = {Cryptographic rights management of {FPGA} intellectual property cores},
booktitle = {Field Programmable Gate Arrays Symposium},
year = {2002},
isbn = {1581134525},
pages = {113--118},
location = {Monterey, California, USA},
publisher = {ACM Press},
address = {New York, NY, USA},
key = {},
www_section = {secure IP, FPGA},
url = {http://www.algotronix.com/content/security%20fpga2002.pdf},
}
Tom Kean: "Secure configuration of Field Programmable Gate Arrays", 2001.
Abstract. Although SRAM programmed Field Programmable Gate Arrays (FPGAs) have come to dominate the industry due to their density and performance advantages over non-volatile technologies, they have a serious weakness in that they are vulnerable to piracy and reverse engineering of the user design. This is becoming increasingly important as the size of chips - and hence the value of customer designs - increases. FPGAs are now being used in consumer products where piracy is more common. Further, reconfiguration of FPGAs in the field is becoming increasingly popular, particularly in networking applications, and it is vital to provide security against malicious parties interfering with equipment functionality through this mechanism.
@inproceedings{Kean_FPGASecureConfig_FPL01,
author = {Tom Kean},
title = {Secure configuration of {Field Programmable Gate Arrays}},
booktitle = {Field Programmable Logic and Applications},
year = {2001},
isbn = {3540424997},
pages = {142--151},
publisher = {Springer-Verlag},
address = {London, UK},
key = {},
www_section = {secure IP, FPGA},
url = {http://www.algotronix.com/content/security%20FPL%202001.pdf},
}
Amir H. Sheikh Zeineddini: "Secure partial reconfiguration of FPGAs", 2005.
Abstract. SRAM FPGAs are configured by loading application-specific configuration data---the bitstream---into an internal configuration memory. Because the configuration memory is a volatile SRAM, it must be configured each time the device is powered up. The necessity of configuration on each power up makes it easier for attackers to clone, reverse engineer, or tamper with the bitstream during configuration. Bitstream encryption is the most effective and practical solution to improve the security of SRAM FPGAs and protect the configuration data. The existing Xilinx solution uses CAD tools support for bitstream encryption and an on-chip special circuit for decryption. One of the drawbacks of this solution is that it is not possible to use partial reconfiguration and readback when the device is configured with an encrypted bitstream. Partial reconfiguration changes the design behavior in a portion of the FPGA without full reconfiguration by using a partial bitstream. Different forms of this new capability provide many advantages such as run-time reconfiguration for various application areas.
This thesis investigates a method to perform a secure partial reconfiguration and improve the security of SRAM FPGAs through exploiting a configuration controller that enables an FPGA to dynamically reconfigure itself under the control of an embedded processor core. The hardware architecture of this configuration controller was implemented with a minimal footprint using two schemes: one based on a hard-wired PowerPC processor core and the second based on a MicroBlaze soft processor core. The software part of the controller consists of the program responsible for loading the configuration bitstream from external memory, authentication, decryption, and partial reconfiguration of the FPGA. This scheme enables embedded systems that benefit from partial reconfiguration to increase their design security without requiring external circuitry and provides flexibility by allowing the use of various authentication and encryption/decryption algorithms.
The scheme is tested for partially reconfigurable designs containing the configuration controller and an application system within a single FPGA. Comparisons of the total configuration time (including authentication and decryption) and resource utilization targeting Xilinx Virtex-II Pro devices are also provided.
@mastersthesis{Zeineddini_SecurePartialConfig_MS05,
author = {Amir H. Sheikh Zeineddini},
title = {Secure partial reconfiguration of {FPGAs}},
school = {George Mason University},
address = {Fairfax, VA, USA},
year = {2005},
month = {},
www_section = {secure IP, FPGA},
url = {http://ece.gmu.edu/courses/Crypto_resources/web_resources/theses/GMU_theses/Zeineddini/Zeineddini_Summer_2005.pdf},
}
Rawat Siripokarpirom: "Distribution of bitstream-level IP cores for functional evaluation using FPGAs", 2004.
Abstract. Due to their flexibility, increased logic density and low design costs, Field-Programmable Gate Arrays (FPGAs) have become a viable option for implementing many kinds of applications such as custom computing machines, rapid system prototyping, hardware emulation, IP verification and evaluation. This paper proposes an alternative approach that allows IP providers to deliver their IP to customers for functional evaluation before purchase, by mapping IP cores into SRAM-based FPGA logic and distributing them as a bitstream file for a particular device so that customers can use their FPGA boards to try out the IP as a black-box, pre-verified design component. This paper also presents a simple hardware/software infrastructure and its prototype implementation that allows for seamless integration of hardware IP into an existing simulation environment. In addition, a case study is given to demonstrate the proposed approach and some security issues concerning bitstream-level IP distribution are also discussed.
@inproceedings{Siripokarpirom_IPDIST_FPL04,
author = {Rawat Siripokarpirom},
title = {Distribution of bitstream-level {IP} cores for functional evaluation using {FPGAs}},
booktitle = {Field Programmable Logic and Applications},
year = {2004},
pages = {700--709},
www_section = {secure IP, FPGA},
url = {http://www.springerlink.com/content/ht35m17pmlbpugqy/},
}
Jonathan Peter Graf: "A key management architecture for securing off-chip data transfers on an FPGA", 2004.
Abstract. Data security is becoming ever more important in embedded and portable electronic devices. The sophistication of the analysis techniques used by attackers is amazingly advanced. Digital devices' external interfaces to memory and communications interfaces to other digital devices are vulnerable to malicious probing and examination. A hostile observer might be able to glean important details of a device's design from such an interface analysis. Defensive measures for protecting a device must therefore be even more sophisticated and robust. This thesis presents an architecture that acts as a secure wrapper around an embedded application on a Field Programmable Gate Array (FPGA). The architecture includes functional units that serve to authenticate a user over a secure serial interface, create a key with multiple layers of security, and encrypt an external memory interface using that key. In this way, the wrapper protects all of the digital interfaces of the embedded application from external analysis. Cryptographic methods built into the system include an RSA-related secure key exchange, the Secure Hash Algorithm, a certificate storage system, and the Data Encryption Standard algorithm in counter mode. The principles behind the encrypted external memory interface and the secure authentication interface can be adjusted as needed to form a secure wrapper for a wide variety of embedded FPGA applications.
@mastersthesis{Graf_MS_KEYMNGMNT_04,
author = {Jonathan Peter Graf},
title = {A key management architecture for securing off-chip data transfers on an {FPGA}},
school = {Virginia Tech},
address = {Blacksburg, VA, USA},
year = {2004},
month = {},
www_section = {secure IP, FPGA},
url = {http://scholar.lib.vt.edu/theses/available/etd-07192004-102951/unrestricted/jgraf_thesis.pdf},
}
Michael J. Wirthlin and Brian McMurtrey: "Web-based IP evaluation and distribution using applets", 2003.
Abstract. This paper introduces an IP evaluation and delivery framework that operates within Java applets. The use of such applets allows circuit designers to create, evaluate, test, and obtain FPGA circuits directly within a web browser. Based on the JHDL design tool, these applets allow structural viewing, circuit simulation, and netlist generation of application-specific circuits. An important component of this framework is the ability to deliver black-box simulation models as executable Java applets. These applet-based simulation models can be tied to third-party simulation tools using network sockets. Several techniques for interfacing black-box applet models to external simulators are described.
@article{WM_IPEVALJAVAAPPLETS03,
author = {Michael J. Wirthlin and Brian McMurtrey},
title = {Web-based {IP} evaluation and distribution using applets},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
volume = {22},
number = {8},
year = {2003},
pages = {985--994},
www_section = {secure IP, FPGA},
url = {http://ieeexplore.ieee.org/iel5/43/27332/01214857.pdf},
}
David Kessner: "Copy protection for SRAM based FPGA designs", 2000.
@manual{Kessner_CopyProtectionFPGA_WEB00,
author = {David Kessner},
title = {Copy protection for {SRAM} based {FPGA} designs},
organization = {},
edition = {},
month = {May},
year = {2000},
key = {},
www_section = {secure IP, FPGA},
url = {http://web.archive.org/web/20031010002149/http://free-ip.com/copyprotection.html},
}
Kun-Wah Yip and Tung-Sang Ng: "Partial-encryption technique for intellectual property protection of FPGA-based products", 2000.
@article{YN_IEEETCE00,
author = {Kun-Wah Yip and Tung-Sang Ng},
title = {Partial-encryption technique for intellectual property protection of {FPGA}-based products},
journal = {IEEE Transactions on Consumer Electronics},
volume = {46},
number = {1},
year = {2000},
pages = {183--190},
month = {February},
www_section = {secure IP, FPGA},
url = {http://ieeexplore.ieee.org/iel5/30/17888/00826397.pdf},
}
Andrew Dauman: "An open IP encryption flow permits industry-wide interoperability", 2006.
@manual{SYNPLICITY_ENCIPFLOW_06,
author = {Andrew Dauman},
title = {An open {IP} encryption flow permits industry-wide interoperability},
organization = {Synplicity, Inc.},
edition = {},
month = {June},
year = {2006},
key = {},
www_section = {secure IP, FPGA},
url = {http://www.synplicity.com/literature/whitepapers/pdf/ip_encryption_wp.pdf},
}
Virtual Socket Interface Alliance: "Virtual Socket Interface Alliance", 2007.
Abstract. The VSIA is an open organization developing SoC, IP and reuse standards to enhance the productivity of SoC design.
@manual{VSIA_WEB07,
author = {{Virtual Socket Interface Alliance}},
title = {{Virtual Socket Interface Alliance}},
month = {February},
year = {2007},
www_section = {secure IP},
url = {http://www.vsi.org/},
}
Ron Wilson: "Panel unscrambles intellectual property encryption issues", 2007.
@manual{EDN_IPENCPANEL_07,
author = {Ron Wilson},
title = {Panel unscrambles intellectual property encryption issues},
organization = {},
edition = {},
month = {January},
year = {2007},
key = {},
www_section = {secure IP},
url = {http://www.edn.com/article/CA6412249.html},
}
Ron Wilson: "Silicon intellectual property panel puzzles selection process", 2007.
@manual{EDN_IPSELECTIONPANEL_07,
author = {Ron Wilson},
title = {Silicon intellectual property panel puzzles selection process},
organization = {},
edition = {},
month = {February},
year = {2007},
key = {},
www_section = {secure IP},
url = {http://www.edn.com/article/CA6412358.html},
}
Intellectual property protection: schemes, alternatives and discussion: "Intellectual property protection: schemes, alternatives and discussion", 2001.
Abstract. Various solutions exist for protection of virtual components (VCs), but not all are equally applicable to each type of VC. Trade-offs exist between the value (perceived or real) of the VC, difficulty of implementation of the protection scheme, and the resulting usability of the protected VC by both the integrator and the end user. This paper briefly discusses and introduces known technologies and mechanisms that support the broad spectrum of VC types, sources of VCs, and business requirements for VC users and providers.
@manual{VSIA01,
author = {{Intellectual property protection: schemes, alternatives and discussion}},
title = {Intellectual property protection: schemes, alternatives and discussion},
organization = {Virtual Socket Interface Alliance, Intellectual Property Protection Development Working Group},
edition = {},
month = {January},
year = {2001},
key = {},
www_section = {secure IP},
url = {http://www.quicklogic.com/images/ip_protection.pdf},
}

side-channel analysis

Stefan Mangard, Elisabeth Oswald and Thomas Popp: "Power analysis attacks: Revealing the secrets of smart cards", 2007.
Abstract. The book "Power Analysis Attacks - Revealing the Secrets of Smartcards" is the first book that provides a comprehensive introduction to power analysis attacks and countermeasures. It discusses and compares all kinds of attacks and countermeasures that have been published so far.
The book is intended for DPA starters and practitioners. It starts by discussing cryptographic devices, how they are built, and why their power consumption leaks information about their internal data. Then, it discusses how this power consumption can be characterized in a statistical manner, what type of statistics are useful and how the statistics are related to one of the most important practical issues: how many measurements are needed in power analysis attacks. The core of the book is two chapters that discuss simple and differential power analysis attacks in detail. Finally, the book covers countermeasures such as masking and hiding, including special logic styles and also attacks on countermeasures, such as higher-order attacks.
@book{MangardOP_DPABook_07,
author = {Stefan Mangard and Elisabeth Oswald and Thomas Popp},
title = {Power analysis attacks: Revealing the secrets of smart cards},
year = {2007},
isbn = {978-0-387-30857-9},
publisher = {Springer-Verlag},
address = {Secaucus, NJ, USA},
www_section = {side-channel analysis},
url = {http://www.dpabook.org/},
}
Francois-Xavier Standaert, Loic van Oldeneel tot Oldenzeel, David Samyde and Jean-Jacques Quisquater: "Differential power analysis of FPGAs: How practical is the attack?", 2003.
Abstract. Recent developments in information technologies made the secure transmission of digital data a critical design point. Large data flows have to be exchanged securely and involve encryption rates that sometimes may require hardware implementations. Reprogrammable devices such as Field Programmable Gate Arrays are highly attractive solutions for hardware implementations of encryption algorithms and several papers underline their growing performances and flexibility for any digital processing application. Although cryptosystem designers frequently assume that secret parameters will be manipulated in closed reliable computing environments, Kocher et al. stressed in 1998 that actual computers and microchips leak information correlated with the data handled. Side-channel attacks based on time, power and electromagnetic measurements were successfully applied to the smart card technology, but we have no knowledge of any attempt to implement them against FPGAs. This paper examines how monitoring power consumption signals might breach FPGA-security. We propose first experimental results against FPGA-implementations of cryptographic algorithms in order to confirm that power analysis has to be considered as a serious threat for FPGA security. We also highlight certain features of FPGAs that increase their resistance against side-channel attacks.
@inproceedings{StandaertOSQ_FPGAPAPractical_FPL03,
author = {Fran{\c{c}}ois-Xavier Standaert and Lo{\"{i}}c van Oldeneel tot Oldenzeel and David Samyde and Jean-Jacques Quisquater},
title = {Differential power analysis of {FPGA}s: How practical is the attack?},
booktitle = {Field Programmable Logic and Applications},
month = {September},
year = {2003},
pages = {701--709},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis, FPGA},
url = {http://www.springerlink.com/content/lgvq5dy9x37v1d7x/},
}
Li Shang, Alireza S. Kaviani and Kusuma Bathala: "Dynamic power consumption in Virtex-II FPGA family", 2002.
Abstract. This paper analyzes the dynamic power consumption in the fabric of Field Programmable Gate Arrays (FPGAs) by taking advantage of both simulation and measurement. Our target device is the Xilinx Virtex-II family, which contains the most recent and largest programmable fabric. We identify important resources in the FPGA architecture and obtain their utilization, using a large set of real designs. Then, using a number of representative case studies we calculate the switching activity corresponding to each resource. Finally, we combine effective capacitance of each resource with its utilization and switching activity to estimate its share of power consumption. According to our results, the power dissipation shares of routing, logic and clocking resources are 60 percent, 16 percent, and 14 percent, respectively. Also, we concluded that dynamic power dissipation of a Virtex-II CLB is 5.9 µW per MHz for typical designs, but it may vary significantly depending on the switching activity.
@inproceedings{ShangKB_DynamicPowerV2_FPGA02,
author = {Li Shang and Alireza S. Kaviani and Kusuma Bathala},
title = {Dynamic power consumption in {Virtex-II FPGA} family},
booktitle = {Field Programmable Gate Arrays Symposium},
year = {2002},
isbn = {1-58113-452-5},
pages = {157--164},
location = {Monterey, California, USA},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {side-channel analysis, FPGA},
url = {http://post.queensu.ca/~shangl/papers/shang02feb.pdf},
}
Francois-Xavier Standaert, Siddika Berna Ors and Bart Preneel: "Power analysis of an FPGA implementation of Rijndael: is pipelining a DPA countermeasure?", 2004.
Abstract. Since their publication in 1998, power analysis attacks have attracted significant attention within the cryptographic community. So far, they have been successfully applied to different kinds of (unprotected) implementations of symmetric and public-key encryption schemes. However, most published attacks apply to smart cards and only a few publications assess the vulnerability of hardware implementations. In this paper we investigate the vulnerability of Rijndael FPGA (Field Programmable Gate Array) implementations to power analysis attacks. The design used to carry out the experiments is an optimized architecture with high clock frequencies, presented at CHES 2003. First, we provide a clear discussion of the hypothesis used to mount the attack. Then, we propose theoretical predictions of the attacks that we confirmed experimentally, which are the first successful experiments against an FPGA implementation of Rijndael. In addition, we evaluate the effect of pipelining and unrolling techniques in terms of resistance against power analysis. We also emphasize how the efficiency of the attack significantly depends on the knowledge of the design.
@inproceedings{StandaertBOP_PowerAnalysisFPGAAES_CHES04,
author = {Fran{\c{c}}ois-Xavier Standaert and Siddika Berna {\"{O}}rs and Bart Preneel},
title = {Power analysis of an {FPGA} implementation of {Rijndael}: is pipelining a {DPA} countermeasure?},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {3156},
isbn = {978-3-540-22666-6},
month = {August},
year = {2004},
pages = {30--44},
publisher = {Springer},
address = {London, UK},
www_section = {side-channel analysis, FPGA},
url = {http://www.springerlink.com/content/00ylcvw3rh7nwded/},
}
Francois-Xavier Standaert, Siddika Berna Ors, Jean-Jacques Quisquater and Bart Preneel: "Power analysis attacks against FPGA implementations of the DES", 2004.
Abstract. Cryptosystem designers frequently assume that secret parameters will be manipulated in tamper resistant environments. However, physical implementations can be extremely difficult to control and may result in the unintended leakage of side-channel information. In power analysis attacks, it is assumed that the power consumption is correlated to the data that is being processed. An attacker may therefore recover secret information by simply monitoring the power consumption of a device. Several articles have investigated power attacks in the context of smart card implementations. While FPGAs are becoming increasingly popular for cryptographic applications, there are only a few articles that assess their vulnerability to physical attacks. In this article, we demonstrate the specific properties of FPGAs w.r.t. Differential Power Analysis (DPA). First we emphasize that the original attack by Kocher et al. and the improvements by Brier et al. do not apply directly to FPGAs because their physical behavior differs substantially from that of smart cards. Then we generalize the DPA attack to FPGAs and provide strong evidence that FPGA implementations of the Data Encryption Standard (DES) are vulnerable to such attacks.
@inproceedings{StandaertBOQP_PowerAnalysisFPGADES_FPL04,
author = {Fran{\c{c}}ois-Xavier Standaert and Siddika Berna {\"{O}}rs and Jean-Jacques Quisquater and Bart Preneel},
title = {Power analysis attacks against {FPGA} implementations of the {DES}},
booktitle = {Field Programmable Logic and Applications},
month = {August},
year = {2004},
pages = {84--94},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis, FPGA},
url = {http://www.springerlink.com/content/j6ru6h2a0jcw9vc3/},
}
Francois-Xavier Standaert, Francois Mace, Eric Peeters and Jean-Jacques Quisquater: "Updates on the security of FPGAs against power analysis attacks", 2006.
Abstract. This paper reports on the security of cryptographic algorithms implemented on FPGAs against power analysis attacks. We first present some improved experiments against these reconfigurable devices, due to an improved measurement process. Although it is usually believed that FPGAs are noisy targets for such attacks, it is shown that simple power consumption models can nearly perfectly correlate with actual measurements. Then, we evaluate how these correlation values depend on the resources used in the FPGAs. Finally, we investigate the possibility to counteract these attacks by using random pre-charges in the devices and determine how this technique allows a designer to increase the security of an implementation. These results confirm that side-channel attacks present a serious threat for most microelectronic devices, including FPGAs. To conclude, we discuss the security vs. efficiency tradeoffs.
@inproceedings{StandaertMP_FPGAPAUpdade_ARC06,
author = {Fran{\c{c}}ois-Xavier Standaert and Fran{\c{c}}ois Mace and Eric Peeters and Jean-Jacques Quisquater},
title = {Updates on the security of {FPGAs} against power analysis attacks},
booktitle = {Reconfigurable Computing: Architectures and Applications},
series = {LNCS},
volume = {3985},
year = {2006},
pages = {335--346},
www_section = {side-channel analysis, FPGA},
url = {http://www.springerlink.com/content/d38271pw36628h1r},
}
Eric Peeters, Francois-Xavier Standaert and Jean-Jacques Quisquater: "Power and electromagnetic analysis: Improved model, consequences and comparisons", 2006.
Abstract. Since their publication in 1998 and 2001 respectively, Power and Electromagnetic Analysis (SPA, DPA, EMA) have been successfully used to retrieve secret information stored in cryptographic devices. Both attacks usually model the side-channel leakages using the so-called "Hamming weight" and "Hamming distance" models, i.e. they only consider the number of bit transitions in a device as an image of its leakage. In these models, the main difference between power and electromagnetic analysis is assumed to be the fact that the latter allows space localization (i.e. to observe the leakage of only a part of the cryptographic device). In this paper, we make use of a more accurate leakage model for CMOS devices and investigate its consequences. In particular, we show that it is practically feasible to distinguish between 0 -> 1 and 1 -> 0 bit transitions in certain implementations and that electromagnetic analysis is particularly efficient in this respect. We denote this model as the "switching distance" leakage model and show how it may be very helpful to defeat some commonly used countermeasures (e.g. data buses precharged with random values). Then, we compare the different models and stress their respective constraints/advantages regarding practical attacks.
@article{PeetersSQ_PEMA_ImprovedModel_VLSI06,
author = {Eric Peeters and Fran{\c{c}}ois-Xavier Standaert and Jean-Jacques Quisquater},
title = {Power and electromagnetic analysis: Improved model, consequences and comparisons},
journal = {Special Issue of Integration, The VLSI Journal: Embedded Cryptographic Hardware},
year = {2006},
keywords = {Cryptographic Hardware, Side-Channel Attacks, Leakage Models},
www_section = {side-channel analysis},
url = {http://www.dice.ucl.ac.be/crypto/files/publications/pdf252.pdf},
}
Francois-Xavier Standaert, Eric Peeters, Gael Rouvroy and Jean-Jacques Quisquater: "An overview of power analysis attacks against Field Programmable Gate Arrays", 2006.
Abstract. Since their introduction by Kocher in 1998, power analysis attacks have attracted significant attention within the cryptographic community. While early works in the field mainly threatened the security of smart cards and simple processors, several recent publications have shown the vulnerability of hardware implementations as well. In particular, field programmable gate arrays are attractive options for hardware implementation of encryption algorithms, but their security against power analysis is a serious concern, as we discuss in this paper. For this purpose, we present recent results of attacks attempted against standard encryption algorithms, provide a theoretical estimation of these attacks based on simple statistical parameters and evaluate the cost and security of different possible countermeasures.
@article{StandaertPRQ_PowerAnalysisFPGA_IEEE06,
author = {Fran{\c{c}}ois-Xavier Standaert and Eric Peeters and Ga{\"{e}}l Rouvroy and Jean-Jacques Quisquater},
title = {An overview of power analysis attacks against Field Programmable Gate Arrays},
journal = {Proceedings of the IEEE},
year = {2006},
month = {February},
volume = {94},
number = {2},
pages = {383--394},
www_section = {side-channel analysis, FPGA},
url = {http://ieeexplore.ieee.org/iel5/5/33381/01580507.pdf},
}
Kris Tiri and Ingrid Verbauwhede: "Synthesis of secure FPGA implementations", 2004.
Abstract. This paper describes the synthesis of Dynamic Differential Logic to increase the resistance of FPGA implementations against Differential Power Analysis. The synthesis procedure is developed and a detailed description is given of how EDA tools should be used appropriately to implement a secure digital design flow. Compared with an existing technique to implement Dynamic Differential Logic on FPGA, the technique saves a factor 2 in slice utilization. Experimental results also indicate that a secure version of the AES encryption algorithm can now be implemented with a mere 50 percent increase in time delay and 90 percent increase in slice utilization when compared with a normal non-secure single ended implementation.
@inproceedings{TiriVerbauwhede_FPGASecureSynthesis_IWLS04,
author = {Kris Tiri and Ingrid Verbauwhede},
title = {Synthesis of secure {FPGA} implementations},
booktitle = {International Workshop on Logic and Synthesis},
year = {2004},
pages = {224--231},
publisher = {},
www_section = {side-channel analysis, FPGA},
url = {http://eprint.iacr.org/2004/068.pdf},
}
Vincent Carlier, Herve Chabanne, Emmanuelle Dottax and Herve Pelletier: "Electromagnetic side channels of an FPGA implementation of AES", 2004.
Abstract. We show how to attack an FPGA implementation of AES where all bytes are processed in parallel using differential electromagnetic analysis. We first focus on exploiting local side channels to isolate the behaviour of our targeted byte. Then, generalizing the Square attack, we describe a new way of retrieving information, mixing algebraic properties and physical observations.
@article{CarlierCDP_EMAFPGAAES_IACR04,
author = {Vincent Carlier and Herv{\'{e}} Chabanne and Emmanuelle Dottax and Herv{\'{e}} Pelletier},
title = {Electromagnetic side channels of an {FPGA} implementation of {AES}},
journal = {Cryptology ePrint Archive},
year = {2004},
number = {145},
www_section = {side-channel analysis, FPGA},
url = {http://eprint.iacr.org/2004/145.pdf},
}
Nam Sung Kim, Todd Austin, David Blaauw, Trevor Mudge, Krisztian Flautner, Jie S. Hu, Mary Jane Irwin, Mahmut Kandemir and Vijaykrishnan Narayanan: "Leakage Current: Moore's Law Meets Static Power", 2003.
Abstract. Power consumption is now the major technical problem facing the semiconductor industry. In comments on this problem at the 2002 International Electron Devices Meeting, Intel chairman Andrew Grove cited off-state current leakage in particular as a limiting factor in future microprocessor integration. Off-state leakage is static power, current that leaks through transistors even when they are turned off. It is one of two principal sources of power dissipation in today’s microprocessors. The other is dynamic power, which arises from the repeated capacitance charge and discharge on the output of the hundreds of millions of gates in today’s chips. Until very recently, only dynamic power has been a significant source of power consumption, and Moore’s law has helped to control it. Shrinking processor technology has allowed and, below 100 nanometers, actually required reducing the supply voltage. Dynamic power is proportional to the square of supply voltage, so reducing the voltage significantly reduces power consumption. Unfortunately, smaller geometries exacerbate leakage, so static power begins to dominate the power consumption equation in microprocessor design.
@article{SungABM+_MooreStaticPower_IEEE03,
author = {Nam Sung Kim and Todd Austin and David Blaauw and Trevor Mudge and Kriszti{\'{a}}n Flautner and Jie S. Hu and Mary Jane Irwin and Mahmut Kandemir and Vijaykrishnan Narayanan},
title = {Leakage Current: Moore's Law Meets Static Power},
journal = {Computer},
volume = {36},
number = {12},
year = {2003},
issn = {0018-9162},
pages = {68--75},
publisher = {IEEE Computer Society Press},
address = {Los Alamitos, CA, USA},
www_section = {side-channel analysis},
url = {http://www.ece.northwestern.edu/~rjoseph/ece510-fall2005/papers/static_power.pdf},
}
Stefan Mangard: "Hardware countermeasures against DPA -- a statistical analysis of their effectiveness", 2004.
Abstract. Many hardware countermeasures against differential power analysis (DPA) attacks have been developed during the last years. Designers of cryptographic devices using such countermeasures to protect their devices have the challenging task to select and implement a suitable combination of countermeasures. Every device has different requirements, and so there is no universal solution to protect devices against DPA attacks. In this article, a statistical approach is pursued to determine the effect of hardware countermeasures on the number of samples needed in DPA attacks. This approach results in a calculation method that enables designers to assess the resistance of their devices against DPA attacks throughout the design process. This way, different combinations of countermeasures can be easily compared and costly design iterations can be avoided.
@inproceedings{Mangard_HWDPACOUNTER_RSA04,
author = {Stefan Mangard},
title = {Hardware countermeasures against {DPA} -- a statistical analysis of their effectiveness},
booktitle = {RSA Conference},
month = {February},
year = {2004},
editor = {Tatsuaki Okamoto},
volume = {2964},
series = {LNCS},
pages = {222--235},
publisher = {Springer},
www_section = {side-channel analysis},
url = {http://www.iaik.tugraz.at/research/sca-lab/publications/pdf/Mangard2004HardwareCountermeasuresagainst.pdf},
}
Karine Gandolfi, Christophe Mourtel and Francis Olivier: "Electromagnetic analysis: Concrete results", 2001.
Abstract. Although the possibility of attacking smart-cards by analyzing their electromagnetic power radiation repeatedly appears in research papers, all accessible references evade the essence of reporting conclusive experiments where actual cryptographic algorithms such as DES or RSA were successfully attacked.
This work describes electromagnetic experiments conducted on three different CMOS chips, featuring different hardware protections and executing a DES, an alleged COMP128 and an RSA. In all cases the complete key material was successfully retrieved.
@inproceedings{GandolfiMO_EMAConcreteResults_CHES01,
author = {Karine Gandolfi and Christophe Mourtel and Francis Olivier},
title = {Electromagnetic analysis: Concrete results},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
month = {May},
year = {2001},
series = {LNCS},
volume = {2162},
isbn = {3-540-42521-7},
pages = {251--261},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis},
url = {http://www.gemplus.com/smart/rd/publications/pdf/GMO01ema.pdf},
}
Elke De Mulder, Pieter Buysschaert, Siddika Berna Ors, Peter Delmotte, Bart Preneel, Guy Vandenbosch and Ingrid Verbauwhede: "Electromagnetic analysis attack on an FPGA implementation of an elliptic curve cryptosystem", 2005.
Abstract. This paper presents simple (SEMA) and differential (DEMA) electromagnetic analysis attacks on an FPGA implementation of an elliptic curve processor. Elliptic curve cryptography is a public key cryptosystem that is becoming increasingly popular. Implementations of cryptographic algorithms should not only be fast, compact and power efficient, but they should also resist side channel attacks. One of the side channels is the electromagnetic radiation out of an integrated circuit. Hence it is very important to assess the vulnerability of implementations of cryptosystems against these attacks. A SEMA attack on an unprotected implementation can find all the key bits with only one measurement. We also describe a DEMA attack on an improved implementation and demonstrate that a correlation analysis requires 1000 measurements to find the key bits.
@inproceedings{DeMulderBOD+_EMAFPGA_ECC05,
author = {Elke {De Mulder} and Pieter Buysschaert and Siddika Berna {\"{O}}rs and Peter Delmotte and Bart Preneel and Guy Vandenbosch and Ingrid Verbauwhede},
title = {Electromagnetic analysis attack on an {FPGA} implementation of an elliptic curve cryptosystem},
booktitle = {EUROCON: Proceedings of the International Conference on ``Computer as a tool''},
month = {November},
year = {2005},
isbn = {},
pages = {1879--1882},
publisher = {},
address = {},
www_section = {side-channel analysis, FPGA},
url = {http://www.sps.ele.tue.nl/members/m.j.bastiaans/spc/demulder.pdf},
}
Elke De Mulder, Siddika Berna Ors, Bart Preneel and Ingrid Verbauwhede: "Differential electromagnetic attack on an FPGA implementation of elliptic curve cryptosystems", 2006.
Abstract. This paper describes a differential electromagnetic analysis attack performed on a hardware implementation of an elliptic curve cryptosystem. We describe the use of the distance of mean test. The number of measurements needed to get a clear idea of the right guess of the key-bit is taken as indication of the success of the attack. We can find the right key-bit by using only 2000 measurements. Also we give an electromagnetic model for the FPGA we use in our experiments. The amplitude, the direction and the position of the current on the FPGA's lines with respect to the position of the antenna have an influence on the measured electromagnetic radiation in the FPGA's surrounding area.
@inproceedings{DeMulderOPW_DEMAFPGA_ECC06,
author = {Elke {De Mulder} and Siddika Berna {\"{O}}rs and Bart Preneel and Ingrid Verbauwhede},
title = {Differential electromagnetic attack on an {FPGA} implementation of elliptic curve cryptosystems},
booktitle = {World Automation Congress},
month = {July},
year = {2006},
isbn = {},
pages = {},
publisher = {},
address = {},
www_section = {side-channel analysis, FPGA},
url = {https://www.cosic.esat.kuleuven.be/publications/article-737.pdf},
}
Jean-Jacques Quisquater and David Samyde: "ElectroMagnetic Analysis (EMA): Measures and counter-measures for smart cards", 2001.
Abstract. A processor can leak information in different ways; electromagnetic radiation could be one of them. This idea was first introduced by Kocher, with timing and power measurements. Here we developed the continuation of his ideas by measuring the field radiated by the processor. Therefore we show that the electromagnetic attack obtains at least the same result as power consumption and consequently must be carefully taken into account. Finally we enumerate countermeasures to be implemented.
@inproceedings{QuisquaterSamyde_SmartCardEMAttack_EMA01,
author = {Jean-Jacques Quisquater and David Samyde},
title = {{ElectroMagnetic Analysis (EMA)}: Measures and counter-measures for smart cards},
booktitle = {{E-SMART}: Proceedings of the International Conference on Research in Smart Cards},
year = {2001},
isbn = {3-540-42610-8},
pages = {200--210},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis},
url = {http://www.springerlink.com/content/chmydkq8x5tgdrce/fulltext.pdf},
}
Paul C. Kocher, Joshua Jaffe and Benjamin Jun: "Differential power analysis", 1999.
Abstract. Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.
@inproceedings{KocherJJ_DPA_CRYPTO99,
author = {Paul C. Kocher and Joshua Jaffe and Benjamin Jun},
title = {Differential power analysis},
booktitle = {Cryptology Conference on Advances in Cryptology},
year = {1999},
series = {LNCS},
volume = {1666},
isbn = {3-540-66347-9},
pages = {388--397},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis},
url = {http://www.cryptography.com/resources/whitepapers/DPA.pdf},
}
Paul C. Kocher: "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems", 1996.
Abstract. By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.
@inproceedings{Kocher_TimingAttacks_CRYPTO96,
author = {Paul C. Kocher},
title = {Timing attacks on implementations of {Diffie-Hellman}, {RSA}, {DSS}, and other systems},
booktitle = {Cryptology Conference on Advances in Cryptology},
year = {1996},
series = {LNCS},
volume = {1109},
isbn = {3-540-61512-1},
pages = {104--113},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis},
url = {http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf},
}
Jean-Francois Dhem, Francois Koeune, Philippe-Alexandre Leroux, Patrick Mestre, Jean-Jacques Quisquater and Jean-Louis Willems: "A practical implementation of the timing attack", 1998.
Abstract. When the running time of a cryptographic algorithm is non-constant, timing measurements can leak information about the secret key. This idea, first publicly introduced by Kocher, is developed here to attack an earlier version of the CASCADE smart card. We propose several improvements on Kocher's ideas, leading to a practical implementation that is able to break a 512-bit key in a few minutes, provided we are able to collect 300 000 timing measurements (128-bit keys can be recovered in a few seconds using a personal computer and less than 10 000 samples). We therefore show that the timing attack represents an important threat against cryptosystems, which must be very seriously taken into account.
@inproceedings{DhemKLMQW_TimingAttack_UCL98,
author = {Jean-Francois Dhem and Francois Koeune and Philippe-Alexandre Leroux and Patrick Mestr{\'{e}} and Jean-Jacques Quisquater and Jean-Louis Willems},
title = {A practical implementation of the timing attack},
booktitle = {{CARDIS}},
pages = {167--182},
year = {1998},
www_section = {side-channel analysis},
url = {http://users.belgacom.net/dhem/papers/CG1998_1.pdf},
}
Dakshi Agrawal, Bruce Archambeault, Josyula R. Rao and Pankaj Rohatgi: "The EM side-channel(s): Attacks and assessment methodologies", 2001.
Abstract. We present a systematic investigation of the leakage of compromising information via electromagnetic (EM) emanations from chipcards and other devices. This information leakage differs substantially from and is more powerful than the leakage from other conventional side-channels such as timing and power. EM emanations are shown to consist of a multiplicity of compromising signals, each leaking somewhat different information. Our experimental results confirm that these signals could individually contain enough leakage to break cryptographic implementations and to defeat countermeasures against other side-channels such as power. Using techniques from Signal Detection Theory, we also show that generalized and far more devastating attacks can be constructed from an effective pooling of leakages from multiple signals derived from EM emanations.
The magnitude of EM exposure demands a leakage assessment methodology whose correctness can be rigorously proved. We define a model that completely and quantitatively bounds the information leaked from multiple (or all available) EM side-channel signals in CMOS devices and use that to develop a practical assessment methodology for devices such as chipcards.
@techreport{AgrawalARR_EMSideChannels_IBMEM01,
author = {Dakshi Agrawal and Bruce Archambeault and Josyula R. Rao and Pankaj Rohatgi},
title = {The {EM} side-channel(s): Attacks and assessment methodologies},
institution = {IBM Watson Research Center},
number = {2001/037},
year = {2001},
www_section = {side-channel analysis},
url = {http://www.research.ibm.com/intsec/emf-paper.ps},
}
Dakshi Agrawal, Bruce Archambeault, Josyula R. Rao and Pankaj Rohatgi: "The EM side-channel(s)", 2002.
Abstract. We present results of a systematic investigation of leakage of compromising information via electromagnetic (EM) emanations from CMOS devices. These emanations are shown to consist of a multiplicity of signals, each leaking somewhat different information about the underlying computation. We show that not only can EM emanations be used to attack cryptographic devices where the power side-channel is unavailable, they can even be used to break power analysis countermeasures.
@inproceedings{AgrawalARR_SmartCardEMA_CHES02,
author = {Dakshi Agrawal and Bruce Archambeault and Josyula R. Rao and Pankaj Rohatgi},
title = {The {EM} side-channel(s)},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
month = {August},
year = {2002},
series = {LNCS},
volume = {2523},
isbn = {3-540-00409-2},
pages = {29--45},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis},
url = {http://www.springerlink.com/content/mvtxbq9qa287g7c6/},
}
Thomas S. Messerges: "Power analysis attack countermeasures and their weaknesses", 2000.
Abstract. The basic concepts of power analysis attacks are reviewed. Various countermeasures against these attacks are presented and their weaknesses are discussed. One promising software countermeasure that uses random masks is more thoroughly investigated. A second-order attack against this countermeasure is introduced and an optimal decision threshold is discussed.
@inproceedings{Messerges_PACountermeasures_00,
author = {Thomas S. Messerges},
title = {Power analysis attack countermeasures and their weaknesses},
booktitle = {Communications, Electromagnetics, Propagation and Signal Processing Workshop},
year = {2000},
month = {},
isbn = {},
pages = {},
location = {},
publisher = {},
address = {},
key = {},
www_section = {side-channel analysis},
url = {http://www.iccip.csl.uiuc.edu/conf/ceps/2000/messerges.pdf},
}
Siddika Berna Ors, Elisabeth Oswald and Bart Preneel: "Power-analysis attacks on an FPGA --- first experimental results", 2003.
Abstract. Field Programmable Gate Arrays (FPGAs) are becoming increasingly popular, especially for rapid prototyping. For implementations of cryptographic algorithms, not only the speed and the size of the circuit are important, but also their security against implementation attacks such as side-channel attacks. Power-analysis attacks are typical examples of side-channel attacks, that have been demonstrated to be effective against implementations without special countermeasures. The flexibility of FPGAs is an important advantage in real applications but also in lab environments. It is therefore natural to use FPGAs to assess the vulnerability of hardware implementations to power-analysis attacks. To our knowledge, this paper is the first to describe a setup to conduct power-analysis attacks on FPGAs. We discuss the design of our hand-made FPGA-board and we provide a first characterization of the power consumption of a Virtex 800 FPGA. Finally we provide strong evidence that implementations of elliptic curve cryptosystems without specific countermeasures are indeed vulnerable to simple power-analysis attacks.
@inproceedings{OrsOP_PAFPGAFirstResults_CHES03,
author = {Siddika Berna {\"{O}}rs and Elisabeth Oswald and Bart Preneel},
title = {Power-analysis attacks on an {FPGA} --- first experimental results},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {2779},
pages = {35--50},
month = {September},
year = {2003},
publisher = {Springer-Verlag},
isbn = {978-3-540-40833-8},
address = {London, UK},
www_section = {side-channel analysis, FPGA},
url = {http://www.iaik.tugraz.at/Research/sca-lab/publications/pdf/Ors2003Power-AnalysisAttackson.pdf},
}
Marco Bucci, Luca Giancane, Raimondo Luzzi, Giuseppe Scotti and Alessandro Trifiletti: "Enhancing power analysis attacks against cryptographic devices", 2006.
Abstract. A novel current measuring technique is introduced which promises to substantially enhance power analysis attacks against cryptographic co-processors. The proposed technique exploits an active circuit to measure the instantaneous current consumption of a device under attack while supplying, at the same time, the device with a stable voltage. Higher gain-bandwidth product, higher sensitivity and lower insertion error are the main advantages with respect to a resistor-based measurement. Experimental results when the proposed circuit is used to measure the current consumption of an FPGA are reported and the achievable advantage in terms of sensitivity is discussed too.
@inproceedings{BucciGLST_PAActiveSample_ISCAS06,
author = {Marco Bucci and Luca Giancane and Raimondo Luzzi and Giuseppe Scotti and Alessandro Trifiletti},
title = {Enhancing power analysis attacks against cryptographic devices},
booktitle = {Circuits and Systems Symposium},
month = {May},
year = {2006},
www_section = {side-channel analysis},
url = {http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1693232},
}
Markus G. Kuhn: "Compromising emanations: eavesdropping risks of computer displays", 2003.
Abstract. Electronic equipment can emit unintentional signals from which eavesdroppers may reconstruct processed data at some distance. This has been a concern for military hardware for over half a century. The civilian computer-security community became aware of the risk through the work of van Eck in 1985. Military “Tempest” shielding test standards remain secret and no civilian equivalents are available at present. The topic is still largely neglected in security textbooks due to a lack of published experimental data.
This report documents eavesdropping experiments on contemporary computer displays. It discusses the nature and properties of compromising emanations for both cathode-ray tube and liquid-crystal monitors. The detection equipment used matches the capabilities to be expected from well-funded professional eavesdroppers. All experiments were carried out in a normal unshielded office environment. They therefore focus on emanations from display refresh signals, where periodic averaging can be used to obtain reproducible results in spite of varying environmental noise.
Additional experiments described in this report demonstrate how to make information emitted via the video signal more easily receivable, how to recover plaintext from emanations via radio-character recognition, how to estimate remotely precise video-timing parameters, and how to protect displayed text from radio-frequency eavesdroppers by using specialized screen drivers with a carefully selected video card. Furthermore, a proposal for a civilian radio-frequency emission-security standard is outlined, based on path-loss estimates and published data about radio noise levels.
Finally, a new optical eavesdropping technique is demonstrated that reads CRT displays at a distance. It observes high-frequency variations of the light emitted, even after diffuse reflection. Experiments with a typical monitor show that enough video signal remains in the light to permit the reconstruction of readable text from signals detected with a fast photosensor. Shot-noise calculations provide an upper bound for this risk.
@techreport{Kuhn_Tempest_CLTR577_03,
author = {Markus G. Kuhn},
title = {Compromising emanations: eavesdropping risks of computer displays},
institution = {University of Cambridge, Computer Laboratory},
year = {2003},
type = {},
number = {577},
address = {},
month = {December},
key = {},
www_section = {side-channel analysis},
url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf},
}
Dakshi Agrawal, Bruce Archambeault, Suresh Chari, Josyula R. Rao and Pankaj Rohatgi: "Advances in side-channel cryptanalysis, electromagnetic analysis and template attacks", 2003.
Abstract. We describe two recent advances which substantially increase the scope and power of side-channel cryptanalysis. The first advance is the exploitation of information leakage from electromagnetic emanations. The second advance, known as template attacks, is a superior data analysis technique which substantially reduces the number of side-channel samples needed for an attack. These advances pose a risk to all cryptographic implementations, including those immune against earlier side-channel attacks.
@article{AgrawalACRR_SideChannelAdvancements_RSA03,
author = {Dakshi Agrawal and Bruce Archambeault and Suresh Chari and Josyula R. Rao and Pankaj Rohatgi},
title = {Advances in side-channel cryptanalysis, electromagnetic analysis and template attacks},
institution = {RSA Laboratories},
year = {2003},
volume = {6},
number = {1},
month = {Spring},
key = {},
www_section = {side-channel analysis},
url = {http://researchweb.watson.ibm.com/people/a/agrawal/publications/CryptoBytes2003.pdf},
}
Dakshi Agrawal, Josyula R. Rao and Pankaj Rohatgi: "Multi-channel Attacks", 2003.
Abstract. We introduce multi-channel attacks, i.e., side-channel attacks which utilize multiple side-channels such as power and EM simultaneously. We propose an adversarial model which combines a CMOS leakage model and the maximum-likelihood principle for performing and analyzing such attacks. This model is essential for deriving the optimal and very often counter-intuitive techniques for channel selection and data analysis. We show that using multiple channels is better for template attacks by experimentally showing a three-fold reduction in the error probability. Developing sound countermeasures against multi-channel attacks requires a rigorous leakage assessment methodology. Under suitable assumptions and approximations, our model also yields a practical assessment methodology for net information leakage from the power and all available EM channels in constrained devices such as chip-cards. Classical DPA/DEMA style attacks assume an adversary weaker than that of our model. For this adversary, we apply the maximum-likelihood principle to design new and more efficient single and multiple-channel DPA/DEMA attacks.
@inproceedings{AdrawalRR_MultiChannelAttacks_CHES03,
author = {Dakshi Agrawal and Josyula R. Rao and Pankaj Rohatgi},
title = {Multi-channel Attacks},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {2779},
month = {September},
year = {2003},
pages = {2--16},
key = {},
www_section = {side-channel analysis},
url = {http://researchweb.watson.ibm.com/people/a/agrawal/publications/CryptoBytes2003.pdf},
}
Suresh Chari, Josyula R. Rao and Pankaj Rohatgi: "Template attacks", 2002.
Abstract. We present template attacks, the strongest form of side channel attack possible in an information theoretic sense. These attacks can break implementations and countermeasures whose security is dependent on the assumption that an adversary cannot obtain more than one or a limited number of side channel samples. They require that an adversary has access to an identical experimental device that he can program to his choosing. The success of these attacks in such constraining situations is due to the manner in which noise within each sample is handled. In contrast to previous approaches which viewed noise as a hindrance that had to be reduced or eliminated, our approach focuses on precisely modeling noise, and using this to fully extract information present in a single sample. We describe in detail how an implementation of RC4, not amenable to techniques such as SPA and DPA, can easily be broken using template attacks with a single sample. Other applications include attacks on certain DES implementations which use DPA-resistant hardware and certain SSL accelerators which can be attacked by monitoring electromagnetic emanations from an RSA operation even from distances of fifteen feet.
@inproceedings{ChariRR_TemplateAttacks_CHES03,
author = {Suresh Chari and Josyula R. Rao and Pankaj Rohatgi},
title = {Template attacks},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
month = {August},
year = {2002},
series = {LNCS},
volume = {2523},
isbn = {3-540-00409-2},
pages = {13--28},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {side-channel analysis},
url = {http://www.springerlink.com/content/7hr0n9vbc1le5a0u/},
}

hardware security

Dries Schellekens, Pim Tuyls and Bart Preneel: "Embedded trusted computing with authenticated non-volatile memory", 2008.
Abstract. Trusted computing is an emerging technology to improve the trustworthiness of computing platforms. The Trusted Computing Group has proposed specifications for a Trusted Platform Module and a Mobile Trusted Module. One of the key problems when integrating these trusted modules into an embedded system-on-chip design, is the lack of on-chip multiple-time-programmable non-volatile memory. In this paper, we describe a solution to protect the trusted module’s persistent state in external memory against non-invasive attacks. We introduce a minimal cryptographic protocol to achieve an authenticated channel between the trusted module and the external non-volatile memory. A MAC algorithm has to be added to the external memory to ensure authenticity. As a case study, we discuss trusted computing on reconfigurable hardware. In order to make our solution applicable to the low-end FPGA series which has no security measures on board, we present a solution that only relies on the reverse engineering complexity of the undocumented bitstream encoding and uses a physically unclonable function for one-time-programmable key storage. Clearly, this solution is also applicable to high-end series with special security measures on board. Our solution also supports field updates of the trusted module.
@inproceedings{SchellekensTP_EmbTrustedAuthNVM_TRUST08,
author = {Dries Schellekens and Pim Tuyls and Bart Preneel},
title = {Embedded trusted computing with authenticated non-volatile memory},
booktitle = {TRUST},
series = {LNCS},
volume = {4968},
isbn = {},
publisher = {Springer},
month = {},
year = {2008},
pages = {60--74},
www_section = {hardware security},
url = {http://www.cosic.esat.kuleuven.be/publications/article-1013.pdf},
}
Thomas Eisenbarth, Tim Guneysu, Christof Paar, Ahmad-Reza Sadeghi, Dries Schellekens and Marko Wolf: "Reconfigurable trusted computing in hardware", 2007.
Abstract. Trusted Computing (TC) is an emerging technology towards building trustworthy computing platforms. The Trusted Computing Group (TCG) has proposed several specifications to implement TC functionalities by extensions to common computing platforms, particularly the underlying hardware with a Trusted Platform Module (TPM).
However, actual TPMs are mostly available for workstations and servers nowadays and rather for specific domain applications and not primarily for embedded systems. Further, the TPM specifications are becoming monolithic and more complex while the applications demand a scalable and flexible usage of TPM functionalities.
In this paper we propose a reconfigurable (hardware) architecture with TC functionalities where we focus on TPMs as proposed by the TCG specifically designed for embedded platforms. Our approach allows for (i) an efficient and scalable design and update of TPM functionalities, in particular for hardware-based crypto engines and accelerators, (ii) establishing a minimal trusted computing base in hardware, (iii) including the TPM as well as its functionalities into the chain of trust that enables to bind sensitive data to the underlying reconfigurable hardware, and (iv) designing a manufacturer independent TPM. We discuss possible implementations based on current FPGAs and point out the associated challenges, in particular with respect to protection of the internal TPM state since it must not be subject to manipulation, replay, and cloning.
@inproceedings{EisenbarthGPSSW_ReconfigTCHardware_STC07,
author = {Thomas Eisenbarth and Tim G{\"{u}}neysu and Christof Paar and Ahmad-Reza Sadeghi and Dries Schellekens and Marko Wolf},
title = {Reconfigurable trusted computing in hardware},
booktitle = {Scalable Trusted Computing},
year = {2007},
isbn = {978-1-59593-888-6},
pages = {15--20},
location = {Alexandria, Virginia, USA},
publisher = {ACM},
www_section = {hardware security, FPGA},
url = {http://portal.acm.org/ft_gateway.cfm?id=1314360&type=pdf&coll=GUIDE&dl=GUIDE&CFID=60350097&CFTOKEN=96354864},
}
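Both abstracts above come down to the same engineering problem: a trusted module whose persistent state has to live in external memory, where an attacker can read, modify or replay it. The following added example (written for this list; it is not the protocol of either paper) sketches a nonce-based MAC exchange of the kind Schellekens, Tuyls and Preneel describe, and checks the three failure cases Eisenbarth et al. name, manipulation, replay and an unauthorised (forged) write, explicitly. The message layout, the choice of HMAC-SHA-256, the domain-separation labels, the write counter and the stand-in for a PUF-derived key are all assumptions.

```python
import hashlib
import hmac
import os
import struct


def _mac(key, label, nonce, counter, data):
    """Domain-separated MAC over everything the verifier must trust: message
    direction, freshness nonce, write counter and payload (constructed layout)."""
    return hmac.new(key, label + nonce + struct.pack(">I", counter) + data, hashlib.sha256).digest()


class AuthenticatedNVM:
    """External memory with its own MAC engine and write counter: a constructed
    model of the 'MAC algorithm added to the external memory' in the abstract."""

    def __init__(self, key, initial_state):
        self._key = key
        self.data = initial_state
        self.counter = 0

    def read(self, nonce):
        return self.data, self.counter, _mac(self._key, b"R", nonce, self.counter, self.data)

    def write(self, new_counter, data, tag):
        # Only a key holder can advance the state, and only by exactly one step.
        if new_counter != self.counter + 1:
            return False
        if not hmac.compare_digest(tag, _mac(self._key, b"W", b"", new_counter, data)):
            return False
        self.counter, self.data = new_counter, data
        return True


class TrustedModule:
    """On-chip module without multiple-time-programmable NVM: it holds only the
    (e.g. PUF-derived) key and volatile RAM."""

    def __init__(self, key, nvm):
        self._key = key
        self._nvm = nvm
        self._counter = None   # last counter seen while powered; lost at power-off

    def load_state(self, channel=None):
        """Read the persistent state. `channel` lets the demo place an attacker
        between module and memory; by default the memory is read directly."""
        nonce = os.urandom(16)   # fresh per read: a recorded old response cannot satisfy it
        data, counter, tag = (channel or self._nvm.read)(nonce)
        if not hmac.compare_digest(tag, _mac(self._key, b"R", nonce, counter, data)):
            raise ValueError("rejected: MAC mismatch (modified or replayed response)")
        if self._counter is not None and counter < self._counter:
            raise ValueError("rejected: counter went backwards (rollback)")
        self._counter = counter
        return data

    def store_state(self, data):
        new_counter = self._counter + 1
        tag = _mac(self._key, b"W", b"", new_counter, data)
        if self._nvm.write(new_counter, data, tag):
            self._counter = new_counter
            return True
        return False


def _rejected(module, channel):
    try:
        module.load_state(channel)
        return False
    except ValueError:
        return True


def demo():
    key = hashlib.sha256(b"stand-in for a PUF-derived key").digest()   # constructed
    v0, v1 = b"state-v0".ljust(32, b"\0"), b"state-v1".ljust(32, b"\0")
    nvm = AuthenticatedNVM(key, v0)
    module = TrustedModule(key, nvm)
    results = {"honest_read": module.load_state() == v0}
    stale = nvm.read(os.urandom(16))             # attacker records a response before the update
    results["honest_write"] = module.store_state(v1) and module.load_state() == v1
    results["replay_rejected"] = _rejected(module, lambda nonce: stale)

    def tamper(nonce):                            # attacker flips one bit on the bus
        data, counter, tag = nvm.read(nonce)
        return bytes([data[0] ^ 1]) + data[1:], counter, tag

    results["tamper_rejected"] = _rejected(module, tamper)
    results["forged_write_rejected"] = not nvm.write(nvm.counter + 1, b"\xff" * 32, b"\0" * 32)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "ok" if ok else "FAILED")
```

The rollback check only works while the module is powered, because the reference counter is volatile; across a power cycle the design relies on the memory refusing any write that does not carry a valid MAC. Substituting a cloned memory chip, which the abstracts also list, is not addressed by this exchange and is why the papers tie the key to a PUF.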
Ross J. Anderson, Mike Bond, Jolyon Clulow and Sergei P. Skorobogatov: "Cryptographic processors -- a survey", 2005.
Abstract. Tamper-resistant cryptographic processors are becoming the standard way to enforce data-usage policies. Their history began with military cipher machines, and hardware security modules that encrypt the PINs used by bank customers to authenticate themselves to ATMs. In both cases, the designers wanted to prevent abuse of data and key material should a device fall into the wrong hands. From these specialist beginnings, cryptoprocessors spread into devices such as prepayment electricity meters, and the vending machines that sell credit for them. In the 90s, tamper-resistant smartcards became integral to GSM mobile phone identification and to key management in pay-TV set-top boxes, while secure microcontrollers were used in remote key entry devices for cars. In the last five years, dedicated crypto chips have been embedded in devices from games console accessories to printer ink cartridges, to control product and accessory aftermarkets. The Trusted Computing initiative will soon embed cryptoprocessors in PCs so that they can identify each other remotely. This paper surveys the range of applications of tamper-resistant hardware, and the array of attack and defence mechanisms which have evolved in the tamper-resistance arms race.
@techreport{AndersonBCS_CryptoProcessors_CLTR05,
author = {Ross J. Anderson and Mike Bond and Jolyon Clulow and Sergei P. Skorobogatov},
title = {Cryptographic processors -- a survey},
institution = {University of Cambridge, Computer Laboratory},
year = {2005},
type = {},
number = {641},
address = {},
month = {August},
key = {},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-641.pdf},
}
Ross J. Anderson and Markus G. Kuhn: "Low cost attacks on tamper resistant devices", 1998.
Abstract. There has been considerable recent interest in the level of tamper resistance that can be provided by low cost devices such as smartcards. It is known that such devices can be reverse engineered using chip testing equipment, but a state of the art semiconductor laboratory costs millions of dollars. In this paper, we describe a number of attacks that can be mounted by opponents with much shallower pockets. Three of them involve special (but low cost) equipment: differential fault analysis, chip rewriting, and memory remanence. There are also attacks based on good old fashioned protocol failure which may not require any special equipment at all. We describe and give examples of each of these. Some of our attacks are significant improvements on the state of the art; others are useful cautionary tales. Together, they show that building tamper resistant devices, and using them effectively, is much harder than it looks.
@inproceedings{AndersonKuhn_LowCost_SP97,
author = {Ross J. Anderson and Markus G. Kuhn},
title = {Low cost attacks on tamper resistant devices},
booktitle = {International Workshop on Security Protocols},
year = {1998},
isbn = {3540640401},
pages = {125--136},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/~mgk25/tamper2.pdf},
}
Ross J. Anderson and Markus G. Kuhn: "Tamper resistance -- a cautionary note", 1996.
Abstract. An increasing number of systems, from pay-TV to electronic purses, rely on the tamper resistance of smartcards and other security processors. We describe a number of attacks on such systems - some old, some new and some that are simply little known outside the chip testing community. We conclude that trusting tamper resistance is problematic; smartcards are broken routinely, and even a device that was described by a government signals agency as `the most secure processor generally available' turns out to be vulnerable. Designers of secure systems should consider the consequences with care.
@inproceedings{AndersonKuhn_TamperCaution_USENIX96,
author = {Ross J. Anderson and Markus G. Kuhn},
title = {Tamper resistance -- a cautionary note},
booktitle = {USENIX Workshop on Electronic Commerce Proceedings},
address = {Oakland, CA},
isbn = {1880446839},
month = {November},
year = {1996},
pages = {1--11},
location = {Berkeley, California, US},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/~mgk25/tamper.pdf},
}
Oliver Kommerling and Markus G. Kuhn: "Design principles for tamper-resistant smartcard processors", 1999.
Abstract. We describe techniques for extracting protected software and data from smartcard processors. This includes manual microprobing, laser cutting, focused ion-beam manipulation, glitch attacks, and power analysis. Many of these methods have already been used to compromise widely fielded conditional access systems, and current smartcards offer little protection against them. We give examples of low-cost protection concepts that make such attacks considerably more difficult.
@inproceedings{KommerlingKuhn_TamperResistantSC_USENIX99,
author = {Oliver K{\"{o}}mmerling and Markus G. Kuhn},
title = {Design principles for tamper-resistant smartcard processors},
booktitle = {USENIX Workshop on Smartcard Technology},
pages = {9--20},
month = {May},
year = {1999},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf},
}
Tim Tuan, Tom Strader and Steve Trimberger: "Analysis of data remanence in a 90nm FPGA", 2007.
Abstract. As FPGAs are increasingly used in military applications, the security of a design when the part is powered off is an important property that needs to be analyzed. In this paper, we study data remanence in modern FPGAs using a custom 90nm FPGA designed for this test. The effects of temperatures, architecture, memory topology, and power off methods are analyzed. We find that different memory cells in the FPGA architecture have different remanence properties depending on their circuit design, data content, leakage and supply noise. To our knowledge, this is the first study of data remanence in FPGAs and in deep-submicron ICs.
@inproceedings{TuanST_DataRemanenceFPGA_CICC07,
title = {Analysis of data remanence in a {90nm FPGA}},
author = {Tim Tuan and Tom Strader and Steve Trimberger},
booktitle = {IEEE Custom Integrated Circuits Conference},
month = {September},
year = {2007},
volume = {},
number = {},
pages = {93--96},
www_section = {hardware security, FPGA},
url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4405689},
}
J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten: "Lest we remember: cold boot attacks on encryption keys", 2008.
Abstract. Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
@inproceedings{HaldermanSHC+_LestWeRemember_USENIX08,
title = {Lest we remember: cold boot attacks on encryption keys},
author = {J. Alex Halderman and Seth D. Schoen and Nadia Heninger and William Clarkson and William Paul and Joseph A. Calandrino and Ariel J. Feldman and Jacob Appelbaum and Edward W. Felten},
booktitle = {USENIX Security Symposium},
year = {2008},
www_section = {hardware security},
url = {http://citp.princeton.edu/pub/coldboot.pdf},
}
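An added example, written for this list rather than taken from the paper's own tools, of the key-schedule search the abstract refers to: AES-128 expands its 16-byte key into 160 further bytes that are a deterministic function of it, so a decayed memory image can be scanned for 16-byte windows whose following bytes match the candidate's expansion to within a small Hamming distance. The memory image, the position of the schedule in it and the decay model (a fixed number of 1 bits cleared, as if drifting to ground) are constructed; the FIPS-197 sample key is used so the expansion can be checked against the standard. Correcting errors inside the decayed key bytes themselves, which the paper also addresses, is not reproduced here.

```python
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """AES S-box from the GF(2^8) inverse and affine map, so no 256-entry table is needed."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q = (q ^ (q << 1)) & 0xFF                                 # q /= 3 in GF(2^8)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 appendix A.1 sample key


def round_keys(key):
    """Yield the 11 AES-128 round keys (16 bytes each) per the FIPS-197 key expansion."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    yield bytes(key)
    for _ in range(10):
        t = w[-1]
        t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]   # RotWord, SubWord, Rcon
        rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        for _ in range(4):
            t = [a ^ b for a, b in zip(w[-4], t)]
            w.append(t)
        yield bytes(b for word in w[-4:] for b in word)


def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=0):
    """Scan a memory image for AES-128 key schedules. Every 16-byte window is a
    candidate key; it is accepted if the 160 bytes after it match the candidate's
    expanded round keys with at most `max_bit_errors` flipped bits. The tolerance
    is what makes a partially decayed schedule findable; the search stops early
    for a window as soon as the budget is exceeded."""
    hits = []
    for off in range(len(image) - 176 + 1):
        errors = 0
        for r, rk in enumerate(round_keys(image[off:off + 16])):
            if r == 0:
                continue
            errors += _bit_errors(rk, image[off + 16 * r:off + 16 * (r + 1)])
            if errors > max_bit_errors:
                break
        else:
            hits.append((off, bytes(image[off:off + 16]), errors))
    return hits


def decay(image, start, end, flips, rng):
    """Constructed decay model: clear `flips` set bits in image[start:end],
    i.e. cells drift toward 0 as the DRAM loses charge."""
    set_bits = [(i, b) for i in range(start, end) for b in range(8) if image[i] >> b & 1]
    for i, b in rng.sample(set_bits, flips):
        image[i] &= ~(1 << b) & 0xFF
    return image


def demo(seed=7):
    """Plant the FIPS-197 schedule in a random image, decay it, and search twice."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))   # constructed image: random filler
    image[700:700 + 176] = b"".join(round_keys(FIPS_KEY))
    decay(image, 716, 876, flips=6, rng=rng)                      # damage the schedule, not the key bytes
    exact = find_aes128_keys(image, max_bit_errors=0)
    tolerant = find_aes128_keys(image, max_bit_errors=8)
    return exact, tolerant


if __name__ == "__main__":
    exact, tolerant = demo()
    print("exact-match hits:", exact)
    print("hits with up to 8 bit errors:", [(off, k.hex(), e) for off, k, e in tolerant])
```

Random filler cannot produce a false positive at this tolerance: an unrelated window disagrees with its own expansion in roughly half of the 128 bits of the very first round key, so the budget of 8 is exhausted immediately.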
Sergei P. Skorobogatov: "Low temperature data remanence in static RAM", 2002.
Abstract. Security processors typically store secret key material in static RAM, from which power is removed if the device is tampered with. It is commonly believed that, at temperatures below -20 C, the contents of SRAM can be frozen; therefore, many devices treat temperatures below this threshold as tampering events. We have done some experiments to establish the temperature dependency of data retention time in modern SRAM devices. Our experiments show that the conventional wisdom no longer holds.
@techreport{Skorobogatov_TempRemanence_CLTR02,
author = {Sergei P. Skorobogatov},
title = {Low temperature data remanence in static {RAM}},
institution = {University of Cambridge, Computer Laboratory},
year = {2002},
month = {June},
type = {},
number = {536},
address = {},
key = {},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-536.pdf},
}
Sergei P. Skorobogatov: "Semi-invasive attacks -- a new approach to hardware security analysis", 2005.
Abstract. (Partial) Semiconductor chips are used today not only to control systems, but also to protect them against security threats. A continuous battle is waged between manufacturers who invent new security solutions, learning their lessons from previous mistakes, and the hacker community, constantly trying to break implemented protections. Some chip manufacturers do not pay enough attention to the proper design and testing of protection mechanisms. Even where they claim their products are highly secure, they do not guarantee this and do not take any responsibility if a device is compromised. In this situation, it is crucial for the design engineer to have a convenient and reliable method of testing secure chips.
This thesis presents a wide range of attacks on hardware security in microcontrollers and smartcards. This includes already known non-invasive attacks, such as power analysis and glitching, and invasive attacks, such as reverse engineering and microprobing. A new class of attacks---semi-invasive attacks---is introduced. Like invasive attacks, they require depackaging the chip to get access to its surface. But the passivation layer remains intact, as these methods do not require electrical contact to internal lines. Semi-invasive attacks stand between noninvasive and invasive attacks. They represent a greater threat to hardware security, as they are almost as effective as invasive attacks but can be low-cost like non-invasive attacks.
@techreport{Skorobogatov_SemiInvasive_CLTR05,
author = {Sergei P. Skorobogatov},
title = {Semi-invasive attacks -- a new approach to hardware security analysis},
institution = {University of Cambridge, Computer Laboratory},
year = {2005},
type = {},
number = {630},
address = {},
month = {April},
key = {},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf},
}
Sergei P. Skorobogatov: "Data remanence in Flash memory devices", 2005.
Abstract. Data remanence is the residual physical representation of data that has been erased or overwritten. In non-volatile programmable devices, such as UV EPROM, EEPROM or Flash, bits are stored as charge in the floating gate of a transistor. After each erase operation, some of this charge remains. Security protection in microcontrollers and smartcards with EEPROM/Flash memories is based on the assumption that information from the memory disappears completely after erasing. While microcontroller manufacturers have already successfully hardened their designs against a range of attacks, they still have a common problem with data remanence in floating-gate transistors. Even after an erase operation, the transistor does not return fully to its initial state, thereby allowing the attacker to distinguish between previously programmed and not programmed transistors, and thus restore information from erased memory. The research in this direction is summarised here and it is shown how much information can be extracted from some microcontrollers after their memory has been erased.
@inproceedings{Skorobogatov_FlashDataRemanence_CHES05,
author = {Sergei P. Skorobogatov},
title = {Data remanence in Flash memory devices},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {3659},
isbn = {3540284745},
publisher = {Springer},
month = {September},
year = {2005},
pages = {339--353},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/~sps32/DataRem_CHES2005.pdf},
}
Sergei P. Skorobogatov: "Optically enhanced position-locked power analysis", 2006.
Abstract. This paper introduces a refinement of the power-analysis attack on integrated circuits. By using a laser to illuminate a specific area on the chip surface, the current through an individual transistor can be made visible in the circuit's power trace. The photovoltaic effect converts light into a current that flows through a closed transistor. This way, the contribution of a single transistor to the overall supply current can be modulated by light. Compared to normal power-analysis attacks, the semi-invasive position-locking technique presented here gives attackers not only access to Hamming weights, but to individual bits of processed data. This technique is demonstrated on the SRAM array of a PIC16F84 microcontroller and reveals both which memory locations are being accessed, as well as their contents.
@inproceedings{Skorobogatov_CHES06,
author = {Sergei P. Skorobogatov},
title = {Optically enhanced position-locked power analysis},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {4249},
isbn = {978-3-540-46559-1},
publisher = {Springer},
month = {October},
year = {2006},
pages = {61--75},
www_section = {hardware security},
url = {http://www.cl.cam.ac.uk/~sps32/ches2006-poslock.pdf},
}
Srivaths Ravi, Anand Raghunathan and Srimat Chakradhar: "Tamper resistance mechanisms for secure, embedded systems", 2004.
Abstract. Security is a concern in the design of a wide range of embedded systems. Extensive research has been devoted to the development of cryptographic algorithms that provide the theoretical underpinnings of information security. Functional security mechanisms, such as security protocols, suitably employ these mathematical primitives in order to achieve the desired security objectives. However, functional security mechanisms alone cannot ensure security, since most embedded systems present attackers with an abundance of opportunities to observe or interfere with their implementation, and hence to compromise their theoretical strength. This paper surveys various tamper or attack techniques, and explains how they can be used to undermine or weaken security functions in embedded systems. Tamper-resistant design refers to the process of designing a system architecture and implementation that is resistant to such attacks. We outline approaches that have been proposed to design tamper-resistant embedded systems, with examples drawn from recent commercial products.
@inproceedings{RaviRC_TamperResistance_VLSID04,
author = {Srivaths Ravi and Anand Raghunathan and Srimat Chakradhar},
title = {Tamper resistance mechanisms for secure, embedded systems},
booktitle = {International Conference on VLSI Design},
year = {2004},
isbn = {0769520723},
pages = {605--611},
publisher = {IEEE Computer Society},
address = {Washington, DC, USA},
www_section = {hardware security},
url = {http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1260985},
}
Peter Gutmann: "Secure deletion of data from magnetic and solid-state memory", 1996.
Abstract. With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.
@inproceedings{Gutmann_SecureDeletion_USENIX96,
author = {Peter Gutmann},
title = {Secure deletion of data from magnetic and solid-state memory},
booktitle = {USENIX Security Symposium},
address = {San Jose, California},
month = {July},
year = {1996},
pages = {77--89},
www_section = {hardware security},
url = {http://www.cs.cornell.edu/people/clarkson/secdg/papers.sp06/secure_deletion.pdf},
}
Peter Gutmann: "Data remanence in semiconductor devices", 2001.
Abstract. A paper published in 1996 examined the problems involved in truly deleting data from magnetic storage media and also made a mention of the fact that similar problems affect data held in semiconductor memory. This work extends the brief coverage of this area given in the earlier paper by providing the technical background information necessary to understand remanence issues in semiconductor devices. Data remanence problems affect not only obvious areas such as RAM and non-volatile memory cells but can also occur in other areas of the device through hot-carrier effects (which change the characteristics of the semiconductors in the device), electromigration (which physically alters the device itself), and various other effects which are examined alongside the more obvious memory-cell remanence problems. The paper concludes with some design and device usage guidelines which can be useful in reducing remanence effects.
@inproceedings{Gutmann_DataRemanence_USENIX01,
author = {Peter Gutmann},
title = {Data remanence in semiconductor devices},
booktitle = {USENIX Security Symposium},
pages = {39--54},
year = {2001},
month = {August},
www_section = {hardware security},
url = {http://www.cypherpunks.to/~peter/usenix01.pdf},
}
Sean W. Smith: "Fairy dust, secrets, and the real world", 2003.
@article{Smith_IEEESP03,
author = {Sean W. Smith},
title = {Fairy dust, secrets, and the real world},
journal = {IEEE Security and Privacy},
volume = {1},
number = {1},
year = {2003},
issn = {1540-7993},
pages = {89--93},
publisher = {IEEE Educational Activities Department},
address = {Piscataway, NJ, USA},
www_section = {hardware security},
url = {http://www.cs.dartmouth.edu/~sws/pubs/fairydust.pdf},
}
Brian Dipert: "Cunning circuits confound crooks", 2000.
@article{Dipert_EDM00,
author = {Brian Dipert},
title = {Cunning circuits confound crooks},
journal = {EDN Magazine},
year = {2000},
month = {October},
www_section = {hardware security},
url = {http://www.edn.com/contents/images/21df2.pdf},
}
Steve H. Weingart: "Physical security devices for computer subsystems: a survey of attacks and defences", 2000.
Abstract. As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely. This technology requires constant review and improvement, just as other competitive technologies need review to stay at the leading edge.
This paper describes known physical attacks, ranging from simple attacks that require little skill or resource, to complex attacks that require trained, technical people and considerable resources. Physical security methods to deter or prevent these attacks are presented. The intent is to match protection methods with the attack methods in terms of complexity and cost. In this way cost effective protection can be produced across a wide range of systems and needs.
Specific technical mechanisms now in use are shown, as well as mechanisms proposed for future use. Common design problems and solutions are discussed with consideration for manufacturing.
@inproceedings{Weingart_PhysicalSecuritySurvey_CHES00,
author = {Steve H. Weingart},
title = {Physical security devices for computer subsystems: a survey of attacks and defences},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {1965},
month = {August},
year = {2000},
isbn = {3-540-41455-X},
pages = {302--317},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {hardware security},
url = {http://www.springerlink.com/content/lnuyd6hb3tawht75/},
}
Steve Weingart and Steve R. White: "Mind the gap: updating FIPS 140", 2005.
Abstract. In order to be secure, modules that provide cryptographic function must do more than simply implement a secure cryptographic algorithm. They must resist system-level attacks, whether by software or hardware, and whether the attack is intended to produce incorrect results or to expose information that should be protected. The details of these requirements change over time. Both attack and defensive technologies improve, turning difficult attacks into easy ones, or expensive defenses into inexpensive ones. The current standard for the security of cryptographic systems is FIPS 140, which lays out four levels of security that have increasingly stringent requirements. This paper argues that changing attack technologies and application requirements have led to a gap in FIPS 140, and that a new level is needed. Such a level is proposed, intermediate between the two highest levels of FIPS 140. The new level allows the validation of commercially feasible products that are more secure than the current Level 3, but that do not carry the difficult burden imposed by the current Level 4 validation requirements.
@inproceedings{WeingartWhite_UpdatingFIPS140_05,
author = {Steve Weingart and Steve R. White},
title = {Mind the gap: updating FIPS 140},
booktitle = {FIPS Physical Security Workshop},
month = {September},
year = {2005},
pages = {},
www_section = {hardware security},
url = {http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/papers/physecpaper18.pdf},
}
Sean W. Smith and Steve Weingart: "Building a high-performance, programmable secure coprocessor", 1999.
Abstract. Secure coprocessors enable secure distributed applications by providing safe havens where an application program can execute and accumulate state, free of observation and interference by an adversary with direct physical access to the device. However, for these coprocessors to be effective, participants in such applications must be able to verify that they are interacting with an authentic program on an authentic, untampered device. Furthermore, secure coprocessors that support general-purpose computation and will be manufactured and distributed as commercial products must provide these core sanctuary and authentication properties while also meeting many additional challenges, including:
- the applications, operating system, and underlying security management may all come from different, mutually suspicious authorities;
- configuration and maintenance must occur in a hostile environment, while minimizing disruption of operations;
- the device must be able to recover from the vulnerabilities that inevitably emerge in complex software;
- physical security dictates that the device itself can never be opened and examined; and
- ever-evolving cryptographic requirements dictate that hardware accelerators be supported by reloadable on-card software.
This paper summarizes the hardware, software, and cryptographic architecture we developed to address these problems.
@article{SmithWeingart_SecureCoprocessor_CN99,
author = {Sean W. Smith and Steve Weingart},
title = {Building a high-performance, programmable secure coprocessor},
journal = {Computer Networks: The International Journal of Computer and Telecommunications Networking},
volume = {31},
number = {9},
year = {1999},
issn = {1389-1286},
pages = {831--860},
publisher = {Elsevier North-Holland, Inc.},
address = {New York, NY, USA},
www_section = {hardware security},
url = {http://www.research.ibm.com/secure_systems_department/projects/scop/papers/arch.pdf},
}
Denis G. Abraham, George M. Dolan, Glen P. Double and James V. Stevens: "Transaction security system", 1991.
Abstract. Components of previous security systems were designed independently from one another and were often difficult to integrate. Described is the recently available IBM Transaction Security System. It implements the Common Cryptographic Architecture and offers a comprehensive set of security products that allow users to implement end-to-end secure systems with IBM components. The system includes a mainframe host-attached Network Security Processor, high-performance encryption adapters for the IBM Personal Computer and Personal System/2 Micro Channel, an RS-232 attached Security Interface Unit, and a credit-card size state-of-the-art Personal Security card containing a high-performance microprocessor. The application programming interface provides common programming in the host and the workstation and supports all of the Systems Application Architecture languages except REXX and RPG. Applications may be written to run on Multiple Virtual Storage (MVS) and PC DOS operating systems.
@article{AbrahamDDS_IBM91,
author = {Denis G. Abraham and George M. Dolan and Glen P. Double and James V. Stevens},
title = {Transaction security system},
journal = {IBM Systems Journal},
volume = {30},
number = {2},
year = {1991},
issn = {0018-8670},
pages = {206--229},
publisher = {IBM Corporation},
address = {Riverton, NJ, USA},
www_section = {hardware security},
url = {http://www.research.ibm.com/journal/sj/302/ibmsj3002G.pdf},
}
David C. Musker: "Protecting and exploiting intellectual property in electronics", 1998.
@article{Musker_ReverseEngineering_WEB98,
author = {David C. Musker},
title = {Protecting and exploiting intellectual property in electronics},
journal = {IBC Conferences},
month = {June},
year = {1998},
www_section = {hardware security},
url = {http://www.jenkins-ip.com/serv/serv_6.htm},
}
Alliance for Gray Market and Counterfeit Abatement: "Managing the risks of counterfeiting in the information technology industry", 2006.
Abstract. Counterfeiting is among the most challenging issues facing the information technology (IT) industry today. Illegal replicas of brand-name high tech products are flooding the marketplace, cutting into legitimate companies' revenue and reducing their ability to invest in research and development (R&D). Proliferation of technology used to make computers, servers, and a host of high tech products as well as a lack of regulatory enforcement in developing nations is accelerating counterfeiting. It is now estimated that as much as 10 percent of all high tech products sold globally are counterfeit.
@manual{AGMCA_COUNTERFEIT06,
author = {{Alliance for Gray Market and Counterfeit Abatement}},
title = {Managing the risks of counterfeiting in the information technology industry},
organization = {},
year = {2006},
month = {August},
key = {},
www_section = {hardware security},
url = {http://www.agmaglobal.org/press_events/press_docs/Counterfeit_WhitePaper_Final.pdf},
}
Jerry M. Soden, Richard E. Anderson and Chris L. Henderson: "IC failure analysis: Magic, mystery, and science", 1997.
Abstract. Advancing IC and packaging technologies motivate and direct the future of failure analysis. The authors review current tools and techniques and discuss challenges and opportunities created by the industry's critical need for new diagnosis and failure analysis paradigms.
@article{SodenAH_FailureAnalysis_IEEE97,
author = {Jerry M. Soden and Richard E. Anderson and Chris L. Henderson},
title = {{IC} failure analysis: Magic, mystery, and science},
journal = {IEEE Design \& Test},
volume = {14},
number = {3},
month = {July},
year = {1997},
issn = {0740-7475},
pages = {59--69},
publisher = {IEEE Computer Society Press},
address = {Los Alamitos, CA, USA},
www_section = {hardware security},
url = {http://portal.acm.org/citation.cfm?id=622765},
}
David Chaum: "Design concepts for tamper responding systems", 1983.
@inproceedings{Chaum_TamperResponding_CRYPTO83,
author = {David Chaum},
title = {Design concepts for tamper responding systems},
booktitle = {Advances in Cryptology ({CRYPTO})},
year = {1983},
pages = {387--392},
www_section = {hardware security},
url = {http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C83/387.PDF},
}

security and crypto

Ross J. Anderson: "Security engineering: A guide to building dependable distributed systems", 2001.
Abstract. Ross Anderson, widely recognized as one of the world's foremost authorities on security engineering, presents a comprehensive design tutorial that covers a wide range of applications. Designed for today's programmers who need to build systems that withstand malice as well as error (but have no time to go do a PhD in security), this book illustrates basic concepts through many real-world system design successes and failures. Topics range from firewalls, through phone phreaking and copyright protection, to frauds against e-businesses. Anderson's book shows how to use a wide range of tools, from cryptology through smartcards to applied psychology. As everything from burglar alarms through heart monitors to bus ticket dispensers starts talking IP, the techniques taught in this book will become vital to everyone who wants to build systems that are secure, dependable and manageable.
@book{Anderson_SecurityEngineering_01,
author = {Ross J. Anderson},
title = {Security engineering: A guide to building dependable distributed systems},
year = {2001},
isbn = {0471389226},
publisher = {John Wiley \& Sons, Inc.},
address = {New York, NY, USA},
www_section = {security and crypto},
url = {http://www.cl.cam.ac.uk/~rja14/book.html},
}
Niels Ferguson and Bruce Schneier: "Practical Cryptography", 2003.
Abstract. In today's world, security is a top concern for businesses worldwide. Without a secure computer system, you don't make money, you don't expand, and -- bottom line -- you don't survive. Cryptography holds great promise as the technology to provide security in cyberspace. Amazingly enough, no literature exists about how to implement cryptography and how to incorporate it into real-world systems. With Practical Cryptography, an author team of international renown provides you with the first hands-on cryptographic product implementation guide, bridging the gap between cryptographic theory and real-world cryptographic applications.
@book{FergusonSchneier_PRACCRYPT03,
author = {Niels Ferguson and Bruce Schneier},
title = {Practical Cryptography},
year = {2003},
isbn = {0471223573},
publisher = {John Wiley \& Sons, Inc.},
address = {New York, NY, USA},
www_section = {security and crypto},
url = {http://portal.acm.org/citation.cfm?id=862117},
}
Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone: "Handbook of applied cryptography", 1996.
Abstract. A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.
@book{MENEZES_HAC96,
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},
title = {Handbook of applied cryptography},
year = {1996},
isbn = {0-8493-8523-7},
publisher = {CRC Press, Inc.},
address = {Boca Raton, FL, USA},
www_section = {security and crypto},
url = {http://www.cacr.math.uwaterloo.ca/hac/},
}
Bruce Schneier: "Applied cryptography (2nd ed.): protocols, algorithms, and source code in C", 1995.
@book{Schneier_APPCRYPTO95,
author = {Bruce Schneier},
title = {Applied cryptography (2nd ed.): protocols, algorithms, and source code in {C}},
year = {1995},
isbn = {0-471-11709-9},
publisher = {John Wiley \& Sons, Inc.},
address = {New York, NY, USA},
www_section = {security and crypto},
url = {http://portal.acm.org/citation.cfm?id=212584},
}
Colin Boyd and Anish Mathuria: "Protocols for authentication and key establishment", 2003.
@book{BM_AUTHPROTOCOLS03,
author = {Colin Boyd and Anish Mathuria},
title = {Protocols for authentication and key establishment},
year = {2003},
isbn = {978-3-540-43107-7},
publisher = {Springer},
www_section = {security and crypto},
url = {http://sky.fit.qut.edu.au/~boydc/pake.html},
}
John Black: "Authenticated encryption", in Encyclopedia of Cryptography and Security, 2005.
Abstract. A survey of the methods for achieving authentication and encryption in the private-key setting. Includes generic composition as well as the several recently-invented methods that provide better efficiency.
@incollection{Black_AuthenticatedEncryption_BOOKCH05,
author = {John Black},
title = {Authenticated encryption},
booktitle = {Encyclopedia of Cryptography and Security},
publisher = {Springer},
year = {2005},
pages = {10--21},
www_section = {security and crypto},
url = {http://www.cs.colorado.edu/~jrblack/papers/ae.pdf},
}
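Generic composition, which the entry above surveys, worked through as an added example (this code is not from the encyclopedia entry or from any work on this list): Encrypt-then-MAC with independent derived keys, tag verification before any decryption, and the nonce-reuse failure that a counter-mode encryption component inherits. The keystream generator is a stand-in built from HMAC-SHA256 in counter mode so the block runs on the Python standard library alone; in practice the encryption component would be AES-CTR or a dedicated AE mode. Function names and the sample messages are this example's own.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(master_key):
    """Independent encryption and MAC keys from one master key.
    Generic composition is analysed with independent component keys;
    deriving both from one provisioned secret with distinct labels gives that."""
    k_enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream_xor(k_enc, nonce, data):
    """XOR data with a counter-mode keystream.
    Stand-in for a block cipher in CTR mode: block i = HMAC(k_enc, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _tag(k_mac, nonce, header, ciphertext):
    # Lengths are encoded so the (header, nonce, ciphertext) boundaries are unambiguous.
    msg = struct.pack(">QQ", len(header), len(nonce)) + header + nonce + ciphertext
    return hmac.new(k_mac, msg, hashlib.sha256).digest()


def seal(master_key, nonce, header, plaintext):
    """Encrypt-then-MAC: ciphertext || MAC(header, nonce, ciphertext).
    The header is authenticated but not encrypted (associated data)."""
    k_enc, k_mac = derive_keys(master_key)
    ct = keystream_xor(k_enc, nonce, plaintext)
    return ct + _tag(k_mac, nonce, header, ct)


def is_authentic(master_key, nonce, header, sealed):
    """Constant-time tag check over the received bytes; nothing is decrypted here."""
    if len(sealed) < TAG_LEN:
        return False
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    _, k_mac = derive_keys(master_key)
    return hmac.compare_digest(tag, _tag(k_mac, nonce, header, ct))


def unseal(master_key, nonce, header, sealed):
    """Verify first, decrypt second. Rejecting before decryption is what keeps
    the decryption path (padding, format checks) from becoming an oracle."""
    if not is_authentic(master_key, nonce, header, sealed):
        raise ValueError("authentication failed")
    k_enc, _ = derive_keys(master_key)
    return keystream_xor(k_enc, nonce, sealed[:-TAG_LEN])


def nonce_reuse_leak(master_key, nonce, p1, p2):
    """Failure mode: two messages under one (key, nonce). Both tags verify,
    but XOR of the ciphertexts equals XOR of the plaintexts over the
    overlapping bytes. Returns that XOR so the leak is visible."""
    c1 = seal(master_key, nonce, b"", p1)[:-TAG_LEN]
    c2 = seal(master_key, nonce, b"", p2)[:-TAG_LEN]
    return bytes(a ^ b for a, b in zip(c1, c2))
```

The verifier's side never decrypts a message whose tag fails, and the tag covers the nonce and header as well as the ciphertext, so moving a valid ciphertext to a different context is rejected too. The nonce-reuse function shows why uniqueness, not secrecy, is the property a counter-mode nonce needs: authentication survives reuse, confidentiality does not.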
Paul Syverson: "A taxonomy of replay attacks", 1994.
Abstract. This paper presents a taxonomy of replay attacks on cryptographic protocols in terms of message origin and destination. The taxonomy is independent of any method used to analyze or prevent such attacks. It is also complete in the sense that any replay attack is composed entirely of elements classified by the taxonomy. The classification of attacks is illustrated using both new and previously known attacks on protocols. The taxonomy is also used to discuss the appropriateness of particular countermeasures and protocol analysis methods to particular kinds of replays.
@inproceedings{Syverson_ReplayTaxonomy_IEEECSP94,
author = {Paul Syverson},
title = {A taxonomy of replay attacks},
booktitle = {Computer Security Foundations Workshop},
year = {1994},
publisher = {IEEE Computer Society Press},
www_section = {security and crypto},
url = {http://chacs.nrl.navy.mil/publications/CHACS/1994syverson-foundations.pdf},
}
Phillip Rogaway and David Wagner: "A critique of CCM", 2003.
Abstract. CCM is a conventional authenticated-encryption scheme obtained from a 128-bit block cipher. The mechanism has been adopted as the mandatory encryption algorithm in an IEEE 802.11 draft standard, and its use has been proposed more broadly. In this note we point out a number of limitations of CCM. A related note provides an alternative to CCM.
@misc{RogawayWagner_CCMCritique_IACR03,
title = {A critique of {CCM}},
author = {Phillip Rogaway and David Wagner},
howpublished = {Cryptology {ePrint} Archive, Report 2003/070},
year = {2003},
www_section = {security and crypto},
url = {http://eprint.iacr.org/2003/070.pdf},
}

radiation

Joe Fabula, Jason Moore and Andrew Ware: "Understanding neutron single-event phenomena in FPGAs", 2007.
@article{FabulaMW_UnderstandingFPGASEU_MES07,
author = {Joe Fabula and Jason Moore and Andrew Ware},
title = {Understanding neutron single-event phenomena in FPGAs},
journal = {Military Embedded Systems},
month = {March},
year = {2007},
www_section = {radiation, FPGA},
url = {http://www.mil-embedded.com/PDFs/Xilinx.Mar07.pdf},
}
Tanay Karnik, Peter Hazucha and Jagdish Patel: "Characterization of soft errors caused by single event upsets in CMOS processes", 2004.
Abstract. Radiation-induced single event upsets (SEUs) pose a major challenge for the design of memories and logic circuits in high performance microprocessors in technologies beyond 90nm. Historically, we have considered power-performance-area trade offs. There is a need to include the soft error rate (SER) as another design parameter. In this paper, we present radiation particle interactions with silicon, charge collection effects, soft errors, and their effect on VLSI circuits. We also discuss the impact of SEUs on system reliability. We describe an accelerated measurement of SERs using a high-intensity neutron beam, the characterization of SERs in sequential logic cells, and technology scaling trends. Finally, some directions for future research are given.
@article{KarnikHP_SEUCMOS_IEEEDSC04,
author = {Tanay Karnik and Peter Hazucha and Jagdish Patel},
title = {Characterization of soft errors caused by single event upsets in {CMOS} processes},
journal = {IEEE Transactions on Dependable and Secure Computing},
volume = {1},
number = {2},
year = {2004},
issn = {1545-5971},
pages = {128--143},
publisher = {IEEE Computer Society Press},
address = {Los Alamitos, CA, USA},
www_section = {radiation},
url = {http://ieeexplore.ieee.org/iel5/8858/29698/01350778.pdf},
}
Eugene Normand: "Single event upset at ground level", 1996.
Abstract. Ground level upsets have been observed in computer systems containing large amounts of random access memory (RAM). Atmospheric neutrons are most likely the major cause of the upsets based on measured data using the Weapons Neutron Research (WNR) neutron beam.
@article{Normand_SEUSeaLevel_IEEE96,
author = {Eugene Normand},
title = {Single event upset at ground level},
journal = {IEEE Transactions on Nuclear Science},
volume = {43},
number = {6},
month = {December},
year = {1996},
pages = {2742--2750},
www_section = {radiation},
url = {http://www.boeing.com/assocproducts/radiationlab/publications/SEU_at_Ground_Level.pdf},
}
Austin Lesea, Saar Drimer, Joe Fabula, Carl Carmichael and Peter Alfke: "The Rosetta experiment: atmospheric soft error rate testing in differing technology FPGAs", 2005.
Abstract. Results are presented from real-time experiments that evaluated large FPGAs fabricated in different CMOS technologies (0.15 um, 0.13 um and 90 nm) for their sensitivity to radiation-induced single event upsets. These results are compared to circuit simulation (Qcrit) studies, as well as to LANSCE neutron beam results and Crocker Nuclear Laboratory (University of California, Davis) cyclotron proton beam results.
@article{LeseaDFCA_RosettaSEU_IEEETDMR05,
author = {Austin Lesea and Saar Drimer and Joe Fabula and Carl Carmichael and Peter Alfke},
title = {The {Rosetta} experiment: atmospheric soft error rate testing in differing technology {FPGA}s},
journal = {IEEE Transactions on Device and Materials Reliability},
year = {2005},
volume = {5},
number = {3},
pages = {317--328},
month = {September},
www_section = {radiation, FPGA},
url = {http://www.cl.cam.ac.uk/~sd410/papers/rosetta.pdf},
}
Bernhard Fechner: "Dynamic delay-fault injection for reconfigurable hardware", 2005.
Abstract. Modern internet and telephone switches consist of numerous VLSI-circuits operating at high frequencies to handle high bandwidths. It is beyond question that such systems must contain mechanisms making them reliable through fault-detection or fault-tolerance. For monetary reasons, one or multiple Field Programmable Gate Arrays (FPGAs) are used in modern Application Specific Integrated Circuit (ASIC) development systems before production. Hardware manufacturers have a strong focus on quick fault-injection to verify and validate the correct function of such a (fault-tolerant) system. However, current FPGA-based fault injection schemes do not consider delay faults. In this paper we present an extension to traditional FPGA fault injection schemes without any additional hardware for fixed and small hardware overhead for dynamic phase shifting. By using digital clock managers (DCMs), we are able to inject delay faults very fast through phase-shift variation of the clock without reconfiguring the FPGA.
@inproceedings{Fechner_DelayFaultReconfigHW_IPDPS05,
author = {Bernhard Fechner},
title = {Dynamic delay-fault injection for reconfigurable hardware},
booktitle = {IEEE International Parallel and Distributed Processing Symposium},
month = {April},
year = {2005},
isbn = {0-7695-2312-9},
pages = {282.1},
publisher = {IEEE Computer Society},
address = {Washington, DC, USA},
www_section = {radiation, FPGA},
url = {http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1420244},
}

evolvable hardware

Timothy G. W. Gordon and Peter J. Bentley: "On evolvable hardware", 2002.
@inproceedings{GordonBentley_EvolvableHardware_SCIE02,
author = {Timothy G. W. Gordon and Peter J. Bentley},
title = {On evolvable hardware},
booktitle = {Soft Computing in Industrial Electronics},
year = {2002},
isbn = {},
pages = {279--323},
publisher = {Physica-Verlag},
address = {Heidelberg, Germany},
www_section = {evolvable hardware},
url = {http://www.cs.ucl.ac.uk/staff/t.gordon/scie.pdf},
}
Adrian Thompson and Paul Layzell: "Analysis of unconventional evolved electronics", 1999.
@article{ThompsonLayzell_UnconventionalEvolvedHW_ACM99,
author = {Adrian Thompson and Paul Layzell},
title = {Analysis of unconventional evolved electronics},
journal = {Communications of the ACM},
volume = {42},
number = {4},
year = {1999},
issn = {0001-0782},
pages = {71--79},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {evolvable hardware, FPGA},
url = {http://portal.acm.org/citation.cfm?id=299174},
}
Andres Upegui and Eduardo Sanchez: "Evolving hardware with self-reconfigurable connectivity in Xilinx FPGAs", 2006.
Abstract. Randomly connected networks have proven to be universal computing machines. By interconnecting a set of nodes in a random way one can model very complicated non-linear dynamic systems. Although random Boolean networks (RBN) use Boolean functions as their basic component, there are no hardware implementations of such systems. The absence of implementations is mainly due to the arbitrary connections exhibited by the network, and connection flexibility tends to be very expensive in terms of hardware resources. In this paper we present an on-chip self-reconfigurable approach for providing flexible connections at very low resource cost by partially reconfiguring Virtex II FPGAs.
@inproceedings{UpeguiS_EVOLVEHW_AHS06,
author = {Andres Upegui and Eduardo Sanchez},
title = {Evolving hardware with self-reconfigurable connectivity in {Xilinx} {FPGA}s},
pages = {153--160},
booktitle = {NASA /ESA Conference on Adaptive Hardware and Systems},
editor = {A. Stoica et al.},
publisher = {{IEEE} Computer Society},
address = {Los Alamitos, CA, USA},
year = {2006},
www_section = {evolvable hardware, FPGA},
url = {http://lslwww.epfl.ch/~upegui/docs/Upegui-AHS06.pdf},
}
Andres Upegui and Eduardo Sanchez: "Evolving hardware by dynamically reconfiguring Xilinx FPGAs", 2005.
Abstract. Evolvable Hardware arises as a promising solution for automatic digital synthesis of digital and analog circuits. During the last decade, a special interest has been focused on evolving digital systems by directly mapping a chromosome on the FPGA configuration bitstream. This approach allowed a great degree of flexibility for evolving circuits. Nowadays, the FPGA routing scheme does not allow doing it in such a flexible and safe way, so additional constraints must be introduced. In this paper we summarize three techniques for performing hardware evolution by exploiting the capacities of Virtex families. Among our proposals there are high- and low-level approaches, and coarse- and fine-grained components. A modular-based evolution, with pre-placed and routed components, provides a coarse-grain approach. Two techniques for directly modifying LUT contents on hard macros provide a fine-grained evolution. Finally, integrating both approaches, coarse and fine grain, provides a more general and powerful framework.
@inproceedings{UpeguiS_EVOLVEHW_05,
author = {Andres Upegui and Eduardo Sanchez},
title = {Evolving hardware by dynamically reconfiguring {Xilinx} {FPGA}s},
booktitle = {Evolvable Systems: From Biology to Hardware},
year = {2005},
series = {LNCS},
volume = {3637},
editor = {J.M. Moreno et al.},
pages = {56--65},
publisher = {Springer-Verlag},
address = {Berlin Heidelberg},
www_section = {evolvable hardware, FPGA},
url = {http://lslwww.epfl.ch/~upegui/docs/Upegui_ICES05.pdf},
}
Lukas Sekanina: "Towards evolvable IP cores for FPGAs", 2003.
Abstract. The paper deals with a new approach to the design of adaptive hardware using common Field Programmable Gate Arrays (FPGA). The ultimate aim is to develop evolvable IP (Intellectual Property) cores. The cores should be reused in the same way as ordinary IP cores are reused. In contrast to the conventional cores, the evolvable cores are able to perform autonomous evolution of their internal circuits. The cores should be available in the form of HDL source code, i.e. they should be synthesizable into any reconfigurable device of a sufficient capacity. The approach is based on implementation of a virtual reconfigurable circuit and a genetic unit in an ordinary FPGA. In the presented case study an adaptive image filter is designed, implemented and synthesized. The proposed idea of evolvable IP core could open the way towards defining a business model for evolvable hardware.
@inproceedings{Sekanina_EV03,
author = {Luk{\'{a}}{\v{s}} Sekanina},
title = {Towards evolvable {IP} cores for {FPGA}s},
pages = {145--154},
booktitle = {NASA/DoD Conference on Evolvable Hardware},
year = {2003},
publisher = {IEEE Computer Society Press},
address = {Los Alamitos, CA, USA},
isbn = {0-7695-1977-6},
www_section = {evolvable hardware, FPGA},
url = {http://www.fit.vutbr.cz/~sekanina/publ/eh03/eh03b.pdf},
}
Lukas Sekanina and Stepan Friedl: "An evolvable combinational unit for FPGAs", 2004.
Abstract. A complete hardware implementation of an evolvable combinational unit for FPGAs is presented. The proposed combinational unit consisting of a virtual reconfigurable circuit and evolutionary algorithm was described in VHDL independently of a target platform, i.e. as a soft IP core, and realized in the COMBO6 card. In many cases the unit is able to evolve (i.e. to design) the required function automatically and autonomously, in a few seconds, only on the basis of interactions with an environment. A number of circuits were successfully evolved directly in the FPGA, in particular, 3-bit multipliers, adders, multiplexers and parity encoders. The evolvable unit was also tested in a simulated dynamic environment and used to design various circuits specified by randomly generated truth tables.
@article{SekaninaFriedl_EvolvableUnitFPGA_CI04,
author = {Luk{\'{a}}{\v{s}} Sekanina and {\v{S}}t{\v{e}}p{\'{a}}n Friedl},
title = {An evolvable combinational unit for {FPGA}s},
journal = {Computing and Informatics},
pages = {461--486},
volume = {23},
number = {5},
year = {2004},
issn = {1335-9150},
www_section = {evolvable hardware, FPGA},
url = {http://www.fit.vutbr.cz/~sekanina/publ/cai/cai04.pdf},
}
Adrian Thompson: "Hardware evolution page", 2006.
@manual{Thompson_WEB06,
author = {Adrian Thompson},
title = {Hardware evolution page},
month = {February},
year = {2006},
www_section = {evolvable hardware},
url = {http://www.cogs.susx.ac.uk/users/adrianth/ade.html},
}

PUFs

G. Edward Suh and Srinivas Devadas: "Physical unclonable functions for device authentication and secret key generation", 2007.
Abstract. Physical Unclonable Functions (PUFs) are innovative circuit primitives that extract secrets from physical characteristics of integrated circuits (ICs). We present PUF designs that exploit inherent delay characteristics of wires and transistors that differ from chip to chip, and describe how PUFs can enable low-cost authentication of individual ICs and generate volatile secret keys for cryptographic operations.
@inproceedings{SuhDevadas_PUFAuthKey_DAC07,
author = {G. Edward Suh and Srinivas Devadas},
title = {Physical unclonable functions for device authentication and secret key generation},
booktitle = {Design Automation Conference},
year = {2007},
isbn = {978-1-59593-627-1},
pages = {9--14},
location = {San Diego, California},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {PUFs},
url = {http://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf},
}
Jorge Guajardo, Sandeep S. Kumar, Geert Jan Schrijen and Pim Tuyls: "Physical unclonable functions and public-key crypto for FPGA IP protection", 2007.
Abstract. In recent years, IP protection of FPGA hardware designs has become a requirement for many IP vendors. To this end solutions have been proposed based on the idea of bitstream encryption, symmetric-key primitives, and the use of physical unclonable functions (PUFs). In this paper, we propose new protocols for the IP protection problem on FPGAs based on public-key (PK) cryptography, analyze the advantages and costs of such an approach, and describe a PUF intrinsic to current FPGAs based on SRAM properties. A major advantage of using PK-based protocols is that they do not require the private key stored in the FPGA to leave the device, thus increasing security. This added security comes at the cost of additional hardware resources but it does not cause significant performance degradation.
@inproceedings{GuardoKST_PUFIPP_FPL07,
author = {Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls},
title = {Physical unclonable functions and public-key crypto for {FPGA} {IP} protection},
booktitle = {International Conference on Field Programmable Logic and Applications},
publisher = {IEEE},
month = {August},
year = {2007},
pages = {189--195},
www_section = {PUFs, FPGA},
url = {http://www.ieeexplore.ieee.org/xpls/abs_all.jsp?isnumber=4380602&arnumber=4380646},
}
Jorge Guajardo, Sandeep S. Kumar, Geert Jan Schrijen and Pim Tuyls: "FPGA intrinsic PUFs and their use for IP protection", 2007.
Abstract. In recent years, IP protection of FPGA hardware designs has become a requirement for many IP vendors. In [34], Simpson and Schaumont proposed a fundamentally different approach to IP protection on FPGAs based on the use of Physical Unclonable Functions (PUFs). Their work only assumes the existence of a PUF on the FPGAs without actually proposing a PUF construction. In this paper, we propose new protocols for the IP protection problem on FPGAs and provide the first construction of a PUF intrinsic to current FPGAs based on SRAM memory randomness present on current FPGAs. We analyze SRAM-based PUF statistical properties and investigate the trade offs that can be made when implementing a fuzzy extractor.
@inproceedings{GuajardoKST_FPGAMemoryPUF_CHES07,
author = {Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls},
title = {{FPGA} intrinsic {PUFs} and their use for {IP} protection},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {4727},
isbn = {978-3-540-74734-5},
publisher = {Springer},
month = {September},
year = {2007},
pages = {63--80},
www_section = {PUFs, FPGA},
url = {http://www.springerlink.com/index/u64160h472125824.pdf},
}
Blaise Gassend, Dwaine Clarke, Marten van Dijk and Srinivas Devadas: "Silicon physical random functions", 2002.
Abstract. We describe the notion of a Physical Random Function (PUF). We argue that a complex integrated circuit can be viewed as a silicon PUF and describe a technique to identify and authenticate individual integrated circuits (ICs). We describe several possible circuit realizations of different PUFs. These circuits have been implemented in commodity Field Programmable Gate Arrays (FPGAs). We present experiments which indicate that reliable authentication of individual FPGAs can be performed even in the presence of significant environmental variations. We describe how secure smart cards can be built, and also briefly describe how PUFs can be applied to licensing and certification applications.
@inproceedings{GassendCDD_SiliconPUF_CCSC02,
author = {Blaise Gassend and Dwaine Clarke and Marten van Dijk and Srinivas Devadas},
title = {Silicon physical random functions},
booktitle = {ACM Conference on Computer and Communications Security},
year = {2002},
isbn = {1-58113-612-9},
pages = {148--160},
location = {Washington, DC, USA},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {PUFs},
url = {http://csg.csail.mit.edu/pubs/memos/Memo-456/memo-456.pdf},
}
Jae W. Lee, Daihyun Lim, Blaise Gassend, G. Edward Suh, Marten van Dijk and Srinivas Devadas: "A technique to build a secret key in integrated circuits for identification and authentication applications", 2004.
Abstract. This paper describes a technique that exploits the statistical delay variations of wires and transistors across ICs to build a secret key unique to each IC. To explore its feasibility, we fabricated a candidate circuit to generate a response based on its delay characteristics. We show that there exists enough delay variation across ICs implementing the proposed circuit to identify individual ICs. Further, the circuit functions reliably over a practical range of environmental variation such as temperature and voltage.
@inproceedings{LeeLGSDD_PUFSecretKey_VLSI04,
author = {Jae W. Lee and Daihyun Lim and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srinivas Devadas},
title = {A technique to build a secret key in integrated circuits for identification and authentication applications},
pages = {176--179},
booktitle = {Proceedings of the Symposium on VLSI Circuits},
year = {2004},
www_section = {PUFs},
url = {http://people.csail.mit.edu/suh/papers/vlsi04.pdf},
}
Ravikanth S. Pappu, Ben Recht, Jason Taylor and Neil Gershenfeld: "Physical one-way functions", 2002.
Abstract. Modern cryptographic practice rests on the use of one-way functions, which are easy to evaluate but difficult to invert. Unfortunately, commonly used one-way functions are either based on unproven conjectures or have known vulnerabilities. We show that instead of relying on number theory, the mesoscopic physics of coherent transport through a disordered medium can be used to allocate and authenticate unique identifiers by physically reducing the medium's microstructure to a fixed-length string of binary digits. These physical one-way functions are inexpensive to fabricate, prohibitively difficult to duplicate, admit no compact mathematical representation, and are intrinsically tamper-resistant. We provide an authentication protocol based on the enormous address space that is a principal characteristic of physical one-way functions.
@article{PappuRTG_PhysicalOneWayFunctions_SCIENCE02,
author = {Ravikanth S. Pappu and Ben Recht and Jason Taylor and Neil Gershenfeld},
title = {Physical one-way functions},
pages = {2026--2030},
journal = {Science},
volume = {297},
number = {5589},
year = {2002},
www_section = {PUFs},
url = {http://web.media.mit.edu/~brecht/papers/02.PapEA.powf.pdf},
}
Ravikanth S. Pappu: "Physical one-way functions", 2001.
@phdthesis{Pappu_PhysicalOneWayFunctions_PHD01,
author = {Ravikanth S. Pappu},
title = {Physical one-way functions},
school = {Massachusetts Institute of Technology},
month = {March},
year = {2001},
www_section = {PUFs},
url = {http://pubs.media.mit.edu/pubs/papers/01.03.pappuphd.powf.pdf},
}
Daihyun Lim, Jae W. Lee, Blaise Gassend, G. Edward Suh, Marten van Dijk and Srini Devadas: "Extracting secret keys from integrated circuits", 2005.
Abstract. Modern cryptographic protocols are based on the premise that only authorized participants can obtain secret keys and access to information systems. However, various kinds of tampering methods have been devised to extract secret keys from conditional access systems such as smartcards and ATMs. Arbiter-based physical unclonable functions (PUFs) exploit the statistical delay variation of wires and transistors across integrated circuits (ICs) in manufacturing processes to build unclonable secret keys. We fabricated arbiter-based PUFs in custom silicon and investigated the identification capability, reliability, and security of this scheme. Experimental results and theoretical studies show that a sufficient amount of inter-chip variation exists to enable each IC to be identified securely and reliably over a practical range of environmental variations such as temperature and power supply voltage. We show that arbiter-based PUFs are realizable and well suited to build, for example, key-cards that need to be resistant to physical attacks.
@article{LimLGSDD_PUFKeys_VLSI05,
author = {Daihyun Lim and Jae W. Lee and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srini Devadas},
title = {Extracting secret keys from integrated circuits},
journal = {IEEE Transactions on Very Large Scale Integration (VLSI) Systems},
year = {2005},
volume = {13},
number = {10},
pages = {1200--1205},
month = {October},
www_section = {PUFs},
url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1561249},
}
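The delay-based (arbiter) PUF described in the Suh and Devadas, Lee et al. and Lim et al. entries above, as an added example rather than code from any of those papers: an additive delay model of the arbiter circuit, the intra-chip versus inter-chip response distance that the papers measure in silicon, and a challenge-response authentication in which every stored pair is spent once. Delay values, the noise level, the thresholds and the chip names are constructed for illustration.

```python
import random


def hamming_fraction(a, b):
    """Fraction of positions where two equal-length bit lists differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


class ArbiterPUF:
    """Additive delay model of an n-stage arbiter PUF (constructed, not measured).
    Stage i has a manufacture-time delay difference d[i] between its two paths;
    challenge bit c[i] selects straight or crossed wiring, which flips the sign
    of every earlier stage's contribution. The arbiter outputs 1 if the top path
    wins. Environmental noise is fresh Gaussian jitter on each evaluation, so the
    same chip occasionally answers the same challenge differently."""

    def __init__(self, n_stages, rng, sigma_noise=0.5):
        self.delays = [rng.gauss(0.0, 1.0) for _ in range(n_stages)]
        self.sigma_noise = sigma_noise
        self.rng = rng

    def respond(self, challenge):
        total, parity = 0.0, 0
        # Walk from the last stage back: stage i's sign is the parity of c[i..n-1].
        for i in range(len(challenge) - 1, -1, -1):
            parity ^= challenge[i]
            total += -self.delays[i] if parity else self.delays[i]
        total += self.rng.gauss(0.0, self.sigma_noise)
        return 1 if total > 0 else 0


def enroll_crps(puf, n_crps, rng):
    """Trusted enrollment: record challenge-response pairs while the device is
    still in the verifier's hands. The verifier keeps the list secret."""
    n = len(puf.delays)
    crps = []
    for _ in range(n_crps):
        c = [rng.randrange(2) for _ in range(n)]
        crps.append((c, puf.respond(c)))
    return crps


def authenticate(db, device_id, presented_puf, n_use=64, max_mismatch=8):
    """Field authentication: spend n_use stored CRPs on the presented device and
    accept if the mismatch count stays within the expected noise. Used CRPs are
    deleted, so a recorded response cannot be replayed later."""
    stored = db.get(device_id, [])
    if len(stored) < n_use:
        return False  # enrollment exhausted: re-enroll rather than reuse challenges
    batch, db[device_id] = stored[:n_use], stored[n_use:]
    mismatches = sum(presented_puf.respond(c) != r for c, r in batch)
    return mismatches <= max_mismatch
```

With 64 stages of unit-variance delay and noise of 0.5, roughly 2% of responses flip between evaluations of the same chip, while two chips agree on about half of their responses, which is the separation the acceptance threshold relies on; the threshold should be set from measured intra-chip noise over the full temperature and voltage range, not from a model. The same linearity that makes the model easy to simulate also makes it learnable from a collection of CRPs, which is why the enrolled pairs are kept secret and a verifier should not answer unlimited queries.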
Pim Tuyls, Geert-Jan Schrijen, Boris Skoric, Jan van Geloven, Nynke Verhaegh and Rob Wolters: "Read-proof hardware from protective coatings", 2006.
Abstract. In cryptography it is assumed that adversaries only have black box access to the secret keys of honest parties. In real life, however, the black box approach is not sufficient because attackers have access to many physical means that enable them to derive information on the secret keys. In order to limit the attacker's ability to read out secret information, the concept of Algorithmic Tamper Proof (ATP) security is needed as put forth by Gennaro, Lysyanskaya, Malkin, Micali and Rabin. An essential component to achieve ATP security is read-proof hardware. In this paper, we develop an implementation of read-proof hardware that is resistant against invasive attacks. The construction is based on a hardware and a cryptographic part. The hardware consists of a protective coating that contains a lot of randomness. By performing measurements on the coating a fingerprint is derived. The cryptographic part consists of a Fuzzy Extractor that turns this fingerprint into a secure key. Hence no key is present in the non-volatile memory of the device. It is only constructed at the time when needed, and deleted afterwards. A practical implementation of the hardware and the cryptographic part is given. Finally, experimental evidence is given that an invasive attack on an IC equipped with this coating, reveals only a small amount of information on the key.
@inproceedings{TuylsSSGVW_PUFCoating_CHES06,
author = {Pim Tuyls and Geert-Jan Schrijen and Boris {\v{S}}kori{\'{c}} and Jan van Geloven and Nynke Verhaegh and Rob Wolters},
title = {Read-proof hardware from protective coatings},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {4249},
isbn = {978-3-540-46559-1},
publisher = {Springer},
month = {October},
year = {2006},
pages = {369--383},
www_section = {PUFs},
url = {http://www.springerlink.com/content/8454587207415662/fulltext.pdf},
}
Daniel E. Holcomb, Wayne P. Burleson and Kevin Fu: "Initial SRAM state as a fingerprint and source of true random numbers for RFID tags", 2007.
Abstract. RFID applications create a need for low-cost security and privacy in potentially hostile environments. Our measurements show that initialization of SRAM produces a physical fingerprint. We propose a system of Fingerprint Extraction and Random Numbers in SRAM (FERNS) that harvests static identity and randomness from existing volatile CMOS storage. The identity results from manufacture-time physically random device threshold mismatch, and the random numbers result from run-time physically random noise. We use experimental data from virtual tags, microcontroller memory, and the WISP UHF RFID tag to validate the principles behind FERNS. We show that a 256-byte SRAM can be used to identify circuits among a population of 160 virtual tags, and can potentially produce 128-bit random numbers capable of passing cryptographic statistical tests.
@inproceedings{Holcomb_SRAMFingerprintRFID_RFIDSEC07,
author = {Daniel E. Holcomb and Wayne P. Burleson and Kevin Fu},
title = {Initial {SRAM} state as a fingerprint and source of true random numbers for {RFID} tags},
booktitle = {Proceedings of the Conference on RFID Security},
month = {July},
year = {2007},
www_section = {PUFs},
url = {http://prisms.cs.umass.edu/~kevinfu/papers/holcomb-FERNS-RFIDSec07.pdf},
}
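
The two entries above rest on the same mechanism: a noisy physical fingerprint (capacitance of a random coating in Tuyls et al., the power-up state of SRAM in Holcomb et al.) is turned into a stable key by a fuzzy extractor, so that no key is ever stored in non-volatile memory. The Python below is an added illustration by the editor, not code from either paper. The SRAM cell model, the repetition-code (code-offset) fuzzy extractor and the use of SHA-256 as the final extractor are the editor's assumptions, and every read-out it uses is constructed, not measured.

```python
import hashlib
import random

# Constructed model, not measured data: every SRAM cell has a fixed bias from
# manufacture-time threshold mismatch plus per-power-up noise.
N_CELLS = 2048      # 256 bytes of SRAM, the array size used in the FERNS paper
REP = 15            # repetition-code length; majority vote corrects 7 flips per block
KEY_BITS = 128      # bits extracted; uses the first REP * KEY_BITS cells


def make_device(seed):
    """Model one chip as a list of per-cell probabilities of powering up as 1."""
    rng = random.Random(seed)
    cells = []
    for _ in range(N_CELLS):
        if rng.random() < 0.95:                 # strongly biased cell (stable identity)
            cells.append(rng.choice([0.01, 0.99]))
        else:                                   # 'neutral' cell: mostly run-time noise
            cells.append(rng.random())
    return cells


def power_up(device, rng):
    """One power-up read-out: sample every cell according to its bias."""
    return [1 if rng.random() < p else 0 for p in device]


def hamming_fraction(a, b):
    """Fraction of differing bits; small within a device, about 0.5 across devices."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def _extract(key_bits):
    # SHA-256 stands in for the strong extractor of the code-offset construction
    # (editor's assumption; neither paper fixes a particular hash).
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def enroll(w, rng):
    """Generate step of a code-offset fuzzy extractor.
    helper = w XOR Enc(k) is public; the device key is H(k)."""
    k = [rng.randrange(2) for _ in range(KEY_BITS)]
    codeword = [bit for bit in k for _ in range(REP)]        # repetition encoding
    helper = [a ^ b for a, b in zip(w, codeword)]            # zip truncates w to the code length
    return _extract(k), helper


def reproduce(w_noisy, helper):
    """Reproduce step: strip the helper from a fresh noisy read-out and
    majority-decode each block. The key exists only while this runs."""
    noisy_codeword = [a ^ b for a, b in zip(w_noisy, helper)]
    k = [1 if 2 * sum(noisy_codeword[i:i + REP]) > REP else 0
         for i in range(0, len(helper), REP)]
    return _extract(k)


def demo(seed=1):
    rng = random.Random(seed)
    dev_a, dev_b = make_device(100), make_device(200)
    w_enroll = power_up(dev_a, rng)      # read-out at enrolment
    w_later = power_up(dev_a, rng)       # same chip, later power-up
    w_other = power_up(dev_b, rng)       # a different chip
    key, helper = enroll(w_enroll, rng)
    return {
        "intra_distance": hamming_fraction(w_enroll, w_later),
        "inter_distance": hamming_fraction(w_enroll, w_other),
        "same_chip_recovers_key": reproduce(w_later, helper) == key,
        "other_chip_recovers_key": reproduce(w_other, helper) == key,
    }


if __name__ == "__main__":
    print(demo())
```

The helper string may sit in plain non-volatile memory, but only what the fingerprint hides stays secret: a code-offset extractor leaks the bias of the bits it is applied to, so strongly biased cells (the 0.01/0.99 cells in this model) or a low-entropy coating leave fewer than the nominal 128 bits of key entropy. Production extractors select or debias cells before enrolment and use a stronger code than plain repetition.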
James D. R. Buchanan, Russell P. Cowburn, Ana-Vanessa Jausovec, Dorothee Petit, Peter Seem, Gang Xiong, Del Atkinson, Kate Fenton, Dan A. Allwood and Matthew T. Bryan: "Forgery: `Fingerprinting' documents and packaging", 2005.
@article{Buchanan_DocumentPUF_NATURE05,
author = {James D. R. Buchanan and Russell P. Cowburn and Ana-Vanessa Jausovec and Doroth{\'{e}}e Petit and Peter Seem and Gang Xiong and Del Atkinson and Kate Fenton and Dan A. Allwood and Matthew T. Bryan},
title = {Forgery: `Fingerprinting' documents and packaging},
journal = {Nature},
volume = {436},
number = {7050},
pages = {475},
month = {July},
year = {2005},
www_section = {PUFs},
url = {http://www.ingeniatechnology.com/docs/download.php?file=FingerprintingDocumentsAndPackaging.pdf},
}

watermarking

Encarnacion Castillo, Luis Parrilla, Antonio Garcia, Antonio Lloris and Uwe Meyer-Baese: "Intellectual property protection of HDL IP cores through automated signature hosting", 2007.
Abstract. This paper presents significant improvements to our previous watermarking technique for Intellectual Property Protection (IPP) that enables the protection of IP cores. The technique relies on hosting the bits of a digital signature at the HDL design level using combinational logic included within the original system. Thus, any attack trying to change or remove the digital signature will damage the design. The technique also includes a procedure for secure signature extraction. The new advances refer to increasing the applicability of this watermarking technique to any design and the provision of an automatic tool for signature hosting purposes. The design examples on FPL devices show the effectiveness of this watermarking technique. Synthesis results show that the application of the proposed watermarking strategy results in negligible degradation of system performance and very low area penalties.
@inproceedings{CastilloPGLB_IPPAuto_SignatureHosting_FPL07,
author = {Encarnaci{\'{o}}n Castillo and Luis Parrilla and Antonio Garc{\'{i}}a and Antonio Lloris and Uwe Meyer-Baese},
title = {Intellectual property protection of {HDL} {IP} cores through automated signature hosting},
booktitle = {Field Programmable Logic and Applications, 2007},
month = {August},
year = {2007},
pages = {183--188},
www_section = {watermarking, FPGA},
url = {http://www.ieeexplore.ieee.org/xpls/abs_all.jsp?isnumber=4380602&arnumber=4380645},
}
Daniel Ziener and Jurgen Teich: "FPGA core watermarking based on power signature analysis", 2006.
Abstract. In this paper we introduce a new method to watermark FPGA cores where the signature (watermark) is detected at the power supply pins of the FPGA. This is the first watermarking method, where the signature is extracted in this way. We are able to sign cores at the netlist as well as the bitfile level, so a wide spectrum of cores can be protected. The power watermarking method works with all types of FPGAs, but with Xilinx FPGAs, we can integrate the watermarking algorithms and the signature into the functionality of the watermarked core. So it is very hard to remove the watermark without destroying the core. We introduce a detection algorithm which can decode the signature from a voltage trace with high probability. Additionally, a second algorithm is introduced which improves the detection probability in case of considerable noise sources. Using this algorithm, it is possible to decode the signature even if other cores operate on the same device at the same time.
@inproceedings{ZienerTeich_WatermarkPowerSig_FPT06,
author = {Daniel Ziener and J{\"{u}}rgen Teich},
title = {{FPGA} core watermarking based on power signature analysis},
booktitle = {IEEE International Conference on Field-Programmable Technology},
month = {December},
year = {2006},
pages = {205--212},
www_section = {watermarking, FPGA},
url = {http://www12.informatik.uni-erlangen.de/publications/pub2006/zienerfpt06.pdf},
}
Daniel Ziener, Stefan Assmus and Jurgen Teich: "Identifying FPGA IP-Cores based on lookup table content analysis", 2006.
Abstract. In this paper we introduce a new method to identify IP cores in an FPGA by analyzing the content of lookup tables. This technique can be used to identify registered cores for IP protection against unlicensed usage. We show methods to extract the content of the lookup tables in a design from a binary bitfile of Xilinx Virtex-II and Virtex-II Pro FPGAs. To identify a core, we compare the number of unique functions from lookup tables of the core with the lookup tables extracted from a product with an FPGA from an accused company. Also placement information can be used for increasing the reliability of the result. With these methods, no additional sources or information must be inquired from the accused company. These techniques can be used for netlist and bitfile cores, so a wide spectrum of cores can be identified.
@inproceedings{ZienerAJ_LUTBasedWatermark_FPL06,
author = {Daniel Ziener and Stefan A{\ss{}}mus and J{\"{u}}rgen Teich},
title = {Identifying {FPGA} {IP-Cores} based on lookup table content analysis},
booktitle = {Field Programmable Logic and Applications},
month = {August},
pages = {481--486},
year = {2006},
www_section = {watermarking, FPGA},
url = {http://www12.informatik.uni-erlangen.de/publications/pub2006/zienerfpl06.pdf},
}
Lin Yuan, Pushkin R. Pari and Gang Qu: "Soft IP protection: watermarking HDL codes", 2004.
Abstract. Intellectual property (IP) reuse based design is one of the most promising techniques to close the so-called design productivity gap. To facilitate better IP reuse, it is desirable to have IPs exchanged in the soft form such as hardware description language (HDL) source codes. However, soft IPs have higher protection requirements than hard IPs and most existing IP protection techniques are not applicable to soft IPs. In this paper, we describe the basic requirements, make the necessary assumptions, and propose several practical schemes for HDL code protection.
We protect the HDL codes by hiding author's signature also called as watermarking, similar to the idea for hard IP and multimedia data protection. But the new challenge is how to embed watermark into HDL source codes, which must be properly documented and synthesizable for reuse. We leverage the unique feature of Verilog HDL design to develop several watermarking techniques. These techniques can protect both new and existing Verilog designs. We watermark SCU-RTL & ISCAS benchmark Verilog circuits, as well as a MP3 decoder. Both original and watermarked designs are implemented on ASICs & FPGAs. The results show that the proposed techniques survive the commercial synthesis tools and cause little design overhead in terms of area/resources, delay and power.
@inproceedings{YuanPQ_SoftIPProtection_IH04,
author = {Lin Yuan and Pushkin R. Pari and Gang Qu},
title = {Soft {IP} protection: watermarking {HDL} codes},
booktitle = {Information Hiding},
year = {2004},
pages = {224--238},
www_section = {watermarking},
url = {http://www.ece.umd.edu/~gangqu/research/papers/c040.pdf},
}
Tri Van Le and Yvo Desmedt: "Cryptanalysis of UCLA watermarking schemes for intellectual property protection", 2002.
Abstract. We analyze four recently proposed watermarking schemes for intellectual property protection of digital designs. The first scheme watermarks solutions of a hard optimization problem, namely the graph coloring problem. The other three schemes belong to a family of techniques for watermarking digital circuits on programmable hardware. They are different from the usual image and audio watermarking since they must maintain correctness of the watermarked objects. Thus their watermarks cannot be embedded in the form of small errors as usually done in audio and visual watermarking. Although constraint-based watermarking schemes existed long before, these schemes are the first ones to protect hardware designs. In this paper, we apply a novel method to break the first of these schemes. We show how to modify a watermarked object in such a way that every signature string can be extracted from it. Thus anyone can claim ownership of the object, yet leave no traces of who leaked the object. According to our best knowledge, this method is new and it may be of its own interest. In the remaining three schemes, we show how to locate and to remove the watermark embedded in the object, without knowing the secret key used in the embedding.
@inproceedings{VanLeDesmedt_UCLAWatermarkingCryptanalysis_IH02,
author = {Tri Van Le and Yvo Desmedt},
title = {Cryptanalysis of {UCLA} watermarking schemes for intellectual property protection},
booktitle = {Workshop on Information Hiding},
series = {LNCS},
volume = {2578},
year = {2002},
isbn = {3-540-00421-1},
pages = {213--225},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {watermarking},
url = {http://www.springerlink.com/content/0qp5l9u76cehw6gv/fulltext.pdf},
}
Amr T. Abdel-Hamid, Sofiene Tahar and El Mostapha Aboulhamid: "IP watermarking techniques: survey and comparison", 2003.
Abstract. Intellectual property (IP) block reuse is essential for facilitating the design process of System-on-a-Chip. Sharing IP blocks in such a competitive market poses significant high security risks. IPs can be read, copied or even partitioned to cover the authorship proof. Creators and owners of IP designs want assurance that their content will not be illegally redistributed by consumers. Consumers, on the other hand, want assurance that the content they buy is legitimate. Digital watermarking, used with most of the shared digital media, has emerged as a candidate solution for helping copyright protection of IP blocks. In this paper, we outline IP watermarking and survey the current state-of-the-art of different schemes and algorithms. We also highlight the main technical problems that should be solved in order to let IP watermarking be used widely in industry.
@inproceedings{AbdelhamidTA_WatermarkingSurvey_IEEE03,
author = {Amr T. Abdel-Hamid and Sofi{\`{e}}ne Tahar and El Mostapha Aboulhamid},
title = {{IP} watermarking techniques: survey and comparison},
booktitle = {IEEE International Workshop on System-on-Chip for Real-Time Applications},
year = {2003},
pages = {},
isbn = {0-7695-1929-6},
www_section = {watermarking},
url = {http://ieeexplore.ieee.org/Xplore/defdeny.jsp?url=/iel5/8609/27279/01213006.pdf},
}
John Lach, William H. Mangione-Smith and Miodrag Potkonjak: "Signature hiding techniques for FPGA intellectual property protection", 1998.
Abstract. This work presents the first known attempt to leverage the unique characteristics of FPGAs to protect commercial investments in intellectual property. A watermark is applied to the physical layout of a digital circuit when it is mapped into an FPGA. This watermark uniquely identifies the circuit origin and yet is difficult to detect. While this approach imposes additional constraints, experiments involving a number of large complex designs indicate that the performance impact is small.
@inproceedings{LachMP_FPGASignatureHiding_CAD98,
author = {John Lach and William H. Mangione-Smith and Miodrag Potkonjak},
title = {Signature hiding techniques for {FPGA} intellectual property protection},
booktitle = {IEEE/ACM International Conference on Computer-Aided Design},
year = {1998},
isbn = {1-58113-008-2},
pages = {186--189},
location = {San Jose, California, United States},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {watermarking, FPGA},
url = {http://portal.acm.org/citation.cfm?id=288606},
}
John Lach, William H. Mangione-Smith and Miodrag Potkonjak: "Robust FPGA intellectual property protection through multiple small watermarks", 1999.
Abstract. A number of researchers have proposed using digital marks to provide ownership identification for intellectual property. Many of these techniques share three specific weaknesses: complexity of copy detection, vulnerability to mark removal after revelation for ownership verification, and mark integrity issues due to partial mark removal. This paper presents a method for watermarking field programmable gate array (FPGA) intellectual property (IP) that achieves robustness by responding to these three weaknesses. The key technique involves using secure hash functions to generate and embed multiple small marks that are more detectable, verifiable, and secure than existing IP protection techniques.
@inproceedings{LachMP_MultipleWatermarks_DAC99,
author = {John Lach and William H. Mangione-Smith and Miodrag Potkonjak},
title = {Robust {FPGA} intellectual property protection through multiple small watermarks},
booktitle = {ACM/IEEE Conference on Design Automation},
year = {1999},
isbn = {1-58113-109-7},
pages = {831--836},
location = {New Orleans, Louisiana, United States},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {watermarking, FPGA},
url = {http://portal.acm.org/citation.cfm?id=310080},
}
Adarsh K. Jain, Lin Yuan, Pushkin R. Pari and Gang Qu: "Zero overhead watermarking technique for FPGA designs", 2003.
Abstract. FPGAs, because of their re-programmability, are becoming very popular for creating and exchanging VLSI intellectual properties (IPs) in the reuse-based design paradigm. Existing watermarking and fingerprinting techniques successfully embed identification information into FPGA designs to deter IP infringement. However, such methods incur timing and/or resource overhead, unpredictable at times, which causes performance degradation. In this paper, we propose a new FPGA watermarking technique that guarantees zero design overhead.
Our approach consists of two phases. First we design as usual to obtain the best, possible, quality IP. Then we map the required signature to additional timing constraints on carefully selected nets and redo a small portion of the design (e.g. place and route). The FPGA configuration bitstream for the resulting watermarked design will be significantly different from the original design, which provides us with a strong proof of authorship. The watermarking technique has zero design overhead because it is developed to maintain the performance of the design from the first phase. This is demonstrated by applying the proposed technique on several real-life FPGA designs, which range in size from a few thousand to more than two million gates, on Xilinx devices.
@inproceedings{JainYPQ_ZeroOverheadFPGAWatermark_GLSVLSI03,
author = {Adarsh K. Jain and Lin Yuan and Pushkin R. Pari and Gang Qu},
title = {Zero overhead watermarking technique for {FPGA} designs},
booktitle = {ACM Great Lakes symposium on VLSI},
year = {2003},
isbn = {1-58113-677-3},
pages = {147--152},
location = {Washington, D. C., USA},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {watermarking, FPGA},
url = {http://www.ece.umd.edu/~gangqu/research/papers/c027.pdf},
}
John Lach, William H. Mangione-Smith and Miodrag Potkonjak: "Fingerprinting techniques for Field-Programmable Gate Array intellectual property protection", 2001.
Abstract. As current computer-aided design (CAD) tool and very large scale integration technology capabilities create a new market of reusable digital designs, the economic viability of this new core-based design paradigm is pending on the development of techniques for intellectual property protection. This work presents the first technique that leverages the unique characteristics of field programmable gate arrays (FPGAs) to protect commercial investment in intellectual property through fingerprinting. A hidden encrypted mark is embedded into the physical layout of a digital circuit when it is placed and routed onto the FPGA. This mark uniquely identifies both the circuit origin and original circuit recipient, yet is difficult to detect and/or remove, even via recipient collusion. While this approach imposes additional constraints on the backend CAD tools for circuit place and route, experiments indicate that the performance and area impacts are minimal.
@article{LachMP_FPGAFingerprinting_CAD01,
author = {John Lach and William H. Mangione-Smith and Miodrag Potkonjak},
title = {Fingerprinting techniques for {Field-Programmable Gate Array} intellectual property protection},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
volume = {20},
month = {October},
year = {2001},
www_section = {watermarking, FPGA},
url = {http://ieeexplore.ieee.org/iel5/43/20593/00952741.pdf},
}
Andrew B. Kahng, John Lach, William H. Mangione-Smith, Stefanus Mantik, Igor L. Markov, Miodrag Potkonjak, Paul Tucker, Huijuan Wang and Gregory Wolfe: "Constraint-based watermarking techniques for design IP protection", 2001.
Abstract. Digital system designs are the product of valuable effort and know-how. Their embodiments, from software and hardware description language program down to device-level netlist and mask data, represent carefully guarded intellectual property (IP). Hence, design methodologies based on IP reuse require new mechanisms to protect the rights of IP producers and owners. This paper establishes principles of watermarking-based IP protection, where a watermark is a mechanism for identification that is: 1) nearly invisible to human and machine inspection; 2) difficult to remove; and 3) permanently embedded as an integral part of the design. Watermarking addresses IP protection by tracing unauthorized reuse and making untraceable unauthorized reuse as difficult as recreating given pieces of IP from scratch. We survey related work in cryptography and design methodology, then develop desiderata, metrics, and concrete protocols for constraint-based watermarking at various stages of the very large scale integration (VLSI) design process. In particular, we propose a new preprocessing approach that embeds watermarks as constraints into the input of a black-box design tool and a new post-processing approach that embeds watermarks as constraints into the output of a black-box design tool. To demonstrate that our protocols can be transparently integrated into existing design flows, we use a testbed of commercial tools for VLSI physical design and embed watermarks into real-world industrial designs. We show that the implementation overhead is low---both in terms of central processing unit time and such standard physical design metrics as wirelength, layout area, number of vias, and routing congestion. We empirically show that in the placement and routing applications considered our methods achieve strong proofs of authorship, are resistant to tampering and do not adversely influence timing.
@article{KahngLM+_ConstraintBasedWatermarking_CAD01,
author = {Andrew B. Kahng and John Lach and William H. Mangione-Smith and Stefanus Mantik and Igor L. Markov and Miodrag Potkonjak and Paul Tucker and Huijuan Wang and Gregory Wolfe},
title = {Constraint-based watermarking techniques for design {IP} protection},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
volume = {20},
number = {10},
year = {2001},
pages = {1236--1252},
www_section = {watermarking},
url = {http://www.eecs.umich.edu/~imarkov/pubs/jour/j009.pdf},
}
John Lach, William H. Mangione-Smith and Miodrag Potkonjak: "FPGA fingerprinting techniques for protecting intellectual property", 1998.
Abstract. As CAD tools and semiconductor technology improvements increase market opportunities for reusable hardware components, it becomes more important to produce techniques for protecting intellectual property rights. This work presents a method of fingerprinting an FPGA design component, so that products in the field can be used to identify both the component designer as well as the customer of record. These techniques are efficient, have extremely low impact on design quality, and are resistant to tampering.
@inproceedings{LachMP_FPGAFingerprinting_CICC98,
author = {John Lach and William H. Mangione-Smith and Miodrag Potkonjak},
title = {{FPGA} fingerprinting techniques for protecting intellectual property},
booktitle = {Custom Integrated Circuits Conference},
year = {1998},
www_section = {watermarking, FPGA},
url = {http://www.ieeexplore.ieee.org/iel4/5666/15173/00694986.pdf?arnumber=694986},
}
Andrew B. Kahng, John Lach, William H. Mangione-Smith, Stefanus Mantik, Igor L. Markov, Miodrag Potkonjak, Paul Tucker, Huijuan Wang and Gregory Wolfe: "Watermarking techniques for intellectual property protection", 1998.
Abstract. Digital system designs are the product of valuable effort and know-how. Their embodiments, from software and HDL program down to device-level netlist and mask data, represent carefully guarded intellectual property (IP). Hence, design methodologies based on IP reuse require new mechanisms to protect the rights of IP producers and owners. This paper establishes principles of watermarking-based IP protection, where a watermark is a mechanism for identification that is (i) nearly invisible to human and machine inspection, (ii) difficult to remove, and (iii) permanently embedded as an integral part of the design. We survey related work in cryptography and design methodology, then develop desiderata, metrics and example approaches centering on constraint-based techniques for watermarking at various stages of the VLSI design process.
@inproceedings{KahngLM+_WatermarkingTechniques_DAC98,
author = {Andrew B. Kahng and John Lach and William H. Mangione-Smith and Stefanus Mantik and Igor L. Markov and Miodrag Potkonjak and Paul Tucker and Huijuan Wang and Gregory Wolfe},
title = {Watermarking techniques for intellectual property protection},
booktitle = {Design Automation Conference},
year = {1998},
isbn = {0-89791-964-5},
pages = {776--781},
location = {San Francisco, California, United States},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {watermarking},
url = {http://portal.acm.org/citation.cfm?id=277240},
}
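
The constraint-based approach described in the two Kahng et al. entries above (embed the signature as extra constraints on the input of an unmodified design tool, then prove authorship by showing the output satisfies constraints that nobody else would have imposed) is easiest to see on the graph-coloring instance that Le and Desmedt analyse. The Python below is an added illustration by the editor, not code from any of these papers: the way the signature is stretched into "must differ" node pairs, the greedy coloring standing in for the design tool, and the random graph used as the "design" are all the editor's constructions.

```python
import hashlib
import random


def adjacency(n, edges):
    adj = {v: set() for v in range(n)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def greedy_color(n, edges):
    """Smallest-available-color greedy coloring in node order. Stands in for the
    black-box design tool whose *input* the watermark constrains."""
    adj = adjacency(n, edges)
    color = {}
    for v in range(n):
        used = {color[u] for u in adj[v] if u in color}
        c = 0
        while c in used:
            c += 1
        color[v] = c
    return color


def signature_constraints(signature, key, n, edges, m):
    """Stretch SHA-256(key || signature || counter) into m node pairs that must
    receive different colors, skipping pairs the design already separates
    (those would be satisfied for free and prove nothing). Assumed scheme."""
    adj = adjacency(n, edges)
    pairs, counter = [], 0
    while len(pairs) < m:
        block = hashlib.sha256(key + signature + counter.to_bytes(4, "big")).digest()
        counter += 1
        for i in range(0, 32, 4):
            u = int.from_bytes(block[i:i + 2], "big") % n
            v = int.from_bytes(block[i + 2:i + 4], "big") % n
            if u == v or v in adj[u] or (u, v) in pairs or (v, u) in pairs:
                continue
            pairs.append((u, v))
            if len(pairs) == m:
                break
    return pairs


def embed(signature, key, n, edges, m):
    """Pre-processing watermark: constraints become extra edges, then the
    unmodified tool colors the augmented graph."""
    return greedy_color(n, edges + signature_constraints(signature, key, n, edges, m))


def is_proper(coloring, edges):
    return all(coloring[u] != coloring[v] for u, v in edges)


def verify(coloring, signature, key, n, edges, m):
    """Re-derive the constraints and count how many the coloring honors.
    'chance' estimates how likely an unrelated coloring with the same
    color-class sizes would satisfy all m by accident: the strength of proof."""
    constraints = signature_constraints(signature, key, n, edges, m)
    satisfied = sum(coloring[u] != coloring[v] for u, v in constraints)
    sizes = {}
    for c in coloring.values():
        sizes[c] = sizes.get(c, 0) + 1
    p_same = sum(s * (s - 1) for s in sizes.values()) / (n * (n - 1))
    return {"satisfied": satisfied, "total": m, "chance": (1 - p_same) ** m}


def random_graph(n, p, seed):
    rng = random.Random(seed)
    return [(u, v) for u in range(n) for v in range(u + 1, n) if rng.random() < p]


def demo():
    n, edges = 80, random_graph(80, 0.15, seed=7)          # constructed 'design'
    key, sig, m = b"owner-secret", b"example-core v1, owner X", 64
    plain = greedy_color(n, edges)
    marked = embed(sig, key, n, edges, m)
    return {
        "colors_plain": len(set(plain.values())),
        "colors_marked": len(set(marked.values())),     # the overhead of marking
        "marked_is_proper": is_proper(marked, edges),
        "genuine": verify(marked, sig, key, n, edges, m),
        "forged": verify(marked, b"someone else", key, n, edges, m),
    }


if __name__ == "__main__":
    print(demo())
```

The watermarked coloring is still a valid solution of the original graph, so the design keeps working; the extra colors, if any, are the overhead the papers measure. The "chance" figure bounds only accidental collision: Le and Desmedt's entry above shows how a coloring of this kind can be reworked so that any signature extracts from it, which is why a verifier must also ask who could have tampered with the object.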

hardware crypto

Men Long: "Implementing Skein hash function on Xilinx Virtex-5 FPGA platform", 2009.
@misc{Long_SkeinFPGA_09,
title = {Implementing {Skein} hash function on {Xilinx} {Virtex-5} {FPGA} platform},
author = {Men Long},
month = {February},
year = {2009},
www_section = {hardware crypto, FPGA},
url = {http://www.skein-hash.info/sites/default/files/skein_fpga.pdf},
}
Saar Drimer, Tim Guneysu and Christof Paar: "DSPs, BRAMs and a pinch of logic: new recipes for AES on FPGAs", 2008.
Abstract. We present an AES cipher implementation that is based on the BlockRAM and DSP units embedded within Xilinx's Virtex-5 FPGAs. An iterative ``basic'' module outputs a 32 bit column of an AES round each clock cycle, with a throughput of 1.76 Gbit/s when processing two 128 bit inputs. This construct is replicated four times for a 128 bit datapath for a full AES round with 6.21 Gbit/s throughput when processing eight inputs. Finally, the ``round'' module is replicated ten times for a fully unrolled design that yields over 55 Gbit/s of throughput. The combination and arrangement of the specialized embedded functions available in the FPGA allows us to implement our designs using very few traditional user logic elements such as flip-flops and lookup tables, yet still achieve these high throughputs. The complete source code for these designs is made publicly available for use in further research and for replicating our results. Our contribution ends with a discussion of comparing cipher implementations in the literature, and why these comparisons can be meaningless without a common reporting style, platform, or within the context of a specific constrained application.
@inproceedings{DrimerGP_NewAESRecipes_FCCM08,
author = {Saar Drimer and Tim G{\"{u}}neysu and Christof Paar},
title = {{DSPs}, {BRAMs} and a pinch of logic: new recipes for {AES} on {FPGAs}},
booktitle = {IEEE Symposium on Field-Programmable Custom Computing Machines},
month = {April},
year = {2008},
location = {Palo Alto, California, USA},
publisher = {IEEE},
www_section = {hardware crypto, FPGA},
url = {http://www.cl.cam.ac.uk/~sd410/papers/aes_dsp.pdf},
}
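
The abstract above describes a "basic" module that produces one 32-bit column of an AES round per clock from lookups held in BlockRAM. The Python below is an added illustration by the editor, not the paper's published source, and it follows the standard T-table formulation of Rijndael rather than the paper's particular DSP/BRAM arrangement. It shows the algebra that makes a column-per-cycle module possible: SubBytes, ShiftRows and MixColumns for one output column collapse into four 256-entry, 32-bit-wide table lookups XORed with one round-key word, and those four tables are exactly the kind of content that fits a BlockRAM.

```python
# AES-128 with the round written as four 32-bit column computations.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """Derive the S-box: inverse in GF(2^8) via log tables, then the affine map."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):             # 3 generates the multiplicative group
        exp[i], log[x] = x, i
        x ^= _xtime(x)               # x *= 3
    sbox = []
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        s = inv
        for _ in range(4):           # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox


def _ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


SBOX = _build_sbox()
# T0[s] = (2s, s, s, 3s) is the MixColumns contribution of a row-0 byte; the
# other three tables are byte rotations of it. 4 x 256 x 32 bits = 4 KiB total.
T0 = [(_gf_mul(2, s) << 24) | (s << 16) | (s << 8) | _gf_mul(3, s) for s in SBOX]
T1, T2, T3 = ([_ror32(t, r) for t in T0] for r in (8, 16, 24))


def expand_key(key):
    """FIPS-197 key schedule; returns 44 big-endian 32-bit words."""
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF                      # RotWord
            t = sum(SBOX[(t >> s) & 0xFF] << s for s in (24, 16, 8, 0))  # SubWord
            t ^= rcon << 24
            rcon = _xtime(rcon)
        w.append(w[i - 4] ^ t)
    return w


def round_column(state, c, rk_word):
    """One 32-bit output column of a full round: SubBytes, ShiftRows,
    MixColumns and AddRoundKey folded into four table lookups and XORs.
    state is column-major (byte index 4*col + row), as in FIPS-197."""
    return (T0[state[4 * c]]
            ^ T1[state[4 * ((c + 1) % 4) + 1]]
            ^ T2[state[4 * ((c + 2) % 4) + 2]]
            ^ T3[state[4 * ((c + 3) % 4) + 3]]
            ^ rk_word)


def aes128_encrypt(key, block):
    w = expand_key(key)
    state = [b ^ ((w[i // 4] >> (24 - 8 * (i % 4))) & 0xFF) for i, b in enumerate(block)]
    for rnd in range(1, 10):
        nxt = []
        for c in range(4):                     # the 'basic module': one column per step
            nxt.extend(round_column(state, c, w[4 * rnd + c]).to_bytes(4, "big"))
        state = nxt
    out = []                                   # final round: no MixColumns, S-box only
    for c in range(4):
        for r in range(4):
            out.append(SBOX[state[4 * ((c + r) % 4) + r]] ^ ((w[40 + c] >> (24 - 8 * r)) & 0xFF))
    return bytes(out)
```

Run against the FIPS-197 test vectors to check the tables. One caveat for anyone porting this back to software: the same data-dependent table indexing is what cache-timing attacks on T-table AES exploit, whereas a BlockRAM read takes a fixed number of cycles regardless of address, which is part of why the construction sits so naturally on an FPGA.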
Philippe Bulens, Francois-Xavier Standaert, Jean-Jacques Quisquater, Pascal Pellegrin and Gael Rouvroy: "Implementation of the AES-128 on Virtex-5 FPGAs", 2008.
Abstract. This paper presents an updated implementation of the Advanced Encryption Standard (AES) on the recent Xilinx Virtex-5 FPGAs. We show how a modified slice structure in these reconfigurable hardware devices results in significant improvement of the design efficiency. In particular, a single substitution box of the AES can fit in 8 FPGA slices. We combine these technological changes with a sound intertwining of the round and key round functionalities in order to produce encryption and decryption architectures that perfectly fit with the Digital Cinema Initiative specifications. More generally, our implementations are convenient for any application requiring Gbps-range throughput.
@inproceedings{BulensSQPR_AESV5_AFRICACRYPT08,
author = {Philippe Bulens and Fran{\c{c}}ois-Xavier Standaert and Jean-Jacques Quisquater and Pascal Pellegrin and Ga{\"{e}}l Rouvroy},
title = {Implementation of the {AES-128} on {Virtex-5} {FPGAs}},
booktitle = {Progress in Cryptology - AfricaCrypt},
year = {2008},
pages = {16--26},
publisher = {Springer},
www_section = {hardware crypto, FPGA},
url = {http://www.dice.ucl.ac.be/~fstandae/PUBLIS/53.pdf},
}
Kimmo Jarvinen: "Studies on high-speed hardware implementations of cryptographic algorithms", 2008.
@phdthesis{Jarvinen_PHDThesis_08,
author = {Kimmo J{\"{a}}rvinen},
title = {Studies on high-speed hardware implementations of cryptographic algorithms},
school = {Helsinki University of Technology},
month = {November},
year = {2008},
www_section = {hardware crypto, FPGA},
url = {http://lib.tkk.fi/Diss/2008/isbn9789512295906/isbn9789512295906.pdf},
}
Kimmo Jarvinen, Matti Tommiska and Jorma Skytta: "Comparative survey of high-performance cryptographic algorithm implementations on FPGAs", 2005.
Abstract. The authors present a comparative survey of private-key cryptographic algorithm implementations on field programmable gate arrays (FPGAs). The performance and flexibility of FPGAs make them almost ideal implementation platforms for cryptographic algorithms, and therefore the FPGA-based implementation of cryptographic algorithms has been widely studied during the past few years. However, a complete analysis of published implementations has not been presented previously. The authors analyse FPGA-based implementations of certain widely used cryptographic algorithms in terms of speed, area and implementation techniques. The algorithms studied in this article include the private-key cryptographic algorithms advanced encryption standard and international data encryption algorithm and certain hash algorithms. These algorithm implementations provide a good overview of the field of private-key cryptographic algorithm implementation.
@article{JarvinenTS_AESComparison_IEEE05,
title = {Comparative survey of high-performance cryptographic algorithm implementations on {FPGAs}},
author = {Kimmo J{\"{a}}rvinen and Matti Tommiska and Jorma Skytt{\"{a}}},
journal = {IEE Proceedings Information Security},
volume = {152},
number = {1},
pages = {3--12},
year = {2005},
www_section = {hardware crypto, FPGA},
url = {http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01541354},
}
Benjamin Gittins, Howard Landman, Sean O'Neil and Ron Kelson: "A presentation on VEST hardware performance, chip area measurements, power consumption estimates and benchmarking in relation to the AES, SHA-256 and SHA-512", 2005.
Abstract. The ECRYPT/eSTREAM organisers have required all submissions to be benchmarked against the Advanced Encryption Standard (AES) and where applicable, a secure trusted authentication mechanism. The goal is stated to be to identify those eSTREAM submissions that offer an advance over AES efficiency in any one or more benchmark dimensions. In this paper, we respond to the eSTREAM requirement and offer a wide-sweeping multi-dimensional analysis and comparison between VEST and the hardware implementations of the AES, AES-HMAC and SHA-2 primitives. This analysis clearly establishes VEST superiority over the AES, HMAC and SHA-2 primitives generally while direct comparisons between VEST and several of the best AES HMAC and SHA-2 implementations illustrate VEST superiority measuring in the hundreds of percent on several design dimensions or axes.
@misc{GittinsLOK_VESTPerf_05,
title = {A presentation on {VEST} hardware performance, chip area measurements, power consumption estimates and benchmarking in relation to the {AES}, {SHA-256} and {SHA-512}},
author = {Benjamin Gittins and Howard Landman and Sean O'Neil and Ron Kelson},
month = {November},
year = {2005},
www_section = {hardware crypto, FPGA},
url = {http://www.vestciphers.com/20070418-ProVEST-PerformanceSurvey.pdf},
}
Frank K. Gurkaynak and Peter Luethi: "Recommendations for hardware evaluation of cryptographic algorithms", 2006.
Abstract. At the SASC 2006 three papers on hardware implementation of the eSTREAM candidates were presented. The workshop provided an interesting platform where hardware designers were confronted with the developers of the algorithms. The presentations were followed by a lively discussion. As hardware designers, we must admit that we have learned a lot from these discussions. In this brief document we want to outline our personal observations and will attempt to make some suggestions for further hardware evaluations.
@techreport{GurkaynakLuethi_HWEvalCrypto_06,
title = {Recommendations for hardware evaluation of cryptographic algorithms},
author = {Frank K. G{\"{u}}rkaynak and Peter Luethi},
institution = {Integrated Systems Laboratory, ETH Zurich CH-8092 Switzerland},
year = {2006},
www_section = {hardware crypto, FPGA},
url = {http://asic.ethz.ch/estream/SASC_recommendations.pdf},
}
Kimmo Jarvinen, Matti Tommiska and Jorma Skytta: "A fully pipelined memoryless 17.8 Gbps AES-128 encryptor", 2003.
Abstract. A fully pipelined implementation of the Advanced Encryption Standard encryption algorithm with 128-bit input and key length (AES-128) was implemented on Xilinx' Virtex-E and Virtex-II devices. The design is called SIG-AES-E and it implements the S-boxes combinatorially and thus requires no internal memory. It is concluded, that SIG-AES-E is faster than other published FPGA-based implementations of the AES-128 encryption algorithm.
@inproceedings{JarvinenTS_AES_FPL03,
author = {Kimmo J{\"{a}}rvinen and Matti Tommiska and Jorma Skytt{\"{a}}},
title = {A fully pipelined memoryless {17.8} {Gbps} {AES-128} encryptor},
booktitle = {Eleventh ACM/SIGDA International Symposium on Field Programmable Gate Arrays},
year = {2003},
pages = {207--215},
address = {New York, NY, USA},
publisher = {ACM},
isbn = {1-58113-651-X},
location = {Monterey, California, USA},
www_section = {hardware crypto, FPGA},
url = {http://portal.acm.org/citation.cfm?id=611848},
}
Francois-Xavier Standaert: "Secure and efficient implementation of symmetric encryption schemes using FPGAs", 2007.
@misc{Standaert_SymmetricCipherFPGA_07,
author = {Fran{\c{c}}ois-Xavier Standaert},
title = {Secure and efficient implementation of symmetric encryption schemes using {FPGAs}},
month = {September},
year = {2007},
key = {},
www_section = {hardware crypto, FPGA},
url = {http://www.dice.ucl.ac.be/~fstandae/PUBLIS/45.pdf},
}
Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer, Andy Rupp and Manfred Schimmler: "How to break DES for EUR 8,980", 2006.
Abstract. (Partial) Cryptanalysis of symmetric and asymmetric ciphers is computationally extremely demanding. Since the security parameters of almost all practical crypto algorithms are chosen such that attacks with conventional computers are computationally infeasible, the only promising way to tackle existing ciphers (in the absence of mathematical breakthroughs) is to build special-purpose hardware. Dedicating those machines to the task of cryptanalysis holds the promise of a dramatically improved cost-performance ratio so that breaking of commercial ciphers comes within reach.
This contribution describes the design and realization of the reprogrammable machine COPACOBANA (Cost-Optimized Parallel Code Breaker), which is optimized for running cryptanalytical algorithms. The primary design goal was to produce a re-programmable low-cost design for less than EUR 10,000 which is applicable for attacking the Data Encryption Standard (DES) in less than nine days.
@inproceedings{KumarPPP+_COPACOBANA_SHARCS06,
author = {Sandeep Kumar and Christof Paar and Jan Pelzl and Gerd Pfeiffer and Andy Rupp and Manfred Schimmler},
title = {How to break {DES} for {EUR 8,980}},
booktitle = {Special-Purpose Hardware for Attacking Cryptographic Systems Workshop},
location = {Cologne, Germany},
month = {April},
year = {2006},
www_section = {hardware crypto, FPGA},
url = {http://www.copacobana.org/paper/copacobana_SHARCS2006.pdf},
}
Ricardo Chaves, Georgi Kuzmanov, Stamatis Vassiliadis and Leonel Sousa: "Reconfigurable memory based AES co-processor", 2006.
Abstract. We consider the AES encryption/decryption algorithm and propose a memory based hardware design to support it. The proposed implementation is mapped on the Xilinx Virtex II Pro technology. Both the byte substitution and the polynomial multiplication of the AES algorithm are implemented in a single dual port on-chip memory block (BRAM). Two AES encryption/decryption cores have been designed and implemented on a prototyping XC2VP20-7 FPGA: a completely unrolled loop structure capable of achieving a throughput above 34 Gbits/s, with an implementation cost of 3513 slices and 80 BRAMs; and a fully folded structure, requiring only 515 slices and 12 BRAMs, capable of a throughput above 2 Gbits/s. To evaluate the proposed AES design, it has been embedded in a polymorphic processor organization, as a reconfigurable co-processor. Comparisons to state-of-the-art AES cores indicate that the proposed unfolded core outperforms the most recent works by 34% in throughput and requires 68% less reconfigurable area. Experimental results of both folded and unfolded AES cores suggest over 560% improvement in the throughput/slice metric when compared to the recent AES related art.
@inproceedings{ChavesKVS_ReconfigAES_PDPS06,
title = {Reconfigurable memory based {AES} co-processor},
author = {Ricardo Chaves and Georgi Kuzmanov and Stamatis Vassiliadis and Leonel Sousa},
booktitle = {Parallel and Distributed Processing Symposium},
year = {2006},
month = {April},
pages = {192--199},
www_section = {hardware crypto, FPGA},
url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1639441},
}
Emmanuel López-Trejo, Francisco Rodríguez-Henríquez and Arturo Díaz-Pérez: "An FPGA implementation of CCM mode using AES", 2005.
Abstract. Due to the exponential growth of wireless and mobile applications, security has become a paramount design aspect. New techniques have been proposed for replacing the broken Wired Equivalent Privacy (WEP) protocol, which is arguably the most widely used security tool in wireless environments up to now. Under this scenario, AES in CCM (Counter with CBC-MAC) mode has been included in the IEEE 802.11i wireless standard as a promising alternative to the compromised WEP protocol. In this contribution, we present an FPGA implementation of the CCM mode of operation using AES as its block cipher. Our design achieves a throughput of 1.05 Gbits/s with reasonable area requirements.
@inproceedings{Lopes-TrejoRD_FPGACCM_ICISC05,
author = {Emmanuel L{\'{o}}pez-Trejo and Francisco Rodr{\'{i}}guez-Henr{\'{i}}quez and Arturo D{\'{i}}az-P{\'{e}}rez},
title = {An {FPGA} implementation of {CCM} mode using {AES}},
booktitle = {Information Security and Cryptology (ICISC)},
month = {December},
year = {2005},
series = {LNCS},
volume = {3935},
pages = {322--334},
publisher = {Springer},
www_section = {hardware crypto, FPGA},
url = {http://www.springerlink.com/content/8q84785122672504/},
}
Alireza Hodjat and Ingrid Verbauwhede: "A 21.54 Gbits/s fully pipelined AES processor on FPGA", 2004.
Abstract. This paper presents the architecture of a fully pipelined AES encryption processor on a single chip FPGA. By using loop unrolling and inner-round and outer-round pipelining techniques, a maximum throughput of 21.54 Gbits/s is achieved. A fast and an area efficient composite field implementation of the byte substitution phase is designed using an optimum number of pipeline stages for FPGA implementation. A 21.54 Gbits/s throughput is achieved using 84 block RAMs and 5177 slices of a VirtexII-Pro FPGA with a latency of 31 cycles and throughput per area rate of 4.2 Mbps/Slice.
@inproceedings{HodjatVerbauwhede_FullyPipelinedAES_FCCM04,
title = {A {21.54 Gbits/s} fully pipelined {AES} processor on {FPGA}},
author = {Alireza Hodjat and Ingrid Verbauwhede},
booktitle = {Field-Programmable Custom Computing Machines},
year = {2004},
month = {April},
pages = {308--309},
publisher = {IEEE Computer Society},
isbn = {0-7695-2230-0},
www_section = {hardware crypto, FPGA},
url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1364653},
}
Gaël Rouvroy, François-Xavier Standaert, Jean-Jacques Quisquater and Jean-Didier Legat: "Compact and efficient encryption/decryption module for FPGA implementation of the AES Rijndael very well suited for small embedded applications", 2004.
Abstract. Hardware implementations of the advanced encryption standard (AES) Rijndael algorithm have recently been the object of an intensive evaluation. Several papers describe efficient architectures for ASICs and FPGAs. In this context, the highest effort was devoted to high throughput (up to 20 Gbps) encryption-only designs, fewer works studied low area encryption-only architectures and only a few papers have investigated low area encryption/decryption structures. However, in practice, only a few applications need throughput up to 20 Gbps while flexible and low cost encryption/decryption solutions are needed to protect sensitive data, especially for embedded hardware applications. We propose an efficient solution to combine Rijndael encryption and decryption in one FPGA design, with a strong focus on low area constraints. The proposed design fits into the smallest Xilinx FPGAs, deals with data streams of 208 Mbps, uses 163 slices and 3 RAM blocks and improves by 68% the best-known similar designs in terms of the ratio Throughput/Area. We also propose implementations in other FPGA families (Xilinx Virtex-II) and comparisons with similar DES, triple-DES and AES implementations.
@inproceedings{RouvroySQL_CompactAES_CC04,
author = {Ga{\"{e}}l Rouvroy and Fran{\c{c}}ois-Xavier Standaert and Jean-Jacques Quisquater and Jean-Didier Legat},
title = {Compact and efficient encryption/decryption module for {FPGA} implementation of the {AES} {Rijndael} very well suited for small embedded applications},
booktitle = {International Conference on Information Technology: Coding and Computing},
year = {2004},
volume = {2},
pages = {583},
address = {Los Alamitos, CA, USA},
isbn = {0-7695-2108-8},
publisher = {IEEE Computer Society},
www_section = {hardware crypto, FPGA},
url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1286716},
}
Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer and Manfred Schimmler: "Breaking ciphers with COPACOBANA -- a cost-optimized parallel code breaker", 2006.
Abstract. Cryptanalysis of symmetric and asymmetric ciphers is computationally extremely demanding. Since the security parameters (in particular the key length) of almost all practical crypto algorithms are chosen such that attacks with conventional computers are computationally infeasible, the only promising way to tackle existing ciphers (assuming no mathematical breakthrough) is to build special-purpose hardware. Dedicating those machines to the task of cryptanalysis holds the promise of a dramatically improved cost-performance ratio so that breaking of commercial ciphers comes within reach.
This contribution presents the design and realization of the COPACOBANA (Cost-Optimized Parallel Code Breaker) machine, which is optimized for running cryptanalytical algorithms and can be realized for less than USD 10,000. It will be shown that, depending on the actual algorithm, the architecture can outperform conventional computers by several orders of magnitude. COPACOBANA hosts 120 low-cost FPGAs and is able to, e.g., perform an exhaustive key search of the Data Encryption Standard (DES) in less than nine days on average. As a real-world application, our architecture can be used to attack machine readable travel documents (ePass). COPACOBANA is intended, but not necessarily restricted to solving problems related to cryptanalysis.
The hardware architecture is suitable for computational problems which are parallelizable and have low communication requirements. The hardware can be used, e.g., to attack elliptic curve cryptosystems and to factor numbers. Even though breaking full-size RSA (1024 bit or more) or elliptic curves (ECC with 160 bit or more) is out of reach with COPACOBANA, it can be used to analyze cryptosystems with a (deliberately chosen) small bitlength to provide reliable security estimates of RSA and ECC by extrapolation.
@inproceedings{KumarPPPS_COPACOBANA_CHES06,
author = {Sandeep Kumar and Christof Paar and Jan Pelzl and Gerd Pfeiffer and Manfred Schimmler},
title = {Breaking ciphers with {COPACOBANA} -- a cost-optimized parallel code breaker},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {4249},
isbn = {978-3-540-46559-1},
publisher = {Springer},
month = {October},
year = {2006},
pages = {101--118},
www_section = {hardware crypto, FPGA},
url = {http://www.springerlink.com/content/b5gp2783243w1964/fulltext.pdf},
}
Viktor Fischer and Miloš Drutarovský: "Two methods of Rijndael implementation in reconfigurable hardware", 2001.
Abstract. This paper presents an evaluation of the Rijndael cipher, the Advanced Encryption Standard winner, from the viewpoint of its implementation in Field Programmable Devices (FPDs). Starting with an analysis of the algorithm's general characteristics, a general cipher structure is described. Two different methods of mapping the Rijndael algorithm to FPDs are analyzed and the suitability of available FPD families is evaluated. Finally, results of the proposed mapping implemented in Altera FLEX, ACEX and APEX FPDs are presented and compared with the fastest known Xilinx FPGA implementation. The results obtained are significantly faster than those of other implementations known up to now.
@inproceedings{FischerDrutarovsky_TwoAES_CHES01,
author = {Viktor Fischer and Milo{\v{s}} Drutarovsk{\'y}},
title = {Two methods of {Rijndael} implementation in reconfigurable hardware},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
year = {2001},
series = {LNCS},
volume = {2160},
pages = {77--92},
isbn = {3-540-42521-7},
publisher = {Springer-Verlag},
www_section = {hardware crypto, FPGA},
url = {http://www.springerlink.com/content/pp7l21ne2ynxebex/},
}
Kris Gaj and Pawel Chodowiec: "Fast implementation and fair comparison of the final candidates for advanced encryption standard using field programmable gate arrays", 2001.
Abstract. The results of fast implementations of all five AES final candidates using Virtex Xilinx Field Programmable Gate Arrays are presented and analyzed. Performance of several alternative hardware architectures is discussed and compared. One architecture optimum from the point of view of the throughput to area ratio is selected for each of the two major types of block cipher modes. For feedback cipher modes, all AES candidates have been implemented using the basic iterative architecture, and achieved speeds ranging from 61 Mbit/s for Mars to 431 Mbit/s for Serpent. For non-feedback cipher modes, four AES candidates have been implemented using a high-throughput architecture with pipelining inside and outside of cipher rounds, and achieved speeds ranging from 12.2 Gbit/s for Rijndael to 16.8 Gbit/s for Serpent. A new methodology for a fair comparison of the hardware performance of secret-key block ciphers has been developed and contrasted with methodology used by the NSA team.
@inproceedings{GajChodowiec_FairAESCandidates_RSACT01,
title = {Fast implementation and fair comparison of the final candidates for advanced encryption standard using field programmable gate arrays},
author = {Kris Gaj and Pawel Chodowiec},
booktitle = {The Cryptographers' Track at the RSA Security Conference},
series = {LNCS},
volume = {2020},
pages = {84--99},
year = {2001},
publisher = {Springer},
www_section = {hardware crypto, FPGA},
url = {http://www.springerlink.com/content/50g2epmwke4qjebb/},
}
Andreas Dandalis, Viktor K. Prasanna and Jose D.P. Rolim: "A comparative study of performance of AES final candidates using FPGAs", 2000.
Abstract. In this paper we study and compare the performance of FPGA-based implementations of the five final AES candidates (MARS, RC6, Rijndael, Serpent, and Twofish). Our goal is to evaluate the suitability of the aforementioned algorithms for FPGA-based implementations. Among the various time-space implementation tradeoffs, we focused primarily on time performance. The time performance metrics are throughput and key-setup latency. Throughput corresponds to the amount of data processed per time unit while the key-setup latency time is the minimum time required to commence encryption after providing the input key. Time performance and area requirement results are provided for all the final AES candidates. To the best of our knowledge, we are not aware of any published results that include key-setup latency results. Our results suggest that Rijndael and Serpent favor FPGA implementations the most since their algorithmic characteristics match extremely well with the hardware characteristics of FPGAs.
@inproceedings{DandalisPR_AESCompare_CHES00,
title = {A comparative study of performance of {AES} final candidates using {FPGAs}},
author = {Andreas Dandalis and Viktor K. Prasanna and Jose D.P. Rolim},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {1965},
pages = {125--140},
year = {2000},
publisher = {Springer},
www_section = {hardware crypto, FPGA},
url = {http://www.springerlink.com/content/l1wbq8dyy7qtv1m6/},
}
Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin and Michael Szydlo: "Security analysis of a cryptographically-enabled RFID device", 2005.
Abstract. We describe our success in defeating the security of an RFID device known as a Digital Signature Transponder (DST). Manufactured by Texas Instruments, DST (and variant) devices help secure millions of SpeedPass payment transponders and automobile ignition keys. Our analysis of the DST involved three phases:
1. Reverse engineering: Starting from a rough published schematic, we determined the complete functional details of the cipher underpinning the challenge-response protocol in the DST. We accomplished this with only ``oracle'' or ``black-box'' access to an ordinary DST, that is, by experimental observation of responses output by the device.
2. Key cracking: The key length for the DST is only 40 bits. With an array of sixteen FPGAs operating in parallel, we can recover a DST key in under an hour using two responses to arbitrary challenges.
3. Simulation: Given the key (and serial number) of a DST, we are able to simulate its RF output so as to spoof a reader. As validation of our results, we purchased gasoline at a service station and started an automobile using simulated DST devices.
We accomplished all of these steps using inexpensive off-the-shelf equipment, and with minimal RF expertise. This suggests that an attacker with modest resources can emulate a target DST after brief short-range scanning or long-range eavesdropping across several authentication sessions. We conclude that the cryptographic protection afforded by the DST device is relatively weak.
@inproceedings{BonoGSJRS_RFID_USENIX05,
author = {Steve Bono and Matthew Green and Adam Stubblefield and Ari Juels and Avi Rubin and Michael Szydlo},
title = {Security analysis of a cryptographically-enabled {RFID} device},
booktitle = {USENIX Security Symposium},
year = {2005},
pages = {1--16},
address = {Baltimore, Maryland, USA},
month = {July-August},
organization = {USENIX},
www_section = {hardware crypto, FPGA},
url = {http://www.usenix.org/events/sec05/tech/bono/bono.pdf},
}
Electronic Frontier Foundation: "Cracking DES: Secrets of encryption research, wiretap politics and chip design", 1998.
Abstract. This book was written to reveal a hidden truth. The standard way that the US Government recommends that we make information secure and private, the "Data Encryption Standard" or DES, does not actually make that information secure or private. The government knows fairly simple ways to reveal the hidden information (called "cracking" or "breaking" DES).
Many scientists and engineers have known or suspected this for years. The ones who know exactly what the government is doing have been unable to tell the public, fearing prosecution for revealing "classified" information. Those who are only guessing have been reluctant to publish their guesses, for fear that they have guessed wrong.
This book describes a machine which we actually built to crack DES. The machine exists, and its existence can easily be verified. You can buy one yourself, in the United States; or can build one yourself if you desire. The machine was designed and built in the private sector, so it is not classified. We have donated our design to the public domain, so it is not proprietary. There is no longer any question that it can be built or has been built. We have published its details so that other scientists and engineers can review, reproduce, and build on our work. There can be no more doubt. DES is not secure.
@book{EFF_DES,
author = {{Electronic Frontier Foundation}},
editor = {Mike Loukides and John Gilmore},
title = {Cracking {DES}: Secrets of encryption research, wiretap politics and chip design},
year = {1998},
isbn = {1565925203},
publisher = {O'Reilly \& Associates, Inc.},
address = {Sebastopol, CA, USA},
www_section = {hardware crypto},
url = {http://cryptome.org/cracking-des/cracking-des.htm},
}
NSA@home: "NSA@home", 2007.
@misc{NSAAtHome_WEB07,
author = {{NSA@home}},
title = {{NSA@home}},
month = {September},
year = {2007},
www_section = {hardware crypto, FPGA},
url = {http://nsa.unaligned.org/},
}
The A5 cracking project: "The A5 cracking project", 2007.
@misc{A5Crack_WEB07,
author = {{The A5 cracking project}},
title = {The {A5} cracking project},
month = {September},
year = {2007},
www_section = {hardware crypto, FPGA},
url = {http://wiki.thc.org/cracking_a5},
}
Richard Clayton and Mike Bond: "Experience using a low-cost FPGA design to crack DES keys", 2002.
Abstract. This paper describes the authors' experiences attacking the IBM 4758 CCA, used in retail banking to protect the ATM infrastructure. One of the authors had previously proposed a theoretical attack to extract DES keys from the system, but it failed to take account of real-world banking security practice. We developed a practical scheme that collected the necessary data in a single 10-minute session. Risk of discovery by intrusion detection systems made it necessary to complete the key ``cracking'' part of the attack within a few days, so a hardware DES cracker was implemented on a USD 995 off-the-shelf FPGA development board. This gave a 20-fold increase in key testing speed over the use of a standard 800 MHz PC. The attack was not only successful in its aims, but also shed new light on the protocol vulnerabilities being exploited. In addition, the FPGA development led to a fresh way of demonstrating the non-randomness of some of the DES S-boxes and indicated when pipelining can be a more effective technique than replication of processing blocks. The wide range of insights we obtained demonstrates that there can be significant value in implementing attacks ``for real''.
@inproceedings{BC_DESCRACK02,
author = {Richard Clayton and Mike Bond},
title = {Experience using a low-cost {FPGA} design to crack {DES} keys},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
year = {2002},
series = {LNCS},
volume = {2523},
isbn = {3-540-00409-2},
pages = {579--592},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {hardware crypto, FPGA},
url = {http://www.cl.cam.ac.uk/~rnc1/descrack/DEScracker.pdf},
}
Ivan Hamer and Paul Chow: "DES cracking on the Transmogrifier 2a", 1999.
Abstract. The Cryptographic Challenges sponsored by RSA Laboratories have given some members of the computing community an opportunity to participate in some of the intrigue involved with solving secret messages. This paper describes an effort to build DES-cracking hardware on a field-programmable system called the Transmogrifier 2a. A fully implemented system will be able to search the entire key space in 1040 days at a rate of 800 million keys/second.
@inproceedings{HC_TRANSMO99,
author = {Ivan Hamer and Paul Chow},
title = {{DES} cracking on the {Transmogrifier 2a}},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
year = {1999},
series = {LNCS},
volume = {1717},
isbn = {3-540-66646-X},
pages = {13--24},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {hardware crypto},
url = {http://www.springerlink.com/content/bqllltjjm24h671a/fulltext.pdf},
}
Synaptic Laboratories Ltd.: "[ Hardware Ciphers ]", 2006.
Abstract. The [ Hardware Ciphers ] web site is targeted to a wide audience. Our first objective is to assist hardware designers find the best secure hardware cipher and cipher implementation suitable for their unique project requirements. Our second objective is to provide this information in a manner that is easily accessible by students, software cipher designers, managers, government officials and the wider general public who may also benefit from the extensive information compiled on this site.
This site is motivated in part based on the observation that cryptographers in the public sector have predominantly focused on software and general-purpose cipher design. Therefore the requirements for an efficient and well-balanced software cipher are well documented. What is less widely understood are the basic processes, critical issues and differences that guide the design of ciphers and cipher implementations that are secure and efficient in hardware.
@manual{HWCIPHERS_WEB,
title = {{[ Hardware Ciphers ]}},
organization = {Synaptic Laboratories Ltd.},
month = {November},
year = {2006},
www_section = {hardware crypto, FPGA},
url = {http://www.hardware-ciphers.com},
}
G.P. Saggese, A. Mazzeo, N. Mazzocca and A.G.M. Strollo: "An FPGA-based performance analysis of the unrolling, tiling, and pipelining of the AES algorithm", 2003.
Abstract. In October 2000 the National Institute of Standards and Technology chose Rijndael algorithm as the new Advanced Encryption Standard (AES). AES finds wide deployment in a huge variety of products making efficient implementations a significant priority. In this paper we address the design and the FPGA implementation of a fully key agile AES encryption core with 128-bit keys. We discuss the effectiveness of several design techniques, such as accurate floorplanning, the unrolling, tiling and pipelining transformations (also in the case of feedback modes of operation) to explore the design space. Using these techniques, four architectures with different level of parallelism, trading off area for performance, are described and their implementations on a Virtex-E FPGA part are presented. The proposed implementations of AES achieve better performance as compared to other blocks in the literature and commercial IP core on the same device.
@inproceedings{SaggeseMMS_AES_FPL05,
title = {An {FPGA-based} performance analysis of the unrolling, tiling, and pipelining of the {AES} algorithm},
author = {G.P. Saggese and A. Mazzeo and N. Mazzocca and A.G.M. Strollo},
booktitle = {Field-Programmable Logic and Applications},
series = {LNCS},
volume = {2778},
pages = {292--302},
year = {2003},
publisher = {Springer},
www_section = {hardware crypto, FPGA},
url = {http://www.springerlink.com/content/r7kdmbk5vwccuwl3/},
}
Tim Good and Mohammed Benaissa: "AES on FPGA from the fastest to the smallest", 2005.
Abstract. Two new FPGA designs for the Advanced Encryption Standard (AES) are presented. The first is believed to be the fastest, achieving 25 Gbps throughput using a Xilinx Spartan-III (XC3S2000) device. The second is believed to be the smallest and fits into a Xilinx Spartan-II (XC2S15) device, only requiring two block memories and 124 slices to achieve a throughput of 2.2 Mbps. These designs show the extremes of what is possible and have radically different applications from high performance e-commerce IPsec servers to low power mobile and home applications. The high speed design presented here includes support for continued throughput during key changes for both encryption and decryption which previous pipelined designs have omitted.
@inproceedings{GoodBenaissa_AESFPGASmallFast_CHES05,
author = {Tim Good and Mohammed Benaissa},
title = {{AES} on {FPGA} from the fastest to the smallest},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {3659},
isbn = {3-540-28474-5},
publisher = {Springer},
month = {September},
year = {2005},
pages = {427--440},
www_section = {hardware crypto, FPGA},
url = {http://www.springerlink.com/content/8ey56t5n1m3k31t6/fulltext.pdf},
}
David Canright: "A very compact S-Box for AES", 2005.
Abstract. A key step in the Advanced Encryption Standard (AES) algorithm is the ``S-box.'' Many implementations of AES have been proposed, for various goals, that effect the S-box in various ways. In particular, the most compact implementations to date of Satoh et al.[14] and Mentens et al.[6] perform the 8-bit Galois field inversion of the S-box using subfields of 4 bits and of 2 bits. Our work refines this approach to achieve a more compact S-box. We examined many choices of basis for each subfield, not only polynomial bases as in previous work, but also normal bases, giving 432 cases. The isomorphism bit matrices are fully optimized, improving on the ``greedy algorithm.'' Introducing some NOR gates gives further savings. The best case improves on [14] by 20 percent. This decreased size could help for area-limited hardware implementations, e.g., smart cards, and to allow more copies of the S-box for parallelism and/or pipelining of AES.
@inproceedings{CANRIGHT_AESSBOX_CHES05,
author = {David Canright},
title = {A very compact {S-Box} for {AES}},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
series = {LNCS},
volume = {3659},
isbn = {3-540-28474-5},
publisher = {Springer},
month = {September},
year = {2005},
pages = {441--455},
www_section = {hardware crypto},
url = {http://www.springerlink.com/content/bhj8hmtc1pwakja3/fulltext.pdf},
}
Martin Feldhofer, Kerstin Lemke, Elisabeth Oswald, François-Xavier Standaert, Thomas Wollinger and Johannes Wolkerstorfer: "State of the art in hardware architectures", 2005.
Abstract. This is the first of two deliverables that survey state-of-the-art hardware architectures for cryptographic algorithms. Hardware implementations of cryptographic algorithms have a long history. Traditionally, algorithms were implemented in hardware to achieve a higher speed than with implementations in software. The requirements of contemporary and future applications, however, often demand other properties of hardware implementations. Today we can identify two application scenarios where hardware implementations are advantageous over software implementations. Firstly, these are high-speed applications where a cryptographic co-processor performs the cryptographic operations in order to relieve the rest of the system. Secondly, these are applications where low power and low area requirements are stringent. In both application scenarios, the secure storage of keys is important. In this deliverable we survey hardware architectures that are suitable for cryptographic applications. In particular, we analyze various hardware implementations of the AES algorithm. The focus of this survey will be on throughput-optimized circuits and on circuits designed for operation in very constricted environments where the power budget and the silicon area are sparse resources. In order to provide a profound analysis of existing AES hardware we describe the AES algorithm briefly. The analysis of existing AES hardware shows considerations for light-weight implementations and for high-performance implementations. For both implementation goals, pointers and references to state-of-the-art implementations are given. Concepts and design considerations behind these implementations, which allow to push the limits of AES hardware implementations, are summarized in a compact manner.
@techreport{FLOS+_HWARCH_ECRYPT05,
author = {Martin Feldhofer and Kerstin Lemke and Elisabeth Oswald and Fran{\c{c}}ois-Xavier Standaert and Thomas Wollinger and Johannes Wolkerstorfer},
title = {State of the art in hardware architectures},
institution = {ECRYPT, European Network of Excellence in Cryptology},
month = {September},
year = {2005},
number = {D.VAM.2},
www_section = {hardware crypto},
url = {http://www.iaik.tu-graz.ac.at/research/krypto/AES/VAM2-IAIK-17-D.VAM2-1_0.pdf},
}
Adam J. Elbirt, W. Yip, B. Chetwynd and Christof Paar: "An FPGA-based performance evaluation of the AES block cipher candidate algorithm finalists", 2001.
Abstract. The technical analysis used in determining which of the potential Advanced Encryption Standard candidates was selected as the Advanced Encryption Algorithm includes efficiency testing of both hardware and software implementations of candidate algorithms. Reprogrammable devices such as field-programmable gate arrays (FPGAs) are highly attractive options for hardware implementations of encryption algorithms, as they provide cryptographic algorithm agility, physical security, and potentially much higher performance than software solutions. This contribution investigates the significance of FPGA implementations of the Advanced Encryption Standard candidate algorithms. Multiple architectural implementation options are explored for each algorithm. A strong focus is placed on high-throughput implementations, which are required to support security for current and future high bandwidth applications. Finally, the implementations of each algorithm will be compared in an effort to determine the most suitable candidate for hardware implementation within commercially available FPGAs.
@article{ElbirtYCP_FPGAPerfAES_VLSI01,
title = {An {FPGA-based} performance evaluation of the {AES} block cipher candidate algorithm finalists},
author = {Adam J. Elbirt and W. Yip and B. Chetwynd and Christof Paar},
journal = {IEEE Transactions on Very Large Scale Integration (VLSI) Systems},
year = {2001},
month = {August},
volume = {9},
number = {4},
pages = {545--557},
www_section = {hardware crypto, FPGA},
url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=931230},
}
Johannes Wolkerstorfer, Elisabeth Oswald and Mario Lamberger: "An ASIC Implementation of the AES SBoxes", 2002.
Abstract. This article presents a hardware implementation of the SBoxes from the Advanced Encryption Standard (AES). The SBoxes substitute an 8-bit input for an 8-bit output and are based on arithmetic operations in the finite field GF(2^8). We show that a calculation of this function and its inverse can be done efficiently with combinational logic. This approach has advantages over a straight-forward implementation using read-only memories for table lookups. Most of the functionality is used for both encryption and decryption. The resulting circuit offers low transistor count, has low die-size, is convenient for pipelining, and can be realized easily within a semi-custom design methodology like a standard-cell design. Our standard cell implementation on a 0.6 µm CMOS process requires an area of only 0.108 mm^2 and has delay below 15 ns which equals a maximum clock frequency of 70 MHz. These results were achieved without applying any speed optimization techniques like pipelining.
@inproceedings{WOL_ASICAESSBOX_RSA02,
author = {Johannes Wolkerstorfer and Elisabeth Oswald and Mario Lamberger},
title = {An ASIC Implementation of the AES SBoxes},
booktitle = {Cryptographer's Track at the RSA Conference on Topics in Cryptology},
year = {2002},
isbn = {3-540-43224-8},
pages = {67--78},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {hardware crypto},
url = {http://www.springerlink.com/content/r6437m2yx03ky0xe/fulltext.pdf},
}
Lejla Batina, Siddika Berna Ors, Bart Preneel and Joos Vandewalle: "Hardware architectures for public key cryptography", 2003.
Abstract. This paper presents an overview of hardware implementations for the two commonly used types of public key cryptography, i.e. RSA and elliptic curve cryptography, both based on modular arithmetic. We first discuss the mathematical background and the algorithms to implement these cryptosystems. Next an overview is given of the different hardware architectures which have been proposed in the literature.
@article{BatinaOPV_PKCHW_VLSI03,
author = {Lejla Batina and Siddika Berna {\"{O}}rs and Bart Preneel and Joos Vandewalle},
title = {Hardware architectures for public key cryptography},
journal = {VLSI Journal, Integration},
volume = {34},
number = {1-2},
year = {2003},
issn = {0167-9260},
pages = {1--64},
publisher = {Elsevier Science Publishers B. V.},
address = {Amsterdam, The Netherlands},
www_section = {hardware crypto},
url = {http://www.cosic.esat.kuleuven.be/publications/article-31.pdf},
}
Roar Lien, Tim Grembowski and Kris Gaj: "A 1 Gbit/s partially unrolled architecture of hash functions SHA-1 and SHA-512", 2004.
Abstract. Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols, such as IPSec and SSL. In this paper, we investigate a new hardware architecture for a family of dedicated hash functions, including American standards SHA-1 and SHA-512. Our architecture is based on unrolling several message digest steps and executing them in one clock cycle. This modification permits implementing majority of dedicated hash functions with the throughput exceeding 1 Gbit/s using medium-size Xilinx Virtex FPGAs. In particular, our new architecture has enabled us to speed up the implementation of SHA-1 compared to the basic iterative architecture from 544 Mbit/s to 1 Gbit/s using Xilinx XCV1000. The implementation of SHA-512 has been sped up from 717 to 929 Mbit/s for Virtex FPGAs, and exceeded 1 Gbit/s for Virtex-E Xilinx FPGAs.
@inproceedings{LGG_SHA1G_RSA04,
author = {Roar Lien and Tim Grembowski and Kris Gaj},
title = {A 1 Gbit/s partially unrolled architecture of hash functions {SHA-1} and {SHA-512}},
booktitle = {Cryptographer's Track at the RSA Conference on Topics in Cryptology},
series = {LNCS},
volume = {2964},
year = {2004},
pages = {324--338},
www_section = {hardware crypto},
url = {http://www.springerlink.com/content/5uctcqgd1uk0qm3k/},
}
Luigi Dadda, Marco Macchetti and Jeff Owen: "The design of a high speed ASIC unit for the hash function SHA-256 (384, 512)", 2004.
Abstract. After recalling the basic algorithms published by NIST for implementing the hash functions SHA-256 (384, 512), a basic circuit characterized by a cascade of full adder arrays is given. Implementation options are discussed and two methods for improving speed are exposed: the delay balancing and the pipelining. An application of the former is first given, obtaining a circuit that reduces the length of the critical path by a full adder array. A pipelined version is then given, obtaining a reduction of two full adder arrays in the critical path. The two methods are afterwards combined and the results obtained through hardware synthesis are exposed, where a comparison between the new circuits is also given.
@inproceedings{DMO_SHAASIC_DATE04,
author = {Luigi Dadda and Marco Macchetti and Jeff Owen},
title = {The design of a high speed {ASIC} unit for the hash function {SHA-256} {(384, 512)}},
booktitle = {Design, Automation and Test in Europe},
month = {February},
year = {2004},
volume = {3},
isbn = {0-7695-2085-5-3},
pages = {70--75},
publisher = {IEEE Computer Society},
address = {Washington, DC, USA},
www_section = {hardware crypto},
url = {http://portal.acm.org/citation.cfm?id=968880.969266#},
}

misc

Saar Drimer, Steven J. Murdoch and Ross Anderson: "Thinking inside the box: system-level failures of tamper proofing", 2008.
Abstract. PIN entry devices (PEDs) are critical security components in EMV smartcard payment systems as they receive a customer's card and PIN. Their approval is subject to an extensive suite of evaluation and certification procedures. In this paper, we demonstrate that the tamper proofing of PEDs is unsatisfactory, as is the certification process. We have implemented practical low-cost attacks on two certified, widely-deployed PEDs - the Ingenico i3300 and the Dione Xtreme. By tapping inadequately protected smartcard communications, an attacker with basic technical skills can expose card details and PINs, leaving cardholders open to fraud. We analyze the anti-tampering mechanisms of the two PEDs and show that, while the specific protection measures mostly work as intended, critical vulnerabilities arise because of the poor integration of cryptographic, physical and procedural protection. As these vulnerabilities illustrate a systematic failure in the design process, we propose a methodology for doing it better in the future. These failures also demonstrate a serious problem with the Common Criteria. So we discuss the incentive structures of the certification process, and show how they can lead to problems of the kind we identified. Finally we recommend changes to the Common Criteria framework in light of the lessons learned.
@inproceedings{DrimerMA_TemperProofFail_OAKLAND08,
title = {Thinking inside the box: system-level failures of tamper proofing},
author = {Saar Drimer and Steven J. Murdoch and Ross Anderson},
booktitle = {IEEE Symposium on Security and Privacy},
pages = {281--295},
month = {May},
year = {2008},
www_section = {misc},
url = {http://www.cl.cam.ac.uk/~sd410/papers/ped_attacks.pdf},
}
Ian Kuon and Jonathan Rose: "Measuring the gap between FPGAs and ASICs", 2006.
Abstract. This paper presents experimental measurements of the differences between a 90nm CMOS FPGA and 90nm CMOS Standard Cell ASICs in terms of logic density, circuit speed and power consumption. We are motivated to make these measurements to enable system designers to make better informed choices between these two media and to give insight to FPGA makers on the deficiencies to attack and thereby improve FPGAs. In the paper, we describe the methodology by which the measurements were obtained and we show that, for circuits containing only combinational logic and flip-flops, the ratio of silicon area required to implement them in FPGAs and ASICs is on average 40. Modern FPGAs also contain "hard" blocks such as multiplier/accumulators and block memories and we find that these blocks reduce this average area gap significantly to as little as 21. The ratio of critical path delay, from FPGA to ASIC, is roughly 3 to 4, with less influence from block memory and hard multipliers. The dynamic power consumption ratio is approximately 12 times and, with hard blocks, this gap generally becomes smaller.
@inproceedings{KuonRose_FPGAASICGap_FPGA06,
author = {Ian Kuon and Jonathan Rose},
title = {Measuring the gap between {FPGAs} and {ASICs}},
booktitle = {Field Programmable Gate Arrays Symposium},
year = {2006},
isbn = {1-59593-292-5},
pages = {21--30},
location = {Monterey, California, USA},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {misc, FPGA},
url = {http://www.eecg.toronto.edu/~jayar/pubs/kuon/kuonfpga06.pdf},
}
Tom Kean: "DesignTag Brochure", 2007.
@manual{Kean_DesignTagBrochure_WEB07,
author = {Tom Kean},
title = {DesignTag Brochure},
organization = {Algotronix},
edition = {},
month = {January},
year = {2007},
key = {},
www_section = {misc, FPGA},
url = {http://www.algotronix.com/content/Algotronix%20DesignTag%20Brochure.pdf},
}
Ted Huffmire, Brett Brotherton, Gang Wang, Timothy Sherwood, Ryan Kastner, Timothy Levin, Thuy Nguyen and Cynthia Irvine: "Moats and drawbridges: an isolation primitive for reconfigurable hardware based systems", 2007.
Abstract. Blurring the line between software and hardware, reconfigurable devices strike a balance between the raw high speed of custom silicon and the post-fabrication flexibility of general-purpose processors. While this flexibility is a boon for embedded system developers, who can now rapidly prototype and deploy solutions with performance approaching custom designs, this results in a system development methodology where functionality is stitched together from a variety of soft IP cores, often provided by multiple vendors with different levels of trust. Unlike traditional software where resources are managed by an operating system, soft IP cores necessarily have very fine grain control over the underlying hardware. To address this problem, the embedded systems community requires novel security primitives which address the realities of modern reconfigurable hardware. We propose an isolation primitive, moats and drawbridges, that are built around four design properties: logical isolation, interconnect traceability, secure reconfigurable broadcast, and configuration scrubbing. Each of these is a fundamental operation with easily understood formal properties, yet maps cleanly and efficiently to a wide variety of reconfigurable devices. We carefully quantify the required overheads on real FPGAs and demonstrate the utility of our methods by applying them to the practical problem of memory protection.
@inproceedings{HuffmireBWSKLNI_MoatsDrawbridges_IEEESP07,
author = {Ted Huffmire and Brett Brotherton and Gang Wang and Timothy Sherwood and Ryan Kastner and Timothy Levin and Thuy Nguyen and Cynthia Irvine},
title = {Moats and drawbridges: an isolation primitive for reconfigurable hardware based systems},
booktitle = {IEEE Symposium on Security and Privacy},
year = {2007},
pages = {281--295},
www_section = {misc, FPGA},
url = {http://www.cs.ucsb.edu/~sherwood/pubs/IEEESP-moats.pdf},
}
Kevin D. Mitnick and William L. Simon: "The art of deception: Controlling the human element of security", 2002.
Abstract. A legendary hacker reveals how to guard against the gravest security risk of all: human nature.
@book{Mitnick_ArtOfDeception_BOOK02,
author = {Kevin D. Mitnick and William L. Simon},
title = {The art of deception: Controlling the human element of security},
year = {2002},
isbn = {0471237124},
publisher = {John Wiley \& Sons, Inc.},
address = {New York, NY, USA},
www_section = {misc},
url = {http://portal.acm.org/citation.cfm?id=861316},
}
"Intellectual Property Group of the Government's Creative Industries Task Force", 2007.
@manual{IPUK_WEB07,
title = {Intellectual Property Group of the Government's Creative Industries Task Force},
year = {2007},
www_section = {misc},
url = {http://www.ipo.gov.uk/ipportal.htm},
}
Jamil Khatib: "Open hardware design trend", 2004.
@manual{Khatib_OpenHardware_WEB04,
author = {Jamil Khatib},
title = {Open hardware design trend},
organization = {},
edition = {},
month = {January},
year = {2004},
key = {},
www_section = {misc, FPGA},
url = {http://www.opencores.org/articles.cgi/view/12},
}
Dan Boneh, Richard A. DeMillo and Richard J. Lipton: "On the importance of eliminating errors in cryptographic computations", 2001.
Abstract. We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black-box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat-Shamir identification is exposed after a small number (e.g. 10) of faulty executions of the protocol, and (4) the secret key used in Schnorr's identification protocol is exposed after a much larger number (e.g. 10,000) of faulty executions. Our estimates for the number of necessary faults are based on standard security parameters such as a 1024-bit modulus, and a 2^(-40) identification error probability. Our results demonstrate the importance of preventing errors in cryptographic computations. We conclude the paper with various methods for preventing these attacks.
@article{BonehDL_EliminatingErrors_JC01,
author = {Dan Boneh and Richard A. DeMillo and Richard J. Lipton},
title = {On the importance of eliminating errors in cryptographic computations},
journal = {Journal of Cryptology},
volume = {14},
number = {2},
year = {2001},
pages = {101--119},
www_section = {misc},
url = {http://www.springerlink.com/content/cljfg7u5n4bw312a/fulltext.pdf},
}
Eli Biham and Adi Shamir: "Differential fault analysis of secret key cryptosystems", 1997.
@inproceedings{BihamShamir_DiffFaultAnalysis_CRYPTO97,
author = {Eli Biham and Adi Shamir},
title = {Differential fault analysis of secret key cryptosystems},
booktitle = {Cryptology Conference on Advances in Cryptology},
year = {1997},
isbn = {3-540-63384-7},
pages = {513--525},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {misc},
url = {http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C97/513.PDF},
}
John Edwards: "No room for Second Place: Xilinx and Altera slug it out for supremacy in the changing PLD market", 2006.
@article{Edwards_PLDMarketshare_EDNMAG06,
author = {John Edwards},
title = {No room for Second Place: {Xilinx} and {Altera} slug it out for supremacy in the changing {PLD} market},
journal = {EDN Magazine},
month = {June},
year = {2006},
www_section = {misc, FPGA},
url = {http://www.edn.com/index.asp?layout=article&articleid=CA6339519},
}
Kevin Morris: "All is not SRAM - a survey of flash, antifuse, and EE programmable logic", 2004.
@article{Morris_FPGAJOUR04,
author = {Kevin Morris},
title = {All is not {SRAM} - a survey of flash, antifuse, and {EE} programmable logic},
journal = {FPGA and Programmable Logic Journal},
month = {February},
year = {2004},
www_section = {misc, FPGA},
url = {http://www.fpgajournal.com/articles/sram.htm},
}
"World Intellectual Property Organization", 2006.
@manual{WIPO,
title = {{World Intellectual Property Organization}},
month = {March},
year = {2006},
key = {},
www_section = {misc},
url = {http://www.wipo.int},
}
US Department of Defence Advisory Group on Electron Devices: "Special technology area review on commercial off-the-shelf electronic components", 1999.
Abstract. It is recognized that appropriate use of COTS electronics components during development of new systems and system upgrades is essential to reduce costs in order to stay within shrinking acquisition budgets, maintain technology currency as system life cycles shorten and balance the needs for high system performance with acceptable costs. However, it is also unequivocally clear that, although COTS usage will continue to expand, the need for military unique components to maintain war fighter superiority will not disappear. There is and will continue to be a need for the DoD to invest in electronics R&D. The benefits of this investment are clear and compelling.
@manual{COTS99,
author = {},
title = {Special technology area review on commercial off-the-shelf electronic components},
organization = {US Department of Defence Advisory Group on Electron Devices},
edition = {},
month = {June},
year = {1999},
key = {},
www_section = {misc},
url = {http://handle.dtic.mil/100.2/ADA445319},
}
Viktor Fischer and Milos Drutarovsky: "True random number generator embedded in reconfigurable hardware", 2002.
Abstract. This paper presents a new True Random Number Generator (TRNG) based on an analog Phase-Locked Loop (PLL) implemented in a digital Altera Field Programmable Logic Device (FPLD). Starting with an analysis of the one available on chip source of randomness - the PLL synthesized low jitter clock signal, a new simple and reliable method of true randomness extraction is proposed. Basic assumptions about statistical properties of jitter signal are confirmed by testing of mean value of the TRNG output signal. The quality of generated true random numbers is confirmed by passing standard NIST statistical tests. The described TRNG is tailored for embedded System-On-a-Programmable-Chip (SOPC) cryptographic applications and can provide a good quality true random bit-stream with throughput of several tens of kilobits per second. The possibility of including the proposed TRNG into a SOPC design significantly increases the system security of embedded cryptographic hardware.
@inproceedings{FischerDrutarovsky_ReconfigHWTRNG_CHES02,
author = {Viktor Fischer and Milos Drutarovsk{\'{y}}},
title = {True random number generator embedded in reconfigurable hardware},
booktitle = {Cryptographic Hardware and Embedded Systems Workshop},
year = {2002},
series = {LNCS},
volume = {2523},
isbn = {3-540-00409-2},
pages = {415--430},
publisher = {Springer-Verlag},
address = {Berlin/Heidelberg, Germany},
www_section = {misc, FPGA},
url = {http://www.springerlink.com/content/00veem7fjd2ejaqj/fulltext.pdf},
}
Paul Kohlbrenner and Kris Gaj: "An embedded true random number generator for FPGAs", 2004.
Abstract. Field Programmable Gate Arrays (FPGAs) are an increasingly popular choice of platform for the implementation of cryptographic systems. Until recently, designers using FPGAs had less than optimal choices for a source of truly random bits. In this paper we extend a technique that uses on-chip jitter and PLLs to a much larger class of FPGAs that do not contain PLLs. Our design uses only the Configurable Logic Blocks (CLBs) common to all FPGAs, and has a self-testing capability. Using the intrinsic jitter contained in digital circuits, we produce random bits at speeds of up to 0.5 Mbits/second with good statistical characteristics. We discuss the engineering challenges of extracting random bits from digital circuits, and we report the results of running standard statistical tests (NIST) on the output generated by our system.
@inproceedings{KohlbrennerGaj_EmbeddedTRNG_FPGA04,
author = {Paul Kohlbrenner and Kris Gaj},
title = {An embedded true random number generator for {FPGAs}},
booktitle = {Field Programmable Gate Arrays Symposium},
year = {2004},
isbn = {1-58113-829-6},
pages = {71--78},
location = {Monterey, California, USA},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {misc, FPGA},
url = {http://portal.acm.org/citation.cfm?id=968292},
}
Ilija Hadzic and Jonathan M. Smith: "Balancing performance and flexibility with hardware support for network architectures", 2003.
Abstract. The goals of performance and flexibility are often at odds in the design of network systems. The tension is common enough to justify an architectural solution, rather than a set of context-specific solutions. The Programmable Protocol Processing Pipeline (P4) design uses programmable hardware to selectively accelerate protocol processing functions. A set of field-programmable gate arrays (FPGAs) and an associated library of network processing modules implemented in hardware are augmented with software support for function selection and composition, and applied to processing-intensive portions of a user-programmable protocol stack. The system is sufficiently flexible to support protocol stacks that are dynamically altered in reaction to changing network conditions or user needs. The P4 can be transparently inserted into a conventional protocol architecture, such as that of TCP/IP. This experimental demonstration shows that the P4's programmability can be used to significantly improve the performance of TCP/IP under operating conditions where the protocol would perform poorly without augmentation. Generalizing from these experiments, the P4 is shown to have many applications as an open platform for implementing adaptive and programmable networks, and has illustrated new security issues that arise in FPGA-based architectures. The P4 and closely-related systems, such as network processors, are attractive architectural solutions to balancing performance and flexibility.
@article{HadzicSmith_FPGANetwork_ACM03,
author = {Ilija Had{\v{z}}i{\'{c}} and Jonathan M. Smith},
title = {Balancing performance and flexibility with hardware support for network architectures},
journal = {ACM Transactions on Computer Systems},
volume = {21},
number = {4},
year = {2003},
issn = {0734-2071},
pages = {375--411},
publisher = {ACM},
address = {New York, NY, USA},
www_section = {misc, FPGA},
url = {http://portal.acm.org/citation.cfm?doid=945506.945508},
}
Ilija Hadzic, Sanjay Udani and Jonathan M. Smith: "FPGA viruses", 1999.
Abstract. Programmable logic is widely used, for applications ranging from field-upgradable subsystems to advanced uses such as reconfigurable computing platforms. Users can thus implement algorithms which are largely executed by a general-purpose CPU, but may be selectively accelerated with special purpose hardware. In this paper, we show that programmable logic devices unfortunately open another avenue for malicious users to implement the hardware analogue of a computer virus.
We begin with an outline of the general properties of FPGAs that create risks. We then explain how to exploit these risks, and demonstrate through experiments that they are exploitable even in the absence of detailed layout information. We prove our point by demonstrating the first known FPGA virus and its effect on the current absorbed by the device, namely that the device is destroyed. We close by outlining possible methods of defense and point out the similarities and differences between FPGA and software viruses.
@inproceedings{HadzicUS_FPGAViruses_FPL99,
author = {Ilija Had{\v{z}}i{\'{c}} and Sanjay Udani and Jonathan M. Smith},
title = {{FPGA} viruses},
booktitle = {Field Programmable Logic and Applications},
year = {1999},
series = {LNCS},
volume = {1673},
isbn = {3-540-66457-2},
pages = {291--300},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {misc, FPGA},
url = {http://www.springerlink.com/content/9wnbm5eqgpjvlcug/BodyRef/PDF/558_10705539_Chapter_30.pdf},
}
Saar Drimer and Steven J. Murdoch: "Keep your enemies close: distance bounding against smartcard relay attacks", 2007.
Abstract. Modern smartcards, capable of sophisticated cryptography, provide a high assurance of tamper resistance and are thus commonly used in payment applications. Although extracting secrets out of smartcards requires resources beyond the means of many would-be thieves, the manner in which they are used can be exploited for fraud. Cardholders authorize financial transactions by presenting the card and disclosing a PIN to a terminal without any assurance as to the amount being charged or who is to be paid, and have no means of discerning whether the terminal is authentic or not. Even the most advanced smartcards cannot protect customers from being defrauded by the simple relaying of data from one location to another. We describe the development of such an attack, and show results from live experiments on the UK's EMV implementation, Chip & PIN. We discuss previously proposed defences, and show that these cannot provide the required security assurances. A new defence based on a distance bounding protocol is described and implemented, which requires only modest alterations to current hardware and software. As far as we are aware, this is the first complete design and implementation of a secure distance bounding protocol. Future smartcard generations could use this design to provide cost-effective resistance to relay attacks, which are a genuine threat to deployed applications. We also discuss the security-economics impact to customers of enhanced authentication mechanisms.
@inproceedings{DrimerMurdoch_SmartCardDisbo_USENIX07,
author = {Saar Drimer and Steven J. Murdoch},
title = {Keep your enemies close: distance bounding against smartcard relay attacks},
booktitle = {USENIX Security Symposium},
pages = {87--102},
month = {August},
year = {2007},
www_section = {misc, FPGA},
url = {http://www.cl.cam.ac.uk/~sd410/papers/sc_relay.pdf},
}
Gerhard P. Hancke and Markus G. Kuhn: "An RFID distance bounding protocol", 2005.
Abstract. Radio-frequency identification tokens, such as contactless smartcards, are vulnerable to relay attacks if they are used for proximity authentication. Attackers can circumvent the limited range of the radio channel using transponders that forward exchanged signals over larger distances. Cryptographic distance-bounding protocols that measure accurately the round-trip delay of the radio signal provide a possible countermeasure. They infer an upper bound for the distance between the reader and the token from the fact that no information can propagate faster than at the speed of light. We propose a new distance-bounding protocol based on ultra-wideband pulse communication. Aimed at being implementable using only simple, asynchronous, low-power hardware in the token, it is particularly well suited for use in passive low-cost tokens, noisy environments and high-speed applications.
@inproceedings{HanckeKuhn_RFIDDisbo_SECURECOMM05,
author = {Gerhard P. Hancke and Markus G. Kuhn},
title = {An {RFID} distance bounding protocol},
booktitle = {Security and Privacy for Emerging Areas in Communications Networks},
year = {2005},
isbn = {0-7695-2369-2},
pages = {67--73},
publisher = {IEEE Computer Society},
address = {Washington, DC, USA},
www_section = {misc},
url = {http://www.cl.cam.ac.uk/~gh275/distance.pdf},
}
Bryan H. Fletcher: "S3A1800DSP: serial Flash bitstream update over Ethernet", 2008.
Abstract. This design utilizes MultiBoot in an application that updates the configuration memory remotely over ethernet. The Xilinx MicroBlaze™ soft processor core runs at 62.5 MHz on the Xilinx Spartan-3A DSP 1800A Platform (3SD1800AP). The 3SD1800AP is designed with Micron DDR2 SDRAM and Intel serial Flash to give MicroBlaze access to memory and non-volatile storage, as well as a National PHY for networking.
@manual{Fletcher_AvnetRemoteUpdate_WEB08,
author = {Bryan H. Fletcher},
title = {{S3A1800DSP}: serial {Flash} bitstream update over {Ethernet}},
organization = {{Avnet, Inc.}},
edition = {},
month = {February},
year = {2008},
key = {},
www_section = {misc, FPGA},
url = {http://www.avnet.com},
}
Dick James: "2004 -- The year of 90-nm: A review of 90 nm devices", 2005.
Abstract. The year 2004 saw the introduction of the first 90-nm process node devices into the marketplace. This node is notable not only for the expected reduction in feature sizes, but also for the more general adoption of low-k dielectric layers, and the first use of nickel silicide and strained silicon. Chipworks, as a supplier of competitive intelligence to the semiconductor and electronics industries, monitors the evolution of chip processes as they come into commercial production. Chipworks has obtained parts from leading edge manufacturers, and performed structural analyses to examine the features and manufacturing processes of the devices. The paper shows how ``90nm'' has been interpreted by various vendors, details the physical transistor structures we have analyzed, and comments on the introduction of strain into CMOS processing.
@inproceedings{CHIPWORKS_ASMC05,
author = {Dick James},
title = {2004 -- The year of 90-{nm}: A review of 90 {nm} devices},
booktitle = {IEEE/SEMI Advanced Semiconductor Manufacturing Conference},
year = {2005},
www_section = {misc, FPGA},
url = {http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1438770},
}
Arnaud Lagger, Andres Upegui and Eduardo Sanchez: "Self-reconfigurable pervasive platform for cryptographic application", 2006.
Abstract. The complexity exhibited by pervasive systems is constantly increasing. Customer electronics devices provide day to day a larger amount of functionalities. A common approach for guaranteeing high performance is to include specialized coprocessor units. However, these systems lack flexibility, since one must define, in advance, the coprocessor functionality. A solution to this problem is to use run-time reconfigurable coprocessors, exploiting the advantages of hardware while keeping a flexible platform. In this paper, we describe a self-reconfigurable pervasive platform containing a dynamically reconfigurable cryptographic coprocessor. As case-study, we consider three ciphering algorithms and we compare the performance of the coprocessor against a full-software implementation. The number of ciphering algorithms can be infinitely extended using a remote server.
@inproceedings{LaggerUS_SelfReconfig_FPL06,
author = {Arnaud Lagger and Andres Upegui and Eduardo Sanchez},
title = {Self-reconfigurable pervasive platform for cryptographic application},
booktitle = {Field Programmable Logic and Applications},
year = {2006},
month = {August},
isbn = {},
pages = {},
location = {Madrid, Spain},
publisher = {},
address = {},
www_section = {misc},
url = {http://lslwww.epfl.ch/~upegui/docs/FPL06.pdf},
}
United States Department of Defense: "High performance microchip supply", 2005.
Abstract. (partial) The microelectronics industry, supplier of hardware capability that underlies much of America's modern military leadership technology, is well into a profound restructuring leading to horizontal consolidation replacing the past vertically integrated company structure. One unintended result of this otherwise sound industry change is the relocation of critical microelectronics manufacturing capabilities from the United States to countries with lower cost capital and operating environments. Trustworthiness and supply assurance for components used in critical military and infrastructure applications are casualties of this migration. Further, while not the focus of this study per se, the U.S. national technological leadership may be increasingly challenged by these changing industry dynamics; this poses long term national economic security concerns.
@manual{USDOD_MicrochipSupply_05,
author = {},
title = {High performance microchip supply},
organization = {United States Department of Defense},
edition = {},
month = {February},
year = {2005},
key = {},
www_section = {misc},
url = {http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf},
}
contract National Aeronautics and Space Administration: "Aerospace science and technology dictionary", 2006.
@manual{NASA_SEUDEF,
title = {Aerospace science and technology dictionary},
organization = {National Aeronautics and Space Administration},
year = {2006},
www_section = {misc},
url = {http://www.hq.nasa.gov/office/hqlibrary/aerospacedictionary/},
}
contract Katherine Compton and Scott Hauck: "Reconfigurable computing: a survey of systems and software", 2002.
Abstract. Due to its potential to greatly accelerate a wide variety of applications, reconfigurable computing has become a subject of a great deal of research. Its key feature is the ability to perform computations in hardware to increase performance, while retaining much of the flexibility of a software solution. In this survey, we explore the hardware aspects of configurable computing machines, from single chip architectures to multi-chip systems, including internal structures and external coupling. We also focus on the software that targets these machines, such as compilation tools that map high-level algorithms directly to the reconfigurable substrate. Finally, we consider the issues involved in run-time reconfigurable systems, which reuse the configurable hardware during program execution.
@article{ComptonHauck_ConfigCompSurvey_ACM02,
author = {Katherine Compton and Scott Hauck},
title = {Reconfigurable computing: a survey of systems and software},
journal = {ACM Computing Surveys},
volume = {34},
number = {2},
month = {June},
year = {2002},
issn = {0360-0300},
pages = {171--210},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {misc, FPGA},
url = {http://www.ee.washington.edu/faculty/hauck/publications/ConfigCompute.pdf},
}
contract Martin Stigge, Henryk Plotz, Wolf Muller and Jens-Peter Redlich: "Reversing CRC -- theory and practice", 2006.
Abstract. The Cyclic Redundancy Check (CRC) was developed as a checksum algorithm for the detection of data corruption in the process of data transmission or storage. However, in some scenarios there's a CRC given which a set of data is expected to have, so the data itself has to be modified (at the end or at some chosen position) in a way that it computes to the given CRC checksum afterwards. We present methods providing solutions to this problem. Each algorithm is explained in theory and accompanied by an implementation for the CRC32 in the C programming language.
@techreport{StiggePMR_ReversingCRC_TR06,
author = {Martin Stigge and Henryk Pl{\"{o}}tz and Wolf M{\"{u}}ller and Jens-Peter Redlich},
title = {Reversing {CRC} -- theory and practice},
institution = {Humboldt University Berlin},
number = {SAR-PR-2006-05},
year = {2006},
month = {May},
www_section = {misc},
url = {http://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2006-05/SAR-PR-2006-05.pdf},
}
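The technique the Stigge et al. abstract describes, as an added worked example in Python (this is not code from the report, which gives its implementations in C): given a message, a target CRC-32 and a chosen position, compute the four bytes that make the whole message check to the target. It generalizes the end-of-message case to a patch at an arbitrary offset by first undoing the CRC steps of the known suffix. The header, trailer and target value are constructed for illustration. The table and the reverse table are built inline for the reflected IEEE polynomial 0xEDB88320 (the one zlib, PNG and Ethernet use); the reverse table relies on the fact that, for that polynomial, the 256 table entries have distinct high bytes.

```python
"""Forge a CRC-32: pick four bytes at a chosen offset so that the whole
message checks to any target value (the 'reversing CRC' technique)."""
import zlib

POLY = 0xEDB88320  # reflected IEEE 802.3 polynomial, as used by zlib

TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# Reverse table: high byte of a table entry -> its index. For the CRC-32
# polynomial the 256 high bytes are all distinct, which is what makes one
# register step invertible a byte at a time.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def crc_register(data: bytes, reg: int = 0xFFFFFFFF) -> int:
    """Run the CRC-32 shift register over data, starting from reg."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data: bytes) -> int:
    """Standard CRC-32 (init and final XOR 0xFFFFFFFF); equals zlib.crc32."""
    return crc_register(data) ^ 0xFFFFFFFF


def unstep(reg: int, b: int) -> int:
    """Invert one register step, given the byte that was processed."""
    idx = REV[reg >> 24]
    return ((reg ^ TABLE[idx]) << 8) | (idx ^ b)


def forge_patch(prefix: bytes, target: int, suffix: bytes = b"") -> bytes:
    """Return 4 bytes p such that crc32(prefix + p + suffix) == target."""
    # Register value needed right after the patch: start from the register
    # state the target CRC corresponds to and undo the known suffix bytes.
    want = target ^ 0xFFFFFFFF
    for b in reversed(suffix):
        want = unstep(want, b)

    # Backward pass over the four unknown bytes. Each step needs only the
    # high byte of the (partially known) register to fix the table index.
    idx = [0] * 4
    v = want
    for i in range(3, -1, -1):
        idx[i] = REV[v >> 24]
        v = ((v ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF

    # Forward pass from the real register after the prefix yields the bytes.
    reg = crc_register(prefix)
    patch = bytearray()
    for i in range(4):
        patch.append(idx[i] ^ (reg & 0xFF))
        reg = TABLE[idx[i]] ^ (reg >> 8)
    return bytes(patch)


def forge_message(prefix: bytes, target: int, suffix: bytes = b"") -> bytes:
    """Build the full message and cross-check it against zlib before returning."""
    msg = prefix + forge_patch(prefix, target, suffix) + suffix
    assert crc32(msg) == target == zlib.crc32(msg)
    return msg


if __name__ == "__main__":
    # Constructed example: a header whose CRC must be made to match the value
    # an integrity check expects, with the four patch bytes placed before the trailer.
    header, trailer = b"design=top.bit;rev=7;", b";end"
    print(forge_message(header, 0xDEADBEEF, trailer).hex())
```

The practical point for the FPGA context is that a CRC on a bitstream or frame (the kind used for configuration error detection) only catches accidental corruption; anyone who can write the data can also make it check. Deliberate modification is detected only by a keyed MAC such as HMAC or CMAC, or by a signature.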
contract John H. Conway: "On numbers and games", 1976.
@book{Conway_OnNumbersAndGames_BOOK76,
author = {John H. Conway},
title = {On numbers and games},
publisher = {Academic Press},
year = {1976},
www_section = {misc},
url = {},
}
contract Gerhard P. Hancke: "A practical relay attack on ISO 14443 proximity cards", 2005.
Abstract. Contactless smart cards are used in access control and payment systems. This paper illustrates an attack which effectively allows an attacker to ``borrow'' the victim's card for a short period without requiring physical access to the victim's card. As a result the legitimate owner will remain unaware of the attack. We show that our hardware successfully executed a relay attack against an ISO 14443A contactless smart card, up to a distance of 50 m. Simply relaying information between the card and reader over a longer distance does not require the same technical resources from the attacker as hardware tampering or cryptanalysis. This attack is therefore a feasible method for circumventing current security protocols with little effort. Since application-level measures fail to protect against relay attacks, we discuss possible solutions involving characteristics of the physical communication medium.
@misc{Hancke_RelayProximityCards_WEB05,
author = {Gerhard P. Hancke},
title = {A practical relay attack on {ISO} 14443 proximity cards},
year = {2005},
url = {http://www.cl.cam.ac.uk/~gh275/relay.pdf},
www_section = {misc},
}
contract Ken Thompson: "Reflections on trusting trust", 1984.
@article{Thompson_TrustingTrust_ACM84,
author = {Ken Thompson},
title = {Reflections on trusting trust},
journal = {Communications of the ACM},
volume = {27},
number = {8},
year = {1984},
issn = {0001-0782},
pages = {761--763},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {misc},
url = {http://www.cs.washington.edu/education/courses/cse590s/02sp/Reflections.pdf},
}
contract Javier Castillo, Pablo Huerta, Victor Lopez and Jose Ignacio Martinez: "A secure self-reconfiguring architecture based on open-source hardware", 2005.
Abstract. With the new and powerful Field Programmable Gate Array (FPGA) families, new possibilities have been opened. One of these features is the possibility of reconfiguring a section of the FPGA while the rest is working. Moreover, this fixed part could be responsible for reprogramming the reconfigurable part, either because a change in functionality is required or because a new version of the hardware needs to be implemented. This paper shows how an FPGA system based on an Open Source OpenRISC 1200 microprocessor takes advantage of this feature to perform the Secure Download of the firmware and the hardware needed to run an application. In this particular case a Reed-Solomon Encoder and a Cryptographic application were used to demonstrate the viability of the scheme.
@article{CastilloHLM_SecureSelfReconfigOpenHW_RECONFIG05,
author = {Javier Castillo and Pablo Huerta and Victor L{\'{o}}pez and Jos{\'{e}} Ignacio Mart{\'{i}}nez},
title = {A secure self-reconfiguring architecture based on open-source hardware},
journal = {Reconfigurable Computing and FPGAs},
volume = {0},
year = {2005},
isbn = {0-7695-2456-7},
pages = {10--16},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
www_section = {misc, FPGA},
url = {http://www.escet.urjc.es/~jcastillo/castilloj_selfreconf.pdf},
}
contract "Chipworks"
@manual{CHIPWORKS,
title = {Chipworks},
www_section = {misc},
url = {http://www.chipworks.com/},
}
contract In-Stat: "FPGA market will reach $2.75 billion by decade's end", 2006.
@manual{Instat_FPGAMarketshare_WEB06,
author = {{In-Stat}},
title = {{FPGA} market will reach \$2.75 billion by decade's end},
month = {April},
year = {2006},
www_section = {misc},
url = {http://www.instat.com/press.asp?Sku=IN0603187SI&ID=1674},
}
contract Virtual Socket Interface Alliance: "SoC standards leader VSI Alliance announces plans to close operations", 2007.
@misc{VSIA_Closed_WEB07,
author = {{Virtual Socket Interface Alliance}},
title = {{SoC} standards leader {VSI Alliance} announces plans to close operations},
month = {July},
year = {2007},
www_section = {misc},
url = {http://www.vsia.org/news/vsia_plans_to_close.htm},
}

crypto algo.

contract Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas and Jesse Walker: "The Skein hash function family (version 1.1)", 2008.
@manual{FergusonLSWBKCW_Skein_08,
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},
title = {The {Skein} hash function family (version 1.1)},
organization = {},
edition = {},
month = {November},
year = {2008},
key = {},
www_section = {crypto algo.},
url = {http://www.skein-hash.info/sites/default/files/skein1.1.pdf},
}
contract Joan Daemen and Vincent Rijmen: "AES proposal: Rijndael", 1999.
@manual{DaemenRijmen_AESProposal_99,
author = {Joan Daemen and Vincent Rijmen},
title = {{AES} proposal: {Rijndael}},
organization = {},
edition = {},
month = {September},
year = {1999},
key = {},
www_section = {crypto algo.},
url = {http://www.daimi.au.dk/~ivan/rijndael.pdf},
}
contract Phillip Rogaway, Mihir Bellare and John Black: "OCB: A block-cipher mode of operation for efficient authenticated encryption", 2003.
Abstract. We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0, 1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Charanjit Jutla. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap key setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
@article{OCB_RBB_INFOSEC03,
author = {Phillip Rogaway and Mihir Bellare and John Black},
title = {OCB: A block-cipher mode of operation for efficient authenticated encryption},
journal = {ACM Transactions on Information and System Security},
volume = {6},
number = {3},
year = {2003},
issn = {1094-9224},
pages = {365--403},
publisher = {ACM Press},
address = {New York, NY, USA},
www_section = {crypto algo.},
url = {http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-full.pdf},
}
contract Tadayoshi Kohno, John Viega and Doug Whiting: "CWC: A high-performance conventional authenticated encryption mode", 2004.
Abstract. We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.
@inproceedings{CWC_KVW_FSE04,
author = {Tadayoshi Kohno and John Viega and Doug Whiting},
title = {{CWC}: A high-performance conventional authenticated encryption mode},
booktitle = {Fast Software Encryption},
series = {LNCS},
volume = {3017},
year = {2004},
pages = {408--426},
www_section = {crypto algo.},
url = {http://eprint.iacr.org/2003/106.pdf},
}
contract Virgil D. Gligor and Pompiliu Donescu: "Fast encryption and authentication: XCBC encryption and XECB authentication modes", 2002.
Abstract. We present the eXtended Ciphertext Block Chaining (XCBC) and the eXtended Electronic Codebook (XECB) encryption schemes or modes of encryption that can detect encrypted-message forgeries with high probability even when used with typical non-cryptographic Manipulation Detection Code (MDC) functions (e.g., bitwise exclusive-or and cyclic redundancy code (CRC) functions). These modes detect encrypted-message forgeries at low cost in performance, power, and implementation, and preserve both message secrecy and integrity in a single pass over the message data. Their performance and security scale directly with those of the underlying block cipher function. We also present the XECB message authentication (XECB-MAC) modes that have all the operational properties of the XOR-MAC modes (e.g., fully parallel and pipelined operation, incremental updates, and out-of-order verification), and have better performance. They are intended for use either stand-alone or with encryption modes that have similar properties (e.g., counter-based XOR encryption). However, the XECB-MAC modes have higher upper bounds on the probability of adversary's success in producing a forgery than the XOR-MAC modes.
@inproceedings{XEBC_GD_SFE01,
author = {Virgil D. Gligor and Pompiliu Donescu},
title = {Fast encryption and authentication: {XCBC} encryption and {XECB} authentication modes},
booktitle = {Fast Software Encryption},
year = {2002},
series = {LNCS},
volume = {2355},
isbn = {3-540-43869-6},
pages = {92--108},
publisher = {Springer-Verlag},
address = {London, UK},
www_section = {crypto algo.},
url = {http://www.springerlink.com/content/ghn46c42g1kljduc/},
}
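The XCBC/XECB abstract is about obtaining forgery detection from a cheap, non-cryptographic MDC such as a CRC. To make concrete why that requires a carefully designed mode rather than the obvious construction, here is an added example (not code from the paper, and not XCBC itself) of the naive scheme a mode like XCBC is meant to replace: a CTR-style stream cipher over message || CRC-32. Because CRC-32 is affine over GF(2), crc(M ⊕ D) = crc(M) ⊕ crc(D) ⊕ crc(0^len) for equal-length inputs, so an attacker who knows only a plaintext difference D can patch the encrypted trailer without the key. The toy keystream (SHA-256 over key, nonce and counter, standing in for a block cipher in counter mode), the key, the nonce and the messages are all constructed for the example.

```python
"""Why CRC-under-a-stream-cipher is not a MAC: forge an encrypted message
without the key by exploiting the linearity of CRC-32."""
import hashlib
import zlib


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-mode keystream: SHA-256(key || nonce || counter) blocks.
    Stands in for a block cipher in counter mode; not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_crc(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Naive 'authenticated' encryption: CTR over (msg || CRC-32(msg))."""
    tagged = msg + zlib.crc32(msg).to_bytes(4, "big")
    return xor_bytes(tagged, keystream(key, nonce, len(tagged)))


def decrypt_and_check(key: bytes, nonce: bytes, ct: bytes):
    """Return the message if its CRC trailer verifies, else None."""
    pt = xor_bytes(ct, keystream(key, nonce, len(ct)))
    msg, tag = pt[:-4], pt[-4:]
    return msg if zlib.crc32(msg) == int.from_bytes(tag, "big") else None


def forge_ciphertext(ct: bytes, delta: bytes) -> bytes:
    """Attacker side: no key, only the ciphertext and the plaintext change
    (delta) to apply. CRC-32 is affine, crc(M ^ D) = crc(M) ^ crc(D) ^ crc(0..0),
    so the correction to the encrypted trailer follows from delta alone."""
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole message")
    tag_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return xor_bytes(ct, delta + tag_fix.to_bytes(4, "big"))


def demo():
    """Constructed sample values; real keys and nonces must be random and unique."""
    key, nonce = b"\x11" * 16, b"\x22" * 8
    original = b"amount=0100;dst=alice"
    wanted = b"amount=9900;dst=alice"
    ct = encrypt_with_crc(key, nonce, original)
    forged = forge_ciphertext(ct, xor_bytes(original, wanted))
    # Both ciphertexts pass the receiver's CRC check; only the first is genuine.
    return decrypt_and_check(key, nonce, ct), decrypt_and_check(key, nonce, forged)


if __name__ == "__main__":
    print(demo())
```

The same weakness applies to any linear checksum under any XOR-based encryption (stream ciphers, CTR, OFB); it is the reason authenticated-encryption modes such as CCM, GCM and OCB, or a separate MAC, are used instead of an encrypted CRC.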
contract Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu: "Finding collisions in the full SHA-1", 2005.
Abstract. In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2^69 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2^80 theoretical bound.
@inproceedings{WangYY_SHA1Collisions_CRYPTO05,
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},
title = {Finding collisions in the full {SHA-1}},
booktitle = {Advances in Cryptology -- {CRYPTO} 2005},
series = {LNCS},
volume = {3621},
year = {2005},
pages = {17--36},
www_section = {crypto algo.},
url = {http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf},
}
contract Mihir Bellare, Joe Kilian and Phillip Rogaway: "The security of the cipher block chaining message authentication code", 2000.
@article{BKR_CBCMACSEC00,
author = {Mihir Bellare and Joe Kilian and Phillip Rogaway},
title = {The security of the cipher block chaining message authentication code},
journal = {Journal of Computer and System Sciences},
volume = {61},
number = {3},
year = {2000},
issn = {0022-0000},
pages = {362--399},
publisher = {Academic Press, Inc.},
address = {Orlando, FL, USA},
www_section = {crypto algo.},
url = {http://www.cs.ucdavis.edu/research/tech-reports/1997/CSE-97-15.pdf},
}

NIST

contract National Institute of Standards and Technology, U.S. Department of Commerce: "FIPS 46: Data encryption standard", 1977.
@manual{DES_FIPS47,
author = {},
title = {{FIPS} 46: Data encryption standard},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {January},
year = {1977},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf},
}
contract National Institute of Standards and Technology, U.S. Department of Commerce: "FIPS 140-2: Security requirements for cryptographic modules", 2001.
@manual{NIST_FIPS140-2_SecurityModules_02,
author = {},
title = {{FIPS} 140-2: Security requirements for cryptographic modules},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {{December} 2002},
month = {May},
year = {2001},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf},
}
contract National Institute of Standards and Technology, U.S. Department of Commerce: "FIPS 140-3 (DRAFT): Security requirements for cryptographic modules", 2007.
@manual{NIST_FIPS140-3_SecurityModules_07,
author = {},
title = {{FIPS 140-3 (DRAFT)}: Security requirements for cryptographic modules},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {July},
year = {2007},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/fips/fips140-3/fips1403Draft.pdf},
}
contract National Institute of Standards and Technology, U.S. Department of Commerce: "FIPS 180-3: Secure hash standard", 2008.
@manual{NIST_FIPF180_3_SHA,
author = {},
title = {{FIPS} 180-3: Secure hash standard},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {October},
year = {2008},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf},
}
contract National Institute of Standards and Technology, U.S. Department of Commerce: "FIPS 197: Advanced encryption standard", 2001.
@manual{AES_FIPS197,
author = {},
title = {{FIPS} 197: Advanced encryption standard},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {November},
year = {2001},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf},
}
contract National Institute of Standards and Technology, U.S. Department of Commerce: "FIPS 198: The keyed-hash message authentication code (HMAC)", 2002.
Abstract. This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative Approved cryptographic hash function, in combination with a shared secret key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. The HMAC specification in this standard is a generalization of Internet RFC 2104, HMAC, Keyed-Hashing for Message Authentication, and ANSI X9.71, Keyed Hash Message Authentication Code.
@manual{NIST_FIPS198_HMAC,
author = {},
title = {{FIPS} 198: The keyed-hash message authentication code (HMAC)},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {March},
year = {2002},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf},
}
contract Morris Dworkin: "Special Publication 800-38A: Recommendation for block cipher modes of operation", 2001.
Abstract. This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.
@manual{MODES_NISTPUB_800_38A,
author = {Morris Dworkin},
title = {Special Publication 800-38A: Recommendation for block cipher modes of operation},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {December},
year = {2001},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf},
}
contract Morris Dworkin: "Special Publication 800-38B: Recommendation for block cipher modes of operation: The CMAC mode for authentication", 2005.
Abstract. This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data.
@manual{CMAC_NISTPUB_800_38B,
author = {Morris Dworkin},
title = {Special Publication 800-38B: Recommendation for block cipher modes of operation: The {CMAC} mode for authentication},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {May},
year = {2005},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf},
}
contract Morris Dworkin: "Special Publication 800-38C: Recommendation for block cipher modes of operation: the CCM mode for authentication and confidentiality", 2005.
Abstract. This Recommendation defines a mode of operation, called CCM, for a symmetric key block cipher algorithm. CCM may be used to provide assurance of the confidentiality and the authenticity of computer data by combining the techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm.
@manual{CCM_NISTPUB_800_38C,
author = {Morris Dworkin},
title = {Special Publication 800-38C: Recommendation for block cipher modes of operation: the {CCM} mode for authentication and confidentiality},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {May},
year = {2005},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf},
}
contract Morris Dworkin: "Special Publication 800-38D: Recommendation for block cipher modes of operation: Galois/Counter mode (GCM) and GMAC", 2007.
Abstract. This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.
@manual{GCM_NISTPUB_800_38D,
author = {Morris Dworkin},
title = {Special Publication 800-38D: Recommendation for block cipher modes of operation: {Galois/Counter} mode (GCM) and {GMAC}},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {November},
year = {2007},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf},
}
contract Elaine Barker, Don Johnson and Miles Smid: "Special Publication 800-56A: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography", 2007.
Abstract. This Recommendation specifies key establishment schemes using discrete logarithm cryptography, based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography).
@manual{KEYESTABLMNT_FIPS800_56A,
author = {Elaine Barker and Don Johnson and Miles Smid},
title = {Special Publication 800-56A: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {March},
year = {2007},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf},
}
contract Elaine Barker, William Barker, William Burr, William Polk and Miles Smid: "Special Publication 800-57: Recommendation for key management--part 1: General (revised)", 2006.
Abstract. This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
@manual{KEYMNGMNT1_FIPS800_57,
author = {Elaine Barker and William Barker and William Burr and William Polk and Miles Smid},
title = {Special Publication 800-57: Recommendation for key management--part 1: General (revised)},
organization = {National Institute of Standards and Technology, U.S. Department of Commerce},
edition = {},
month = {May},
year = {2006},
key = {},
www_section = {NIST},
url = {http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf},
}

Actel

contract Actel Corp.: "ProASIC3 flash family FPGAs", 2006.
@manual{PROASIC3_DATASHEET,
author = {{Actel Corp.}},
title = {{ProASIC3} flash family {FPGAs}},
organization = {},
edition = {},
month = {April},
year = {2006},
key = {},
www_section = {Actel},
url = {http://www.actel.com/documents/PA3_DS.pdf},
}
contract Actel Corp.: "Application note: Introduction to security in ProASIC3/E", 2005.
@manual{ACTEL_PROASIC_SEC,
author = {},
title = {Application note: Introduction to security in {ProASIC3/E}},
organization = {Actel Corp.},
edition = {},
month = {January},
year = {2005},
key = {},
www_section = {Actel},
url = {http://web.archive.org/web/20070303113800/http://www.actel.com/documents/PA3_E_Security_AN.pdf},
}
contract iRoC Technologies: "Radiation results of the SER test of Actel, Xilinx and Altera FPGA instances", 2004.
@manual{ACTEL_IROC04,
author = {{iRoC Technologies}},
title = {Radiation results of the {SER} test of {Actel}, {Xilinx} and {Altera} {FPGA} instances},
organization = {},
edition = {},
month = {},
year = {2004},
key = {},
www_section = {Actel},
url = {http://www.actel.com/documents/OverviewRadResultsIROC.pdf},
}

Altera

contract Altera Corp.: "AN320: OpenCore Plus evaluation of Megafunctions", 2005.
@manual{ALTERA_AN320_MEGAFUNCEVAL,
author = {{Altera Corp.}},
title = {{AN320}: {OpenCore Plus} evaluation of {Megafunctions}},
organization = {},
edition = {},
month = {October},
year = {2005},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/an/an320.pdf},
}
contract Altera Corp.: "AN341: Using the design security feature in Stratix II and Stratix II GX devices", 2007.
@manual{Altera_AN341_S2DesignSecurity,
author = {{Altera Corp.}},
title = {{AN341}: Using the design security feature in {Stratix II} and {Stratix II GX} devices},
organization = {},
edition = {},
month = {February},
year = {2007},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/an/AN341.pdf},
}
contract Altera Corp.: "AN343: OpenCore evaluation of AMPP Megafunctions", 2004.
@manual{ALTERA_AN343_AMPPEVAL,
author = {{Altera Corp.}},
title = {{AN343}: {OpenCore} evaluation of {AMPP Megafunctions}},
organization = {},
edition = {},
month = {February},
year = {2004},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/an/an343.pdf},
}
contract Altera Corp.: "AN357: Error detection using CRC in Altera FPGA devices", 2004.
@manual{Altera_AN357_SEU_04,
author = {{Altera Corp.}},
title = {{AN357}: Error detection using {CRC} in {Altera} {FPGA} devices},
organization = {Altera Corp.},
edition = {},
month = {July},
year = {2004},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/an/an357.pdf},
}
contract Altera Corp.: "An FPGA design security solution using a secure memory device", 2007.
@manual{Altera_WP01033_IFF,
author = {},
title = {An {FPGA} design security solution using a secure memory device},
organization = {Altera Corp.},
edition = {},
month = {October},
year = {2007},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/wp/wp-01033.pdf},
}
contract Altera Corp.: "FPGA design security solution using MAX II devices", 2004.
@manual{Altera_WPM2DSGN_IFF,
author = {},
title = {{FPGA} design security solution using {MAX} {II} devices},
organization = {Altera Corp.},
edition = {},
month = {September},
year = {2004},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/wp/wp_m2dsgn.pdf},
}
contract Altera Corp.: "Court issues preliminary injunction against Clear Logic in Altera litigation", 2002.
@manual{ALTERA_VS_CLOGIC_2,
title = {Court issues preliminary injunction against {Clear Logic} in {Altera} litigation},
organization = {Altera Corp.},
month = {July},
year = {2002},
www_section = {Altera},
url = {http://www.altera.com/corporate/news_room/releases/releases_archive/2002/corporate/nr-clearlogic.html},
}
contract United States Court of Appeals for the Ninth Circuit: "Altera Corporation vs. Clear Logic Incorporated (D.C. No. CV-99-21134)", 2005.
@manual{ALTERA_VS_CLOGIC_1,
title = {{Altera Corporation vs. Clear Logic Incorporated (D.C. No. CV-99-21134)}},
organization = {United States Court of Appeals for the Ninth Circuit},
month = {April},
year = {2005},
www_section = {Altera},
url = {http://www.svmedialaw.com/altera%20v%20clear%20logic.pdf},
}
contract Charlie Jenkins and Christian Plante: "Military anti-tampering solutions using programmable logic", 2007.
Abstract. Military applications are becoming increasingly complex. Major programs such as Future Combat Systems (FCS), Joint Strike Fighter F-35 (JSF), and the Joint Tactical Radio System (JTRS) are pushing technological capabilities to their limits. Due to the technology requirements and environments to which they are exposed, these military systems rely on programmable logic (FPGAs) to provide extreme flexibility plus protection from tampering. As FPGAs become an integral part of leading edge architectural design replacing ASICs and ASSPs, the security of the FPGA design and configuration bitstream is of utmost importance. This paper describes two techniques—configuration bitstream encryption and handshaking tokens for securing designers’ intellectual property (IP) within SRAM-based FPGAs.
@manual{Altera_CP01007_06,
author = {Charlie Jenkins and Christian Plante},
title = {Military anti-tampering solutions using programmable logic},
organization = {Altera Corp.},
edition = {},
month = {November},
year = {2007},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/cp/CP-01007.pdf},
}
contract Altera Corp.: "Stratix II device handbook", 2005.
@manual{STRATIX2,
author = {{Altera Corp.}},
title = {{Stratix II} device handbook},
organization = {},
edition = {},
month = {December},
year = {2005},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/hb/stx2/stratix2_handbook.pdf},
}
contract Altera Corp.: "Configuration and testing, Stratix-II device handbook", 2005.
@manual{STRATIX2_CONFIG,
author = {{Altera Corp.}},
title = {Configuration and testing, {Stratix-II} device handbook},
organization = {},
edition = {},
month = {May},
year = {2005},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/hb/stx2/stx2_sii51003.pdf},
}
contract Altera Corp.: "Stratix III design handbook", 2006.
@manual{STRATIX3_HANDBOOK,
author = {{Altera Corp.}},
title = {{Stratix III} design handbook},
organization = {},
edition = {},
month = {November},
year = {2006},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/hb/stx3/stratix3_handbook.pdf},
}
contract Altera Corp.: "Design security in Stratix III devices", 2006.
Abstract. As FPGAs are increasingly used for critical system functions, protecting designs and intellectual property (IP) implemented inside FPGAs is becoming more important. Altera Stratix III devices are the first high-density and high-performance FPGAs to use the advanced encryption standard (AES) with both non-volatile and volatile key programming to protect designs against copying, reverse engineering, and tampering. To make the Stratix III design security solution more secure and to protect the AES key, many security features have been implemented. The solution has been reviewed by external security consultants during the design phase and improvements have been made based on their feedback. This white paper details the security protection provided by the Stratix III design security solution.
@manual{Altera_WP01010_S3DesignSecurity,
author = {{Altera Corp.}},
title = {Design security in {Stratix III} devices},
organization = {},
edition = {},
month = {November},
year = {2006},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/wp/wp-01010.pdf},
}
contract Altera Corp.: "Cyclone II device family data sheet", 2006.
@manual{CYCLONE2,
author = {{Altera Corp.}},
title = {{Cyclone II} device family data sheet},
organization = {},
edition = {},
month = {June},
year = {2006},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/hb/cyc2/cyc2_cii5v1_01.pdf},
}
contract Altera Corp.: "FLEX 10K embedded programmable logic device family", 2003.
@manual{FLEX10K,
author = {{Altera Corp.}},
title = {{FLEX 10K} embedded programmable logic device family},
organization = {},
edition = {},
month = {January},
year = {2003},
key = {},
www_section = {Altera},
url = {http://www.altera.com/literature/ds/dsf10k.pdf},
}

Lattice

Lattice Semiconductor Corp.: "DS1006: LatticeECP2/M family data sheet", 2007.
@manual{ECP2M_DATASHEET,
author = {{Lattice Semiconductor Corp.}},
title = {{DS1006}: {LatticeECP2/M} family data sheet},
organization = {},
edition = {},
month = {February},
year = {2007},
key = {},
www_section = {Lattice},
url = {http://www.latticesemi.com/documents/DS1006.pdf},
}
Lattice Semiconductor Corp.: "HB1003: LatticeECP2/M family handbook", 2007.
@manual{ECP2M_HANDBOOK,
author = {{Lattice Semiconductor Corp.}},
title = {{HB1003}: {LatticeECP2/M} family handbook},
organization = {},
edition = {},
month = {February},
year = {2007},
key = {},
www_section = {Lattice},
url = {http://www.latticesemi.com/documents/HB1003.pdf},
}
Lattice Semiconductor Corp.: "TN1109: LatticeECP2/M configuration encryption usage guide", 2007.
@manual{ECP2M_ENCRYPTION,
author = {{Lattice Semiconductor Corp.}},
title = {{TN1109}: {LatticeECP2/M} configuration encryption usage guide},
organization = {},
edition = {},
month = {March},
year = {2007},
key = {},
www_section = {Lattice},
url = {http://www.latticesemi.com/documents/tn1109.pdf},
}

Xilinx

Xilinx Inc.: "Development system reference guide 10.1", 2009.
@manual{Xilinx_DevRefGuide101_WEB09,
author = {{Xilinx Inc.}},
title = {Development system reference guide 10.1},
organization = {},
edition = {},
month = {February},
year = {2009},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/itp/xilinx10/books/docs/dev/dev.pdf},
note = {\url{http://www.xilinx.com/itp/xilinx10/books/docs/dev/dev.pdf}},
}
Xilinx Inc.: "Processor peripheral IP evaluation", 2007.
@misc{Xilinx_ProcessorEval_WEB07,
author = {{Xilinx Inc.}},
title = {Processor peripheral {IP} evaluation},
month = {October},
year = {2007},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/ipcenter/ipevaluation/proc_ip_evaluation.htm},
}
Carl Carmichael: "XAPP197: Triple module redundancy design techniques for Virtex FPGAs", 2006.
Abstract. Triple Module Redundancy (TMR) combined with Single Event Upset (SEU) correction through partial reconfiguration is a powerful and effective SEU mitigation strategy. This method is only supported for the Virtex series of Xilinx FPGAs. Xilinx Application Note, XAPP216, describes the use of Readback and Partial Configuration for SEU detection and correction. This application note outlines the recommended design methodology for constructing and implementing TMR logic within the Virtex architecture.
@manual{Xilinx_XAPP197_TMR_06,
author = {Carl Carmichael},
title = {{XAPP197}: Triple module redundancy design techniques for {Virtex} {FPGAs}},
organization = {{Xilinx Inc.}},
edition = {},
month = {July},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/application_notes/xapp216.pdf},
}
Xilinx Inc.: "XAPP290: Two flows for partial reconfiguration: module based or difference based", 2004.
Abstract. An important feature in the Xilinx Virtex architecture is the ability to reconfigure a portion of the FPGA while the remainder of the design is still operational. Partial reconfiguration is useful for applications that require the loading of different designs into the same area of the device or the flexibility to change portions of a design without having to either reset or completely reconfigure the entire device.
@manual{Xilinx_XAPP290_PartialReconfig,
author = {{Xilinx Inc.}},
title = {{XAPP290}: Two flows for partial reconfiguration: module based or difference based},
organization = {},
edition = {},
month = {September},
year = {2004},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/application_notes/xapp290.pdf},
}
Xilinx Inc.: "XAPP412: Architecting systems for upgradability with IRL (Internet Reconfigurable Logic)", 2001.
Abstract. Internet Reconfigurable Logic (IRL™) is a system design methodology to enable the remote upgrade of hardware, while insuring the reliability of the upgrade. FPGAs, which are “Field Programmable” are inherently capable of changing their functionality with a new bitstream. IRL takes advantage of this capability by delivering new bitstreams and software drivers to the remote hardware. This application note will describe the basic concepts of an IRL-enabled system, detail design considerations for building an IRL system and give a high level description of the PAVE Framework, the Xilinx API and development framework that enables embedded systems to be upgraded.
@manual{Xilinx_XAPP412_IRL,
author = {{Xilinx Inc.}},
title = {{XAPP412}: Architecting systems for upgradability with {IRL} ({Internet Reconfigurable Logic})},
organization = {},
edition = {},
month = {June},
year = {2001},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/application_notes/xapp412.pdf},
}
Les Jones: "XAPP714: Single Event Upset (SEU) detection and correction using Virtex-4 Device", 2005.
Abstract. Application domains such as military, aerospace, and high-reliability communications require detection of Single Event Upsets (SEUs) or soft errors even when the likelihood of such an occurrence is extremely low. Furthermore, applications running in redundant systems require fast indication of an SEU in order to minimize the impact upon operation. In many cases, fast correction with minimal impact upon operation is also required.
For systems that require fast recovery from SEUs, this application note describes a pre-engineered solution using Virtex-4 devices. It provides single-error correction and double-error detection (SECDED) for each unit of device configuration memory. Any changes in the configuration memory are detected by continuous parity checks and can be quickly repaired without loss of FPGA configuration. The SEU controller module can be easily integrated into any standard ISE design project. The solution is completely self-contained, requiring no FPGA I/O pins or external devices, and is capable of monitoring 100 percent of the static CMOS configuration latches (CCLs) in the device.
@manual{Xilinx_XAPP714_05,
author = {Les Jones},
title = {{XAPP714}: {Single Event Upset} ({SEU}) detection and correction using {Virtex-4} Device},
organization = {Xilinx Inc.},
edition = {},
month = {August},
year = {2005},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/application_notes/xapp714.pdf},
}
Ralf Krueger: "XAPP766: Using high security features in Virtex-II series FPGAs", 2004.
@manual{Xilinx_XAPP766_BatterySecurity,
author = {Ralf Krueger},
title = {{XAPP766}: Using high security features in {Virtex-II} series {FPGA}s},
organization = {Xilinx Inc.},
edition = {},
month = {July},
year = {2004},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/application_notes/xapp766.pdf},
}
Catalin Baetoniu and Shalin Sheth: "XAPP780: FPGA IFF copy protection using Dallas Semiconductor/Maxim DS2432 Secure EEPROM", 2005.
@manual{Xilinx_XAPP780_IFF,
author = {Catalin Baetoniu and Shalin Sheth},
title = {{XAPP780}: {FPGA} {IFF} copy protection using {Dallas Semiconductor}/{Maxim} {DS2432} Secure {EEPROM}},
organization = {Xilinx Inc.},
edition = {},
month = {August},
year = {2005},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/application_notes/xapp780.pdf},
}
Abhay Maheshwari and Austin Lesea: "WP208: Flip-chip package substrate solder issue", 2004.
Abstract. Alpha particle emission in close proximity to the device circuitry is minimized by following Xilinx low alpha solder requirements on package substrate pads. One flip-chip packaging vendor's failure to comply with these requirements has resulted in contamination by high alpha solder causing possible soft errors due to flipped device configuration bits. This white paper provides an overview on soldering material, describes the specific soldering problem, and offers some solutions.
@manual{XILINX_WP208,
author = {Abhay Maheshwari and Austin Lesea},
title = {{WP208}: Flip-chip package substrate solder issue},
organization = {Xilinx Inc.},
edition = {},
month = {January},
year = {2004},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/white_papers/wp208.pdf},
}
Matt Klein: "WP221: Static power and the importance of realistic junction temperature analysis", 2005.
Abstract. Total power consumption of a board or system is important; each FPGA or ASIC in a system is beginning to be forced to meet a power budget. With this concern and the trend of increasing static power with use of high performance 90 nm FPGAs, Xilinx has put considerable effort into reducing static power in the Virtex-4 FPGAs. To this end, it is important to consider a realistic operating temperature for the FPGAs, which can easily have junction temperature up to and in excess of 85°C. As junction temperature rises, static power rises exponentially, fueling this concern.
@manual{XILINX_WP221,
author = {Matt Klein},
title = {{WP221}: Static power and the importance of realistic junction temperature analysis},
organization = {Xilinx Inc.},
edition = {},
month = {March},
year = {2005},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/white_papers/wp221.pdf},
}
Derek Curd: "WP246: Power consumption in 65 nm FPGAs", 2007.
Abstract. With the introduction of the Virtex-5 family, Xilinx is once again leading the charge to deliver new technologies and capabilities to FPGA consumers. The move to 65 nm FPGAs promises to deliver many of the benefits traditionally associated with smaller process geometries: lower cost, higher performance, and greater logic capacity. However, along with these benefits, the 65 nm process node brings with it new challenges. This white paper addresses one of those challenges, power consumption in 65 nm FPGAs. As with the Virtex-4 family, Xilinx has implemented a number of process and architectural innovations in Virtex-5 devices to ensure that static power consumption is minimized and that the dynamic power benefits of moving to a new process node are fully realized.
@manual{XILINX_WP246,
author = {Derek Curd},
title = {{WP246}: Power consumption in {65 nm} {FPGAs}},
organization = {Xilinx Inc.},
edition = {},
month = {February},
year = {2007},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/white_papers/wp246.pdf},
}
Austin Lesea: "IP security in FPGAs", 2007.
@manual{XILINX_WP261_IPSEC,
author = {Austin Lesea},
title = {{IP} security in {FPGAs}},
organization = {Xilinx Inc.},
edition = {},
month = {February},
year = {2007},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/white_papers/wp261.pdf},
}
Maureen Smerdon: "Security solutions using Spartan-3 generation FPGAs", 2007.
Abstract. In today’s world, security is a huge concern for our global society. Whether boarding a plane, closing the front door, or beginning your next generation circuit design, security has become a significant issue. In our homes, we try to build in the right amount of security to protect ourselves against theft. Security is rapidly becoming a necessity in the electronics industry as well. It is important to understand why security issues have escalated to the forefront in the electronics design field. One reason is the alarming amount of counterfeited goods that are the result of theft. These goods threaten the economy and have a significant effect worldwide in the consumer markets according to the Anti-counterfeiting Coalition. This white paper identifies the top design security threats, explores the basic levels of security, and describes how new, low-cost Spartan-3A, Spartan-3AN, and Spartan-3A DSP FPGAs from Xilinx can help protect your products and profits.
@manual{XILINX_WP266,
author = {Maureen Smerdon},
title = {Security solutions using {Spartan-3} generation {FPGAs}},
organization = {Xilinx Inc.},
edition = {},
month = {July},
year = {2007},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/white_papers/wp266.pdf},
}
Glenn Crow: "Advanced security schemes for Spartan-3A/3AN/3A DSP FPGAs", 2007.
Abstract. FPGAs provide the ability to integrate and support new protocols and standards with ease, as well as product customization while still delivering rapid time to market. With the internet and the global market, outsourcing manufacturing has become more popular making security a bigger factor. As stated in articles published by industry leaders, reverse engineering, cloning, overbuilding, and tampering have become major security issues. Experts estimate that each year multiple billions of dollars in revenue are lost due to counterfeiting. These goods threaten the economy and have a significant effect worldwide in the consumer markets according to the Anti-counterfeiting Coalition. This white paper identifies the top design security threats, explores the advanced security options, and describes how new, low-cost Spartan-3A, Spartan-3AN, and Spartan-3A DSP FPGAs from Xilinx can help protect your products and profits.
@manual{XILINX_WP267,
author = {Glenn Crow},
title = {Advanced security schemes for {Spartan-3A/3AN/3A DSP} {FPGAs}},
organization = {Xilinx Inc.},
edition = {},
month = {August},
year = {2007},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/white_papers/wp267.pdf},
}
Chen Wei Tseng: "Lock your designs with the Virtex-4 security solution", 2005.
@article{Xilinx_V4SEC_05,
author = {Chen Wei Tseng},
title = {Lock your designs with the {Virtex-4} security solution},
organization = {Xilinx Inc.},
journal = {Xcell Journal},
year = {2005},
volume = {},
number = {},
pages = {},
month = {Spring},
www_section = {Xilinx},
url = {http://www.xilinx.com/publications/xcellonline/xcell_52/xc_v4security52.htm},
}
Adam P. Donlin and Stephen M. Trimberger: "Evolved circuits for bitstream protection", 2005.
Abstract. A security circuit for a reprogrammable logic IC includes an evolved circuit that ties the performance of the security circuit to the physical properties of that particular reprogrammable logic IC. The security circuit can be a decryption and/or encryption circuit that decrypts and/or encrypts, respectively, a configuration bitstream for the IC. Because of the link between the performance of the security circuit and the physical properties of the IC, the security circuit cannot be used in other ICs. For example, an encrypted bitstream that can be decrypted by the security circuit in a first IC will typically not be decrypted by the same security circuit in a second IC, since the physical properties of the two ICs will typically be different. The evolved circuit can comprise a portion of the security circuit, such as a security key generator, or it can comprise the full security circuit.
@manual{DonlinTrimberger_EvolveBitstreamProtection_USPTO05,
author = {Adam P. Donlin and Stephen M. Trimberger},
title = {Evolved circuits for bitstream protection},
organization = {United States Patent Office},
year = {2005},
month = {May},
number = {6894527},
www_section = {Xilinx},
url = {http://patft1.uspto.gov/netacgi/nph-Parser?patentnumber=6894527},
}
Stephen M. Trimberger and Robert O. Conn: "Remote field upgrading of programmable logic device configuration data via adapter connected to target memory socket", 2007.
Abstract. A method and apparatus are provided for updating or changing configuration data stored in the PROM of a target system, the data being used to configure one or more reprogrammable logic devices such as FPGAs. In one embodiment the apparatus comprises a modem used to communicate remotely with a host system, a shadow PROM for receiving new configuration data intended for use in a target system, an interface for relaying configuration data from the shadow PROM to the target, and means for controlling the components of the update system.
@manual{TrimbergerConn_RemoteFieldUpgrading_USPTO07,
author = {Stephen M. Trimberger and Robert O. Conn},
title = {Remote field upgrading of programmable logic device configuration data via adapter connected to target memory socket},
organization = {United States Patent Office},
year = {2007},
month = {September},
number = {7269724},
www_section = {Xilinx},
url = {http://patft1.uspto.gov/netacgi/nph-Parser?patentnumber=7269724},
}
Xilinx Inc.: "DS099: Spartan-3 FPGA family: Complete data sheet", 2006.
@manual{SPARTAN3_DATASHEET,
author = {{Xilinx Inc.}},
title = {{DS099}: {Spartan-3 FPGA} family: Complete data sheet},
organization = {},
edition = {},
month = {April},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/data_sheets/ds099.pdf},
}
Xilinx Inc.: "DS312: Spartan-3E FPGA family: Complete data sheet", 2006.
@manual{SPARTAN3E,
author = {{Xilinx Inc.}},
title = {{DS312}: {Spartan-3E FPGA} family: Complete data sheet},
organization = {},
edition = {},
month = {May},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/data_sheets/ds312.pdf},
}
Xilinx Inc.: "UG332: Spartan-3 generation configuration user guide", 2006.
@manual{Xilinx_UG332_S3ConfigUG,
author = {{Xilinx Inc.}},
title = {{UG332}: {Spartan-3} generation configuration user guide},
organization = {},
edition = {},
month = {December},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug332.pdf},
}
Xilinx Inc.: "UG331: Spartan-3 generation FPGA user guide", 2006.
@manual{SPARTAN3_UG,
author = {{Xilinx Inc.}},
title = {{UG331}: {Spartan-3} generation {FPGA} user guide},
organization = {},
edition = {},
month = {December},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug331.pdf},
}
Xilinx Inc.: "UG002: Virtex-II user guide", 2005.
@manual{VIRTEX2,
author = {{Xilinx Inc.}},
title = {{UG002}: {Virtex-II} user guide},
organization = {},
edition = {},
month = {March},
year = {2005},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug002.pdf},
}
Xilinx Inc.: "UG012: Virtex-II Pro and Virtex-II Pro X FPGA user guide", 2005.
@manual{VIRTEX2P,
author = {{Xilinx Inc.}},
title = {{UG012}: {Virtex-II Pro} and {Virtex-II Pro X} {FPGA} user guide},
organization = {},
edition = {},
month = {March},
year = {2005},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug012.pdf},
}
Xilinx Inc.: "UG070: Virtex-4 user guide", 2006.
@manual{VIRTEX4,
author = {{Xilinx Inc.}},
title = {{UG070}: {Virtex-4} user guide},
organization = {},
edition = {},
month = {March},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug070.pdf},
}
Xilinx Inc.: "UG071: Virtex-4 configuration user guide", 2006.
@manual{VIRTEX4_CONFIG,
author = {{Xilinx Inc.}},
title = {{UG071}: {Virtex-4} configuration user guide},
organization = {},
edition = {},
month = {January},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug071.pdf},
}
Xilinx Inc.: "UG190: Virtex-5 user guide", 2006.
@manual{VIRTEX5,
author = {{Xilinx Inc.}},
title = {{UG190}: {Virtex-5} user guide},
organization = {},
edition = {},
month = {July},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug190.pdf},
}
Xilinx Inc.: "UG191: Virtex-5 configuration user guide", 2006.
@manual{VIRTEX5_CONFIG,
author = {{Xilinx Inc.}},
title = {{UG191}: {Virtex-5} configuration user guide},
organization = {},
edition = {},
month = {July},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug191.pdf},
}
Xilinx Inc.: "UG192: Virtex-5 system monitor user guide", 2006.
@manual{VIRTEX5_SYSMON,
author = {{Xilinx Inc.}},
title = {{UG192}: {Virtex-5} system monitor user guide},
organization = {},
edition = {},
month = {October},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug192.pdf},
}
Xilinx Inc.: "DS202: Virtex-5 data sheet: DC and switching characteristics", 2006.
@manual{VIRTEX5_DATASHEET,
author = {{Xilinx Inc.}},
title = {{DS202}: {Virtex-5} data sheet: {DC} and switching characteristics},
organization = {},
edition = {},
month = {October},
year = {2006},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/data_sheets/ds202.pdf},
}
Xilinx Inc.: "UG193: Virtex-5 XtremeDSP design considerations user guide", 2007.
@manual{VIRTEX5_DSP,
author = {{Xilinx Inc.}},
title = {{UG193}: {Virtex-5} {XtremeDSP} design considerations user guide},
organization = {},
edition = {},
month = {December},
year = {2007},
key = {},
www_section = {Xilinx},
url = {http://www.xilinx.com/support/documentation/user_guides/ug193.pdf},
}

I've made every effort to provide a direct link to the publication/document, preferably in PDF. However, some documents are not freely available and often are behind a pay- or registration-wall, in which case the link is to there. If you spot a broken link or can provide a direct link to a PDF where one is missing, please let me know. Accents are removed in the HTML due to laziness, but appear in all their glory in the bibtex entry.

You are welcome to use the Perl script to your heart's content... but please do give some credit and link back. Be nice. See my comments in the code for guidance. In brief, if you want to order your entries you need to add a www_section = {foo}, field to each entry. The ordering of the categories is determined by the first instance they appear, then by sequential order in which they are ordered in the bibtex file. If you run into trouble consult the raw bibtex file linked below. In a case of emergency, contact me.

- fpgasec_web.bib: raw bibtex file (input to the script below)
- sbib2html.pl: perl script that generated the html
- switch content II: origin of (modified) javascript code

last modified 2009/3/9