# **FPGA** security

EUVE

Nele Mentens nele.mentens@kuleuven.be

Design and security of cryptographic algorithms and devices for real-world applications

June 1-6, 2014, Šibenik, Croatia

# Outline

- Introduction
  - FPGA vs. ASIC
  - FPGA application
- FPGA technology
  - Architecture
  - Configuration
  - Design flow
  - Performance comparison
- Crypto on FPGA
  - Area and speed optimization
  - AES design examples
- Dynamic/partial reconfiguration





#### Introduction **FPGA** application

- Prototype for ASIC design
- End product
  - Recently developed FPGAs are heterogeneous systems with dedicated building blocks.
  - FPGAs closely follow technology scaling because they are manufactured in high volumes.
- Application domains: ٠
  - space
  - telecommunication
  - signal processing
  - ...

SM

SM

IOB

SM

SM

CLB

SM

SM

CLB

e • SM

SM

CLB

Many applications require data security on FPGA. ٠

Summer School, Šibenik, Croatia – June 1-6, 2014



- Multiplexers,
- Flip-Flops (FFs),
- Carry logic.
- SM = Switch Matrix
- IOB = Input/Output Block

# FPGA technology<br/>Architecture Image: Comparison of the state of the state

Flip-Flop

Look-Up

Summer School, Šibenik, Croatia – June 1-6, 2014







Summer School, Šibenik, Croatia – June 1-6, 2014

# FPGA technology Architecture





Summer School, Šibenik, Croatia – June 1-6, 2014





Summer School, Šibenik, Croatia – June 1-6, 2014





- Latest development of Xilinx FPGAs:
  - Zynq-7000 series
  - ARM + FPGA
  - Processor-centered architecture

#### FPGA technology Configuration

- Configuration data: bitstream
- Configuration technology:
  - (anti-)fuse: one-time programmable
  - flash: non-volatile configuration memory
  - SRAM: volatile configuration memory
- SRAM (vs. flash) configuration memory
  - Higher density
  - Higher power consumption
  - On-board or on-chip non-volatile memory needed to store the bitstream during power-off
  - Higher configuration speed

Summer School, Šibenik, Croatia – June 1-6, 2014



## FPGA technology Configuration

basic content of a slice (excluding carry logic) + configuration



Summer School, Šibenik, Croatia – June 1-6, 2014

|   | FPGA technology<br>Configuration |   |   |                |                |                |                |  |                    |  |                    |                                                                                                                                             |  |
|---|----------------------------------|---|---|----------------|----------------|----------------|----------------|--|--------------------|--|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------|--|
| Α | В                                | С | D | Z <sub>0</sub> | Z <sub>1</sub> | Z <sub>2</sub> | Z <sub>3</sub> |  | Z <sub>65280</sub> |  | Z <sub>65535</sub> | Why 16 configuration                                                                                                                        |  |
| 0 | 0                                | 0 | 0 | 0              | 1              | 0              | 1              |  | 0                  |  | 1                  | Why 16 configuration<br>bits for a 4-to-1 LUT?                                                                                              |  |
| 0 | 0                                | 0 | 1 | 0              | 0              | 1              | 1              |  | 0                  |  | 1                  | DITS IOL 9 4-10-1 LOT                                                                                                                       |  |
| 0 | 0                                | 1 | 0 | 0              | 0              | 0              | 0              |  | 0                  |  | 1                  |                                                                                                                                             |  |
| 0 | 0                                | 1 | 1 | 0              | 0              | 0              | 0              |  | 0                  |  | 1                  | $2^{16}$ possible output<br>functions:<br>$Z_0 = 0$<br>$Z_1 = A'.B'.C'.D'$<br>$Z_2 = A'.B'.C'.D$<br>$Z_3 = A'.B'.C'$<br><br>$Z_{65280} = A$ |  |
| 0 | 1                                | 0 | 0 | 0              | 0              | 0              | 0              |  | 0                  |  | 1                  |                                                                                                                                             |  |
| 0 | 1                                | 0 | 1 | 0              | 0              | 0              | 0              |  | 0                  |  | 1                  |                                                                                                                                             |  |
| 0 | 1                                | 1 | 0 | 0              | 0              | 0              | 0              |  | 0                  |  | 1                  |                                                                                                                                             |  |
| 0 | 1                                | 1 | 1 | 0              | 0              | 0              | 0              |  | 0                  |  | 1                  |                                                                                                                                             |  |
| 1 | 0                                | 0 | 0 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  |                                                                                                                                             |  |
| 1 | 0                                | 0 | 1 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  |                                                                                                                                             |  |
| 1 | 0                                | 1 | 0 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  |                                                                                                                                             |  |
| 1 | 0                                | 1 | 1 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  |                                                                                                                                             |  |
| 1 | 1                                | 0 | 0 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  |                                                                                                                                             |  |
| 1 | 1                                | 0 | 1 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  |                                                                                                                                             |  |
| 1 | 1                                | 1 | 0 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  | Z <sub>65535</sub> = 1                                                                                                                      |  |
| 1 | 1                                | 1 | 1 | 0              | 0              | 0              | 0              |  | 1                  |  | 1                  |                                                                                                                                             |  |





Summer School, Šibenik, Croatia – June 1-6, 2014



Summer School, Šibenik, Croatia – June 1-6, 2014



#### **Crypto on FPGA** Area and speed optimization

- Maximize the use of dedicated building blocks
  - Multipliers (in older FPGAs)
    - A\*B
    - with or without registers
  - DSP slices (in more recently developed FPGAs)
    - version 1: A \* B + C
    - version 2: (A + B) \* C + D
    - · many options for including or excluding pipeline registers
  - Block RAM
    - single-port or dual-port
  - Shift registers
    - a LUT can also be used as an addressable shift register

Summer School, Šibenik, Croatia – June 1-6, 2014

## Crypto on FPGA AES design examples

Two examples:

- 1. P. Chodowiec, and K. Gaj, "Very Compact FPGA Implementation of the AES Algorithm", C.D. Walter et al. (Eds.): CHES 2003, LNCS 2779, pp. 319–333, 2003.
- S. Drimer, T. Güneysu, and C. Paar, "DSPs, BRAMs and a pinch of logic: extended recipes for AES on FPGAs", ACM Transactions on Reconfigurable Technology and Systems (TRETS), 3(1), 2010.

(pictures in the slides are copied from these publications)





Summer School, Šibenik, Croatia – June 1-6, 2014





Summer School, Šibenik, Croatia – June 1-6, 2014



EUVE

Summer School, Šibenik, Croatia – June 1-6, 2014



Summer School, Šibenik, Croatia – June 1-6, 2014

## Crypto on FPGA AES design example 2





Summer School, Šibenik, Croatia – June 1-6, 2014



- implementation attack resistance.