高效高安全FPGA配置比特流密码算法及实现

张彦龙; 周婧; 邰瑜; 蔡海洋; 王硕; 肖克; 张雪婷; 董晗; 杜忠

doi:10.20193/j.ices2097-4191.2025.0022

PDF(6351 KB)

集成电路与嵌入式系统 ›› 2025, Vol. 25 ›› Issue (6) : 48-57. DOI: 10.20193/j.ices2097-4191.2025.0022

FPGA前沿技术与应用研究专刊

高效高安全FPGA配置比特流密码算法及实现

张彦龙 ¹^,² ,
周婧 ²^,³^,^* ,
邰瑜 ³ ,
蔡海洋 ³ ,
王硕 ² ,
肖克 ² ,
张雪婷 ² ,
董晗 ² ,
杜忠 ²

作者信息 +

Efficient and high-security FPGA configuration bit-stream cryptographic algorithm and implementation

ZHANG Yanlong ¹^,² ,
ZHOU Jing ²^,³^,^* ,
TAI Yu ³ ,
CAI Haiyang ³ ,
WANG Shuo ² ,
XIAO Ke ² ,
ZHANG Xueting ² ,
DONG Han ² ,
DU Zhong ²

Author information +

文章历史 +

摘要

针对目前FPGA配置比特流解密认证资源开销大、效率低等问题,基于有限域GF(2³²)乘法运算提出了GMAC_GF32认证算法,并结合CTR模式的AES加密运算设计并实现了一种高效、高安全的FPGA配置比特流解密认证方法。该方法采用四级流水线设计实现AES256_CTR解密模块电路,使得每次解密时间与传输128位数据时间相匹配,最大化提高了FPGA解密的吞吐率,另外,每级流水线运算通过采用4个S-Box并行运算能够提高能量侧信道安全性。认证模块电路通过有限域GF(2³²)运算将现有验证码改进为32位,能够有效降低串行计算验证码的效率,提高时钟利用率,并且通过在认证模块电路引入内置多项式函数能够提高验证码的安全性,防止攻击码流的载入。基于FPGA原型验证板的实验验证结果表明,采用的流水线解密方式提升AES256_CTR算法的解密效率,将解密过程压缩到4个时钟周期;所提认证方法能够在维持认证强度的同时,大幅减少额外认证数据量及隐性时间成本,实现认证算法所消耗的面积资源减少96.5%;最终使得解密认证电路面积没有明显增加。本文提出的方法适用于对性能与安全均有较高要求的FPGA芯片设计场景。

Abstract

To address the current issues of high resource overhead and low efficiency in FPGA configuration bitstream decryption and authentication, this paper proposes the GMAC_GF32 authentication algorithm based on finite field GF(2³²) multiplication operations. Combined with AES encryption in CTR mode, we design and implement an efficient and highly secure FPGA configuration bitstream decryption and authentication method. The method employs a four-stage pipeline design for the AES256_CTR decryption module, ensuring that each decryption cycle aligns with the time required to transmit 128 bits of data, thereby maximizing the decryption throughput of the FPGA. Additionally, each pipeline stage enhances power side-channel security by utilizingsixteen S-Boxes operating in parallel. The authentication module improves existing verification codes to 32 bits through GF(2³²) operations, effectively mitigating the inefficiency of serial verification code computation, improving clock utilization. The authentication module enhances security by incorporating built-in polynomial functions to prevent the loading of malicious code streams. Experimental validation on an FPGA prototype board demonstrates that the proposed pipeline decryption approach optimizes the AES256_CTR algorithm, compressing the decryption process to four clock cycles. The authentication method significantly reduces additional authentication data volume and hidden time costs while maintaining security strength, achieving a 96.5% reduction in area resource consumption for the authentication algorithm;thereby achieving no noticeable increase in the overall decryption-authentication circuit area. The proposed method is well-suited for FPGA chip design scenarios requiring high performance and robust security.

导出引用

张彦龙, 周婧, 邰瑜, 等. 高效高安全FPGA配置比特流密码算法及实现[J]. 集成电路与嵌入式系统. 2025, 25(6): 48-57 https://doi.org/10.20193/j.ices2097-4191.2025.0022

ZHANG Yanlong, ZHOU Jing, TAI Yu, et al. Efficient and high-security FPGA configuration bit-stream cryptographic algorithm and implementation[J]. Integrated Circuits and Embedded Systems. 2025, 25(6): 48-57 https://doi.org/10.20193/j.ices2097-4191.2025.0022

中图分类号： TP309 (安全保密)

参考文献

列表( 原文顺序 | 文献年度倒序 | 文中引用次数倒序 ) 可视化分析

[1]	VIPIN K, FAHMY S A. FPGA dynamic and partial reconfiguration: A survey of architectures, methods, and applications[J]. ACM Computing Surveys, 2018, 51(4):1-39. 本文引用 [1]

[2]	ENDER M, MORADI A, PAAR C. The unpatchable silicon:a full break of the bitstream encryption of Xilinx 7-series FPGAs[C]// 29th USENIX Security Symposium (USENIX Security 20), 2020:1803-1819. 本文引用 [1]

[3]	VAIDEHI M, RABI B J. Design and analysis of AES-CBC mode for high security applications[C]// Second International Conference on Current Trends in Engineering and Technology-ICCTET.IEEE, 2014:499-502. 本文引用 [1]

[4]	DWORKINM. Recommendation for block cipher modes of operation:Galois/Counter Mode (GCM) and GMAC[M]. National Institute of Standards & Technology, 2004. 本文引用 [2]

[5]	LIPMAA H, ROGAWAY P, WAGNER D. CTR-mode encryption[C]// First NIST Workshop on Modes of Operation, 2000:39. 本文引用 [1]

[6]	ABDULLAH A M. Advanced encryption standard (AES) algorithm to encrypt and decrypt data[J]. Cryptography and Network Security, 2017, 16(1):11. 本文引用 [1]

[7]	HUSSAIN S M S, FAROOQ S M, USTUN T S. Analysis and implementation of message authentication code (MAC) algorithms for GOOSE message security[J]. IEEE Access, 2019(7):80980-80984. 本文引用 [1]

[8]

涂开辉, 黄志洪, 侯峥嵘, 等. 基于配置模式匹配和层次化映射结构的高效FPGA码流生成系统研究[J]. 电子与信息学报, 2019, 41(11):2585-2591.

K H

, HUANG

Z H

, HOU

Z R

, et al. Research on an efficient FPGA bitstream generation system based on configuration pattern matching and hierarchical mapping structure[J]. Journal of Electronics & Information Technology, 2019, 41(11):2585-2591. (in Chinese)

本文引用 [1]

[9]	谭德立, 徐炜遐. FPGA 芯片动态配置的研究与实现[J]. 计算机工程与科学, 2006, 28(8):108. TAN D L, XU W X. Research and implementation of dynamic configuration for FPGA chips[J]. Computer Engineering and Science, 2006, 28(8):108. (in Chinese) 本文引用 [1]