A kind of Circuits System design encrypted circuit and encryption method thereof
Technical field
The present invention relates to a kind of Circuits System design encrypted circuit and encryption method thereof; Especially relate to a kind of FPGA (Field Programmable Gate Array that uses encrypted circuit to circuit; Field programmable gate array) designs the circuit and the encryption method thereof of encrypting; Forbid that the rival cracks the design data of circuit through catching the configuration data bit stream that transmits between FPGA and the external memory storage, this invention also can be used for the encrypted circuit design and the encryption method thereof of similar field electronic circuit.
Background technology
After new product development was accomplished and come into operation, it is lucrative that in a single day the rival feels, i.e. usurp technology secret by every possible means, even directly adopt the method for flight to carry out product image, have a strong impact on designer's interests.Simultaneously, technology, production, the quality control level of imitated producer are comparatively low usually, though produce same product, quality can't guarantee, in the regular supplier's prestige of influence, gives and uses the client also to bring great inconvenience.Domestic manufacturers seldom consider to encrypt in the process of product design at present.The strong large manufacturer of minority takes the scheme of direct custom chip to encrypt, and for common manufacturer, the high expense of custom chip is unaffordable.
Common one comparatively the circuit design of sophisticated functions comprise CPU (central processing unit) and FPGA, CPU is responsible for the processing of data, FPGA is responsible for logical process.When system powers on, when the configuration data bit stream among the FPGA transmits, can capture it between FPGA and external memory storage 4.The configuration data bit stream that utilization captures disposes another FPGA device, just can duplicate this FPGA design, and this is the critical process of copying.
Prior art flows owing to being easy to capture the FPGA configuration bit, and duplicates, and therefore, the FPGA design is difficult to take precautions against design and steals.(IP) compares with lift intellectual property, possibly from bit stream, extract IP hardly, but but can from FPGA, clone whole design.In order to protect configuration bit stream, the FPGA that has can encrypt by bit stream now.Yet, come need increase step in process of production the key among the FPGA is programmed for the FPGA of encryption configuration bit stream for not possessing embedded bit stream cryptographic means, therefore improved cost.
Summary of the invention
The present invention provides a kind of Circuits System design encrypted circuit and encryption method thereof; This invention can overcome the circuit design of prior art existence well easily by the technical problem of rival's plagiarism; The encryption designed circuit and the encryption method of a kind of economy, the circuit of method realization reliably are provided; Prevent the imitated of rival, thus the protection number one.
The present invention provides a kind of embodiment of Circuits System design encrypted circuit, and a kind of Circuits System design encrypted circuit comprises FPGA and CPU, and CPU links to each other with FPGA with data/address bus through address bus; When system powered on, the configuration data bit stream among the FPGA transmitted between FPGA and external memory storage, and Circuits System design encrypted circuit also comprises an encrypting module; Encrypting module links to each other with FPGA, contains algorithm engine in the encrypting module, and stores corresponding key; Also be embedded in corresponding arithmetic module among the FPGA, and contain with encrypting module in the key that is complementary, when system powers on; FPGA reads the result of calculation from encrypting module, with its with FPGA in the result of calculation contrast of algoritic module, if result's coupling; The enables users design if do not match, is then forbidden user's design.Encrypting module adopts identical algorithm, the key that is complementary and identical algorithm engine input with the algoritic module of FPGA.
As the further execution mode of Circuits System design encrypted circuit of the present invention; Described encrypting module further comprises encrypted memory; Algorithm engine is the hash algorithm engine; Key writes in the encrypted memory in the production process of circuit product, and the embedded hash algorithm engine of encrypting module chip calculates, and the result is kept in the encrypted memory.
As the further execution mode of Circuits System of the present invention design encrypted circuit, said algoritic module is the hash algorithm module, contain among the FPGA with said encrypting module encrypted memory in the key that matees; According to encrypting module in the identical input of Hash algorithm engine calculate; When system powered on, behind the intact FPGA of user's design configurations, FPGA produced a random number; Send to encrypting module to random number; Encrypting module carries out computations and result of calculation is stored in the encrypted memory, and FPGA reads the message authentication code result of calculation from encrypting module, with its with FPGA in Hash algoritic module authentication code result compare.
As the further execution mode of Circuits System design encrypted circuit of the present invention; Add security authentication module among the described CPU, when system powered on, described security authentication module sent the forcible authentication order to FPGA; FPGA control encrypting module is carried out encrypting and authenticating; If authentication success, CPU executive utility then, otherwise forbid the key function of application program.
As the further execution mode of Circuits System design encrypted circuit of the present invention, described encrypting module chip is the single bus interface chip, and encrypting module is connected with the I/O pin of FPGA through a data lines.
The present invention also provides a kind of embodiment of utilizing above-mentioned encrypted circuit to carry out Circuits System design method of encrypting, and a kind of Circuits System design encrypted circuit carries out method of encrypting, and described encryption method may further comprise the steps:
S10: system powers on, the configuration of FPGA log-on data, and FPGA gets into the encrypting and authenticating process;
S11:FPGA produces a random number;
S12:FPGA sends to encrypting module to random number;
S13: encrypting module begins to carry out AES and calculates, and result of calculation is stored in the encrypted memory;
S14:FPGA reads the message authentication code result of calculation from encrypting module;
S15:FPGA begins starting algorithm and calculates, and encrypting module adopts identical algorithm, the key that is complementary and identical algorithm engine input with the algoritic module of FPGA;
S16:FPGA will compare from the message authentication code result of calculation of encrypting module and the algorithm computation result of FPGA;
Whether S17:FPGA verification algorithm result of calculation matees;
S18: if result's coupling, enables users FPGA design; If do not match, then forbid user FPGA design.
As the further execution mode of a kind of Circuits System design encryption method of the present invention, described encryption method also further comprises the safety certification step:
S20: system powers on or moves;
S21:CPU sends to FPGA with the forcible authentication order;
S22:FPGA carries out the encrypting and authenticating process;
S23:CPU reads the authentication result of FPGA;
S24: whether checking FPGA verification process is successful;
S25: if FPGA authentication success, then CPU executive utility; If the FPGA authentication is unsuccessful, then forbid the CPU executive utility.
As the further execution mode of a kind of Circuits System design encryption method of the present invention,
In the circuit product production process, key is write in the chip of encrypting module, hash algorithm engine embedded in the chip calculates, and the result is kept in the encrypted memory; Embedded hash algorithm module among the FPGA, and contain with encrypting module in the key that matees, according to encrypting module in the identical input of Hash algorithm engine calculate.
As the further execution mode of a kind of Circuits System design encryption method of the present invention; Described encrypting module adopts 160 message authentication codes based on hash algorithm to carry out AES calculating, and described FPGA adopts 160 message authentication codes based on hash algorithm to carry out AES calculating.
Through using described Circuits System design encrypted circuit of embodiment of the present invention and encryption method thereof, through a kind of economy, method has realized the encryption design to circuit reliably, thereby has effectively prevented the imitated of rival, has protected the interests of self.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art; To do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below; Obviously, the accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills; Under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the system encryption theory diagram of Circuits System design encrypted circuit of the present invention;
Fig. 2 is the circuit theory diagrams of Circuits System design encrypted circuit of the present invention;
Fig. 3 encrypts the design of program flow chart for Circuits System design encrypted circuit FPGA of the present invention;
Fig. 4 is the application security design flow diagram of Circuits System design encryption method of the present invention;
Wherein: 1-FPGA, 2-encrypting module, 3-CPU, 4-external memory storage, 5-algoritic module, 6-encrypted memory, 7-algorithm engine, 8-security authentication module.
Embodiment
To combine the accompanying drawing in the embodiment of the invention below, the technical scheme in the embodiment of the invention is carried out clear, intactly description, obviously, described embodiment only is a part of embodiment of the present invention, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills are not making the every other embodiment that is obtained under the creative work prerequisite, all belong to the scope of the present invention's protection.
As the embodiment of a kind of Circuits System design of the present invention encrypted circuit, Circuits System design encrypted circuit as shown in Figure 1 is a kind of concrete application of the present invention on track traffic rolling stock man-machine interaction unit device, and Circuits System design encrypted circuit comprises FPGA 1 and CPU 3; CPU 3 links to each other with FPGA 1 with data/address bus through address bus, and when system powered on, the configuration data bit stream among the FPGA 1 transmitted between FPGA 1 and external memory storage 4; Circuits System design encrypted circuit also comprises an encrypting module 2, and encrypting module 2 links to each other with FPGA 1, contains algorithm engine 7 in the encrypting module 2; And store corresponding key, also be embedded in corresponding arithmetic module 5 among the FPGA 1, and contain with encrypting module 2 in the key that is complementary; When system powered on, FPGA 1 read the result of calculation from encrypting module 2, with its with FPGA 1 in the result of calculation contrast of algoritic module; If result's coupling; The enables users design if do not match, is then forbidden it.Encrypting module 2 adopts identical algorithm, the key that is complementary and identical algorithm engine input with the algoritic module 5 of FPGA1.Wherein, encrypting module 2 is a slice monobus encryption chip, and embedded hash algorithm engine can be realized the encryption of system.Encrypting module 2 adopts DS28E01 safe storage chip.
Encrypting module 2 further comprises encrypted memory 6; Algorithm engine 7 is hash algorithm engines; Key writes in the encrypted memory in the production process of circuit product, and the embedded hash algorithm engine of encrypting module 2 chips calculates, and the result is kept in the encrypted memory 6.Algoritic module 5 among the FPGA 1 is hash algorithm modules; Contain among the FPGA 1 with encrypting module 2 encrypted memory in the key that matees; According to encrypting module 2 in the identical input of Hash algorithm engine calculate, disposed FPGA after, can not launch user design immediately.Have only when the hash calculation result among safe storage and the FPGA is complementary, just can the enables users design.When system powered on, behind the intact FPGA 1 of user's design configurations, FPGA 1 produced a random number; Send to encrypting module 2 to random number; Encrypting module 2 carries out computations and result of calculation is stored in the encrypted memory 6, and FPGA 1 reads 160 message authentication codes (MAC) result of calculation from encrypting module 2, with its with FPGA 1 in Hash algoritic module authentication code (MAC; Message Authentication Code, message authentication code) result compares.If MAC result's coupling, the enables users design if do not match, is then forbidden it.Key only has the person specially designated for a post to know, has guaranteed the fail safe of circuit design to greatest extent.
In order to prevent that the imitator from getting around the encrypting and authenticating between FPGA and the safe storage, design FPGA voluntarily according to circuit theory and function, and the cancellation encrypted circuit.In CPU 3, further add security authentication module 8, force FPGA power on or running in carry out security authentication process, otherwise forbid the key function of application program.When system powered on, security authentication module 8 sent forcible authentication order to FPGA 1, and FPGA 1 control encrypting module 2 is carried out encrypting and authenticatings, if authentication success, CPU 3 executive utilities then, otherwise forbid the key function of application program.
As shown in Figure 2, encrypting module 2 chips are the single bus interface chip, and encrypting module 2 is connected with the I/O pin of FPGA 1 through a data lines.Encrypting module 2 needs to adopt pull-up resistor and 1 line I/O pin.
As the embodiment of a kind of Circuits System design of the present invention encryption method, a kind of Circuits System design encryption method as shown in Figure 3, encryption method may further comprise the steps:
S10: system powers on, the configuration of FPGA 1 log-on data, and FPGA 1 gets into the encrypting and authenticating process;
S11:FPGA 1 produces a random number;
S12:FPGA 1 sends to encrypting module 2 to random number;
S13: encrypting module 2 begins to carry out AES and calculates, and result of calculation is stored in the encrypted memory 6;
S14:FPGA 1 reads the message authentication code result of calculation from encrypting module 2;
S15:FPGA 1 beginning starting algorithm calculates, and encrypting module 2 adopts identical algorithm, the key that is complementary and identical algorithm engine input with the algoritic module 5 of FPGA 1;
S16:FPGA 1 will calculate the algorithm computation result who reads result and FPGA 1 and compare from the message authentication code of encrypting module 2;
Whether S17:FPGA 1 verification algorithm result of calculation matees;
S18: if result's coupling, enables users FPGA 1 design; If do not match, then forbid user FPGA 1 design.
Shown in the program flow diagram of Fig. 4, get around the encrypting and authenticating between FPGA and the safe storage in order to prevent the imitator, design FPGA voluntarily according to circuit theory and function, and the cancellation encrypted circuit, encryption method further comprises the safety certification step:
S20: system powers on or moves;
S21:CPU 3 sends to FPGA 1 with the forcible authentication order;
S22:FPGA 1 carries out the encrypting and authenticating process;
S23:CPU 3 reads the authentication result of FPGA 1;
S24: whether checking FPGA 1 verification process is successful;
S25: if FPGA 1 authentication success, then CPU 3 executive utilities; If FPGA 1 authentication is unsuccessful, then forbid CPU 3 executive utilities.
The encrypting and authenticating process is further comprising the steps of:
In the circuit product production process, key is write in the chip of encrypting module 2, hash algorithm engine embedded in the chip calculates, and the result is kept in the encrypted memory;
Embedded hash algorithm module among the FPGA, and contain with encrypting module 2 in the coupling key, according to encrypting module 2 in the identical input of Hash algorithm engine calculate.
Encrypting module 2 adopts 160 message authentication codes based on the Hash AES to carry out AES calculating, and FPGA 1 adopts 160 message authentication codes based on the Hash AES to carry out AES calculating.
From fail safe, in order circuit design to be cloned in another FPGA design, must clone's key and the unique ID of safe storage chip.This is difficult to realize, because can not read the key in the safe storage chip, also can't from MAC result, oppositely distorts hash algorithm and confirm key.
Embodiment of the present invention can be guaranteed to clone device and can't be worked from the source, thereby has protected user's design.Do not have correct key and hash algorithm result of calculation, can forbid the user's design among the FPGA always, entire circuit just can't be worked.
The above only is a preferred implementation of the present invention; Should be pointed out that for those skilled in the art, under the prerequisite that does not break away from the principle of the invention; Can also make some improvement and retouching, these improvement and retouching also should be regarded as protection scope of the present invention.The present invention simultaneously also can be applied to other association area.