CN115378595A - Code stream encryption and decryption implementation method, system and equipment for configuring FPGA - Google Patents

Code stream encryption and decryption implementation method, system and equipment for configuring FPGA Download PDF

Info

Publication number
CN115378595A
CN115378595A CN202210940011.2A CN202210940011A CN115378595A CN 115378595 A CN115378595 A CN 115378595A CN 202210940011 A CN202210940011 A CN 202210940011A CN 115378595 A CN115378595 A CN 115378595A
Authority
CN
China
Prior art keywords
code stream
key
encryption
fpga
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210940011.2A
Other languages
Chinese (zh)
Inventor
杨堃
王海力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jingwei Qili Shanghai Information Technology Co ltd
Original Assignee
Jingwei Qili Shanghai Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jingwei Qili Shanghai Information Technology Co ltd filed Critical Jingwei Qili Shanghai Information Technology Co ltd
Priority to CN202210940011.2A priority Critical patent/CN115378595A/en
Publication of CN115378595A publication Critical patent/CN115378595A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry

Abstract

The embodiment of the invention provides an encryption and decryption implementation method, system and device for configuring an FPGA code stream, which reduce the capacity of an original EFUSE stored key by using a simple pseudo-random number generation design, greatly improve the yield of chip generation by adopting an EFUSE circuit with smaller capacity, shorten the EFUSE burning process time and improve the EFUSE writing success probability. Meanwhile, the EFUSE capacity is reduced, the chip area proportion occupied by the EFUSE is correspondingly reduced, the total area of the FPGA chip is also reduced, the output of the FPGA chip is correspondingly improved, and the FPGA generation cost is reduced. The method has the advantages that the confidentiality of the FPGA configuration code stream is effectively improved due to the steps of encryption algorithm selection, code stream scrambling, integrity check and the like in the generation process of the configuration code stream, and accordingly the safety of the FPGA design of a user is protected from being stolen.

Description

Code stream encryption and decryption implementation method, system and equipment for configuring FPGA
Technical Field
The embodiment of the invention relates to the technical field of FPGA chip design, in particular to a method, a system and equipment for realizing encryption and decryption of code streams for configuring an FPGA.
Background
A Programmable Gate Array (FPGA) is a Programmable logic device, and different work tasks are realized by configuring the use mode of its internal resources according to the user's needs.
The FPGA user can encrypt the code stream in the code stream generation stage for the purpose of design protection of the FPGA user, and the encrypted code stream is firstly decrypted and then configured in the code stream loading stage. In current schemes implementing decryption, key storage is essential. Table 1 below shows a summary of the key lengths required by the current mainstream encryption algorithm.
Table 1: summary table of key length required by current mainstream encryption algorithm
Encryption algorithm name Key length (bits)
Triple DES(2keys) 80
Triple DES(3keys) 112
AES-128 128
AES-192 192
AES-256 256
According to the principle of cryptography, the longer the key length, the higher the security level of the encryption. Therefore, encryption is usually performed by using an encryption algorithm with a long key. Therefore, a long key needs to be stored inside the FPGA chip, and the key is edited and written into a special type of nonvolatile memory inside the FPGA chip after the user designs the FPGA chip, where the type of the nonvolatile memory is EFUSE (one time programmable memory).
EFUSE is a special transistor design, and due to its own design structure, EFUSE cannot be reduced with the reduction of the size of an integrated circuit process node, that is, EFUSE density is difficult to increase, and storage capacity is small. And because the size of the EFUSE can not be reduced, the EFUSE with larger capacity is designed to occupy higher area proportion by using a small process node. The particularity of the EFUSE structure causes the high-capacity yield of the EFUSE structure to be unstable on a small process node.
Due to the above mentioned EFUSE disadvantage, in a scene with a long storage key, the encrypted bitstream is easily not decrypted due to EFUSE production errors, programming failures and the like.
Disclosure of Invention
Therefore, the embodiment of the invention provides a method, a system and equipment for implementing code stream encryption and decryption for configuring an FPGA (field programmable gate array), so as to solve the problems that:
1. in the prior art, under the scene of longer storage key, the technical problem that the encrypted code stream cannot be decrypted easily due to EFUSE production error, programming failure and the like is solved;
2. the encryption algorithm and the related information of the key are hidden in the configuration code stream, so that the user design safety level is improved.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
according to a first aspect of an embodiment of the present invention, an embodiment of the present invention provides a method for implementing encryption and decryption of a code stream configuring an FPGA, where the method includes the following steps executed on an upper computer:
selecting a target encryption algorithm and generating a corresponding first key based on a pseudo random number according to a corresponding algorithm;
encrypting the plaintext code stream by using the first key, and packaging the encrypted code stream by using the target encryption algorithm number and the corresponding key seed;
and configuring the FPGA chip by using the packaged encryption code stream, and processing the encryption code stream by using a decryption circuit in the FPGA chip to obtain a plaintext code stream so as to complete the FPGA configuration.
Further, selecting a target encryption algorithm and generating a corresponding first key based on the pseudo-random number according to the corresponding algorithm comprises:
selecting a target encryption algorithm from a plurality of encryption algorithms;
acquiring a target encryption algorithm number based on a preset encryption algorithm number mapping table;
generating a corresponding key seed by a pseudo-random number generator according to a selected target encryption algorithm;
determining the iteration preset times by combining the key required length of the selected encryption algorithm with the key seed length;
shifting the key seed one bit to the left/right at each iteration to generate a different pseudo-random number than the previous one;
and after all iterations are completed, splicing all pseudo random numbers according to a generation sequence, a reverse sequence or a disorder sequence to obtain the first secret key.
Further, the step of encapsulating the encryption code stream by using the target encryption algorithm number and the corresponding key seed comprises the following steps:
combining the target encryption algorithm number and the corresponding key seed according to a front-back sequence to generate an original packet header;
the original packet header is completely supplemented according to the definition of the length of the packet header, and the generation of the packet header is completed;
carrying out data scrambling on the supplemented packet headers;
performing ECC calculation on the scrambled data to obtain an ECC calculation result, and attaching the ECC result to the back of the scrambled packet header;
splicing the packet header and the encryption code stream after ECC calculation is finished;
and performing CRC calculation on the spliced code stream to obtain a CRC result, and attaching the CRC result to the back of the spliced code stream to finish packaging the encrypted code stream.
Further, performing data scrambling on the padded packet header, including:
performing data scrambling on the supplemented packet headers by adopting a mode of mutually negating 0, 1; or alternatively
And counting 0,1 number in the data, compressing the items with more numbers, and scrambling the data of the aligned packet headers.
Preferably, the encryption and decryption implementation method for configuring the FPGA code stream further includes the following steps executed inside the FPGA chip:
decapsulating the encapsulated encryption code stream, and extracting the target encryption algorithm number and a corresponding key seed;
generating a second key corresponding to the target encryption algorithm by using the key seed; wherein the key generation algorithms of the first key and the second key are the same;
and decrypting the decapsulated encryption code stream by using the second key to obtain a plaintext code stream, so as to configure the FPGA by using the plaintext code stream.
Further, decapsulating the encapsulated encryption code stream to extract the target encryption algorithm number and the corresponding key seed, including:
performing CRC on the received packaged encryption code stream;
if the CRC fails, setting a CRC error, and stopping the subsequent flow;
if CRC check succeeds, ECC check is carried out on the scrambled packet header according to the packet format;
if the ECC check fails, setting an ECC check error, and stopping the subsequent flow;
if the ECC is successfully checked, descrambling the packet header to recover the original packet header information;
and extracting the target encryption algorithm number and the related fields of the corresponding key seeds according to a packet header construction mode.
Further, generating a second key corresponding to the target encryption algorithm using the key seed comprises:
determining the iteration preset times of generating the key by using the key seed and the encryption algorithm as a basis;
generating the random number by adopting a shift register, and shifting the key seed to the left/right by one bit in each iteration so as to generate a pseudo-random number different from the previous time;
the pseudo-random number generated at each iteration is stored using a further register,
and after all iterations are completed, splicing all pseudo random numbers according to a generation sequence, a reverse sequence or a disorder sequence to obtain the second secret key.
According to a second aspect of the embodiments of the present invention, an embodiment of the present application provides a system for implementing encryption and decryption of a code stream configuring an FPGA, where the system includes:
the first key generation module is used for selecting a target encryption algorithm and generating a corresponding first key based on a pseudo-random number according to a corresponding algorithm;
the code stream encryption and encapsulation module is used for encrypting the plaintext code stream by using the first secret key and encapsulating the encrypted code stream by using the target encryption algorithm number and the corresponding secret key seed;
the output module is used for configuring the FPGA chip by using the packaged encryption code stream, and processing the encryption code stream by a decryption circuit in the FPGA chip to obtain a plaintext code stream so as to complete FPGA configuration;
the first key generation module, the code stream encryption and encapsulation module and the output module are loaded on the upper computer.
Preferably, an embodiment of the present application provides a system for implementing encryption and decryption of a code stream configured with an FPGA, further including:
the receiving module is used for receiving the packaged encryption code stream from the upper computer;
the decapsulation module is used for decapsulating the encapsulated encryption code stream and extracting the target encryption algorithm number and the corresponding key seed;
the second key generation module is used for generating a second key corresponding to the target encryption algorithm by using the key seed; wherein the key generation algorithms of the first key and the second key are the same;
the decryption module is used for decrypting the decapsulated encrypted code stream by using the second secret key to obtain a plaintext code stream;
the configuration module is used for configuring the FPGA by utilizing the plaintext code stream;
the receiving module, the decapsulation module, the second key generation module, the decryption module, and the configuration module are loaded inside the FPGA chip.
According to a third aspect of the embodiments of the present invention, there is provided a device for implementing encryption and decryption of a code stream in FPGA user design, the device including: a processor and a memory;
the memory is to store one or more program instructions;
the processor is configured to run one or more program instructions to execute the steps of the method for implementing encryption and decryption of a code stream for configuring an FPGA as described in any one of the above.
Compared with the prior art, the encryption and decryption implementation method, system and equipment for configuring the FPGA code stream provided by the embodiment of the application have the advantages that the capacity of an original EFUSE secret key is reduced by using a simple pseudo-random number generation design, an EFUSE circuit with smaller capacity is adopted, the yield of chip generation is greatly improved, the EFUSE burning process time is shortened, and the success probability of EFUSE writing is improved. Meanwhile, the EFUSE capacity is reduced, the chip area proportion occupied by the EFUSE is correspondingly reduced, the total area of the FPGA chip is also reduced, the output of the FPGA chip is correspondingly improved, and the FPGA generation cost is reduced. The configuration code stream has the steps of encryption algorithm selection, code stream scrambling, integrity verification and the like in the generation process, so that the confidentiality of the FPGA configuration code stream is effectively improved, and the security of the FPGA design of a user is protected from being stolen.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, the proportions, the sizes, and the like shown in the specification are only used for matching with the contents disclosed in the specification, so that those skilled in the art can understand and read the present invention, and do not limit the conditions for implementing the present invention, so that the present invention has no technical essence, and any modifications of the structures, changes of the proportion relation, or adjustments of the sizes, should still fall within the scope of the technical contents disclosed in the present invention without affecting the efficacy and the achievable purpose of the present invention.
FIG. 1 is a schematic diagram of the basic structure of an FPGA;
FIG. 2 is a schematic flow chart of a code stream generated by current user design being loaded to each basic unit module of an FPGA;
fig. 3 is a schematic flow diagram of a method for implementing encryption and decryption of a code stream currently configured with an FPGA;
FIG. 4 is a schematic diagram illustrating the principle of stream decryption of a current FPGA decryption module;
fig. 5 is a schematic diagram of a logic structure of a system for implementing encryption and decryption of code streams configuring an FPGA according to an embodiment of the present invention;
fig. 6 is a schematic flow diagram of an upper computer of a method for implementing encryption and decryption of code streams configuring an FPGA according to an embodiment of the present invention;
fig. 7 is a schematic flowchart of generating a corresponding first key according to an embodiment of the present invention;
FIG. 8 is a schematic flowchart of generating a first key corresponding to an AES-256 encryption algorithm according to an embodiment of the present invention;
FIG. 9 is a flowchart illustrating encapsulation of an encrypted code stream according to an embodiment of the present invention;
fig. 10a is a schematic diagram of a padded packet header according to an embodiment of the present invention;
fig. 10b is a schematic diagram of the packet header after ECC computation is completed according to the embodiment of the present invention;
fig. 10c is a schematic diagram illustrating that the packet header and the encryption code stream after ECC computation are spliced together according to an embodiment of the present invention;
FIG. 10d is a diagram of a post-encapsulation encrypted stream according to an embodiment of the present invention;
fig. 11 is a schematic flow diagram of a method for implementing encryption and decryption of code streams configuring an FPGA in an FPGA chip according to an embodiment of the present invention;
FIG. 12 is a flowchart illustrating a process of decapsulating an encapsulated encrypted bitstream according to an embodiment of the present invention;
fig. 13 is a schematic flowchart of generating a second key according to an embodiment of the present invention;
fig. 14 is a schematic diagram of a key generation circuit for generating a second key by using a 16-bit key seed according to an embodiment of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Referring to fig. 1, a Programmable Gate Array (FPGA) is basically configured as an input/output (I/O) module 01, a logic element (logic element) module 02, a routing resource (routing) element module 03, and a configuration (configuration) block 04.
Referring to fig. 2, a schematic flow chart of loading a code stream generated by current user design to each basic unit module of the FPGA is shown. If the FPGA needs to work according to the user requirements, code streams generated by user design need to be loaded to each basic unit through a configuration module, code stream files loaded by the FPGA contain all the user designs, and the FPGA can work as long as the code stream files are loaded to FPGA chips of the same model.
Referring to fig. 3, a schematic flow chart of a method for implementing encryption and decryption of a code stream in current FPGA user design is shown; the current scheme of encrypting and decrypting the cipher stream is that a user gives a key for encryption, and an upper computer encrypts a plaintext code stream by using the key through an encryption algorithm to generate an encrypted cipher stream; and a decryption module is arranged in the FPGA chip, decryption is carried out according to a secret key given by a user, a plaintext code stream is restored in the FPGA chip after decryption, and then the FPGA is configured.
The decryption module is designed inside the FPGA chip, and the specific design block diagram is shown in fig. 4, when the code stream needs to be decrypted, the decryption module first reads the key stored inside the FPGA, and then decrypts the encrypted code stream according to the key.
The purpose of this application lies in:
1. by adding a simple algorithm in upper computer software and a method of adding a simple module in an FPGA chip, high-level code stream encryption and decryption are realized by using small EFUSE capacity, and the probability of code stream decryption failure caused by EFUSE production errors and programming abnormity is greatly reduced;
2. the encryption algorithm and the related information of the key are hidden in the configuration code stream, so that the design safety level of a user is improved.
In order to solve the above technical problem, as shown in fig. 5, an embodiment of the present application provides a system for implementing encryption and decryption of a code stream configured with an FPGA, which specifically includes: a first key generation module 06, a code stream encryption and encapsulation module 07 and an output module 08. The first key generation module 06, the code stream encryption and encapsulation module 07 and the output module 08 are loaded on the upper computer 05.
Further, the first key generation module 06 is configured to select a target encryption algorithm and generate a corresponding first key based on the pseudo random number according to the corresponding algorithm; the code stream encryption and encapsulation module 07 is used for encrypting a plaintext code stream by using the first key and encapsulating the encrypted code stream by using a target encryption algorithm number and a corresponding key seed; and the output module 08 is used for configuring the FPGA chip by using the packaged encryption code stream, and processing the encryption code stream by using a decryption circuit in the FPGA chip to obtain a plaintext code stream so as to complete FPGA configuration.
The embodiment of the present application provides a system for implementing encryption and decryption of a code stream configured with an FPGA, further comprising: the device comprises a receiving module 10, a decapsulation module 11, a second key generation module 12, a decryption module 13 and a configuration module 14. The receiving module 10, the decapsulation module 11, the second key generation module 12, the decryption module 13, and the configuration module 14 are loaded inside the FPGA chip 09.
Further, the receiving module 10 is configured to receive the packaged encrypted stream from the upper computer 05; the decapsulation module 11 is configured to decapsulate the encapsulated encrypted codestream, and extract a target encryption algorithm number and a corresponding key seed; the second key generation module 12 is configured to generate a second key corresponding to the target encryption algorithm by using the key seed; the key generation algorithms of the first key and the second key are the same; the decryption module 13 is configured to decrypt the decapsulated encrypted code stream with the second key to obtain a plaintext code stream; the configuration module 14 is configured to configure the FPGA by using the plaintext code stream.
Compared with the prior art, the encryption and decryption implementation method, system and device for configuring the FPGA code stream provided by the embodiment of the application have the advantages that the capacity of an original EFUSE secret key is reduced by using a simple pseudo-random number generation design, an EFUSE circuit with smaller capacity is adopted, the yield of chip generation is greatly improved, the EFUSE burning process time is shortened, and the EFUSE writing success probability is improved. Meanwhile, the EFUSE capacity is reduced, the chip area proportion occupied by the EFUSE is correspondingly reduced, the total area of the FPGA chip is also reduced, the output of the FPGA chip is correspondingly improved, and the FPGA generation cost is reduced. The method has the advantages that the confidentiality of the FPGA configuration code stream is effectively improved due to the steps of encryption algorithm selection, code stream scrambling, integrity check and the like in the generation process of the configuration code stream, and accordingly the safety of the FPGA design of a user is protected from being stolen.
Corresponding to the code stream encryption and decryption implementation system for configuring the FPGA, the embodiment of the invention also discloses a code stream encryption and decryption implementation method for configuring the FPGA. The method for implementing encryption and decryption of code stream configured with FPGA disclosed in the embodiments of the present invention is described in detail below with reference to the above-described system for implementing encryption and decryption of code stream configured with FPGA.
In an embodiment of the present invention, taking AES-256 encryption algorithm as an example, the following describes in detail specific steps of a method for implementing encryption and decryption of a code stream configuring an FPGA according to an embodiment of the present invention.
As shown in fig. 6, in the embodiment of the present invention, a specific execution step of a code stream encryption and decryption implementation method in FPGA user design on the upper computer 05 is described first.
Step S11: a target encryption algorithm is selected by the first key generation module 06 and a corresponding first key is generated autonomously based on the pseudo random number according to the corresponding algorithm.
Referring to fig. 7, the step S11 specifically includes: selecting a target encryption algorithm from a plurality of encryption algorithms; acquiring a target encryption algorithm number based on a preset encryption algorithm number mapping table; generating a corresponding key seed by a pseudo-random number generator according to a selected target encryption algorithm; determining the iteration preset times by combining the key required length of the selected encryption algorithm with the key seed length; shifting the key seed one bit to the left/right at each iteration to generate a different pseudo-random number than the previous one; and after all iterations are completed, splicing all pseudo random numbers according to a generation sequence, a reverse sequence or a disorder sequence to obtain the first secret key.
In the embodiment of the invention, the process of generating the encryption stream by a simple single encryption algorithm in the encryption flow of the upper computer 05 is changed into the process of supporting multiple encryption algorithms.
And for the selection link of the target encryption algorithm, generating key seeds of keys required by different encryption algorithms according to the selection algorithm. For example, the encryption algorithms are numbered according to table 2 below, and corresponding key seeds are correspondingly generated by the pseudo-random number generator according to the selected encryption algorithm.
Table 2: preset encryption algorithm number mapping table
Encryption algorithm name Encryption algorithm numbering Key seed
Triple DES(2keys) 00000 0xABCD
Triple DES(3keys) 00010 0xFACE007
AES-128 00100 0xBBDA
AES-192 01000 0x1A55
AES-256 10000 0xBEEF
As shown in Table 1, a 256-bit key is required to encrypt and decrypt the code stream in the FPGA user design by the AES-256 encryption algorithm.
In the first key generation and code stream encryption link, the key generation and code stream encryption work required by the encryption algorithm is completed according to the selected algorithm and the generated key seeds. The key generation algorithm of the first key is located on the upper computer 05, and the generated first key is used by a plaintext code stream encryption algorithm of the upper computer 05.
Taking the generation of a 256-bit first key as an example, as shown in fig. 8, 16-bit key seeds are used as a basis for generating the first key, the pseudo random number generator is used for repeatedly iterating 16 times, the seeds are shifted to the left/right by one bit for each iteration so as to generate a pseudo random number different from the previous time, and after all iterations are completed, 16-bit pseudo random numbers generated by 16 times are spliced according to a generation sequence or a generation reverse sequence to generate the 256-bit AES key. The method is provided for AES-256 algorithm encryption, and the original 256-bit key encryption can be realized only by 16-bit key seeds.
In the embodiment of the invention, a method for generating a large bit width encryption key by using a few bit width pseudo-random number generation seed is adopted, specifically, when a large bit width key iteration is generated, a seed shifting mode is used for ensuring that iteration results in each time are different, and finally, small bit width random numbers generated by iteration are spliced into the large bit width key.
Step S12: and encrypting the plaintext code stream by using a first key through the code stream encryption and packaging module 07.
Step S13: and the code stream encryption and packaging module 07 is used for packaging the encrypted code stream by using the target encryption algorithm number and the corresponding key seed.
The step S12 has completed the plaintext code stream encryption process, and the encrypted code stream is obtained. In order to make the hardware (FPGA chip) know what encryption algorithm is used and the need to transfer the key seed, the encrypted code stream needs to be encapsulated again.
Referring to fig. 9, the step S13 specifically includes: combining the target encryption algorithm number and the corresponding key seed according to the front and back order to generate an original packet header; the original packet header is completed according to the definition of the packet header length, and the generated packet header is completed, and the completed packet header is shown in fig. 10 a. Further, in order to ensure that the key seeds are not transmitted in the clear, data scrambling is performed on the supplemented packet headers in various manners, for example, data scrambling is performed on the supplemented packet headers in a manner of mutually negating 0,1; or counting the number of 0,1 in the data, compressing the items with more number, and scrambling the data of the filled packet header. Then, ECC (Error Correcting Code) calculation is performed on the scrambled data to obtain an ECC calculation result, and the ECC result is attached to the scrambled packet header, so that the packet header after ECC calculation is completed is shown in fig. 10 b. The packet header and the encrypted code stream after completing the ECC calculation are spliced together, and then the packet header and the encrypted code stream after completing the ECC calculation are spliced together as shown in fig. 10 c. Performing Cyclic Redundancy Check (CRC) calculation on the spliced code stream to obtain a CRC result, attaching the CRC result to the rear of the spliced code stream to complete packaging of the encrypted code stream, and encrypting the encrypted code stream after packaging as shown in fig. 10 d.
Step S14: the output module 08 configures the FPGA chip 09 by using the packaged encryption code stream, and the encryption code stream is processed by the decryption circuit in the FPGA chip 09 to obtain a plaintext code stream, thereby completing the FPGA configuration
As shown in fig. 11, in the embodiment of the present invention, a specific execution step of a method for implementing encryption and decryption of a code stream of an FPGA inside an FPGA chip 09 is described below.
Step S21: and decapsulating the encapsulated encryption code stream through a decapsulation module 11 to extract a target encryption algorithm number and a corresponding key seed.
In the embodiment of the present invention, the hardware decoding process inside the FPGA chip 09 and the upper computer encryption process are inverse processes, which specifically include: and finishing code stream CRC check, packet header ECC check, packet header descrambling, packet header extraction, key generation and corresponding decryption module selection.
Referring to fig. 12, in the embodiment of the present invention, the step S21 specifically includes: performing Cyclic Redundancy Check (CRC) on the received packaged encryption code stream, specifically comparing a CRC value with the received CRC value, and judging whether the CRC value is consistent with the received CRC value so as to ensure the integrity of code stream receiving; if the CRC fails, setting a CRC error, and stopping the subsequent flow. If the CRC is successfully checked, performing ECC (Error Correcting Code) check on the scrambled packet header according to the packet format to ensure that the packet header is complete; specifically, the ECC check algorithm may perform 1-bit error correction and 2-bit error reporting; and if the ECC calculation has errors exceeding 1bit, the ECC check fails, the ECC check errors are set, and the subsequent flow is stopped. If the ECC is successfully checked, descrambling the packet header to recover the original packet header information, wherein the process is a scrambling reverse operation; and extracting the target encryption algorithm number and the related fields of the corresponding key seeds according to a packet header construction mode.
Step S22: a second key corresponding to the target encryption algorithm is generated by the second key generation module 12 using the key seed.
Referring to fig. 13, the step S22 specifically includes: determining the iteration preset times of generating the key by using the key seed and the encryption algorithm as a basis; a shift register is adopted to generate random numbers, and the key seed is shifted to the left/right by one bit in each iteration so as to generate pseudo random numbers different from the previous time; and storing the pseudo-random number generated by each iteration by using another register, and splicing all the pseudo-random numbers according to a generation sequence, an inverse sequence or a disorder sequence after all iterations are completed to obtain the second key.
In the embodiment of the present invention, the second key generation module 12 adopts a pseudo random number algorithm consistent with the software (the first key generation module 06) to ensure that the random numbers generated by the two modules are consistent. Referring to fig. 14, in the second key generation module 12, a 16-bit shift register may be used to generate a random number, where g0 to g15 in fig. 14 represent key seeds of a user, each iteration is to shift the values of g0 to g15 by one bit to the left or right, the key generated each time is stored by using another register, and all the results are spliced and output in sequence or reverse order after 16 iterations.
In the embodiment of the invention, a method for generating a large-bit-width encryption key by using a less-bit-width pseudo-random number generation seed is adopted, specifically, when a large-bit-width key is generated for iteration, a seed shifting mode is utilized to ensure that iteration results are different every time, and finally, small-bit-width random numbers generated by iteration are spliced into the large-bit-width key.
Step S23: the decryption module 13 decrypts the decapsulated encrypted code stream by using the second key to obtain a plaintext code stream, so as to configure the FPGA by using the plaintext code stream through the configuration module 14.
Compared with the prior art, the encryption and decryption implementation method, system and equipment for configuring the FPGA code stream provided by the embodiment of the application have the advantages that the capacity of an original EFUSE secret key is reduced by using a simple pseudo-random number generation design, an EFUSE circuit with smaller capacity is adopted, the yield of chip generation is greatly improved, the EFUSE burning process time is shortened, and the success probability of EFUSE writing is improved. Meanwhile, due to the fact that the EFUSE capacity is reduced, the proportion of the EFUSE occupied by the chip area is correspondingly reduced, the total area of the FPGA chip is also reduced, the output of the FPGA chip is correspondingly improved, and the FPGA generation cost is reduced. The configuration code stream has the steps of encryption algorithm selection, code stream scrambling, integrity verification and the like in the generation process, so that the confidentiality of the FPGA configuration code stream is effectively improved, and the security of the FPGA design of a user is protected from being stolen.
In the embodiment of the application, the encryption and the descrambling of the packet header avoid plaintext transmission of encrypted and decrypted key seeds, after the encryption algorithm information and the key seeds are recovered in hardware, the key information can be selectively written into EFUSE, and after the key information is written into EFUSE, an upper computer can directly send a ciphered stream to the hardware without a step of recoding the encrypted stream, so that the hardware configuration time is shortened; and different encryption algorithms can be selected to be used for each loading in a code stream packaging mode.
In addition, an embodiment of the present invention further provides a device for implementing encryption and decryption of a code stream configured with an FPGA, where the device includes: a processor and a memory; the memory is to store one or more program instructions; the processor is configured to run one or more program instructions to execute the steps of the method for implementing encryption and decryption of a code stream for configuring an FPGA as described in any one of the above.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the method for implementing encryption and decryption of a code stream configuring an FPGA is implemented according to any one of the above steps.
In an embodiment of the invention, the processor may be an integrated circuit chip having signal processing capability. The Processor may be a general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete Gate or transistor logic device, discrete hardware component.
The various methods, steps, and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The processor reads the information in the storage medium and completes the steps of the method in combination with the hardware.
The storage medium may be a memory, for example, which may be volatile memory or nonvolatile memory, or which may include both volatile and nonvolatile memory.
The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory.
The volatile Memory may be a Random Access Memory (RAM) which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), SLDRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in connection with the embodiments of the invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that the functionality described in the present invention may be implemented in a combination of hardware and software in one or more of the examples described above. When software is applied, the corresponding functionality may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, it is intended that all such modifications and alterations be included within the scope of this invention as defined in the appended claims.

Claims (10)

1. An encryption and decryption implementation method for configuring an FPGA code stream is characterized by comprising the following steps executed on an upper computer:
selecting a target encryption algorithm and generating a corresponding first key based on a pseudo-random number according to a corresponding algorithm;
encrypting the plaintext code stream by using the first key, and packaging the encrypted code stream by using the target encryption algorithm number and the corresponding key seed;
and configuring the FPGA chip by using the packaged encryption code stream, and processing the encryption code stream by using a decryption circuit in the FPGA chip to obtain a plaintext code stream so as to complete the FPGA configuration.
2. The encryption and decryption implementation method for configuring the FPGA code stream according to claim 1, wherein the selecting of the target encryption algorithm and the self-generation of the corresponding first key based on the pseudo random number according to the corresponding algorithm comprises:
selecting a target encryption algorithm from a plurality of encryption algorithms;
acquiring a target encryption algorithm number based on a preset encryption algorithm number mapping table;
generating a corresponding key seed by a pseudo-random number generator according to a selected target encryption algorithm;
determining the iteration preset times by combining the key required length of the selected encryption algorithm with the key seed length;
shifting the key seed one bit to the left/right at each iteration to generate a different pseudo-random number than the previous one;
and after all iterations are completed, splicing all pseudo random numbers according to a generation sequence, a reverse sequence or a disorder sequence to obtain the first secret key.
3. The method for implementing encryption and decryption of the code stream configuring the FPGA of claim 2, wherein the step of encapsulating the encrypted code stream by using the target encryption algorithm number and the corresponding key seed comprises the steps of:
combining the target encryption algorithm number and the corresponding key seed according to a front-back sequence to generate an original packet header;
the original packet header is completely supplemented according to the packet header length definition, and the generation of the packet header is completed;
carrying out data scrambling on the supplemented packet headers;
performing ECC calculation on the scrambled data to obtain an ECC calculation result, and attaching the ECC result to the back of the scrambled packet header;
splicing the packet header and the encryption code stream after ECC calculation is finished;
and performing CRC calculation on the spliced code stream to obtain a CRC result, and attaching the CRC result to the back of the spliced code stream to finish packaging the encrypted code stream.
4. The method for implementing encryption and decryption of code stream for configuring FPGA of claim 3, wherein the data scrambling of the padded packet header comprises:
performing data scrambling on the filled packet headers by adopting a mode of mutually negating 0, 1; or
And counting 0,1 number in the data, compressing the items with more numbers, and scrambling the data of the aligned packet headers.
5. The method for implementing encryption and decryption of code stream for configuring FPGA according to any one of claims 1 to 4, wherein the method further comprises the following steps executed inside the FPGA chip:
decapsulating the encapsulated encryption code stream, and extracting the target encryption algorithm number and a corresponding key seed;
generating a second key corresponding to the target encryption algorithm by using the key seed; wherein the key generation algorithms of the first key and the second key are the same;
and decrypting the decapsulated encryption code stream by using the second key to obtain a plaintext code stream, so as to configure the FPGA by using the plaintext code stream.
6. The method for implementing encryption and decryption of code stream configured with FPGA of claim 5, wherein decapsulating the encapsulated encrypted code stream to extract the target encryption algorithm number and the corresponding key seed comprises:
performing CRC on the received packaged encryption code stream;
if the CRC fails, setting a CRC error, and stopping the subsequent flow;
if CRC check succeeds, ECC check is carried out on the scrambled packet header according to the packet format;
if the ECC check fails, setting an ECC check error, and stopping the subsequent flow;
if the ECC is successfully checked, descrambling the packet header to recover the original packet header information;
and extracting the target encryption algorithm number and the related fields of the corresponding key seeds according to a packet header establishing mode.
7. The method for implementing encryption and decryption of code stream for configuring FPGA of claim 6, wherein the step of generating the second key corresponding to the target encryption algorithm by using the key seed comprises:
determining the iteration preset times of generating the key by using the key seed and the encryption algorithm as a basis;
generating the random number by adopting a shift register, and shifting the key seed to the left/right by one bit in each iteration so as to generate a pseudo-random number different from the previous time;
the pseudo-random number generated each iteration is stored using a further register,
and after all iterations are completed, splicing all pseudo-random numbers according to a generation sequence, an inverse sequence or a disorder sequence to obtain the second secret key.
8. A code stream encryption and decryption implementation system for configuring an FPGA is characterized by comprising:
the first key generation module is used for selecting a target encryption algorithm and generating a corresponding first key based on a pseudo-random number according to a corresponding algorithm;
the code stream encryption and encapsulation module is used for encrypting the plaintext code stream by using the first secret key and encapsulating the encrypted code stream by using the target encryption algorithm number and the corresponding secret key seed;
the output module is used for configuring the FPGA chip by using the packaged encryption code stream, and processing the encryption code stream by a decryption circuit in the FPGA chip to obtain a plaintext code stream so as to complete FPGA configuration;
the first key generation module, the code stream encryption and encapsulation module and the output module are loaded on the upper computer.
9. The system for implementing encryption and decryption of code streams configuring an FPGA of claim 8, wherein said system further comprises:
the receiving module is used for receiving the packaged encryption code stream from the upper computer;
the decapsulation module is used for decapsulating the encapsulated encryption code stream and extracting the target encryption algorithm number and the corresponding key seed;
the second key generation module is used for generating a second key corresponding to the target encryption algorithm by using the key seed; wherein the key generation algorithms of the first key and the second key are the same;
the decryption module is used for decrypting the decapsulated encrypted code stream by using the second secret key to obtain a plaintext code stream;
the configuration module is used for configuring the FPGA by utilizing the plaintext code stream;
the receiving module, the decapsulation module, the second key generation module, the decryption module, and the configuration module are loaded inside the FPGA chip.
10. A code stream encryption and decryption implementation device for configuring an FPGA is characterized by comprising: a processor and a memory;
the memory is to store one or more program instructions;
the processor is used for executing one or more program instructions to execute the steps of the code stream encryption and decryption implementation method for configuring the FPGA according to any one of claims 1 to 7.
CN202210940011.2A 2022-08-05 2022-08-05 Code stream encryption and decryption implementation method, system and equipment for configuring FPGA Pending CN115378595A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210940011.2A CN115378595A (en) 2022-08-05 2022-08-05 Code stream encryption and decryption implementation method, system and equipment for configuring FPGA

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210940011.2A CN115378595A (en) 2022-08-05 2022-08-05 Code stream encryption and decryption implementation method, system and equipment for configuring FPGA

Publications (1)

Publication Number Publication Date
CN115378595A true CN115378595A (en) 2022-11-22

Family

ID=84063409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210940011.2A Pending CN115378595A (en) 2022-08-05 2022-08-05 Code stream encryption and decryption implementation method, system and equipment for configuring FPGA

Country Status (1)

Country Link
CN (1) CN115378595A (en)

Similar Documents

Publication Publication Date Title
EP2491510B1 (en) Distribution system and method for distributing digital information
US8750503B1 (en) FPGA configuration bitstream encryption using modified key
US10176121B2 (en) Apparatus and method for memory address encryption
US20080084996A1 (en) Authenticated encryption method and apparatus
US9843440B2 (en) Encryptor/decryptor, electronic device including encryptor/decryptor, and method of operating encryptor/decryptor
EP2506488A2 (en) Secure dynamic on-chip key programming
EP3577642B1 (en) Methods and devices for protecting data
US10491374B2 (en) Apparatus and method for encryption
JP2011010291A (en) Generating session key for authentication and secure data transfer
JP4758904B2 (en) Confidential information processing method
US20230386541A1 (en) Puf applications in memories
US9729319B2 (en) Key management for on-the-fly hardware decryption within integrated circuits
US11264063B2 (en) Memory device having security command decoder and security logic circuitry performing encryption/decryption commands from a requesting host
CN114117490A (en) Method, system and equipment for encrypting pitorch model based on AES algorithm
US9602281B2 (en) Parallelizable cipher construction
US8681996B2 (en) Asymmetric key wrapping using a symmetric cipher
US20050138403A1 (en) Data encryption in a symmetric multiprocessor electronic apparatus
CN109923829A (en) Reach an agreement to secret value
KR101687492B1 (en) Storing method of data dispersively and credential processing unit
CN115378595A (en) Code stream encryption and decryption implementation method, system and equipment for configuring FPGA
CN116628776A (en) Memory device and method for reading memory array information of memory chip
JP2019122046A (en) Entanglement and recall system using physically unclonable function technology
TW201243731A (en) Authenticator, authenticatee and authentication method
US7978850B2 (en) Manufacturing embedded unique keys using a built in random number generator
US11960769B2 (en) High performance secure read in secure memory providing a continuous output of encrypted information and specific context

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination