CN109391633B

CN109391633B - Safe IP distribution method

Info

Publication number: CN109391633B
Application number: CN201811522377.8A
Authority: CN
Inventors: 聂廷远; 范博; 周立俭
Original assignee: Qingdao University of Technology
Current assignee: Qingdao University of Technology
Priority date: 2018-12-13
Filing date: 2018-12-13
Publication date: 2021-06-01
Anticipated expiration: 2038-12-13
Also published as: CN109391633A

Abstract

The invention provides a safe IP distribution method in combination with a digital fingerprint technology. The technical scheme comprises three parts of IP module segmentation, IP module protection and IP module assembly. The IP block division part includes: and analyzing the IP design, dividing the IP into a module suitable for protection and a module not suitable for protection according to the sensitivity of the module, the scale of the module and the like, logging in an IP database, and completing the IP module segmentation. The IP module protection part comprises: and randomly selecting a proxy server according to a user request, generating a copyright information text according to the copyright information of the IP owner and the server identification information, encrypting the copyright information text by using a private key of the user to obtain a digital fingerprint, and embedding the digital fingerprint into the protection-suitable module to finish the protection of the IP module. The IP module assembling and distributing section includes: and extracting the improper protection module in the IP design from the IP database, assembling the improper protection module with the proper protection module subjected to fingerprint protection according to the original sequence, distributing to a request user, and registering into the IP database.

Description

Safe IP distribution method

Technical Field

G06F 21/24; the invention belongs to the technical field of IP protection of an IP core integrated circuit, and relates to a distribution strategy and a device after module protection of an IP core.

Background

In the past decades, the high integration of very large scale integrated circuits (VLSI) has placed new demands on chip design, and system on chip (SoC) design, as a new and efficient design method for VLSI, has solved many problems in integrated circuit design. Ip (intellectual property) design multiplexing plays a critical role in SoC design, but also exposes significant risks.

The theft of IP violates the interests of IP owners and IP users, threatens IP security, and hinders the healthy development of the integrated circuit industry. In order to solve the IP security problem, IP protection technology is a challenging issue, and aims to protect products of an IP provider from illegal use of IP, and to detect and track authorized use of IP.

Over the years, technological innovations have made integrated circuit IP increasingly better in terms of hard, soft, and hard cores. At the same time, the goal of IP protection is expanded with the emergence of various emerging types of IP violations. These IP attacks IP reconstruction, counterfeiting, reverse engineering, etc., and the tools for IP piracy are becoming more powerful. The advent of new nanomaterials, design and fabrication technologies has helped to address these IP pirates.

Common deterrent means include patent rights, copyrights, contracts, trademarks, and the like. They do not directly prevent or provide direct protection of IP piracy, rather than deter abuse of IPs, but validation of IP infringement would expose the pirate to litigation and severe penalties.

IP protection mechanisms prevent unauthorized access to the IP using means such as encryption, license agreements, dedicated hardware, or chemistry.

A number of IP protection techniques and standards, such as tagging, digital watermarking, fingerprinting, etc., have emerged at various levels of VLSI design. Tag technologies such as puf (physical Unclonable function) detect the presence of a tag by setting the "tag" in an IP core and by a "detector". Digital watermarking techniques permanently store designer information into the design for IP protection purposes. Digital fingerprinting provides each user with a different copy while IP protection is in progress.

However, IP protection mechanisms and IP protection techniques alone are far from adequate because IP may be resold during distribution by some dishonest vendor or user illicit copies. Therefore, the combination of the IP protection technology and the distribution of the IP design can further ensure the safety of the IP.

The inventionAndnumber ofFinger printTechnique ofIn combination, a secure IP distribution method is provided on the basis of IP module segmentation, IP module protection and IP module assembly.

Disclosure of Invention

The invention aims to provide a safe IP distribution method based on IP fingerprint protection.

The IP distribution method object of the invention is any form of IP core, including IP hard core, soft core and fixed core, and the expression form can be HDL text, circuit netlist, physical layout and the like. The IP is partitioned into protectable and unprotectable modules based on the sensitivity of the module and the size of the module. And randomly selecting a proxy server according to a user request, generating a copyright information text according to the copyright information of the IP owner and the server identification information, encrypting the copyright information text by using a private key of the user to obtain a digital fingerprint, and embedding the digital fingerprint into the protection-suitable module to finish the protection of the IP module. And after the fingerprint-protected proper protection module and the fingerprint-protected improper protection module are assembled in the original sequence, the fingerprint-protected proper protection module and the fingerprint-protected improper protection module are distributed to a requesting user and are registered into an IP database, and the fingerprint protection and distribution of the IP are completed.

The invention relates to a safe IP distribution method, which comprises the following steps:

-IP block splitting, comprising in particular the steps of:

(1) based on the number of connecting lines among all components in the IP design, combining the components larger than a certain threshold value into a module, and dividing the IP into a plurality of modules;

(2) and analyzing each module, and dividing the IP into a module suitable for protection and a module not suitable for protection according to the sensitivity of the module and the scale of the module. The fingerprint embedding is easy to cause modules with larger performance reduction, and the modules with less unit number are divided into modules which are not suitable for protection;

(3) according to the sequence of the modules appearing in the IP, marking the modules as a module m suitable for protection, namely module 1 …, and a module n not suitable for protection, namely module 1 …;

(4) registering information into an IP database to complete IP module segmentation;

-IP block protection, comprising in particular the steps of:

(1) according to a user request, randomly selecting a proxy server, and reading a unique identification information MAC address of the proxy server;

(2) combining copyright information provided by an IP owner and server identification information to generate a copyright information text, and obtaining hash (hash) information through a password hash function MD5 algorithm;

(3) encrypting the hash information by using a private key of a user by using an RC4 algorithm to obtain a digital fingerprint;

(4) decomposing the digital fingerprint into a plurality of constraints, randomly selecting a module to embed the constraints until the fingerprint is completely embedded, and finishing IP module protection;

(5) registering the information into an IP database to complete the protection of the IP module;

-IP module assembly and distribution, comprising in particular the steps of:

(1) extracting registered improper protection module 1 … improper protection module n from the IP database;

(2) assembling the protection module m and the protection module 1 … m which is subjected to fingerprint protection according to the original sequence to generate an IP design for fingerprint protection;

(3) the IP design is distributed to the requesting user and registered into an IP database.

Compared with the close background technology, the IP distribution method has the following advantages:

(1) has transparency. The invention can be applied to integrated circuit IP in any form, and IP expression forms can be HDL texts, circuit netlists, physical layouts and the like. The fingerprint protection method can be used for performing fingerprint protection on all kinds of IP under different design methods and different processes, and has universality.

(2) The invention divides the IP into the protection-eligible module and the protection-ineligible module, and carries out fingerprint embedding on the protection-eligible module, thereby effectively reducing the fingerprint protection overhead.

(3) The invention randomly selects the proxy server according to the user request, and generates the fingerprint by using the unique identification information MAC address of the proxy server, thereby enhancing the security.

(4) The copyright information used by the invention is sourced from the user and the random server, and the digital fingerprint is generated by various encryption algorithms, thereby improving the safety of the system.

Drawings

The drawings in the present specification are provided for illustration purposes only and do not limit the contents of the invention in any way, wherein:

FIG. 1 is a schematic diagram illustrating the distribution mechanism of IP design in the present invention;

FIG. 2 shows a schematic diagram of IP block partitioning in the present invention;

FIG. 3 is a schematic diagram illustrating a proxy server selection mechanism in the present invention;

FIG. 4 is a schematic diagram illustrating IP protected fingerprint generation in the present invention;

FIG. 5 is a schematic diagram illustrating IP block protection in the present invention;

FIG. 6 is a schematic diagram illustrating IP module assembly and distribution in the present invention;

Detailed Description

The invention provides a safe IP distribution method, and IP design is divided into a protective module and an unprotective module in advance according to the sensitivity of the module and the scale of the module. According to the IP using request of the user, a proxy server is randomly selected, a copyright information text is generated according to the copyright information of the IP owner and the server identification information, a digital fingerprint is obtained after the encryption of a private key of the user, and the digital fingerprint is embedded into a proper protection module to complete the protection of the IP module. And after the fingerprint-protected proper protection module and the fingerprint-protected improper protection module are assembled in the original sequence, the fingerprint-protected proper protection module and the fingerprint-protected improper protection module are distributed to the requesting user. The IP provider in the present invention refers to a related enterprise, group and individual who possess IP property rights. An IP user refers to any user who purchases to use IP.

Another premise of implementing IP protection in the present invention is that a trusted third party authority must be present, which is responsible for storing and recording the related content generated during IP distribution, including IP design data, IP copyright information, encryption keys, IP fingerprints and other related information. The third party is responsible for receiving IP user requests, distributing proxy servers, IP fingerprint protection, IP distribution and the like.

The invention can be applied to any form of integrated circuit IP and has universality. And only the proper protection module in the IP is subjected to fingerprint embedding, so that the fingerprint protection overhead is effectively reduced. The use of a random selection proxy server and multiple encryption algorithms improves the security of the system.

The following describes embodiments of the present invention in detail with reference to the accompanying drawings.

Fig. 1 shows a schematic diagram of a distribution operation mechanism of the IP design according to the present invention.

(1) An IP designer or owner provides a verified IP design, and may provide IP cores in the form of HDL text, circuit netlists, physical layouts, etc., including IP hardcores, softcores, and hardcores.

(2) And (4) IP module segmentation, namely dividing each module in the IP into a protection-eligible module and a protection-ineligible module according to the characteristics of each module in the IP, and completing module identification. Fig. 2 shows a schematic diagram of IP block partitioning in the present invention. The method comprises the following specific steps:

IP is divided into several modules based on how close each unit is in the IP design. And clustering according to the number of the connecting lines among the units, wherein if the number of the connecting lines exceeds a certain number, a plurality of units meeting the conditions can be clustered into a module.

Analyzing each module by using an EDA tool, and dividing the IP into a module suitable for protection and a module not suitable for protection according to the sensitivity of the module and the scale of the module. The module in which fingerprint embedding is liable to cause a large performance degradation may be defined as a sensitive module, and the module in which fingerprint embedding is difficult together with the small number of units is divided into modules that are not suitable for protection.

Thirdly, according to the module types and the sequence of the modules in the IP, the modules are classified and marked as a module m which is suitable for protection by a module 1 … and a module n which is not suitable for protection by a module 1 ….

Fourthly, the information is registered into an IP database to finish the IP module segmentation.

(3) And randomly selecting the proxy server according to the user request. Fig. 3 shows a schematic diagram of the proxy server selection mechanism in the present invention. The method comprises the following specific steps:

the third party organization sets a random number seed according to the request information of the IP user, and generates a random number r in the range of [1.. K ], wherein K is the number of all proxy servers.

And selecting a proxy server with the number r, and reading the unique identification information MAC address of the proxy server.

Thirdly, the information is registered in an IP database to complete the selection of the proxy server.

(4) IP block protection, fig. 5 shows a schematic diagram of IP block protection in the present invention. The method comprises the following specific steps:

first, the personal digital fingerprint F is completed_iFig. 4 shows a schematic diagram of the generation of IP protected fingerprints in the present invention.

Combining copyright information provided by an IP owner and a server identification information MAC address to generate a copyright information text.

Obtaining the abstract of the copyright information through a password hash function MD5 algorithm: hash (hash) information.

Utilizing private key K of user_iThe hash information is encrypted by using an RC4 algorithm to obtain a digital fingerprint F_iIt will be used to protect the IP design applied by the user.

Second, the digital fingerprint is broken down into several constraints. The digital fingerprint is described by a binary sequence, the binary number of a certain digit can be converted into a decimal number, and the constraint type is determined according to the decimal number. E.g., 001 for constraint type 1, 002 for constraint type 2, etc.

And then sequentially extracting constraints, randomly selecting an appropriate protection module, and selecting and utilizing the existing fingerprint technology to implement the fingerprint protection of the IP aiming at different IP types. If the current module can embed the constraint, the embedding of the constraint is completed. Otherwise, the next module is randomly selected to be embedded into the constraint.

And repeating the process until all the constraints contained in the fingerprint are completely embedded, and finishing the protection of the IP module.

Finally, the relevant information generated in the process is registered in an IP database to complete the protection of the IP module.

(5) IP module assembly and distribution, fig. 6 shows a schematic diagram of IP module assembly and distribution in the present invention. The method comprises the following specific steps:

extracting the registered improper protection module 1 … improper protection module n in the IP from the IP database.

And secondly, assembling the protection module m with the protection module 1 … which is subjected to fingerprint protection in the IP according to the original sequence to generate the IP design of fingerprint protection.

And thirdly, returning the IP design to the proxy server r.

And the proxy server r is responsible for distributing the IP design to the requesting user and registering the IP design into the IP database.

Claims

1. A secure IP distribution method, characterized by: finishing the fingerprint protection and distribution of IP design, comprising the following steps:

-IP block splitting, comprising in particular the steps of:

(2) analyzing each module, dividing the IP into a module which is suitable for protection and a module which is not suitable for protection according to the sensitivity of the module and the scale of the module, and dividing the module which is easy to cause larger performance reduction and the module with less unit number into the module which is not suitable for protection by fingerprint embedding;

-IP block protection, comprising in particular the steps of:

(5) registering the information into an IP database to complete the protection of the IP module; -IP module assembly and distribution, comprising in particular the steps of: