Implementation of Authentication Algorithms for FPGA Bit Stream Security

Milind M. Parelkar
Introduction:
Concerns over FPGA security have prompted FPGA vendors to introduce security
features like bitstream encryption into their FPGAs. For example, the Virtex II Pro family
manufactured by Xilinx has Triple-DES security embedded on the chip [6]. There are
some apprehensions as to whether only encryption of the FPGA bitstream without
bitstream authentication is sufficient to safeguard the design as well as the FPGA itself.
Bitstream encryption serves the purpose of safeguarding IP from an intruder so that your
design cannot be reverse-engineered easily. It still doesn’t prevent an attacker from
putting some gibberish bitstream on to a remotely reconfigurable FPGA which might
potentially destroy the FPGA [7]. Hence, bitstream authentication is an equally important
aspect of FPGA security as bitstream encryption.

Algorithms to be implemented and/or extended:

The scope of the project is to implement bitstream authentication using HMACs with
Secure Hash Algorithms. Since, the authentication engine will be a part of the FPGA
fabric, the HDL codes need to be optimized for an ASIC implementation rather than an
FPGA implementation. The algorithms under consideration at this point are:
1. HMAC SHA-1
2. HMAC SHA-256
3. HMAC SHA-384
4. HMAC SHA-512
Some other authentication algorithms may be studied if time permits. In case of some
algorithms mentioned above, already existing codes for FPGA implementations will be
used. The main objective is to optimize these codes for an ASIC implementation and
extend them so that they have a common standard interface. In case of any problems with
previous FPGA implementations of these algorithms, these algorithms will be
implemented from scratch.

Block Diagrams and Signal Descriptions:

Block diagrams for all the algorithms to be implemented are provided in the
specification. Along with the block diagram, a table indicating the functionality of the
signals is also provided. The interfaces closely resemble commercially available IP
Cores. Please note that the Block Diagram for SHA-384 is not provided because it is
exactly similar to SHA-512 except for the size of the message digest. The length of the
message digest for SHA-384 is 384 bits[5].
The top-level view for HMAC is shown in the diagram below.

mi
Message Data In
mo
Last Data Bit Index b MAC

Data Available
Data Read MAC Valid
Key Available
Key Read HMAC
k
Key Core
Start Data Data Write
End Data
Start Key
FIFO Full
End Key
Start
Reset
Clock

Pin Functions:
Signal Name Mode Port Function
Width
(Bits)
Message Data In IN mi Message data is input to the Core through
this port. Data is input as mi -bit blocks when
the DATA READ signal is asserted. After
the entire block of data (512 bits for SHA-1,
SHA-256 and 1024 bits for SHA-384, SHA-
512) is accepted by the core, DATA READ
is de-asserted and no Input Data is accepted
till DATA READ is asserted again.
Last Data Bit Index IN b The index of the last data bit in the last mi -
bit word should be input through this port.
This is used for message padding and
calculation of the length of the message.
b=log2(mi)
Data Available IN 1 Handshaking signal from the FIFO indicating
that Data is available for input to the core.
Data Read OUT 1 Control signal to the input FIFO in order to
read the available data word.
Key Available IN 1 Handshaking signal from the FIFO indicating
that Key is available for input to the core.
Key Read OUT 1 Control signal to the input key FIFO in order
to read the available word of key.
Key IN k The key for the MAC is input in terms of
words k-bit wide.
Start Data IN 1 A pulse on this signal indicates the beginning
 of new message text to be hashed.
End Data IN 1 A pulse on this signal indicates the end of the
current message text to be hashed.
Start Key IN 1 A pulse on this signal indicates the beginning
of key being used for calculating MAC.
End Key IN 1 A pulse on this signal indicates the end of
key being used for calculating MAC.
Start IN 1 This signal indicates start of a MAC
calculation operation for a new message.
Reset IN 1 Master Reset
Clock IN 1 Master Clock
MAC OUT mo MAC is available on this port when the MAC
VALID signal is asserted. The length of the
MAC will be variable depending upon the
algorithm.
MAC Valid OUT 1 Indicates MAC is valid when asserted.
Data Write OUT 1 Control signal to the output FIFO in order to
write the available MAC output.
FIFO Full IN 1 Indicated that FIFO is full and cannot accept
any more data

The top-level entity shown above will be the common interface for all hash functions.
The length of the MAC output will be decided by the hash function used. According to
[8], the length of the MAC should be at least L/2, where L is the length of the hash output
generated by the hash function.

Circuit Operation:
All the SHA functions included in the specification of this project have similar hardware
architectures. The basic concept of all the Hash Functions is the same. All these Hash
functions process an input of arbitrary length and compress it down to a message digest
of fixed length[1,2]. HMACs provide a security feature by virtue of a secret key.

The basic architecture of these functions can be divided into 2 modules.

1. Message Scheduler
2. Message Digest Unit

The Message Scheduler Unit accepts an input message block and processes it to produce
a message word per clock cycle. The Message Digest Unit accepts the output of the
Message Scheduler and along with other constants and some arithmetic and logical
operations produces a Message Digest after n iterative rounds. The value of n depends
upon the algorithm. n=80 for SHA-1, SHA-512 and SHA-384, whereas n=64 for SHA-
256.
Language and Tools
Language: VHDL
Tools:
• Simulator: Aldec Active-HDL v6.2, ModelSim
• Synopsis Design Compiler and related tools
• FPGA Synthesis Tools: Synplicity Synplify Pro v7.6.2, Xilinx XST v6.3
• FPGA Implementation Tools: Xilinx ISE v6.3

Testing
VHDL testbench will be used to test the operation of the circuit. Test vectors provided in
the specification for the HMACs in the NIST standard will be used to test the
functionality of the circuit[5,8].

Optimization Criteria:
The optimization criterion for implementation of bitstream authentication algorithms will
be minimum area. As mentioned earlier, the authentication core will be a part of the
FPGA fabric and hence it is fair enough that the added functionality should not lead to a
large area overhead. An area overhead ultimately results in an increase in the cost of the
chip.

Possible changes in the Specification:

1. The most likely change in the provided specification would be an addition of some
extra control signals to the top-level entities described earlier.
2. Also, the method of providing input data could be modified depending upon the study
of already existing codes.
References:
1. Applied Cryptography – Protocols, Algorithms and Source Codes in C, Bruce
Schneier, John Wiley and Sons, pp. 429 – One Way Hash Functions
2. Cryptography and Network Security: Principles and Practice, 3rd ed., William
Stallings, Prentice Hall, pp. 311 – Message Authentication and Hash Functions
3. T. Grembowski, R. Lien, K. Gaj, N. Nguyen, P. Bellows, J. Flidr,
T. Lehman, B. Schott, "Comparative Analysis of the Hardware Implementations
of Hash Functions SHA-1 and SHA-512" Proc. Information Security Conference,
Sao Paulo, Brazil
4. FPGA implementation of SHA-1 Secure Hash standard, Roar Lien – Master’s
Thesis, GMU
5. FIPS 180-2 Secure Hash Standard – Specifications of SHA functions and source
of test vectors - http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
6. Is Your FPGA Design Secure? – XCell Journal Online -
http://www.xilinx.com/publications/xcellonline/xcell_47/xc_secure47.htm
7. FPGA Viruses - Ilija Hadzic, Sanjay Udani and Jonathan M Smith - Distributed
Systems Laboratory, University of Pennsylvania -
www.cis.upenn.edu/~boosters/fpgavirus.ps
8. FIPS 198, The Keyed-Hash Message Authentication Code (HMAC) Standard,
Crypto ToolKit, http://csrc.nist.gov/CryptoToolkit/tkmsgauth.html