Cryptography on FPGAs: State of the Art Implementations and Attacks · 7
3.2 Black Box Attack
The classical method to reverse engineer a chip is the so-called Black Box attack.
The attacker inputs all possible combinations, while saving the corresponding
outputs. The intruder is then able to extract the inner logic of the FPGA, with the
help of the Karnaugh map or algorithms that simplify the resulting tables. This
attack is only feasible if a small FPGA with explicit inputs and outputs is attacked
and a lot of processor power is available. The reverse engineering effort grows, and
the attack becomes less feasible, as the size and complexity of the FPGA increase.
Furthermore, the cost of the attack rises with the usage of state machines, LFSRs
(Linear Feedback Shift Registers), integrated storage, and, if pins can be used,
input and output [Dipert 2000].
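Added example (not from the paper): a Python sketch of the table-building step on two constructed 4-input devices, showing why the paragraph above says that state such as an LFSR raises the cost of the attack. The device logic, the LFSR taps and the seed are assumptions chosen for illustration.

```python
from itertools import product

def combinational(bits):
    """Constructed 4-input device: the output depends on the current inputs only."""
    a, b, c, d = bits
    return (a & b) | (c ^ d)

class LfsrMasked:
    """Same logic, but the output is XORed with one bit of a 4-bit LFSR
    that advances on every query (hidden internal state)."""
    def __init__(self, seed=0b1001):
        self.state = seed

    def __call__(self, bits):
        out = combinational(bits) ^ (self.state & 1)
        # Right-shifting Fibonacci LFSR, taps on bits 0 and 1, period 15.
        feedback = (self.state ^ (self.state >> 1)) & 1
        self.state = (self.state >> 1) | (feedback << 3)
        return out

def tabulate(device, n_inputs, passes=3):
    """Apply every input combination `passes` times and record, per input,
    the set of outputs that were observed."""
    table = {}
    for _ in range(passes):
        for bits in product((0, 1), repeat=n_inputs):
            table.setdefault(bits, set()).add(device(bits))
    return table

def is_truth_table(table):
    """True when each input produced exactly one output, i.e. a plain
    input/output table fully describes the device."""
    return all(len(outputs) == 1 for outputs in table.values())

def ambiguous_inputs(table):
    """Number of inputs that produced more than one output."""
    return sum(1 for outputs in table.values() if len(outputs) > 1)

def rows_needed(n_inputs):
    """Table size for a purely combinational device with n_inputs pins."""
    return 2 ** n_inputs

if __name__ == "__main__":
    plain = tabulate(combinational, 4)
    masked = tabulate(LfsrMasked(), 4)
    print("combinational consistent:", is_truth_table(plain))
    print("LFSR-masked consistent:  ", is_truth_table(masked),
          "- ambiguous inputs:", ambiguous_inputs(masked))
    print("rows for 4 / 64 inputs:", rows_needed(4), "/", rows_needed(64))
```

For the stateful device the same input yields different outputs on different passes, so a table indexed by inputs alone no longer describes it; the observer would have to account for input sequences and internal state as well.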
3.3 Readback Attack
Readback is a feature that is provided for most FPGA families. This feature allows
a configuration to be read out of the FPGA for easy debugging. An overview of the
attack is given in [Dipert 2000]. The idea of the attack is to read the configuration
of the FPGA through the JTAG or programming interface in order to obtain secret
information (e.g., keys or a proprietary algorithm). The readback functionality can
be prevented with a security bit. In some FPGA families, more than one bit is used
to disable different features, e.g., the JTAG boundary. In [Aplan et al. 1999], the
idea of using a security antifuse to prevent readout of information is patented.
However, it is conceivable that an attacker can overcome these countermeasures
in FPGAs with fault injection. This kind of attack was first introduced in [Boneh
et al. 1997]. The authors showed how to break public-key algorithms, such as the
RSA and Rabin signature schemes, by exploiting hardware faults. Furthermore,
they give a high-level description of transient faults, latent faults, and induced
faults. This publication was followed by [Biham and Shamir 1997], where the
authors introduced differential fault analysis, which can potentially be applied
against all symmetric algorithms in the open literature. Meanwhile, there have been
many publications that show different techniques to insert faults, e.g.,
electromagnetic radiation [Quisquater and Samyde 2001], infrared laser [Ajluni 1995],
or even a flash light [Skorobogatov and Anderson 2002]. It seems very likely that
these attacks can be easily applied to FPGAs, since they are not specifically
targeted at ASICs. Therefore, one is able to deactivate security bits and/or the
countermeasures, resulting in the ability to read out the configuration of the FPGA
[Kessner 2000; Dipert 2000].
Despite these attacks, Actel Corporation [Actel Corporation 2002] claims that
after the programming phase, the cells of FPGAs cannot be read at all. On the
other hand, Xilinx offers users the software tool JBits [Guccione and Levi],
which provides an API to access the bitstream information and allows dynamic
reconfiguration for Xilinx Virtex FPGAs. JBits allows simplified and automated
access to specific parts of the bitstream, resulting in an extra advantage for the
attacker who performs a readback attack.
3.4 Cloning of SRAM FPGAs
The security implications that arise in a system that uses SRAM FPGAs are
obvious, if the configuration data is stored unprotected in the system but external to
the FPGA. In a standard scenario, the configuration data is stored externally in
ACM Special Issue Security and Embedded Systems Vol. No. March 2003.