# Identifying the IP in an FPGA

Carol Marsh, Tom Kean and David McLaren, Algotronix Ltd and iSLI

CryptArchi 2008, Trégastel, France, 1 - 4 June 2008

02/04/06

## The Tag Idea

The idea is to provide a tag which can be added to an FPGA, ASIC or IP Core which will uniquely identify the design



The tag must communicate with external detection equipment via a covert channel.

#### Temperature will be used as the communications channel

www.algotronix.com www.sli-institute.ac.uk

### The Tag Idea

#### An FPGA design could contain many tags



#### Idea is detect IP rather than protect IP

www.algotronix.com www.sli-institute.ac.uk

# Why is an ID Tag Required?



Chip Photo © Xilinx Inc.

# FPGA package markings identify the FPGA chip, not the user designs within

#### Why does it matter?

Recognition of the user's design within an FPGA is required for:

- Customer Support Determining design version in a failing product
- Detecting Misuse or Theft of entire user design
- Detecting Misuse or Theft of IP cores

#### What if?

after a few months you just can't read the package marking any more?



#### What if?

#### someone maliciously re-marks the package?

- changes speed grade to increase value
- changes date code to sell recycled 'ghost' chips as new

# - puts your logo on a cheaper competitive product

Semiconductor Insights tried to purchase sub-60 nanometer devices from Samsung and Toshiba, it took several attempts before they received legitimate components. In one case they ordered a Toshiba 16-Gbit 56nm MLC NAND flash and received a remarked Samsung 4-Gbit 65-nm MLC NAND flash, which was not only too slow but also had a different pin out. Quirk, G. Under the Hood Special Report: Counterfeit parts, legitimate woes. 8 June 2007, EETIMES

#### Requirements...

FPGA design identification should be just as easy as reading package markings:

- No support from software in the system containing the FPGA is required
- No documentation of chip pin out is required
- Works even when the bitstream is encrypted
- Very low cost

#### All you need is to be able to see the package lid

#### And...

It would be nice if an FPGA design labelling scheme could improve on ink markings by:

- Tracking IP cores within a design as well as complete designs
- Tracking in-the-field changes to the bitstream
- Resisting tampering and forgery

# Introducing DesignTag<sup>™</sup>

There are 2 types of DesignTag: A passive tag – Heat sensor circuit within an FPGA which lies dormant until it detects a heat signature from an <u>external source</u>



An active tag – Heat generator circuit within an FPGA continuously outputting a signature which is detected using an external sensor.



The Active DesignTag<sup>™</sup> is now available from Algotronix Ltd

02/04/06

# Passive DesignTag<sup>TM</sup>

Three part solution:

- A small, low power heat sensor circuit which is added to the FPGA design
- A heat source which provides the temperature signature
- A heat controller which controls the heat source

#### This is currently under development

### **Heat Source**

- A Peltier Cooler which is taped to lid of chip package is used as the heat source
- In the experiments an FPGA on a Xilinx Spartan 3A Evaluation Board is used as the heat controller
- The FPGA is programmed via a laptop with the required 64 bit tag code
- Future developments
  - use PocketPC to control the heat source rather than a bulky laptop and FPGA Evaluation Board

### **Experimental Set Up**



### How it works

- The heat source communicates with the internal sensor circuit by modulating chip package temperature
- Chip packages are designed to be 'transparent' to heat making this a very practical signalling mechanism
- The heat sensor tag in the FPGA detects the heat source and extracts the tag signature
- Response is generated when extracted tag matches design's tag
- It takes approximately 15 minutes to transmit the 64 bits of data
- Each DesignTag<sup>™</sup> requires 225 slices
- 0.5mW additional power per tag when operating

# Active DesignTag<sup>™</sup>

#### **Three Part Solution:**

- A small, low power heat generator circuit which is added to the FPGA design
- A 'reader' which can detect the presence of the tag when held against the chip package
- A database of tag codes and corresponding design information

### **Tag Reader**

- Low cost (\$3) thermocouple which is taped to lid of chip package
- Off the shelf data logging unit interfaces thermocouple to laptop
- Signal processing software running on laptop decodes the tag signal

#### Future developments

- use PocketPC with thermocouple interface on CompactFlash card rather than bulky laptop and data logger
- look at non-contact (infra red) temperature measurement

# **Experimental Set Up**



### How it works

- The tag communicates with the external reader by modulating the temperature of the chip package
- Package temperature changes are around 0.1 deg C and less than random temperature variations
- Spread spectrum code allows tag signal to be extracted from noise
- Time to detect tags depends on number of tags in FPGA and location where experiment is run
- Example: demo at tradeshow booth, roughly 3 min to find first tag, all five tags found in less than 10 min

### **Demodulation Process**

- For experiment using a Spartan 3A evaluation board with Xilinx demonstration design containing PicoBlaze CPU, VGA driver, audio driver etc
- One tag added to the Xilinx demonstration design
- Software matches a correct and incorrect tag against the data from the sensor
- Next few slides show waveforms at the key stages of the tag demodulation process within the reader
- Each DesignTag<sup>™</sup> requires 152 slices
- 5mW additional power per tag when operating, can be switched off 15 min after power on

### Package Temperature



Chip gradually heats up after power on due to normal activity – most of this temperature variation is caused by user design and environment, not tags

### **Differentiate + Quantise**





Interested in temperature changes, not absolute values

#### Expected Tag Code

### Correlation





### **No Match**

### Match

# Summary

- FPGA package markings identify the FPGA chip, not the IP in the FPGA
- DesignTag<sup>TM</sup> provides a method of identifying the IP using temperature as the communications channel
- Passive DesignTag<sup>™</sup>: External heat source with heat sensor in FPGA Need to know tag code your looking for
- Active DesignTag<sup>TM</sup>: Heat source in FPGA with external heat sensor Checks for all tags in the database First product released in DesignTag<sup>TM</sup> range