Recent advances in the size and performance of FPGAs, coupled with advantages in time-to-market, field-reconfigurability and lower up-front costs, make FPGAs ideally suited to a wide range of commercial and defense applications . In addition, FPGAs generality and reconfigurability provide important protections against the introduction of Trojan horses during semiconductor manufacturing process. As a result, FPGA applications increasingly involve highly-sensitive intellectual property and trade-secrets, as well as cryptographic keys and algorithms .
For such applications, FPGAs need to achieve a high level of tamper resistance in order to preserve confidential information and ensure system integrity. Systems that utilize FPGAs for cryptography may also need to comply with tamper-resistance security standards, including applicable Common Criteria protection profiles as well as the upcoming U.S. government FIPS 140-3 standard.
Non-invasive attacks, including both simple and differential power analysis (SPA and DPA), must be addressed by all FPGA-based systems that require any significant degree of tamper resistance. Power analysis attacks can be carried out by attackers with modest skill and resources, since power measurements can be collected and analyzed easily. If a design is not adequately protected, secrets such as sensitive data, IP, trade-secrets and cryptographic keys can be extracted, and adversaries could make unauthorized modifications to the device configuration.
This article introduces SPA and DPA, discusses how these vulnerabilities apply to FPGAs, and provides guidance about the types of countermeasures that can be implemented to protect FPGAs against these attacks.
Introduction to simple and differential power analysis
The energy consumed by a hardware device such as an FPGA depends on the switching activity of its transistors, which in turn depends on the operations it is performing. An attacker who is passively measuring a device's power consumption or electromagnetic emissions will recover some aggregated and noisy information related to the sensitive data being processed. SPA and DPA attacks  use the information obtained from power measurements to extract secret keys from a device.
SPA attacks recover the secret keys by directly observing features within individual power consumption measurements. Implementations that have significantly different power consumption depending on secret key bits are most vulnerable to SPA. For example, implementations of modular exponentiation for RSA or Diffie-Hellman commonly use a key-dependent sequence of square and multiply operations. Similarly, implementations of scalar multiplication in elliptic curve cryptosystems (ECC) generally use a key-dependent sequence of double and add operations. In each case, the pattern of these operations reveals the value of the key. For unprotected devices, this pattern can be observed from a single operation.
Figure 1 shows the power trace from an RSA operation using a standard square and multiply sequence. The square and multiply operations have visibly different power profiles that are easy to distinguish. The secret exponent can be recovered easily from the sequence of squares and multiplies. In particular, each 1 in the secret exponent consists of a squaring step (lower power) followed by a multiplication step (higher power), while a 0 in the exponent involves only a squaring step (lower power). In Figure 1, steps involved in squaring operations have been highlighted in green, while steps involved in multiplication are highlighted in red.
Figure 1: Power trace of a portion of an RSA exponentiation operation, which is vulnerable to simple power analysis (SPA). The square and multiply sequence are shown along with bits of the recovered secret exponent (click on image to enlarge).