Lattice Blog


How FPGAs help advance and protect your A&D design

How FPGAs help advance and protect your A&D design
Posted 02/03/2022 by Edward Peterson

Posted in

Security is an increasingly important consideration for design engineers across all technology applications as the frequency and sophistication of cyber and physical attacks increases. In the aerospace and defense industry, robust hardware security is mission critical to field success and for protecting sensitive information.

Security is a top priority at Lattice and is part of what makes Lattice the FPGA industry leader. Today our security offerings span hardware, software, solution stacks, and supply chain services, giving our customers various ways to protect their designs and systems.

In this blog, we will explore the leadership security features Lattice Field Programmable Gate Arrays (FPGAs) bring to A&D platforms. And it all starts at the architecture level.

Introduced in 2019, the Lattice Nexus™ FPGA platform combines Lattice’s long-standing engineering expertise with a leading 28nm FD-SOI technology process technology to deliver leadership power efficiency, performance, small size, and security features available at both configuration and run-time. Since its introduction, Lattice has introduced four FPGA families based on the Nexus platform, with more to come.

Lattice Nexus

Secure configuration of an FPGA provides for both confidentiality and authentication of the customer’s bitstream, which may contain valuable intellectual property (IP) and sensitive data. This helps safeguard against attacks such as cloning, overbuilding, reverse engineering, and malicious modification/replacement of the bitstream. Nexus-based devices have cryptographic features to enable bitstream protections against various types of attacks:

  • Confidentiality: 256-bit Advanced Encryption Standard (AES-256) to prevent cloning, overbuilding, and reverse engineering of the bitstream
  • Asymmetric (Public Key) Authentication: 256-bit Elliptic Curve Digital Signature Algorithm (ECDSA-256) to prevent malicious modification and/or replacement of the bitstream
  • Symmetric (Secret key) Authentication: 256-bit Hash-Based Message Authentication Code (HMAC) using the Secure Hash Algorithm (SHA-256) to prevent malicious modification and/or replacement of the bitstream

In addition to the cryptographically strong bitstream protections shown above, Lattice Nexus-based FPGAs also include defenses against side-channel attacks (SCA) such as differential power analysis (DPA). These types of attacks do not attempt to circumvent the cryptographic protections directly but attempt to take advantage of potential leakage of security critical parameters (i.e., encryption keys) via the power supply lines or electromagnetic (EM) emanations. The SCA protections included with Nexus substantially increase the difficulty of performing these types of attacks.

Once a Nexus-based device has been securely configured, the customer’s design can then take advantage of several hardened cryptographic accelerators and security functions, as needed for the application. Employing these hardened features helps free up valuable programmable resources for the rest of the customer’s design. Hardened security features of Lattice Nexus FPGAs include:

  • AES-128 / AES-256
  • ECDSA-256 Signature Verification
  • 256-bit HMAC-Symmetric Key Authentication
  • Secure Hash Algorithm 256 bits (SHA-256)
  • True Random Number Generator (TRNG)
  • 256-bit Elliptic-curve Diffie-Hellman (ECDH) Key Exchange Protocol
  • Unique Device Secret (UDS)*

Lattice Nexus FPGA FamiliesThe above cryptographic functions have been validated via the National Institute of Standards and Technology (NIST) Cryptographic Algorithm Validation Program (CAVP) to ensure the implementations are correct and conform to their respective standards.

To provide additional protections, test ports (e.g., JTAG) and configuration ports (e.g., SPI & I2C) can be permanently disabled (hard-locked) on fielded devices or dynamically disabled/enabled (soft-locked)* from within the device. Also, there are hardened readback protections automatically enabled whenever an encrypted bitstream is loaded onto a Nexus-based device.

In summary, Lattice Nexus FGPAs provide the means for customers to robustly ensure the security of their valuable IP contained in the configuration bitstream as well as providing hardened security functions for use at run-time. We encourage you to work with your Lattice FAE or Sales Partner, or to contact us at, to discuss your security needs.

*Feature available on Lattice CertusPro™-NX and Lattice Mach™-NX devices only.