[Blog] Lattice Avant™-X: Securing the Digital Frontier
Posted 07/30/2024 by Steve McNeil, Security Consultant, Lattice Semiconductor

Field programmable gate arrays (FPGAs) play an important role in a multitude of today’s technologies. From aerospace and defense to consumer electronics to critical infrastructure and the automotive industry, the prevalence of FPGAs in our lives is growing. Also growing are the threats to those FPGAs. The resources spent to create the intellectual property (IP), the firmware that runs inside FPGAs, are vast, as is the technology protected by these FPGAs. This makes FPGAs a potential target for IP theft or subversion.

Security features that protect against IP theft and compromise of customer data, and that preserve general system integrity, are no longer optional. They are table stakes for many FPGA applications, and in some regions are required by law (e.g. GDPR in the EU, HIPAA in the USA, Data Protection Act 2018 in the UK, etc.). Making this security accessible and easy to implement is a fundamental goal for Lattice and its award-winning mid-range FPGA platform, Lattice Avant™, and the Lattice Avant-X™ FPGA device family is a testament to that fact.

Lattice Avant-X FPGAs incorporate many advanced security features designed to protect IP and secure the device from unauthorized access and attacks without sacrificing SWaP-C (Size, Weight, Power, and Cost). Here are some key security features implemented in Avant-X FPGAs:

[Figure: Lattice Avant-X Block Diagram]

  1. Physically Unclonable Function (PUF): Avant-X FPGAs often utilize PUF technology to create a unique fingerprint for each individual device. This fingerprint is used both to generate and to protect cryptographic keys, and it can also be used to authenticate the FPGA. All of this provides a foundation for a Hardware-based Root of Trust (HRoT).
  2. Encryption and Decryption: Avant-X FPGAs support encryption and decryption of sensitive data and bitstreams to protect them from interception and unauthorized access during transmission or storage. Supporting multiple AES key strengths (128/256), multiple modes (including GCM), and protection against Differential Power Analysis, the Avant-X can future-proof the data of a variety of markets.
  3. Authentication: Fundamental to any secure platform is the ability to verify the authenticity of data (configuration or user) prior to use. To meet this need, Avant-X provides for both symmetric authentication (AES-GCM) as well as various asymmetric methods including, but not limited to, ECDSA (P384 or P521) and RSA (2048 and 4096).
  4. High Speed Secure Boot: To ensure that only authorized configurations are loaded onto the FPGA, Avant-X devices leverage a PUF, authentication (ECDSA P521 or RSA4096), and encryption/decryption (AES256/GCM) to provide a secure boot. This involves cryptographic authentication of the configuration bitstream prior to it being applied, preventing tampering and any unauthorized modifications. Achieving this while configuring faster than any other FPGA of the same density range (including those with ‘instant-on’ capability) is one of many reasons why Avant-X is best-in-class. Secured and assured boot time of the largest Avant-X device is sub 60 ms.
  5. Anti-Tamper Features: The Avant-X FPGAs incorporate physical security mechanisms to detect and respond to tampering attempts. This can include sensors that detect physical intrusion, such as voltage and temperature variations, or attempts to probe the device via JTAG.
  6. Key Management: Avant-X devices include secure key storage and management capabilities. This ensures that cryptographic keys used for authentication, encryption, and other security functions are stored securely (in black form) within the device and are not accessible to unauthorized entities.
  7. Secure Debugging: Debugging interfaces on Avant-X FPGAs can be protected to prevent unauthorized access. This includes mechanisms to restrict debugging operations to authorized users or devices, thereby minimizing the risk of exploitation. Several methods to block, restrict, or temporarily enable (via internal interface) the JTAG interface are implemented on the Avant-X device.
  8. True Random Number Generator (TRNG): Useful in key generation as well as unique IDs, the Avant-X provides a TRNG capable of qualification to NIST SP 800-90A/B/C.
  9. Secure Communication: To support the secure transmission of data in a system after FPGA configuration, the Avant-X device allows for the use of all hardened security cores (with expanded key sizes and modes). This allows the customer to dedicate portions of the fabric to their IP and not to the tools necessary to protect it. All cryptographic cores used by Avant-X are NIST CAVP validated.
  10. Quantum Agility: Considering the impending threat posed by quantum computers targeting cryptographic systems, the urgency to establish resistance and resilience against such attacks cannot be overstated. Currently, although several Post-Quantum Computing (PQC) algorithms have gained acceptance, there is no officially published standard. For commercial entities like Lattice, implementation in silicon hinges on establishment of a published standard. Avant-X tackles this challenge in two phases. Firstly, it relies on AES256-GCM (a high-key-strength symmetric algorithm) as its primary authentication mode (keeping in mind that quantum attacks are particularly effective against asymmetric algorithms like RSA or ECDSA). Secondly, it considers a forward-looking strategy: a dual-boot configuration. The initial configuration would contain a NIST-approved asymmetric PQC algorithm and boot loading code, safeguarded by the already quantum-resistant AES256-GCM. This first stage then initiates a second stage boot, which loads the user's final FPGA design.
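
The two-phase chain of trust described in item 10 can be sketched in software. The following is an added example, not Lattice code or the Avant-X implementation: HMAC-SHA-256 stands in for the AES256-GCM tag (authentication only, no encryption), a Lamport one-time hash-based signature stands in for a NIST-approved PQC algorithm, and all function names, keys and images are constructed for illustration.

```python
import hashlib, hmac, secrets

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signature: hash-based stand-in for a PQC signature scheme.
def lamport_keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def lamport_sign(sk, msg):  # reveals one secret per digest bit; key is single-use
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(_bits(msg)), sig))

def mac(key, data):  # HMAC-SHA-256: stand-in for the AES256-GCM tag
    return hmac.new(key, data, hashlib.sha256).digest()

def build_stage1(device_key, loader, pk):
    """Stage 1 = loader code + embedded PQ public key, sealed with the device key."""
    body = len(loader).to_bytes(4, "big") + loader + b"".join(h for p in pk for h in p)
    return body + mac(device_key, body)

def boot(device_key, stage1, stage2, sig):
    body, tag = stage1[:-32], stage1[-32:]
    # Phase 1: symmetric check of stage 1 before anything in it is trusted.
    if not hmac.compare_digest(mac(device_key, body), tag):
        return "reject: stage 1 failed symmetric authentication"
    # Phase 2: stage 1's embedded public key authenticates the user design.
    blob = body[4 + int.from_bytes(body[:4], "big"):]
    hs = [blob[i:i + 32] for i in range(0, len(blob), 32)]
    pk = [hs[i:i + 2] for i in range(0, len(hs), 2)]
    if not lamport_verify(pk, stage2, sig):
        return "reject: stage 2 signature invalid"
    return "boot: user design loaded"

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed device key
    sk, pk = lamport_keygen()
    design = b"constructed user bitstream"
    s1 = build_stage1(key, b"constructed loader", pk)
    print(boot(key, s1, design, lamport_sign(sk, design)))
    print(boot(key, s1, design + b"!", lamport_sign(sk, design)))
```

Because the public key travels inside the symmetrically authenticated first stage, swapping the signature algorithm only requires re-issuing stage 1, not changing the device's root key.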

As the digital landscape grows increasingly perilous, Lattice Avant stands at the pinnacle of security, equipped with an arsenal of innovative features designed to help repel even the most formidable threats. By prioritizing encryption, authentication, anti-tamper, high-speed secure boot, and quantum resiliency, Lattice Avant reinforces the defenses for applications where security and trustworthiness are paramount. In the relentless battle to keep data secure, Lattice Avant emerges as the ultimate ally in safeguarding the digital frontier.

To learn more about how Lattice Avant-X FPGAs and security solutions can help you bolster and maintain cyber resiliency, reach out to our team today.