阅读说明：本技术 面向asic和fpga器件的加密数字ip核授权方法 (Encryption digital IP core authorization method facing ASIC and FPGA device ) 是由 滕虓宇 张昊 张君迈 于 2021-07-16 设计创作，主要内容包括：本发明涉及授权方法,具体涉及面向ASIC和FPGA器件的加密数字IP核授权方法,包括集成一个或多个预先授权IP核的ASIC/FPGA器件,以及与ASIC/FPGA器件通信的核验芯片,IP核中内置有第一密钥对,核验芯片中内置有与第一密钥对配对的第二密钥对,核验芯片利用第二密钥对生成数字签名并进行加密,同时将加密后的数字签名打包至授权请求发送给ASIC/FPGA器件,IP核利用第一密钥对对授权请求进行身份认证,并基于历史授权情况判断是否满足当前授权请求；本发明提供的技术方案能够有效克服现有技术所存在的IP授权方无法对无法对ASIC/FPGA器件中IP的实际使用次数进行有效限制的缺陷。(The invention relates to an authorization method, in particular to an encryption digital IP core authorization method facing an ASIC (application specific integrated circuit) and an FPGA (field programmable gate array) device, which comprises the ASIC/FPGA device integrating one or more pre-authorized IP cores and a verification chip communicated with the ASIC/FPGA device, wherein a first key pair is arranged in the IP core, a second key pair matched with the first key pair is arranged in the verification chip, the verification chip generates a digital signature by using the second key pair and encrypts the digital signature, the encrypted digital signature is packaged to an authorization request and is sent to the ASIC/FPGA device, and the IP core performs identity authentication on the authorization request by using the first key pair and judges whether the current authorization request is met or not based on the historical authorization condition; the technical scheme provided by the invention can effectively overcome the defect that the IP authorization party in the prior art can not effectively limit the actual use times of the IP in the ASIC/FPGA device.)

1. An encryption digital IP core authorization method facing ASIC and FPGA devices is characterized in that: the system comprises an ASIC/FPGA device integrating one or more pre-authorized IP cores and a verification chip communicated with the ASIC/FPGA device, wherein a first key pair is arranged in the IP core, and a second key pair matched with the first key pair is arranged in the verification chip;

the authorization method comprises the following steps:

the verification chip generates a digital signature by using the second key pair and encrypts the digital signature, the encrypted digital signature is packaged to an authorization request and sent to the ASIC/FPGA device, and the IP core performs identity authentication on the authorization request by using the first key pair and judges whether the current authorization request is met or not based on the historical authorization condition.

2. The encryption digital IP core authorization method facing ASIC and FPGA devices of claim 1, characterized in that: the verification chip utilizes a second key pair to generate and encrypt a digital signature, and comprises:

the verification chip firstly utilizes the private key of the verification chip to encrypt random data to generate a digital signature, and then utilizes the IP public key to encrypt the generated digital signature.

3. The encryption digital IP core authorization method facing ASIC and FPGA devices of claim 2, characterized in that: the IP core performs identity authentication on the authorization request by using the first key pair, and the identity authentication comprises the following steps:

the IP core decrypts the encrypted digital signature by using an IP core private key to obtain a digital signature, and then decrypts and verifies the digital signature by using a verification chip public key;

if the decrypted data obtained after decryption and verification is the same as the random data, the verification chip corresponding to the verification chip public key meets the identity authentication requirement, and the IP core judges whether the current authorization request is met or not based on the historical authorization condition;

and if the decrypted data obtained after decryption and verification are different from the random data, the verification chip does not meet the identity authentication requirement, and the IP core does not respond to the current authorization request.

4. The encryption digital IP core authorization method for ASIC and FPGA devices of claim 3, characterized in that: the IP core judges whether the current authorization request is met or not based on the historical authorization condition, and the method comprises the following steps:

the IP core judges that the decrypted data obtained after decryption and verification are the same as the random data, and inquires the historical authorization times of the verification chip on the chain;

and when the historical authorization times of the verification chip are not more than the authorization use times, the IP core responds to the current authorization request, otherwise, the IP core does not respond to the current authorization request.

5. The encryption digital IP core authorization method for ASIC and FPGA devices of claim 4, characterized in that: the IP core responds to the current authorization request and comprises the following steps:

and the IP core generates a binary file or a GDS file required by the production of the ASIC/FPGA device and downloads the binary file or the GDS file into the ASIC/FPGA device for production and use.

6. An encryption digital IP core authorization method facing ASIC and FPGA devices according to claim 2 or 3, characterized in that: the verification chip is internally provided with a random number generator, the random number generator generates different random data each time, and the verification chip packs the random data to an authorization request and sends the authorization request to the ASIC/FPGA device.

7. The encryption digital IP core authorization method for ASIC and FPGA devices of claim 6, characterized in that: the first key pair comprises an IP core private key and a verification chip public key, and the second key pair comprises an IP core public key and a verification chip private key which are respectively matched with the IP core private key and the verification chip public key.

8. The encryption digital IP core authorization method for ASIC and FPGA devices of claim 7, characterized in that: the first key pair is present in the IP code in the form of an encrypted soft core or a fixed core.

9. The encryption digital IP core authorization method facing ASIC and FPGA devices of claim 1, characterized in that: the verification chip is communicated with the ASIC/FPGA device through an I2C, SPI, UART and 7816 universal bidirectional IO port.

Technical Field

The invention relates to an authorization method, in particular to an encryption digital IP core authorization method facing an ASIC (application specific integrated circuit) device and an FPGA (field programmable gate array) device.

Background

An ASIC, i.e., an application specific integrated circuit, refers to an integrated circuit designed and manufactured to meet the needs of a particular user and a particular electronic system. The ASIC is characterized in that the ASIC is oriented to specific requirements, and compared with a general integrated circuit, the ASIC has the advantages of small volume, low power consumption, high reliability, high performance, strong confidentiality, low cost and the like during batch production.

An FPGA (Field-Programmable Gate Array), which is a product of further development based on Programmable devices such as PAL, GAL, CPLD, etc. The FPGA is used as a semi-custom circuit in the field of Application Specific Integrated Circuits (ASIC), which not only solves the defects of the custom circuit, but also overcomes the defect that the gate circuit number of the original programmable device is limited. The circuit design finished by FPGA/CPLD and the like in hardware description language (Verilog or VHDL) can be quickly burned to FPGA for testing through simple synthesis and layout, and is the mainstream of modern IC design verification technology. These programmable devices can be used to implement some basic logic gates (such as AND, OR, XOR, NOT) OR more complex combinational functions such as decoders OR mathematical equations. In most FPGAs, memory elements such as Flip-flops (Flip-flops) or other more complete memory blocks are also included in these programmable devices.

Today, as an Integrated Circuit (IC) is developed to a very large scale, IC design and reuse based on an IP (Intellectual Property) core are important means for ensuring SoC (system on chip) development efficiency and quality. Because of the mass use of the prior ASIC, FPGA and other devices, the IP core is also largely adopted to be integrated into the development of the ASIC and FPGA in the fields of video decoding, communication, security protection and the like, so as to shorten the design and development time.

Digital logic class IP core authorization basically has two forms: HDL language form (soft core), netlist form (fixed core). The soft core is a functional block described by a hardware description language such as Verilog or VHDL, but does not refer to what specific circuit element is used to implement the functions. The soft IP is usually in the form of a hardware description language HDL source file, and the application development process is very similar to the common HDL design, except that the required hardware and software environment is expensive to develop. The soft IP has short design period and less design investment, and because physical realization is not involved, a large play space is reserved for subsequent design, and the flexibility and the adaptability of the IP are improved.

The fixed core is a compromise between a soft core and a hard core, most of the IP cores applied to the ASIC and the FPGA are soft cores, the soft cores are beneficial to a user to adjust parameters and enhance reusability, and the hard IP needs to be customized for a certain ASIC process or a certain FPGA model.

Typically, digital logic IP authorization for ASICs is charged in two forms, one-time fee and Royalty (Royalty). The pay-by-Royalty-based method can obtain the production times by querying the production record of the Foundry (Foundry). However, in practice, it is difficult for the IP authority to know the specific production data for protecting the customer information.

IP authorization based on FPGA generally charges in a one-time payment mode, and once a netlist file of FPGA is produced in a soft core or fixed core mode, the use times of IP are difficult to limit through technical means. Therefore, currently, the IP authorization based on the FPGA can only restrict the number of times of use of the IP by contracts, laws, and the like, and the IP authorizer cannot limit the actual number of times of use.

Disclosure of Invention

Technical problem to be solved

Aiming at the defects in the prior art, the invention provides the encryption digital IP core authorization method facing the ASIC and the FPGA device, which can effectively overcome the defect that an IP authorization party in the prior art cannot effectively limit the actual use times of the IP in the ASIC/FPGA device.

(II) technical scheme

In order to achieve the purpose, the invention is realized by the following technical scheme:

an encryption digital IP core authorization method facing an ASIC (application specific integrated circuit) and an FPGA (field programmable gate array) device comprises the ASIC/FPGA device integrating one or more pre-authorized IP cores and a verification chip communicated with the ASIC/FPGA device, wherein a first key pair is arranged in the IP core, and a second key pair matched with the first key pair is arranged in the verification chip;

the authorization method comprises the following steps:

the verification chip generates a digital signature by using the second key pair and encrypts the digital signature, the encrypted digital signature is packaged to an authorization request and sent to the ASIC/FPGA device, and the IP core performs identity authentication on the authorization request by using the first key pair and judges whether the current authorization request is met or not based on the historical authorization condition.

Preferably, the verification chip generates and encrypts a digital signature using a second key pair, and includes:

the verification chip firstly utilizes the private key of the verification chip to encrypt random data to generate a digital signature, and then utilizes the IP public key to encrypt the generated digital signature.

Preferably, the identity authentication of the authorization request by the IP core using the first key includes:

the IP core decrypts the encrypted digital signature by using an IP core private key to obtain a digital signature, and then decrypts and verifies the digital signature by using a verification chip public key;

if the decrypted data obtained after decryption and verification is the same as the random data, the verification chip corresponding to the verification chip public key meets the identity authentication requirement, and the IP core judges whether the current authorization request is met or not based on the historical authorization condition;

and if the decrypted data obtained after decryption and verification are different from the random data, the verification chip does not meet the identity authentication requirement, and the IP core does not respond to the current authorization request.

Preferably, the determining, by the IP core, whether the current authorization request is satisfied based on the historical authorization condition includes:

the IP core judges that the decrypted data obtained after decryption and verification are the same as the random data, and inquires the historical authorization times of the verification chip on the chain;

and when the historical authorization times of the verification chip are not more than the authorization use times, the IP core responds to the current authorization request, otherwise, the IP core does not respond to the current authorization request.

Preferably, the IP core responds to the current authorization request, including:

and the IP core generates a binary file or a GDS file required by the production of the ASIC/FPGA device and downloads the binary file or the GDS file into the ASIC/FPGA device for production and use.

Preferably, a random number generator is arranged in the verification chip, the random number generator generates different random data each time, and the verification chip packs the random data to an authorization request and sends the authorization request to the ASIC/FPGA device.

Preferably, the first key pair includes an IP core private key and a verification chip public key, and the second key pair includes an IP core public key and a verification chip private key paired with the IP core private key and the verification chip public key, respectively.

Preferably, the first key pair is present in the IP code in the form of an encrypted soft core or a fixed core.

Preferably, the verification chip realizes communication with the ASIC/FPGA device through an I2C, SPI, UART and 7816 universal bidirectional IO port.

(III) advantageous effects

Compared with the prior art, the encryption digital IP core authorization method facing the ASIC and the FPGA device, provided by the invention, realizes effective limitation on the IP use times of the programmable devices based on the ASIC, the FPGA and the like by issuing the verification chip to an IP user and adding the security authentication program in the digital IP core in the encryption soft core or fixed core form, and particularly has the following beneficial effects:

1) the traditional charging mode aiming at the IP authorization of an ASIC/FPGA device is changed, and the benefits of an IP authorization party can be effectively protected;

2) the smart card based on the verification chip has low cost and small volume, and the communication bus can adopt I2C or even 1wire and other simple buses, so that the realization cost of the scheme is very low;

3) because the security level of the existing smart card is very high, the possibility of cracking the smart card is very low or the cracking cost is very high, and the benefits of an IP (Internet protocol) authorized party are effectively protected.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.

FIG. 1 is a schematic flow chart of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

An encryption digital IP core authorization method facing an ASIC (application specific integrated circuit) and an FPGA (field programmable gate array) device comprises the ASIC/FPGA device integrating one or more pre-authorized IP cores and a verification chip communicated with the ASIC/FPGA device, wherein a first key pair is arranged in the IP core, and a second key pair matched with the first key pair is arranged in the verification chip;

the authorization method comprises the following steps:

the verification chip generates a digital signature by using the second key pair and encrypts the digital signature, the encrypted digital signature is packaged to an authorization request and sent to the ASIC/FPGA device, and the IP core performs identity authentication on the authorization request by using the first key pair and judges whether the current authorization request is met or not based on the historical authorization condition.

In the technical scheme of the application, the first key pair exists in the IP code in an encryption soft core or fixed core mode, so that an IP user cannot directly read the first key pair, and the verification chip is internally provided with the second key pair for verifying the validity of the IP authorization in the ASIC/FPGA device. The first key pair comprises an IP core private key and a verification chip public key, and the second key pair comprises an IP core public key and a verification chip private key which are respectively matched with the IP core private key and the verification chip public key.

The verification chip realizes communication with the ASIC/FPGA device through I2C, SPI, UART and 7816 universal bidirectional IO ports.

The verification chip firstly utilizes the private key of the verification chip to encrypt random data to generate a digital signature, and then utilizes the IP public key to encrypt the generated digital signature.

In the technical scheme, a random number generator is arranged in the verification chip, the random number generator generates different random data each time, and the verification chip packages the encrypted digital signature and the random data generated by the random number generator to the authorization request and sends the authorization request to the ASIC/FPGA device.

The IP core decrypts the encrypted digital signature by using the IP core private key to obtain the digital signature, and then decrypts and verifies the digital signature by using the verification chip public key.

If the decrypted data obtained after decryption and verification is the same as the random data, the verification chip corresponding to the verification chip public key meets the identity authentication requirement, and the IP verification judges whether the current authorization request is met or not based on the historical authorization condition; if the decrypted data obtained after decryption and verification are different from the random data, the verification chip does not meet the identity authentication requirement, and the IP core does not respond to the current authorization request.

In the technical scheme of the application, the identity authentication is realized by adopting a mode of digitally signing random data, encrypting the digital signature, and then decrypting and verifying the signature by an IP core. Further, a challenge-response type authentication based on a hash algorithm (SHA) or a symmetric encryption algorithm (DES) using the same key, or a certificate type authentication based on an asymmetric algorithm (RSA or the like) may be employed. Since the random number generator is built in the verification chip, the data transmitted on the bus is encrypted and the random data is changed each time in the challenge response or certificate type authentication, so that the authentication data on the bus is random each time seen by the outside.

And the IP core judges that the decrypted data obtained after decryption and verification are the same as the random data, and inquires the historical authorization times of the verification chip on the chain.

And when the historical authorization times of the verification chip are not more than the authorization use times, the IP core responds to the current authorization request, otherwise, the IP core does not respond to the current authorization request. The authorized use times are IP maximum use times preset on a chain by an IP authorization party aiming at an IP user.

After the IP core responds to the current authorization request, the IP user generates a binary file or a GDS file required by the production of the ASIC/FPGA device through the IP core integrated on the ASIC/FPGA device, and downloads the binary file or the GDS file into the ASIC/FPGA device for production and use.

When the identity authentication in the ASIC/FPGA device passes, the IP core can normally operate the functions therein. And the IP authorizer can control the actual use times of the IP in the corresponding ASIC/FPGA device of the IP user by issuing a verification chip which downloads the identity authentication program and the second key pair in advance.

The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.