Next Article in Journal
A Dynamic Current Pulsing Technique to Improve the Noise Efficiency Factor of Neural Recording Amplifiers
Previous Article in Journal
An Ultra-Low-Quiescent-Current On-Chip Energy Management Circuit in 65 nm CMOS for Energy Harvesting Applications
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
JLPEA
Volume 15
Issue 4
10.3390/jlpea15040066
jlpea-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

Research on the Security of SRAM-Based FPGAs in the Era of Artificial Intelligence

by
Jing Zhou
1,2,*,
Xiangyu Zhao
3,
Shengbing Zhang
1,
Lei Chen
2,
Ke Xiao
2 and
Shuo Wang
2
1
Network Security College, Northwestern Polytechnical University, Xi’an 710072, China
2
Beijing Microelectronics Technology Institute, Beijing 100076, China
3
China Aerospace Science and Technology Corporation, Beijing 100048, China
*
Author to whom correspondence should be addressed.
J. Low Power Electron. Appl. 2025, 15(4), 66; https://doi.org/10.3390/jlpea15040066
Submission received: 11 October 2025 / Revised: 24 November 2025 / Accepted: 25 November 2025 / Published: 28 November 2025
(This article belongs to the Topic Advanced Integrated Circuit Design and Application)
Browse Figures
Versions Notes

Abstract

SRAM-based FPGAs, with their flexible programmability and parallel execution features, have been widely used, and the security of such devices has drawn significant attention. Especially in the era of artificial intelligence, FPGA architectural optimizations and evolving application models have introduced novel security characteristics and threats. In this work, we introduce a taxonomy of FPGA threats and explore new threat features and potential countermeasures in the era of AI. We focus on evaluating the research trends of FPGA security, including both security threats and protection measures. Then, we propose a new perspective on the involvement of FPGA manufacturers in FPGA security and introduce the main security measures used in COTS FPGA products. Finally, we summarize the security challenges and offer future research directions.

1. Introduction

Since the introduction of the “Turing machine” theory in 1936, artificial intelligence (AI) has evolved through several ups and downs into a productivity driver that encompasses machine learning, neural networks, deep learning, large language models, and more. Advanced computing chips are a key driver of the rapid growth of the AI industry. As the foundational hardware powering AI computation, AI chips are designed for processing vast datasets and running sophisticated algorithms, e.g., Graphics Processing Units (GPUs), Field-Programmable Gate Arrays (FPGAs), Application-Specific Integrated Circuits (ASICs), and Neural Processing Units (NPUs) [1].
Among the abovementioned AI chips, FPGAs [2] possess the capabilities of flexible programmability and efficient parallel computing. Specifically, FPGAs demonstrate significantly higher functional flexibility compared to ASICs while offering substantially faster computing speeds than microprocessors or microcontrollers [3,4,5]. To meet the computing power requirements of AI, modern FPGAs have integrated numerous heterogeneous resources, including dedicated DSPs, GTXs, embedded processors, radio frequency components, and tensor computing units [6,7]. Nowadays, FPGAs are widely utilized in intelligent computing applications, such as computational acceleration, datacenters, and cloud services.
The development of AI technologies, especially deep learning, has rapidly changed the architecture, configuration modes, and ecosystem of FPGAs. Subsequently, the security of FPGAs in the era of AI should also be carefully demonstrated and evaluated. Some survey articles have demonstrated the security of FPGAs and the impacts of AI technology development from various perspectives [8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29]. Here, we summarize 22 survey articles published in the past five years, dividing them into three research directions, as shown in Table 1. Direction 1 (D1) includes FPGA security studies. Direction 2 (D2) includes studies on applications of AI in FPGA security. Direction 3 (D3) includes security studies on FPGA application.
The existing studies have mostly focused on a specific theme or perspective. However, the vigorous development of artificial intelligence has broadly impacted the field of hardware security, especially FPGAs. Only by comprehensively examining the impact of AI on the security technologies of FPGAs can we better meet future challenges and provide strong support for the safe and reliable operation of intelligent computing systems.
We introduce a taxonomy of FPGA threats to survey, classify, and analyze the threats faced by FPGA chips, aiming to make the corresponding defense design more systematic. Figure 1 presents the proposed taxonomy, which consists of the following elements:
Configuration Security: This element focuses on the risks throughout the configuration lifecycle to ensure the integrity and confidentiality of configuration files.
Interface Security: This element covers the security of interfaces between FPGAs and external devices, debug tools, or other chips.
Logic Security: This element targets the security of FPGA internal logic resources and user designs to prevent tempering and malicious logic injecting.
Physical Security: This element focuses on the security of FPGA physical entities and physical characteristics.
The main contributions of this paper can be summarized as follows:
  • Starting from the impacts of AI on aspects such as the architecture of FPGA chips, development methods, and application models, we comprehensively summarize the new characteristics of FPGA security in the AI era, including threat features and potential countermeasures.
  • We summarize the protective measures used in COTS FPGA products, and propose a new perspective on the involvement of FPGA manufacturers in FPGA security. Finally, we outline the necessary future measures recommended for implementation by FPGA manufacturers.
The rest of this paper is organized as follows: In Section 2, we review the architecture and development process of FPGAs and their main security threats pre-AI. In Section 3, we analyze the threats to FPGA chips based on changes in FPGA architecture and market models in the AI era. In Section 4, we introduce security measures used in COTS FPGAs and outline necessary future measures. In Section 5, we present an experimental evaluation of the effectiveness of the main defense measures. We conclude our work and propose future work in Section 6.

2. SRAM-Based FPGA and Its Threat Features Pre-AI

2.1. SRAM-Based FPGA and Development Process

SRAM-based FPGAs are reconfigurable devices. Electronic Design Automation (EDA) development tools implement user functions and configure them. A bitstream generated by EDA tools is written into SRAM-based configuration memory arrays to configure user functions. To achieve this configuration characteristic, the internal circuitry of SRAM-based FPGA chips can be divided into two parts: the configuration circuit and the programmable logics [30], as shown in Figure 2.
The development process of SRAM-based FPGAs [31,32] is also shown in Figure 2. SRAM-based FPGAs support reconfiguration and readback functions, with configuration modules and interfaces remaining open after configuration.
Different application modes yield distinct design concepts. Traditional integrated circuit chips, like GPU and CPU, aim to save every transistor, whereas FPGA chips offer numerous redundant programmable logics and complex configuration circuits. As a result, attacks effective on other chips cannot be directly applied to FPGAs. FPGA chips were initially considered safe. However, in 2004, Ruhr Universität Bochum conducted a detailed analysis of FPGA chip security, publishing the first review article highlighting the need for specialized approaches to FPGA security [33]. In 2008, Drimer published research on the security of volatile FPGAs [34]. The security of FPGAs has since drawn attention.

2.2. The Taxonomy of Threats and Main Security Threats Pre-AI

When assessing the security of FPGAs, it is generally believed that for SRAM-based FPGAs, during the configuration process, there is a possibility that the bitstream carrying user designs may be intercepted, copied, modified, or damaged [35]. As shown in Figure 3, we classified FPGA threats into four types based on the hardware architecture and the implementation process. This taxonomy covers the entire FPGA lifecycle, from FPGA entity and user logic to the bitstream.
From the perspective of system application, the key points of offense and defense are centered on control over the bitstream [24]. The bitstream and the encryption key are the most important security assets. Next, we briefly describe the types of security threats.

2.2.1. Configuration Security

The typical threat in configuration security is cloning attacks. Clone attackers have the ability to physically access configuration interfaces. These attacks occur during processes such as function configuration and updates [36]. Stealing the bitstream, which is the basis of reverse engineering, leads to IP losses for system developers and may enable the implantation of hardware Trojans or other attacks through bitstream modification.
FPGAs support flexible configuration modes and diversified configuration interfaces. For example, the remote configuration function [37,38] provides more possible interfaces for cloning attacks. Ref. [39] summarizes the risks associated with remote dynamic configuration and the commonly used security measures.

2.2.2. Interface Security

The specific threat type in interface security is readback attacks through the debugging communication interface. After the bitstream is loaded, the open configuration ports, used for functions such as readback and partial reconfiguration, create opportunities for readback attacks. The earliest security measure was to determine whether the readback interface should be disabled according to the security level [40].
However, despite these initial security efforts, the readback interface may become vulnerable to readback attacks if not carefully designed by manufacturers. A prime example is the “Starbleed” vulnerability [41] targeting Xilinx 7-series FPGAs, which exploits the readback function of the WBSTAR register and can be regarded as a type of readback attack. Ref. [42] warns that the “Starbleed” vulnerability is still effective against the UltraScale+ series.

2.2.3. Logic Security

There are two typical means of threatening logical security: reverse engineering and hardware Trojan. In these cases, the attackers have the ability to access the EDA tools or modify the RTL codes.
Reverse engineering: The bitstream obtained through clone attacks or readback attacks can be reversed into structural netlists or RTL-level logical descriptions through reverse engineering. FPGA manufacturers typically claim that keeping the bitstream format confidential can defend against reverse engineering. However, in reality, research on reverse engineering has always been highly active, leading to numerous reverse engineering tools, for instance, the Debit toolchain [43] in 2008, the BIL [44] in 2012, the bit2NCD [45] in 2013, BITMAN [46] in 2017, BRET [47] in 2018, and the BitFREE [48] in 2023. New tools are continuously being introduced [49,50,51,52,53,54,55].
Hardware Trojans: Hardware Trojans are special circuit modules that are deliberately implanted or modified to steal or influence circuit information, functions, or performance. The concept was first proposed by Dakshi Agrawal [56] in 2007. Hardware Trojans are mainly implanted in two ways, via either third-party IPs or EDA tools.
Some mature benchmark sets provide examples of implanting hardware Trojans into IPs. For example, the Trust-HUB benchmarks [57] employ a trigger mechanism that activates the hardware Trojan using a single trigger signal in rare events. The De-Trust [58] project includes cases that use multiple discrete trigger signals, allowing each trigger signal to operate normally and remain difficult to detect.
Malware or scripts can be embedded in commercial EDA tools. Hardware Trojans can be implanted by modifying some intermediate files to change the original design functions. Ref. [59] provides two attack examples, which change the design logic through intermediate configuration files in Xilinx ISE and Altera Quartus. Another work, Ref. [60], shows that even with ARM TrustZone protection, the security of the FPGA-based SoC can be compromised via malware embedded in EDA tools. Refs. [61,62] succeeded in implanting the HT by modifying the bitstream. Refs. [63,64] indicate that the direct read–write access to open-source software’s intermediate results creates vulnerabilities for HT injection.

2.2.4. Physical Security

Side-channel attacks steal bitstreams or keys by analyzing the physical side information of FPGAs, making it a typical form physical security threat. Side-channel analysis is the most common non-invasive attack and an essential detection method for evaluating security systems. Side-channel analysis techniques related to FPGAs can be divided into two types. The first type analyzes the security applications and security algorithms implemented on FPGA chips, and the second type analyzes the configuration decryption circuits within FPGA chips.
Research on the first type dates [65,66,67,68] to at least 2003. However, regarding the main topic of this article, we focus more on the second type. According to our research, the first successful instance occurred in 2011. Moradi [69] successfully attacked the bitstream decryption module integrated in Xilinx’s VirtexII-Pro FPGA, showing that even with higher background noise compared to general ICs, the built-in cryptographic circuits of the FPGA were still vulnerable. In 2013, the research by Moradi [70] and Swierczynski [71] used it to crack Altera’s Stratix II and Stratix III series FPGAs. In 2016, Moradi [72] cracked the decryption modules of Xilinx 5, 6, and 7 series FPGAs through electromagnetic side-channel analysis. In 2021, Hettwer [73] conducted side-channel analysis on UltraScale+.

2.2.5. Protection Measures

For Configuration Security, Interface Security, and Logic Security, the industry widely adopts high-security cryptographic algorithms to enhance security and defend against potential attacks. Setting reasonable access permissions [74,75] is also one of the effective protective measures. Physical Unclonable Functions (PUF) [76,77] has also assumed an increasingly important role in the field of FPGA security.
For Physical Security, especially to avoid Side-channel attacks, a wide variety of protective approaches have been emerging, including constant-time execution [78], masking [79,80] and circuit balancing [81]. Given the vulnerability of cryptographic circuits to timing attacks, constant-time execution is a mandatory requirement in cryptographic circuit design. Masking has been theoretically validated as an effective countermeasure against first-order and higher-order side-channel analysis. However, the programmable nature of FPGA devices introduces two key obstacles to its engineering application: first, the random numbers employed for mask generation or the masks themselves cannot be securely transmitted through the bitstream download process; second, the hardware implementation of high-quality TRNG requires significant design costs. These factors collectively limit the engineering deployment of masking technology in FPGA chip designs. Circuit balancing is relatively practical. however, the balanced design of the chip’s underlying circuits introduces significant area and power consumption overhead, which has a certain impact on chip cost and performance. However, achieving balance through logic implementation approach is highly challenging and may compromise the timing performance of the user design.

3. New Features of FPGA Security in the Era of AI

To discuss the impact of the AI era on FPGA security, we need to first consider how AI impacts the structure and applications of FPGA chips.

3.1. Changes in Architecture and Applications of FPGAs

AI technology has undoubtedly had a profound impact on the architecture and application characteristics of FPGAs. Based on extensive research, we believe this impact is mainly manifested in the following three aspects.

3.1.1. Optimization of FPGA Architecture

Microarchitecture Enhancement: To better leverage the advantages of FPGAs in accelerated computing, modern FPGA chips have enhanced their low-precision computing capabilities, added support for floating point operations, and provided abundant storage resources [82,83,84,85,86]. With higher energy-efficiency, Coarse-Grained Reconfigurable Architectures (CGRAs) are emerging as a promising technology research direction [87,88,89].
Heterogeneous Computing Platform: The integration of multiple computing units has become an inevitable development trend to meet AI algorithms’ demands for computing power, communication speed, and energy efficiency. Heterogeneous computing platforms mostly use CPUs as the control cores and GPUs or AI computing engines as dedicated computing units [1,90,91]. The heterogeneous units can be integrated into one chip or through chiplet integration [92,93].

3.1.2. Agilization of the Design Process

Open-Source and Architectural Exploration: The rapid iteration requirements of chip design have made the agile design approach and research on architectural exploration and evaluation an inevitable trend. This has created demand for open-source frameworks to model, rapidly prototype, and evaluate FPGAs [82,83,84,85,86,87,88,89,90,91,92,93,94,95], embedded-FPGAs (eFPGA) [96,97], and CGRAs [98,99,100]. Open-source projects for the documentation of FPGA architectures are models of community collaboration [70,101]. FPGA manufacturers contribute to their own open-source projects too [102]. This trend places more security responsibilities on FPGA manufacturers. However, due to their trusted status, few research efforts consider the role of FPGA manufacturers in the security model 9.
Left Shift of the Design Process: To reduce the development cost of FPGA systems, design methods such as HLS and block design have been widely adopted [103,104,105]. Shifting FPGA system design to the left reduces the hardware development cost, enabling software designers and algorithm designers to conveniently utilize FPGAs for operations such as AI acceleration. Consequently, the security verification and evaluation stages should also be shifted to the left to adapt to this trend [106].

3.1.3. Alteration of Market Model

Expansion of Market Roles: With the development of machine learning technologies, a growing number of researchers have realized that traditional application models and security patterns cannot meet the requirements of modern FPGA security analysis [12,14,15]. The currently proposed application models only analyze the security matrix from the perspective of the application side. Therefore, we incorporate the FPGA chip design and manufacturing stage into the models and repropose the market model, as shown in Figure 4. The market participants of the FPGA application model include the following:
  • Supply Side: Suppliers are the core force in the FPGA market and responsible for the research, development, production, and sales of FPGA products and development EDA tools.
  • Third-Party Providers: With the growth of the open-source community, third-party IP cores and open-source EDA development software have emerged, presenting more options to application developers.
  • Application Side: The application side is composed of expert teams tasked with developing customized applications based on FPGAs and EDA software. The application side includes FPGA cloud services [30,107] and board-level application modes.
  • Client Side: Clients purchase FPGA-based solutions for specific requirements.
More Participation of Third-Party Providers: Third-party providers play an increasingly crucial role in the FPGA ecosystem. Third-party IP cores [102] enable quick function integration into FPGA designs. Open-source EDA development software [108,109,110], on the other hand, offers an alternative to the proprietary tools provided by FPGA manufacturers. These offerings not only benefit small-scale developers but also encourage the development of new design techniques within the FPGA community.
Summarizing the structural features, application characteristics, application models, and market participants of FPGAs facilitates a more targeted analysis of FPGA security. It allows for a more efficient organization of existing research findings, leading to more accurate conclusions. In the subsequent sections, we will conduct a comprehensive review of FPGA security research in the era of AI.

3.2. FPGA Security in the Era of AI

By reviewing the articles on FPGA security research, we summarize the recent research trends regarding the main threats that FPGAs face, as shown in Figure 5.

3.2.1. Heterogeneity Challenges

Heterogeneous architectures challenge common assumptions about isolation and security boundaries. They require security mechanisms to protect interactions between different heterogeneous components.
In addition, attacks propagate through heterogeneous devices. The AXI communication bus inside the SOC-FPGA architecture [111] could be exploited by attackers. Covert channels between independent devices have been detected [112]. Attacks may launch an attack from FPGA to CPU and vice versa. Ref. [113] demonstrates that the embedded processor core is vulnerable to voltage drops generated by the FPGA logic. Ref. [114] shows that the integrated platform is indeed vulnerable to prime-and-probe attacks from the FPGA targeting the CPU’s last-level cache. Refs. [60,115] highlight efficient attacks on the traditional Trusted Execution Environment (TEE). The existing trust execution environments should be upgraded.
Protection research:
Heterogeneous architectures bring risks to configuration security and interface security.
To address the risks in configuration security, Zero Trust Architecture (ZTA) should be investigated. Unlike traditional static authorization methods, ZTA does not inherently trust COTS FPGA products, enabling it to ensure the security of heterogeneous systems in scenarios where boundaries are breached [116,117,118].
To improve interface security, TEEs for FPGAs in remote computing have attracted wide attention [119,120,121,122,123]. Ref. [124] involved a provisioning service to establish trust. Ref. [125] presented a hardware/software security architecture for domain isolation in FPGA clouds.

3.2.2. Open-Source Risks

In recent years, the growth of the open-source environment has made it almost impossible for commercial FPGAs to rely on non-public bitstream structures to prevent reverse engineering, as demonstrated by project such as IceStorm [101] and X-Ray [100]. Numerous examples indicate that as long as the plaintext bitstream can be obtained, reverse engineering can be carried out [126,127]. Therefore, protecting the plaintext bitstream is key to prevention.
The agile chip design approach and open-source environments pose the risk of introducing hardware Trojans. The lightweight hardware Trojan proposed by [128] achieved an attack on an FPGA cloud platform at a relatively low cost. Additionally, research on implanting hardware Trojans into AI models implemented on single-chip FPGA accelerators is also highly active [129,130]. When activated, these HTs can result in significant degradation in inference accuracy or erroneous inference. Ref. [131] introduced several HT models proposed for the floating-point multiplier. Ref. [132] targeted specific IP cores used by processors implemented on FPGAs.
Protection research:
Logic security protection mainly relies on the hardware Trojan detection technique. Hardware Trojan detection through neural network algorithms can overcome difficulties such as the small size and strong concealment of HTs [133,134,135,136,137]. Several AI algorithms are employed, such as GNN or GCN. HT detection on FPGA SoC [138,139,140] or CGRA [141] is attracting growing attention. Another HT detection technique is run-time detection through electro-magnetic (EM) radiation [142,143,144] or power-supply noise monitoring [145].

3.2.3. Cloud Platform Remote Attacks

Heterogeneous computing platforms, along with cloud platform owners and tenant clients, promote remote attacks. High-speed communication interfaces, such as PCIE in distributed embedded systems [146,147] and shared power channels [112], all pose risks of information leakage. Modern shared-FPGA systems are vulnerable to side-channel attacks or fault injection attacks even without physical access [148,149,150,151,152,153,154]. ML algorithms implemented by FPGA acceleration have emerged as significant targets of remote attacks, including their structures, intermediate parameters, and computational results [155,156,157].
These remote attacks can reconstruct the layer and hyper-parameter sequence of neural networks, extract secret keys, or compromise data transfers.
Protection research:
Leakage caused by remote attacks has drawn the attention of researchers in physical security protection technologies.
Ref. [158] introduced “soft protection” against side-channel attacks at the logical level. Additionally, technologies have emerged for side-channel protection by utilizing the routing algorithms of EDA tools [159], dynamic power prediction [160], simulation methodology [161] and the unique dynamic reconfigurable characteristics [162] of FPGAs.

4. Security Measures of FPGA Manufacturers

Although the research on protection measures on the application side is of great importance, we believe that FPGA manufacturers play a fundamental role. Initially, FPGA chips did not integrate favorable protection technologies to ensure the security of user designs during the interview process. With the increasing awareness of FPGA security, FPGA chip manufacturers have integrated encryption algorithms and other security measures in the configuration module to ensure the security of user designs.

4.1. Traditional Security Measures of COTS FPGAs

4.1.1. Resist Configuration Security Threats

FPGA chip manufacturers do not adopt special methods to protect the bitstream from being accessed. Instead, they use cryptographic algorithms to ensure the security of user designs and resist the risks of reverse engineering.
The FPGA chips prior to the Xilinx Virtex series did not employ cryptographic technologies. Starting from the Virtex-II series launched in 2001, cryptographic algorithms were integrated to protect user designs. The Virtex4 and Virtex5 series [163,164] of FPGAs integrated the AES-256 algorithm. Beginning with the Xilinx 7 series of FPGAs, an authentication mechanism was added [165]. The Ultrascale+ series of FPGAs changed the HMAC authentication mechanism of the 7 series to the RSA authentication mechanism [166] and changed the mode from CBC to GCM to further enhance the security performance.
Intel Corporation (formerly Altera Corporation) also uses the AES algorithm as the main cryptographic algorithm. The AES encryption algorithm modes used in Intel’s modern FPGA products are shown in the following table [75]. For older devices prior to 40 nm, such as Cyclone III LS, only BBRAM is provided for key storage, while for devices after 40 nm, both volatile and non-volatile key storage are available.
Compared with the top two mainstream SRAM-based FPGA chip manufacturers, the cryptographic algorithms applied by Lattice and Microchip (formerly Microsemi) are more flexible.
In 2019, Lattice added an unchangeable security module to MachXO3D. This module provides a hardware root of trust and pre-verification encryption functions, such as the ECDSA algorithm, the ECIES-integrated encryption scheme, the AES-256 encryption algorithm, the HMAC authentication algorithm, etc. [167]. Since the Nexus technology platform was launched in 2019, FPGAs such as Certus-NX, CrossLink-NX, and Certus Pro-NX based on Nexus have been using the AES-256 algorithm, the HMAC authentication algorithm, and the ECDSA algorithm, etc. to ensure security. Table 2 shows the security measures used in COTS FPGA products.
Microchip’s PolarFire series FPGAs support multiple encryption algorithms, including AES128/192/256, SHA2-224/256/384/512, HMAC authentication algorithm, RSA/DSA, and ECDSA digital signature algorithm [168]. SmartFusion2 and GLOO2 series FPGAs have a built-in SHA-256 engine to protect data security [169]. Microchip is the only FPGA supplier that provides an encryption mechanism for the key. In the IGLOO2 series, the keys are even mandatorily encrypted, establishing a mandatory mechanism of using keys to load keys [172]. In addition, Microchip does not store key values directly. Instead, it adopts an SRAM-PUF technology called Intrinsic-ID™. When powered, it uses the PUF to dynamically reconfigure the keys, thus eliminating the possibility of directly reading the keys.

4.1.2. Resist Interface Security Threats

The readback mechanism can directly obtain the bitstream, which undoubtedly poses a security risk. Almost all companies turn off readback port when users choose to use the encrypted configuration mode, including Xilinx, Intel, and Lattice. When applying the encrypted mode, Intel’s 20-nm FPGAs further added the control function of access rights to the JTAG port [75].
Only Microchip’s FPGAs provide a verification mechanism for disabling readback debugging. When the code stream is encrypted, Microchip’s FPGAs use the “lock-bits” configuration to control whether to disable the readback debugging function, and the “lock-bits” can only be configured when the correct key verification is successful [172].

4.1.3. Resist Physical Security Threats

After the capabilities and the substantial threats were reported [69,70,71,72], side-channel attacks began receiving attention from manufacturers. Xilinx adopted multiple means, such as pre-authentication, rolling keys, and internal self-authentication in the Ultrascale+ series, to enhance protection against DPA [166]. Lattice provided protection against side-channel attacks through Hardware Root of Trust (HRoT) functions that comply with industry standards and are encryption-agile and customizable [172]. These functions have been applied in new devices of each generation after MachXO3D. Microchip’s FPGAs use the key-tree derivation algorithm to provide DPA protection capabilities, and the key-tree derivation algorithm is available on devices with advanced security features enabled [168,169].

4.1.4. Resist Logic Security Threats

Microchip Corporation launched the DesignShield development tool [172] in 2021, thereby reducing the risks of cloning attacks, intellectual property theft, reverse engineering, or malicious Trojan intrusions. No defense measures against hardware Trojans have been found for other companies.

4.2. Securing the AI Era: Necessary Measures

FPGA manufacturers have been implementing various security measures for FPGAs and FPGA systems. However, it is not enough in the AI Era.
Table 3 summarizes the limitations of the current measures and the existing bypass approaches. Among these, research on Lattice and Microchip FPGAs is relatively scarce, but this does not mean their security measures are unbreakable. From the summary in Table 3, we can identify three key deficiencies in the security strategies of COTS FPGA devices: Trusted Execution Environments need to be upgraded; hardware Trojan detection tools are absence; side-channel protection mechanisms should be strengthened. In the following sections, we will detail our reflections on these three key deficiencies.

4.2.1. Trusted Execution Environment Upgrade

Ref. [115] evaluated the security of the current TEEs and demonstrated their insufficient security.
To address the growing security issues faced by heterogeneity architectures, SoC-FPGA security frameworks, named FPGA-TrustZone [170] and SGX-FPGA [171], were published. Today, offensive and defensive technologies are in a state of constant evolution. Security frameworks to solve the security problems of heterogeneous computing platforms require continuous attention and enhancement.

4.2.2. Hardware Trojan Detection Tools

The threat posed by HTs should not be neglected. Tools can automatically insert HTs into user designs without any a priori knowledge [58,178]. Third-party IPs can also be carriers of HT. Integrating HT detection tools into EDA development flow is a viable and economical solution.
HT detection technology applicable to the EDA process includes logic testing [134,135,136,137,179] or formal verification [180,181,182,183]. However, few manufacturers provide tools [172,184] for hardware Trojan detection in their development environments.
Automating the HT detection flow by integrating detection tools into EDA toolchains remains an important task. The inclusion of such verification steps in the development workflow not only improves efficiency but also ensures that security considerations are addressed early in the FPGA design process.

4.2.3. Side-Channel Protection Mechanisms

Current protection measures used in COTS FPGA products include advanced cryptographic algorithms. Attackers always find a way to carry out successful attacks. Ref. [72] revealed the full 256-bit key with 2000–200,000 traces. Ref. [73] recovered part of the key with less than 50 encryptions.
To improve protection ability, new efficient algorithm [73] is published which is suitable for FPGA chips design scenarios with high requirements for both performance and security. This paper designs a finite field GF(232) multiplication algorithm, and implements an efficient and highly secure FPGA configuration Bitstream decryption authentication method based on the AES256 cryptographic algorithm in CTR mode and the finite field GF(232) multiplication operation.
In addition, protection or detection schemes compatible with EDA are cost-effective and practical. Refs. [185,186] describe tools that to against side-channel attacks. Side-channel leakage detection [187,188] provides automate ways to aware side-channel attacks in the early design stages. Refs. [159,189] utilize routing process of FPGA development flow. FPGA manufacturers could consider to deploy such detection or protection measures into the development environments to provide a viable approach for users to evaluate their designs.

5. Experiments

To comprehensively validate the discussions presented in Section 4, two representative experimental studies were conducted, each targeting a distinct but complementary aspect of FPGA security.
The first set of experiments (Section 5.1) focused on hardware Trojan detection, aiming to evaluate the feasibility and accuracy of integrating intelligent detection algorithms—specifically, graph-based learning approaches such as GCN + GraphSMOTE—into FPGA electronic design automation (EDA) workflows. This section emphasizes how AI-driven techniques can enhance the reliability of FPGA design verification and early-stage trust evaluation.
The second set of experiments (Section 5.2) investigated side-channel resistance in cryptographic modules, assessing the effectiveness of improved AES-based bitstream decryption architectures under correlation power analysis (CPA). These tests aimed to demonstrate that appropriate algorithmic selection and microarchitectural countermeasures can substantially raise the security threshold of configuration circuits.
Together, these experiments provide practical verification of the protection strategies discussed earlier, illustrating both design-time (Trojan detection) and run-time (side-channel protection) perspectives on strengthening FPGA trustworthiness in the AI era.

5.1. Hardware Trojan Detection Experiments

To evaluate the effectiveness and reproducibility of the proposed hardware Trojan detection approach, we conducted a series of experiments based on Trust-Hub benchmarks. The experimental workflow follows the same architecture as that integrated into the HT-FDS (HongTu FPGA Design Suite) environment described earlier, comprising netlist conversion, feature extraction, dataset balancing with GraphSMOTE, and graph-based classification with GCN [184]. The current detection module has been completely redesigned based on a graph neural network framework, replacing earlier clustering-based methods to achieve better adaptability and generalization.

5.1.1. Dataset and Partitioning

The experiments used all gate-level and RTL-level Trojan benchmarks publicly available from Trust-Hub, covering multiple circuit families, such as RS-232, PIC16F84, and MC8051. For each circuit, the corresponding clean and Trojan-infected versions were synthesized into netlists using the HT-FDS synthesis engine.
Each dataset was randomly split into 70% for training, 15% for validation, and 15% for testing, ensuring that Trojan and normal nodes were proportionally distributed across subsets. To ensure statistical robustness, the experiments were repeated five times with different random seeds, and average values were reported.

5.1.2. Feature Extraction and Graph Construction

After synthesis, the netlist was transformed into a graph, where nodes represent logic cells (LUTs, flip-flops, multiplexers, etc.), and edges represent signal connections.
For each node, a feature vector was constructed comprising fan-in/fan-out counts within k-levels, number of flip-flops within k-levels (FF_in_x, FF_out_x), minimum distance to primary inputs and outputs (DPI, DPO), loop count (LOOP_x), and number of multiplexers and inverters (MUX_x, INV_x).
These features were automatically derived from the connectivity graph using the internal parser of HT-FDS and then normalized to zero mean and unit variance before training.

5.1.3. GraphSMOTE Balancing

As Trojan nodes typically account for less than 1% of total nodes, we applied GraphSMOTE to mitigate data imbalance. GraphSMOTE operates in the embedding space extracted by a GraphSAGE encoder, synthesizing structurally consistent minority nodes and their corresponding edges. The edge generator was trained using binary cross-entropy loss with a 0.5 threshold for edge creation, effectively preserving the circuit’s topological integrity while achieving class balance.

5.1.4. GCN-Based Classification and Training Details

The balanced graphs were fed into a two-layer Graph Convolutional Network (GCN). The first layer contained 64 hidden units with ReLU activation, followed by a dropout rate of 0.3 to prevent overfitting. The output layer used softmax activation for binary classification.
The model was trained for 200 epochs using the Adam optimizer (learning rate = 1 × 10−3, weight decay = 5 × 10−4) and cross-entropy loss as the objective function. All experiments were implemented in PyTorch Geometric (v2.4) and executed on an NVIDIA RTX 3090 GPU.

5.1.5. Evaluation Metrics and Baselines

Detection performance was evaluated using the True Positive Rate (TPR), True Negative Rate (TNR), and F1 score. Baseline models for comparison included GraphSAGE [190], Random Forest (RF) [191], and R-HTDetector [192], as well as several approaches discussed in Section 4.2.2, such as LUT-level detection methods [134], neural networks and logistic regression models [135], and Explainable Graph Neural Networks (XGNNs) [136].
As summarized in Table 4, the evaluated methods exhibit different balances between true- and false-positive control. The GCN + GraphSMOTE method achieves relatively consistent results (TPR = 96.1%, TNR = 94.0%, F1 = 88.1%), representing a typical graph-based solution rather than an optimized one, and therefore, serves mainly as a reference for later comparative analysis.
Overall, these observations suggest that graph-based models provide a viable way to represent circuit structures and information flow in hardware Trojan detection. However, their performance remains closely tied to data balance, feature design, and training scale, which highlights the continuing need for more generalizable and interpretable detection frameworks.

5.2. Side-Channel Evaluation of AES-CTR-GCM Decryption

To validate the resistance of improved configuration bitstream decryption architectures against first-order side-channel attacks, we performed illustrative correlation power analysis (CPA) tests on representative FPGA implementations of AES-based modules.
Three variants were examined:
(1)
A conventional AES-256 implementation in CBC mode;
(2)
The AES256_CCM pipelined design proposed in [193].

5.2.1. Experimental Setup

The AES256_GCM pipelined design is shown in Figure 6. It employed the AES256_CTR algorithm for the decryption implementation and the GHASH32 algorithm for the authentication module. To enhance hardware efficiency, a four-stage pipeline design strategy is employed in the AES256_CTR circuit as is shown in Figure 7. The Authentication Circuit using GMAC_GF32 algorithm using only 253 LUTs. The 4-stage pipelined AES256_CTR design consumes more resources.
All modules were developed in Verilog and synthesized using Xilinx Vivado 2021 targeting a Sakura X FPGA, the overall resource utilization (including LUTs, flip-flops, BRAMs) is presented in Figure 8. The AES256_GCM design can operate stably at a clock frequency ranging from 10 MHz to 200 MHz. For security testing here, both AES256_GCM design and AES256_CBC design are set to run at 50 MHz. The Power traces were captured through the on-board shunt resistor using a high-bandwidth differential probe connected to a 500 MS/s digital oscilloscope, with 10,000 sample points per trace.
A single-shot trigger was generated by an I/O strobe at the beginning of each decryption cycle. To reduce noise, each measurement was averaged over multiple acquisitions, and all tests were carried out under constant supply voltage and temperature. These parameters allowed reproducibility and provided a controlled environment for comparing algorithmic resistance.

5.2.2. Attack Method

All variants were analyzed using the standard Hamming-weight CPA model targeting the InvSubBytes operation of the final round.
We conducted simulations using standard test vectors provided by NIST, and the functional correctness of the cryptographic circuit was verified through these simulations. Simulations were performed using NIST standard test vectors with an initial 256-bit key of 603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4. Figure 9 presents the simulation results of the first and second blocks, demonstrating that the cryptographic circuit can correctly decrypt multiple data blocks. Power consumption collection involves transmitting and receiving plaintext-ciphertext pairs via the serial port. Serial port data confirms that GMAC_GF32 algorithm does not affect decryption functionality. Figure 10 illustrates examples of measured power consumption curves, from which it can be clearly observed whether power leakage exists.
For the AES-CBC target, 5000 ciphertext-triggered traces produced clear correlation peaks (maximum ρ ≈ 0.42), enabling full last-round byte recovery. In contrast, the AES256_GCM pipelined design—with four pipeline stages, parallel S-Box organization, and a GF(232) authentication multiplier—showed strong suppression of data-dependent leakage. Even with 100,000 traces, the maximum absolute correlation remained near the noise floor (≈0.08), and no key bytes were recovered.

5.2.3. Discussion

The results, summarized in Table 5, illustrate that the combination of counter-mode operation, pipelining, and integrated GMAC_GF32 authentication materially increased resistance to first-order CPA without compromising functional throughput. The measurements serve as an illustrative proof-of-concept, demonstrating that algorithmic and microarchitectural co-design can significantly enhance the protection of FPGA configuration decryption paths.

6. Conclusions and Future Prospects

The development of AI technology has influenced FPGAs and the entire integrated circuit industry. To keep pace with this rapid development, the FPGA industry technology is evolving in several ways. It achieves greater computing power and higher efficiency by exploring architectural optimization and expands the computing power boundary by embedding other computing chips or modules. Moreover, the design level is left-shifted, and more IP cores are introduced, which makes the development environment more convenient for algorithm engineers. During the lifecycle of FPGAs, the supply side plays a more crucial role.
Therefore, it is necessary to re-evaluate the security features of FPGA in the AI era.
In this paper, we have summarized the new application models and security patterns of FPGAs in the AI era. The optimization in FPGA architecture, changes in the application process, and the alterations in the application model led to more attack channels, diverse attack methods, and higher protection difficulty. FPGA manufacturers need to adopt relevant protection measures from the perspective of protecting the interests of end users. Additionally, FPGA manufacturers should promote FPGA product safety standards and security testing standards to standardize FPGA security. Establishing security verification and risk inspection mechanisms for chip manufacturing and improving the FPGA application development workflow can enhance the overall security of the FPGA system.
In the future, it is clear that FPGAs will play a more important role and drive potentially more significant changes. Tracking these changes, actively seeking countermeasures, and researching corresponding security technologies will be the focus of our future work.

Author Contributions

Conceptualization, J.Z.; methodology, J.Z.; software, K.X.; validation, J.Z., X.Z. and S.Z.; formal analysis, J.Z.; investigation, J.Z., X.Z., S.Z., L.C. and K.X.; resources, L.C.; data curation, K.X.; writing—original draft preparation, J.Z.; writing—review and editing, J.Z., X.Z., L.C., K.X. and S.W.; visualization, S.W.; supervision, J.Z.; project administration, J.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study.

Conflicts of Interest

Author Xiangyu Zhao is employed by the China Aerospace Science and Technology Corporation. The authors declare no conflicts of interest.

References

  1. Meng, Y.; Kuppannagari, S.; Prasanna, V. Accelerating Proximal Policy Optimization on CPU-FPGA Heterogeneous Platforms. In Proceedings of the 2020 IEEE 28th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), Fayetteville, AR, USA, 3–6 May 2020; pp. 19–27. [Google Scholar] [CrossRef]
  2. Trimberger, S. A reprogrammable gate array and applications. Proc. IEEE 1993, 81, 1030–1041. [Google Scholar] [CrossRef]
  3. AMD Solutions for Aerospace and Defense. 2025. Available online: https://www.xilinx.com/applications/aerospace-and-defense.html (accessed on 10 October 2025).
  4. Chen, L.; Zhao, Y.; Wen, Z.; Zhou, J.; Li, X.; Zhang, Y.; Sun, H. 300 Thousand Gates Single Event Effect Hardened SRAM-based FPGA for Space Application (Abstract Only). In Proceedings of the 2015 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA′15); Association for Computing Machinery: New York, NY, USA, 2015; p. 268. [Google Scholar] [CrossRef]
  5. Trimberger, S.M. Three Ages of FPGAs: A Retrospective on the First Thirty Years of FPGA Technology. Proc. IEEE 2015, 103, 318–331. [Google Scholar] [CrossRef]
  6. XILINX. VIRTEX UltraScale+ VU19P FPGA Product Brief. 2020. Available online: https://www.xilinx.com/content/dam/xilinx/publications/product-briefs/virtex-ultrascale-plus-vu19pproduct-brief.pdf (accessed on 10 October 2025).
  7. INTEL. Intel® Stratix® 10 GX 10M FPGA Product Specifications. 2020. Available online: https://www.intel.com/content/www/us/en/products/sku/210290/intel-stratix-10-gx-10mfpga/specifications.html (accessed on 10 October 2025).
  8. Duncan, A.; Rahman, F.; Lukefahr, A.; Farahmandi, F.; Tehranipoor, M. FPGA Bitstream Security: A Day in the Life. In Proceedings of the 2019 IEEE International Test Conference (ITC), Washington, DC, USA, 9–15 November 2019; pp. 1–10. [Google Scholar] [CrossRef]
  9. Zhang, J.; Qu, G. Recent Attacks and Defenses on FPGA-based Systems. ACM Trans. Reconfigurable Technol. Syst. 2019, 12, 1–24. [Google Scholar] [CrossRef]
  10. Huang, Z.; Wang, Q.; Chen, Y.; Jiang, X. A Survey on Machine Learning Against Hardware Trojan Attacks: Recent Advances and Challenges. IEEE Access 2020, 8, 10796–10826. [Google Scholar] [CrossRef]
  11. Xu, X.; Zhang, J. Rethinking FPGA Security in the New Era of Artificial Intelligence. In Proceedings of the 2020 21st International Symposium on Quality Electronic Design (ISQED), Santa Clara, CA, USA, 25–26 March 2020; pp. 46–51. [Google Scholar] [CrossRef]
  12. Turan, F.; Verbauwhede, I. Trust in FPGA-accelerated Cloud Computing. ACM Comput. Surv. 2020, 53, 128. [Google Scholar] [CrossRef]
  13. Matas, K.; La, T.; Grunchevski, N.; Pham, K.; Koch, D. Invited Tutorial: FPGA Hardware Security for Datacenters and Beyond. In Proceedings of the 2020 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA′20); Association for Computing Machinery: New York, NY, USA, 2020; pp. 11–20. [Google Scholar] [CrossRef]
  14. Sunkavilli, S.; Zhang, Z.; Yu, Q. New Security Threats on FPGAs: From FPGA Design Tools Perspective. In Proceedings of the 2021 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Tampa, FL, USA, 7–9 July 2021; pp. 278–283. [Google Scholar] [CrossRef]
  15. Dessouky, G.; Sadeghi, A.-R.; Zeitouni, S. SoK: Secure FPGA Multi-Tenancy in the Cloud: Challenges and Opportunities. In Proceedings of the 2021 IEEE European Symposium on Security and Privacy (EuroS&P), Vienna, Austria, 6–10 September 2021; pp. 487–506. [Google Scholar] [CrossRef]
  16. Duan, S.; Wang, W.; Luo, Y.; Xu, X. A Survey of Recent Attacks and Mitigation on FPGA Systems. In Proceedings of the 2021 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Tampa, FL, USA, 7–9 July 2021; pp. 284–289. [Google Scholar] [CrossRef]
  17. Pan, Z.; Mishra, P. A Survey on Hardware Vulnerability Analysis Using Machine Learning. IEEE Access 2022, 10, 49508–49527. [Google Scholar] [CrossRef]
  18. Alrahis, L.; Patnaik, S.; Shafique, M.; Sinanoglu, O. Embracing Graph Neural Networks for Hardware Security. In Proceedings of the 41st IEEE/ACM International Conference on Computer-Aided Design (ICCAD′22); Association for Computing Machinery: New York, NY, USA, 2022; pp. 1–9. [Google Scholar] [CrossRef]
  19. Hasnain, A.; Asfia, Y.; Khawaja, S.G. Power profiling-based side-channel attacks on FPGA and Countermeasures: A survey. In Proceedings of the 2022 2nd International Conference on Digital Futures and Transformative Technologies (ICoDT2), Rawalpindi, Pakistan, 24–26 May 2022; pp. 1–8. [Google Scholar] [CrossRef]
  20. Naghibijouybari, H.; Koruyeh, E.M.; Abu-Ghazaleh, N. Microarchitectural Attacks in Heterogeneous Systems: A Survey. ACM Comput. Surv. 2022, 55, 142. [Google Scholar] [CrossRef]
  21. Mahmoud, D.G.; Lenders, V.; Stojilović, M. Electrical-Level Attacks on CPUs, FPGAs, and GPUs: Survey and Implications in the Heterogeneous Era. ACM Comput. Surv. 2022, 55, 58. [Google Scholar] [CrossRef]
  22. Köylü, T.Ç.; Reinbrecht, C.R.W.; Gebregiorgis, A.; Hamdioui, S.; Taouil, M. A Survey on Machine Learning in Hardware Security. J. Emerg. Technol. Comput. Syst. 2023, 19, 18. [Google Scholar] [CrossRef]
  23. Koblah, D.S.; Acharya, R.Y.; Capecci, D.; Dizon-Paradis, O.P.; Tajik, S.; Ganji, F.; Woodard, D.L.; Forte, D. A Survey and Perspective on Artificial Intelligence for Security-Aware Electronic Design Automation. ACM Trans. Des. Autom. Electron. Syst. 2023, 28, 16. [Google Scholar] [CrossRef]
  24. Proulx, A.; Chouinard, J.-Y.; Fortier, P.; Miled, A. A Survey on FPGA Cybersecurity Design Strategies. ACM Trans. Reconfigurable Technol. Syst. 2023, 16, 20. [Google Scholar] [CrossRef]
  25. Rosero-Montalvo, P.D.; István, Z.; Hernandez, W. A Survey of Trusted Computing Solutions Using FPGAs. IEEE Access 2023, 11, 31583–31593. [Google Scholar] [CrossRef]
  26. Erata, F.; Deng, S.; Zaghloul, F.; Xiong, W.; Demir, O.; Szefer, J. Survey of Approaches and Techniques for Security Verification of Computer Systems. J. Emerg. Technol. Comput. Syst. 2023, 19, 6. [Google Scholar] [CrossRef]
  27. Lin, R.; Fu, Y.; Yi, W.; Yang, J.; Cao, J.; Dong, Z.; Xie, F.; Li, H. Vulnerabilities and Security Patches Detection in OSS: A Survey. ACM Comput. Surv. 2024, 57, 23. [Google Scholar] [CrossRef]
  28. Abideen, Z.U.; Gokulanathan, S.; Aljafar, M.J.; Pagliarini, S. An overview of FPGA-inspired obfuscation techniques. ACM Comput. Surv. 2024, 56, 299. [Google Scholar] [CrossRef]
  29. Ahmed, M.K.; Kealoha, M.P.; Mbongue, J.M.; Saha, S.K.; Tchinda, E.N.; Mbua, P.E.; Bobda, C. Multi-Tenant Cloud FPGA: A Survey on Security, Trust, and Privacy. ACM Trans. Reconfigurable Technol. Syst. 2025, 18, 23. [Google Scholar] [CrossRef]
  30. Tan, Z.; Chen, L.; Li, X.; Sun, H.; Sun, J.; Xu, H. A Multi-mode Configuration Circuit Design for SoPC. In Proceedings of the 2022 IEEE 6th Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), Beijing, China, 3–5 October 2022; pp. 1198–1205. [Google Scholar] [CrossRef]
  31. Tian, C.; Chen, L.; Wang, Y.; Wang, S.; Zhou, J.; Pang, Y.; Du, Z. A Survey on FPGA Electronic Design Automation Technology Based on Machine Learning. J. Electron. Inf. Technol. 2023, 45, 1–13. [Google Scholar]
  32. Du, B.; Sterpone, L.; Codinachs, D.M. A new EDA flow for the mitigation of SEUs in dynamic reconfigurable FPGAs. In Proceedings of the 2016 21th IEEE European Test Symposium (ETS), Amsterdam, The Netherlands, 23–27 May 2016; pp. 1–2. [Google Scholar] [CrossRef]
  33. Wollinger, T.; Guajardo, J.; Paar, C. Security on FPGAs: State-of-the-art implementations and attacks. ACM Trans. Embed. Comput. Syst. 2004, 3, 534–574. [Google Scholar] [CrossRef]
  34. Saar, D. Volatile FPGA Design Security—A Survey. Available online: https://saardrimer.com/sd410/papers/fpga_security.pdf (accessed on 17 April 2008).
  35. Actel. Understanding Actel Antifuse Device Security. 2004. Available online: www.actel.com/documents/AntifuseSecurityWP.pdf (accessed on 10 October 2025).
  36. Jiaojiao, T.; Min, X. MRUC Method for FPGA Configuration. In Proceedings of the 2018 IEEE 3rd Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), Chongqing, China, 12–14 October 2018; pp. 709–712. [Google Scholar] [CrossRef]
  37. Gao, T.; Xu, X.; Zhang, H.; Yang, H. A highly-integrated wireless configuration circuit for FPGA chip. In Proceedings of the 2014 International Symposium on Integrated Circuits (ISIC), Singapore, 10–12 December 2014; pp. 260–263. [Google Scholar] [CrossRef]
  38. David, R. XAPP1292 Loading Partial Bitstreams Using TFTP. Available online: https://www.xilinx.com/member/forms/download/design-license.html?cid=472824&filename=xapp1292-loading-partial-bitstreams-using-tftp.pdf (accessed on 5 October 2016).
  39. Vliegen, J.; Mentens, N.; Verbauwhede, I. Secure, Remote, Dynamic Reconfiguration of FPGAs. ACM Trans. Reconfigurable Technol. Syst. 2014, 7, 35. [Google Scholar] [CrossRef]
  40. XAPP151, Virtex Series Configuration Architecture User Guide. Available online: https://docs.amd.com/v/u/en-US/xapp151 (accessed on 20 October 2004).
  41. Ender, M.; Moradi, A.; Paar, C. The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs. arXiv 2021, arXiv:2105.13756. [Google Scholar] [CrossRef]
  42. Ender, M.; Leander, G.; Moradi, A.; Paar, C. A Cautionary Note on Protecting Xilinx’ UltraScale(+) Bitstream Encryption and Authentication Engine. In Proceedings of the 2022 IEEE 30th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), New York, NY, USA, 15–18 May 2022; pp. 1–9. [Google Scholar]
  43. Note, J.-B.; Rannaud, É. From the bitstream to the netlist. Proc. FPGA 2008, 8, 264. [Google Scholar]
  44. Benz, F.; Seffrin, A.; Huss, S.A. BIL: A tool-chain for bitstream reverse-engineering. In Proceedings of the 22nd International Conference on Field Programmable Logic and Applications (FPL), Oslo, Norway, 29–31 August 2012; pp. 735–738. [Google Scholar]
  45. Ding, Z.; Wu, Q.; Zhang, Y.; Zhu, L. Deriving an NCD file from an FPGA bitstream: Methodology, architecture and evaluation. Microprocess. Microsyst. 2013, 37, 299–312. [Google Scholar] [CrossRef]
  46. Pham, K.D.; Horta, E.; Koch, D. BITMAN: A tool and API for FPGA bitstream manipulations. In Proceedings of the Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017, Lausanne, Switzerland, 27–31 March 2017; pp. 894–897. [Google Scholar]
  47. Yoon, J.; Seo, Y.; Jang, J.; Cho, M.; Kim, J.; Kim, H.; Kwon, T. A bitstream reverse engineering tool for FPGA hardware trojan detection. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security; Association for Computing Machinery: New York, NY, USA, 2018; pp. 2318–2320. [Google Scholar]
  48. Zhang, T.; Tehranipoor, M.; Farahmandi, F. BitFREE: On significant speedup and security applications of FPGA bitstream format reverse engineering. In Proceedings of the 2023 IEEE European Test Symposium (ETS), Venezia, Italy, 22–26 May 2023; pp. 1–6. [Google Scholar]
  49. McKendrick, R.; Simpson, C.; Nelson, B.; Goeders, J. Leveraging FPGA primitives to improve word reconstruction during netlist reverse engineering. In Proceedings of the 2022 International Conference on Field-Programmable Technology (ICFPT), Hong Kong, 5–9 December 2022; pp. 1–5. [Google Scholar]
  50. Perumalla, A.; Stowasser, H.; Emmert, J.M. Fast FPGA Reverse Engineering for Hardware Metering and Fingerprinting. In Proceedings of the NAECON 2023-IEEE National Aerospace and Electronics Conference, Dayton, OH, USA, 28–31 August 2023; pp. 147–151. [Google Scholar]
  51. Jeong, M.; Lee, J.; Jung, E.; Kim, Y.H.; Cho, K. Extract LUT logics from a downloaded bitstream data in FPGA. In Proceedings of the 2018 IEEE International Symposium on Circuits and Systems (ISCAS), Florence, Italy, 27–30 May 2018; pp. 1–5. [Google Scholar]
  52. Kashani, S.; Emami, M.; Larus, J.R. Bitfiltrator: A general approach for reverse-engineering Xilinx bitstream formats. In Proceedings of the 2022 32nd International Conference on Field-Programmable Logic and Applications (FPL), Belfast, UK, 29 August–2 September 2022; pp. 1–8. [Google Scholar]
  53. Im, N.; Choi, S.; Yoo, H. S-Box attack using FPGA reverse engineering for lightweight cryptography. IEEE Internet Things J. 2022, 9, 25165–25180. [Google Scholar] [CrossRef]
  54. Choi, S.; Yeo, J.; Yoo, H. Extraction of ROM Data from Bitstream in Xilinx FPGA. In Proceedings of the 2020 International SoC Design Conference (ISOCC), Yeosu, Republic of Korea, 21–24 October 2020; pp. 97–98. [Google Scholar]
  55. Zhang, T.; Wang, J.; Chen, Z. A reverse engineering-based framework assisting hardware Trojan detection for encrypted Ips. In Proceedings of the 2018 Eighth International Conference on Instrumentation & Measurement, Computer, Communication and Control (IMCCC), Harbin, China, 19–21 July 2018; pp. 1649–1652. [Google Scholar]
  56. Agrawal, D.; Baktir, S.; Karakoyunlu, D. Trojan Detection using IC Fingerprinting. In Proceedings of the IEEE Symposium on Security and Privacy (SSP’07), Berkeley, CA, USA, 20–23 May 2007; pp. 296–310. [Google Scholar]
  57. Baumgarten, A.; Steffen, M.; Clausman, M.; Zambreno, J. A case study in hardware Trojan design and implementation. Int. J. Inf. Secur. 2011, 10, 1–14. [Google Scholar] [CrossRef]
  58. Zhang, J.; Yuan, F.; Xu, Q. DeTrust: Defeating hardware trust verification with stealthy implicitly-triggered hardware Trojans. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS′14); Association for Computing Machinery: New York, NY, USA, 2014; pp. 153–166. [Google Scholar]
  59. Giri, N.; Anandakumar, N.N. Design and Analysis of Hardware Trojan Threats in Reconfigurable Hardware. In Proceedings of the 2020 International Conference on Emerging Trends in Information Technology and Engineering (ic-ETITE), Vellore, India, 24–25 February 2020; pp. 1–5. [Google Scholar] [CrossRef]
  60. Benhani, E.M.; Bossuet, L.; Aubert, A. The Security of ARM TrustZone in a FPGA-Based SoC. IEEE Trans. Comput. 2019, 68, 1238–1248. [Google Scholar] [CrossRef]
  61. Ender, M.; Swierczynski, P.; Wallat, S.; Wilhelm, M.; Knopp, P.M.; Paar, C. Insights into the mind of a trojan designer: The challenge to integrate a trojan into the bitstream. In Proceedings of the 2019 24th Asia and South Pacific Design Automation Conference (ASP-DAC), Tokyo, Japan, 21–24 January 2019; pp. 112–119. [Google Scholar]
  62. Chakraborty, R.S.; Saha, I.; Palchaudhuri, A.; Naik, G.K. Hardware trojan insertion by direct modification of FPGA configuration bitstream. IEEE Des. Test 2013, 30, 45–54. [Google Scholar] [CrossRef]
  63. Zhang, Z.; Njilla, L.; Kamhoua, C.A.; Yu, Q. Thwarting Security Threats from Malicious FPGA Tools with Novel FPGA-Oriented Moving Target Defense. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 2019, 27, 665–678. [Google Scholar] [CrossRef]
  64. Krieg, C.; Wolf, C.; Jantsch, A. Malicious LUT: A Stealthy FPGA Trojan Injected and Triggered by the Design Flow. In Proceedings of the 2016 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), Austin, TX, USA, 7–10 November 2016. [Google Scholar]
  65. Standaert, F.X.; van Oldeneel tot Oldenzeel, L.; Samyde, D.; Quisquater, J.J. Power analysis of FPGAs: How practical is the attack? In Proceedings of the Field Programmable Logic and Application: 13th International Conference, FPL 2003, Lisbon, Portugal, 2 September 2003; Proceedings 13; Springer: Berlin/Heidelberg, Germany, 2003; pp. 701–710. [Google Scholar]
  66. Archambeau, C.; Peeters, E.; Standaert, F.X.; Quisquater, J.J. Template attacks in principal subspaces. In Proceedings of the Cryptographic Hardware and Embedded Systems-CHES 2006: 8th International Workshop, Yokohama, Japan, 10–13 October 2006; Proceedings 8; Springer: Berlin/Heidelberg, Germany, 2006; pp. 1–14. [Google Scholar]
  67. Mukhtar, N.; Mehrabi, M.A.; Kong, Y.; Anjum, A. Machine-learning-based side-channel evaluation of elliptic-curve cryptographic FPGA processor. Appl. Sci. 2018, 9, 64. [Google Scholar] [CrossRef]
  68. Zhao, M.; Suh, G.E. FPGA-based remote power side-channel attacks. In Proceedings of the 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 20–24 May 2018; pp. 229–244. [Google Scholar]
  69. Moradi, A.; Barenghi, A.; Kasper, T.; Paar, C. On the vulnerability of FPGA bitstream encryption against power analysis attacks: Extracting keys from xilinx Virtex-II FPGAs. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS′11); Association for Computing Machinery: New York, NY, USA, 2011; pp. 111–124. [Google Scholar]
  70. Moradi, A.; Oswald, D.; Paar, C.; Swierczynski, P. Side-channel attacks on the bitstream encryption mechanism of Altera Stratix II: Facilitating black-box analysis using software reverse-engineering. In Proceedings of the ACM/SIGDA International Symposium on Field Programmable Gate Arrays (FPGA′13); Association for Computing Machinery: New York, NY, USA, 2013; pp. 91–100. [Google Scholar]
  71. Swierczynski, P.; Moradi, A.; Oswald, D.; Paar, C. Physical Security Evaluation of the Bitstream Encryption Mechanism of Altera Stratix II and Stratix III FPGAs. ACM Trans. Reconfigurable Technol. Syst. 2014, 7, 34. [Google Scholar] [CrossRef]
  72. Moradi, A.; Schneider, T. Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series. In Constructive Side-Channel Analysis and Secure Design; Standaert, F.X., Oswald, E., Eds.; COSADE 2016; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2016; Volume 9689. [Google Scholar] [CrossRef]
  73. Hettwer, B.; Leger, S.; Fennes, D.; Gehrer, S.; Güneysu, T. Side-channel analysis of the xilinx zynq ultrascale+ encryption engine. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021, 2021, 279–304. [Google Scholar] [CrossRef]
  74. Brian, T. Microchip Further Protects FPGA-based Designs with First Tool that Combats Major Industry Threat to System Security in the Field. Available online: https://www.microchip.com/en-us/about/news-releases/products/microchip-further-protects-fpga-based-designs-with-first-tool-th (accessed on 1 June 2021).
  75. Using the Design Security Features in Intel® FPGAs, (intel.com). Available online: https://www.intel.com/content/www/us/en/docs/programmable/683269/current/using-the-design-security-features-in-fpgas.html (accessed on 10 October 2025).
  76. Della Sala, R.; Bellizia, D.; Scotti, G. A Lightweight FPGA Compatible Weak-PUF Primitive Based on XOR Gates. IEEE Trans. Circuits Syst. II Express Briefs 2022, 69, 2972–2976. [Google Scholar] [CrossRef]
  77. PolarFire Family FPGA Security User Guide. 2025 Microchip Technology Inc. and Its Subsidiaries. DS60001726. Available online: https://www.microchip.com/content/dam/mchp/documents/FPGA/ProductDocuments/UserGuides/Microchip_PolarFire_FPGA_and_PolarFire_SoC_FPGA_Security_User_Guide_VA%20(2).pdf (accessed on 10 October 2025).
  78. Farahmand, F.; Sharif, M.U.; Briggs, K.; Gaj, K. A High-Speed Constant-Time Hardware Implementation of NTRUEncrypt SVES. In Proceedings of the 2018 International Conference on Field-Programmable Technology (FPT), Naha, Japan, 10–14 December 2018; pp. 190–197. [Google Scholar] [CrossRef]
  79. Yuan, Z.; Wang, Y.; Li, J.; Li, R.; Zhao, W. FPGA based optimization for masked AES implementation. In Proceedings of the 2011 IEEE 54th International Midwest Symposium on Circuits and Systems (MWSCAS), Seoul, Republic of Korea, 7–10 August 2011; pp. 1–4. [Google Scholar] [CrossRef]
  80. Zhao, Y.; Pan, S.; Ma, H.; Gao, Y.; Song, X.; He, J.; Jin, Y. Side Channel Security Oriented Evaluation and Protection on Hardware Implementations of Kyber. IEEE Trans. Circuits Syst. I Regul. Pap. 2023, 70, 5025–5035. [Google Scholar] [CrossRef]
  81. Amouri, E.; Bhasin, S.; Mathieu, Y.; Graba, T.; Danger, J.-L.; Mehrez, H. Balancing WDDL dual-rail logic in a tree-based FPGA to enhance physical security. In Proceedings of the 2014 24th International Conference on Field Programmable Logic and Applications (FPL), Munich, Germany, 2–4 September 2014; pp. 1–4. [Google Scholar] [CrossRef]
  82. Yazdanshenas, S.; Betz, V. COFFE 2: Automatic Modelling and Optimization of Complex and Heterogeneous FPGA Architectures. ACM Trans. Reconfigurable Technol. Syst. 2019, 12, 3. [Google Scholar] [CrossRef]
  83. Roorda, E.; Rasoulinezhad, S.; Leong, P.H.W.; Wilton, S.J.E. FPGA Architecture Exploration for DNN Acceleration. ACM Trans. Reconfigurable Technol. Syst. 2022, 15, 33. [Google Scholar] [CrossRef]
  84. Li, Y.; Li, X.; Shen, H.; Fan, J.; Xu, Y.; Huang, K. An All-digital Compute-in-memory FPGA Architecture for Deep Learning Acceleration. ACM Trans. Reconfigurable Technol. Syst. 2024, 17, 18. [Google Scholar] [CrossRef]
  85. Shi, K.; Zhou, H.; Wang, L. VIB: A Versatile Interconnection Block for FPGA Routing Architecture. In Proceedings of the 2023 International Conference on Field Programmable Technology (ICFPT), Yokohama, Japan, 12–14 December 2023; pp. 79–87. [Google Scholar] [CrossRef]
  86. Mishra, A.; Rao, N.; Gore, G.; Tang, X. Architectural Exploration of Heterogeneous FPGAs for Performance Enhancement of ML Benchmarks. In Proceedings of the 2023 IEEE Asia Pacific Conference on Circuits and Systems (APCCAS), Hyderabad, India, 19–22 November 2023; pp. 232–235. [Google Scholar] [CrossRef]
  87. Ebrahimi, Z.; Kumar, A. BioCare: An Energy-Efficient CGRA for Bio-Signal Processing at the Edge. In Proceedings of the 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Republic of Korea, 22–28 May 2021; pp. 1–5. [Google Scholar] [CrossRef]
  88. Luo, Y.; Tan, C.; Agostini, N.B.; Li, A.; Tumeo, A.; Dave, N.; Geng, T. ML-CGRA: An Integrated Compilation Framework to Enable Efficient Machine Learning Acceleration on CGRAs. In Proceedings of the 2023 60th ACM/IEEE Design Automation Conference (DAC), San Francisco, CA, USA, 9–13 July 2023; pp. 1–6. [Google Scholar] [CrossRef]
  89. Akbari, O.; Kamal, M.; Afzali-Kusha, A.; Pedram, M.; Shafique, M. X-CGRA: An Energy-Efficient Approximate Coarse-Grained Reconfigurable Architecture. IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 2020, 39, 2558–2571. [Google Scholar] [CrossRef]
  90. Zhu, Z.; Zhang, J.; Zhao, J.; Cao, J.; Zhaoa, D.; Jia, G.; Meng, Q. A Hardware and Software Task-Scheduling Framework Based on CPU+FPGA Heterogeneous Architecture in Edge Computing. IEEE Access 2019, 7, 148975–148988. [Google Scholar] [CrossRef]
  91. Tanaka, K.; Arikawa, Y.; Ito, T.; Morita, K.; Nemoto, N.; Miura, F.; Terada, K.; Teramoto, J.; Sakamoto, T. Communication-Efficient Distributed Deep Learning with GPU-FPGA Heterogeneous Computing. In Proceedings of the 2020 IEEE Symposium on High-Performance Interconnects (HOTI), Piscataway, NJ, USA, 19–21 August 2020; pp. 43–46. [Google Scholar] [CrossRef]
  92. Wade, M.; Anderson, E.; Ardalan, S.; Bhargava, P.; Buchbinder, S.; Davenport, M.L.; Fini, J.; Lu, H.; Li, C.; Meade, R.; et al. TeraPHY: A Chiplet Technology for Low-Power, High-Bandwidth In-Package Optical I/O. IEEE Micro 2020, 40, 63–71. [Google Scholar] [CrossRef]
  93. Sarvey, T.E.; Kaul, A.; Rajan, S.K.; Dasu, A.; Gutala, R.; Bakir, M.S. Microfluidic Cooling of a 14-nm 2.5-D FPGA With 3-D Printed Manifolds for High-Density Computing: Design Considerations, Fabrication, and Electrical Characterization. IEEE Trans. Compon. Packag. Manuf. Technol. 2019, 9, 2393–2403. [Google Scholar] [CrossRef]
  94. Tang, X.; Giacomin, E.; Chauviere, B.; Alacchi, A.; Gaillardon, P.-E. OpenFPGA: An Open-Source Framework for Agile Prototyping Customizable FPGAs. IEEE Micro 2020, 40, 41–48. [Google Scholar] [CrossRef]
  95. Evans, A.; Fuguet, C.; Million, D. Invited Paper: Open Source Heterogeneous Chiplet-Based Computing Architectures. In Proceedings of the 2024 ACM/IEEE International Conference On Computer Aided Design (ICCAD), Newark, NJ, USA, 27–31 October 2024; pp. 1–8. [Google Scholar] [CrossRef]
  96. Chung, K.L.; Dao, N.; Yu, J.; Koch, D. How to shrink my fpgas—Optimizing tile interfaces and the configuration logic in fabulous fpga fabrics. In Proceedings of the 2022 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays, FPGA′22; Association for Computing Machinery: New York, NY, USA, 2022; pp. 13–23. [Google Scholar] [CrossRef]
  97. Li, A.; Wentzlaff, D. PRGA: An Open-Source FPGA Research and Prototyping Framework. In Proceedings of the 2021 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA′21); Association for Computing Machinery: New York, NY, USA, 2021; pp. 127–137. [Google Scholar] [CrossRef]
  98. Anderson, J.; Beidas, R.; Chacko, V.; Hsiao, H.; Ling, X.; Ragheb, O.; Wang, X.; Yu, T. CGRA-ME: An Open-Source Framework for CGRA Architecture and CAD Research: (Invited Paper). In Proceedings of the 2021 IEEE 32nd International Conference on Application-Specific Systems, Architectures and Processors (ASAP), Virtual, 7–9 July 2021; pp. 156–162. [Google Scholar] [CrossRef]
  99. Tan, C.; Xie, C.; Li, A.; Barker, K.J.; Tumeo, A. OpenCGRA: An Open-Source Unified Framework for Modeling, Testing, and Evaluating CGRAs. In Proceedings of the 2020 IEEE 38th International Conference on Computer Design (ICCD), Hartford, CT, USA, 18–21 October 2020; pp. 381–388. [Google Scholar] [CrossRef]
  100. F4PGA (Formerly SymbiFlow). Project X-Ray. 2018. Available online: https://prjxray.readthedocs.io/en/latest/ (accessed on 10 October 2025).
  101. Wolf, C.; Lasser, M. Project IceStorm. 2015. Available online: https://www.clifford.at/icestorm/ (accessed on 10 October 2025).
  102. Python Productivity for Zynq. Available online: https://pynq.readthedocs.io/en/latest/index.html (accessed on 10 October 2025).
  103. Azzaz, M.S.; Maali, A.; Kaibou, R.; Kakouche, I.; Saad, M.; Hamil, H. FPGA HW/SW Codesign Approach for Real-time Image Processing Using HLS. In Proceedings of the 2020 1st International Conference on Communications, Control Systems and Signal Processing (CCSSP), El Oued, Algeria, 16–17 May 2020; pp. 169–174. [Google Scholar] [CrossRef]
  104. Zhang, Y.; Pan, J.; Liu, X.; Chen, H.; Chen, D.; Zhang, Z. FracBNN: Accurate and FPGA-efficient binary neural networks with fractional activations. In Proceedings of the International Symposium on Field-Programmable Gate Arrays (FPGA’21), Virtual, 28 February–2 March 2021; pp. 171–182. [Google Scholar] [CrossRef]
  105. Lai, Y.H.; Chi, Y.; Hu, Y.; Wang, J.; Yu, C.H.; Zhou, Y.; Cong, J.; Zhang, Z. Hete roCL: A multi-paradigm programming infrastructure for software-defined reconfigurable computing. In Proceedings of the International Symposium on Field-Programmable Gate Arrays (FPGA’19), Seaside, CA, USA, 24–26 February 2019; pp. 242–251. [Google Scholar]
  106. Lan, Q.; Kaul, A.; Pattanaik, N.K.D.; Pattanayak, P.; Pandurangan, V. Securing Applications of Large Language Models: A Shift-Left Approach. In Proceedings of the 2024 IEEE International Conference on Electro Information Technology (eIT), Eau Claire, WI, USA, 30 May–1 June 2024; pp. 1–2. [Google Scholar] [CrossRef]
  107. Zhu, Z.; Liu, A.X.; Zhang, F.; Chen, F. FPGA Resource Pooling in Cloud Computing. IEEE Trans. Cloud Comput. 2021, 9, 610–626. [Google Scholar] [CrossRef]
  108. Ye, H.; Hao, C.; Jeong, H.; Huang, J.; Chen, D. ScaleHLS: Achieving scalable high level synthesis through MLIR. In Proceedings of the Workshop on Languages, Tools, and Techniques for Accelerator Design (LATTE’21), Online, 15 April 2021. [Google Scholar]
  109. Elgammal, M.A.; Mohaghegh, A.; Shahrouz, S.G.; Mahmoudi, F.; Koşar, F.; Talaei, K.; Fife, J.; Khadivi, D.; Murray, K.; Boutros, A.; et al. VTR 9: Open-Source CAD for Fabric and Beyond FPGA Architecture Exploration. ACM Trans. Reconfigurable Technol. Syst. 2025, 18, 39. [Google Scholar] [CrossRef]
  110. Shah, D.; Hung, E.; Wolf, C.; Bazanski, S.; Gisselquist, D.; Milanovic, M. Yosys+nextpnr: An Open Source Framework from Verilog to Bitstream for Commercial FPGAs. In Proceedings of the 2019 IEEE 27th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), San Diego, CA, USA, 28 April–1 May 2019; pp. 1–4. [Google Scholar] [CrossRef]
  111. Thu, M.M.; Réal, M.M.; Pelcat, M.; Besnier, P. Bus Electrocardiogram: Vulnerability of SoC-FPGA Internal AXI Bus to Electromagnetic Side-Channel Analysis. In Proceedings of the 2023 International Symposium on Electromagnetic Compatibility—EMC Europe, Krakow, Poland, 4–8 September 2023; pp. 1–6. [Google Scholar] [CrossRef]
  112. Giechaskiel, I.; Rasmussen, K.B.; Szefer, J. C3APSULe: Cross-FPGA Covert-Channel Attacks through Power Supply Unit Leakage. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 18–21 May 2020; pp. 1728–1741. [Google Scholar] [CrossRef]
  113. Gross, M.; Krautter, J.; Gnad, D.; Gruber, M.; Sigl, G.; Tahoori, M. FPGANeedle: Precise Remote Fault Attacks from FPGA to CPU. In Proceedings of the 28th Asia and South Pacific Design Automation Conference (ASPDAC′23); Association for Computing Machinery: New York, NY, USA, 2023; pp. 358–364. [Google Scholar] [CrossRef]
  114. Weissman, Z.; Tiemann, T.; Moghimi, D.; Custodio, E.; Eisenbarth, T.; Sunar, B. JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020, 2020, 169–195. [Google Scholar] [CrossRef]
  115. Qiu, P.; Wang, D.; Lyu, Y.; Tian, R.; Wang, C.; Qu, G. VoltJockey: A New Dynamic Voltage Scaling-Based Fault Injection Attack on Intel SGX. IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 2021, 40, 1130–1143. [Google Scholar] [CrossRef]
  116. David, H. Hardware/Software Co-Assurance for the Rust Programming Language Applied to Zero Trust Architecture Development. Ada Lett. 2023, 42, 55–61. [Google Scholar] [CrossRef]
  117. Kulkarni, A.; Niraula, A.; Bhattarai, H.; Niamat, M. A Zero Trust Architecture employing Blockchain and Ring Oscillator Physical Unclonable Function for Internet-of-Things. In Proceedings of the 2024 IEEE International Conference on Electro Information Technology (eIT), Eau Claire, WI, USA, 30 May–1 June 2024; pp. 508–513. [Google Scholar] [CrossRef]
  118. Kulkarni, A.; Hazari, N.A.; Niamat, M.Y. A Zero Trust-Based Framework Employing Blockchain Technology and Ring Oscillator Physical Unclonable Functions for Security of Field Programmable Gate Array Supply Chain. IEEE Access 2024, 12, 89322–89338. [Google Scholar] [CrossRef]
  119. Oh, H.; Nam, K.; Jeon, S.; Cho, Y.; Paek, Y. MeetGo: A Trusted Execution Environment for Remote Applications on FPGA. IEEE Access 2021, 9, 51313–51324. [Google Scholar] [CrossRef]
  120. Zou, Y.; Li, Y.; Wang, S.; Su, L.; Gu, Z.; Lu, Y.; Guan, Y.; Niu, D.; Gao, M.; Xie, Y.; et al. Salus: A Practical Trusted Execution Environment for CPU-FPGA Heterogeneous Cloud Platforms. In Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4 (ASPLOS′24); Association for Computing Machinery: New York, NY, USA, 2025; pp. 252–266. [Google Scholar] [CrossRef]
  121. Zhao, M.; Gao, M.; Kozyrakis, C. ShEF: Shielded enclaves for cloud FPGAs. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS′22); Association for Computing Machinery: New York, NY, USA, 2022; pp. 1070–1085. [Google Scholar] [CrossRef]
  122. Zhu, J.; Hou, R.; Wang, X.; Wang, W.; Cao, J.; Zhao, B.; Wang, Z.; Zhang, Y.; Ying, J.; Zhang, L.; et al. Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 18–21 May 2020; pp. 1450–1465. [Google Scholar] [CrossRef]
  123. Feng, E.; Feng, D.; Du, D.; Xia, Y.; Zheng, W.; Zhao, S.; Chen, H. SIOPMP: Scalable and Efficient I/O Protection for TEEs. In Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2 (ASPLOS′24); Association for Computing Machinery: New York, NY, USA, 2024; Volume 2, pp. 1061–1076. [Google Scholar] [CrossRef]
  124. Shen, J.; Chen, Y.; Wong, W.-F.; Chang, E.-C. T-Edge: Trusted Heterogeneous Edge Computing. In Proceedings of the 2024 Annual Computer Security Applications Conference (ACSAC), Honolulu, HI, USA, 9–13 December 2024; pp. 131–143. [Google Scholar] [CrossRef]
  125. Mbongue, J.M.; Saha, S.K.; Bobda, C. A Security Architecture for Domain Isolation in Multi-Tenant Cloud FPGAs. In Proceedings of the 2021 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Tampa, FL, USA, 7–9 July 2021; pp. 290–295. [Google Scholar] [CrossRef]
  126. Wallat, S.; Albartus, N.; Becker, S.; Hoffmann, M.; Ender, M.; Fyrbiak, M.; Drees, A.; Maaßen, S.; Paar, C. Highway to HAL: Open-sourcing the first extendable gate-level netlist reverse engineering framework. In Proceedings of the 16th ACM International Conference on Computing Frontiers; Association for Computing Machinery: New York, NY, USA, 2019; pp. 392–397. [Google Scholar]
  127. Muthukumaran, S.; Venkatesan, A.N.; Pula, K.; Narayanan, R.V.; Vemuri, R.; Emmert, J. Reverse Engineering of RTL Controllers from Look-Up Table Netlists. In Proceedings of the 2023 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Foz do Iguacu, Brazil, 20–23 June 2023; pp. 1–6. [Google Scholar]
  128. Mahmoud, D.G.; Shokry, B.; Lenders, V.; Hu, W.; Stojilović, M. X-Attack 2.0: The Risk of Power Wasters and Satisfiability Don’t-Care Hardware Trojans to Shared Cloud FPGAs. IEEE Access 2024, 12, 8983–9011. [Google Scholar] [CrossRef]
  129. Mukherjee, R.; Chakraborty, R.S. Novel Hardware Trojan Attack on Activation Parameters of FPGA-Based DNN Accelerators. IEEE Embed. Syst. Lett. 2022, 14, 131–134. [Google Scholar] [CrossRef]
  130. Nozaki, Y.; Takemoto, S.; Ikezaki, Y.; Yoshikawa, M. LUT oriented Hardware Trojan for FPGA based AI Module. In Proceedings of the 2020 6th International Conference on Applied System Innovation (ICASI), Taitung, Taiwan, 5–8 November 2020; pp. 46–49. [Google Scholar] [CrossRef]
  131. Nikhila, S.; Yamuna, B.; Balasubramanian, K.; Mishra, D. FPGA Based Implementation of a Floating Point Multiplier and its Hardware Trojan Models. In Proceedings of the 2019 IEEE 16th India Council International Conference (INDICON), Rajkot, India, 13–15 December 2019; pp. 1–4. [Google Scholar] [CrossRef]
  132. Murtaza, A.; Pasha, M.A.; Masud, S.; Qadri, M.Y.; Basit, A. FPGA Based Intelligent Hardware Trojan Design and its SoC Implementation. In Proceedings of the 2023 30th IEEE International Conference on Electronics, Circuits and Systems (ICECS), Istanbul, Turkiye, 4–7 December 2023; pp. 1–4. [Google Scholar] [CrossRef]
  133. Cho, M.; Jang, J.; Seo, Y.; Jeong, S.; Chung, S.; Kwon, T. ‘Towards bidirectional LUT-level detection of hardware Trojans. Comput. Secur. 2021, 104, 102223. [Google Scholar] [CrossRef]
  134. Wu, L.; Zhang, X.; Wang, S.; Hu, W. Hardware Trojan Detection at LUT: Where Structural Features Meet Behavioral Characteristics. In Proceedings of the 2022 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), McLean, VA, USA, 27–30 June 2022; pp. 121–124. [Google Scholar] [CrossRef]
  135. Pazira, M.; Baleghi, Y.; Mahmoodpour, M.-A.; Jafari, H. Neural Networks & Logistic Regression for FPGA Hardware Trojan Detection. In Proceedings of the 2023 5th Iranian International Conference on Microelectronics (IICM), Tehran, Iran, Islamic Republic of, 25–26 October 2023; pp. 82–85. [Google Scholar] [CrossRef]
  136. Wu, L.; Su, H.; Zhang, X.; Tai, Y.; Li, H.; Hu, W. Automated Hardware Trojan Detection at LUT Using Explainable Graph Neural Networks. In Proceedings of the 2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD), San Francisco, CA, USA, 28 October–2 November 2023; pp. 1–9. [Google Scholar] [CrossRef]
  137. Xiao, K.; Chen, L.; Zhang, Y.; Wang, S.; Zhou, J.; Zhang, X.; Jiang, S. A Security-Driven FPGA Application Development Workflow Based on GCN Algorithm. In Proceedings of the 2024 2nd International Symposium of Electronics Design Automation (ISEDA), Xi’an, China, 10–13 May 2024; pp. 796–803. [Google Scholar]
  138. Chithra, C.; Kokila, J.; Ramasubramanian, N. Detection of Hardware Trojans using Machine Learning in SoC FPGAs. In Proceedings of the 2020 IEEE International Conference on Electronics, Computing and Communication Technologies (CONECCT), Bangalore, India, 2–4 July 2020; pp. 1–7. [Google Scholar] [CrossRef]
  139. Alsaiari, U.; Gebali, F. Hardware Trojan Detection Using Reconfigurable Assertion Checkers. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 2019, 27, 1575–1586. [Google Scholar] [CrossRef]
  140. Wang, H.; Basel, H. Hardware Trojan Detection and High-Precision Localization in NoC-Based MPSoC Using Machine Learning. In Proceedings of the 28th Asia and South Pacific Design Automation Conference (ASPDAC′23); Association for Computing Machinery: New York, NY, USA, 2023; pp. 516–521. [Google Scholar] [CrossRef]
  141. Li, Z.; Wang, J.; Huang, Z.; Wang, Q. EA-based Mitigation of Hardware Trojan Attacks in NoC of Coarse-Grained Reconfigurable Arrays. In Proceedings of the 2022 International Conference on Networking and Network Applications (NaNA), Urumqi, China, 3–5 December 2022; pp. 528–533. [Google Scholar] [CrossRef]
  142. Chen, Z.; Guo, S.; Wang, J.; Li, Y.; Lu, Z. Toward FPGA Security in IoT: A New Detection Technique for Hardware Trojans. IEEE Internet Things J. 2019, 6, 7061–7068. [Google Scholar] [CrossRef]
  143. Wang, H.; Panoff, M.K.; Wang, S.; Forte, D. HT-EMIS: A Deep Learning Tool for Hardware Trojan Detection and Identification through Runtime EM Side-Channels. In Proceedings of the Great Lakes Symposium on VLSI 2023 (GLSVLSI′23); Association for Computing Machinery: New York, NY, USA, 2023; pp. 51–56. [Google Scholar] [CrossRef]
  144. He, J.; Ma, H.; Liu, Y.; Zhao, Y. Golden Chip-Free Trojan Detection Leveraging Trojan Trigger’s Side-Channel Fingerprinting. ACM Trans. Embed. Comput. Syst. 2020, 20, 6. [Google Scholar] [CrossRef]
  145. Xiao, Y.; Feng, S. Detecting Hardware Trojans by Monitoring Powersupply Noise Based on Ring Oscillator Network in FPGA. In Proceedings of the 2020 3rd International Conference on Advanced Electronic Materials, Computers and Software Engineering (AEMCSE), Shenzhen, China, 24–26 April 2020; pp. 410–413. [Google Scholar] [CrossRef]
  146. Giechaskiel, I.; Tian, S.; Szefer, J. Cross-VM Information Leaks in FPGA-Accelerated Cloud Environments. In Proceedings of the 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Tysons Corner, VA, USA, 12–15 December 2021; pp. 91–101. [Google Scholar] [CrossRef]
  147. Ilias, G.; Tian, S.; Jakub, S. Cross-VM Covert- and Side-Channel Attacks in Cloud FPGAs. ACM Trans. Reconfigurable Technol. Syst. 2022, 16, 6. [Google Scholar] [CrossRef]
  148. Zhao, M.; Suh, G.E. Remote Power Side-Channel Attacks on FPGAs. IEEE Des. Test 2025, 42, 13–19. [Google Scholar] [CrossRef]
  149. Zhang, Y.; Yasaei, R.; Chen, H.; Li, Z.; Al Faruque, M.A. Stealing Neural Network Structure through Remote FPGA Side-channel Analysis. In Proceedings of the 2021 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA′21); Association for Computing Machinery: New York, NY, USA, 2021; p. 225. [Google Scholar] [CrossRef]
  150. Moini, S.; Deric, A.; Li, X.; Provelengios, G.; Burleson, W.; Tessier, R.; Holcomb, D. Voltage Sensor Implementations for Remote Power Attacks on FPGAs. ACM Trans. Reconfigurable Technol. Syst. 2022, 16, 11. [Google Scholar] [CrossRef]
  151. Zhang, Y.; Zhang, F.; Yang, B.; Xu, G.; Shao, B.; Zhao, X.; Ren, K. Persistent Fault Injection in FPGA via BRAM Modification. In Proceedings of the 2019 IEEE Conference on Dependable and Secure Computing (DSC), Hangzhou, China, 18–20 November 2019; pp. 1–6. [Google Scholar] [CrossRef]
  152. Moini, S.; Tian, S.; Holcomb, D.; Szefer, J.; Tessier, R. Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs. IEEE J. Emerg. Sel. Top. Circuits Syst. 2021, 11, 357–370. [Google Scholar] [CrossRef]
  153. Tian, S.; Moini, S.; Holcomb, D.; Tessier, R.; Szefer, J. A Practical Remote Power Attack on Machine Learning Accelerators in Cloud FPGAs. In Proceedings of the 2023 Design, Automation & Test in Europe Conference & Exhibition (DATE), Antwerp, Belgium, 17–19 April 2023; pp. 1–6. [Google Scholar] [CrossRef]
  154. Glamocanin, O.; Coulon, L.; Regazzoni, F.; Stojilovic, M. Are cloud FPGA really vulnerable to power analysis attacks? In Proceedings of the 2020 Design, Automation Test in Europe Conference Exhibition (DATE), Grenoble, France, 9 March 2020; pp. 1007–1010. [Google Scholar]
  155. Huegle, L.; Gotthard, M.; Meyers, V.; Krautter, J.; Gnad, D.R.E.; Tahoori, M.B. Power2Picture: Using Generative CNNs for Input Recovery of Neural Network Accelerators through Power Side-Channels on FPGAs. In Proceedings of the 2023 IEEE 31st Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), Marina Del Rey, CA, USA, 8–11 May 2023; pp. 155–161. [Google Scholar] [CrossRef]
  156. Zhang, Y.; Yasaei, R.; Chen, H.; Li, Z.; Faruque, M.A.A. Stealing Neural Network Structure Through Remote FPGA Side-Channel Analysis. IEEE Trans. Inf. Forensics Secur. 2021, 16, 4377–4388. [Google Scholar] [CrossRef]
  157. Meyers, V.; Gnad, D.; Tahoori, M. Reverse Engineering Neural Network Folding with Remote FPGA Power Analysis. In Proceedings of the 2022 IEEE 30th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), New York, NY, USA, 15–18 May 2022; pp. 1–10. [Google Scholar] [CrossRef]
  158. Sengupta, A.; Mazumdar, B.; Yasin, M.; Sinanoglu, O. Logic Locking With Provable Security Against Power Analysis Attacks. IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 2020, 39, 766–778. [Google Scholar] [CrossRef]
  159. Seifoori, Z.; Mirzargar, S.S.; Stojilović, M. Closing Leaks: Routing Against Crosstalk Side-Channel Attacks. In Proceedings of the 2020 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA′20); Association for Computing Machinery: New York, NY, USA, 2020; pp. 197–203. [Google Scholar] [CrossRef]
  160. Himuro, M.; Iokibe, K.; Toyota, Y. FPGA Switching Current Modeling Based on Register Transfer Level Logic Simulation for Power Side-channel Attack Prediction. In Proceedings of the 2022 International Symposium on Electromagnetic Compatibility—EMC Europe, Gothenburg, Sweden, 5–8 September 2022; pp. 172–177. [Google Scholar] [CrossRef]
  161. Lin, L.; Selvakumaran, D.; Zhu, D.; Chang, N.; Chow, C.; Nagata, M.; Monta, K. Fast and Comprehensive Simulation Methodology for Layout-Based Power-Noise Side-Channel Leakage Analysis. In Proceedings of the 2020 IEEE International Symposium on Smart Electronic Systems (iSES) (Formerly iNiS), Chennai, India, 14–16 December 2020; pp. 133–138. [Google Scholar] [CrossRef]
  162. Kian, A.; Hosseintalaee, H.; Jahanian, A. Protecting the FPGA IPs against Higher-order Side Channel Attacks using Dynamic Partial Reconfiguration. In Proceedings of the 2020 20th International Symposium on Computer Architecture and Digital Systems (CADS), Rasht, Iran, 19–20 August 2020; pp. 1–4. [Google Scholar] [CrossRef]
  163. Virtex-4 FPGA Configuration User Guide. Available online: https://docs.xilinx.com/v/u/en-US/ug071 (accessed on 2 June 2017).
  164. Virtex-5 FPGA Configuration User Guide. Available online: https://docs.xilinx.com/v/u/en-US/ug191 (accessed on 21 February 2023).
  165. Bootgen User Guide (UG1283). Available online: https://docs.xilinx.com/r/2022.2-English/ug1283-bootgen-user-guide (accessed on 14 December 2022).
  166. UltraScale Architecture Configuration User Guide (UG507). Available online: https://docs.amd.com/v/u/en-US/ug570-ultrascale-configuration (accessed on 10 October 2025).
  167. MachXO3D Family Data Sheet. Available online: https://www.latticesemi.com/view_document?document_id=52590 (accessed on 9 October 2023).
  168. AC432: Using SHA-256 System Services in SmartFusion2 and IGLOO2 Devices. Available online: https://www.microchip.com/en-us/application-notes/ac432 (accessed on 17 May 2020).
  169. SmartFusion 2 and IGLOO 2 FPGA Security and Best Practices User Guide (Earlier UG0443). Available online: https://ww1.microchip.com/downloads/aemDocuments/documents/FPGA/ProductDocuments/UserGuides/SmartFusion2_IGLOO2_FPGA_Security_Best_Practices_UG0443_V10.pdf (accessed on 10 October 2025).
  170. Wang, S.; Fan, X.; Xu, X.; Wang, S.; Ju, L.; Zhou, Z. FPGA-TrustZone: Security Extension of TrustZone to FPGA for SoC-FPGA Heterogeneous Architecture. In Proceedings of the 2025 62nd ACM/IEEE Design Automation Conference (DAC), San Francisco, CA, USA, 22–25 June 2025; pp. 1–6. [Google Scholar] [CrossRef]
  171. Xia, K.; Luo, Y.; Xu, X.; Wei, S. SGX-FPGA: Trusted Execution Environment for CPU-FPGA Heterogeneous Architecture. In Proceedings of the 2021 58th ACM/IEEE Design Automation Conference (DAC), San Francisco, CA, USA, 5–9 December 2021; pp. 301–306. [Google Scholar] [CrossRef]
  172. MachXO5-NX Family Root-of-Trust Devices (FPGA-DS-02120-0.81). Available online: https://www.latticesemi.com/view_document?document_id=54310 (accessed on 5 June 2024).
  173. Benhani, E.M.; Marchand, C.; Aubert, A.; Bossuet, L. On the security evaluation of the ARM TrustZone extension in a heterogeneous SoC. In Proceedings of the 2017 30th IEEE International System-on-Chip Conference (SOCC), Munich, Germany, 5–8 September 2017; pp. 108–113. [Google Scholar] [CrossRef]
  174. Mukhtar, M.A.; Bhatti, M.K.; Gogniat, G. Architectures for Security: A comparative analysis of hardware security features in Intel SGX and ARM TrustZone. In Proceedings of the 2019 2nd International Conference on Communication, Computing and Digital systems (C-CODE), Islamabad, Pakistan, 6–7 March 2019; pp. 299–304. [Google Scholar] [CrossRef]
  175. Ramesh, C.; Patil, S.B.; Dhanuskodi, S.N.; Provelengios, G.; Pillement, S.; Holcomb, D.; Tessier, R. FPGA Side Channel Attacks without Physical Access. In Proceedings of the 2018 IEEE 26th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), Boulder, CO, USA, 29 April–1 May 2018; pp. 45–52. [Google Scholar] [CrossRef]
  176. Krautter, J.; Gnad, D.R.E.; Schellenberg, F.; Moradi, A.; Tahoori, M.B. Active Fences against Voltage-based Side Channels in Multi-Tenant FPGAs. In Proceedings of the 2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), Westminster, CO, USA, 4–7 November 2019; pp. 1–8. [Google Scholar] [CrossRef]
  177. Skorobogatov, S.; Woods, C. Breakthrough silicon scanning discovers backdoor in military chip. In Proceedings of the 14th International Conference on Cryptographic Hardware and Embedded Systems (CHES′12); Springer: Berlin/Heidelberg, Germany, 2012; pp. 23–40. [Google Scholar] [CrossRef]
  178. Fyrbiak, M.; Wallat, S.; Swierczynski, P.; Hoffmann, M.; Hoppach, S.; Wilhelm, M.; Weidlich, T.; Tessier, R.; Paar, C. HAL—The Missing Piece of the Puzzle for Hardware Reverse Engineering, Trojan Detection and Insertion. IEEE Trans. Dependable Secur. Comput. 2019, 16, 498–510. [Google Scholar] [CrossRef]
  179. Zhang, N.; Lv, Z.; Zhang, Y.; Li, H.; Zhang, Y.; Huang, W. Novel Design of Hardware Trojan: A Generic Approach for Defeating Testability Based Detection. In Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China, 29 December 2020–1 January 2021; pp. 162–173. [Google Scholar] [CrossRef]
  180. Wang, C.; Cai, Y.; Zhou, Q.; Wang, H. ASAX: Automatic security assertion extraction for detecting Hardware Trojans. In Proceedings of the 2018 23rd Asia and South Pacific Design Automation Conference (ASP-DAC), Jeju, Republic of Korea, 22–25 January 2018; pp. 84–89. [Google Scholar] [CrossRef]
  181. Wu, L.; Li, X.; Zhu, J.; Zheng, J.; Hu, W. Identifying Specious LUTs for Satisfiability Don’t Care Trojan Detection. In Proceedings of the 2021 IEEE 34th International System-on-Chip Conference (SOCC), Las Vegas, NV, USA, 14–17 September 2021; pp. 170–175. [Google Scholar] [CrossRef]
  182. Zhang, J.; Yuan, F.; Wei, L.; Liu, Y.; Xu, Q. VeriTrust: Verification for Hardware Trust. IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 2015, 34, 1148–1161. [Google Scholar] [CrossRef]
  183. Zhu, J.; Hu, W.; Wu, L.; Zhu, D.; Mu, D. LUT Level Information Flow Tracking for FPGA Design Security Verification. In Proceedings of the GLOBECOM 2024—2024 IEEE Global Communications Conference, Cape Town, South Africa, 12 December 2024; pp. 3093–3098. [Google Scholar] [CrossRef]
  184. Zhang, Y.; Xiao, K.; Wang, S.; Zhou, J. Integration of a Trojan Detection Tool with BFDS: Enhancing Field-Programmable Gate Array Security. In Proceedings of the 2024 4th International Conference on Artificial Intelligence, Automation and Algorithms, Shanghai, China, 29 September 2024; pp. 27–33. [Google Scholar]
  185. Bayrak, A.G.; Velickovic, N.; Regazzoni, F.; Novo, D.; Brisk, P.; Ienne, P. An EDA-friendly protection scheme against side-channel attacks. In Proceedings of the 2013 Design, Automation & Test in Europe Conference & Exhibition (DATE), Grenoble, France, 18–22 March 2013; pp. 410–415. [Google Scholar] [CrossRef]
  186. Buhan, I.; Batina, L.; Yarom, Y.; Schaumont, P. SoK: Design Tools for Side-Channel-Aware Implementations. In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (ASIA CCS′22); Association for Computing Machinery: New York, NY, USA, 2022; pp. 756–770. [Google Scholar] [CrossRef]
  187. Bhandari, J.; Chowdhury, A.B.; Sinanoglu, O.; Garg, S.; Karri, R.; Knechtel, J. ASCENT: Amplifying Power Side-Channel Resilience via Learning & Monte-Carlo Tree Search. In Proceedings of the 43rd IEEE/ACM International Conference on Computer-Aided Design. Association for Computing Machinery, New York, NY, USA, 27–31 October 2025; pp. 1–8. [Google Scholar] [CrossRef]
  188. Nahiyan, A.; Park, J.; He, M.; Iskander, Y.; Farahmandi, F.; Forte, D.; Tehranipoor, M. SCRIPT: A CAD Framework for Power Side-channel Vulnerability Assessment Using Information Flow Tracking and Pattern Generation. ACM Trans. Des. Autom. Electron. Syst. 2020, 25, 26. [Google Scholar] [CrossRef]
  189. Ma, H.; Zhang, Q.; Gao, Y.; He, J.; Zhao, Y.; Jin, Y. PathFinder: Side channel protection through automatic leaky paths identification and obfuscation. In Proceedings of the 59th ACM/IEEE Design Automation Conference (DAC′22); Association for Computing Machinery: New York, NY, USA, 2022; pp. 79–84. [Google Scholar] [CrossRef]
  190. Ma, P.; Li, J.; Liu, H.; Shi, J.; Zhang, S.; Pan, W.; Hao, Y. Hardware Trojan Detection for Gate-level Netlists Based on Graph Neural Network. J. Electron. Inf. Technol. 2023, 45, 3253–3262. [Google Scholar] [CrossRef]
  191. Kurihara, T.; Togawa, N. Hardware-trojan classification based on the structure of trigger circuits utilizing random forests. In Proceedings of the 2021 IEEE 27th International Symposium on On-Line Testing and Robust System Design (IOLTS), Torino, Italy, 28–30 June 2021; pp. 1–4. [Google Scholar]
  192. Hasegawa, K.; Hidano, S.; Nozawa, K.; Kiyomoto, S.; Togawa, N. R-htdetector: Robust hardware-trojan detection based on adversarial training. IEEE Trans. Comput. 2022, 72, 333–345. [Google Scholar] [CrossRef]
  193. Zhang, Y.; Zhou, J.; Tai, Y.; Cai, H.; Wang, S.; Xiao, K.; Zhang, X.; Dong, H.; Du, Z. Efficient and high-security FPGA configuration bitstream cryptographic algorithm and implementation. Integr. Circuits Embed. Syst. 2025, 25, 48–57. [Google Scholar] [CrossRef]
Jlpea 15 00066 g001
Figure 1. Taxonomy of FPGA threats. We classified the threats into four types according to the architecture and usage characteristics of FPGA chips. Then, we summarized the specific pre-AI attacks by classifying FPGA threat features. Subsequently, we analyzed the threats based on changes in FPGA architecture and market models in the AI era. In addition, we determined potential countermeasures. Finally, we propose security measures used in COTS FPGAs, emphasizing the vital involvement of FPGA manufacturers in FPGA security, and outlining the necessary future measures.
Figure 1. Taxonomy of FPGA threats. We classified the threats into four types according to the architecture and usage characteristics of FPGA chips. Then, we summarized the specific pre-AI attacks by classifying FPGA threat features. Subsequently, we analyzed the threats based on changes in FPGA architecture and market models in the AI era. In addition, we determined potential countermeasures. Finally, we propose security measures used in COTS FPGAs, emphasizing the vital involvement of FPGA manufacturers in FPGA security, and outlining the necessary future measures.
Jlpea 15 00066 g001
Jlpea 15 00066 g002
Figure 2. Design flow and architecture of SRAM-based FPGAs. (A) Design flow from the user FPGA system design to the bitstream. (B) FPGA chip architecture, including configuration circuits and configurable cells.
Figure 2. Design flow and architecture of SRAM-based FPGAs. (A) Design flow from the user FPGA system design to the bitstream. (B) FPGA chip architecture, including configuration circuits and configurable cells.
Jlpea 15 00066 g002
Jlpea 15 00066 g003
Figure 3. The interconnection between taxonomy and FPGA characteristics. Logic Security: Corresponding to the system development phase of FPGAs, this acts as a primary risk point for user logic. Configuration Security: Corresponding to the configuration file loading phase of FPGAs, this serves as a primary risk point during the startup stage. Interface Security: Corresponding to the interaction phase of FPGAs, this includes peripheral connection and debugging communication. Physical Security: This corresponds to the FPGA hardware entity itself.
Figure 3. The interconnection between taxonomy and FPGA characteristics. Logic Security: Corresponding to the system development phase of FPGAs, this acts as a primary risk point for user logic. Configuration Security: Corresponding to the configuration file loading phase of FPGAs, this serves as a primary risk point during the startup stage. Interface Security: Corresponding to the interaction phase of FPGAs, this includes peripheral connection and debugging communication. Physical Security: This corresponds to the FPGA hardware entity itself.
Jlpea 15 00066 g003
Jlpea 15 00066 g004
Figure 4. FPGA application model. A, B, C, and D represent different roles in FPGA application model. E represents two modes of FPGA application, including cloud service and board-level application.
Figure 4. FPGA application model. A, B, C, and D represent different roles in FPGA application model. E represents two modes of FPGA application, including cloud service and board-level application.
Jlpea 15 00066 g004
Jlpea 15 00066 g005
Figure 5. Changes in the architecture and applications of FPGAs and new attack vectors. The left side of the figure shows the changes in FPGA architecture and application approaches in the AI era, with distinct legends highlighting the four types of changes noted in the text. The right side of the figure outlines the security challenges caused by changes in the FPGA architecture and applications, as well as the respective security types of these challenges.
Figure 5. Changes in the architecture and applications of FPGAs and new attack vectors. The left side of the figure shows the changes in FPGA architecture and application approaches in the AI era, with distinct legends highlighting the four types of changes noted in the text. The right side of the figure outlines the security challenges caused by changes in the FPGA architecture and applications, as well as the respective security types of these challenges.
Jlpea 15 00066 g005
Jlpea 15 00066 g006
Figure 6. AES256_GCM Pipelined Design Block Diagram.
Figure 6. AES256_GCM Pipelined Design Block Diagram.
Jlpea 15 00066 g006
Jlpea 15 00066 g007
Figure 7. Schematic Diagram of the Pipelined AES256_CTR Circuit.
Figure 7. Schematic Diagram of the Pipelined AES256_CTR Circuit.
Jlpea 15 00066 g007
Jlpea 15 00066 g008
Figure 8. Overall Resource Utilization (Xilinx Vivado 2021 Implementation). (A) is for AES256_CBC and (B) is for AES256_GCM.
Figure 8. Overall Resource Utilization (Xilinx Vivado 2021 Implementation). (A) is for AES256_CBC and (B) is for AES256_GCM.
Jlpea 15 00066 g008
Jlpea 15 00066 g009
Figure 9. Serial Port Data and Simulation Waveform. (A) is the serial port data of the AES256_GCM pipelined circuit. The plaintext block is set to all zeros to facilitate direct comparison of authentication outputs. (B) is the simulation waveform of the first block of the AES256_GCM pipelined circuit. (C) is the simulation waveform of the second block of the AES256_GCM pipelined circuit.
Figure 9. Serial Port Data and Simulation Waveform. (A) is the serial port data of the AES256_GCM pipelined circuit. The plaintext block is set to all zeros to facilitate direct comparison of authentication outputs. (B) is the simulation waveform of the first block of the AES256_GCM pipelined circuit. (C) is the simulation waveform of the second block of the AES256_GCM pipelined circuit.
Jlpea 15 00066 g009
Jlpea 15 00066 g010
Figure 10. Power Consumption Curves. (A) is for AES256_CBC and (B) is for AES256_GCM.
Figure 10. Power Consumption Curves. (A) is for AES256_CBC and (B) is for AES256_GCM.
Jlpea 15 00066 g010
Table 1. Comparison of security threats in SRAM-based FPGA chips versus other computing chips.
Table 1. Comparison of security threats in SRAM-based FPGA chips versus other computing chips.
ArticleResearch AreaYearTopic
A. Duncan [8]D1: FPGA security studies2019Threats and vulnerabilities associated with FPGA bitstreams.
Jiliang Zhang [9]2019Threats and defense mechanisms in FPGA-based systems, focusing on supply chain and design flow.
Z. Huang [10]D2: Studies on applications of AI in FPGA security2020ML-based approaches against HT attacks from four perspectives: HT detection, DFS, bus security, and secure architecture.
X. Xu [11]D3: Security studies on FPGA application2020The dual impact of machine learning on FPGA security, both as a tool for attack and defense.
Furkan Turan [12]2020Trust models and security challenges in FPGA-accelerated cloud computing platforms and reviews existing solutions.
Kaspar Matas [13]2020Hardware security challenges for FPGAs in datacenters.
S. Sunkavilli [14]D1: FPGA security studies2021Security threats in new FPGA utilization model in the era of machine learning and cloud computing.
G. Dessouky [15]D3: Security studies on FPGA application2021Security challenges and opportunities in secure FPGA multi-tenancy in the cloud.
S. Duan [16]2021Security vulnerabilities and defense mechanisms in FPGA-based hardware acceleration systems.
Z. Pan [17]D2: Studies on applications of AI in FPGA security2022Utilization of machine learning techniques for hardware vulnerability analysis.
Lilas Alrahis [18]2022Application of GNNs in hardware security and attacks on logic locking.
A. Hasnain [19]D1: FPGA security studies2022Power profiling-based side-channel attacks on FPGAs and associated countermeasures.
Hoda Naghibijouybari [20]D3: Security studies on FPGA application2022Microarchitectural attacks in heterogeneous computing systems.
Dina G. Mahmoud [21]2022Electrical-level security threats on CPUs, FPGAs, and GPUs.
Troya Çağıl Köylü [22]D2: Studies on applications of AI in FPGA security2023Applications of machine learning in hardware security.
David Koblah [23]2023Application of artificial intelligence and machine learning in electronic design automation.
Alexandre Proulx [24]D1: FPGA security studies2023Security aspects of SoC FPGA devices incorporating a hard processing system.
P. D. Rosero-Montalvo [25]D3: Security studies on FPGA application2023Security concerns for utilizing FPGAs in cloud computing.
Ferhat Erata [26]2023Methods for security verification across hardware and software layers in computer systems.
Ruyan Lin [27]D1: FPGA security studies2024Methods for detecting vulnerabilities and security patches while identifying research gaps and future directions.
Zain Ul Abideen [28]D3: Security studies on FPGA application2024Reconfigurable-based obfuscation techniques that combat security threats in hardware design.
Muhammed Kawser Ahmed [29]2025Examination of the security concerns associated with multi-tenant cloud FPGAs, providing a comprehensive overview of the related security, privacy and trust issues, and discussing forthcoming challenges in this evolving field of study.
Table 2. Security measures used in COTS FPGA products.
Table 2. Security measures used in COTS FPGA products.
Threat DomainSecurity Measure SummaryFPGA ManufacturersSecurity Measures
Configuration SecurityCryptographic algorithms
and
authentication mechanisms		ManufacturersDeviceSecurity Method
Xilinx28 nm [165]AES CBC + HMAC
14 nm [166]AES GCM + RSA
Intel [75]40 nmAES CTR
28 nmAES CBC
20 nmAES CTR + HMAC
Lattice [167]e
Microchip [168,169]AES + SHA + HMAC + ECDSA
Interface SecurityAccess rights
of readback ports		Intel [75]20 nmThe control function of access rights to the JTAG port
Microchip [74]Verification mechanism for disabling readback debugging
Physical SecurityVarious measuresXilinx14 nm [166]Pre-authentication, rolling keys, and internal self-authentication
PSoC [170]ARM TrustZone
IntelPSoC [171]Software Guard Extensions (SGX)
Lattice [172] Hardware root of trust (HRoT) functions
Microchip [168,169]Key-tree derivation algorithm
Logic SecurityEDA toolMicrochip [74]DesignShield development tool
Table 3. The limitations of the current measures.
Table 3. The limitations of the current measures.
ManufacturersDeviceSecurity MeasuresDefense EffectBypass Approach
Xilinx28 nm [165]AES CBC + HMACMainstream anti-cloning and anti-tampering
capabilities		StarBleed vulnerability [41]
Side-channel analysis [72]
14 nm [166] AES GCM + RSABetter anti-cloning and
anti-tampering
capabilities		GHASH-based checksum and authentication downgrade attacks [42]
Pre-authentication, rolling keys, and internal self-authenticationDPA resistanceSide-channel analysis [73]
PSoC [170]ARM TrustZoneHeterogeneous SoC
protection		Third-party IP attacks [173]
Software-based side-channel attacks [174]
Hardware Trojans [60]
Intel [75]40 nmAES CTRMainstream anti-cloning and anti-tampering
capabilities		Side-channel analysis [175]
28 nmAES CBC
20 nmAES CTR + HMAC
The control function of access rights to the JTAG portDebug interface protection\
PSoC [171]Software Guard Extensions (SGX)Heterogeneous SoC protectionFault injection attack [115]
Software-based side-channel attacks [174]
Lattice [167]AES + HMAC + ECDSAAnti-cloning and
anti-tampering capabilities		Side-channel analysis [176]
Hardware root of trust (HRoT) functionsDPA resistance
MicrochipAES + SHA + HMAC + ECDSA [168,169]Anti-tamper\
Verification mechanism for disabling readback debugging [172]Reverse engineering
protection		Backdoor for accessing FPGA configuration [177]
Key-tree derivation algorithm [168,169]Data security through
system service		\
DesignShield development tool [172]Anti-HT
Table 4. Comparison of hardware Trojan detection methods on Trust-Hub benchmarks. (The GCN + GraphSMOTE approach outperforms other methods.).
Table 4. Comparison of hardware Trojan detection methods on Trust-Hub benchmarks. (The GCN + GraphSMOTE approach outperforms other methods.).
MethodTrue Positive Rate (TPR)True Negative Rate (TNR)F1 Score
GCN + GraphSMOTE [184]96.1%94.0%88.1%
GraphSAGE [190]92.9%99.8%86.2%
Random Forest [191]63.6%100.0%77.8%
R-HTDetector [192]96.8%94.5%59.9%
LUT-Level Detection Methods [134]98.4%100.0%99.5%
Neural Networks and Logistic Regression [135]86%--
XGNNs [136]98.8%98.7%99.2%
Table 5. CPA comparison: Traces are ciphertext-triggered; correlation values represent maximum absolute Pearson correlation observed for the correct hypothesis at the tested byte.
Table 5. CPA comparison: Traces are ciphertext-triggered; correlation values represent maximum absolute Pearson correlation observed for the correct hypothesis at the tested byte.
Target ImplementationTraces UsedMax Observed CorrelationKey Recovered?
AES-256 (CBC, conventional)50000.42Yes
AES256_CTR + GMAC_GF32 (pipelined, as in [193])100,0000.08No
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Zhou, J.; Zhao, X.; Zhang, S.; Chen, L.; Xiao, K.; Wang, S. Research on the Security of SRAM-Based FPGAs in the Era of Artificial Intelligence. J. Low Power Electron. Appl. 2025, 15, 66. https://doi.org/10.3390/jlpea15040066

AMA Style

Zhou J, Zhao X, Zhang S, Chen L, Xiao K, Wang S. Research on the Security of SRAM-Based FPGAs in the Era of Artificial Intelligence. Journal of Low Power Electronics and Applications. 2025; 15(4):66. https://doi.org/10.3390/jlpea15040066

Chicago/Turabian Style

Zhou, Jing, Xiangyu Zhao, Shengbing Zhang, Lei Chen, Ke Xiao, and Shuo Wang. 2025. "Research on the Security of SRAM-Based FPGAs in the Era of Artificial Intelligence" Journal of Low Power Electronics and Applications 15, no. 4: 66. https://doi.org/10.3390/jlpea15040066

APA Style

Zhou, J., Zhao, X., Zhang, S., Chen, L., Xiao, K., & Wang, S. (2025). Research on the Security of SRAM-Based FPGAs in the Era of Artificial Intelligence. Journal of Low Power Electronics and Applications, 15(4), 66. https://doi.org/10.3390/jlpea15040066

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop