In order to provide a capability for secure remote reconfiguration of FPGAs, FPGA bitstream needs to be encrypted and authenticated during its transmission through any public network. Bitstream encryption is already implemented in a few modern FPGA families, such as Xilinx Virtex II. An important feature lacking in the current generation of FPGAs is the ability to cryptographically verify the authenticity of the bitstream. In this paper, we propose the use of the EAX mode of operation of Advanced Encryption Standard (AES) for a joint encryption and authentication of the FPGA bitstream, using a single cipher engine. We demonstrate and quantify the advantages of this method compared to a generic scheme relying on different algorithms and different cryptographic engines for performing both operations.
