Blog: How to Secure your IP with IP Encryption

Being able to secure your Intellectual Property (IP) is critical, since your designs represent a significant investment in research and development
—

Aldec supports the encryption of both VHDL and Verilog. It was added to the Verilog standard in Verilog-2005 and became part of VHDL in 2008. Both HDL encryption methodologies are similar, in that they use asymmetric encryption, that is you require both a Public Key for encryption and a private key for decryption. It should go without saying that you should not divulge your Private Key.

For this example explanation, we will look at VHDL IP protection, but Verilog is very similar.

The first thing we need to do is define the protection envelopes – this allows you to select which parts of the HDL should be encrypted. This could be the complete file, to hide everything, or it could be just the architecture, thus hiding just the workings of your IP, but allowing the user to see the interface of the entity.

For VHDL, the encryption envelope is described as follows:


`protect begin
`protect end


After encryption, these regions will comprise the specification of the cryptographic algorithm, key, envelope attributes, and encoded design data.

Encryption tools should be able to recognise and use public keys of tools/vendors authorised to use the IP placed directly in the source code. To guarantee proper recognition by the target tool, the public key should be clearly labelled with the key owner name, the key name, and the encryption method.

The example of the public key properly marked in the VHDL code is shown below:


`protect key_keyowner = "Aldec"
`protect key_method = "rsa"
`protect key_keyname = "ALDEC15_001"
`protect key_public_key
-- place the ALDEC public key here
`protect key_block


To obtain the Aldec public key, please refer to ‘ALDEC Public Key’, in either the Riviera-PRO or Active-HDL user manuals. If you are using the Aldec IP encryption tool however, you will not need to specify the public key (see the example below).

Aldec also provides a stand-alone tool called ‘protectip’. We can run this from the console in Active-HDL or Riviera-PRO with the following command:


!protectip -vhdl Example1.vhd -out Example1.vp


This will take a file (Example1.vhd) with a protection envelope and encrypt it into file Example1.vp. This can then be compiled into the library with:


acom Example1.vp


Please note if you add this file to your design and attempt to compile it by double-clicking on it, it will fail as the Aldec GUI will see .vp files as Verilog, hence why I invoked the VHDL compiler directly in the command line. All you need to remember to do now is to distribute the encrypted file and keep the original safe.

The original design and the encrypted result are shown below: