FPGAs (Field Programmable Gate Arrays) have gained massive popularity today as accelerators for a variety of workloads, including big data analytics, and parallel and distributed computing. This has fueled the study of mechanisms to provision FPGAs among multiple tenants as general purpose computing resources on the cloud. Such mechanisms offer new challenges, such as ensuring IP protection and bitstream confidentiality for mutually distrusting clients sharing the same FPGA. A direct adoption of existing IP protection techniques from the single tenancy setting does not completely address these challenges, and is also not scalable enough for practical deployment. In this paper, we propose a dedicated and scalable framework for secure multi-tenant FPGA provisioning that can be easily integrated into existing cloud-based infrastructures such as OpenStack. Our technique has constant resource/memory overhead irrespective of the number of tenants sharing a given FPGA, and is provably secure under well-studied cryptographic assumptions. A prototype implementation of our proposition on Xilinx Virtex-7 UltraScale FPGAs is presented to validate its overheads and scalability when supporting multiple tenants and workloads. To the best of our knowledge, this is the first FPGA provisioning framework to be prototyped that achieves a desirable balance between security and scalability in the multi-tenancy setting.
INTRODUCTION
The modern era of cloud computing has actualized the idea of ubiquitous provisioning of computational resources and services via a network. Cloud-based solutions are now marketed by all leading enterprise IT vendors such as IBM (PureApplication), Oracle (ExaData), Cisco (UCS) and Microsoft (Azure), as well as Web companies such as Amazon (AWS) and Google (Compute Engine). In the midst of this paradigm shift from traditional IT infrastructures to the cloud, FPGAs (Field Programmable Gate Arrays) have risen as attractive computational avenues for accelerating heavy workloads.
DAC '17, 2017, San Francisco, CA. © 2017 Copyright held by the owner/author(s).

Modern FPGAs offer a number of advantages including, but not limited to, reconfigurability, high throughput, predictable latency and low power consumption. They also offer dynamic partial reconfiguration (DPR) capabilities [17], which allow non-invasive run-time modification of existing circuitry for on-the-fly functionality enhancement. This is particularly beneficial when a given FPGA is shared simultaneously by multiple tenants: an individual tenant can re-configure her share of the FPGA resources at any time, without disturbing the applications being run by other tenants. There is, in fact, a growing demand today for deploying FPGAs as general purpose computing resources on the cloud.

Security Challenges. Provisioning FPGAs on the cloud offers a number of challenges such as resource abstraction, ecosystem compatibility (libraries and SDKs) and, most importantly, security. While some of these challenges have been addressed comprehensively in the existing literature [4], security issues emerging from such a model are largely under-studied. One such security issue is IP protection. Multiple mutually distrusting tenants sharing a common pool of FPGA resources are likely to demand guarantees for bitstream confidentiality.
Since FPGAs are inherently designed for single party access, FPGA vendors today focus on ensuring the privacy of bitstreams originating from single users, especially when deployed into hostile industrial/military environments. Mitigation techniques typically use bitstream encryption and authentication, combined with fault-tolerance. However, a direct adoption of such techniques in the multi-tenancy setting potentially blows up resource requirements, imposes significant key-management overheads, and leads to an overall lack of scalability. This motivates the need for dedicated and scalable security solutions tuned to the multi-tenancy setting.

Existing Solutions. While a number of recent works [16, 20, 24] have helped develop general acceptance for FPGAs as general-purpose computing elements in portable ecosystems, security concerns regarding large-scale FPGA deployment have been discussed only in the context of specific applications. For example, the authors of [1] have looked into the security of specific applications such as building databases, where FPGAs are used as accelerators. Their security discussions are more at the application level rather than the system level. Other works [4] focus on the threats originating from malicious tenants either crashing the system or attempting illegal memory accesses. Their proposed mitigations are mostly based on virtualization, in the sense that they use dedicated hypervisors and DMA units to regulate the memory accesses made by each tenant's bitstream file on the host FPGA node. However, they do not consider the threats posed by co-resident VM attacks [10, 22], where data resident on a target VM can be stolen by a second malicious VM, so long as they co-exist on the same physical node. This poses a massive threat to IP security in the shared tenancy setting, and underlines the need for cryptographic security guarantees in addition to architectural barricading.
While a number of cryptographic solutions have been proposed for IP protection in the single tenancy scenario [9, 14], there exist no equivalent solutions tuned to the shared tenancy setting to the best of our knowledge.

Our Proposition. In this paper, we propose a dedicated and scalable framework for secure multi-tenant FPGA provisioning on the cloud. Our framework also has the following desirable features:
• Our framework guarantees bitstream confidentiality in exchange for a constant amount of resource/memory overhead, irrespective of the number of tenants sharing a given FPGA. We achieve this using a novel technique known as key-aggregation that is provably secure under well-studied cryptographic assumptions.
• The only trusted agent in our framework is the FPGA vendor. Note that even in IP protection solutions in the single tenancy setting, the FPGA vendor is typically a trusted entity. Hence, this is a reasonable assumption. More importantly, the cloud service provider need not be trusted, which is desirable from a tenant's point of view.
• Our framework can be easily integrated into existing cloud-based infrastructures such as OpenStack, and does not interfere with other desirable properties of an FPGA provisioning mechanism, such as resource virtualization/isolation and platform compatibility.

Prototype Implementation. We illustrate the scalability of our proposed approach via a prototype implementation on Xilinx Virtex-7 UltraScale FPGAs. Our results indicate that the proposed approach has a fixed overhead of around 10-15% of the available FPGA resources. This overhead remains unaltered for any number of tenants/workloads using the FPGA resources at any given point of time. To the best of our knowledge, this is the first FPGA provisioning framework to be prototyped that achieves a desirable balance between security and scalability in the multi-tenancy setting.

Applications in the Automotive Setting. FPGAs are being increasingly used as accelerators in automotive applications. In particular, the high parallel processing capabilities of FPGAs provide great advantages in applications such as ADAS, Smart Park Assist systems, and power control systems in modern vehicles. Most FPGAs also come with integrated peripheral cores that implement commonly-used functions like communication over controller area network (CAN) [11]. In an automotive setting, a single FPGA may be required to accelerate applications from multiple stakeholders that are mutually distrusting and wish to protect their individual IPs. The core techniques underlying our proposed framework in this paper can be equivalently applied to build efficient and scalable IP protection units for such applications.
SECURE MULTI-TENANT FPGA PROVISIONING: OUR PROPOSITION
In this section, we present our proposal for secure provisioning of FPGAs among multiple tenants on the cloud. We assume a basic FPGA provisioning setup on a cloud [4], as illustrated in Figure 1. The idea is to abstract the FPGA resources to the client as an accelerator pool. Each FPGA is divided into multiple slots (e.g. A, B, C and D in Figure 1), with one or more slots assigned to a tenant. The dynamic partial reconfiguration mechanism of modern FPGAs allows a tenant to view each such slot as a virtual FPGA, with specific resource types, available capacity and compatible interfaces. The DMA controller module is meant primarily for bandwidth and priority management across the various FPGA partitions. At the hypervisor layer, the controller module chooses available FPGA nodes based on their compatibility with a tenant's requirements, and helps configure them with the desired bitstream file via the service layer.
The tenant essentially sees a VM, embedded with a virtual FPGA and containing the necessary APIs and controller modules to configure the FPGA. The allocation of resources to various tenants and the creation of corresponding VMs is handled by a separate controller module. More details of this basic setup can be found in [4] . Our aim is to propose an efficient and secure mechanism that ensures IP protection in this setup, without compromising on the other well-established features such as virtualization, inter-VM isolation and platform compatibility.
Bring Your Own Keys (BYOK)
The fundamental idea underlying our security proposal is as follows: each tenant encrypts her bitstream using a secret key of her own choice before configuring the virtual FPGA with it. Since bitstreams would potentially be encrypted in bulk, a symmetric-key encryption algorithm such as AES-128 is the ideal choice in this regard. Note that this approach immediately assures bitstream confidentiality. In particular, since neither the service provider nor any malicious agent can correctly guess the key chosen by a tenant (except with negligible probability), they can no longer gain access to her bitstream. Notwithstanding its apparent benefits, the aforementioned BYOK-based bitstream encryption technique poses two major challenges in the shared FPGA setting: synchronizing bitstream encryption and decryption for different tenants, and efficient key management. The main novelty of our proposal is in the application of key-aggregation [21], a provably secure cryptographic technique, to efficiently solve both these challenges. We begin by providing a brief overview of a key-aggregate cryptosystem (KAC), along with a concrete construction for the same. We then demonstrate how KAC solves the key-management and synchronization challenges posed by the BYOK-based approach.
Key-Aggregate Cryptosystems (KAC)
KAC is a public-key mechanism to encapsulate multiple decryption keys corresponding to an arbitrarily large number of independently encrypted entities into a single constant-sized entity. In a KAC, each plaintext message/entity is associated with a unique identity $\mathrm{id}$, and is encrypted using a common master public key $mpk$, generated by the system administrator. The system administrator also generates a master secret key $msk$, which in turn is used to generate decryption keys for various entities. The main advantage of KAC is its ability to generate constant-size aggregate decryption keys that combine the power of several individual decryption keys. In other words, given ciphertexts $C_1, C_2, \ldots, C_n$ corresponding to identities $\mathrm{id}_1, \mathrm{id}_2, \ldots, \mathrm{id}_n$, it is possible to generate a constant-size aggregate decryption key $sk_S$ for any arbitrary subset of identities $S \subseteq \{\mathrm{id}_1, \ldots, \mathrm{id}_n\}$. In addition, the aggregate key $sk_S$ cannot be used to decrypt any ciphertext $C_j$ corresponding to an identity $\mathrm{id}_j \notin S$. Figure 2 illustrates the concept of a KAC scheme with a simple toy example. Observe that the individual secret keys $sk_1$ and $sk_3$ for the identities $\mathrm{id}_1$ and $\mathrm{id}_3$ are compressed into a single aggregate key $sk_{1,3}$ that can be used to decrypt both the ciphertexts $C_1$ and $C_3$, but not $C_2$. Additionally, $sk_{1,3}$ has the same size as either of $sk_1$ and $sk_3$ individually.

A Concrete KAC Construction on Elliptic Curves. Algorithm 1 briefly describes a provably secure construction for KAC to illustrate its key-aggregation property. The main mathematical structure used by the construction is a prime order sub-group of elliptic curve points $\mathbb{G}$, generated by a point $P$, and a bilinear map $e$ that maps pairs of elements in $\mathbb{G}$ to a unique element in another group $\mathbb{G}_T$. The construction supports a maximum of $n$ entities, and is provably secure against chosen-plaintext attacks under a variant of the bilinear Diffie-Hellman assumption [12].
We refer the reader to [21] for more details on the correctness and security of the construction. Note that the notations $P_1 + P_2$ and $[a]P$ denote point addition and scalar multiplication operations, respectively, over all elliptic curve points $P, P_1, P_2$ and all scalars $a$. Observe that the aggregate key $sk_S$ is a single elliptic-curve point (with a fixed representation size), irrespective of the size of the subset $S$.

Algorithm 1: A KAC construction on elliptic curves [21]

procedure KAC.Setup(n)
    Take as input the number of entities $n$.
    Let $P$ be an elliptic curve point of prime order $q$ that generates a group $\mathbb{G}$ with a bilinear map $e : \mathbb{G} \times \mathbb{G} \longrightarrow \mathbb{G}_T$.
    Randomly choose $\alpha, \gamma$ in the range $[0, q-1]$ and output the master public key $mpk$ and the master secret key $msk = \gamma$.
end procedure

procedure KAC.Encrypt(mpk, i, M)
    Take as input the master public key $mpk$, an entity identity $i \in [1, n]$ and a plaintext bitstream $M$.
    Randomly choose $r$ in the range $[0, q-1]$ and set the components $c_0$, $c_1$ and $c_2$, where $H$ is a collision-resistant hash function and $\oplus$ denotes the bit-wise XOR operation.
    Output the ciphertext $C = (c_0, c_1, c_2)$.
end procedure

procedure KAC.AggregateKey(msk, mpk, S)
    Take as input the master secret key $msk = \gamma$, the master public key $mpk$ and a subset of entities $S \subseteq [1, n]$.
    Compute $a_S = \sum_{j \in S} [\alpha^{\,n+1-j}]P$.
    Output the aggregate key $sk_S = [\gamma]\, a_S$.
    Also output $a_S$ and $b_{i,S} = \sum_{j \in S \setminus \{i\}} [\alpha^{\,n+1-j+i}]P$ for each $i \in S$.
end procedure

procedure KAC.Decrypt($sk_S$, $a_S$, $b_{i,S}$, $C$)
    Take as input a ciphertext $C = (c_0, c_1, c_2)$ corresponding to an entity with identity $i$, an aggregate key $sk_S$ such that $i \in S$, along with $a_S$ and $b_{i,S}$ as defined above.
    Output the decrypted message $M$, computed using the same collision-resistant hash function $H$ as used in KAC.Encrypt.
end procedure
Combining BYOK with KAC
The crux of our proposal lies in combining BYOK with KAC for efficient key management and synchronization of bitstream encryption and decryption. We achieve this via the following three-step proposal:
Step-1: Setup. In this step, the FPGA vendor sets up a KAC system by generating a master public key and a master secret key. Each manufactured FPGA can be divided into a maximum of n partitions, where each partition is associated with a unique partition identity id, and represents an independent virtual FPGA from the tenant point of view. Each FPGA contains a KAC decryption engine, which is pre-programmed to use a single aggregate decryption key $sk_S$ corresponding to the subset S of partition ids it hosts. In a Xilinx Virtex-7 FPGA, the aggregate key can be securely stored in either a dedicated non-volatile RAM (often backed up by a small externally connected battery), or in the eFUSE.

Figure 3: Secure FPGA Provisioning Scheme: Combining KAC with BYOK
Step-2: Bitstream Encryption. In keeping with the idea behind BYOK, each tenant encrypts her bitstream using her own AES-128 key. Commercially available software tools such as Xilinx Vivado already provide such facilities. We simply propose augmenting this functionality to additionally encrypt the AES-128 key using the master public key of the KAC. The second encryption is performed under the identity id of the partition assigned to the tenant.
Step-3: Bitstream Decryption. Bitstream decryption occurs on-chip in two steps. Each FPGA is provided with a single KAC decryption core, while each individual partition is provided with its own AES-128 decryption core. The KAC decryption engine is first used to recover the AES-128 key chosen by the tenant. Since a single tenant is expected to use the same AES-128 key in a given session, the KAC decryption core needs to be invoked only once per tenant. The recovered key is subsequently used to decrypt any number of encrypted bitstreams and program the FPGA partition with them.

Algorithm 2: Secure FPGA provisioning combining KAC with BYOK

procedure Setup
    Publish the master public key $mpk$.
    for each manufactured FPGA do
        for each FPGA partition do
            Assign a unique random identity $\mathrm{id}$ to the partition.
        end for
        Let $S$ denote the set of all ids corresponding to partitions on the same FPGA.
        $sk_S, a_S, \{b_{\mathrm{id},S}\}_{\mathrm{id} \in S} \leftarrow$ KAC.AggregateKey($msk$, $S$)
        Embed $sk_S$ in a tamper-proof non-volatile memory segment on the FPGA.
        Embed $a_S$ in a non-volatile memory segment on the FPGA (need not be secure/tamper-proof).
        Embed each $b_{\mathrm{id},S}$ in a non-volatile memory segment of the partition with identity $\mathrm{id}$ (again need not be secure/tamper-proof).
    end for
    Each FPGA is provisioned with a single KAC decryption engine, while each FPGA partition is provisioned with its own AES-128 decryption engine.
end procedure

procedure Bitstream Encryption
    Suppose a tenant is assigned an FPGA partition with identity $\mathrm{id}$.
    $K \leftarrow$ AES.KeyGen
    Submit $(C_1, C_2)$ to the framework for configuring the FPGA partition.
end procedure

procedure Bitstream Decryption($C_1$, $C_2$)
    Bitstream $\leftarrow$ AES.Decrypt($K$, $C_1$)
end procedure

Quite evidently, the proposal has the following desirable features from the point of view of efficiency as well as security:

• Constant Secure Storage Overhead per FPGA: Each FPGA stores a single aggregate decryption key that suffices for all its partitions. As already mentioned, KAC generates constant-overhead aggregate keys irrespective of the number of entities they correspond to. Hence, the memory requirement per FPGA for secure key storage remains the same irrespective of the maximum number of partitions n. In other words, the framework scales to any arbitrarily large n without incurring any additional overhead for secure key storage.
• Constant Encryption and Decryption Latency: The encryption and decryption latencies for both KAC and AES-128 are constant, and independent of the maximum number of partitions n supported by an FPGA. In particular, the encryption and decryption sub-routines in Algorithm 1 involve a constant number of elliptic curve operations, and hence require a constant amount of time.
• No Leakage to the Cloud Service Provider: The new scheme achieves synchronization between the encryption and decryption engines via a public-key mechanism that is set up by the FPGA vendor. Since the entire bitstream decryption happens on-chip, the confidentiality of the bitstream as well as that of the AES-128 key from the cloud service provider (as well as any external malicious agents) are guaranteed by the security of AES-128 and the CPA security of the KAC scheme, respectively.
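As an added illustration (not code from the paper or its prototype), the following Python model reproduces the key-aggregation algebra of Algorithm 1 and the per-FPGA aggregate-key flow of Algorithm 2 over a toy bilinear map: the group G is modelled as Z_q and e(x, y) = g^(xy) in Z_p^*, which is insecure (discrete logarithms are trivial) but satisfies the bilinearity the correctness argument relies on. The ciphertext and decryption expressions, which did not survive extraction of Algorithm 1 here, follow the construction of Chu et al. [21] that the paper cites; the parameters q, p, g and the tenant AES-128 keys are constructed for the example.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT a secure instantiation): G is modelled as Z_q,
# a "point" [a]P is just a mod q, and the bilinear map is e(x, y) = g^(x*y) in Z_p^*.
Q = 1019        # prime order of G (stands in for the BN curve subgroup order)
P_MOD = 2039    # prime modulus of the target group G_T, with q | p - 1
G_T_GEN = 4     # element of order q in Z_p^*


def pair(x, y):
    """Toy symmetric bilinear map e: G x G -> G_T, so e([a]P, [b]P) = e(P, P)^(ab)."""
    return pow(G_T_GEN, (x * y) % Q, P_MOD)


def kdf(gt_elem):
    """H in Algorithm 1: hash a G_T element to a 16-byte mask (SHA-256, truncated)."""
    return hashlib.sha256(gt_elem.to_bytes(2, "big")).digest()[:16]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def kac_setup(n):
    """Vendor setup: msk = gamma; mpk holds [alpha^k]P for k in [1, 2n] except n+1."""
    alpha = secrets.randbelow(Q - 1) + 1
    gamma = secrets.randbelow(Q - 1) + 1
    mpk = {"n": n, "v": gamma,
           "ap": {k: pow(alpha, k, Q) for k in range(1, 2 * n + 1) if k != n + 1}}
    return mpk, gamma


def kac_encrypt(mpk, i, m):
    """Encrypt a 16-byte message m (here a tenant's AES-128 key) under partition id i."""
    n, ap = mpk["n"], mpk["ap"]
    r = secrets.randbelow(Q - 1) + 1
    c0 = r                                     # [r]P
    c1 = (r * (mpk["v"] + ap[i])) % Q          # [r](v + [alpha^i]P)
    mask = pow(pair(ap[1], ap[n]), r, P_MOD)   # e([alpha]P, [alpha^n]P)^r
    return (c0, c1, xor(m, kdf(mask)))


def kac_aggregate_key(msk, mpk, S):
    """sk_S is a single group element however large S is; a_S and b_{i,S} are public."""
    n, ap = mpk["n"], mpk["ap"]
    a_S = sum(ap[n + 1 - j] for j in S) % Q
    sk_S = (msk * a_S) % Q
    b = {i: sum(ap[n + 1 - j + i] for j in S if j != i) % Q for i in S}
    return sk_S, a_S, b


def kac_decrypt(sk_S, a_S, b_iS, C):
    """Recover the mask as e(a_S, c1) / e(sk_S + b_{i,S}, c0) = e(P, P)^(r alpha^(n+1))."""
    c0, c1, c2 = C
    mask = pair(a_S, c1) * pow(pair((sk_S + b_iS) % Q, c0), -1, P_MOD) % P_MOD
    return xor(c2, kdf(mask))


def demo():
    """One FPGA with n = 4 partitions; the chip hosts partitions S = {1, 3}."""
    n, S = 4, [1, 3]
    mpk, msk = kac_setup(n)
    # Constructed tenant AES-128 keys (BYOK), one per partition id.
    keys = {i: bytes([i]) * 16 for i in (1, 2, 3)}
    cts = {i: kac_encrypt(mpk, i, keys[i]) for i in keys}
    sk_S, a_S, b = kac_aggregate_key(msk, mpk, S)
    recovered = {i: kac_decrypt(sk_S, a_S, b[i], cts[i]) for i in S}
    # Partition 2 is not hosted: form b_{2,S} by the same formula and check it fails.
    b_2S = sum(mpk["ap"][n + 1 - j + 2] for j in S) % Q
    wrong = kac_decrypt(sk_S, a_S, b_2S, cts[2])
    return {"ok": all(recovered[i] == keys[i] for i in S), "leak": wrong == keys[2]}
```

In the toy model the aggregate key sk_S is one element of Z_q whatever the size of S, mirroring the single elliptic-curve point stored per FPGA in the paper.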
PROTOTYPE IMPLEMENTATION
In this section, we present a prototype implementation for the secure FPGA provisioning framework described in the previous section. In particular, we focus on the overhead and performance results for the security-related components, namely KAC and AES-128. The results are presented in two parts. The first part focuses on the on-chip decryption engines, while the second part focuses on the software tool for generating the encrypted bitstreams and encrypted AES-128 keys.
On-Chip Decryption Engines
We implemented the decryption engines for KAC and AES-128 on a Virtex-7 UltraScale FPGA. In this section, we present post-placement and routing results to illustrate their overhead and operational latencies. To implement the KAC decryption engine, we chose an elliptic curve that offers a 128-bit security level from the family of pairing-friendly Barreto-Naehrig (BN) curves [2]. The curve and all associated operations (point addition and doubling) are defined over a finite field $\mathbb{F}_p$ (where $p$ is a 256-bit prime). On this curve, we implemented the well-known bilinear Tate pairing operation [6], which in turn uses Miller's algorithm [18] followed by a final exponentiation [7]. The group order $q$ for the pairing operation is a 128-bit prime factor of $p^{12} - 1$. Miller's algorithm operates over $\mathbb{F}_p$ and the quadratic extension field $\mathbb{F}_{p^2}$, and runs for $\log_2 q$ many iterations. The final exponentiation is performed in the extension field $\mathbb{F}_{p^{12}}$, and raises the output of Miller's algorithm to the power $(p^{12} - 1)/q$. Additional mathematical details related to the Tate pairing algorithm can be found in [6, 7]. Note that while alternative elliptic curves over small-characteristic fields (e.g. $p = 2$ or $p = 3$) afford more hardware-efficient pairing implementations [5, 15, 19], the security guarantees provided by such curves are presently under threat due to recent advances in DLP [13]. Finally, for the hash function $H$ in Algorithm 1, we use an FPGA-based implementation of SHA-256 [3].

Multipliers using DSP Blocks. A novel feature of our Tate pairing implementation as compared to existing work [8] is the use of DSP blocks to design efficient multipliers over the field $\mathbb{F}_p$. Modern FPGAs such as the Xilinx Virtex-7 UltraScale are inherently equipped with numerous DSP blocks, which can be used to design low-latency circuits for arithmetic operations. We exploited this fact to design a high-speed $\mathbb{F}_p$ multiplier that optimally uses these DSP blocks, based on an efficient tiling algorithm [23] for operand decomposition.
Hardware Implementation Results. The post-route area and timing reports for the arithmetic cores over $\mathbb{F}_p$ are presented in Table 1. The post-route timing reports for the elliptic curve operations (point addition and point doubling) as well as the Tate pairing implementation are summarized in Table 2. Table 3 summarizes the overall area and timing reports for the KAC and AES-128 decryption engines. As depicted in Algorithm 1, the decryption algorithm uses the Tate pairing core twice to compute the two pairings, followed by an application of the product. Finally, the SHA-256 module is used to hash the output of this multiplication core and recover the bitstream. To optimize area requirements, multiple operations using the same FPGA module are performed serially.
Software Encryption Engine
The software encryption engine in our prototype implementation allows a tenant to encrypt her bitstream using an AES-128 key of her own choice, and subsequently, encrypt this key under the KAC scheme. As mentioned previously, BYOK-based bitstream encryption is readily available in commercial design tools such as Xilinx Vivado. We implemented the KAC encryption engine in software using the open-source Pairing-Based Cryptography (PBC) library, which provides APIs to compute Tate pairings over the BN family of elliptic curves. The only prerequisite for using the PBC library is the open-source GNU Multiple Precision Arithmetic Library. The PBC library works on a variety of operating systems, including Linux, Mac OS, and Windows (32 and 64 bits). We present implementation results for the KAC encryption engine using the PBC library in Table 4. The target platform is a standard desktop computer, with an Intel Core i5-4570 CPU, 3.8 Gb RAM, and an operating frequency of 3.20 GHz. It is important to note that, similar to the decryption operation, the latency for KAC encryption is also independent of the number of partitions a given FPGA can support.
SCALABILITY OF OUR FRAMEWORK
In order to elucidate the scalability of our proposed framework, we demonstrate how the following parameters of our prototype implementation scale with the maximum number of tenants/partitions per FPGA:
• Secure Storage on FPGA: In Figure 4a, we compare the amount of secure key storage required per FPGA in our proposed framework (combining KAC with BYOK) against a framework that simply uses BYOK. The latter scheme would have to store the AES-128 key for every tenant on the corresponding FPGA partition allocated to her. Naturally, the storage requirement grows with the number of partitions that a given FPGA can support. In our proposition, the aggregation capability of KAC ensures that the tamper-resistant non-volatile storage requirement is independent of the number of partitions that a given FPGA can support. In other words, our FPGA provisioning scheme has far superior scalability in terms of secure key storage, as compared to a simple BYOK-based provisioning scheme.
• On-Chip Resource Overhead: Since our framework requires only a single KAC decryption engine per FPGA, the on-chip resource overhead remains almost constant with respect to the number of partitions that a given FPGA can support. This is illustrated in Figure 4b . The only slight increase is due to the presence of an AES-decryption engine in every FPGA partition. However, as demonstrated in Table 3 , the resource overhead for an AES-128 decryption engine is negligible as compared to the KAC decryption engine. Thus our framework is also scalable with respect to its on-chip resource overhead.
• Bitstream Encryption/Decryption Performance: Finally, as already mentioned, the bitstream encryption/decryption latency (both KAC and AES-128) of our framework is independent of the number of partitions that a given FPGA can support.
In summary, the incorporation of KAC plays a crucial role in ensuring that our framework retains the same levels of performance and efficiency for an arbitrarily large number of tenants sharing a single FPGA node. To the best of our knowledge, this is the first FPGA provisioning framework to be prototyped that achieves a desirable balance between security and scalability in the multi-tenancy setting.
CONCLUSION
In this paper, we proposed a dedicated and scalable framework for secure multi-tenant FPGA provisioning on the cloud. Our framework guarantees bitstream confidentiality in exchange for a constant amount of resource/memory overhead, irrespective of the number of tenants sharing a given FPGA. We achieved this using a novel technique known as key-aggregation that is provably secure under well-studied cryptographic assumptions. Our framework can be easily integrated into existing cloud-based infrastructures such as OpenStack, and does not interfere with other desirable properties of an FPGA provisioning mechanism, such as resource virtualization/isolation and platform compatibility. We illustrated the scalability of our proposed approach via a prototype implementation on Xilinx Virtex-7 UltraScale FPGAs. Our results indicate that the proposed approach has a fixed overhead of around 10-15% of the available FPGA resources. This overhead remains unaltered for any number of tenants/workloads using the FPGA resources at any given point of time.
