As part of the COREnext project, researchers at Nokia have demonstrated a secure FPGA offloading framework for cloud computing environments. The demonstration showcases how data processing tasks can be safely offloaded from CPUs to FPGAs (Field Programmable Gate Arrays) in containerised, cloud-native architectures, such as those using Kubernetes and Docker, without compromising data confidentiality. 

FPGA Acceleration in Cloud Environments 

In modern cloud infrastructures, microservices are deployed on CPUs and can offload computationally demanding tasks, such as digital signal processing (DSP) or machine learning algorithms, to FPGA accelerators. This approach significantly boosts performance and energy efficiency. 

However, this setup introduces security challenges. When multiple microservices share an FPGA, each allocated to a different logical array, a malicious service could potentially gain unauthorised access to another’s data. To prevent such breaches, the team at Bell Labs developed a multi-layer encryption and key management mechanism ensuring secure communication between CPUs and FPGAs. 

The Security Architecture 

The solution integrates two layers of encryption: 

  1. AES Encryption for Data Protection
    Before data is sent from the CPU to the FPGA for processing, it is encrypted using the Advanced Encryption Standard (AES). This ensures that even if a malicious service accesses the data stream, it cannot decrypt or interpret the information. 
  2. ECC Encryption for Secure Key Exchange
    To address the challenge of securely sharing the AES key itself, the system uses Elliptic Curve Cryptography (ECC) for asymmetric encryption. 
      • Each FPGA logical array is wrapped with a security layer that includes a True Random Number Generator (TRNG).
      • The TRNG generates a unique pair of public and private keys.
      • The public key is sent to the CPU, which encrypts its AES key using this public key.
      • The encrypted AES key is transmitted back to the FPGA, where the private key decrypts it.

Once the AES key is securely received, the FPGA decrypts incoming data, processes it, and re-encrypts the results before returning them to the CPU, ensuring end-to-end protection of sensitive data. 

Secure Communication in Action 

During the live demonstration, the Bell Labs team connected remotely to a cloud server in France to showcase the encryption process in real time. The system dynamically generated a new ECC key pair for each session, ensuring that every transaction used a fresh public key while maintaining the same AES key on the CPU side. 

Each run of the demo illustrated the following workflow: 

  • The CPU requests a public key from the FPGA. 
  • The CPU encrypts its AES key with that public key. 
  • The encrypted AES key is sent to the FPGA and securely decrypted. 
  • Data is transferred, decrypted, processed, and re-encrypted automatically. 

Every time a new session began, the FPGA generated a new public key, confirming that the dynamic and secure key exchange mechanism was in operation.
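The key exchange described in the two sections above, as an added Go example that is not Nokia's or COREnext's code. The page names neither the curve, the ECC encryption scheme nor the AES mode, so P-256, an ECIES-style wrap (ephemeral ECDH, SHA-256, AES-256-GCM), `crypto/rand` in place of the TRNG, and all function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newKeyPair: one fresh P-256 pair per session (crypto/rand stands in for the TRNG).
func newKeyPair() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// kek keys AES-256-GCM with SHA-256 of the ECDH secret (assumed scheme).
// Each KEK seals exactly one message, so both sides use the all-zero nonce.
func kek(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	blk, _ := aes.NewCipher(k[:]) // a 32-byte key is always accepted
	return cipher.NewGCM(blk)
}

func WrapKey(fpgaPub *ecdh.PublicKey, aesKey []byte) (*ecdh.PublicKey, []byte, error) { // CPU side
	e, err := newKeyPair() // throwaway pair, never reused
	if err != nil {
		return nil, nil, err
	}
	g, err := kek(e, fpgaPub)
	if err != nil {
		return nil, nil, err
	}
	return e.PublicKey(), g.Seal(nil, make([]byte, g.NonceSize()), aesKey, nil), nil
}

func UnwrapKey(priv *ecdh.PrivateKey, eph *ecdh.PublicKey, wrapped []byte) ([]byte, error) { // FPGA side
	g, err := kek(priv, eph)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, make([]byte, g.NonceSize()), wrapped, nil)
}

func main() {
	fpga, _ := newKeyPair() // constructed demo: one session, all-zero AES key
	eph, wrapped, _ := WrapKey(fpga.PublicKey(), make([]byte, 32))
	fmt.Println(UnwrapKey(fpga, eph, wrapped))
}
```

How the CPU verifies that a public key really comes from its own FPGA logical array is not described on the page and is left out of the example as well.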

Towards Secure, High-Performance Cloud Acceleration 

This demonstration validates that secure FPGA offloading is achievable within cloud-native infrastructures. The combined use of AES for data encryption and ECC for secure key exchange provides a robust defense against potential attacks and data leaks. 

By embedding security directly into the hardware and orchestration layer, the COREnext project moves a step closer to enabling trustworthy, high-performance computing in distributed and virtualised environments. 

Horizon Europe – Grant Agreement number 101092598
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.