Frai,
There are many who claim "oh, this is easy..."
However, back in the Virtex II Pro days, we issued a challenge, and more than 7 universities and research groups accepted the challenge.
We provided a 2vp7 PCB with USB port, and pins for access to power, that had the key battery installed (300 mA lithium coin cell), and the part was programmed with a 3DES encrypted bitstream.
All 7 challengers gave up. Their basic conclusion was that all the things they thought would work (differential power attack, spoofing by power glitches, attack with freeze spray, etc.) FAILED.
Now, can someone crack the scheme, and get the unencrypted bitstream? Well, we are unable to get anyone interested to try it, as they tried the obviously less secure 3DES, and didn't get anywhere.
Also, I presume the NSA tried, as they eventually approved V4. If I was the NSA, I would have put a great deal of effort to try to break it if I knew that the devices would go into all modern crypto-systems! However, I know nothing of what they did (their report is classified).
Unfortunately, no one publishes a master's thesis or PhD thesis that says "I failed to crack this encryption" so there are no records of these attempts failing. But, no one has been able to get at the key, or to find anything about the bitstream, ever since we first introduced the features starting with Virtex II.
On the other hand, polarized light, and a high school microscope, can be used to read the state of any efuses in a chip (which is why they are excluded as a solution by the standards). The fact that some vendors scramble their efuse contents just means that they do not really understand what security is all about ("there is no security in obscurity"). Once the "secret" is out (by reverse engineering the hardware or software), then all of the products shipped become vulnerable.
Our approach has no secrets whatsoever: the algorithm is public, as is the design of the encryptor and decryptor. That is why it complies with the standards for constructing a secure system.
Austin