Shouldn't be too complicated. Signed executables first. Then embed a smallish (56-bit would be more than enough, but is likely to be 128-bit) key into each system, and then have them linked by database to the serial for the system itself. Nintendo keeps a database of these at manufacture. Serials and keys should not be in any way mathematically linked. Any downloaded ROMs get encrypted by Nintendo before the user downloads. Any emulator runs the ROM through a decrypter while loading the ROM into RAM.

Here's a fun one. Signed executables on DVD, but downloaded executables are signed and are also encrypted by the same embedded key, and any executable run from the embedded flash or SD card will only execute if run through the encryption key first.

Here's another one: don't just include an encryption key, include a codec on an IC that is fed data, and is expected to return good data based on its embedded key so that the key itself can never be extracted. Beyond that, don't make it a codec, just make it a decoder so if the signature is cracked, you can't have a nifty program that uses the rev to encrypt its own executables.
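The per-console download scheme described in the post above, as an added sketch that is not part of the original post: each console gets a random 128-bit key recorded against its serial, and a download packaged for one serial is rejected by a console holding a different key. The names `Vendor`, `manufacture`, `package` and `console_load` are hypothetical, the HMAC-SHA256 keystream is a standard-library stand-in for a real cipher such as AES, and the vendor signature on the executable (which needs an asymmetric scheme) is not shown.

```python
import hashlib
import hmac
import secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += _prf(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Vendor:
    """Manufacturer side: holds the serial -> key database."""
    def __init__(self):
        self.db = {}

    def manufacture(self, serial):
        # Key comes from a CSPRNG, never derived from the serial, so
        # knowing a serial reveals nothing about the embedded key.
        key = secrets.token_bytes(16)  # 128-bit
        self.db[serial] = key
        return key  # the value burned into the console

    def package(self, serial, rom):
        # Encrypt the download for exactly one console, then MAC it.
        key = self.db[serial]
        enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(enc_key, nonce, rom)
        return nonce + ct + _prf(mac_key, nonce + ct)

def console_load(embedded_key, blob):
    """Console side: returns the ROM, or None if not packaged for this key."""
    enc_key, mac_key = _prf(embedded_key, b"enc"), _prf(embedded_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        return None
    return _xor_stream(enc_key, nonce, ct)

if __name__ == "__main__":
    vendor = Vendor()
    key_a = vendor.manufacture("SN-0001")  # constructed serials
    key_b = vendor.manufacture("SN-0002")
    blob = vendor.package("SN-0001", b"constructed ROM bytes")
    print(console_load(key_a, blob), console_load(key_b, blob))
```

In this sketch the key sits in software on the console side; the post's last suggestion moves `console_load` into a decode-only IC so the key never leaves the chip.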