fast symmetric crypto on embedded cpus
play

Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud - PowerPoint PPT Presentation

Oct 02, 2023 •215 likes •929 views

Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands June 5, 2014 Summer School on the design and security of cryptographic algorithms and devices for real-world applications Embedded CPUs 4-bit

  1. Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands June 5, 2014 Summer School on the design and security of cryptographic algorithms and devices for real-world applications

  2. Embedded CPUs 4-bit CPUs 16-bit CPUs ◮ TMS 1000 ◮ TI MSP430 ◮ Intel 4004 ◮ Microchip Technology PIC24 ◮ Atmel MARC4 32-bit CPUs ◮ Toshiba TLCS-47 ◮ ARM11 8-bit CPUs ◮ ARM Cortex-M ∗ ◮ Atmel AVR ◮ ARM Cortex-A ∗ ◮ Intel 8051 ◮ Atmel AVR32 ◮ Microchip Technology PIC ◮ MIPS32 ◮ STMicroelectronics STM8 ◮ AIM 32-bit PowerPC ◮ STMicroelectronics STM32 Fast symmetric crypto on embedded CPUs 2

  3. Symmetric crypto Fast symmetric crypto on embedded CPUs 3

  4. Symmetric crypto Fast symmetric crypto on embedded CPUs 3

  5. Symmetric crypto Fast symmetric crypto on embedded CPUs 3

  6. Symmetric crypto Fast symmetric crypto on embedded CPUs 3

  7. Symmetric crypto Fast symmetric crypto on embedded CPUs 3

  8. Optimizing crypto ◮ This talk: optimize for speed ◮ Implement algorithms in assembly ◮ Available instructions and registers are determined by the target architecture Fast symmetric crypto on embedded CPUs 4

  9. Optimizing crypto ◮ This talk: optimize for speed ◮ Implement algorithms in assembly ◮ Available instructions and registers are determined by the target architecture ◮ Throughput : number of instructions (of a certain type) we can do per cycle Fast symmetric crypto on embedded CPUs 4

  10. Optimizing crypto ◮ This talk: optimize for speed ◮ Implement algorithms in assembly ◮ Available instructions and registers are determined by the target architecture ◮ Throughput : number of instructions (of a certain type) we can do per cycle ◮ Latency of an instruction: number of cycles we have to wait before using the result Fast symmetric crypto on embedded CPUs 4

  11. Optimizing crypto ◮ This talk: optimize for speed ◮ Implement algorithms in assembly ◮ Available instructions and registers are determined by the target architecture ◮ Throughput : number of instructions (of a certain type) we can do per cycle ◮ Latency of an instruction: number of cycles we have to wait before using the result ◮ Latency and throughput are determined by the microarchitecture Fast symmetric crypto on embedded CPUs 4

  12. Optimizing crypto ◮ This talk: optimize for speed ◮ Implement algorithms in assembly ◮ Available instructions and registers are determined by the target architecture ◮ Throughput : number of instructions (of a certain type) we can do per cycle ◮ Latency of an instruction: number of cycles we have to wait before using the result ◮ Latency and throughput are determined by the microarchitecture ◮ Optimizing software in assembly means: ◮ Find good representation of data ◮ Choose suitable instructions that implement the algorithm ◮ Schedule those instruction to hide latencies ◮ Assign registers efficiently (avoid spills) Fast symmetric crypto on embedded CPUs 4

  13. Keccak on ARM11 Joint work with Bo-Yin Yang and Shang-Yi Yang Fast symmetric crypto on embedded CPUs 5

  14. The ARM11 ◮ 16 32-bit integer registers (1 used as PC, one used as SP): 14 freely available ◮ Executes at most one instruction per cycle ◮ 1 cycle latency for all relevant arithmetic instructions, 3 cycles for loads from cache ◮ Standard 32-bit RISC instruction set; two exceptions: Fast symmetric crypto on embedded CPUs 6

  15. The ARM11 ◮ 16 32-bit integer registers (1 used as PC, one used as SP): 14 freely available ◮ Executes at most one instruction per cycle ◮ 1 cycle latency for all relevant arithmetic instructions, 3 cycles for loads from cache ◮ Standard 32-bit RISC instruction set; two exceptions: ◮ One input of arithmetic instructions can be rotated or shifted for free as part of the instruction ◮ This input is needed one cycle earlier in the pipeline ⇒ “backwards latency” + 1 Fast symmetric crypto on embedded CPUs 6

  16. The ARM11 ◮ 16 32-bit integer registers (1 used as PC, one used as SP): 14 freely available ◮ Executes at most one instruction per cycle ◮ 1 cycle latency for all relevant arithmetic instructions, 3 cycles for loads from cache ◮ Standard 32-bit RISC instruction set; two exceptions: ◮ One input of arithmetic instructions can be rotated or shifted for free as part of the instruction ◮ This input is needed one cycle earlier in the pipeline ⇒ “backwards latency” + 1 ◮ Loads and stores can move 64-bits between memory and 2 adjacent 32-bit registers (same cost as 32-bit load/store) Fast symmetric crypto on embedded CPUs 6

  17. Keccak ◮ State of 5 × 5 matrix of 64 -bit lanes ◮ Absorb message in blocks of 128 bytes ◮ Perform state transformation in 24 rounds; each round: ◮ Compute b 0 , . . . , b 4 as XORs of columns ◮ Compute c 0 , . . . , c 4 , each as b i ⊕ ( b j ≪ 1) Fast symmetric crypto on embedded CPUs 7

  18. Keccak ◮ State of 5 × 5 matrix of 64 -bit lanes ◮ Absorb message in blocks of 128 bytes ◮ Perform state transformation in 24 rounds; each round: ◮ Compute b 0 , . . . , b 4 as XORs of columns ◮ Compute c 0 , . . . , c 4 , each as b i ⊕ ( b j ≪ 1) ◮ Update state columnwise ◮ Pick up 5 lanes from a diagonal ◮ XOR each lane with one of the c i ◮ Rotate each lane by a different fixed distance ◮ Obtain each new lanes as l i ⊕ (( ¬ l j )& l k ) Fast symmetric crypto on embedded CPUs 7

  19. Keccak ◮ State of 5 × 5 matrix of 64 -bit lanes ◮ Absorb message in blocks of 128 bytes ◮ Perform state transformation in 24 rounds; each round: ◮ Compute b 0 , . . . , b 4 as XORs of columns ◮ Compute c 0 , . . . , c 4 , each as b i ⊕ ( b j ≪ 1) ◮ Update state columnwise ◮ Pick up 5 lanes from a diagonal ◮ XOR each lane with one of the c i ◮ Rotate each lane by a different fixed distance ◮ Obtain each new lanes as l i ⊕ (( ¬ l j )& l k ) ◮ One lane per column is additionally XORed with a round constant Fast symmetric crypto on embedded CPUs 7

  20. A 64 -bit hash-function on a 32 -bit CPU ◮ Represent each lane in two registers, XOR and AND are trivial ◮ How about 64 -bit rotate with 32 -bit registers? Fast symmetric crypto on embedded CPUs 8

  21. A 64 -bit hash-function on a 32 -bit CPU ◮ Represent each lane in two registers, XOR and AND are trivial ◮ How about 64 -bit rotate with 32 -bit registers? ◮ Answer by the Keccak implementation guide: bit interleaving ◮ Put all bits from even positions into one 32 -bit register, all odd bits into the other ◮ Perform all rotates for free on 32-bit registers Fast symmetric crypto on embedded CPUs 8

  22. A 64 -bit hash-function on a 32 -bit CPU ◮ Represent each lane in two registers, XOR and AND are trivial ◮ How about 64 -bit rotate with 32 -bit registers? ◮ Answer by the Keccak implementation guide: bit interleaving ◮ Put all bits from even positions into one 32 -bit register, all odd bits into the other ◮ Perform all rotates for free on 32-bit registers ◮ a ← b ⊙ ( c ≪ n ) is free rotation, but a ← ( b ⊙ c ) ≪ n is not Fast symmetric crypto on embedded CPUs 8

  23. A 64 -bit hash-function on a 32 -bit CPU ◮ Represent each lane in two registers, XOR and AND are trivial ◮ How about 64 -bit rotate with 32 -bit registers? ◮ Answer by the Keccak implementation guide: bit interleaving ◮ Put all bits from even positions into one 32 -bit register, all odd bits into the other ◮ Perform all rotates for free on 32-bit registers ◮ a ← b ⊙ ( c ≪ n ) is free rotation, but a ← ( b ⊙ c ) ≪ n is not ◮ Don’t rotate output, rotate for free when the value is used as input ◮ When both inputs of an instruction need to be rotated: a ← ( b ≪ n 1 ) ⊙ ( c ≪ n 2 ) . ◮ Compute: a ← b ⊙ ( c ≪ ( n 2 − n 1 )) and set the implicit rotation distance of a to n 1 Fast symmetric crypto on embedded CPUs 8

  24. A 64 -bit hash-function on a 32 -bit CPU ◮ Represent each lane in two registers, XOR and AND are trivial ◮ How about 64 -bit rotate with 32 -bit registers? ◮ Answer by the Keccak implementation guide: bit interleaving ◮ Put all bits from even positions into one 32 -bit register, all odd bits into the other ◮ Perform all rotates for free on 32-bit registers ◮ a ← b ⊙ ( c ≪ n ) is free rotation, but a ← ( b ⊙ c ) ≪ n is not ◮ Don’t rotate output, rotate for free when the value is used as input ◮ When both inputs of an instruction need to be rotated: a ← ( b ≪ n 1 ) ⊙ ( c ≪ n 2 ) . ◮ Compute: a ← b ⊙ ( c ≪ ( n 2 − n 1 )) and set the implicit rotation distance of a to n 1 ◮ Need to keep implicit rotation distances invariant over loop iterations ◮ Full unrolling essentially makes all rotates free Fast symmetric crypto on embedded CPUs 8

  25. Memory access overhead ◮ 200 -byte state is way too large for 56 register bytes ◮ Simple structure of main transformations: ◮ Load 5 half-lanes ◮ Load 5 values c i ◮ Perform arithmetic ( 10 XOR, 5 AND) ◮ Store 5 result lanes Fast symmetric crypto on embedded CPUs 9

  26. Memory access overhead ◮ 200 -byte state is way too large for 56 register bytes ◮ Simple structure of main transformations: ◮ Load 5 half-lanes ◮ Load 5 values c i ◮ Perform arithmetic ( 10 XOR, 5 AND) ◮ Store 5 result lanes ◮ This means 50% load/store overhead ◮ Even worse for computation of b i and c i Fast symmetric crypto on embedded CPUs 9

Recommend

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

1.03k views • 63 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
Search on Modern CPUs and GPUs N. Satish, C. Kim, J. Chhugani, A. Nguyen, V. Lee, D. Kim, P. Dubey

Search on Modern CPUs and GPUs N. Satish, C. Kim, J. Chhugani, A. Nguyen, V. Lee, D. Kim, P. Dubey

FAST: Fast Architecture Sensitive Tree Search on Modern CPUs and GPUs N. Satish, C. Kim, J. Chhugani, A. Nguyen, V. Lee, D. Kim, P. Dubey SIGMOD 2010 Presented by: Andy Hwang 2 Motivation Index trees are not optimized for architecture

697 views • 26 slides
Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019 Preliminaries... No quantum knowledge needed for following this talk Outline Introduction

882 views • 72 slides
DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal Threshold Cryto Has focused on public-key crypto Symmetric-key encryption got less attention Symmetric keys dont stay

338 views • 31 slides
Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian

Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian

Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian Rechberger TU Graz and DTU Security of modern IT Systems User Secure System Communication Protocol Cryptographic Primitive Security of modern IT

523 views • 51 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x

Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x

CS 166: Information Security Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 Y y 0 y 1 y 2 y 3 y 4 y 5 y

690 views • 45 slides
Crypto: Symmetric-Key Cryptography Slides credit: Dan Boneh, David Wagner, Doug Tygar Dawn

Crypto: Symmetric-Key Cryptography Slides credit: Dan Boneh, David Wagner, Doug Tygar Dawn

Computer Security Course. Dawn Song Crypto: Symmetric-Key Cryptography Slides credit: Dan Boneh, David Wagner, Doug Tygar Dawn Overview Cryptography: secure communication over insecure communication channels Three goals

475 views • 30 slides
On the Fast Algebraic Immunity of Majority Functions Pierrick M AUX ICTEAM/ELEN/Crypto Group,

On the Fast Algebraic Immunity of Majority Functions Pierrick M AUX ICTEAM/ELEN/Crypto Group,

On the Fast Algebraic Immunity of Majority Functions Pierrick M AUX ICTEAM/ELEN/Crypto Group, Universit catholique de Louvain, Belgium Latincrypt 2019 Santiago de Chile Wednesday October 2 1 / 15 Table of Contents Introduction Results

670 views • 44 slides
Fast Eigenvalue Computation of Symmetric Rationally Generated Toeplitz Matrices Luca Gemignani

Fast Eigenvalue Computation of Symmetric Rationally Generated Toeplitz Matrices Luca Gemignani

Fast Eigenvalue Computation of Symmetric Rationally Generated Toeplitz Matrices Luca Gemignani Dipartimento di Matematica, Universit` a di Pisa, Italy gemignan@dm.unipi.it This is a joint work with K. Frederix & M. Van Barel Cortona 2008

334 views • 18 slides
Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace

Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace

Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace Topics Password-based Crypto Random Number Generators Symmetric Key Encryption key generation R k Gen K R M Enc C C Dec M

726 views • 29 slides
Accurate and Fast Evaluation of Elementary Symmetric Functions Stef Graillat LIP6/PEQUAN -

Accurate and Fast Evaluation of Elementary Symmetric Functions Stef Graillat LIP6/PEQUAN -

Accurate and Fast Evaluation of Elementary Symmetric Functions Stef Graillat LIP6/PEQUAN - Universit Pierre et Marie Curie (Paris 6) - CNRS Joint work with Hao Jiang and Roberto Barrio 21st IEEE International Symposium on Computer Arithmetic

294 views • 28 slides
Database of Long-Lived Symmetric Cryptographic Keys

Database of Long-Lived Symmetric Cryptographic Keys

Database of Long-Lived Symmetric Cryptographic Keys dra%-ie)-karp-crypto-key-table-03 R. Housley T. Polk S. Hartman D. Zhang Updates on

321 views • 9 slides
Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret

Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret

Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret key Only Alice and Bob know the secret key Private key Only Alice's knows Alice's private key (Bob doesn't know and never finds out)

1.07k views • 35 slides
Key Agreement Protocols Key Agreement Two people want symmetric-key keying material to have a

Key Agreement Protocols Key Agreement Two people want symmetric-key keying material to have a

Key Agreement Protocols Key Agreement Two people want symmetric-key keying material to have a fast, secure conversation How can they agree on a shared symmetric key without it being transmitted in the clear? How can they be sure who

767 views • 27 slides
Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr

Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr

RUHR-UNIVERSITT BOCHUM Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 1 RUHR-UNIVERSITT

686 views • 47 slides

More recommend