Real World Crypto – Stanford, CA January 2013

How much crypto in one microJoule?

Ingrid Verbauwhede
ingrid.verbauwhede-at-esat.kuleuven.be
KU Leuven, COSIC

Acknowledgements: Current and former Ph.D. students at UCLA and KU Leuven

KU Leuven - COSIC Real World Crypto 2013 - 1 Stanford, January 2013

Light weight crypto for IoT
• Example: Medical Internet of Things
• Design constraints: area - time - energy/power
• Energy – Flexibility trade-off
• ASIC design, hardware specialization
• Cost of crypto primitives
• Cost of countermeasures

KU Leuven - COSIC ECRYPT - VAMPIRE 2012 - 2 Antwerp, November 2012

Ingrid Verbauwhede, KU Leuven - COSIC 1

Medical Internet of Things
IMEC: Human++, NERF - brain stimulant
Deep Brain stimulation
[Sources: J. Rabaey, National Institutes of Health, Neurology journal]

Medical implants
• Power is limited
  – Cooling!!
  – Implanted devices only temperature ∆ < 1 °C
• Energy Battery is limited
  – Pacemaker battery is not rechargeable
  – One AAA battery is 1300 … 5000 Joules
• How much crypto in one microJoule or 10 microWatt?

Other applications
• Smartcards
• RFID tags
• Smart meters
• Keys
• …
Ari Juels: RFID tracking problem

IoT Devices NEED BOTH
• Efficient, lightweight implementations
  – Within power, area, timing budgets
  – Public key: 2048 bits RSA, 200 bit ECC on 8 bit µC and 100 µW
  – Public key on a passive RFID tag
• Trustworthy implementation
  – Resistant to attacks
  – Active attacks: probing, power glitches, JTAG scan chain
  – Passive attacks: side channel attacks

Hardware Design Parameters
Embedded security: area, delay, power, energy, physical security

Power and Energy are not the same!
• Power = P = I x V (current x voltage) (= Watt)
  – Instantaneous
  – Typically checked for cooling or for peak performance
• Energy = Power x execution time (= Joule)
  – Battery content is expressed in Joules
  – Gives an idea of how many Joules are needed to get the job done
Low power processor ≠ low energy solution!
[Figure: two plots of Power versus Time]

Cost of crypto primitives
Crypto for 1 micro-Joule: Energy - flexibility trade-off

Illustrate with examples
• Example 1: Secret Key: AES, KATAN
• Example 2: NIST SHA3
• Example 3: Public key, ECC for RFID
• Example 4: cost of physical security

Example: Rijndael/AES
[Figure: AES round structure, each round built from S-boxes (S) and MixColumns, with a Key Schedule feeding the rounds]
• key length: 16/24/32 bytes
• block length: 16/24/32 bytes

Throughput – Energy numbers
AES, 128bit key, 128bit data

| Platform | Throughput | Power | Figure of Merit (Gb/s/W = Gb/J) |
|---|---|---|---|
| 0.18um CMOS | 3.84 Gbits/sec | 350 mW | 11 (1/1) |
| FPGA [1] | 1.32 Gbit/sec | 490 mW | 2.7 (1/4) |
| Intel ISA for AES [6] | 32 Gbit/sec | 95 W | 0.34 (1/33) |
| ASM StrongARM [2] | 31 Mbit/sec | 240 mW | 0.13 (1/85) |
| Asm Pentium III [3] | 648 Mbits/sec | 41.4 W | 0.015 (1/800) |
| C Emb. Sparc [4] | 133 Kbits/sec | 120 mW | 0.0011 (1/10.000) |
| Java [5] Emb. Sparc | 450 bits/sec | 120 mW | 0.0000037 (1/3.000.000) |

[1] Amphion CS5230 on Virtex2 + Xilinx Virtex2 Power Estimator
[2] Dag Arne Osvik: 544 cycles AES – ECB on StrongArm SA-1110
[3] Helger Lipmaa PIII assembly handcoded + Intel Pentium III (1.13 GHz) Datasheet
[4] gcc, 1 mW/MHz @ 120 MHz Sparc – assumes 0.25 um CMOS
[5] Java on KVM (Sun J2ME, non-JIT) on 1 mW/MHz @ 120 MHz Sparc – assumes 0.25 um CMOS
[6] Shay Gueron, Intel

Match between algorithm & platform
Close the gap:
• Dedicated HW: ASIC, SOC
• Programmable HW: FPGA
• Dedicated instructions, hand-coded assembly
• Compiled code
• JAVA on virtual machine, compiled on a real machine
[Figure labels: Application, Platform, ASIC, Fixed, General Purpose, ???, Cost, Power. Caption: Energy - flexibility trade-off]

1 microJoule
• 11000 bits AES (optimized version)
• 3000 to 10K gates area = small

Light weight crypto: KATAN - KTANTAN
CHES 2009: De Canniere, Dunkelman, Knezevic
80 bits key
32 - 48 - 64 bits block
254 rounds
Max 1000 gates
[Figure labels: Key size, Block size, Datapath + Control, Memory, "redundant" logic]
[slide input: Miroslav Knežević]

1 microJoule
• 110000 bits KATAN, <1000 gates
• 11000 bits AES (ASIC), 3000 to 10K gates
'light' ≠ low Joules, only small area

SHA3 – competition: One size fits all

SHA 3 ASIC (90nm) synthesis

| Algorithm | Throughput Mbits (@250MHz) | Gate (GE) | Energy (pJ/bit) |
|---|---|---|---|
| SHA256 | 2000 | 12K | 2 |
| Blake | 6000 | 30K | 2.5 |
| Grøstl | 13000 | 86K | 2.5 |
| JH | 4600 | 30K | 2 |
| Keccak | 15000 | 30K | 1 |
| Skein | 6700 | 43K | 6 |

[slide input: Miroslav Knežević]

Keccak in SW
• Keccak on ATtiny45 at 8MHz
• 540 microWatt at 1MHz (spec)
• 716 * 10^3 clock cycles to hash 500 Bytes
• Result: 100 pJ/bit
• So again: SW is 100 times less efficient than HW
J. Balasch, B. Ege, Th. Eisenbarth, B. Gérard, Z. Gong, T. Güneysu, S. Heyse, S. Indesteege, S. Kerckhof, F. Koeune, T. Nad, T. Plos, T. Pöppelman, F. Regazzoni, F. Standaert, G. Van Assche, I. von Maurich, L. van Oldeneel, Open Source Implementations of Hash Functions in an Atmel AtTiny45, ECRYPT.

1 microJoule
• 110000 bits KATAN, < 1000 gates
• 11000 bits AES encryption, 3000 gates
• 1000 bits Keccak hash, 30K gates

Example 3: Public key - Elliptic Curve Cryptography
Push for lowest energy to fit budget of IoT

Challenge: low power public key …
Address at all design abstraction levels!
• Protocol: asymmetric (most work for the reader)
• Algorithm: Elliptic curve (163 bits) instead of RSA (min 1024 bits)
• Field Operation: Binary and not Prime fields: easier field operations
• Projective coordinate system: (X, Y, Z) instead of (x,y): no field inversions
• Special coordinate system: no need to store Y coordinates (Lopez-Dahab) and common Z (only one Z coordinate)
• Minimize storage: Only 5 registers (with mult/add/square unit) or 6 registers (with mult/add-only unit) compared to 9+ registers before.
[Figure labels, design abstraction levels: Scalable, Tracking, Cloning; Binary field 2^163, Elliptic curve, Projective, Montgomery ladder, Common Z coord; Java, JCA, JVM; 8 bit uP, CPU, REG, MALU, MEM; Vcc, D, Q, CLK]
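
The x-only Montgomery ladder named on the slide above, as an added example that is not code from the talk or from the co-processor it describes. It uses the textbook López-Dahab projective formulas with separate Z coordinates (not the common-Z variant); the NIST reduction polynomial for GF(2^163), b = 1 and the sample x-coordinate are assumptions made for the example.

```python
M = 163
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # assumed: x^163 + x^7 + x^6 + x^3 + 1
B = 1   # assumed b in y^2 + xy = x^3 + a*x^2 + b; a never enters the x-only formulas
SAMPLE_X = 0x31415926535897932384626433832795028841971   # constructed field element

def gf_mul(a, b):
    """Multiply two field elements: carry-less product, then reduction modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    for i in range(r.bit_length() - 1, M - 1, -1):
        if (r >> i) & 1:
            r ^= POLY << (i - M)
    return r

def gf_inv(a):
    """Field inversion as a^(2^163 - 2); the ladder needs it once, at the very end."""
    r = 1
    for _ in range(M - 1):
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def mdouble(X, Z):
    """Projective doubling: x(2P) = (X^4 + b*Z^4) / (X^2 * Z^2)."""
    X2, Z2 = gf_mul(X, X), gf_mul(Z, Z)
    return gf_mul(X2, X2) ^ gf_mul(B, gf_mul(Z2, Z2)), gf_mul(X2, Z2)

def madd(x, X1, Z1, X2, Z2):
    """Differential addition of P1 and P2 given x = x(P2 - P1); no Y coordinate involved."""
    t1, t2 = gf_mul(X1, Z2), gf_mul(X2, Z1)
    Z3 = gf_mul(t1 ^ t2, t1 ^ t2)
    return gf_mul(x, Z3) ^ gf_mul(t1, t2), Z3

def ladder(k, x):
    """Affine x-coordinate of k*P from x = x(P) alone; None for the point at infinity."""
    if k < 1: raise ValueError("scalar must be positive")
    X1, Z1 = x, 1                      # P1 = P
    X2, Z2 = mdouble(x, 1)             # P2 = 2P, so P2 - P1 = P throughout
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1:               # one add and one double per bit, whatever the bit value
            X1, Z1 = madd(x, X1, Z1, X2, Z2)
            X2, Z2 = mdouble(X2, Z2)
        else:
            X2, Z2 = madd(x, X1, Z1, X2, Z2)
            X1, Z1 = mdouble(X1, Z1)
    return None if Z1 == 0 else gf_mul(X1, gf_inv(Z1))
```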

Results
• Results: ECC co-processor that can compute:
  – ECC point multiplications (163 by 4)
  – Scalar modular operations (8 bit processor with redundancy)
• Schnorr (secure ID transfer, but no tracking protection): one PM
• More advanced protocols: up to four PM on tag
• 14K gates, 79K cycles
• At 500 KHz, corresponds to 30 microWatt and 158 msec
• One point multiplication = 4.8 microJoule

1 microJoule
• 110000 bits KATAN
• 11000 bits AES encryption
• 1000 bits KECCAK hash
• 1/5 of one point multiplication
Still to add physical security …