nacl s crypto box in hardware
play

NaCls crypto box in hardware Michael Hutter, J urgen Schilling, - PowerPoint PPT Presentation

Oct 01, 2022 •34 likes •394 views

NaCls crypto box in hardware Michael Hutter, J urgen Schilling, Peter Schwabe, and Wolfgang Wieser Cryptography Research, TU Graz (IAIK), Radboud University Nijmegen September 14, 2015 CHES 2015, Saint-Malo, France NaCl and crypto box

  1. NaCl’s crypto box in hardware Michael Hutter, J¨ urgen Schilling, Peter Schwabe, and Wolfgang Wieser Cryptography Research, TU Graz (IAIK), Radboud University Nijmegen September 14, 2015 CHES 2015, Saint-Malo, France

  2. NaCl and crypto box ◮ Networking and Cryptography library - NaCl ◮ Easy-to-use and fast 2

  3. NaCl and crypto box ◮ Networking and Cryptography library - NaCl ◮ Easy-to-use and fast ◮ crypto box offers public-key authenticated encryption ◮ X25519 Diffie-Hellman key exchange (using Curve25519), ◮ Salsa20 stream cipher, and ◮ Poly1305 message-authentication code. 2

  4. NaCl and crypto box ◮ Networking and Cryptography library - NaCl ◮ Easy-to-use and fast ◮ crypto box offers public-key authenticated encryption ◮ X25519 Diffie-Hellman key exchange (using Curve25519), ◮ Salsa20 stream cipher, and ◮ Poly1305 message-authentication code. ◮ Allows fast and secure end-to-end communication via the Internet ◮ 128-bit security ◮ See also http://nacl.cr.yp.to 2

  5. ...but how does it perform in hardware? 3

  6. ...but how does it perform in hardware? ◮ crypto box suitable for IoT? ◮ Wireless Identification and Sensing Platforms (WISPs) 3

  7. ...but how does it perform in hardware? ◮ crypto box suitable for IoT? ◮ Wireless Identification and Sensing Platforms (WISPs) ◮ So why not using SSL or IPSec? ◮ Proposal from Gross et al. [1] at last year’s RFIDsec ◮ Chosen set of IPSec primitives: AES-128 and ECDH using NIST P-192 ◮ Still may require too much resources (52 kGEs)... 3

  8. ...but how does it perform in hardware? ◮ crypto box suitable for IoT? ◮ Wireless Identification and Sensing Platforms (WISPs) ◮ So why not using SSL or IPSec? ◮ Proposal from Gross et al. [1] at last year’s RFIDsec ◮ Chosen set of IPSec primitives: AES-128 and ECDH using NIST P-192 ◮ Still may require too much resources (52 kGEs)... . . . can we do better? 3

  9. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl 4

  10. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption 4

  11. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces 4

  12. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces ◮ No need for signatures 4

  13. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces ◮ No need for signatures ◮ Low power, not low energy 4

  14. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces ◮ No need for signatures ◮ Low power, not low energy ◮ Constant-runtime implementation 4

  15. Hardware architecture overview 32 32 Memory I/O AMBA Interface RAM ROM Controller Address 32 Buffer Logic Prog. ROM 99 ALU Instr. Decoder Accu ◮ 32-bit architecture with single-port memory 5

  16. Hardware architecture overview 32 32 Memory I/O AMBA Interface RAM ROM Controller Address 32 Buffer Logic Prog. ROM 99 ALU Instr. Decoder Accu ◮ 32-bit architecture with single-port memory ◮ ASIP tailored for crypto box using microcode-control ◮ Self-written ”compiler” (written in Java) that generates machinecode ◮ Automatically outputs RTL of the program ROM (ready to integrate) ◮ Easy to use and to add functionality 5

  17. The controller Reg start Multiplication Controller PROM0 out addr + Reg + Reg Reg Reg Instruction PROM1 + Decoder bsr addr addr out Reg ROM ctrl SP clk ◮ 2 microcode program ROMs: Curve25519 and Salsa20/Poly1305 ◮ Splitting allows isolating ROMs to reduce power consumption ◮ Area reduction if microcodes have different opcode lengths 6

  18. The controller Reg start Multiplication Controller PROM0 out addr + Reg + Reg Reg Reg Instruction PROM1 + Decoder bsr addr addr out Reg ROM ctrl SP clk ◮ 2 microcode program ROMs: Curve25519 and Salsa20/Poly1305 ◮ Splitting allows isolating ROMs to reduce power consumption ◮ Area reduction if microcodes have different opcode lengths ◮ Support for single-level subroutines ◮ 11-bit register stores return address, program counter update ◮ Subroutine addressing: decoder using a look-up table (ROM) 6

  19. The controller Reg start Multiplication Controller PROM0 out addr + Reg + Reg Reg Reg Instruction PROM1 + Decoder bsr addr addr out Reg ROM ctrl SP clk ◮ 2 microcode program ROMs: Curve25519 and Salsa20/Poly1305 ◮ Splitting allows isolating ROMs to reduce power consumption ◮ Area reduction if microcodes have different opcode lengths ◮ Support for single-level subroutines ◮ 11-bit register stores return address, program counter update ◮ Subroutine addressing: decoder using a look-up table (ROM) ◮ 256-bit multiplication controller (optional) 6

  20. 2-column product-scanning multiply control C[10] C[5] C[0] C[10] C[5] C[0] A[0]B[5] A[0]B[5] A[5]B[5] A[0]B[0] A[5]B[5] A[0]B[0] A[5]B[0] A[5]B[0] ◮ We implemented product-scanning multiplication and process two columns in parallel ◮ Column-wise product-scanning multiplication (left) ◮ 2-column parallel product-scanning multiplication (right). ◮ Allows to hold one operand in a register while next operand is pre-fetched from memory 7

  21. Memory paging ◮ Most of the time, crypto box primitives require access to a limited number of RAM locations only ◮ Reduce length of address bits in opcode ◮ Divide memory into virtual memory pages ◮ One memory page consists of 4 × 256 bits of RAM ◮ Special instructions: ◮ Memory Page Select ( MPS ) ◮ Memory Page Increment ( MPI ) ◮ Memory Page Decrement ( MPD ) ◮ Savings ◮ Only 5 opcode bits are required ◮ 2 bits to address a single 256-bit row of the currently selected page ◮ 3 bits to address a single 32-bit word 8

  22. ALU rotate 0 SB . . . sel carry rotate n en carry clk sel rotation sel add mode out 0 4 67 MOL Accu 32 32 32 32 + 32 32 0 + + data in en reg Buf. 0 clk mult counter en adder sel en mode sel en0 en accu clk ◮ 32-bit digit-serial multiplier ◮ Parameterizable digit width w = 2 , 4 , 8 , 12 , 16 bits ◮ Also re-used for addition and subtraction ◮ Pre-fetch buffer used to store one 32-bit operand ◮ 32-bit logic operations: AND, OR, XOR ◮ 99-bit accumulator register with rotation unit 9

  23. Crypto services 1. X25519 Diffie-Hellman key agreement 2. Authenticated encryption using a streaming API ◮ Message is processed in chunks of 64 bytes ◮ Support for authenticated decryption of a 32-byte message Command Hex Description DH-1 0x00 X25519 Diffie-Hellman key exchange: computes public key 0x01 X25519 Diffie-Hellman key exchange: computes session key DH-2 INIT 0x02 HSalsa20: computes extended session key FIRST 0x03 XSalsa20: computes first cipher block 0x04 XSalsa20: computes next cipher block UPDATE FINALIZE 0x05 Poly1305: computes authentication tag 0x06 XSalsa20/Poly1305: decrypts and authenticates a single block DECRYPT 10

  24. Subroutines ◮ Addition, subtraction, and multiplication ◮ Modular reduction in F 2 255 − 19 (iterative approach) ◮ Modular inversion based on Fermat’s little theorem ( 11 M + 254 S) 11

  25. Subroutines ◮ Addition, subtraction, and multiplication ◮ Modular reduction in F 2 255 − 19 (iterative approach) ◮ Modular inversion based on Fermat’s little theorem ( 11 M + 254 S) ECC scalar multiplication: ◮ Differential addition-and-doubling using Montgomery ladder ◮ Costs: 5 M + 4 S + 8 add + 1 M a 24 ◮ 6 working registers (plus the register to store the base point x D ) ◮ Variable a 24 = ( a + 2) / 4 is stored in ROM 11

  26. Tools and macros ◮ Cadence Encounter RTL Compiler v08.10 ◮ UMC 130nm LL logic CMOS process (1 GE equals 5.12 µm 2 ) ◮ Target frequency set to 1 MHz ◮ Results are for post-synthesis not considering overhead of P&R ◮ Cadence Encounter Power System v08.10 used for power estimations after P&R ◮ We used a synchronous 2 304-bit RAM block implemented as either ◮ standard-cell based RAM ( ∼ 18.3 kGEs) or ◮ register-file RAM macro ( ∼ 3.7 kGEs). 12

  27. Performance of crypto box Speed [Cycles] Area [GEs] w Ctrl Total incl. RAM ROM DH-1 DH-2 FIRST UPDATE DECRYPT +ALU std-cells macro 2 3 455 394 3 455 428 8 117 9 291 9 085 10 555 307 29 319 14 648 4 1 957 282 1 957 316 7 705 8 465 8 049 10 761 308 29 526 14 855 8 1 151 906 1 151 940 7 685 8 427 7 513 11 484 311 30 252 15 581 12 971 682 971 716 7 557 8 171 7 385 11 794 313 30 564 15 893 16 811 170 811 184 7 443 7 943 7 271 13 869 311 32 637 17 966 ◮ INIT takes 6 641 cycles and FINALIZE needs 62 cycles for all multiplier digit-sizes w . ◮ Controller (incl. program ROMs) requires 6.3-6.9 kGEs ◮ Power: 40-70 µ W (half of power is spent for RAM) ◮ Critical path: 53.4-82.6 ns (adder structure in multiplier) 13

Recommend

NaCl: a new crypto library AES-128, RSA-2048, etc. are widely accepted standards. D. J.

NaCl: a new crypto library AES-128, RSA-2048, etc. are widely accepted standards. D. J.

NaCl: a new crypto library AES-128, RSA-2048, etc. are widely accepted standards. D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Obviously infeasible to break Tanja Lange, T. U. Eindhoven by best attacks in literature. Joint work

1.46k views • 133 slides
NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U. Eindhoven Joint work with: Peter Schwabe, R. U. Nijmegen xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards. Obviously

874 views • 50 slides
(Tweet)NaCl Daniel J. Bernstein, Tanja Lange, Peter Schwabe December 29, 2013 30C3, Hamburg

(Tweet)NaCl Daniel J. Bernstein, Tanja Lange, Peter Schwabe December 29, 2013 30C3, Hamburg

(Tweet)NaCl Daniel J. Bernstein, Tanja Lange, Peter Schwabe December 29, 2013 30C3, Hamburg (Tweet)NaCl NaCl http://nacl.cr.yp.to Networking and Cryptography library Contributions by Matthew Dempsky, Adam Langley, Niels Duif, Bo-Yin

371 views • 7 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto?

Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto?

Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto? Bob and Alice and the secret message Mathematical dependance on a relatively small pre-shared key When used right: Prevents

801 views • 30 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These

977 views • 34 slides
Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB https://github.com/secworks IT security Embedded systems ASIC, FPGA Biometrics Open Crypto Hardware CPU design Assembly hacking Hardware Security

896 views • 50 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak Microelectronics Design Center, ETH Z urich 6 July 2012 My Goal To improve the quality of hardware evaluations for crypto algorithms. Microelectronics

798 views • 51 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation & opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
The Effect of NaCl on the Reaction Rate of Catecholase Background Enzymes require a specific

The Effect of NaCl on the Reaction Rate of Catecholase Background Enzymes require a specific

The Effect of NaCl on the Reaction Rate of Catecholase Background Enzymes require a specific environment to function 1 Changes in salt concentration can disrupt form of non-covalent bonds 2 Block active sites Catecholase leads to

147 views • 10 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
TEE Boot Procedure with Crypto-accelerators in RISC-V Processors Authors: Ckristian Duran,

TEE Boot Procedure with Crypto-accelerators in RISC-V Processors Authors: Ckristian Duran,

TEE Boot Procedure with Crypto-accelerators in RISC-V Processors Authors: Ckristian Duran, Trong-Thuc Hoang, Akira Tsukamoto, Kuniyasu Suzaki, and Cong-Kha Pham Outline Motivation Hardware Structure for Trusted Execution Environments

470 views • 33 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations

Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations

Roberto Guanciale Estonian Winter School Day 02 Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations Apps Crypto Service OS Hypervisor/ Separation Kernel Hardware Host 1 Motivations Separation

850 views • 63 slides
w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

Aditus Luxury Access Platform for Crypto A ffl uents Presentation 21 Nov 2017 w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals Crypto-currency values have been the best performing asset class

206 views • 19 slides
Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO Use this space to add an image. IMPLEMENTATION, OR CRYPTO RNG Insert an image and change the scale to cover this box. ALSO, KEY MANAGEMENT IS

1.01k views • 81 slides
19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

Is 2 255 19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a strong elliptic curve 128-bit crypto: Okay. over the field Z (2 255 19). 256-bit crypto: High security! Is that safe? 512-bit

121 views • 11 slides
VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

The Business of Making Strategies for Success from Startup to Exit Hardware and Robotic Startup Accelerator what hardware used to be . VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to Entry Open

604 views • 32 slides

More recommend