Implementation & Benchmarking of Padding Units & HMAC for SHA-3 candidates in FPGAs & ASICs


1 Implementation & Benchmarking of Padding Units & HMAC for SHA-3 candidates in FPGAs & ASICs
Ambarish Vyas
Cryptographic Engineering Research Group (CERG), Department of ECE, Volgenau School of Engineering, George Mason University, Fairfax, VA, USA
Master's Thesis Presentation

2 Outline

3 NIST SHA-3 Contest
[Timeline figure: 51 candidates, 14, 5, SHA-3; Oct 200, July 2009, Dec 2010, Mid 2012]
NIST announced the new SHA-3 competition in Nov 2007; it is currently in Round 3 with 5 finalists.
Jan 2011-Mar 2012: evaluation period for Round 3 candidates.
Efficiency in FPGAs and ASICs is an important criterion for evaluating the algorithms.

4 Cryptographic Hash functions
[Figure: arbitrary-length message M -> hash function -> fixed-length message digest]
A cryptographic hash function takes a message as input and gives an output of fixed length called the message digest.

5 Application: Digital Signatures
[Figure: Alice hashes the message and produces a signature from the hash value with her private key and a public-key algorithm. Bob hashes the received message (hash value #1), applies the public-key algorithm with Alice's public key to the signature (hash value #2), and compares the two (=? YES/NO).]
Provides message integrity and user authentication.

6 What is Padding?
The majority of cryptographic hash functions process messages divided into fixed-length blocks.
[Figure: message M followed by padding bits K, total length N*BlockSize]
If the size of the input message to be hashed is not a multiple of the block size, it must be padded with a padding string.

7 Motivation
One topic of debate in the cryptographic community is whether padding should be included in the hardware design, or done externally in software and left out of consideration when evaluating the designs.
We propose that padding should be included in the designs for fair evaluation, but designed intelligently so that the overall Throughput/Area ratio is not affected by an undesirable amount and the ranking of the algorithms does not change.

8 Goals
Specialized padding units in FPGAs for all SHA-3 Round 3 finalists.
Universal padding unit in ASIC for all SHA-3 Round 3 finalists.
HMAC wrapper for all SHA-3 Round 3 finalists.

9 Previous Work: Padding Unit
To the best of my knowledge, only two research groups, Baldwin et al. and Jungk et al., have implemented padding in hardware for the SHA-3 finalists.
Baldwin et al. have designed two versions:
1. Message size is a multiple of a word (32 bits).
2. Message size is not restricted by the padding circuit.

10 Previous Work: Padding Unit
Drawbacks (Jungk): They do not give many details and do not have a comprehensive performance analysis or reports on the effect of padding when included in hardware.
Drawbacks (Baldwin): Both designs are extreme cases; one is too optimistic and one is overly pessimistic. They show that padding, when included in hardware, affects the clock frequency by a considerable amount.

11 Previous Work: HMAC
There is no HMAC implementation based on SHA-3 candidates to date.
There is one HMAC implementation based on SHA-2, by Juliato et al., which is comprehensive and has an in-depth analysis of energy, throughput, and throughput/area criteria.
Drawbacks (Juliato): generated are for Virtex-2 and Virtex-E, which are old devices and do not have as many resources as modern FPGAs.

12 Assumptions
Padding assumption: Message size M is a multiple of a byte: M mod = 0.
FPGA resources: No embedded resources such as Block RAMs, DSP units, or multipliers are used. Only Configurable Logic Blocks (CLBs) in Xilinx FPGAs and Adaptive Look-Up Tables (ALUTs) in Altera.
Interface and protocol: The interface and protocol proposed by CERG, GMU, with slight modification.

13 Interface
[Figure: Interface of SHA core and a typical configuration with surrounding input and output FIFOs. Signals shown: clk, rst, ext_idata, fifoin_full, fifoin_write, idata, fifoin_empty, fifoin_read, src_ready, src_read, dst_ready, dst_write, odata, fifoout_full, fifoout_write, ext_odata, fifoout_empty, fifoout_read; data buses are w bits wide.]

14 Protocol
[Figure: input format in w-bit words. (a) last = 1, msg_len, followed by the message. (b) last = 0, seg_0_len, seg_0; last = 0, seg_1_len, seg_1; ...; last = 1, seg_n-1_len, seg_n-1.]
last = 1 indicates the last segment of a message. The length of the last segment should be a multiple of a byte.
Note: Segment size must be a multiple of the block size unless it is the last segment of a message.
w = 32 for SHA-2; w = 64 for all SHA-3 candidates.

15 Outline Overview of Padding Rules SHA-2 Padding Adder

16-21 Padding Schemes
[Figure, built up over six slides: layout of the padded message for each scheme, each padded to N*BlockSize. M = message, K = padding bits, L = length field. BLAKE: M, K, L (message length). Grøstl: M, K, L (#blocks). Keccak: M, K. JH: M, K, L (message length). Skein: two cases, (a) and (b). SHA-2: M, K, L (message length).]

22 Padding Schemes
Table: Overview of Padding Schemes of 5 Candidates and SHA-2. ( stands for concatenation)
Sr. No. / Algorithm / Padding Scheme
BLAKE-256: M (Message Length) 64
BLAKE-512: M (Message Length)
Grøstl: M (Number of Blocks)
Keccak: M
JH: M (Message Length)
Skein: If Message length is a Multiple of a byte: M; Else: M
SHA-256: M (Message Length) 64
SHA-512: M (Message Length) 12

23 Padding Schemes
Table: Minimum and maximum number of bits required to be added by the padding schemes

Sr. No.  Algorithm  Minimum bits  Maximum bits
1.       BLAKE      L+2           BlockSize+L+1
2.       Grøstl     L+1           BlockSize+L
3.       Keccak     2             BlockSize+1
4.       JH         BlockSize     2*BlockSize-1
5.       Skein      1             BlockSize-1
6.       SHA-2      L+1           BlockSize+L
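The bounds in the table above can be checked against a bit-level model of the padding rules. The following is an added example, not code from the thesis: the pad strings are written from the public algorithm specifications (SHA-256, BLAKE-256, Grøstl-256, Keccak pad10*1 with an assumed 1088-bit block, JH), Skein is omitted because part of its rule is carried in the tweak rather than in the pad string, and all function names are hypothetical. The `step=8` scan applies the thesis assumption that messages are byte-aligned.

```python
# Added reference model (not from the thesis). Bits are '0'/'1' characters in
# the order they are appended; bit/byte ordering of a real core is not modelled.

def pad_sha2(l, b=512, L=64):
    """'1', k zeros, then the L-bit message length."""
    k = (b - L - 1 - l) % b
    return "1" + "0" * k + format(l, f"0{L}b")

def pad_blake(l, b=512, L=64):
    """'1', k zeros, a final '1', then the L-bit message length."""
    k = (b - L - 2 - l) % b
    return "1" + "0" * k + "1" + format(l, f"0{L}b")

def pad_groestl(l, b=512, L=64):
    """'1', w zeros, then the L-bit count of blocks in the padded message."""
    w = (-l - L - 1) % b
    blocks = (l + 1 + w + L) // b
    return "1" + "0" * w + format(blocks, f"0{L}b")

def pad_keccak(l, b=1088):
    """pad10*1: '1', k zeros, '1' (b is the rate; 1088 is an assumed value)."""
    k = (-l - 2) % b
    return "1" + "0" * k + "1"

def pad_jh(l, b=512, L=128):
    """'1', (b - L - 1) + (-l mod b) zeros, then the L-bit message length."""
    k = (b - L - 1) + ((-l) % b)
    return "1" + "0" * k + format(l, f"0{L}b")

# name -> (pad function, BlockSize in bits, length-field size L in bits)
SCHEMES = {
    "BLAKE": (pad_blake, 512, 64),
    "Grøstl": (pad_groestl, 512, 64),
    "Keccak": (pad_keccak, 1088, 0),
    "JH": (pad_jh, 512, 128),
    "SHA-2": (pad_sha2, 512, 64),
}

def slide_bounds(name, b, L):
    """(minimum, maximum) padding bits as stated in the table on the slide."""
    return {
        "BLAKE": (L + 2, b + L + 1),
        "Grøstl": (L + 1, b + L),
        "Keccak": (2, b + 1),
        "JH": (b, 2 * b - 1),
        "SHA-2": (L + 1, b + L),
    }[name]

def extremes(pad, b, step=1):
    """Scan message lengths 0..2b-1 (every `step` bits) and return the
    (min, max) number of padding bits; also checks block alignment."""
    sizes = []
    for l in range(0, 2 * b, step):
        p = pad(l)
        if (l + len(p)) % b != 0:
            raise ValueError(f"padded length not a block multiple at l={l}")
        sizes.append(len(p))
    return min(sizes), max(sizes)

if __name__ == "__main__":
    for name, (fn, b, L) in SCHEMES.items():
        print(f"{name:7s} any length: {extremes(fn, b)}  "
              f"byte-aligned: {extremes(fn, b, step=8)}  "
              f"slide: {slide_bounds(name, b, L)}")
```

With byte-aligned input the minimum grows to a whole number of bytes (for SHA-256, 72 bits instead of 65), which is why a byte-granular padding unit never has to insert a partial byte.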

24 SHA-2 Padding Rule
[Figure: SHA-2 padded message built from the message, S-P and M-P pad strings, and the message length.]
S-P: Start Pad String, M-P: Middle Pad String.

25 Padding Unit with comparators
[Figure: padding unit with comparators. Labels: comparisons on i (i ==, i <), S-P, M-P, din(63:56) ... din(7:0), 64-bit dout.]

26 Calculation of i
[Figure: value of i in each case. Labels: i = 64 (Length mod 64), Length mod 64, i = 16, i = 65.]
Case 1: Complete words of message.
Case 2: Incomplete word of message.
Case 3: Complete words of padding.

27 LUT-Decoder Logic
[Figure: padding unit with decoder logic. Labels: S-P, M-P, SelPad(7) ... SelPad(0), SelInp(7) ... SelInp(0), din(63:56) ... din(7:0), 64-bit dout.]

28 LUT-Decoder Logic
[Figure: Length(5:3) drives LUT 1 and LUT 2; constants x"ff" and x"00"; Case 1, Case 3; outputs SelInp and SelPad. Table of LUT 1 and LUT 2 contents as binary strings.]
Note: stands for do not care

29 Comparator vs. Decoder
[Table: padding unit type (Comparator, Decoder) against Area [CLB slices] and Max. Clock [MHz] on Virtex 5 and Virtex 6.]
Figure: Maximum clock frequency vs. area of general padding for both versions in two Xilinx families. V5: Virtex 5, V6: Virtex 6.

30 Adder size
[Table: Counter size used in the padding rules. Columns: Algorithm, Variant, Counter Size. Algorithms: BLAKE, JH, Grøstl, SHA.]
JH and SHA-2 have a very short critical path, and such a wide adder is certain to lengthen it because of carry-chain propagation, which can reduce the high performance of the algorithm.

31 Adder configuration
[Figure: two adder configurations, each with INPUT #1, INPUT #2, ADD and OUTPUT. Labels: SHA 256, SHA 512, JH 256/512.]

32 Multistage Adder
[Figure: multistage adder. w=32 : N=4 ; w=64 : N= . Input din (w bits), carry[1] ... carry[N-1], registers REG 1 ... REG (N-1), output dout.]
Each adder is 16-bits wide and it takes clock cycles for 12-bit output and 4 clock cycles for 64-bit output.

33 SCCA vs. Multistage Adder
[Table: Area and maximum clock frequency results for the combinational standard carry chain adder ("+" in VHDL). Columns: Area [CLB slices] and Max. Clock [MHz] on Virtex 5 and Virtex 6; Area [ALUTs] and Max. Clock [MHz] on Stratix III and Stratix IV. Rows: adder size.]
[Table: Area and maximum clock frequency results for the multi-stage adder. Same columns and rows.]

34
Figure: Maximum clock frequency vs. area for both versions of adders (SCCA, Multi-Stage) on 2 Xilinx families and 2 Altera families. (a) plot for 64-bit adder, (b) plot for 12-bit adder. V5: Virtex 5, V6: Virtex 6, S3: Stratix III, S4: Stratix IV.

35 BLAKE-Top
[Figure: BLAKE-256: 64-bit DataIn, BytePadBK, 64-bit len, DataOut.]
[Figure: BLAKE-512: 64-bit DataIn, BytePadBK, len 127:64 and len 63: , DataOut.]

36 BLAKE: BytePadBK
[Figure: BytePadBK datapath. Byte lanes DataIn(63:56), DataIn(55:4), ..., DataIn(15:), DataIn(7:0) selected by SelInp(7) ... SelInp(0) and SelPad(7) ... SelPad(0), with LastWord; 64-bit DataOut.]
Note: All constants are in hexadecimal notation.

37 Keccak
[Figure: Top: 64-bit DataIn, BytePadKK, 64-bit DataOut.]
[Figure: BytePadKK datapath. Byte lanes DataIn(63:56), DataIn(55:4), ..., DataIn(15:), DataIn(7:0) selected by SelInp(7) ... SelInp(0) and SelPad(7) ... SelPad(0), with LastWord; 64-bit DataOut.]
Note: All constants are in hexadecimal notation.

38 Skein
[Figure: Top: 64-bit DataIn, BytePadSK, 64-bit DataOut.]
[Figure: BytePadSK datapath. Byte lanes DataIn(63:56), DataIn(55:4), ..., DataIn(15:), DataIn(7:0) selected by SelInp(7) ... SelInp(0) against constant 00; 64-bit DataOut.]

39 Grøstl, JH, SHA-2: BytePadMul
[Figure: BytePadMul datapath. Byte lanes DataIn(63:56), DataIn(55:4), ..., DataIn(15:), DataIn(7:0) selected by SelInp(7) ... SelInp(0) and SelPad(7) ... SelPad(0); 64-bit DataOut.]

40 JH, Grøstl-Top
[Figure: Grøstl: 64-bit DataIn, BytePadMul, 64-bit # Blocks, DataOut.]
[Figure: JH: 64-bit DataIn, BytePadMul, len 127:64 and len 63: , DataOut.]

41 SHA2-Top
[Figure: SHA-256: 32-bit DataIn, BytePadSH, 64-bit len split into 63:32 and 31:0, DataOut.]
[Figure: SHA-512: 64-bit DataIn, BytePadMul, len 127:64 and len 63: , DataOut.]

42 Architecture with Padding vs. without Padding: 256-bit
[Table: Tp, A and Tp/A on Virtex 5, Virtex 6, Stratix III and Stratix IV. Rows (No-Pad, Pad, [%]) for BLAKE-256, Grøstl-256, JH-256, Keccak-256, Skein-256 and SHA-256.]

43 Architecture with Padding vs. without Padding: 512-bit
[Table: Tp, A and Tp/A on Virtex 5, Virtex 6, Stratix III and Stratix IV. Rows (No-Pad, Pad, [%]) for BLAKE-512, Grøstl-512, JH-512, Keccak-512, Skein-512 and SHA-512.]

44 Throughput/Area: Altera 256-bit
[Figure: Throughput/Area, No Pad vs. Pad, for BLAKE, Groestl, JH, Keccak, Skein and SHA-2. (a) Stratix III, (b) Stratix IV.]

45 Throughput/Area: Altera 512-bit
[Figure: Throughput/Area, No Pad vs. Pad, for BLAKE, Groestl, JH, Keccak, Skein and SHA-2. (a) Stratix III, (b) Stratix IV.]

46 Throughput/Area: Xilinx 256-bit
[Figure: Throughput/Area, No Pad vs. Pad, for BLAKE, Groestl, JH, Keccak, Skein and SHA-2. (a) Virtex 5, (b) Virtex 6.]

47 Throughput/Area: Xilinx 512-bit
[Figure: Throughput/Area, No Pad vs. Pad, for BLAKE, Groestl, JH, Keccak, Skein and SHA-2. (a) Virtex 5, (b) Virtex 6.]

48 Outline Block Diagram Byte Pad

49 Universal Padding Unit
Two groups, George Mason University, Virginia, USA (GMU) and the Swiss Federal Institute of Technology Zurich (ETHZ), each contributed one set of implementations of all candidates (256-bit variants) with Round 3 tweaks.
Standard-cell based 65nm CMOS technology was used to implement all 12 hash cores, along with SHA-2 as a reference.
As area on the chip was limited, an individual padding unit for each algorithm was not a viable solution.
Solution: A universal padding unit, independent of the core, was developed, which pads the input depending on the algorithm.

50 Placement of the Padding Unit
[Figure: Input Block -> Padding Unit -> Input Register -> HASH CORE. Signals shown: InpWordWrxSI, FinWordxSI, FinBlockxSI, InWrEnxSI, MsgLenxDI (64), AlgSelxSI (3), LFSR (64), PadDataxDI, PadDataxDO (64), DataxDI, DataxDO, DataCntxDI (64), OutWordWrxSO, FinBlockxSO, OutRdyxSI, SipoEnxSI, PenUltCyclexSO, OutWrEnxSO.]
FinWordxSI: Set when the final word of the message is written to the padding unit.
OutWordxSO: Set when valid output is written to the SIPO.
FinBlockxSO: Set when the final block is written to the hash core.
OutRdyxSI: Set when the padding unit can start writing a new block.

51 Universal Padding Unit
Two versions of the universal padding unit were developed.
Universal Byte Pad: Message ending on the boundary of a byte.
Universal Word Pad: Message ending on the boundary of a word (w = 64 bits).

52 Universal Byte Pad
[Figure: universal byte pad datapath. Byte lanes PadDataxDI(63:56) ... PadDataxDI(7:0) selected by SelInp(7) ... SelInp(0) and SelPad(7) ... SelPad(0), with LastWord and SelPadLast; pad constants chosen by the conditions AlgSelxSI == Keccak and AlgSelxSI /= Skein; 64-bit DoutPadded.]
Note: All constants are in hexadecimal notation.

53 Universal Padding
[Figure: universal padding unit. Inputs DataCntxDI (64), AlgSelxSI (3), PadDataxDI (64); Byte Pad block with LastWord, SelInp, SelPad; Len 127:64, << 3, Len 63: , >>6, # Blocks, ExtraBlock, SelData; output PadDataxDO.]

54
[Table: Padding unit version (Byte, Word) against Area [kge] and Max. Clock [MHz].]
[Table: Area and maximum clock frequency results for implemented cores, 256-bit variant, on ASIC. Columns: Algorithm, Group, Area [kge], Max. Clock [MHz], Overhead [%]. Rows: BLAKE, Grøstl, JH, Keccak, Skein and SHA-2, each for GMU and ETHZ.]

55
[Table: Area and maximum clock frequency results for both versions of the universal padding unit on Xilinx FPGAs. Columns: Area [CLB slices] and Max. Clock [MHz] on Virtex 5 and Virtex 6. Rows: Byte, Word.]
[Table: Area and maximum clock frequency results for both versions of the universal padding unit on Altera FPGAs. Columns: Area [ALUTs] and Max. Clock [MHz] on Stratix III and Stratix IV. Rows: Byte, Word.]

56 Graphs
Figure: Area overhead due to addition of the universal padding unit (byte version) for GMU and ETHZ implementations in ASIC. [Panels (a) and (b): Area [kGE], hash unit and pad unit, for BLAKE, Groestl, JH, Keccak, Skein and SHA-2.]

57
Figure: Area overhead due to addition of the universal padding unit (byte version) for GMU implementations in FPGA. [Panel (a): Area [CLB slices]; panel (b): Area [ALUTs]; hash unit and pad unit, for BLAKE, Groestl, JH, Keccak, Skein and SHA-2.]

58 Outline MAC HMAC Algorithm Interface and Protocol HMAC HMAC Top

59 Message Authentication Code
A MAC is a secret-key algorithm which provides message integrity and message authentication.
Figure: Communication between User A and User B over an unsecured channel. [A and B each apply the MAC function; B compares the two MACs (= Y: accept, N: reject).]

60 Hash based MAC
The operation can be described in 4 steps:
Step 1: Pre-processing of key. Key size = BlockSize: K = Key; Key < BlockSize: K = Key ; Key > BlockSize: K = H(Key)
Step 2: XOR with ipad and hash: H((K XOR ipad) || msg)
Step 3: XOR with opad and hash: H((K XOR opad) || H((K XOR ipad) || msg))
Step 4: Truncate: MAC = truncate[H((K XOR opad) || H((K XOR ipad) || msg))]

61 Hash based MAC
Note: b: block size of the hash function. ipad = 0x36 repeated b/ times. opad = 0x5C repeated b/ times.
[Figure: the key is padded to block size b and XORed with IPAD to give K_i, which is hashed ahead of the message blocks M1, M2, ..., Mn to give the h-bit intermediate HMAC. The key padded to block size b is XORed with OPAD to give K_o, which is hashed ahead of the intermediate HMAC (padded to block size) to give the h-bit MAC.]
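The four steps and the two-pass diagram above, written out as an added software reference model (not code from the thesis). Assumptions: a short key is zero-filled to the block size and truncation keeps the leftmost bytes, both as in RFC 2104; `hashlib`'s `sha3_256` is the standardized SHA-3, not the Round 3 Keccak submission; the function names are hypothetical.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # pad bytes from the slide, repeated over one block

def preprocess_key(key: bytes, hash_name: str) -> bytes:
    """Step 1: bring the key to exactly one block."""
    block = hashlib.new(hash_name).block_size      # block size in bytes
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest() # Key > BlockSize: K = H(Key)
    return key.ljust(block, b"\x00")               # zero fill (RFC 2104)

def core_inputs(key: bytes, msg: bytes, hash_name: str):
    """Return the two byte streams fed to the hash core, in order:
    part 1 = (K XOR ipad) || msg, part 2 = (K XOR opad) || intermediate."""
    k = preprocess_key(key, hash_name)
    part1 = bytes(x ^ IPAD for x in k) + msg
    intermediate = hashlib.new(hash_name, part1).digest()   # Step 2
    part2 = bytes(x ^ OPAD for x in k) + intermediate
    return part1, part2

def hmac_two_pass(key: bytes, msg: bytes, hash_name: str, tag_len=None) -> bytes:
    """Steps 2-4: inner hash, outer hash, optional truncation to tag_len bytes."""
    _, part2 = core_inputs(key, msg, hash_name)
    mac = hashlib.new(hash_name, part2).digest()             # Step 3
    return mac if tag_len is None else mac[:tag_len]         # Step 4

def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str) -> bool:
    """Receiver side: recompute and compare in constant time. Tags shorter
    than half the hash output or shorter than 80 bits are refused
    (the lower bound recommended in RFC 2104)."""
    full = hashlib.new(hash_name).digest_size
    if len(tag) > full or len(tag) < max(full // 2, 10):
        return False
    expected = hmac_two_pass(key, msg, hash_name, len(tag))
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    msg = b"constructed sample message"
    for name in ("sha256", "sha512", "sha3_256"):
        block = hashlib.new(name).block_size
        for key in (b"k" * 5, b"k" * block, b"k" * (block + 7)):
            ours = hmac_two_pass(key, msg, name)
            ref = hmac.new(key, msg, name).digest()
            print(name, len(key), "match" if ours == ref else "MISMATCH")
```

Comparing against the standard library across the three key-length cases exercises every branch of Step 1, which is where a hardware controller and its software model are most likely to disagree.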

62 Interface
The interface is the same as discussed in the Padding Unit section, except that the Hash Core is replaced by the HMAC Unit.
[Figure: HMAC Unit between input and output FIFOs. Signals shown: clk, rst, ext_idata, fifoin_full, fifoin_write, idata, fifoin_empty, fifoin_read, src_ready, src_read, dst_ready, dst_write, odata, fifoout_full, fifoout_write, ext_odata, fifoout_empty, fifoout_read; data buses are w bits wide.]

63 Protocol
[Figure: Input to HMAC unit: last = 0, KeySize, KEY; last = 1, MsgLen, Message. Input to SHA core, Part 1: last = 0, BlockSize, K XOR IPAD; last = 1, MsgLen, Message. Input to SHA core, Part 2: last = 0, BlockSize, K XOR OPAD; last = 1, HashSize, Intermediate HMAC. Header words are w bits.]
Note: K = preprocess(key)

64
[Figure: HMAC datapath. A key RAM (KeyWrite, KeyRead) feeds XOR with ipad/opad selected by SelPad; multiplexers SelDin and SelInp choose among din, BlockSize, HashSize and ShaCoreOut as HmacIn to the Hash Core (dst_ready, src_ready, src_read, dst_write; DestOutReady, SourceInReady, CoreRead, CoreWrite); ShaCoreOut is stored in a second RAM (HmacWrite, HmacRead) and driven to dout. All buses are w bits wide.]

65 Top level
[Figure: CONTROLLER and DATAPATH with clk, rst, w-bit din and dout. Controller signals: KeyRead, KeyWrite, src_read, dst_read, src_ready, dst_ready, SelPad (2), SelInp (3), SelDin (2), SourceInReady, DestOutReady, CoreWrite, CoreRead, HmacWrite, HmacRead.]

66 -256 bit
[Table: Tp, A and Tp/A on Stratix III and Stratix IV. Rows (Hash Core, HMAC, [%]) for BLAKE-256, Grøstl-256, JH-256, Keccak-256, Skein-256 and SHA-256.]

67 -512 bit
[Table: Tp, A and Tp/A on Stratix III and Stratix IV. Rows (Hash Core, HMAC, [%]) for BLAKE-512, Grøstl-512, JH-512, Keccak-512, Skein-512 and SHA-512.]

68 Outline Conclusions Future work Questions??

69 Conclusions
Padding Unit in FPGAs: The ranking of the algorithms is not affected after adding support for the padding rule.
Padding Unit in FPGAs: The worst hit on the Throughput/Area ratio over all the devices is 1%.
Padding Unit in FPGAs: The worst affected in terms of the Throughput/Area ratio, in both 256 and 512-bit variants on Virtex 5 and Stratix IV, is JH.

70 Conclusions
Padding Unit in FPGAs: The worst affected in terms of the Throughput/Area ratio, in both 256 and 512-bit variants on Stratix III, is Keccak.
Padding Unit in FPGAs: Skein is the least affected, except on Virtex 6. This is because it has a very simple padding scheme with no counter.
Padding Unit in FPGAs: BLAKE is also less affected, because it is one of the biggest of the 5 algorithms and also has small throughput.

71 Conclusions
Universal Padding Unit in ASICs: It can run at a maximum clock frequency of 1.42 GHz, which is faster than all the algorithms.
Universal Padding Unit in ASICs: The area is 2.13 kge for the byte version, which results in a maximum area overhead of around 6%.

72 Future Work
Implementing all algorithms with hardware padding support on FPGA boards, and testing experimentally to see whether the results match those obtained after post-place-and-route.

73 Questions!!!!
THANK YOU!!


More information

Environment for Fair and Comprehensive Performance Evalua7on of Cryptographic Hardware and So=ware. ASIC Status Update

Environment for Fair and Comprehensive Performance Evalua7on of Cryptographic Hardware and So=ware. ASIC Status Update Environment for Fair and Comprehensive Performance Evalua7on of Cryptographic Hardware and So=ware ASIC Status Update ECE Department, Virginia Tech Faculty - Patrick Schaumont, Leyla Nazhandali Students

More information

ECE 545. Digital System Design with VHDL

ECE 545. Digital System Design with VHDL ECE 545 Digital System Design with VHDL Course web page: ECE web page Courses Course web pages ECE 545 http://ece.gmu.edu/coursewebpages/ece/ece545/f10/ Kris Gaj Research and teaching interests: Contact:

More information

NIST SHA-3 ASIC Datasheet

NIST SHA-3 ASIC Datasheet NIST SHA-3 ASIC Datasheet -- NIST SHA-3 Competition Five Finalists on a Chip (Version 1.1) Technology: IBM MOSIS 0.13µm CMR8SF-RVT Standard-Cell Library: ARM s Artisan SAGE-X V2.0 Area: 5mm 2 (Core: 1.656mm

More information

SHA3 Core Specification. Author: Homer Hsing

SHA3 Core Specification. Author: Homer Hsing SHA3 Core Specification Author: Homer Hsing homer.hsing@gmail.com Rev. 0.1 January 29, 2013 This page has been intentionally left blank. www.opencores.org Rev 0.1 ii Rev. Date Author Description 0.1 01/29/2013

More information

Federal standards NIST FIPS 46-1 DES FIPS 46-2 DES. FIPS 81 Modes of. operation. FIPS 46-3 Triple DES FIPS 197 AES. industry.

Federal standards NIST FIPS 46-1 DES FIPS 46-2 DES. FIPS 81 Modes of. operation. FIPS 46-3 Triple DES FIPS 197 AES. industry. ECE 646 Lecture 12 Federal Secret- cryptography Banking International Cryptographic Standards NIST FIPS 46-1 DES FIPS 46-2 DES FIPS 81 Modes of operation FIPS 46-3 Triple DES FIPS 197 AES X3.92 DES ANSI

More information

GMU Hardware API for Authen4cated Ciphers

GMU Hardware API for Authen4cated Ciphers GMU Hardware API for Authen4cated Ciphers Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Malik Umar Sharif, and Kris Gaj George Mason University USA http:/cryptography.gmu.edu

More information

ECE 545 Fall 2010 Exam 1

ECE 545 Fall 2010 Exam 1 ECE 545 Fall 2010 Exam 1 Introduction & tasks: The SHA-1 (Secure Hash Algorithm-1) circuit is specified below using its a. pseudocode b. block diagram of one of its units called Message Scheduler c. top-level

More information

C vs. VHDL: Benchmarking CAESAR Candidates Using High- Level Synthesis and Register- Transfer Level Methodologies

C vs. VHDL: Benchmarking CAESAR Candidates Using High- Level Synthesis and Register- Transfer Level Methodologies C vs. VHDL: Benchmarking CAESAR Candidates Using High- Level Synthesis and Register- Transfer Level Methodologies Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, and Kris Gaj George

More information

ECE 646 Lecture 12. Cryptographic Standards. Secret-key cryptography standards

ECE 646 Lecture 12. Cryptographic Standards. Secret-key cryptography standards ECE 646 Lecture 12 Cryptographic Standards Secret-key cryptography Federal Banking International NIST FIPS 46-1 DES FIPS 46-2 DES FIPS 81 Modes of operation FIPS 46-3 Triple DES FIPS 197 AES X3.92 DES

More information

Two Hardware Designs of BLAKE-256 Based on Final Round Tweak

Two Hardware Designs of BLAKE-256 Based on Final Round Tweak Two Hardware Designs of BLAKE-256 Based on Final Round Tweak Muh Syafiq Irsyadi and Shuichi Ichikawa Dept. Knowledge-based Information Engineering Toyohashi University of Technology, Hibarigaoka, Tempaku,

More information

High-Speed Hardware for NTRUEncrypt-SVES: Lessons Learned Malik Umar Sharif, and Kris Gaj George Mason University USA

High-Speed Hardware for NTRUEncrypt-SVES: Lessons Learned Malik Umar Sharif, and Kris Gaj George Mason University USA High-Speed Hardware for NTRUEncrypt-SVES: Lessons Learned Malik Umar Sharif, and Kris Gaj George Mason University USA Partially supported by NIST under grant no. 60NANB15D058 1 Co-Author Malik Umar Sharif

More information

ECE 645: Lecture 1. Basic Adders and Counters. Implementation of Adders in FPGAs

ECE 645: Lecture 1. Basic Adders and Counters. Implementation of Adders in FPGAs ECE 645: Lecture Basic Adders and Counters Implementation of Adders in FPGAs Required Reading Behrooz Parhami, Computer Arithmetic: Algorithms and Hardware Design Chapter 5, Basic Addition and Counting,

More information

Comparison of the Hardware Performance of the AES Candidates Using Reconfigurable Hardware

Comparison of the Hardware Performance of the AES Candidates Using Reconfigurable Hardware Comparison of the Hardware Performance of the AES Candidates Using Reconfigurable Hardware Master s Thesis Pawel Chodowiec MS CpE Candidate, ECE George Mason University Advisor: Dr. Kris Gaj, ECE George

More information

Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII

Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII Kazuyuki Kobayashi 1, Jun Ikegami 1, Shin ichiro Matsuo 2, Kazuo Sakiyama 1 and Kazuo Ohta 1 1 The University of Electro-Communications,

More information

Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs

Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Ekawat Homsirikamol Marcin Rogawski Kris Gaj George Mason University ehomsiri, mrogawsk, kgaj@gmu.edu Last revised: Decemer

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash

More information

On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl

On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck Fachhochschule Wiesbaden University of Applied Sciences {jungk reith}@informatik.fh-wiesbaden.de

More information

Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays

Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays Kris Gaj and Pawel Chodowiec Electrical and Computer Engineering George Mason University Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable

More information

CAESAR Hardware API. Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Panasayya Yalla, Jens-Peter Kaps, and Kris Gaj

CAESAR Hardware API. Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Panasayya Yalla, Jens-Peter Kaps, and Kris Gaj CAESAR Hardware API Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Panasayya Yalla, Jens-Peter Kaps, and Kris Gaj Cryptographic Engineering Research Group George Mason University

More information

Hardware Architectures

Hardware Architectures Hardware Architectures Secret-key Cryptography Public-key Cryptography Cryptanalysis AES & AES candidates estream candidates Hash Functions SHA-3 Montgomery Multipliers ECC cryptosystems Pairing-based

More information

Hardware Implementation of the Code-based Key Encapsulation Mechanism using Dyadic GS Codes (DAGS)

Hardware Implementation of the Code-based Key Encapsulation Mechanism using Dyadic GS Codes (DAGS) Hardware Implementation of the Code-based Key Encapsulation Mechanism using Dyadic GS Codes (DAGS) Viet Dang and Kris Gaj ECE Department George Mason University Fairfax, VA, USA Introduction to DAGS The

More information

Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID

Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID Motivation Keccak Our Designs Results Comparison Conclusions 1 / 24 Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID Peter Pessl and Michael Hutter Motivation Keccak Our Designs Results

More information

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions Lecture 5: Hash Functions Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Hash Functions Birthday Paradox Design of Hash Functions SHA-3

More information

A Zynq-based Testbed for the Experimental Benchmarking of Algorithms Competing in Cryptographic Contests

A Zynq-based Testbed for the Experimental Benchmarking of Algorithms Competing in Cryptographic Contests A Zynq-based Testbed for the Experimental Benchmarking of Algorithms Competing in Cryptographic Contests Farnoud Farahmand, Ekawat Homsirikamol, and Kris Gaj George Mason University Fairfax, Virginia 22030

More information

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions CSCI 454/554 Computer and Network Security Topic 4. Cryptographic Hash Functions Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication Code

More information

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question Hash function lengths Outline AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication

More information

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr. AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication

More information

Can High-Level Synthesis Compete Against a Hand-Written Code in the Cryptographic Domain? A Case Study

Can High-Level Synthesis Compete Against a Hand-Written Code in the Cryptographic Domain? A Case Study Can High-Level Synthesis Compete Against a Hand-Written Code in the Cryptographic Domain? A Case Study Ekawat Homsirikamol & Kris Gaj George Mason University USA Project supported by NSF Grant #1314540

More information

Fast implementations of secret-key block ciphers using mixed inner- and outer-round pipelining

Fast implementations of secret-key block ciphers using mixed inner- and outer-round pipelining Pawel Chodowiec, Po Khuon, Kris Gaj Electrical and Computer Engineering George Mason University Fast implementations of secret-key block ciphers using mixed inner- and outer-round pipelining http://ece.gmu.edu/crypto-text.htm

More information

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015 Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions

More information

Lecture 4: Authentication and Hashing

Lecture 4: Authentication and Hashing Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading

More information

ECE 545 Lecture 12. FPGA Resources. George Mason University

ECE 545 Lecture 12. FPGA Resources. George Mason University ECE 545 Lecture 2 FPGA Resources George Mason University Recommended reading 7 Series FPGAs Configurable Logic Block: User Guide Overview Functional Details 2 What is an FPGA? Configurable Logic Blocks

More information

Benchmarking of Round 3 CAESAR Candidates in Hardware: Methodology, Designs & Results

Benchmarking of Round 3 CAESAR Candidates in Hardware: Methodology, Designs & Results Benchmarking of Round 3 CAESAR Candidates in Hardware: Methodology, Designs & Results Ekawat Homsirikamol, Farnoud Farahmand, William Diehl, and Kris Gaj George Mason University USA http://cryptography.gmu.edu

More information

INTRODUCTION TO FPGA ARCHITECTURE

INTRODUCTION TO FPGA ARCHITECTURE 3/3/25 INTRODUCTION TO FPGA ARCHITECTURE DIGITAL LOGIC DESIGN (BASIC TECHNIQUES) a b a y 2input Black Box y b Functional Schematic a b y a b y a b y 2 Truth Table (AND) Truth Table (OR) Truth Table (XOR)

More information

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18) AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,

More information

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value. ECE 646 Lecture 12 Required Reading W. Stallings, "Cryptography and Network-Security, Chapter 11 Cryptographic Hash Functions & MACs Appendix 11A Mathematical Basis of Birthday Attack Chapter 12 Message

More information

Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl

Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo,

More information

Cryptography. Summer Term 2010

Cryptography. Summer Term 2010 Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles

More information

ECE 699: Lecture 9. Programmable Logic Memories

ECE 699: Lecture 9. Programmable Logic Memories ECE 699: Lecture 9 Programmable Logic Memories Recommended reading XST User Guide for Virtex-6, Spartan-6, and 7 Series Devices Chapter 7, HDL Coding Techniques Sections: RAM HDL Coding Techniques ROM

More information

An 80Gbps FPGA Implementation of a Universal Hash Function based Message Authentication Code

An 80Gbps FPGA Implementation of a Universal Hash Function based Message Authentication Code An 8Gbps FPGA Implementation of a Universal Hash Function based Message Authentication Code Abstract We developed an architecture optimization technique called divide-and-concatenate and applied it to

More information

Compact Hardware Implementations of ChaCha, BLAKE, Threefish, and Skein on FPGA

Compact Hardware Implementations of ChaCha, BLAKE, Threefish, and Skein on FPGA Compact Hardware Implementations of ChaCha, BLAKE, Threefish, and Skein on FPGA Nuray At, Jean-Luc Beuchat, Eiji Okamoto, İsmail San, and Teppei Yamazaki Department of Electrical and Electronics Engineering,

More information

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security CHF-s are used for many authentication, integrity, digital

More information

ECE 545 Fall 2013 Final Exam

ECE 545 Fall 2013 Final Exam ECE 545 Fall 2013 Final Exam Problem 1 Develop an ASM chart for the circuit EXAM from your Midterm Exam, described below using its A. pseudocode B. table of input/output ports C. block diagram D. interface

More information

Message Authentication and Hash function 2

Message Authentication and Hash function 2 Message Authentication and Hash function 2 Concept and Example 1 SHA : Secure Hash Algorithm Four secure hash algorithms, SHA-11, SHA-256, SHA-384, and SHA-512. All four of the algorithms are iterative,

More information

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of

More information

ECE 545: Lecture 11. Programmable Logic Memories

ECE 545: Lecture 11. Programmable Logic Memories ECE 545: Lecture 11 Programmable Logic Memories Recommended reading Vivado Design Suite User Guide: Synthesis Chapter 4 RAM HDL Coding Techniques Initializing RAM Contents 7 Series FPGAs Memory Resources:

More information

ECE 545: Lecture 11. Programmable Logic Memories. Recommended reading. Memory Types. Memory Types. Memory Types specific to Xilinx FPGAs

ECE 545: Lecture 11. Programmable Logic Memories. Recommended reading. Memory Types. Memory Types. Memory Types specific to Xilinx FPGAs ECE 545: Lecture 11 Programmable Logic Memories Recommended reading Vivado Design Suite User Guide: Synthesis Chapter 4 RAM HDL Coding Techniques Initializing RAM Contents 7 Series FPGAs Resources: User

More information

Implementation and Comparative Analysis of AES as a Stream Cipher

Implementation and Comparative Analysis of AES as a Stream Cipher Implementation and Comparative Analysis of AES as a Stream Cipher Bin ZHOU, Yingning Peng Dept. of Electronic Engineering, Tsinghua University, Beijing, China, 100084 e-mail: zhoubin06@mails.tsinghua.edu.cn

More information

Compact Implementation of Threefish and Skein on FPGA

Compact Implementation of Threefish and Skein on FPGA Compact Implementation of Threefish and Skein on FPGA Nuray At, Jean-Luc Beuchat, and İsmail San Department of Electrical and Electronics Engineering, Anadolu University, Eskişehir, Turkey Email: {nat,

More information

FPGA for Complex System Implementation. National Chiao Tung University Chun-Jen Tsai 04/14/2011

FPGA for Complex System Implementation. National Chiao Tung University Chun-Jen Tsai 04/14/2011 FPGA for Complex System Implementation National Chiao Tung University Chun-Jen Tsai 04/14/2011 About FPGA FPGA was invented by Ross Freeman in 1989 SRAM-based FPGA properties Standard parts Allowing multi-level

More information

FPGA Implementation of an HMAC Processor based on the SHA-2 Family of Hash Functions

FPGA Implementation of an HMAC Processor based on the SHA-2 Family of Hash Functions FPGA Implementation of an HMAC Processor based on the SHA-2 Family of Hash Functions Marcio Juliato Dept. of Electrical and Computer Engineering University of Waterloo 200 University Avenue West Waterloo,

More information

Benchmarking of Round 2 CAESAR Candidates in Hardware: Methodology, Designs & Results

Benchmarking of Round 2 CAESAR Candidates in Hardware: Methodology, Designs & Results Benchmarking of Round 2 CAESAR Candidates in Hardware: Methodology, Designs & Results Ekawat Homsirikamol, Panasayya Yalla, Ahmed Ferozpuri, William Diehl, Farnoud Farahmand, Michael X. Lyons, and Kris

More information

Introduction to Field Programmable Gate Arrays

Introduction to Field Programmable Gate Arrays Introduction to Field Programmable Gate Arrays Lecture 1/3 CERN Accelerator School on Digital Signal Processing Sigtuna, Sweden, 31 May 9 June 2007 Javier Serrano, CERN AB-CO-HT Outline Historical introduction.

More information

Compact implementations of Grøstl, JH and Skein for FPGAs

Compact implementations of Grøstl, JH and Skein for FPGAs Compact implementations of Grøstl, JH and Skein for FPGAs Bernhard Jungk Hochschule RheinMain University of Applied Sciences Wiesbaden Rüsselsheim Geisenheim bernhard.jungk@hs-rm.de Abstract. This work

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and

More information

Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays

Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays Kris Gaj and Pawel Chodowiec George Mason University, Electrical and

More information

Performance Evaluation of Cryptographic Algorithms on Reconfigurable Hardware: MD5 based on Timing and Area Implementation

Performance Evaluation of Cryptographic Algorithms on Reconfigurable Hardware: MD5 based on Timing and Area Implementation Performance Evaluation of Cryptographic Algorithms on Reconfigurable Hardware: MD5 based on Timing and Area Implementation S. Suhaili *,1,a and T. Watanabe 2,b 1 Faculty of Engineering, Universiti Malaysia

More information

Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers

Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers Ahmed Ferozpuri Abstract Lightweight devices used for encrypted communication require a scheme that can operate in a low resource

More information

RC-6 CRYPTOSYSTEM IN VHDL. BY:- Deepak Singh Samant

RC-6 CRYPTOSYSTEM IN VHDL. BY:- Deepak Singh Samant RC-6 CRYPTOSYSTEM IN VHDL BY:- Deepak Singh Samant OBJECTIVE: TO IMPLEMENT A CRYPTOSYSTEM USING RIVEST CIPHER-6 (RC6) ALGORITHM IN VHDL(FPGA) What is CRYPTOLOGY? CRYPTOGRAPHY is the art and science of

More information

AES as A Stream Cipher

AES as A Stream Cipher > AES as A Stream Cipher < AES as A Stream Cipher Bin ZHOU, Kris Gaj, Department of ECE, George Mason University Abstract This paper presents implementation of advanced encryption standard (AES) as a stream

More information

Basic FPGA Architectures. Actel FPGAs. PLD Technologies: Antifuse. 3 Digital Systems Implementation Programmable Logic Devices

Basic FPGA Architectures. Actel FPGAs. PLD Technologies: Antifuse. 3 Digital Systems Implementation Programmable Logic Devices 3 Digital Systems Implementation Programmable Logic Devices Basic FPGA Architectures Why Programmable Logic Devices (PLDs)? Low cost, low risk way of implementing digital circuits as application specific

More information

TABLE OF CONTENTS CHAPTER NO. TITLE PAGE NO.

TABLE OF CONTENTS CHAPTER NO. TITLE PAGE NO. vii TABLE OF CONTENTS CHAPTER NO. TITLE PAGE NO. ABSTRACT LIST OF TABLES LIST OF FIGURES LIST OF SYMBOLS AND ABBREVIATION iii xii xiv xvii 1 INTRODUCTION 1 1.1 GENERAL 1 1.2 TYPES OF WIRELESS COMMUNICATION

More information

Hardware Performance Evaluation of SHA-3 Candidate Algorithms

Hardware Performance Evaluation of SHA-3 Candidate Algorithms Journal of Information Security, 2012, 3, 69-76 http://dx.doi.org/10.4236/jis.2012.32008 Published Online April 2012 (http://www.scirp.org/journal/jis) Hardware Performance Evaluation of SHA-3 Candidate

More information

Section III. Transport and Communication

Section III. Transport and Communication Section III. Transport and Communication This section describes communication and transport peripherals provided for SOPC Builder systems. This section includes the following chapters: Chapter 16, SPI

More information

Lightweight Implementations of SHA-3 Candidates on FPGAs

Lightweight Implementations of SHA-3 Candidates on FPGAs Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps, Panasayya Yalla, Kishore Kumar Surapathi, Bilal Habib, Susheel Vadlamudi, Smriti Gurung, and John Pham ECE Department, George Mason

More information

On the parallelization of slice-based Keccak implementations on Xilinx FPGAs

On the parallelization of slice-based Keccak implementations on Xilinx FPGAs On the parallelization of slice-based Keccak implementations on Xilinx FPGAs Jori Winderickx, Joan Daemen and Nele Mentens KU Leuven, ESAT/COSIC & iminds, Leuven, Belgium STMicroelectronics Belgium & Radboud

More information

CubeHash parameter tweak: 10 smaller MAC overhead

CubeHash parameter tweak: 10 smaller MAC overhead CubeHash parameter tweak: 10 smaller MAC overhead Daniel J. Bernstein Department of Computer Science University of Illinois at Chicago Chicago, IL 60607 7045 cubehash@box.cr.yp.to 1 Introduction CubeHashi+r/b+f

More information

Secure Hash Algorithm-3(SHA-3) implementation on Xilinx FPGAs, Suitable for IoT Applications

Secure Hash Algorithm-3(SHA-3) implementation on Xilinx FPGAs, Suitable for IoT Applications Secure Hash Algorithm-3(SHA-3) implementation on Xilinx FPGAs, Suitable for IoT Applications Muzaffar Rao, Thomas Newe and Ian Grout University of Limerick, Ireland muhammad.rao @ ul.ie, thomas.newe @

More information

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSE 127: Computer Security Cryptography. Kirill Levchenko CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified

More information

Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing

Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing Abdulkadir Akın, Aydın Aysu, Onur Can Ulusel, and Erkay

More information

Toward a New Methodology for Hardware Benchmarking of Candidates in Cryptographic Competitions: The CAESAR Contest Case Study

Toward a New Methodology for Hardware Benchmarking of Candidates in Cryptographic Competitions: The CAESAR Contest Case Study Toward a New Methodology for Hardware Benchmarking of Candidates in Cryptographic Competitions: The CAESAR Contest Case Study Ekawat Homsirikamol and Kris Gaj George Mason University, U.S.A. Fairfax, Virginia

More information

CS408 Cryptography & Internet Security

CS408 Cryptography & Internet Security CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is

More information

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ). CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value

More information

Efficient Hardware Design and Implementation of AES Cryptosystem

Efficient Hardware Design and Implementation of AES Cryptosystem Efficient Hardware Design and Implementation of AES Cryptosystem PRAVIN B. GHEWARI 1 MRS. JAYMALA K. PATIL 1 AMIT B. CHOUGULE 2 1 Department of Electronics & Telecommunication 2 Department of Computer

More information

Cryptographic Checksums

Cryptographic Checksums Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;

More information

Jaap van Ginkel Security of Systems and Networks

Jaap van Ginkel Security of Systems and Networks Jaap van Ginkel Security of Systems and Networks November 17, 2016 Part 3 Modern Crypto SSN Modern Cryptography Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Presentations Minimum

More information

Lecture 8. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

Lecture 8. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram Lecture 8 RTL Design Methodology Transition from Pseudocode & Interface to a Corresponding Block Diagram Structure of a Typical Digital Data Inputs Datapath (Execution Unit) Data Outputs System Control

More information

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services Chair for Network Architectures and Services Technische Universität München Network Security Cryptographic Hash Functions Add-on Benjamin s slides are authoritative Motivation (1) Common practice in data

More information

EECS 151/251A Spring 2019 Digital Design and Integrated Circuits. Instructor: John Wawrzynek. Lecture 18 EE141

EECS 151/251A Spring 2019 Digital Design and Integrated Circuits. Instructor: John Wawrzynek. Lecture 18 EE141 EECS 151/251A Spring 2019 Digital Design and Integrated Circuits Instructor: John Wawrzynek Lecture 18 Memory Blocks Multi-ported RAM Combining Memory blocks FIFOs FPGA memory blocks Memory block synthesis

More information

The SHA-3 Process. Keccak & SHA-3 day Brussels, 27 March 2013

The SHA-3 Process. Keccak & SHA-3 day Brussels, 27 March 2013 The SHA-3 Process Keccak & SHA-3 day Brussels, 27 March 2013 Timeline 05 06 07 08 09 10 11 12 13 Summer 2005: Attacks on MD5, RIPEMD, SHA-0, SHA-1 The Wang effect Before 2005 MD4 (Dobbertin) MD5 (Boss.,

More information

Keccak discussion. Soham Sadhu. January 9, 2012

Keccak discussion. Soham Sadhu. January 9, 2012 Keccak discussion Soham Sadhu January 9, 2012 Keccak (pronounced like Ketchak ) is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Keccak is

More information

Security IP-Cores. AES Encryption & decryption RSA Public Key Crypto System H-MAC SHA1 Authentication & Hashing. l e a d i n g t h e w a y

Security IP-Cores. AES Encryption & decryption RSA Public Key Crypto System H-MAC SHA1 Authentication & Hashing. l e a d i n g t h e w a y AES Encryption & decryption RSA Public Key Crypto System H-MAC SHA1 Authentication & Hashing l e a d i n g t h e w a y l e a d i n g t h e w a y Secure your sensitive content, guarantee its integrity and

More information

Integrity of messages

Integrity of messages Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition

More information