!"#$%&'()*+%&,-%&.*/.&0"&#%(1.*"0* 2+345*!%(,',%6.7*87'()*9/:37* :."&).*A%7"(*8('B.&7'6=* 8C2C3C*

Transcription

1 !"#$%&'()*+%&,-%&.*/.&0"&#%(1.*"0* 2+345*!%(,',%6.7*87'()*9/:37* :."&).*A%7"(*8('B.&7'6=* 8C2C3C*!"

2 Motivation & Goals #"

3 NIST Evaluation Criteria 2.1D&'6=" 2"E-%&.* FG1'.(1=* +%&,-%&.*FG1'.(1=*" $%&'(" 9/:37* 9H.I'J'H'6=* 2'#$H'1'6=* K'1.(7'()* 3

4 Results of Security Evaluation SHA-3 Zoo Page 4

5 Lessons from the Past: AES Contest )"

6 AES Contest Round 2 of AES Contest, 2000 Speed in FPGAs Votes at the AES 3 conference 6

7 AES Final Candidates: FPGA Virtex 1000: Speed Throughput [Mbit/s] Serpent I George Mason University University of Southern California Worcester Polytechnic Institute 149 Rijndael Twofish Serpent RC6 Mars I

8 GMU Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - Virtex FPGA Throughput [Mbit/s] Rijndael Serpent I Twofish Serpent I1 RC6 Mars Area [CLB slices]

9 NSA Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - ASIC, 0.5 µm CMOS Throughput [Mbit/s] RC6 Serpent I1 Twofish Rijndael Mars Area [CLB slices]

10 Limitations of the AES Evaluation Optimization for maximum throughput in the feedback modes of operatation Single high-speed architecture per candidate No use of embedded resources of FPGAs (Block RAMs, dedicated multipliers) Single FPGA family from a single vendor Xilinx Virtex 10

11 SHA-3 Round 2!!"

12 Features of the SHA-3 Round 2 Evaluation Optimization for maximum throughput to area ratio 10 FPGA families from two major vendors : Xilinx and Altera But still Single high-speed architecture per candidate No use of embedded resources of FPGAs (Block RAMs, dedicated multipliers, DSP units) 12

13 Overall Normalized Throughput/Area: 256-bit variants Normalized to SHA-256, Averaged over 10 FPGA families

14 Overall Normalized Throughput/Area: 512-bit variants Normalized to SHA-512, Averaged over 10 FPGA families

15 Throughput vs. Area Normalized to Results for SHA-256 and Averaged over 11 FPGA Families 256-bit variants 15

16 Throughput vs. Area Normalized to Results for SHA-512 and Averaged over 11 FPGA Families 512-bit variants 16

17 New in Round 3 Multiple Hardware Architectures Effect of the Use of Embedded Resources Low-Area Implementations 17

18 Common Background!*"

19 Uniform Evaluation Language: VHDL Tools: FPGA vendor tools Interface Benchmarking 19

20 Why Interface Matters? Pin limit Total number of i/o ports! Total number of an FPGA i/o pins Support for the maximum throughput Time to load the next message block! Time to process previous block 20

21 SHA Core: Interface & Typical Configuration <;=" 6(4" <;=" 6(4" <;=" 6(4" 1> " 9" +,-./0,:;;" <;=" 6(4" L($D6* 9L9M* 8./" 8-:4",:;;" 12345" +,-./096.41" 96.41" 6178" <;=" 6(4" 2+3*1"&.*.8747" -8747" 8./" 8-:4" 9" 9" +,-./012345" +,-./06178" (6<061785" (6<06178" 8( " 8( " +,--:40,:;;" +,--: " <;=" 6(4" MD6$D6* 9L9M* 1> " 8./" 8-:4" 9",:;;" +,--: " 12345" +,--:406178" 96.41" 6178" SHA core is an active component; surrounding FIFOs are passive and widely available Input interface is separate from an output interface Processing a current block, reading the next block, and storing a result for the previous message can be all done in parallel 21

22 Benchmarking platforms two major vendors: Altera and Xilinx (~90% of the market) 11 FPGA families Altera Technology Low-cost Highperformance Low-cost Xilinx Highperformance 90 nm Cyclone II Stratix II Spartan 3 Virtex 4 65 nm Cyclone III Stratix III Virtex nm Cyclone IV Stratix IV Spartan 6 Virtex 6 22

23 3N+FO%"?"3: "N--;",-6" " C1/<D276=./E"-31/F(-:6<1"4--;G" 96.H1/"./"I16;G"7.218"74"7/"" "$JKLM$KNO"E1/167A-/"-,"" LIK&M&PNO"61(:;4(",-6"" MJQK&IQN"RIS$"3;7T-62(" #B"

24 Why Athena? "The Greek goddess Athena was frequently called upon to settle disputes between the gods or various mortals. Athena Goddess of Wisdom was known for her superb logic and intellect. Her decisions were usually well-considered, highly ethical, and seldom motivated by self-interest. from "Athena, Greek Goddess of Wisdom and Craftsmanship" #V"

25 (5/4D1(.(G".23;121/47A-/G"7/8"A2./E"7/7;5(.("./"J%61Q*#",.* @1/8-6" #)"

26 %D6"#%6.,*B.&'T1%R"(*-,"81(.E/("4D6-:ED"(.2:;7A-/"./"X74<D" 2-81" OR (:33-64",-6"#DHR41"&.*$&"1.77'()* 7: ".I6&%1R"(*%(,*6%JDH%R"(*"0*&.7DH67* -3A2:2"-3A-/("-,"4--;(" X1(4"476E14"<;-<=",61Y:1/<5" X1(4"(476A/E"3-./4"-,"3;7<121/4" #Z"

27 Generation of Results Facilitated by ATHENa batch mode of FPGA tools vs. ease of extraction and tabulation of results Excel, CSV (available), LaTeX (coming soon) optimized choice of tool options 27

28 Relative Improvement of Results from Using ATHENa Virtex 5, 256-bit Variants of Hash Functions Area Thr Thr/Area 0 Ratios of results obtained using ATHENa suggested options vs. default options of FPGA tools 28

29 Multiple Architectures #["

30 Study of Multiple Architectures Analysis of multiple hardware architectures per each finalist, based on the known design techniques, such as Folding Unrolling Pipelining Identifying the best architecture in terms of the throughput to area ratio Analyzing the flexibility of all algorithms in terms of the speed vs. area trade-offs 30

31 Performance Metrics - Area We force these vectors to look as follows through the synthesis and implementation options: Areaa 31

32 /&'#%&=*U.7')(.&7* Ekawat Homsirikamol a.k.a Ice Marcin Rogawski Developed optimized VHDL implementations of 14 Round 2 SHA-3 candidates + SHA-2 in two variants each (256 & 512-bit output), using several alternative architectures per each variant

33 Starting Point: Basic Iterative Architecture datapath width = state size one clock cycle per one round/step Block processing time = #R! T #R = number of rounds/steps T = clock period Currently, most common architecture used to implement SHA-1, SHA-2, and many other hash functions. 33

34 Horizontal Folding - /2(h) datapath width = state size two clock cycles per one round/step Block processing time = (2!#R) * T T/2 < T < T typically T " T/2 Area/2 < Area' < Area Typically Throughput/Area ratio increases 34

35 Vertical Folding - /2(v) datapath width = state size/2 two clock cycles per one round/step Block processing time = (2!#R) * T typically T " T Area/2 < Area' < Area 35

36 Unrolling - x2 datapath width = state size one clock cycle per two rounds Block processing time = (#R/2) * T T < T < 2!T typically T " 2!T Area/2 < Area' < 2!Area Typically Area " 2!Area Typically Throughput/Area ratio decreases 36

37 How to Increase the Speed? : The case for pipelining and parallel processing Protocols: IPSec, SSL, WLAN (802.11) Minimum Required Throughput Range: 100 Mbit/s - 40 Gbit/s (based on the specs of Security Processors from Cavium Networks, HiFn, and Broadcom) Supported sizes of packets: 40B B 1500 B = Maximum Transmission Unit (MTU) for Ethernet v2 576 B = Maximum Transmission Unit (MTU) for Internet IPv4 Path Most Common Operation Involving Hashing: HMAC 37

38 Cumulative Distribution of Packet Sizes 38

39 Multiple Packets Available for Parallel Processing 39

40 Parallel Processing Using Multi-Unit Architecture Data Stream Data Stream k

41 Pipelining - x2-ppl2, x1-ppl2 41

42 Results For Multiple Architectures V#"

43 Comprehensive Evaluation two major vendors: Altera and Xilinx (~90% of the market) two most recent high-performance families Altera Technology Low-cost Highperformance Low-cost Xilinx Highperformance 90 nm Cyclone II Stratix II Spartan 3 Virtex 4 65 nm Cyclone III Stratix III Virtex nm Cyclone IV Stratix IV Spartan 6 Virtex 6 43

44 BLAKE-256 in Virtex 5 44

45 Groestl-256 in Virtex 5 Groestl P/Q quasi-pipelined architecture; one unit shared between P and Q Groestl P+Q parallel architecture; two independent units for P and Q 45

46 JH-256 in Virtex 5 JH MEM round constants stored in memory JH OTF round constants computed on-the-fly 46

47 Keccak-256 in Virtex 5 47

48 Skein-256 in Virtex 5 48

49 SHA-256 in Virtex 5 49

50 256-bit variants in Virtex 5 50

51 512-bit variants in Virtex 5 51

52 256-bit variants in Stratix III 52

53 512-bit variants in Stratix III 53

54 Conclusions for Multiple Architectures )V"

55 Summary Keccak consistently outperforms SHA-2, front runner for high-speed implementations, but not suitable for folding JH performs better than SHA-2 most of the time, not suitable for folding or inner-round pipelining Groestl better than SHA-2 only for one out of four FPGA families, but only with relatively large area; suitable for vertical folding Skein the only candidate benefiting from unrolling; easy to pipeline after unrolling BLAKE most flexible; can be folded horizontally and vertically, can be effectively pipelined, however relatively slow compared to other candidates. 55

56 Conclusions Using multiple architectures provides a more comprehensive view of the algorithms Algorithms differ substantially in terms of their flexibility and suitability for folding, unrolling, and pipelining Pipelined architectures the best in terms of the throughput to area ratio for 4 out of 5 candidates Two front-runners: Keccak, JH 56

57 ! "#$ $ "%&#'( %")$

58 !"#"$!%&% ''( ' )!"# '$$% $' ' '$ '$ ) " ' *

59 !"#"$!% $' ' +,-',. ''/ 0!"#122" $$%' $$%'! 6 89# #8:9 8;9 ' 8: 4 8:9 ;: <' ' 8#=8 8: : >9?' ' 8;: :== 8: 8=8: 8=?" 89 =:> 9! 8#9 9 8;9 6 $$%' $$%'! 6 8: : 8# ' 8= 9=# 8: 8=8: 8=?" 89 >;8: >9! 8#9 9 8;9

60 '$ ) % < $' ' A $''%B%' 8>> % ' &' A '% B; 'B '*) &&A +,!%'#9$$% B '!'',&&& +,-',A * % ' A %'C' 'A "34'A%'C' %'< ) 'A

61 '!'',&&

62 '!%'#.D*E6F AD6AD '% / -',.D*E6F AD6AD5!>=/ *) &&.DE3AD'AD '% /!'',&&&.DEAD'AD5!F8=/

63 !"# '%'!" "# 55# 55,%' 3!=,=,,: $% >,>,A, '' &# '' # 559>

64 !"# '%'!" "# 55# 55,%' 3!=,=,,: $% >,>,A, '' &# '' # 559>!" "# 5! 5! 6 6 $% 6 6 &# 6 # 5!

65 ' ',

66 ' ', ',B9,>'

67 6 *) &&.>/A!'',&&&.;/A!%'#.8=/A-',.#9/ % ''.%'#'/,3!!,,B!%'#6 %'2.,=8,#/,',B,!%'# 6 %'2.,=8,#/ +,-', #9

68 5!>=3! B+,-',

69 5!6 '!'',&&&

70 +,-', ' '( ( )('(* )*!+,-" D*E6 AD6AD5!./D*E6. # 6 9 8#9AA 8;9 3 #; 89>AA# 8=9."# "# 6 8:AA 8# 3 8#> 99A8A= #8 % 6 8> >8=AA #9 3 8:8; #A8A #: "# "# 6 8=>AA 8# 3 8=98 :9A8#A 9 6 9=# 8=AA #= 3 == 8AA >9: $% 6 >;8: 89AA >9 3 #8 899A>A ; &# 6 8##9 8#AA ##=A8A =>8 % 6 8> >8=AA #9 3 8;8 #=8A8A >8:

71 '!'',&&& ' '( ( )('(* )*!+-) DEADF'AD5!./DE. # 6 >9 >#=8AA 3 8>: :AA8= 9."# "# 6 =9 >:AA ># 3 8:# 8::#A8A# 9 % 6 89> ;==AA 89: :;AA89 # "# "# 6 =9 >:AA ># 3 8== 8;A8A ;> 6 9>; :>AA := 3 9= >>#=A9A 8= $% 6 >9> ###8AA 8#; 3 >98 :>#A;A 8: &# 6 8#:>9 >8AA # 3 8>8# >::AA ## % 6 89> ;==AA 89: ;9AA 8:#

72 $$%' $ ' / "# 8# 9 ;> "# ># ;> 88= #= >9: > := 8= 8:; $% >9 ; #: $% 8#; 8: &# 88 =>8 89 &# # ## # 8;9 8=9 # 9 *, "# 98 8>> "# 8# #> 89 > 9 8:8 8 :: >8# $% >8 # ; $% #9 >8 8> &# 8>9 8## ; &# ;; ;= 8 # : 4 4 # 4 4

73 4 C$$%''$6' ' '6 3 $' ' : 9 > # -',!%'#!'',&&& *) && 8 6

74 * 6 $' '!"# '$ ) ( ' ''$ '+, '$$ % < $%G ) )'$' ') & % % * 5!' '% $< '%' '$$ ' H')<'' '$' ) +#+$%%& * %%,# &&* #%%% -.*'#$/*$ *0$1*,#$2*#*

75 Low-Area Implementations )\"

76 Lightweight Implementations of the SHA-3 Finalists Jens-Peter Kaps, Panasayya Yalla, Kishore Kumar Surapathi, Bilal Habib, Susheel Vadlamudi, and Smriti Gurung

77

78 Implementation Results Xilinx Spartan 3 Xilinx Virtex V Altera Cyclone II! Xilinx Spartan 3, ISE 12.3, after P&R, Optimized through ATHENa

79 Implementation Results! Xilinx Spartan 3, ISE 12.3, after P&R, Optimized through ATHENa

80 Detailed Results Area Block Maximum Large Messages Short Messages Algorithm (slices) RAMs Delay (ns) T TP (Mbps) TP/Area (Mbps/slice) TP (Mbps) TP/Area (Mbps/slice) BLAKE Grøstl JH Keccak Skein ! Xilinx Spartan 3, ISE 12.3, after P&R, Optimized through ATHENa

81 Reproducibility of Results ZB"

82 GMU Source Codes First batch of GMU Source Codes made available at the ATHENa website at: Included in this release: best non-pipelined architectures for each of the 14 Round 2 candidates and SHA-2 best non-pipelined architectures for each of the 5 Round 3 candidates Each code supports two variants: with 256-bit and 512-bit output. 64

83 GMU Database of Results Available in the ATHENa database at 20 functions (14 Round 2 SHA Round 3 SHA-3 + SHA-2) x 2 variants x 11 FPGA families = 440 combinations (440-not_fitting) = 379 optimized results Support for easy replication of all results. We invite other groups to submit results to our database 65

84 L(B'6%R"(*6"*87.*3N+FO%*V*3N+FO%*U%6%J%7.* 5 Database query ATHENa Server 6 User Ranking of designs 1 ATHENa scripts and configuration files8 HDL + scripts + configuration files FPGA Synthesis and Implementation 2 3 Result Summary + Database Entries HDL + FPGA Tools 4 Database Entries 0 Designer Interfaces + Testbenches ZZ"

85 Thank you! Questions? Questions? CERG: ATHENa: 67