FACE : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data

Transcription

1 : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data Jin Hyung Park and Dong Hoon Lee Center for Information Security Technologies, Korea University

2 Introduction 1 IV(Counter) The counter is incremented for each block + (i 1) K Block Cipher Encryption K Block Cipher Encryption K Block Cipher Encryption Plaintext 0 Ciphertext 0 Plaintext 1 Ciphertext 1 Plaintext i-1 Ciphertext i-1 1 st block 2 nd block i th block

3 Introduction 2 IV(Counter) The counter is incremented for each block + (i 1) K Block Cipher Encryption K Block Cipher Encryption K Block Cipher Encryption Plaintext 0 Ciphertext 0 Plaintext 1 Ciphertext 1 Plaintext i-1 Ciphertext i-1 1 st block 2 nd block i th block

4 Introduction 2 1 st block 2 nd block CTR 0 : 0x 0x 0x 0x 01 CTR 1 : 0x 0x 0x 0x Round Key 8A 48 ED AC 02 Round Key 8A 48 ED AC 4F 7B F 7B E BA 6A 50 5E BA 6A 50 8A 48 ED AC 59 B3 C4 38 8A 48 ED AC 59 B3 C4 38 4F 7B F 7B E BA 6A 50 5E BA 6A B3 C B3 C4 3A < Initial Whitening phase of AES >

5 Introduction 2 CTR 0 : 0x 0x 0x 0x 01 CTR 1 : 0x 0x 0x 0x Round Key 02 Round Key 01 Counter-mode Caching** *

6 Round Function - 4 Transformations 3 [0] [4] [8] [12] [0] [4] [8] [12] [0] [4] [8] [12] [1] [5] [9] [13] [1] [5] [9] [13] [5] [9] [13] [1] [2] [3] [6] [7] [10] [11] [14] [15] S-Box [2] [3] [6] [7] [10] [11] [14] [15] Shift [10] [14] [2] [6] [15] [3] [7] [11] [0] [4] [8] [12] [5] [9] [13] [1] [10] [14] [2] [6] [15] [3] [7] [11] [0] [4] [8] [12] [5] [9] [13] [1] [10] [14] [2] [6] [15] [3] [7] [11] [0] [4] [8] [12] [5] [9] [13] [1] [10] [14] [2] [6] [15] [3] [7] [11] Round Key [0] [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]

7 AES Implementation Methods 4 static const u32 Te0[256] = { 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, 0x U, 0x U, 0xce6767a9U, 0x562b2b7dU, 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU, 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U, 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU, }; static const u32 Te3[256] = { 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U, 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, 0x U, 0x U, 0x6767a9ceU, 0x2b2b7d56U, 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU, 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU, 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU, }; s0 = GETU32(in ) ^ rk[0]; s1 = GETU32(in + 4) ^ rk[1]; s2 = GETU32(in + 8) ^ rk[2]; s3 = GETU32(in + 12) ^ rk[3]; < OpenSSL > /* round 1: */ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];

8 AES Implementation Methods 4 static const u32 Te0[256] = { 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, 0x U, 0x U, 0xce6767a9U, 0x562b2b7dU, 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU, 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U, 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU, }; static const u32 Te3[256] = { 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U, 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, 0x U, 0x U, 0x6767a9ceU, 0x2b2b7d56U, 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU, 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU, 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU, }; s0 = GETU32(in ) ^ rk[0]; s1 = GETU32(in + 4) ^ rk[1]; s2 = GETU32(in + 8) ^ rk[2]; s3 = GETU32(in + 12) ^ rk[3]; < OpenSSL > Vulnerable to Cache timing attack /* round 1: */ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];

9 AES Implementation Methods 5 < 8 plaintext blocks > Block 0 : MSB b 0 b 1 b 2 b 3 b 12 b 13 b 14 Block 1 : b 0 b 1 b 2 b 3 b 12 b 13 b Block 2 : b 0 b 1 b 2 b 3 b 12 b 13 b Block 3 : b 0 b 1 b 2 b 3 b 12 b 13 b Block 4 : b 0 b 1 b 2 b 3 b 12 b 13 b Block 5 : b 0 b 1 b 2 b 3 b 12 b 13 b Block 6 : b 0 b 1 b 2 b 3 b 12 b 13 b Block 7 : b 0 b 1 b 2 b 3 b 12 b 13 b LSB < 8 [128-bits] registers > MSB Register 0 : Register 1 : Register 2 : Register 3 : Register 4 : Register 5 : Register 6 : Register 7 : LSB < bitsliced form transformation (OpenSSL implementation based on [1]) >

10 AES Implementation Methods 6 Instruction AESENC AESENCLAST AESDEC AESDECLAST AESKEYGENASSIST AESIMC PCLMULQDQ Description Perform one round of an AES encryption flow Perform the last round of an AES encryption flow Perform one round of an AES decryption flow Perform the last round of an AES decryption flow Assist in AES round key generation Assist in AES Inverse Mix Columns Carryless multiply < Crypto++ > *block = _mm_xor_si128( *block, skeys[0] ) ; /* round 1: */ *block = _mm_aesenc_si128 ( *block, skeys[1] ) ;

11 AES Implementation Methods 7 Method Performance (Cycles per Byte) Test Environment Reference Table-based α (not for CTR) Core 2 Quad Q66 INDOCRYPT 28 [1] Bitslicing 9.32 Core 2 Quad Q Core 2 Quad Q9550 CHES 29 [2] AES-NI Westmere Processor INTEL whitepaper [3] 0.57 Skylake Core i5 Crypto++ Benchmark [4] [1] : Daniel J. Bernstein and Peter Schwabe, New AES software speed records, INDOCRYPT 28 [2] : Emilia Käsper and Peter Schwabe, Faster and Timing-Attack Resistant AES-GCM, CHES 29 [3] : Shay Gueron, Intel Advanced Encryption Standard (AES) New Instructions Set, May, 2010 ( The first Westmere-based processors (that supports AES-NI) were launched on Jan, ) [4] : Crypto Benchmarks,

12 Problem 8 Bitslice AES-NI aesenc xmm15, xmm1 only 1 instruction performs round operation During a format conversion, each byte of input is sliced bitwise. And the sliced bits are spread in the corresponding positions of each register Necessary input bytes to calculate the rest are spread to whole register Almost the whole instructions of previous implementation should be performed with additional operations (save, load, merge) Adding some operations to calculate the rest becomes a considerable burden even if instruction latency and throughput differ from each instruction Such operations (for the rest) should be composed of several instructions

13 Our Work (FACE) 9 Extends the counter-mode caching FACE FACE The first to combine counter-mode caching with bitsliced implementation The first to apply counter-mode caching up to the round transformations of AES-NI FACE the highest throughput

14 Fast AES Counter mode Encryption 10 FACE (Fast AES Counter Mode Encryption) - 12 bytes bytes bytes K - 4K

15 Fast AES Counter mode Encryption 11 FACE rd0 Initialization Vector (128 bits Counter Value) : Different Part : Available Part of Cache Block-to- Transformation Round 0(Initial Whitening) 1 st Block : 256 block The difference last 1 byte Block-to- Transformation 1 st block s Counter Value + Interval Round 0(Initial Whitening) 2 nd Block :

16 Fast AES Counter mode Encryption 11 FACE rd0 Block-to- Transformation Initialization Vector (128 bits Counter Value) Round 0(Initial Whitening) Round Key : Different Part : Available Part of Cache 1 st Block : 256 block The difference 1 st block s Counter Value + Interval last 1 byte Block-to- Transformation Round 0(Initial Whitening) Round Key 2 nd Block :

17 Fast AES Counter mode Encryption 11 FACE rd0 Initialization Vector (128 bits Counter Value) : Different Part : Available Part of Cache Block-to- Transformation Round 0(Initial Whitening) Round Key 1 st Block : First Block 256 block The difference last 1 byte Block-to- Transformation 1 st block s Counter Value + Interval Round 0(Initial Whitening) 1 Byte Difference Cache 3 columns 2 nd Block : Round Key Second Block

18 Fast AES Counter mode Encryption 12 FACE rd1 The difference last 1 byte 1 ST Block : Round 0 : Different Part : Correlation of transformation with bytes : Available Part of Cache Round 0 2 nd Block :

19 MixColumns FACE Fast AES Counter mode Encryption 12 FACE rd1 Round 0 The difference 1 ST Block : : Different Part : Correlation of transformation with bytes : Available Part of Cache last 1 byte SubBytes ShiftRows AddRoundKey This difference spreads Round 0 MixColumns 2 nd Block : SubBytes ShiftRows AddRoundKey

20 MixColumns FACE Fast AES Counter mode Encryption 12 FACE rd1 Round 0 The difference 1 ST Block : : Different Part : Correlation of transformation with bytes : Available Part of Cache last 1 byte This difference spreads SubBytes ShiftRows AddRoundKey First Block 3 columns Round 0 MixColumns 4 Byte Difference Cache 2 nd Block : SubBytes ShiftRows AddRoundKey Second Block 255

21 Fast AES Counter mode Encryption 13 FACE rd1+ lookup table Pre-computation 1 ST Block : Round 0 : Different Part : Correlation of transformation with bytes : Byte that is used as index SubBytes ShiftRows AddRoundKey Round 0 MixColumns 2 nd Block : SubBytes ShiftRows AddRoundKey ctr[15] xor Round 0 s rk[15] MixColumns

22 Fast AES Counter mode Encryption 13 FACE rd1+ lookup table Pre-computation 1 ST Block : Round 0 : Different Part : Correlation of transformation with bytes : Byte that is used as index _in 0,0 [3] SubBytes ShiftRows AddRoundKey in 12 in 13 in 14 in 15 First Block 2 40 Round 0 MixColumns _in 1,0 [3] in 12 2 nd Block : in 13 in 14 in 15 Second Block SubBytes ShiftRows AddRoundKey Lookup Table lookup index last byte of the counter Index Cached MixColumns

23 Fast AES Counter mode Encryption 14 Leverage FACE rd1 & FACE rd1+ Counter b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 b 9 b 10 b 11 b 12 b 13 b 14 b 15 Counter Initial whitening (Round 0) 1 Caching Procedure () Round 0 SubBytes( ) Saved (FACE rd1 ) ShiftRows( ) MixColumns( ) AddRoundKey( ) Complete (Up to ) after memory load and merge 1 Index(b 15 ) Value(4 Bytes) 0 0x64E2F9C x 0x1A83B211 0x73816F1F 0x6C8EB21D Look-up Table

24 Fast AES Counter mode Encryption 15 FACE rd2 : Different Part : Correlation of transformation with bytes : Available Part of Cache The difference 1 ST Block : the first column 4 bytes 2 nd Block :

25 Fast AES Counter mode Encryption 15 FACE rd2 : Different Part : Correlation of transformation with bytes : Available Part of Cache The difference Round 3 1 ST Block : the first column 4 bytes This difference spreads all s SubBytes ShiftRows AddRoundKey MixColumns Round 3 2 nd Block : SubBytes ShiftRows AddRoundKey MixColumns

26 Fast AES Counter mode Encryption 15 FACE rd2 : Different Part : Correlation of transformation with bytes : Available Part of Cache The difference the first column 4 bytes This difference spreads all s 1 ST Block : SubBytes ShiftRows AddRoundKey Round 3 [ The case of [0] ] = Round Key Round Key MixColumns 16 bytes intermediate result 2 nd Block : SubBytes ShiftRows AddRoundKey Round Round Key Cache Round Key = MixColumns

27 Fast AES Counter mode Encryption 16 FACE rd2+ lookup table Pre-computation 1 ST Block : Round 3 : Different Part : Correlation of transformation with bytes : Byte that is used as index SubBytes ShiftRows AddRoundKey MixColumns Round 3 2 nd Block : SubBytes ShiftRows AddRoundKey MixColumns

28 Fast AES Counter mode Encryption 16 FACE rd2+ : Different Part : Correlation of transformation with bytes Round 3 lookup table Pre-computation 1 ST Block : SubBytes ShiftRows AddRoundKey [ The case of [0] ] Round Key Round Key = MixColumns Round 3 2 nd Block : SubBytes ShiftRows AddRoundKey Round Key Round Key By FACErd1+, ctr[15] determines = MixColumns

29 Fast AES Counter mode Encryption 16 FACE rd2+ lookup table Pre-computation 1 ST Block : Round 3 : Different Part : Correlation of transformation with bytes : Byte that is used as index [ The case of [0] ] SubBytes ShiftRows AddRoundKey _in 0,0 [3] in MixColumns Round 3 _in 1,0 [3] in 12 in 13 in 14 in 15 FACE rd2 FACE rd2 First Block [0] 2 nd Block : in 13 in 14 in 15 Second Block [0] SubBytes ShiftRows AddRoundKey Lookup Table lookup index last byte of the counter Index Cached MixColumns

30 Fast AES Counter mode Encryption 16 FACE rd2+ lookup table Pre-computation 1 ST Block : Round 3 : Different Part : Correlation of transformation with bytes : Byte that is used as index [ The case of [0] ] SubBytes ShiftRows AddRoundKey _in 0,0 [3] in MixColumns Round 3 _in 1,0 [3] in 12 in 13 in 14 in 15 FACE rd2 FACE rd2 First Block [0] 2 nd Block : in 13 in 14 in 15 Second Block [0] lookup index last byte of the counter SubBytes ShiftRows AddRoundKey The whole operations up to round 2 can be done by 2 memory load and 1 XOR operations only! MixColumns Index Cached Lookup Table

31 Cache timing Attacks ** ARMageddon, USENIX cached non-cached < Cache timing variation > fixed-time instructions does not use conditional branches does not use memory access patterns depend on secret data depend on secret data depend on secret data

32 Cache timing Attacks ** ARMageddon, USENIX cached non-cached < Cache timing variation > fixed-time instructions does not use conditional branches does not use memory access patterns depend on secret data depend on secret data depend on secret data Our method looks like vulnerable to timing attacks (the use of lookup tables) But, FACE has no operations that depend on secret data - In case of FACE rd0, FACE rd1, and FACE rd2, the size of cache is small and the indices are fixed (i.e. constant data) - In case of FACE rd1+ and FACE rd2+, the index is merely a part of counter that does not need to be secret and the index increases linearly

33 Evaluations 18 BS08 KS09 Test Env_1 Test Env_2 Test Env_3 CPU Intel Core 2 Quad Q9550 Intel Core i7 4770K Intel Core i7 87K Frequency 2.8 GHz 3.5 GHz 3.7 GHz RAM 4 GB 8 GB 16 GB OS Linux x86_64 * Linux x86_64 Linux x86_64

34 Evaluations 19 Test Env_1 Test Env_2 Test Env_3 Intel Core 2 Quad Q9550 Intel Core i7 4770K Intel Core i7 87K 2.8 GHz 3.5 GHz 3.7 GHz 4 GB 8 GB 16 GB Linux x86_64 Linux x86_64 Linux x86_64

35 Conclusion 20

36 Conclusion 20 Thank you for your attention! Any Questions?