The Intel AES-NI and the SHA-3 Candidates
|
|
- Aleesha Lane
- 5 years ago
- Views:
Transcription
1 The Intel AES-NI and the SHA-3 Candidates << S( ) MC( ) +.. Ryad Benadjila + Olivier Billet + Shay Gueron Matt Robshaw + University of Haifa and Intel Corp. + Orange Labs
2 Introduction Context: Software performance on existing and future CPUs is important for the SHA-3 competition Intel (and AMD) plan to introduce a new set of instructions performing AES in hardware AES inspired candidates may (or may not) benefit from these Purpose of the study: Find a methodology to simulate AES instructions performance on current CPUs only by using publicly available information Check the resulting speed up for SHA-3 candidates Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 2/27
3 AES-NI instructions set
4 AES-NI: Intel s new instructions AES-NI stands for AES New Instructions Will be implemented in the forthcoming Westmere CPUs ( 32 nm CPUs) to appear in 2010 Minor microarchitecture evolutions from Nehalem current Core TM i7 and Core TM i5 to Westmere AES-NI = 6 new instructions as an extension of Nehalem s SSE4.2: 128 bit xmm registers are used ( 16 in 64 -bit mode) 4 instructions for the AES round encryption and decryption aesenc, aesdec, aesenclast, aesdeclast 2 instructions for the key schedule aeskeygenassist, aesimc Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 3/27
5 AES-NI: the detail 128 xmm0 0 x 14 x 13 x 15 x 8 x 12 x 11 x 10 x 9 x 7 x 6 x 5 x 4 x 3 x 2 x 1 x 0 Encryption example: xmm0 = input and output state xmm1 or memory = round key k 14 k 13 k 15 k 8 x 0 x 1 x 6 x 2 x 4 k 12 xmm0 x 8 k 11 x 12 x 5 x 9 x 10 x 14 x 13 k 10 xmm1 or [mem128] k 9 k 7 k 6 k 5 k 4 aesenc xmm0, xmm1/[mem128] SubBytes S(.) x 0 x 1 x 6 x 2 x 4 k 3 k 2 k 1 k 0 x 8 x 12 x 5 x 9 x 10 x 14 x 13 0 aesenc xmm0, xmm1/[mem128] Tmp Tmp xmm0 SubBytes (Tmp) Tmp ShiftRows (Tmp) Tmp MixColumns(Tmp) xmm0 (Tmp xmm1/[mem128]) x 3 x 7 x 11 x 15 x 0 x 4 x 8 x 12 x 13 x 1 x 6 x 5 x 9 x 10 x 14 x 2 x 3 x 7 x 11 x MixColumns MC(.) x 3 x 0 x 10 x 15 x 7 - < << <<< x 4 x 11 ShiftRows x 5 x 9 x 14 x 2 x 3 x 8 x 7 x 15 x 12 x 13 x 6 x 1 x 11 AddRoundKey + 0 xmm1 /[mem128] k 0 k 4 k 8 k 12 k 13 k 1 k 6 k 5 k 9 k 10 k 14 k 2 k 3 k 7 k 11 k Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 4/27
6 AES-NI: the detail AES-NI uses the equivalent inverse cipher for decryption: aesdec xmm0, xmm1/[mem128] Tmp xmm0 Tmp InvShiftRows (Tmp) Tmp InvSubBytes (Tmp) Tmp InvMixColumns(Tmp) xmm0 (Tmp xmm1/[mem128]) aesdeclast xmm0, xmm1/[mem128] Tmp xmm0 Tmp InvShiftRows (Tmp) Tmp InvSubBytes (Tmp) xmm0 (Tmp xmm1/[mem128]) aesenclast xmm0, xmm1/[mem128] Tmp xmm0 Tmp ShiftRows (Tmp) Tmp SubBytes (Tmp) xmm0 (Tmp xmm1/[mem128]) aesimc xmm0, xmm1/[mem128] xmm0 InvMixColumns(xmm1/[mem128]) Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 5/27
7 AES-NI: beyond basic instructions ShiftRows and InvShiftRows performed with a non AES-NI operation pshufb xmm0, xmm1/[mem128] shuffles the bytes of xmm0 Then, isolate all the missing AES round primitives: SubBytes = pshufb aesenclast MixColumns = aesdeclast aesenc Rijndael round on a 256 -bit state : (pblendw+pshufb) Adapt close MDS operations: ( ) ( ) 2 1 x0 1 2 x 1 = ( y0 y 1 ) y 0 y 1 = x 0 0 x 1 0 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 6/27
8 AES based SHA-3 candidates
9 SHA-3 candidates and AES-NI AES inspired candidates that are likely to benefit from AES-NI: Those that use the AES round function transparently Those that use at least one of the key components of the AES round: the AES SBox and/or the AES MDS matrix (or their inverse) But: too distant designs end up losing performance table lookups become more efficient than AES-NI AES-NI might help preventing side channel attacks in this case though Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 7/27
10 SHA-3 candidates and AES-NI AES inspired SHA-3 candidates and AES-NI: Candidate AES-NI OK? Why? ECHO 224/256 AES round based 384/512 AES round based LANE 224/256 AES round based 384/512 AES round based SHAvite-3 224/256 AES round based 384/512 AES round based Fugue 224/256 Non AES MDS matrix 384/512 Non AES MDS matrix Groestl 224/256 Non AES MDS matrix 384/512 Non AES MDS matrix Twister 224/256 Non AES MDS matrix 384/512 Non AES MDS matrix Candidate AES-NI OK? Why? Vortex 224/256 AES round based 384/512 Rijndael 256 based Lesamnta 224/256 MDS adapted to fit AES 384/512 Non AES MDS in key schedule Cheetah 224/256 Small use of AES elements 384/512 Non AES MDS matrix LUX 224/256 Rijndael 256 based 384/512 Non AES MDS matrix ARIRANG 224/256 Minor use of AES elements 384/512 Non AES MDS matrix AES-NI transparently used AES-NI not much used/can be used with adjustments AES-NI can t be used (or with significant performance loss) Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 8/27
11 Uncovering AES-NI
12 Uncovering: purpose and methodology Purpose: Find how the aesenc family of instructions works from the microarchitectural perspective Use this information to find a suitable replacement pattern with instructions that would work on available Nehalem Core TM i7 Methodology: Use only publicly available tools and documents, namely: The Intel AES-NI White Paper The Intel Core TM microarchitecture documentation IACA (Intel Architecture Code Analyzer): a static code analysis tool with hardcoded microarchitectural information Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 9/27
13 Uncovering: purpose and methodology The IACA tool gives the following analysis for aesenc and aesdec: Total Latency: 6 Cycles; Total number of Uops bound to ports: 3 Num of Ports pressure in cycles Uops 0 - DV D 3 - D CP aesenc xmm1, xmm0 Total Latency: 6 Cycles; Total number of Uops bound to ports: 3 Num of Ports pressure in cycles Uops 0 - DV D 3 - D CP aesdec xmm1, xmm0 The latency of 6 cycles is in line with the information given in the AES-NI White paper The aesenc and aesdec symmetry is explained by the equivalent inverse cipher Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 10/27
14 Uncovering: the µop scheme puzzle Latency information insufficient to find a good replacement for AES-NI It is too coarse: we need to analyze AES-NI deeper get the exact type and scheduling of the 3 µop Let s summarize what we have so far: 3 µop : two on Port0 and one on Port5 Each µop can have any latency 6 No obvious scheduling rule Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 11/27
15 Uncovering: the µop scheme puzzle Latency information insufficient to find a good replacement for AES-NI It is too coarse: we need to analyze AES-NI deeper get the exact type and scheduling of the 3 µop Let s summarize what we have so far: 3 µop : two on Port0 and one on Port5 Each µop can have any latency 6 No obvious scheduling rule huge number of possible patterns! Port 0 Port # Cycles Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 12/27
16 Uncovering: the µop scheme puzzle Fortunately, we can find and use additional information: The Intel Core TM microarchitecture documentation states that: All µop on Port0 (resp. on Port5) have a latency of 1, 4 or 5 cycles (resp. 1 cycle) Port0 and Port5 have a latency of 1 cycle two parallel and independent µop scheduled on the same port can t start at the same cycle The AES-NI White paper tells that aesenc and aesdec are highly parallelizable when there is no critical path discards sequential µop on Port0, also means a latency of 4 or 5 for at least one Port5 used among other ports for SSE xor operations, and they run in a 1 cycle latency AddRoundKey operation of both aesenc and aesdec, should run in the last cycle Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 13/27
17 Uncovering: the µop scheme puzzle 3 possible µop decompositions of aesenc: # Cycles 4 5 # Cycles 4 5 # Cycles Port 0 Port 5 Let s find out the correct one Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 14/27
18 AddRoundKey AddRoundKey Introduction AES-NI SHA-3 Uncovering AES-NI Results AddRoundKey Uncovering: the µop scheme puzzle 3 possible µop decompositions of aesenc: SubBytes 1 MixColumns 2 SubBytes 1 MixColumns 2 SubBytes 1 MixColumns # Cycles 4 5 # Cycles 4 5 # Cycles Remember: we have to sequentially perform both SubBytes and MixColumns on Port0 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 15/27
19 Uncovering: the µop scheme puzzle 3 possible µop decompositions of aesenc: x 14 x 13 x 12 x 11 x 10 x 9 x 15 x 8 xmm x 7 x 6 x 5 x 4 x 3 x 2 x 1 x Implicit ShiftRows x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 14 x 2 x 13 x # Cycles 4 5 # Cycles 4 5 # Cycles µop 1 x 10 x 15 x 3 x 7 x 11 µop Remember: we have to sequentially perform both SubBytes and MixColumns on Port0 The most natural way: split { SubBytes+MixColumns } in two independent µop and parallely work on the two halves of the AES state Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 16/27
20 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k The IACA tool analysis: Total Latency: 6 Cycles; Total number of Uops bound to ports: 4 Num of Ports pressure in cycles Uops 0 - DV D 3 - D X 1 X CP movdqu xmm2, xmm0 mulps xmm0, xmm1 1 CP mulps xmm2, xmm1 1 1 CP xorps xmm0, xmm2 Total Latency: 6 Cycles; Total number of Uops bound to ports: 3 Num of Ports pressure in cycles Uops 0 - DV D 3 - D CP aesenc xmm1, xmm0 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 17/27
21 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k The first instruction movdqu acts like a fence dependency on xmm k and the xorps µop prevents reordering of the two mulps µop Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 18/27
22 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k The first instruction movdqu acts like a fence dependency on xmm k prevents reordering of the two mulps µop and the xorps µop dependency on xmm i prevents reordering of the pattern with other instructions µop 4 µop instead of 3 not a problem, movdqu can be scheduled on Ports 0,1,5 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 19/27
23 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k But... junk registers must be used to avoid a critical path take care of data dependency surrounding the replacement Length of the pattern and prefetch pipeline not an issue Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 20/27
24 Implementations, measurements and results
25 The big picture The Methodology: 2 versions of the code: AES-NI Replacement Optimized assembly implementations LANE* LUX224/256 ECHO* Vortex* Cheetah224/256 SHAvite-3* ARIRANG224/256 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 21/27
26 The big picture The Methodology: 2 versions of the code: AES-NI Replacement Intel SDE emulator for correctness Optimized assembly implementations LANE* LUX224/256 ECHO* Vortex* Cheetah224/256 SHAvite-3* ARIRANG224/256 Compile Westmere Toggle use aesenc/aesdec Checking Correctness Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 22/27
27 The big picture The Methodology: 2 versions of the code: AES-NI Replacement Intel SDE emulator for correctness Measure performance on Nehalem with the replacement code Optimized assembly implementations LANE* LUX224/256 ECHO* Vortex* Cheetah224/256 SHAvite-3* ARIRANG224/256 Compile Nehalem Toggle aesenc/aesdec replacement( ) Timing Measurements Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 23/27
28 Implementation and measurements Implementation: AES-NI instructions take full advantage of parallelism maximize parallelism by removing critical paths Same level of optimization applied to all the candidates as fair as possible Measurements: ad hoc measurements with the rdtsc timers on the same Core TM i7 machine running amd64 OS noise removed: high priority scheduling, averaging... for stable measurements Some CPU options (Hyperthreading, Turbo Boost) turned off Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 24/27
29 The results AES-NI versus previous performance results: Performance (c/b) Version AES-NI Previous Vortex 224/ / SHAvite-3 224/ / ECHO 224/ / LANE 224/ / Performance (c/b) Version AES-NI Previous Lesamnta 224/ / LUX 224/ / Cheetah 224/ / ARIRANG 224/ / Performance (c/b) Version AES-NI Previous Fugue 224/ / Groestl 224/ / Twister 224/ / Reference figures on the platform: c/b c/b Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 25/27
30 The results Some details: Version AES-NI #AES/Byte SP DP + Vortex 224/ / SHAvite-3 224/ / ECHO-SP 224/ / ECHO 224/ / LANE 224/ / *Single-Pipe designs + Double-Pipe designs Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 26/27
31 Conclusion Significant improvements for some algorithms mainly those that use the full AES round and that benefit from instruction parallelism This work focused on the performance side of AES-NI but side channel attacks resistance is also an important feature More details on implementation tricks for each candidate are in the paper AES-NI/Replacement source codes are available : improvements and comments are welcome! Results on 32 bit CPUs (only 8 xmm registers) would be an interesting extension of this work Next step: test the ready-to-run implementations on Westmere! Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 27/27
32 Thank you for your attention
Intel s New AES Instructions
Intel s New AES Instructions Enhanced Performance and Security Shay Gueron - Intel Corporation, Israel Development Center, Haifa, Israel - University of Haifa, Israel 1 Overview AES basics Performance
More informationFACE : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data
: Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data Jin Hyung Park and Dong Hoon Lee Center for Information Security Technologies, Korea University Introduction 1 IV(Counter)
More informationVortex. A New Family of One-Way Hash Functions. Based on AES Rounds and Carry-less Multiplication. Intel Corporation, IL
Vortex A New Family of One-Way Hash Functions Based on AES Rounds and Carry-less Multiplication Shay Gueron Michael E. Kounavis Intel Corporation, IL Intel Corporation, US and University of Haifa, IL Information
More informationSharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl
Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo,
More informationSoftware Benchmarking of the 2 nd round CAESAR Candidates
Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1, Robin Ankele 2 1 Royal Holloway, University of London, UK 2 University of Oxford, UK October 20, 2016 SPEED-B, Utrecht, The Netherlands
More informationImplementing AES : performance and security challenges
Implementing AES 2000-2010: performance and security challenges Emilia Käsper Katholieke Universiteit Leuven SPEED-CC Berlin, October 2009 Emilia Käsper Implementing AES 2000-2010 1/ 31 1 The AES Performance
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 5 Advanced Encryption Standard Advance Encryption Standard Topics Origin of AES Basic AES Inside Algorithm Final Notes Origins
More informationBYTE SLICING GRØSTL Optimized Intel AES-NI and 8-bit Implementations of the SHA-3 Finalist Grøstl
BYTE SLICING GRØSTL Optimized Intel AES-NI and 8-bit Implementations of the SHA-3 Finalist Grøstl Kazumaro Aoki 1, Günther Roland 2, Yu Sasaki 1 and Martin Schläffer 2 1 NTT Corporation, Japan 2 IAIK,
More informationImplementing Lightweight Block Ciphers on x86 Architectures
Implementing Lightweight Block Ciphers on x86 Architectures Ryad Benadjila 1 Jian Guo 2 Victor Lomné 1 Thomas Peyrin 2 1 ANSSI, France 2 NTU, Singapore SAC, August 15, 2013 Talk Overview 1 Introduction
More informationAES Advanced Encryption Standard
AES Advanced Encryption Standard AES is iterated block cipher that supports block sizes of 128-bits and key sizes of 128, 192, and 256 bits. The AES finalist candidate algorithms were MARS, RC6, Rijndael,
More informationHigh-Performance Cryptography in Software
High-Performance Cryptography in Software Peter Schwabe Research Center for Information Technology Innovation Academia Sinica September 3, 2012 ECRYPT Summer School: Challenges in Security Engineering
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More informationRevisiting the IDEA Philosophy
Revisiting the IDEA Philosophy Pascal Junod 1,2 Marco Macchetti 2 1 University of Applied Sciences Western Switzerland (HES-SO) 2 Nagracard SA, Switzerland FSE 09 Leuven (Belgium), February 24, 2009 Outline
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationHardware-Focused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES
Hardware-ocused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES Akashi Satoh and Sumio Morioka Tokyo Research Laboratory IBM Japan Ltd. Contents Compact and High-Speed
More informationDEMYSTIFYING INTEL IVY BRIDGE MICROARCHITECTURE
DEMYSTIFYING INTEL IVY BRIDGE MICROARCHITECTURE Roger Luis Uy College of Computer Studies, De La Salle University Abstract: Tick-Tock is a model introduced by Intel Corporation in 2006 to show the improvement
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationAn Instruction Set Extension for Fast and Memory- Efficient AES Implementation. Stefan Tillich, Johann Großschädl, Alexander Szekely
Institute for Applied Information Processing and Communications () GRAZ UNIVERSITY OF TECHNOLOGY An Instruction Set Extension for Fast and Memory- Efficient AES Implementation Stefan Tillich, Johann Großschädl,
More informationWeek 5: Advanced Encryption Standard. Click
Week 5: Advanced Encryption Standard Click http://www.nist.gov/aes 1 History of AES Calendar 1997 : Call For AES Candidate Algorithms by NIST 128-bit Block cipher 128/192/256-bit keys Worldwide-royalty
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 7 September 23, 2015 CPSC 467, Lecture 7 1/1 Advanced Encryption Standard AES Alternatives CPSC 467,
More informationWhoamI. Attacking WBC Implementations No con Name 2017
Attacking WBC Implementations No con Name 2017 1 WHO I AM EDUCATION: Computer Science MSc in IT security COMPANY & ROLES: HCE Security Evaluator R&D Engineer WBC project Responsible of Android security
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationChapter 7 Advanced Encryption Standard (AES) 7.1
Chapter 7 Advanced Encryption Standard (AES) 7.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 7 Objectives To review a short history of AES To define
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationImplementation of the block cipher Rijndael using Altera FPGA
Regular paper Implementation of the block cipher Rijndael using Altera FPGA Piotr Mroczkowski Abstract A short description of the block cipher Rijndael is presented. Hardware implementation by means of
More informationUsing Error Detection Codes to detect fault attacks on Symmetric Key Ciphers
Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers Israel Koren Department of Electrical and Computer Engineering Univ. of Massachusetts, Amherst, MA collaborating with Luca Breveglieri,
More informationThe Encryption Standards
The Encryption Standards Appendix F Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide F-1 Outline Data Encryption Standard Algorithm Advanced Encryption Standard Background mathematics
More informationBlock Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1
Block Ciphers Lucifer, DES, RC5, AES CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk Block Ciphers 1 ... Block Ciphers & S-P Networks Block Ciphers: Substitution ciphers
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More informationOptimized AES Algorithm Using FeedBack Architecture Chintan Raval 1, Maitrey Patel 2, Bhargav Tarpara 3 1, 2,
Optimized AES Algorithm Using FeedBack Architecture Chintan Raval 1, Maitrey Patel 2, Bhargav Tarpara 3 1, 2, Pursuing M.Tech., VLSI, U.V.Patel college of Engineering and Technology, Kherva, Mehsana, India
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationAES Cryptosystem Acceleration Using Graphics Processing Units. Ethan Willoner Supervisors: Dr. Ramon Lawrence, Scott Fazackerley
AES Cryptosystem Acceleration Using Graphics Processing Units Ethan Willoner Supervisors: Dr. Ramon Lawrence, Scott Fazackerley Overview Introduction Compute Unified Device Architecture (CUDA) Advanced
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationA j-lanes tree hashing mode and j-lanes SHA-256
A j-lanes tree hashing mode and j-lanes SHA-5 Shay Gueron 1, 1 Department of Mathematics, University of Haifa, Israel Intel Corporation, Israel Development Center, Haifa, Israel August 1, Abstract. j-lanes
More information2 Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis
2 Gbit/s Hardware Realizations of RIJNDAEL and SERPENT: A Comparative Analysis Adrian K. Lutz 1, Jürg Treichler 2, Frank K. Gürkaynak 3, Hubert Kaeslin 4, Gérard Basler 2, Andres Erni 1, Stefan Reichmuth
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationApache Commons Crypto: Another wheel of Apache Commons. Dapeng Sun/ Xianda Ke
Apache Commons Crypto: Another wheel of Apache Commons Dapeng Sun/ Xianda Ke About us Dapeng Sun @Intel Apache Commons Committer Apache Sentry PMC Xianda Ke @Intel Apache Commons Crypto Apache Pig(Pig
More informationThe Grindahl hash functions
The Grindahl hash functions Søren S. Thomsen joint work with Lars R. Knudsen Christian Rechberger Fast Software Encryption March 26 28, 2007 Luxembourg 1/ 17 1 Introduction 2 Grindahl 3 Design considerations
More informationGoals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010
Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution
More informationSymmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.
Symmetric Key Encryption Symmetric Key Encryption and 3- Tom Chothia Computer Security: Lecture 2 Padding Block cipher modes Advanced Encryption Standard ( AES ) AES is a state-of-the-art block cipher.
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More informationImplementation of Full -Parallelism AES Encryption and Decryption
Implementation of Full -Parallelism AES Encryption and Decryption M.Anto Merline M.E-Commuication Systems, ECE Department K.Ramakrishnan College of Engineering-Samayapuram, Trichy. Abstract-Advanced Encryption
More informationLecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram
Lecture 2B RTL Design Methodology Transition from Pseudocode & Interface to a Corresponding Block Diagram Structure of a Typical Digital Data Inputs Datapath (Execution Unit) Data Outputs System Control
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5 January 23, 2012 CPSC 467b, Lecture 5 1/35 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationASIC Performance Comparison for the ISO Standard Block Ciphers
ASIC Performance Comparison for the ISO Standard Block Ciphers Takeshi Sugawara 1, Naofumi Homma 1, Takafumi Aoki 1, and Akashi Satoh 2 1 Graduate School of Information Sciences, Tohoku University Aoba
More informationHigh Aberrance AES System Using a Reconstructable Function Core Generator
High Aberrance AES System Using a Reconstructable Function Core Generator Third Prize High Aberrance AES System Using a Reconstructable Function Core Generator Institution: Participants: Instructor: I-Shou
More informationCountermeasures against EM Analysis
Countermeasures against EM Analysis Paolo Maistri 1, SebastienTiran 2, Amine Dehbaoui 3, Philippe Maurine 2, Jean-Max Dutertre 4 (1) (2) (3) (4) Context Side channel analysis is a major threat against
More informationDesign of block ciphers
Design of block ciphers Joan Daemen STMicroelectronics and Radboud University University of Zagreb Zagreb, Croatia, March 23, 2016 1 / 49 Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64
More informationDesign and Implementation of Rijndael Encryption Algorithm Based on FPGA
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 9, September 2013,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5a January 29, 2013 CPSC 467b, Lecture 5a 1/37 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationIntroduction to Cryptology. Lecture 17
Introduction to Cryptology Lecture 17 Announcements HW7 due Thursday 4/7 Looking ahead: Practical constructions of CRHF Start Number Theory background Agenda Last time SPN (6.2) This time Feistel Networks
More informationHardware Implementation of Cryptosystem by AES Algorithm Using FPGA
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology ISSN 2320 088X IMPACT FACTOR: 6.017 IJCSMC,
More informationMasking as a Side-Channel Countermeasure in Hardware
Masking as a Side-Channel Countermeasure in Hardware 6. September 2016 Ruhr-Universität Bochum 1 Agenda Physical Attacks and Side Channel Analysis Attacks Measurement setup Power Analysis Attacks Countermeasures
More information128 Bit ECB-AES Crypto Core Design using Rijndeal Algorithm for Secure Communication
IJSRD - International Journal for Scientific Research & Development Vol. 2, Issue 03, 2014 ISSN (online): 2321-0613 128 Bit ECB-AES Crypto Core Design using Rijndeal Algorithm for Secure Communication
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationArea Optimization in Masked Advanced Encryption Standard
IOSR Journal of Engineering (IOSRJEN) ISSN (e): 2250-3021, ISSN (p): 2278-8719 Vol. 04, Issue 06 (June. 2014), V1 PP 25-29 www.iosrjen.org Area Optimization in Masked Advanced Encryption Standard R.Vijayabhasker,
More informationBlock Ciphers: Fast Implementations on x86-64 Architecture
Block Ciphers: Fast Implementations on x86-64 Architecture University of Oulu Department of Information Processing Science Master s Thesis Jussi Kivilinna May 20, 2013 Abstract Encryption is being used
More informationSymmetric Key Cryptography
Symmetric Key Cryptography Michael Huth M.Huth@doc.ic.ac.uk www.doc.ic.ac.uk/~mrh/430/ Symmetric Key Cryptography (3.1) Introduction Also known as SECRET KEY, SINGLE KEY, PRIVATE KEY Sender and Receiver
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationYarn password hashing function
Yarn password hashing function Evgeny Kapun abacabadabacaba@gmail.com 1 Introduction I propose a password hashing function Yarn. This is a memory-hard function, however, a prime objective of this function
More informationFPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM
FPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM P. Aatheeswaran 1, Dr.R.Suresh Babu 2 PG Scholar, Department of ECE, Jaya Engineering College, Chennai, Tamilnadu, India 1 Associate
More informationDesign and Implementation of Rijindael s Encryption and Decryption Algorithm using NIOS- II Processor
Design and Implementation of Rijindael s Encryption and Decryption Algorithm using NIOS- II Processor Monika U. Jaiswal 1, Nilesh A. Mohota 2 1 Student, Electronics Department, JDCOEM, Nagpur, India 2
More informationThe Use of Finite Field GF(256) in the Performance Primitives Intel IPP
The Use of Finite Field GF() in the Performance Primitives Intel IPP Software & Service Group/ VCSD/CIP/IPP Sergey Kirillov Oct, 00 Agenda Short IPP review GF() operations being in focus Methods for implementation
More informationA New hybrid method in watermarking using DCT and AES
International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 10, Issue 11 (November 2014), PP.64-69 A New hybrid method in watermarking using
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationFully Pipelined High Throughput Cost Effective FPGA Based Implementation of AES Algorithm
Fully Pipelined High Throughput Cost Effective FPGA Based Implementation of AES Algorithm Athira Das A J 1, Ajith Kumar B P 2 1 Student, Dept. of Electronics and Communication, Karavali Institute of Technology,
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationLightweight Block Cipher Design
Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014 Outline 1 Motivation 2 Industry 3 Academia 4 A Critical View 5 Lightweight: 2nd Generation 6 Wrap-Up Outline
More informationLightweight Block Cipher Design
Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Sardinia 2015 Outline 1 Motivation 2 Industry 3 Academia 4 Lightweight: 2nd Generation 5 NIST Initiative Outline 1 Motivation
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationThe SKINNY Family of Lightweight Tweakable Block Ciphers
The SKINNY Family of Lightweight Tweakable Block Ciphers Jérémy Jean joint work with: Christof Beierle Stefan Kölbl Gregor Leander Amir Moradi Thomas Peyrin Yu Sasaki Pascal Sasdrich Siang Meng Sim CRYPTO
More informationSide-Channel Protections for Cryptographic Instruction Set Extensions
Side-Channel Protections for Cryptographic Instruction Set Extensions Sami Saab, Pankaj Rohatgi, and Craig Hampel Rambus Cryptography Research Division 425 Market St Fl 11 San Francisco CA 94105 2496 {firstname}.{lastname}@cryptography.com
More informationA Structure-Independent Approach for Fault Detection Hardware Implementations of the Advanced Encryption Standard
A Structure-Independent Approach for Fault Detection Hardware Implementations of the Advanced Encryption Standard Presented by: Mehran Mozaffari Kermani Department of Electrical and Computer Engineering
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationLow area implementation of AES ECB on FPGA
Total AddRoundkey_3 MixCollumns AddRoundkey_ ShiftRows SubBytes 1 Low area implementation of AES ECB on FPGA Abstract This project aimed to create a low area implementation of the Rajindael cipher (AES)
More informationMitigating Exploits, Rootkits and Advanced Persistent Threats
Mitigating Exploits, Rootkits and Advanced Persistent Threats David Durham, Senior Principal Engineer Intel Corporation Hot Chips Tutorial 1 Hot Chips 2014 Tutorial Agenda Problem Better Protection Solid
More informationEfficient Area and High Speed Advanced Encryption Standard Algorithm
International Journal of Emerging Engineering Research and Technology Volume 3, Issue 7, July 2015, PP 140-146 ISSN 2349-4395 (Print) & ISSN 2349-4409 (Online) Efficient Area and High Speed Advanced Encryption
More informationAdvanced Encryption Standard and Modes of Operation
Advanced Encryption Standard and Mode of Operation G. Bertoni L. Breveglieri Foundation of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) i a ymmetric cryptographic algorithm AES
More informationVLSI Implementation of Advanced Encryption Standard using Rijndael Algorithm
VLSI Implementation of Advanced Encryption Standard using Rijndael Algorithm Aditya Agarwal Assistant Professor, Electronics and Communication Engineering SRM University, NCR Campus, Ghaziabad, India ABSTRACT
More informationDigital Logic Design using Verilog and FPGA devices Part 2. An Introductory Lecture Series By Chirag Sangani
Digital Logic Design using Verilog and FPGA devices Part 2 An Introductory Lecture Series By A Small Recap Verilog allows us to design circuits, FPGAs allow us to test these circuits in real-time. The
More informationRecent Topics on Symmetric Ciphers - Security and implementation of S-box - October Mitsuru Matsui Mitsubishi Electric Corporation
Recent Topics on Symmetric Ciphers - Security and implementation of S-box - October 5 2006 Mitsuru Matsui Mitsubishi Electric Corporation Overview Trends of Block/Hash Primitives and Intel Processors Security
More informationImplementation and Performance analysis of Skipjack & Rijndael Algorithms
Implementation and Performance analysis of Skipjack & Rijndael Algorithms By Viswanadham Sanku 1 Topics Skipjack cipher operations Design principles & cryptanalysis Implementation & optimization Results
More informationComparison of Performance of AES Standards Based Upon Encryption /Decryption Time and Throughput
Comparison of Performance of AES Standards Based Upon Encryption /Decryption Time and Throughput Miss Navraj Khatri Mr Jagtar Singh Mr Rajeev dhanda NCCE,Israna,K.U Senior lecturer,ncce,israna,k.u Assistant
More informationEngineering Aspects of Hash Functions
Engineering Aspects of Hash Functions Saif Al-Kuwari Department of Computer Science University of Bath, Bath, BA2 7AY, UK Abstract Hash functions have numerous applications in cryptography, from public
More informationA Novel Approach of Area Optimized and pipelined FPGA Implementation of AES Encryption and Decryption
International Journal of Scientific and Research Publications, Volume 3, Issue 9, September 2013 1 A Novel Approach of Area Optimized and pipelined FPGA Implementation of AES Encryption and Decryption
More informationUNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan
UNIT - II Traditional Symmetric-Key Ciphers 1 Objectives To define the terms and the concepts of symmetric key ciphers To emphasize the two categories of traditional ciphers: substitution and transposition
More informationAccelerating AES with Vector Permute Instructions
Accelerating AES with Vector Permute Instructions Mike Hamburg Computer Science Dept., Stanford University mhamburg@cs.stanford.edu Abstract. We demonstrate new techniques to speed up the Rijndael (AES)
More informationSecurity against Timing Analysis Attack
International Journal of Electrical and Computer Engineering (IJECE) Vol. 5, No. 4, August 2015, pp. 759~764 ISSN: 2088-8708 759 Security against Timing Analysis Attack Deevi Radha Rani 1, S. Venkateswarlu
More informationSpeeding Up AES By Extending a 32 bit Processor Instruction Set
Speeding Up AES By Extending a bit Processor Instruction Set Guido Marco Bertoni ST Microelectronics Agrate Briaznza, Italy bertoni@st.com Luca Breveglieri Politecnico di Milano Milano, Italy breveglieri@elet.polimi.it
More informationPARALLEL ANALYSIS OF THE RIJNDAEL BLOCK CIPHER
PARALLEL ANALYSIS OF THE RIJNDAEL BLOCK CIPHER Philip Brisk, Adam Kaplan, Majid Sarrafzadeh Computer Science Department, University of California Los Angeles 3532C Boelter Hall, Los Angeles, CA 90095-1596
More informationA High-Speed Unified Hardware Architecture for AES and the SHA-3 Candidate Grøstl
A High-Speed Unified Hardware Architecture for AES and the SHA-3 Candidate Grøstl Marcin Rogawski Kris Gaj Cryptographic Engineering Research Group (CERG) http://cryptography.gmu.edu Department of ECE,
More information