The Intel AES-NI and the SHA-3 Candidates

Transcription

1 The Intel AES-NI and the SHA-3 Candidates << S( ) MC( ) +.. Ryad Benadjila + Olivier Billet + Shay Gueron Matt Robshaw + University of Haifa and Intel Corp. + Orange Labs

2 Introduction Context: Software performance on existing and future CPUs is important for the SHA-3 competition Intel (and AMD) plan to introduce a new set of instructions performing AES in hardware AES inspired candidates may (or may not) benefit from these Purpose of the study: Find a methodology to simulate AES instructions performance on current CPUs only by using publicly available information Check the resulting speed up for SHA-3 candidates Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 2/27

3 AES-NI instructions set

4 AES-NI: Intel s new instructions AES-NI stands for AES New Instructions Will be implemented in the forthcoming Westmere CPUs ( 32 nm CPUs) to appear in 2010 Minor microarchitecture evolutions from Nehalem current Core TM i7 and Core TM i5 to Westmere AES-NI = 6 new instructions as an extension of Nehalem s SSE4.2: 128 bit xmm registers are used ( 16 in 64 -bit mode) 4 instructions for the AES round encryption and decryption aesenc, aesdec, aesenclast, aesdeclast 2 instructions for the key schedule aeskeygenassist, aesimc Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 3/27

5 AES-NI: the detail 128 xmm0 0 x 14 x 13 x 15 x 8 x 12 x 11 x 10 x 9 x 7 x 6 x 5 x 4 x 3 x 2 x 1 x 0 Encryption example: xmm0 = input and output state xmm1 or memory = round key k 14 k 13 k 15 k 8 x 0 x 1 x 6 x 2 x 4 k 12 xmm0 x 8 k 11 x 12 x 5 x 9 x 10 x 14 x 13 k 10 xmm1 or [mem128] k 9 k 7 k 6 k 5 k 4 aesenc xmm0, xmm1/[mem128] SubBytes S(.) x 0 x 1 x 6 x 2 x 4 k 3 k 2 k 1 k 0 x 8 x 12 x 5 x 9 x 10 x 14 x 13 0 aesenc xmm0, xmm1/[mem128] Tmp Tmp xmm0 SubBytes (Tmp) Tmp ShiftRows (Tmp) Tmp MixColumns(Tmp) xmm0 (Tmp xmm1/[mem128]) x 3 x 7 x 11 x 15 x 0 x 4 x 8 x 12 x 13 x 1 x 6 x 5 x 9 x 10 x 14 x 2 x 3 x 7 x 11 x MixColumns MC(.) x 3 x 0 x 10 x 15 x 7 - < << <<< x 4 x 11 ShiftRows x 5 x 9 x 14 x 2 x 3 x 8 x 7 x 15 x 12 x 13 x 6 x 1 x 11 AddRoundKey + 0 xmm1 /[mem128] k 0 k 4 k 8 k 12 k 13 k 1 k 6 k 5 k 9 k 10 k 14 k 2 k 3 k 7 k 11 k Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 4/27

6 AES-NI: the detail AES-NI uses the equivalent inverse cipher for decryption: aesdec xmm0, xmm1/[mem128] Tmp xmm0 Tmp InvShiftRows (Tmp) Tmp InvSubBytes (Tmp) Tmp InvMixColumns(Tmp) xmm0 (Tmp xmm1/[mem128]) aesdeclast xmm0, xmm1/[mem128] Tmp xmm0 Tmp InvShiftRows (Tmp) Tmp InvSubBytes (Tmp) xmm0 (Tmp xmm1/[mem128]) aesenclast xmm0, xmm1/[mem128] Tmp xmm0 Tmp ShiftRows (Tmp) Tmp SubBytes (Tmp) xmm0 (Tmp xmm1/[mem128]) aesimc xmm0, xmm1/[mem128] xmm0 InvMixColumns(xmm1/[mem128]) Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 5/27

7 AES-NI: beyond basic instructions ShiftRows and InvShiftRows performed with a non AES-NI operation pshufb xmm0, xmm1/[mem128] shuffles the bytes of xmm0 Then, isolate all the missing AES round primitives: SubBytes = pshufb aesenclast MixColumns = aesdeclast aesenc Rijndael round on a 256 -bit state : (pblendw+pshufb) Adapt close MDS operations: ( ) ( ) 2 1 x0 1 2 x 1 = ( y0 y 1 ) y 0 y 1 = x 0 0 x 1 0 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 6/27

8 AES based SHA-3 candidates

9 SHA-3 candidates and AES-NI AES inspired candidates that are likely to benefit from AES-NI: Those that use the AES round function transparently Those that use at least one of the key components of the AES round: the AES SBox and/or the AES MDS matrix (or their inverse) But: too distant designs end up losing performance table lookups become more efficient than AES-NI AES-NI might help preventing side channel attacks in this case though Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 7/27

10 SHA-3 candidates and AES-NI AES inspired SHA-3 candidates and AES-NI: Candidate AES-NI OK? Why? ECHO 224/256 AES round based 384/512 AES round based LANE 224/256 AES round based 384/512 AES round based SHAvite-3 224/256 AES round based 384/512 AES round based Fugue 224/256 Non AES MDS matrix 384/512 Non AES MDS matrix Groestl 224/256 Non AES MDS matrix 384/512 Non AES MDS matrix Twister 224/256 Non AES MDS matrix 384/512 Non AES MDS matrix Candidate AES-NI OK? Why? Vortex 224/256 AES round based 384/512 Rijndael 256 based Lesamnta 224/256 MDS adapted to fit AES 384/512 Non AES MDS in key schedule Cheetah 224/256 Small use of AES elements 384/512 Non AES MDS matrix LUX 224/256 Rijndael 256 based 384/512 Non AES MDS matrix ARIRANG 224/256 Minor use of AES elements 384/512 Non AES MDS matrix AES-NI transparently used AES-NI not much used/can be used with adjustments AES-NI can t be used (or with significant performance loss) Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 8/27

11 Uncovering AES-NI

12 Uncovering: purpose and methodology Purpose: Find how the aesenc family of instructions works from the microarchitectural perspective Use this information to find a suitable replacement pattern with instructions that would work on available Nehalem Core TM i7 Methodology: Use only publicly available tools and documents, namely: The Intel AES-NI White Paper The Intel Core TM microarchitecture documentation IACA (Intel Architecture Code Analyzer): a static code analysis tool with hardcoded microarchitectural information Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 9/27

13 Uncovering: purpose and methodology The IACA tool gives the following analysis for aesenc and aesdec: Total Latency: 6 Cycles; Total number of Uops bound to ports: 3 Num of Ports pressure in cycles Uops 0 - DV D 3 - D CP aesenc xmm1, xmm0 Total Latency: 6 Cycles; Total number of Uops bound to ports: 3 Num of Ports pressure in cycles Uops 0 - DV D 3 - D CP aesdec xmm1, xmm0 The latency of 6 cycles is in line with the information given in the AES-NI White paper The aesenc and aesdec symmetry is explained by the equivalent inverse cipher Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 10/27

14 Uncovering: the µop scheme puzzle Latency information insufficient to find a good replacement for AES-NI It is too coarse: we need to analyze AES-NI deeper get the exact type and scheduling of the 3 µop Let s summarize what we have so far: 3 µop : two on Port0 and one on Port5 Each µop can have any latency 6 No obvious scheduling rule Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 11/27

15 Uncovering: the µop scheme puzzle Latency information insufficient to find a good replacement for AES-NI It is too coarse: we need to analyze AES-NI deeper get the exact type and scheduling of the 3 µop Let s summarize what we have so far: 3 µop : two on Port0 and one on Port5 Each µop can have any latency 6 No obvious scheduling rule huge number of possible patterns! Port 0 Port # Cycles Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 12/27

16 Uncovering: the µop scheme puzzle Fortunately, we can find and use additional information: The Intel Core TM microarchitecture documentation states that: All µop on Port0 (resp. on Port5) have a latency of 1, 4 or 5 cycles (resp. 1 cycle) Port0 and Port5 have a latency of 1 cycle two parallel and independent µop scheduled on the same port can t start at the same cycle The AES-NI White paper tells that aesenc and aesdec are highly parallelizable when there is no critical path discards sequential µop on Port0, also means a latency of 4 or 5 for at least one Port5 used among other ports for SSE xor operations, and they run in a 1 cycle latency AddRoundKey operation of both aesenc and aesdec, should run in the last cycle Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 13/27

17 Uncovering: the µop scheme puzzle 3 possible µop decompositions of aesenc: # Cycles 4 5 # Cycles 4 5 # Cycles Port 0 Port 5 Let s find out the correct one Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 14/27

18 AddRoundKey AddRoundKey Introduction AES-NI SHA-3 Uncovering AES-NI Results AddRoundKey Uncovering: the µop scheme puzzle 3 possible µop decompositions of aesenc: SubBytes 1 MixColumns 2 SubBytes 1 MixColumns 2 SubBytes 1 MixColumns # Cycles 4 5 # Cycles 4 5 # Cycles Remember: we have to sequentially perform both SubBytes and MixColumns on Port0 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 15/27

19 Uncovering: the µop scheme puzzle 3 possible µop decompositions of aesenc: x 14 x 13 x 12 x 11 x 10 x 9 x 15 x 8 xmm x 7 x 6 x 5 x 4 x 3 x 2 x 1 x Implicit ShiftRows x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 14 x 2 x 13 x # Cycles 4 5 # Cycles 4 5 # Cycles µop 1 x 10 x 15 x 3 x 7 x 11 µop Remember: we have to sequentially perform both SubBytes and MixColumns on Port0 The most natural way: split { SubBytes+MixColumns } in two independent µop and parallely work on the two halves of the AES state Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 16/27

20 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k The IACA tool analysis: Total Latency: 6 Cycles; Total number of Uops bound to ports: 4 Num of Ports pressure in cycles Uops 0 - DV D 3 - D X 1 X CP movdqu xmm2, xmm0 mulps xmm0, xmm1 1 CP mulps xmm2, xmm1 1 1 CP xorps xmm0, xmm2 Total Latency: 6 Cycles; Total number of Uops bound to ports: 3 Num of Ports pressure in cycles Uops 0 - DV D 3 - D CP aesenc xmm1, xmm0 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 17/27

21 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k The first instruction movdqu acts like a fence dependency on xmm k and the xorps µop prevents reordering of the two mulps µop Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 18/27

22 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k The first instruction movdqu acts like a fence dependency on xmm k prevents reordering of the two mulps µop and the xorps µop dependency on xmm i prevents reordering of the pattern with other instructions µop 4 µop instead of 3 not a problem, movdqu can be scheduled on Ports 0,1,5 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 19/27

23 Finding the replacement The proposed replacement pattern: aes enc dec enclast declast xmm i, xmm j aes enc dec enclast declast xmm i, [mem128] movdqu xmm k, xmm i movdqu xmm k, xmm i mulps xmm i, xmm j mulps xmm i, [mem128] mulps xmm k, xmm j mulps xmm k, xmm j xorps xmm i, xmm k xorps xmm i, xmm k But... junk registers must be used to avoid a critical path take care of data dependency surrounding the replacement Length of the pattern and prefetch pipeline not an issue Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 20/27

24 Implementations, measurements and results

25 The big picture The Methodology: 2 versions of the code: AES-NI Replacement Optimized assembly implementations LANE* LUX224/256 ECHO* Vortex* Cheetah224/256 SHAvite-3* ARIRANG224/256 Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 21/27

26 The big picture The Methodology: 2 versions of the code: AES-NI Replacement Intel SDE emulator for correctness Optimized assembly implementations LANE* LUX224/256 ECHO* Vortex* Cheetah224/256 SHAvite-3* ARIRANG224/256 Compile Westmere Toggle use aesenc/aesdec Checking Correctness Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 22/27

27 The big picture The Methodology: 2 versions of the code: AES-NI Replacement Intel SDE emulator for correctness Measure performance on Nehalem with the replacement code Optimized assembly implementations LANE* LUX224/256 ECHO* Vortex* Cheetah224/256 SHAvite-3* ARIRANG224/256 Compile Nehalem Toggle aesenc/aesdec replacement( ) Timing Measurements Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 23/27

28 Implementation and measurements Implementation: AES-NI instructions take full advantage of parallelism maximize parallelism by removing critical paths Same level of optimization applied to all the candidates as fair as possible Measurements: ad hoc measurements with the rdtsc timers on the same Core TM i7 machine running amd64 OS noise removed: high priority scheduling, averaging... for stable measurements Some CPU options (Hyperthreading, Turbo Boost) turned off Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 24/27

29 The results AES-NI versus previous performance results: Performance (c/b) Version AES-NI Previous Vortex 224/ / SHAvite-3 224/ / ECHO 224/ / LANE 224/ / Performance (c/b) Version AES-NI Previous Lesamnta 224/ / LUX 224/ / Cheetah 224/ / ARIRANG 224/ / Performance (c/b) Version AES-NI Previous Fugue 224/ / Groestl 224/ / Twister 224/ / Reference figures on the platform: c/b c/b Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 25/27

30 The results Some details: Version AES-NI #AES/Byte SP DP + Vortex 224/ / SHAvite-3 224/ / ECHO-SP 224/ / ECHO 224/ / LANE 224/ / *Single-Pipe designs + Double-Pipe designs Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 26/27

31 Conclusion Significant improvements for some algorithms mainly those that use the full AES round and that benefit from instruction parallelism This work focused on the performance side of AES-NI but side channel attacks resistance is also an important feature More details on implementation tricks for each candidate are in the paper AES-NI/Replacement source codes are available : improvements and comments are welcome! Results on 32 bit CPUs (only 8 xmm registers) would be an interesting extension of this work Next step: test the ready-to-run implementations on Westmere! Asiacrypt 2009 The Intel AES-NI and the SHA-3 Candidates 27/27

32 Thank you for your attention