Master of Science Program in Computer Engineering

Transcription

1 Cybersecurity for IoT Secure Hardware Department of Electrical, Computer and Biomedical Engineering of University of Pavia Master of Science Program in Computer Engineering Instructor: Paris Kitsos Pavia

2 Part 1 Pipelining and Retiming 2

3 Delay of a Design Delay = latency x clock period 3

4 Minimum Clock Period 4

5 Minimum Clock Period This is the time need for the output of a flip-flop to switch to a new value after a clock edge has occured 5

6 Minimum Clock Period This is the time need for the logic to calculate a new output. Depends on the gates and wires 6

7 Minimum Clock Period This is the time need for the flipflop to capture stable input data at the next clock edge. The next clock edge cannot come earlier then the dashed line 7

8 Minimum Clock Period In this case, the timing of the system is OK, since the actual Tclk > Tclk,min 8

9 Minimum Clock Period The margin between the actual clock period and the minimal clock period is called slack. Tslack = Tclk - Tclk,min 9

10 Minimum Clock Period If the slack is negative, the system has a timing violation. This system will not perform as expected, since its clock frequency is too high. 10

11 Minimum Clock Period Once the technology is chosen, Tclk->Q and Tsetup are fixed. An example from the Xilinx device datasheet is shown on the right. 11

12 Minimum Clock Period However, even after the technology is chosen, the designer can still influence Tlogic and Trouting by making modifications to the HDL code. Thus, if we want to decrease the minimum clock period, we need to consider these terms. 12

13 Minimization of Delay Delay = latency (clock cycles) x clock period Parallel Computations Reduce the # cycles required Pipelining and Retiming Reduce the clock period 13

14 Pipelining and Retiming A pipeline register can cut a piece of combinational logic in smaller pieces. This reduces the Tclk,min for the entire design 14

15 Retiming Sometimes, the partitioning is not nicely 50/50. In that case the benefit of pipeline registers to reduce Tclk,min is small, since the design has to be operated at the speed of the slowest stage To maximize the benefit of the (pipeline) registers, they should be balanced so that each stage of combinational logic takes the same amount of logic delay 15

16 Pipelining vs Retiming Pipelining is done by the designer, typically by rewriting HDL Retiming is done by the tools, during logic Synthesis Of course, the designer can also rewrite the HDL 16

17 Pipelining Cut a long combinational path in half by inserting a register Increases the latency cycle count of the design to get form the input to the output, you will need an extra clock cycle Inserted Register 17

18 Rules for Consistent Pipelining... Assume a network of modules (combinational or sequential ) as follows. We will demonstrate how to move pipeline registers around while avoiding inconsistent pipelining 18

19 Rules for Consistent Pipelining... You can add a register in front. It increases the latency of the network with one cycle, but the network will have the same functionality 19

20 Rules for Consistent Pipelining... You can absorb a register at a single input if you recreate it at ALL the outputs of the module. This transformation will not change the latency nor the functionality of the network. 20

21 Rules for Consistent Pipelining... Move it over another module absorb register at the module inputs, recreate it to the module outputs 21

22 Rules for Consistent Pipelining... Move it over the last module absorb register at the module inputs, recreate it at the module output 22

23 Rules for Consistent Pipelining... All of these have the same behavior 23

24 Rules for Consistent Pipelining... We can add multiple registers at the front... 24

25 Rules for Consistent Pipelining... and redistribute them using consistent pipelining 25

26 Rules for Consistent Pipelining... Or 26

27 Rules for Consistent Pipelining... Tclk,min = 90ns Latency = 1 cycle Throughput = 1 / cycle Tclk,min = 30ns Latency = 3 cycles Throughput = 1 / cycle 27

28 Rules for Consistent Pipelining... Following these rules, you'll find that you cannot pipeline loops (i.e. increase the number of registers in a feedback path) There is a single register in this path 28

29 Rules for Consistent Pipelining... To pipeline, add a register at the front 29

30 Rules for Consistent Pipelining... To move the pipeline register to the module output, ALL the inputs need to absorb a register 30

31 Rules for Consistent Pipelining... In the resulting network, there is still only one register in the loop 31

32 Part 2 Hardware architectures (Block ciphers and Hash Function) 32

33 Basic Architectures There are four types of architectures about bloc ciphers Iterative architecture Use only one round Partial loop unrolling Use more rounds Loop unrolling Use all rounds (Outer-round pipelining) Use inner- and outer-round pipelining 33

34 Iterative architecture 34

35 Partial loop unrolling 35

36 Loop unrolling 36

37 Inner- and outer-round pipelining Total # of pipeline stages = #rounds K (K=1) 37

38 Inner- and outer-round pipelining Total # of pipeline stages = #rounds K 38

39 Partial loop unrolling example: DES register 39 39

40 DES register 40 40

41 DES register 41 41

42 DES register 42 42

43 Triple-DES Plaintext 64 K1 64 DES Encryption Key K2 64 DES Decryption Key Sceduling Ki IP 16 Rounds K3 64 Ciphertext DES Encryption 64 IP -1 43

44 Triple-DES: Iterative architecture 64 Plaintext 64 Key IP PC1 MUX MUX Register Basic Round Ki PC2 Basic Key Round IP -1 Round Key 64 Ciphertext 44

45 Triple-DES: Partial loop unrolling 64 Plaintext 64 Key IP PC 1 MUX Round 1 K1 PC2 Key round1 Register Round 2 K2 PC2 Key round2 Round 16 K16 PC2 Key round16 64 IP Ciphertext 45

46 Triple-DES: Loop unrolling 64 Plaintext 64 Key IP PC 1 Round 1 K1 PC2 Key round1 Round 2 K2 PC2 Key round2 Register Round 47 K47 PC2 Key round47 Round 48 K48 PC2 Key round48 64 IP Ciphertext 46

47 KASUMI Block Cipher Application KASUMI block cipher is used: In new GSM encryption algorithm A5/3 In 3G and 4G, f8 and f9 algorithms In Transport Layer Securities (TLS) 47 47

48 KASUMI Block Cipher Is the 64-bit block cipher Is a Feistel block cipher with 8 rounds The odd rounds have different structure than even rounds Uses 64-bit plaintext/ciphertext and 128-bit key 48 48

49 KASUMI Block Cipher 64 Απλό Κείμενο 32 L 0 R 0 KL 1 KO 1,KI Είσοδος L 0 R 0 16 Είσοδος L 0 R 0 FL1 FO KO i,1 FO2 KO 2,KI 2 FL2 KL 2 KIi,1 FI i,1 FI i,2 KOi,2 KI i,2 S9 ZE S7 KI i,j,1 16 L Είσοδος 0 R 0 KL i,1 AND <<<1 KL 3 KO 3,KI 3 TR KL i,2 FL3 FO3 KI i,j,2 <<<1 OR KO i,3 S9 S7 L' 16 R' FI i,3 KI i,3 ZE KO 8,KI 8 KL 8 TR FO8 FL L 8 R 8 Κρυπτοκείμενο L 32 3 R 3 Έξοδος L 32 4 R 4 Έξοδος 49 49

50 KASUMI Key Scheduling 128 K K1 K2 K3 K4 K5 K6 K7 K <<<1 <<<1 <<<1 <<<1 <<<1 <<<1 <<<1 <<<1 <<<4 <<<4 <<<4 <<<4 <<<4 <<<4 <<<4 <<<4 <<<3 <<<3 <<<3 <<<3 <<<3 <<<3 <<<3 <<<3 <<<5 <<<5 <<<5 <<<5 <<<5 <<<5 <<<5 <<<5 C1 C2 C3 C4 C5 C6 C7 C

51 KASUMI: Partial loop unrolling 64 Plaintext REGISTER 64 MUX RKi 128 ORC REGISTER RKi+1 ERC REGISTER 64 Ciphertext 51

52 KASUMI: Loop unrolling 64 Plaintext RK ORC Register RK ERC Register RK ORC Register RK ERC Register 64 Ciphertext 52

53 Round Implementation KLi 32 Pipeline register KOi KIi R i Pipeline register 32 L0 R KOi,1 ORC FLi FOi KIi,1 FIi,1 Pipeline register Pipeline register KOi,2 KIi,2 FIi,1 Pipeline register KOi+1 KIi KLi+1 32 Pipeline register Pipeline register ERC FOi FLi KOi,3 KIi,3 Pipeline register FIi, L3 32 R

54 Whirlpool Hash Function Endorsed by European NESSIE project Uses modified AES internals as compression function Addressing concerns on use of block ciphers seen previously 54

55 Whirlpool Overview 55

56 Whirlpool Block Cipher W Designed specifically for hash function use With security and efficiency of AES But with 512-bit block size and hence hash Similar structure & functions as AES but input is mapped row wise has 10 rounds uses different S-box design & values 56

57 Whirlpool Block Cipher W 57

58 Whirlpool Architecture Message n 256 Padder m i H 512 t-1 W W out H t 512 The Padder pads the input data and converts them to (n+256)-bit padded message An interface with 256- bit input for Message is considered The n, specifies the total length of the message 58 58

59 Whirlpool Architecture Input Data E E γ S S S R 512 π (Cyclically Shiftings) E E a i0 xor a i1 xor a i3 xor a i5 xor a i7 a i2 a i3 xor a i6 a i1 xor a i4 θ Round Key 512 σ[k] X X 2 X Output Data b i

60 Whirlpool Architecture feedback data σ[k] temp 512 Mux Input Register γ π θ Output Register 512 Input data feedback data Key Input Register σ[k] Κ r 1<=r<= Mux γ π θ Key ROM (cr ) This implementation has two similar parallel datapaths, the data randomizing and the key schedule The input block mi is set to the Input data simultaneously with the initial vector (IV) to the Key In a clock cycle, one execution round is executed and, simultaneously, the appropriate round key is calculated. Latency = 10 clock cycles W out H i

61 Questions?? 61