Compact implementations of Grøstl, JH and Skein for FPGAs

Transcription

1 Compact implementations of Grøstl, JH and Skein for FPGAs Bernhard Jungk Hochschule RheinMain University of Applied Sciences Wiesbaden Rüsselsheim Geisenheim Abstract. This work is motivated by future developments of mass markets, where cryptographic infrastructures will become more and more important. One core component of such an infrastructure is a secure cryptographic hash function, which is used for a lot of applications like challenge-response authentication systems or digital signature schemes. Low budget impelementations of such components are therefore very important. In particular, the National Institute of Standards and Technology (NIST) has started a competition for a new secure hash algorithm (SHA-3). New hash functions should outperform older hash functions and thus we study the performance of some of the candidates. A significant comparison between the submitted candidates is only possible, if third party implementations of all proposed hash functions are provided. Of the submitted candidates, we implemented Grøstl, JH and Skein. Our focus on low budget cryptographic solutions makes it natural to investigate possible optimizations for area efficient implementations, and to neglect pure high-throughput considerations. Our results show, that - while all investigated candidates are quite large compared to a compact AES implementation - it is possible to implement all candidates reasonably small. In our evaluation JH is by far the most compact implementation, whereas Skein is the largest one. Our Grøstl implementation on the other hand is smaller than Skein and much faster than both other candidates and easily beats them in the throughput-area ratio by a factor of four. Key words: Cryptography, Hash Function, SHA-3, Compact Implementation, FPGA 1 Introduction The National Institute of Standards and Technology (NIST) has started a competition for a completely new hash function, very similar to the past AES competition (cf. [12]), to overcome the security problems and speculations about the SHA-1 (cf. [21]) and the SHA-2 family (e.g. [18,9])

2 of hash functions. Similar to the former AES effort, the rules of this competition require third party software and hardware implementations of all proposed candidates to evaluate the overall performance and resource requirements. In the present paper, the focus lies on implementations of the SHA-3 candidates Grøstl (cf. [7]), JH (cf. [22]) and Skein (cf. [6]). The Grøstl hash function borrows many ideas from the Rijndael/AES algorithm (cf. [17]), whereas the other algorithms are brand new. For some applications, FPGA implementations of cryptographic primitives provide better performance at lower cost compared to software implementations or are more flexible as custom ASIC chips. Especially low-end and slow embedded platforms for the mass market demand low cost solutions, therefore one main goal of the present work are compact implementations. Three FPGA-based implementations were developed and evaluated to explore the possible throughput-area trade-off of the different candidates. Most of the applied optimizations are of architectural nature, reducing the number of LUTs by arranging the necessary registers, RAMs and logic or by pipelining. However, the main optimization technique is the reduction of parallelism. To our best knowledge, this work reports the smallest implementations computing 256 bit hash digests, available that include padding. Grøstl needs 470 slices on a Virtex-5, JH needs 205 and Skein 555. The throughput of Grøstl (1132 MBit/s) is much higher than the throughput of Skein (237 MBit/s) and JH (27 MBit/s). Therefore, the throughput-area ratio is clearly dominated by Grøstl. 2 Previous work To our best knowledge no compact FPGA implementations of Grøstl, JH and Skein exist, except the results for Grøstl ([11]). Other teams often investigated either ASIC oder FPGA implementations for high-throughput applications (e.g. [19,20,2,8] and [14]). Nevertheless, some ideas of these papers are applicable to the present work, too. For example, the throughput of the serialized and hence smaller versions of Grøstl can be very similar to a fully parallel design, if the compression function is pipelined. The Grøstl hash function benefits from its similarity to the AES cipher, because some of the optimizations applied to AES (e.g. [4,3,5,16,15]) can be adapted to Grøstl. Good examples are the ideas for a compact AES implementation described in [5]. Especially the iterative design of this

3 implementation can be applied to Grøstl after some modifications. Other examples are AES S-box optimizations (e.g. [3]). For JH and Skein little previous work exists and therefore the work on the present compact implementations has to be investigated basically from scratch. One known actually non-optimization on most FPGA platforms are carry look-ahead adders, because they are actually often slower then the ripple-carry adder designs on FPGAs (cf. [24]). 3 Hardware Interface One important aspect of hardware architectures is the interface. Especially for compact implementations, the interface may have a major impact on the overall area. Thus not all comparisons of hardware implementations are meaningful, if the interface differs. The implemented interface is compliant to the Fast Simplex Link (FSL) specification (cf. [23]). The FSL is a popular method to connect IP cores to microprocessors, e.g. the Xilinx Microblaze softcore processor. The FSL interface is a generic 32 bit wide unidirectional link with an optional FIFO and optional clocks on the master and slave side, which then may be asynchronous. Two synchronous links form the complete bidirectional interface of our Grøstl implementations (see Tab. 1). The incoming link (slave) is utilized to transfer the input to the hash function in the following manner: Each input message block, consisting of 512 bits, is sent through the 32 bit wide interface. The length of the message block is transfered as a 9 bit vector for 256 bit hash digests. Signal Name I/O Description FSL Clk I FSL Clock for synchronous FIFO mode FSL Rst I Peripheral reset FSL M Data O Master input data (32 bits) FSL M Write O Master writes data to the FIFO FSL M Full I Master FIFO is full FSL S Data I Slave output data (32 bits) FSL S Read O Slave reads data from the FIFO FSL S Exists I Data exists in the slave FIFO FSL S Control O Control signal Tab. 1: Relevant parts of the FSL interface without the support for an asynchronous FIFO.

4 If necessary, the message block has to be filled with zeros to be of the correct length. The output is handled analogous using the outgoing link (master) without sending the accompanying length information, because the length is fixed. For the area and speed measurements, the FSL implementation, consisting of two FIFOs, is not included, because the implementation details are configurable and thus they vary, depending on the requirements of the application. 4 Implementations 4.1 Grøstl Most of the area savings can be achieved, when the parallelism is limited, by reducing the data path width. The general idea is to decompose the computation of a complete round into eight smaller parts. Thus only one eighth of the original S-boxes and MixBytes calculations are required for the 256 bit Grøstl variant, at the expense of an eightfold increase of clock cycles necessary for the computation of the complete compression function. The implementation consists of three main details: Usage of distributed RAM. An implicit ShiftBytes transformation. Pipelining of the round transformation. We can use LUTs configured as 16/32 bit deep and 32 bit wide distributed RAM instead of flip-flops, because the complete 512/1024 bit state is never required in one clock cycle. For the Grøstl hash function, two memories are necessary, one for each permutation P and Q. Both RAMs consist of Fig. 1: Compact implementation of Grøstl.

5 Fig. 2: Pipelined Grøstl compression function. eight individual RAMs representing the rows of the state matrix (Fig. 1). The usage of the distributed RAM makes it possible to implement the ShiftBytes sub-transformation implicitly, by calculating appropriate read addresses. The last important part of the optimization is the pipelining of the Grøstl round transformation. In addition to the speed-up, we gain additional area savings. This is only possible, if we add enough pipeline stages, to store the complete internal state in the pipeline, before the first part of the computation is completed. Then, we may read and write to the same addresses in the distributed RAM in each Grøstl round, which otherwise would not be possible and thus would require an additional round counter as offset to the read and write addresses (cf. [10]). The optimization is similar to the one proposed for AES in [5]. The main difference is the removal of the second memory necessary for the proposed AES implementation, which results in a significant additional area reduction for Grøstl due to its large internal state. An additional RAM of the same size is needed for the storage of the intermediate output h of the compression function, which is very similar to the other memories. Pipelining significantly increases the throughput and reduces the area, compared to the earlier implementation (cf. [10]). The most obvious place to introduce a pipeline is the compression function (Fig. 2). The best number of additional pipeline steps is 8 for the 256 bit implementation (16 for the larger variant). This choice follows from the decomposition of the complete Grøstl state in eight sub-states and the interleaving of the P and Q instances. The optimization of the S-box is based on finite field arithmetic, which is used to calculate each value on-the-fly instead of the usage of a lookup

6 table. The basic idea is a change of the representation of each finite field element to a computationally more efficient one (cf. [3]). This change works, because all finite fields with the same cardinality are isomorphic (cf. [13], Theorem 2.5). The performance of this architecture is quite good, because only 160 clock cycles are needed for a complete computation of the compression function (8 clock cycles per round for P and Q, 10 rounds and thus = 160). 4.2 JH The architecture of JH can be similarly decomposed (Fig. 3), to allow for a very compact implementation. However, since the JH round function is much smaller than the Grøstl implementation, the pipelining to achieve a high clock frequency is not needed. Unfortunately, due to the high number of rounds, the absolute throughput of a JH implementation with an 8 bit wide data bus is quite low. The JH architecture works as follows. The padded message block is copied into the input RAM, which is used for the grouping of bits required by JH. In the first round this input is copied to a temporary RAM, which allows the implementation to load new data, while the compression function is still running. Furthermore the input is injected into the execution of the compression function (XOR) in the first round. Fig. 3: The JH architecture.

7 Fig. 4: The compact core of the JH implementation. The core of the compression function transforms one constant and four bytes of the state ram alternately, such that the constants needed by the S-boxes are input to the core and stored by it right before they are used. The output of the JH core is written to either the constants RAM, the state RAM, or the output RAM. The output RAM takes care of the degrouping. The core itself (Fig. 4) consists of two S-boxes and a linear transformation. The permutation is achieved by writing to the state RAM according to the specification of the permutation. For the S-boxes and the linear transformation, we used the Boolean expressions presented in [22]. The construction needs at least 6400 clock cycles to compute the compression function completely (128 bytes state, 32 bytes constants and 40 rounds, thus ( ) 40 = 6400), and is therefore very slow compared to the Grøstl implementation. 4.3 Skein The overall architecture of the Skein implementation (Fig. 5) is much like the other two architectures. Like it was for Grøstl, a natural internal data width is 64 bit, because of the usage of 64 bit parts of its internal state. The computation of the round function works as follows. First the message block is copied in 64 bit blocks to the state RAM. Then the input is copied to a temporary RAM on the one hand and used as the input to the Skein core on the other hand. The Skein core computes exactly one round, including the key injection every fourth round. In all rounds, except for the last key injection, the

8 Fig. 5: The Skein architecture. output of the core is copied back to the state RAM. The last key injection is special, because there is actually an odd number of key injections, whereas the number of rounds in Skein is even. Thus we add an artificial 73th round, which does nothing but injecting the key. After this very last round, the saved message from the temporary RAM is added (XORed) to the output of the core and fed into the key schedule. The Skein round function itself consists of three 64 bit adders, rotation and XOR (Fig. 6). The logic delay of the 64 bit adders combined with the required barrel shifter is high, therefore it is necessary to boost the clock frequency by pipelining. Unfortunately, the permutation required by the Skein specification complicates this endeavor, leading to a complicated pipeline structure. Fig. 6: Pipelining the Skein round function.

9 Strictly speaking, the core consists of two pipelines, each of different depth. The 64 bit adders are cut in half, by using 32 bit adders and a pipeline step. This way, we need only three 32 bit adders. Furthermore the barrel shifter is implemented in the longer pipeline, thus reducing the logic delay of the shifting as much as possible in this design. The optimal pipeline depth would be 8 cycles. However, the permutation in the round computation would require to insert wait cycles. As far as we know, the current pipelining is the best possible one in the current architecture. The performance of this design is dominated by the large number of rounds required. Overall the architecture requires 584 clock cycles for one execution of the compression function (72 rounds + 1 extra round for the key injection and 8 clock cycles for each round, thus 73 8 = 584). 5 Evaluation We have implemented compact designs of Grøstl, JH and Skein and generated post place and route results for Virtex-5 FPGAs. The numbers of the throughput, tp, and the throughput-area ratio, tp-area are calculated by the following formula, where p is the clock period, b is the block size, cycles is the number of clock cycles for the round transformation and area is the number of used slices. b tp = p cycles tp-area = tp area The three implementations give very different post place and route results (Tab. 2). The Grøstl implementation has the highest throughput and uses less slices than Skein, which makes it the winner in two categories, namely absolute throughput and the throughput-area ratio. The winner in the area category is JH, which consumes much less area than Grøstl. The main cause for the large differences in the throughput is caused by the high number of rounds in JH and Skein compared to Grøstl. A possible countermeasure would be to unroll parts of the design and introduce longer pipelines, but obvious unrolling is inhibited by the permutation layers in the round transformations of JH and Skein. Therefore, the throughput difference will probably always remain quite large. Another important aspect is a comparison with existing work. We are not aware of any other compact implementations of Grøstl, JH and

10 Algorithm Data path Slices BRAM MHz MBit/s MBit/s/Slice Grøstl JH Skein Tab. 2: Implementation results for Virtex-5 FPGAs. Algorithm Digest Slices BRAM MHz MBit/s MBit/s/Slice Grøstl [7] n/a JH [8] n/a Skein [8] n/a Tab. 3: Third party results for Virtex-5 FPGAs. Skein, therefore we can only compare our results to high-throughput implementations. Tab. 3 shows the results with the highest throughput as shown on the SHA-3 Zoo hardware page [1]. Another problem with this comparison is their omission of the padding function and the usage of block ram in some implementations. Thus, a comparison is very rough. Nonetheless, the numbers are interesting in certain aspects. For example, it s interesting to see, that the throughput-area ratio of JH drops really bad. This points to the conclusion, that the 8 bit data path was a sub-optimal choice and that the additional control logic and multiplexers are competing with the area savings achieved by the reduction of the parallelism. 6 Conclusion and Further Work The present paper focuses on FPGA implementations of the SHA-3 candidates Grøstl, JH and Skein. One optimized implementation of each candidate was evaluated. The performance of Grøstl is considered the best, because the throughput-area ratio is much higher than that of JH or Skein. Additionally the area of Grøstl could be further reduced using a reduced data path width (8 bit) and thus Grøstl would compete with JH regarding the absolute required area, which is currently the winner in this area. Probably, the JH and Skein implementations could be improved, too, but it seems unlikely, that they will ever beat Grøstl. The further work of the author will concentrate on compact implementations of BLAKE and Keccak, which were not yet implemented due to time constraints.

11 References 1. SHA-3 Zoo: Hardware Implementations (2011), Hardware Implementations 2. Baldwin, B., Hanley, N., Hamilton, M., Lu, L., Byrne, A., O Neill, M., Marnane, W.: FPGA Implementations of the Round Two SHA-3 Candidates. The second SHA-3 Candidate Conference (2010) 3. Canright, D.: A Very Compact S-Box for AES. In: Proceedings of 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES). pp Springer-Verlag (2005) 4. Canright, D., Osvik, D.A.: A More Compact AES. Selected Areas in Cryptography: 16th Annual International Workshop, SAC 2009, Calgary, Alberta, Canada, August 13-14, 2009, Revised Selected Papers pp (2009) 5. Chodowiec, P., Gaj, K.: Very compact FPGA implementation of the AES algorithm. In: Proceedings of 5th International Workshop on Cryptographic Hardware and Embedded Systems (CHES). pp Springer-Verlag (2003) 6. Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein Hash Function Family. Submission to NIST (Round 3) (2010), 7. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl a SHA-3 candidate. Submission to NIST (2008), 8. Homsirikamol, E., Rogawski, M., Gaj, K.: Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. Cryptology eprint Archive, Report 2010/445 (2010) 9. Isobe, T., Shibutani, K.: Preimage attacks on reduced Tiger and SHA-2. In: Fast Software Encryption. Lecture notes in computer science, vol Springer (2009) 10. Jungk, B., Reith, S.: On FPGA-based implementations of Grøstl. Cryptology eprint Archive, Report 2010/260 (2010) 11. Jungk, B., Reith, S.: On FPGA-Based Implementations of the SHA-3 Candidate Grostl. International Conference on Reconfigurable Computing and FPGAs 2011 pp (2010) 12. Kayser, R.F.: Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. In: Federal Register, vol. 72, pp National Institute of Standards and Technology (November 2007) 13. Lidl, R., Niederreiter, H.: Finite Fields (Encyclopedia of Mathematics and its Applications). Cambridge University Press (1996) 14. Matsuo, S., Knežević, M., Schaumont, P., Verbauwhede, I., Satoh, A., Sakiyama, K., Ota, K.: How Can We Conduct Fair and Consistent Hardware Evaluation for SHA-3 Candidate? The second SHA-3 Candidate Conference (2010) 15. McLoone, M., McCanny, J.: High Performance Single-Chip FPGA Rijndael Algorithm Implementations. In: Proceedings of 3rd International Workshop on Cryptographic Hardware and Embedded Systems (CHES). pp Springer-Verlag, London, UK (2001) 16. Pramstaller, N., Mangard, S., Dominikus, S., Wolkerstorfer, J.: Efficient AES Implementations on ASICs and FPGAs. In: Advanced Encryption Standard AES, pp Springer-Verlag (2005) 17. Rijmen, V., Daemen, J.: The Design of Rijndael. Springer (2002) 18. Sanadhya, S., Sarkar, P.: New collision attacks against up to 24-step SHA-2. In: Progress in Cryptology-INDOCRYPT. Lecture notes in computer science, vol Springer (2008)

12 19. Tillich, S., Feldhofer, M., Issovits, W., Kern, T., Kureck, H., Mühlberghuber, M., Neubauer, G., Reiter, A., Köfler, A., Mayrhofer, M.: Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. Cryptology eprint Archive, Report 2009/349 (2009) 20. Tillich, S., Feldhofer, M., Kirschbaum, M., Plos, T., Schmidt, J.M., Szekely, A.: High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. Cryptology eprint Archive, Report 2009/510 (2009) 21. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Proceedings of Crypto. Lecture notes in computer science, vol. 3621, pp Springer (2005) 22. Wu, H.: The Hash Function JH. Submission to NIST (round 3) (2011), round3.pdf 23. Xilinx: LogiCORE IP Fast Simplex Link (FSL) V20 Bus (v2.11c) (2010) 24. Xing, S., h. Yu, W.W.: FPGA Adders: Performance Evaluation and Optimal Design. IEEE Des. Test 15, (1998)