Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays

Transcription

1 Kris Gaj and Pawel Chodowiec Electrical and Computer Engineering George Mason University Fast implementation and fair comparison of the final candidates for Advanced Encryption Standard using Field Programmable Gate Arrays

2 AES Contest - NIST Evaluation Criteria Security Software Efficiency Hardware Efficiency Flexibility

3 AES Contest Effort June Candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Isreal, Korea, Japan, Australia, Costa Rica August final candidates Mars, RC6, Rijndael, Serpent, Twofish Round 1 Security Software efficiency Round 2 Security Hardware efficiency October winner: Rijndael Belgium

4 Hardware Efficiency Comparisons Government and large companies NSA IBM ASIC Mitsubishi Academia and small business USC WPI FPGA GMU UC Berkeley MICRONIC

5 Primary ways of implementing cryptography ASIC Application Specific Integrated Circuit in hardware FPGA Field Programmable Gate Array designs must be sent for expensive and time consuming fabrication in semiconductor foundry designed all the way from behavioral description to physical layout bought off the shelf and reconfigured by designers themselves no physical layout design; design ends with a bitstream used to configure a device

6 Which way to go? ASICs High performance Low power Low cost (but only in high volumes) FPGAs Off-the-shelf Low development costs Short time to the market Reconfigurability

7 Reconfigurability External ROM and microprocessor enables changing an FPGA function in several milliseconds Encryption vs. decryption vs. key scheduling FPGA Key scheduling 5-15 ms Various algorithms FPGA FPGA FPGA Encryption FPGA Decryption 5-15 ms FPGA AES Triple DES 5-15 ms 5-15 ms IDEA

8 Target FPGA devices Xilinx Virtex - XCV µm CMOS process CLB slices 10 4-kbit block RAMs 1 mln equivalent logic gates Up to 200 MHz clock Configurable Logic Block slices (CLB slices) Programmable Interconnects Block RAMs

9 Methodology and Tools Implementation Code in VHDL Verification 2. Synthesis and Implementation 1. Functional simulation Xilinx, Foundation Series v. 2.1 Aldec, Active-HDL Netlist with timing Bitstream 3. Timing simulation Aldec, Active-HDL 4. Experimental Testing USC-ISI, SLAAC-1V FPGA board

10 Primary parameters of hardware implementations for secret-key block ciphers Latency Throughput M i+2 M i Encryption/ decryption C i Time to encrypt/decrypt a single block of data M i+1 M i Encryption/ decryption C i+2 C i+1 C i Number of bits encrypted/decrypted in a unit of time Throughput = Block_size Number_of_blocks_processed_simultaneously Latency

11 Dependence of the encryption time on latency and throughput Message size Latency (Message_size Block_size) Throughput Time Encryption time

12 control Top level block diagram input/key Control unit input interface encryption/decryption output interface key scheduling memory of internal keys output

13 Primary factor in choosing the encryption/decryption unit architecture Symmetric-key cipher mode of operation: 1. Non-feedback cipher modes ECB, counter mode 2. Feedback cipher modes CBC, CFB, OFB

14 Non-feedback Counter Mode - CTR IV IV+1 IV+2 IV+N-1 IV+N... E E E... E E M 0 M 1 M 2 M N-1 M N C 1 C 2 C 3 C N-1 C N C i = M i AES(IV+i) for i=0..n

15 Feedback cipher modes - CBC IV M 1 M 2 M 3 M N-1 M N... E E E E E... C 1 C 2 C 3 C N-1 C N C 1 = AES(M i IV) C i = AES(M i C i-1 ) for i=2..n

16 Feedback cipher modes CBC, CFB, OFB

17 Basic iterative architecture multiplexer register one round combinational logic

18 Architectures suitable for feedback modes register round 1 MUX MUX one round combinational logic round 2 round K.... round 1 round round #rounds

19 Partial Loop Unrolling multiplexer register K rounds combinational logic round 1 round round K

20 Loop Unrolling: Speed vs. Area Throughput - basic architecture - loop unrolling - resource sharing basic architecture loop-unrolling k=2 k=3 k=4 k=5 resource sharing Area

21 Decreasing area by resource sharing Before After D0 D1 D0 D1 F F multiplexer F D0 D1 D0 register D1 register

22 First basic architecture of Serpent - Serpent I1 Ki bit register regular Serpent round x S-box 0 32 x S-box 1 32 x S-box to bit multiplexer K32 linear transformation 128 output

23 Alternative basic architecture of Serpent: Serpent I8 128 K bit register K0 round 0 K7 32 x S-box 0 linear transformation round 7 32 x S-box 7 linear transformation 128 output 128 one implementation round of Serpent = 8 regular cipher rounds

24 Our Results: Basic architecture - Speed Throughput [Mbit/s] Serpent Rijndael Twofish RC6 Mars 3DES

25 Our Results: Basic architecture - Area Area [CLB slices] Rijndael Twofish RC6 Mars Serpent 3DES

26 Comparison with results of other groups: Speed Throughput [Mbit/s] Serpent I Our Results University of Southern California Worcester Polytechnic Institute 149 Rijndael Twofish Serpent RC6 Mars I

27 Comparison with results of other groups: Area Area [CLB slices] Our Results Twofish RC6 University of Southern California Worcester Polytechnic Institute Serpent I Rijndael Mars Serpent I8

28 Our Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - Virtex FPGA Throughput [Mbit/s] Twofish Serpent I1 Rijndael Serpent I8 100 RC6 Mars Area [CLB slices]

29 NSA Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - ASIC, 0.5 µm CMOS Throughput [Mbit/s] RC6 Serpent I1 Twofish Rijndael Mars Area [CLB slices]

30 Conclusions for feedback cipher modes (1) (CBC, CFB, OFB) Speed (throughput) should be the primary criteria of comparison Basic iterative architecture is the most appropriate for comparison and future implementations Serpent and Rijndael are over twice as fast as the next best candidate for all implementations

31 Conclusions for feedback cipher modes (2) (CBC, CFB, OFB) Results confirmed by - three independent university groups for FPGAs, and - NSA group for ASICs Results of comparison independent of implementation technology (FPGAs vs. ASICs)

32 # votes Survey filled by 167 participants of the Third AES Conference, April 2000 Rijndael Serpent Twofish RC6 Mars

33 Our Results: Basic architecture - Speed Throughput [Mbit/s] Serpent Rijndael Twofish RC6 Mars

34 Non-Feedback Cipher Modes ECB, counter

35 Comparison for non-feedback cipher modes, e.g. Counter Mode - CTR IV IV+1 IV+2 IV+N-1 IV+N... E E E... E E M 0 M 1 M 2 M N-1 M N C 1 C 2 C 3 C N-1 C i = M i AES(IV+i) for i=0..n C N

36 NSA approach: Traditional methodology register MUX K registers MUX one round, no pipelining combinational logic round 1 = one pipeline stage round 2 = one pipeline stage round K = one pipeline stage.... K registers round 1 = one pipeline stage round 2 = one pipeline stage.... round #rounds = one pipeline stage

37 Our approach: New methodology a) register MUX k registers MUX b) one round, no pipelining combinational logic one round = k pipeline stages.... d) k registers c) round 1 = k pipeline stages round 2 =k pipeline stages round #rounds =k pipeline stages k registers round 1 = k pipeline stages round 2 = k pipeline stages round K = k pipeline stages MUX

38 Our approach: Inner-Round Pipelining multiplexer register1 pipeline stage 1 one round register2 pipeline stage register k pipeline stage k

39 Comparison of the traditional and new design methodologies Throughput mixed inner and outer-round pipelining K=2 K=3 - inner-round pipelining - mixed inner and outer-round pipelining - basic architecture - outer-round pipelining inner-round pipelining k=2 k opt K=2 basic architecture K=3 K=4 outer-round pipelining Area

40 Latency vs. area dependence for the new design methodology Latency inner-round pipelining mixed inner and outer-round pipelining k opt k=2 K=2 K=3 - inner-round pipelining - mixed inner and outer-round pipelining - basic architecture - outer-round pipelining basic architecture K=2 K=3 K=4 K=5 outer-round pipelining Area

41 NSA architecture: Full outer-round pipelining #rounds registers round 1 = one pipeline stage round 2 = one pipeline stage.... round #rounds = one pipeline stage Total # of pipeline stages = #rounds

42 NSA Results: Full outer-round pipelining Throughput [Gbit/s] CMOS ASIC 0.5 µm Serpent Rijndael Twofish RC6 Mars

43 Our approach: Full mixed inner- and outer-round pipelining k registers round 1 = k pipeline stages round 2 =k pipeline stages round #rounds =k pipeline stages.... Total # of pipeline stages = #rounds k

44 Our Results: Full mixed pipelining Virtex FPGA Throughput [Gbit/s] Serpent Twofish RC6 Rijndael

45 Speed-up compared to the basic architecture 100 Our results NSA Rijndael Serpent Serpent Twofish RC6 Mars I8 I1

46 Our Results: Full mixed pipelining Area [CLB slices] ,700 dedicated memory blocks, RAMs 21,000 46,900 12,600 Serpent Twofish RC6 Rijndael 80 RAMs

47 Our Results: Increase in the circuit latency Latency without and with pipelining [µs] x x x Serpent I8 Twofish RC6 x Rijndael

48 Conclusions for non-feedback cipher modes (1) ECB, counter All ciphers can achieve approximately the same speed. Area should be the primary criteria of comparison. Architecture with inner round pipelining combined with full outer round pipelining is the most appropriate for comparison and future implementations Serpent, Twofish and Rijndael are the most cost-efficient and take approximately the same amount of area

49 Conclusions for non-feedback cipher modes (2) ECB, counter No agreement regarding the methodology and architecture used for comparison NSA methodology favored ciphers with short cipher round large number of rounds Our methodology fair practical (superior throughput/area ratio)

50 Importance of the AES candidate hardware efficiency comparison Important factor used to differentiate among final candidates - objective and commonly accepted measures - good agreement among results from various groups - large differences among final candidates Efficient architectures and methodologies developed for all algorithms

51 Basic building blocks of FPGA devices Virtex CLB slice = 1/2 of a CLB CLB - Configurable Logic Block Logic mode Memory mode 8 combinational logic one-bit register one-bit register 4 4 RAM 16x1 RAM 16x1 one-bit register one-bit register