Fast implementations of secret-key block ciphers using mixed inner- and outer-round pipelining

Transcription

1 Pawel Chodowiec, Po Khuon, Kris Gaj Electrical and Computer Engineering George Mason University Fast implementations of secret-key block ciphers using mixed inner- and outer-round pipelining

2 Most popular secret-key ciphers American standards DES 56 bit key AES-contest Triple DES 112, 168 bit keys AES - Rijndael 128, 192, and 256 bit keys Other popular algorithms IDEA Blowfish RC5 CAST Serpent Twofish RC6 Mars

3 June 1998 AES Contest 15 Candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Isreal, Korea, Japan, Australia, Costa Rica August final candidates Mars, RC6, Rijndael, Serpent, Twofish Round 1 Security Software implementations Round 2 Security Hardware implementations October winner: Rijndael Belgium

4 Selected applications of secret-key ciphers E-banking Internet ATM machines Home-banking Inter-bank transfers Server-browser - Virtual Private Networks - Electronic Payment Cards - SSL IPSec SET Wireless communication Mobile phones Satellite communication High-speed networks ATM, B-ISDN, HDTV

5 Target FPGA devices Xilinx Virtex - XCV µm CMOS process CLB slices 10 4-kbit block RAMs 1 mln equivalent logic gates Up to 200 MHz clock Configurable Logic Block slices (CLB slices) Programmable Interconnects Block RAMs

6 Methodology and Tools Implementation Code in VHDL Verification 2. Synthesis and Implementation 1. Functional simulation Xilinx, Foundation Series v. 2.1 Aldec, Active-HDL Netlist with timing Bitstream 3. Timing simulation Aldec, Active-HDL 4. Experimental Testing USC-ISI, SLAAC-1V FPGA board

7 Primary parameters of hardware implementations of secret-key block ciphers Latency Throughput M i+2 M i Encryption/ decryption C i Time to encrypt/decrypt a single block of data M i+1 M i Encryption/ decryption C i+2 C i+1 C i Number of bits encrypted/decrypted in a unit of time Throughput = Block_size Number_of_blocks_processed_simultaneously Latency

8 Typical Internal Structure of a Secret-Key Block Cipher Round Key[0] Initial transformation i:=1 Round Key[i] Cipher Round i:=i+1 i<#rounds? #rounds times Round Key[#rounds+1] Final transformation

9 Basic iterative architecture multiplexer register one round combinational logic

10 Basic architecture: Timing CLK IN P1 P2 P3 C1 C2 OUT #rounds clock_period

11 Basic architecture: Throughput Throughput [Mbit/s] Virtex Serpent Rijndael Twofish RC6 Mars 3DES

12 Area [CLB slices] Basic architecture: Area Virtex Twofish RC6 Rijndael Mars Serpent 3DES

13 Traditional methodology register one round, no pipelining MUX combinational logic #rounds registers K registers round 1 = one pipeline stage round 2 = one pipeline stage round K = one pipeline stage MUX.... round 1 = one pipeline stage round 2 = one pipeline stage.... round #rounds = one pipeline stage

14 Outer-Round Pipelining multiplexer register1 pipeline stage 1 = round 1 K rounds register2 pipeline stage 2 = round register K pipeline stage K = round K

15 Outer-Round Pipelining: Timing CLK IN P1 P2 P3 P4 C1 C2 P5 C3 P6 C4 OUT #rounds clock_period K=2

16 Throughput vs. area dependence for traditional design methodology Throughput - basic architecture - outer-round pipelining K=2 basic architecture K=3 K=4 K=5 outer-round pipelining Area

17 Our methodology a) register MUX b) k registers MUX one round, no pipelining combinational logic one round = k pipeline stages.... d) #rounds k registers round 1 = k pipeline stages round 2 =k pipeline stages round #rounds =k pipeline stages c) K k registers round 1 = k pipeline stages round 2 = k pipeline stages round K = k pipeline stages MUX

18 Inner-Round Pipelining multiplexer register1 pipeline stage 1 one round register2 pipeline stage register k pipeline stage k

19 Inner-Round Pipelining: Timing CLK IN P1 P2 P3 P4 P5 P6 C1 C2 C3C4 OUT #rounds (k reduced_clock_period) k=2

20 Throughput vs. area dependence for the new design methodology Throughput mixed inner and outer-round pipelining K=2 K=3 - inner-round pipelining - mixed inner and outer-round pipelining - basic architecture - outer-round pipelining inner-round pipelining k=2 k opt K=2 basic architecture K=3 K=4 outer-round pipelining Area

21 Latency vs. area dependence for the new design methodology Latency inner-round pipelining mixed inner and outer-round pipelining k opt k=2 K=2 K=3 - inner-round pipelining - mixed inner and outer-round pipelining - basic architecture - outer-round pipelining basic architecture K=2 K=3 K=4 K=5 outer-round pipelining Area

22 Number of the pipeline stages per round basic architecture - inner-round pipelining - mixed inner- and outer-round pipelining DES Rijndael RC6 Twofish Serpent

23 basic Clock frequency [MHz] inner-round pipelining mixed pipelining DES Rijndael RC6 Twofish Serpent

24 Limits on the minimum clock period after pipelining (1) 1. Delay of a single round divided by k = number of internal pipeline stages r1 r2 r1 op1 op2 op3 op4 op5 k=2 T CLKmin 2. Delay of the longest indivisible operation r1 r2 r3 r4 r1 op1 op2 op3 op4 op5 k=4 T CLKmin

25 Limits on the minimum clock period after pipelining (2) 3. Delays within the control unit r1 T CLKmin r2 r1 op1 op2 op3 op4 op5 cntr1 cntr2 cntr1 Control Unit rc 4. Maximum latency 5. Maximum input/output bandwidth

26 18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0 Throughput [Mbit/s] basic inner-round pipelining mixed pipelining 16,768 15,232 13,056 12,160 7,469 3,805 1, Serpent Rijndael Twofish RC6 3DES

27 6 Latency [µs] basic inner-round pipelining mixed pipelining Serpent Rijndael Twofish RC6 3DES

28 basic Area [CLB slices] inner-round pipelining mixed pipelining devices 3 devices 2 devices 12, DES 1,711 1,076 21,000 Twofish 3,458 1,137 46,800 RC6 2, RAMs 2,507 12, RAMs Rijndael 4,507 5,623 19,700 Serpent

29 NSA architecture Full outer-round pipelining #rounds registers round 1 = one pipeline stage round 2 = one pipeline stage.... round #rounds = one pipeline stage Total #rounds pipeline stages

30 NSA: Full outer-round pipelining Throughput [Gbit/s] CMOS ASIC 0.5 µm Serpent Rijndael Twofish RC6 Mars

31 Full mixed inner- and outer-round pipelining k registers round 1 = k pipeline stages round 2 =k pipeline stages round #rounds =k pipeline stages.... Total #rounds k pipeline stages

32 Throughput [Gbit/s] Our results: Full mixed pipelining Virtex FPGA, 0.22 µm Serpent Twofish RC6 Rijndael

33 Speed-up compared to the basic architecture 100 Our results NSA Rijndael Serpent Serpent Twofish RC6 Mars I8 I1

34 Full Mixed Inner and Outer-Round Pipelining Cipher 1 Cipher 2 round 1 round 1 round 2 minimum clock period round 10 round 16 Speed = block size min_clock_period

35 Application of the inner-round pipelining in the secret-key cipher design April 2000, AES 3, Advanced Encryption Standard Conference K. Gaj, P. Chodowiec George Mason University A.J. Elbirt, W. Yip, B. Chetwynd, C. Paar Worcester Polytechnic Institute - small (2-3) and arbitrarily chosen number of pipeline stages August 2000, CHES, Cryptographic Hardware and Embedded Systems Conference S. Trimberger, Xilinx, R. Pang, A. Singh, UCSB 12 Gbps DES implementation

36 Conclusions (1) New methodology for high-throughput implementation of secret-key ciphers proposed and analyzed optimum number of pipeline stages inside of a cipher round very high throughput ultimate throughput/area ratio throughput independent of the - number of cipher rounds - complexity of a cipher round

37 Conclusions (2) Five modern secret-key ciphers, including two new federal standards, AES and Triple DES implemented Throughputs from 12.2 to 16.8 Gbit/s for AES candidates (128-bit i/o block) 7.5 Gbit/s for Triple DES (64-bit i/o block) Fastest reported designs of the AES candidates in any technology