Software Benchmarking of the 2 nd round CAESAR Candidates

Size: px

Start display at page:

Download "Software Benchmarking of the 2 nd round CAESAR Candidates"

Regina Dorsey
6 years ago
Views:

1 Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1, Robin Ankele 2 1 Royal Holloway, University of London, UK 2 University of Oxford, UK October 20, 2016 SPEED-B, Utrecht, The Netherlands Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 1 /40

2 Motivation 1 Use Case 1: Lightweight applications (resource constrained environments) Use Case 2: High-performance applications critical: efficiency on 64-bit CPUs (servers) and/or dedicated hardware desirable: efficiency on 32-bit CPUs (small smartphones) desirable: constant time when the message length is constant message sizes: usually long (more than 1024 bytes), sometimes shorter Use Case 3: Defense in depth 1 CAESAR usecases on CAESAR mailing list (16. July 2016) by Dan J. Bernstein: Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 2 /40

3 Overview 1. Classification of the 2 nd round CAESAR Candidates 2. Software Optimizations 3. Benchmarking Framework 4. Results 5. Conclusions Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 3 /40

4 Classification of the 2 nd round CAESAR Candidates 1. Classification of the 2 nd round CAESAR Candidates 2. Software Optimizations 3. Benchmarking Framework 4. Results 5. Conclusions Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 4 /40

5 CAESAR competition CAESAR Competition for Authenticated Encryption: Security, Applicability and Robustness 57 first round candidates (9 withdrawn) 30 second round candidates 16 third round candidates Application of AE IPsec, SSL/TLS, SSH Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 5 /40

6 CAESAR competition CAESAR Competition for Authenticated Encryption: Security, Applicability and Robustness 57 first round candidates (9 withdrawn) 30 second round candidates 16 third round candidates Application of AE IPsec, SSL/TLS, SSH Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 5 /40

7 CAESAR competition CAESAR Round 2 candidates ACORN AEGIS AES-COPA AES-JAMBU AES-OTR AEZ Ascon CLOC Deoxys ELmD HS1-SIV ICEPOLE Joltik Ketje Keyak MORUS Minalpher NORX OCB OMD PAEQ POET PRIMATEs SCREAM SHELL SILC STRIBOB Tiaoxin TriviA-ck π-cipher Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 6 /40

8 Type Block Cipher 15 1 Compression Function 2 Permutations 4 8 Stream Cipher Sponge Construction Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 7 /40

9 Underlying Primitive Others 9 10 AES AES Round SPN Dedicated Permutation Dedicated Stream Cipher Dedicated Block Cipher SHA2 ARX LRX Keccak Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 8 /40

10 Parallel Encryption/Decryption Fully/Fully Fully/No No/No Partly/Partly Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 9 /40

11 Online Encryption/Decryption Fully/Fully 27 3 No/No Encryption of a message block M i only depends on message blocks M 1... M i 1. Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 10 /40

12 Inverse Free Yes No Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 11 /40

13 Security Proof Yes 24 6 No Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 12 /40

14 Nonce-Misuse Resistance None Intermediate Max (Offline Ciphers) Longest Common Prefix (Online Ciphers) Longest common prefix: an adversary can observe the longest common prefix of messages for repeated nonces Max: the repetition of nonces only leak the ability to see a repeated message Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 13 /40

15 Software Optimizations 1. Classification of the 2 nd round CAESAR Candidates 2. Software Optimizations 3. Benchmarking Framework 4. Results 5. Conclusions Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 14 /40

16 Software Optimizations Streaming SIMD Extensions AES New Instructions No Software Optimization Advanced Vector Instructions 4 4 NEON Dedicated Processor Optimizations Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 15 /40

17 AES-New Instructions Instructions Introduced with Intel R 2010 Westmere microarchitecture Consists of 6 new instructions that are implemented in hardware Four instructions for encryption/decryption (i.e. AESENC, AESENCLAST, AESDEC, AESDECLAST) Two instructions for the keyschedule (i.e. AESKEYGENASSIST, AESIMC) Performance 10 times faster for parallel modes (i.e. CTR) 2-3 times faster for non-parallel modes (i.e. CBC) Security Improved security against side channel attacks [Gue12] Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 16 /40

18 AES-New Instructions Instructions Introduced with Intel R 2010 Westmere microarchitecture Consists of 6 new instructions that are implemented in hardware Four instructions for encryption/decryption (i.e. AESENC, AESENCLAST, AESDEC, AESDECLAST) Two instructions for the keyschedule (i.e. AESKEYGENASSIST, AESIMC) Performance 10 times faster for parallel modes (i.e. CTR) 2-3 times faster for non-parallel modes (i.e. CBC) Security Improved security against side channel attacks [Gue12] Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 16 /40

19 AES-New Instructions Instructions Introduced with Intel R 2010 Westmere microarchitecture Consists of 6 new instructions that are implemented in hardware Four instructions for encryption/decryption (i.e. AESENC, AESENCLAST, AESDEC, AESDECLAST) Two instructions for the keyschedule (i.e. AESKEYGENASSIST, AESIMC) Performance 10 times faster for parallel modes (i.e. CTR) 2-3 times faster for non-parallel modes (i.e. CBC) Security Improved security against side channel attacks [Gue12] Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 16 /40

Streaming SIMD Extensions Instructions Vector-mode operations that enables parallel execution of one instruction on multiple data 16 128-bit registers (xmm0-15) Expanded over Intel R processor

20 Streaming SIMD Extensions Instructions Vector-mode operations that enables parallel execution of one instruction on multiple data bit registers (xmm0-15) Expanded over Intel R processor generations to include SSE2, SSE3/SSE3S and SSE4 Image: Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 17 /40

21 Advanced Vector Extensions Instructions Introduced with Intel R SandyBridge microarchitecture Extends SSE 128-bit registers with 16 new 256-bit registers (ymm0-15) Support of three-operand non-destructive operations (two-operand instructions e.g. A = A + B are replaced by three-operand instructions e.g. A = B + C) AVX2 instructions expand integer vector types and vector shift operations Performance AVX is 1.8 times faster than fastest SSE4.2 instructions [Len14] AVX2 is 2.8 times faster than fastest SSE4.2 instructions [Len14] Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 18 /40

22 Advanced Vector Extensions Instructions Introduced with Intel R SandyBridge microarchitecture Extends SSE 128-bit registers with 16 new 256-bit registers (ymm0-15) Support of three-operand non-destructive operations (two-operand instructions e.g. A = A + B are replaced by three-operand instructions e.g. A = B + C) AVX2 instructions expand integer vector types and vector shift operations Performance AVX is 1.8 times faster than fastest SSE4.2 instructions [Len14] AVX2 is 2.8 times faster than fastest SSE4.2 instructions [Len14] Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 18 /40

23 NEON Instructions Advanced SIMD instructions for ARM processors available since CORTEX-A microarchitecture bit registers (dual view bit registers) Performance 2-8 times performance boost [neo] Image: Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 19 /40

NEON Instructions Advanced SIMD instructions for ARM processors available since CORTEX-A microarchitecture 32 64-bit registers (dual view 16 128-bit registers) Performance 2-8 times

24 NEON Instructions Advanced SIMD instructions for ARM processors available since CORTEX-A microarchitecture bit registers (dual view bit registers) Performance 2-8 times performance boost [neo] Image: Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 19 /40

25 Benchmarking Framework 1. Classification of the 2 nd round CAESAR Candidates 2. Software Optimizations 3. Benchmarking Framework 4. Results 5. Conclusions Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 20 /40

26 High Resolution Methods for CPU Timing Information High Resolution Timers HPET (High Precision Event Timer) QueryPerformanceCounter time() and clock() posix functions TSC (Timer Stamp Counter) Timer Stamp Counter 64-bit machine state register containing the number of cycles since last reset RDTSC instruction to read out Use CPUID instruction against out-of-order execution Our framework uses RDTSCP [Pao10] which is an optimised RDTSC + CPUID Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 21 /40

27 High Resolution Methods for CPU Timing Information High Resolution Timers HPET (High Precision Event Timer) QueryPerformanceCounter time() and clock() posix functions TSC (Timer Stamp Counter) Timer Stamp Counter 64-bit machine state register containing the number of cycles since last reset RDTSC instruction to read out Use CPUID instruction against out-of-order execution Our framework uses RDTSCP [Pao10] which is an optimised RDTSC + CPUID Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 21 /40

28 Benchmarking Framework SUPERCOP [Ber16] Uses timer stamp counter as timer (with RDTSC and CPUID) Recommends turn-off of hyper threading/idle state during measurements Complex benchmarking framework for cryptographic primitives BRUTUS [Saa16] Uses clock() as timer No noise reduction Small codebase, rapid testing cycle Our Framework Optimized timer stamp counter (i.e. RDTSCP) [Pao10] Reduction of noise using single-user mode, averaging and median Focus on authenticated encryption and real-world usecases Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 22 /40

29 Benchmarking Framework SUPERCOP [Ber16] Uses timer stamp counter as timer (with RDTSC and CPUID) Recommends turn-off of hyper threading/idle state during measurements Complex benchmarking framework for cryptographic primitives BRUTUS [Saa16] Uses clock() as timer No noise reduction Small codebase, rapid testing cycle Our Framework Optimized timer stamp counter (i.e. RDTSCP) [Pao10] Reduction of noise using single-user mode, averaging and median Focus on authenticated encryption and real-world usecases Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 22 /40

30 Benchmarking Framework SUPERCOP [Ber16] Uses timer stamp counter as timer (with RDTSC and CPUID) Recommends turn-off of hyper threading/idle state during measurements Complex benchmarking framework for cryptographic primitives BRUTUS [Saa16] Uses clock() as timer No noise reduction Small codebase, rapid testing cycle Our Framework Optimized timer stamp counter (i.e. RDTSCP) [Pao10] Reduction of noise using single-user mode, averaging and median Focus on authenticated encryption and real-world usecases Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 22 /40

31 Measurement Setup MacBook Pro Early 2011 Intel R Core i5-2415m SandyBridge Dell Latitude E7470 Intel R Core i5-6300u SkyLake Compiler: clang compiler version (clang ) gcc compiler version ( ubuntu ) Compiler flags: -Ofast -fno-stack-protector -march=native Operating System in single-user mode to get rid of noise (e.g. context switches) Calculate the median of 91 averaged timings of 200 measurements [KR11] Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 23 /40

32 Benchmarking Settings and Real-World Usecases Table: Real-world use case settings for our benchmarking. Message Size Associated Data Size 2 Comments 1 byte 5 byte one keystroke (e.g. SSH) 16 bytes 5 byte small payload 557 byte 5 byte average IP packet size kb 5 byte ethernet MTU, TLS 16 kb 5 byte max TCP packet size 1 MB 5 byte file upload Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 24 /40

33 Results 1. Classification of the 2 nd round CAESAR Candidates 2. Software Optimizations 3. Benchmarking Framework 4. Results 5. Conclusions Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 25 /40

34 Comparison of all CAESAR 2 nd Round Candidates Performance (cpb) Message length (bytes) acorn128v2_opt aeadaes256ocbtaglen128v1_opt aegis128l_aesnib aes128gcmv1_openssl aes128n8t8clocv2_aesni aes128n8t8silcv2_aesni aes128otrpv3_nip7m1 aescopav2_ref aesjambuv2_aesni aezv4_aesni ascon128av11_opt64 deoxysneq256128v13_aesni elmd600v2_ref hs1sivlov1_ref icepole128av2_ref joltikneq6464v13_ref ketjesrv1_reference minalpherv11_ref morus v1_avx2 norx6441_ymm omdsha512k512n256tau256v2_avx1 paeq64_aesni pi64cipher256v2_goptv poetv2aes4_ni primatesv1gibbon80_ref scream10v3_sse seakeyakv2_sandybridge shellaes128v2d4n80_ref stribob192r2_ssse3 tiaoxinv2_nim trivia0v2_sse4 Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 26 /40

35 Comparison of all Block Cipher based schemes Performance (cpb) Message length (bytes) aeadaes256ocbtaglen128v1_opt aegis128l_aesnib aes128gcmv1_openssl aes128n8t8clocv2_aesni aes128n8t8silcv2_aesni aes128otrpv3_nip7m1 aescopav2_ref aesjambuv2_aesni aezv4_aesni deoxysneq256128v13_aesni elmd600v2_ref joltikneq6464v13_ref poetv2aes4_ni scream10v3_sse shellaes128v2d4n80_ref tiaoxinv2_nim Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 27 /40

36 Comparison of all Sponge based schemes aes128gcmv1_openssl ascon128av11_opt64 icepole128av2_ref ketjesrv1_reference norx6441_ymm pi64cipher256v2_goptv primatesv1gibbon80_ref seakeyakv2_sandybridge stribob192r2_ssse3 Performance (cpb) Message length (bytes) Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 28 /40

37 Comparison of all Stream Cipher based schemes acorn128v2_opt aes128gcmv1_openssl hs1sivlov1_ref morus v1_avx2 trivia0v2_sse4 Performance (cpb) Message length (bytes) Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 29 /40

38 Comparison of all Permutation based schemes aes128gcmv1_openssl minalpherv11_ref paeq64_aesni Performance (cpb) Message length (bytes) Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 30 /40

39 Comparison of all Compression Function based schemes aes128gcmv1_openssl omdsha512k512n256tau256v2_avx1 Performance (cpb) Message length (bytes) Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 31 /40

40 Comparison in the TLS setting joltikeq12864v13_ref primatesv1gibbon80_ref minalpherv11_ref aescopav2_ref shellaes128v2d8n80_ref ketjesrv1_reference stribob192r2_ssse3 omdsha512k128n128tau128v2_sse4 icepole128av2_ref scream10v3_sse acorn128v2_opt trivia0v2_sse4 pi64cipher128v2_goptv hs1sivlov1_ref aesjambuv2_aesni ascon128av11_opt64 paeq80_aesni lakekeyakv2_generic64 aes128n8t8silcv2_aesni aes128n12t8clocv2_aesni norx6441_ymm aes128gcmv1_openssl poetv2aes4_ni deoxysneq128128v13_aesni aeadaes128ocbtaglen128v1_opt morus v1_avx2 aes128otrpv3_nip7m2 aezv4_aesni aegis128l_aesnic tiaoxinv2_nim Performance (cpb) Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 32 /40

41 Comparison in the SSH setting primatesv1gibbon80_ref joltikeq12864v13_ref minalpherv11_ref shellaes128v2d8n80_ref omdsha512k128n128tau128v2_sse4 aescopav2_ref scream10v3_sse icepole128av2_ref pi64cipher128v2_goptv ketjesrv1_reference stribob192r2_ssse3 acorn128v2_opt trivia0v2_sse4 hs1sivlov1_ref lakekeyakv2_generic64 aes128gcmv1_openssl aeadaes128ocbtaglen128v1_opt norx6441_ymm paeq80_aesni poetv2aes4_ni deoxysneq128128v13_aesni morus v1_avx2 aes128n8t8silcv2_aesni ascon128av11_opt64 aes128n12t8clocv2_aesni aesjambuv2_aesni aes128otrpv3_nip7m2 tiaoxinv2_nim aezv4_aesni aegis128l_aesnic Performance (cpb) Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 33 /40

42 Currently fastest cipher (Software) cpb: 3.67 cpb: Performance (cpb) Performance (cycles/byte) cpb: 0.84 cpb: 1.98 cpb: 1.47 cpb: 1.34 cpb: 1.21 cpb: 1.12 cpb: 0.87 cpb: 0.79 cpb: 0.67 cpb: 0.71 cpb: Message length (bytes) cpb: cpb: cpb: 0.54 cpb: Associated Data (bytes) cpb: 0.56 cpb: 0.44 cpb: 0.64 cpb: 0.46 cpb: 0.48 cpb: 0.49 Message (bytes) cpb: Performance (cpb) Message Size Figure: Tiaoxin v2.0 (SSE and AES-NI optimized) Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 34 /40

43 Conclusions 1. Classification of the 2 nd round CAESAR Candidates 2. Software Optimizations 3. Benchmarking Framework 4. Results 5. Conclusions Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 35 /40

44 Conclusions New framework to benchmark Authenticated Encryption ciphers Very simple, only focus on AE ciphers Timer Stamp Counter (with optimized RDTSCP instruction) Reduction of noise during measurements Comparison of CAESAR 2 nd round Candidates TLS setting SSH setting 23 out of 30 ciphers offer at least one optimization Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 36 /40

45 Further Work Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 37 /40

46 Questions? Thank you for your attention! Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 38 /40

47 References I Daniel J. Bernstein. Supercop Shay Gueron. Intel R advanced encryption standard (aes) new instructions set. Technical report, Intel Corporation, Ted Krovetz and Phillip Rogaway. The Software Performance of Authenticated-Encryption Modes, pages Springer, Gregory Lento. Optimizing performance with intel R advanced vector extensions. performance-xeon-e5-v3-advanced-vector-extensions-paper. html, Neon. Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 39 /40

48 References II Gabriele Paoloni. How to benchmark code execution times on intel R ia-32 and ia-64 instruction set architectures. Technical report, Intel Corporation, Markku-Juhani Saarinen. The BRUTUS automatic cryptanalytic framework. Journal of Cryptographic Engineering, 6(1):75 82, Ralph Ankele - Royal Holloway, University of London Software Benchmarking of the 2 nd round CAESAR Candidates slide 40 /40

ASCON: A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer Graz University of Technology CECC 2015

S C I E N C E P A S S I O N T E C H N O L O G Y ASCON: A Submission to CAESAR Graz University of Technology www.iaik.tugraz.at The Team Christoph Dobraunig Maria Eichlseder Florian Mendel Martin Schläffer