ECE646 Project Final Report: Towards an Area-Constrained Implementation of the SHA-3 Final Round Keccak Algorithm. Project by Kim Turley

Transcription

1 ECE646 Project Final Report: Towards an Area-Constrained Implementation of the SHA-3 Final Round Keccak Algorithm Project by Kim Turley

2 Project Overview Goal: To explore in detail the elements of an areaconstrained version of Keccak that achieves acceptable levels of throughput Justification: The ability to function well in areaconstrained environments is a selection criteria for SHA-3 contest, and Keccak has not yet been shown to perform on the level of other algorithms Design Choices: Keccak-1600, Altera Cyclone III, Quartus II Web Edition, Verilog, Area measured in #Logic Elements and #Registers

3 Outline Past Work Approach to the Problem Set-up Development Environment Tested Existing Implementation Code Wrote Verilog Skeleton Code Implemented and compiled all round modules Implemented overall round module

4 Past Work Keccak Group Implementation (Including Area Constrained) Low-Area Implementations: Area-efficient FPGA Implementations of the SHA-3 Finalists - - Bernhard Jungk and Jurgen Apfelbeck Lightweight Implementations of SHA-3 Candidates on FPGAs - - Jens-Peter Kaps, Panasayya Yalla, Kishore Kumar Surapathi, Bilal Habib, Susheel Vadlamudi, Smriti Gurung, and John Pham Compact FPGA Implementations of the Five SHA-3 Finalists, Stephanie Kerckhof, Francois Durvaux, Nicolas Veyrat-Charvillon, Francesco Regazzoni, Guerric Meurice de Dormale, Francois-Xavier Standaert

5 Jungk et.al. Keccak Top-Level Diagram Jungk has created an architecture that provides a framework for approaching the low-area problem by pipelining several rounds and efficiently implementing the pipeline. My framework will utilize Jungk's round structure

6 Kerckhof et.al. Keccak Top-Level Diagram Kerckhof's implementation has several inefficiencies, and does not provide a strong basis on which to begin development of a low-area algorithm

7 Kaps et.al. Keccak Top-Level Diagram The GMU I/O Framework will be used to facilitate testing and comparison of my implementation

8 Evaluation of Existing Work Additional unaddressed constraints Requirement for comparability Programming style Kaps' padding style most approachable Jungk's logical structure most efficient Kerckhof's does not account for Keccak's best features

9 Approach Design will be implemented in dataflow-style verilog to provide maximum control over the gate choice Operations will be created modularly so the design can be implemented with varying degrees of pipelining Identify operations that can be combined to reduce logical footprint

10 Development Environment and Existing Implementations Developing in Quartus II Web Edition Constrains Project to Using an Altera Platform Code is from the Keccak group's area-constrained implmentation

11 Skeleton Code Keccak[r,c](M) { Initialization and padding Padding in Software GMU IMPLEMENTATION Absorbing phase forall block Pi in P S[x,y] = S[x,y] xor Pi[x+5*y], S = Keccak-f[r+c](S) forall (x,y) such that x+5*y < r/w Squeezing phase Z = empty string while output is requested Z = Z S[x,y], S = Keccak-f[r+c](S) forall (x,y) such that x+5*y < r/w return Z Keccak-f[b](A) { forall i in 0 nr-1 A = Round[b](A, RC[i]) return A Round[b](A,RC) { θ step C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4], forall x in 0 4 D[x] = C[x-1] xor rot(c[x+1],1), forall x in 0 4 A[x,y] = A[x,y] xor D[x], forall (x,y) in (0 4,0 4) ρ and π steps B[y,2*x+3*y] = rot(a[x,y], r[x,y]), forall (x,y) in (0 4,0 4) χ step A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]), forall (x,y) in (0 4,0 4) ι step A[0,0] = A[0,0] xor RC JUNGK IMPLEMENTATION return A

12 Round Module Block Diagram A[x,y] RC Round Ɵ A[x,y] C[0] = A[0,0]xorA[0,1]xor...xorA[0,4] C[4] = A[4,0]xorA[4,1]xor...xorA[4,4] D[0] = C[0-1] xor rot(c[0+1],1) C[x,y] D[4] = C[4-1] xor rot(c[4+1],1) A[0,0] = A[0,0]xorD[0] A[0,1] = A[0,1]xorD[0] D[x,y] A[1,0] = A[1,0]xorD[1] A[4,4] = A[4,4]xorD[4] Ρ and π B[y,2*x+3*y] = rot(a[x,y], r[x,y] B[x,y] χ A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]) A[x,y] ι A[0,0] = A[0,0] xor RC A[x,y]

13 Generating Module Code Use Java (Eclipse Development Environment) to generate thousands of lines of dataflow-style code Easy to modify statements as needed (ex assign vs always-block code) only need to change one line of code

14 //theta Theta /* for(i=0; i<5; i++){ for(j=0; j<math.pow(2,l); j++){ for(k=0; k<5; k++){ System.out.println("assign a_out["+i+"]["+k+"]["+j+"] = a_in["+(i+5-1)%5+"]["+0+"]["+j+"] ^ a_in["+(i+5-1)%5+"]["+1+"]["+j+"] ^ a_in["+(i+5-1)%5+"]["+2+"] ["+j+"] ^ a_in["+(i+5-1)%5+"]["+3+"]["+j+"] ^ a_in["+ (i+5-1)%5+"]["+4+"]["+j+"] ^ a_in["+(i+1)%5+"]["+0+"] ["+(j+64-1)%64+"] ^ a_in["+(i+1)%5+"]["+1+"]["+(j+64-1)%64+"] ^ a_in["+(i+1)%5+"]["+2+"]["+(j+64-1)%64+"] ^ a_in["+(i+1)%5+"]["+3+"]["+(j+64-1)%64+"] ^ a_in["+ (i+1)%5+"]["+4+"]["+(j+64-1)%64+"];"); // Display the string. out.write("\r\n"); //

15 //rho for(x = 0; x<5; x++){ for(y = 0; y< 5; y++){ switch (x){ case 0: switch(y){ case 0: t = -1; break; case 1: t = 7; break; case 2: t = 1; break; case 3: t = 13; break; case 4: t = 19; break; break; case 1: switch(y){ case 0: t = 0; break; case 1: t = 23; break; case 2: t = 3; break; case 3: t = 8; break; case 4: t = 10; break; break; case 2: switch(y){ case 0: t = 18; break; case 1: t = 2; break; case 2: t = 17; break; case 3: t = 4; break; case 4: t = 21; break; break; case 3: switch(y){ case 0: t = 6; break; case 1: t = 9; break; case 2: t = 16; break; case 3: t = 5; break; case 4: t = 14; break; break; case 4: switch(y){ case 0: t = 12; break; case 1: t = 22; break; case 2: t = 20; break; case 3: t = 15; break; case 4: t = 11; break; break; for (z = 0; z< 64; z++){ System.out.println("assign a_out["+x+"] ["+y+"]["+z+"] = a_in["+x+"]["+y+"]["+ (z+320-(t+1)*(t+2)/2)%64+"];"); Rho

16 //pi for(i = 0; i<5; i++){ for(j = 0; j<5; j++){ switch(i){ case 0: switch(j){ case 0: x = 0; y = 0; break; case 1: x = 3; y = 0; break; case 2: x = 1; y = 0; break; case 3: x = 4; y = 0; break; case 4: x = 2; y = 0; break; break; case 1: switch(j){ case 0: x = 1; y = 1; break; case 1: x = 4; y = 1; break; case 2: x = 2; y = 1; break; case 3: x = 0; y = 1; break; case 4: x = 3; y = 1; break; break; case 2: switch(j){ case 0: x = 2; y = 2; break; case 1: x = 0; y = 2; break; case 2: x = 3; y = 2; break; case 3: x = 1; y = 2; break; case 4: x = 4; y = 2; break; break; case 3: switch(j){ case 0: x = 3; y = 3; break; case 1: x = 1; y = 3; break; case 2: x = 4; y = 3; break; case 3: x = 2; y = 3; break; case 4: x = 0; y = 3; break; break; case 4: switch(j){ case 0: x = 4; y = 4; break; case 1: x = 3; y = 4; break; case 2: x = 0; y = 4; break; case 3: x = 3; y = 4; break; case 4: x = 1; y = 4; break; break; for(k=0; k<64; k++){ System.out.println("assign a_out["+i+"]["+j+"] ["+k+"] = a_in["+x+"]["+y+"]["+k+"];"); Pi

17 Chi //chi for(x = 0; x < 2; x++){ for(y=0; y<5; y++){ for(z=0; z<64; z++){ System.out.println("assign a_out["+x+"]["+y+"] ["+z+"] = a_in["+x+"]["+y+"]["+z+"] ^ (~a_in["+ (x+1)%5+"]["+y+"]["+z+"] & a_in["+(x+2)%5+"] ["+y+"]["+z+"]);");

18 Iota //iota for(x=0; x<5; x++){ for(y=0; y<5; y++){ for(z=0; z<64; z++){ System.out.println("assign a_out["+x+"]["+y+"]["+z+"] = a_in["+x+"]["+y+"]["+z+"] + RC[ir] ["+x+"]["+y+"]["+z+"];");

19 Round

20 Input//Output Trigger 5-Bit Counter Clock-In Logic Clock Divider

21 Results

22 Conclusions and Future Work All area could be reduced by approx 1/6 by reusing the counter and triggers for clock-in, rounds, and clock-out stages Throughput could be increased by pipelining, but clock-in//clock-out happen at a faster rate than round logic Optimizations of sequential logic still possible