A High-Speed Unified Hardware Architecture for AES and the SHA-3 Candidate Grøstl

Size: px

Start display at page:

Download "A High-Speed Unified Hardware Architecture for AES and the SHA-3 Candidate Grøstl"

Blaise Jennings
6 years ago
Views:

1 A High-Speed Unified Hardware Architecture for AES and the SHA-3 Candidate Grøstl Marcin Rogawski Kris Gaj Cryptographic Engineering Research Group (CERG) Department of ECE, Volgenau School of Engineering, George Mason University, Fairfax, VA, USA 5th EUROMICRO Conference on Digital System Design DSD 2 DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... / 43

2 Outline Introduction Introduction DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 2 / 43

3 Motivation: SHA-3 Contriution Introduction Related work Methodology SHA-3 Competition and evaluation criteria (security, software and hardware performance, flexiility) Final round candidates: Blake, Grøstl, JH, Keccak, Skein NIST wepage: NIST also plans to (...) select the SHA-3 winner later in 22. DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 3 / 43

4 Motivation: Application to IPSec Introduction Related work Methodology Protocol Security Service Provided ESP confidentiality, integrity, and data origin authentication AH integrity and data origin authentication IKE negotiates connection parameters Supported Algorithms e.g.: (AES-CTR or AES-CBC) and (HMAC-SHA or AES- XCBC-MAC) e.g.: HMAC-SHA or AES- XCBC-MAC e.g.: DH and AES-PRNG DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 4 / 43

5 Introduction Related work Methodology Motivation: SHA-3 Competition (round 3) - Comprehensive studies Software enchmarking General CPUs: ebash - Bernstein and Lange Microcontrollers: XBX - Wenzel-Benner and Gräf Hardware enchmarking ASICs: Guo et al. DSD, DATE 2, Gürkaynak et al. SHA-3 2 FPGA high-speed: Homsirikamol et al. CHES, Mahoo et al. SHA-3 2 FPGA high-speed: (emedded-resources) Sharif et al. ECRYPT II, Shahid et al. FPT FPGA low-area: Kerckhof et al. CARDIS, Kaps et al. Indocrypt, Jungk et al. ReConFig DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 5 / 43

6 Introduction Related work Methodology Motivation: SHA-3 candidates - Unique Features Hash function mode of operation: Skein in tree hash mode: Schorr et al. ReConFig Hash function and lock cipher in a single core: Skein and Threefish: At et al. NTMS 2 Fugue (round 2) and AES: Järvinen SHA-3 Grøstl- (round 2) and AES: Järvinen SHA-3 Grøstl (round 3) and AES: [This work] DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 6 / 43

7 Methodology /2 Introduction Introduction Related work Methodology Grøstl - Homsirikamol et al. (CHES ), AES - (Cryptographic Engineering ch.) - starting points source_codes A for authenticated encryption ased on HMAC-Grøstl and AES-CTR mode FIFO-ased interface Long messages analysis - comparison to existing designs Short messages analysis - application for IPSec (up to 536 ytes) DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 7 / 43

Methodology 2/2 Introduction Introduction Related work Methodology High-speed FPGA devices: Altera (Stratix III and Stratix IV) and Xilinx (Virtex-5 and Virtex-6) Low-cost 65nm Altera Cyclone III

8 Methodology 2/2 Introduction Introduction Related work Methodology High-speed FPGA devices: Altera (Stratix III and Stratix IV) and Xilinx (Virtex-5 and Virtex-6) Low-cost 65nm Altera Cyclone III (previous work comparison) Altera Quartus. and Xilinx ISE 3. ATHENa Automated Tool for Hardware EvaluatioN Benchmarking open-source tool, written in Perl, aimed at an AUTOMATED generation of OPTIMIZED results for MULTIPLE hardware platforms Currently under development at George Mason University. 3" DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 8 / 43

9 Block cipher in Counter mode AES and Grøstl applications AES and Grøstl differences AES and Grøstl together Initialization vector Counter M#(i) Key Block cipher C#(i) +(n ) M#(i+n ) Key Block cipher C#(i+n ) DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 9 / 43

10 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together Hash-ased message authentication code (HMAC) select hkey hkey ipad hkey ipad data H( hkey ipad data ) hkey opad hkey opad H( hkey ipad data ) H( hkey opad H( hkey ipad data )) MAC(data) t= leftmost t ytes of H( hkey opad H( hkey ipad data )) DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... / 43

11 AES and Grøstl rounds AES round input AddRoundKey SuBytes ShiftRows MixColumns output last output Groestl 256: s=52 defined. Groestl 52: s=24 AES and Grøstl applications AES and Grøstl Figure similarities : The Grøstl hash function. AES and Grøstl differences AES and Grøstl together 3.2 The compression function construction The compression function f is ased on two underlying l-it permutatio defined as follows: Groestl P/Q transformation f(h, m) =P (h m) Q(m) h. The construction input of f is illustrated in Figure 2. In Section 3.4, we descri s h m AddRoundConstant SuBytes ShiftBytes MixBytes Tweaks on Grøstl (P and Q differences): s P Q Figure 2: The compression function f. P and Q are l-it perm output 3.3 The output transformation Let trunc n (x) e the operation that discards all ut the trailing n its of transformation Ω is defined as Ω(x) =trunc n (P (x) x). DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... / 43 f

12 Grøstl s hardware architectures AES and Grøstl applications AES and Grøstl differences AES and Grøstl together Parallel Architecture msg Basic Iterative Architecture Jarvinen 2 msg Quasi-Pipelined Architecture msg IV "" P Q P/Q IV P/Q # IV "" P/Q #2 digest digest digest DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 2 / 43

13 AES- and Grøstl-256 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together Grøstl-256 AES- functionality hash function lock cipher rounds lock size 52 finalization yes no 2 data pipes doule (P and Q) single 3 Comments: four instances of AES in parallel needed (non-feedack modes only), 2 Grøstl s output transformation (finalization) will affect short messages throughput, 3 Grøstl s quasi-pipelined architecture has to e used. DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 3 / 43

14 AES/Grøstl together Introduction AES and Grøstl applications AES and Grøstl differences AES and Grøstl together Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Groestl din 64 SIPO Main Key AES #i ks Key Expansion unit Counter Last RdSuKey din IV AddRoundKey SuBytes ShiftRows h h /2 /2.. PISO sel_p/q AddConstant SuBytes MixColumn dout 64 dout sel_p/q ShiftBytes MixBytes DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 4 / 43

15 AES/Grøstl together - SuBytes AES and Grøstl applications AES and Grøstl differences AES and Grøstl together Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key ks Key Expansion unit Counter AddRoundKey SuBytes ShiftRows MixColumn Last RdSuKey AES #i din dout Groestl IV h h /2 /2.. PISO 64 dout sel_p/q sel_p/q din 64 SIPO AddConstant SuBytes ShiftBytes MixBytes DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 5 / 43

16 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - ShiftRows/ShiftBytes Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key ks Key Expansion unit 2 Counter AddRoundKey SuBytes ShiftRows MixColumn Last RdSuKey AES #i din dout Groestl IV h h /2.. PISO /2 64 dout din 64 SIPO sel_p/q AddConstant SuBytes sel_p/q ShiftBytes 2 ShiftRows MixBytes DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 6 / 43

17 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - AddRoundKey/AddConstant Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key AES #i Groestl din 64 SIPO ks Key Expansion unit Counter Last RdSuKey din IV 2 AddRoundKey 3 SuBytes ShiftRows h h /2 /2.. PISO 3 AddConstant AddRoundKey sel_p/q SuBytes MixBytes 64 MixColumn dout dout sel_p/q ShiftBytes 2 ShiftRows DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 7 / 43

18 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - MixColumn/MixBytes Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key AES #i Groestl din 64 SIPO ks Key Expansion unit 2 Counter AddRoundKey 3 SuBytes ShiftRows MixColumn 4 Last RdSuKey din dout IV 3 AddConstant AddRoundKey h sel_p/q h /2 /2.. SuBytes 4 PISO 64 dout 2 sel_p/q ShiftBytes ShiftRows Shared MixBytes DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 8 / 43

19 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - AES last round Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key AES #i Groestl din 64 SIPO ks Key Expansion unit 2 Counter AddRoundKey 3 SuBytes ShiftRows MixColumn 4 Last RdSuKey 5 din dout h IV h /2.. /2 PISO 64 dout sel_p/q AddConstant sel_p/q ShiftBytes SuBytes 3 AddRoundKey 2 ShiftRows 4 Shared MixBytes 5 DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 9 / 43

20 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - 3rd pipeline stage Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key AES #i Groestl din 64 SIPO ks Key Expansion unit 2 Counter AddRoundKey 3 SuBytes ShiftRows 6 MixColumn 4 Last RdSuKey 5 din dout h IV h /2.. /2 PISO 64 dout sel_p/q AddConstant sel_p/q ShiftBytes SuBytes 3 AddRoundKey 2 ShiftRows 4 Shared MixBytes 6 5 DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 2 / 43

21 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - The Counter from AES-CTR Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key AES #i ks Groestl 64 din Counter SIPO 7 Key Expansion unit 7 Counter Last RdSuKey din IV 6 AddRoundKey 3 SuBytes 2 ShiftRows 5 h h /2.. /2 PISO AddConstant sel_p/q SuBytes 3 AddRoundKey 4 Shared MixBytes 6 5 MixColumn 4 dout 64 dout sel_p/q ShiftBytes 2 ShiftRows DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 2 / 43

22 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - The AES Key Expansion Unit Groestl 256 : =52, AES, ks= Groestl 52 : =24, AES 256, ks=256 Main Key AES #i Groestl 64 din Counter SIPO +ks 7 ks ks 8 Key Expansion unit 7 Counter Last RdSuKey din IV 8 Key Expansion unit 6 AddRoundKey 3 SuBytes 2 ShiftRows 5 h h /2.. /2 PISO AddConstant sel_p/q SuBytes AddRoundKey 3 4 Shared MixBytes 6 5 MixColumn 4 dout 64 dout sel_p/q ShiftBytes 2 ShiftRows DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

23 AES and Grøstl applications AES and Grøstl differences AES and Grøstl together AES/Grøstl together - Proposed Design All uses are -it wide unless specified otherwise. Groestl 256 : =52 Groestl 52 : =24 AES: ks=/4 din 64 SIPO +ks ctr 2 ks ks x /2 LastRdSuKey IV 2 R ks KeyExpansion RdSuKey LastRdSuKey R3 R4 h PISO 64 dout AddRoundConstant AddRoundKey R2 SuBytes R SharedMixBytes ShiftBytes ShiftRows DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

24 Inner Pipelining (Receiver side) Inner Pipelining High-level scheduling lock I #(i) cycle: R: Q() P() A() Q() P() A()... A(9) I Q() P() R: I Q() P() A() Q() P()... P(9) A(9) I Q() R2: A(9) I Q() P() A() Q()... Q(9) P(9) A(9) I lock I #(i) DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

25 Core Interface 2. Typical scenario Introduction accepted y the destination circuit at the next rising edge of the clock. Active HIGH. Inner Pipelining High-level scheduling In a typical scenario, the SHA core is assumed to e surrounded y two standard FIFO modules: Input FIFO and Output FIFO, as shown in Fig. 2. Fig. 2: A typical configuration of a SHA core connected to two surrounding FIFOs. The Input FIFO serves as a source of input data, and the Output FIFO as a destination for output data. DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

26 High-level scheduling Introduction Inner Pipelining High-level scheduling Receiver Input Interface I# idle key I# idle I#2 idle I#3... idle I#m+ idle Computational Unit Groestl(I#) AES(idle) Groestl(I#) AES(I#) Groestl(I#2) AES(I#2)... Groestl(I#m) AES(I#m) Groestl(I#m+) Groestl(I#m+2) AES(idle) AES(idle) Output Interface idle O# idle... O#m idle O#m idle HMAC (I ) I# = ipad hkey Ciphertext = I#, I#2,..., I#m I#m+ = opad hkey Plaintext = O#, O#2,..., O#m I#m+2 = H(ipad hkey I) HMAC(I) - HMAC value for a given ciphertext I Sender Groestl-256: 52-it input lock Groestl-52: 24-it input lock Input Interface I# idle I# idle I#2 idle I#3 key... idle I#m+ idle Computational Unit AES(idle) Groestl(I#) AES(I#) AES(I#2)... AES(idle) AES(idle) Groestl(idle) Groestl(O#) Groestl(O#m) Groestl(I#m+) AES(idle) Groestl(I#m+2) Output Interface idle O# idle... O#m idle HMAC (O) I# = ipad hkey Plaintext = I#, I#2,..., I#m I#m+ = opad hkey Ciphertext = O#, O#2,..., O#m I#m+2 = H(ipad hkey O) HMAC(O) - HMAC value for a given ciphertext O Groestl-256: 52-it input lock Groestl-52: 24-it input lock DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

27 Throughput for long messages Inner Pipelining High-level scheduling throughput = locksize T (Time HE (N + ) Time HE (N)) () throughput long = locksize cycles T (2) HMAC-Grøstl-256 and AES--CTR core parameters: lock size = 52, cycles = 3 Time HE (i) - time for Hash/Encryption process of i-th lock of data DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

28 Inner Pipelining High-level scheduling HMAC-Grøstl - Throughput for short messages throughput HMAC/Grøstl throughput Grøstl = #locks 5 + #locks (3) select hkey hkey hkey ipad ipad data H( hkey ipad data ) 4 throughput = locksize #locks (5 + #locks) (cycles T ) (4) hkey opad 2 hkey ipad data hkey opad H( ) H( hkey opad H( hkey ipad data )) MAC(data) t= leftmost t ytes of hkey opad H( hkey ipad data H( )) 3 5 Five additional locks come from: Two HMAC-Key injections [-2], first hashing result [3], Grøstl finalization operation [4-5]. DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

29 Comparison to Järvinen design High-Speed FPGA results Comparison to Järvinen on Cyclone III - Area DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

30 Comparison to Järvinen design High-Speed FPGA results Comparison to Järvinen on Cyclone III - Frequency DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 3 / 43

31 Comparison to Järvinen design High-Speed FPGA results Comparison to Järvinen on Cyclone III - Throughput DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 3 / 43

32 Comparison to Järvinen design High-Speed FPGA results Comparison to Järvinen on Cyclone III - Throughput/Area DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

33 High-Speed FPGA - Area Comparison to Järvinen design High-Speed FPGA results DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

34 High-Speed FPGA - Frequency Comparison to Järvinen design High-Speed FPGA results DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

35 Comparison to Järvinen design High-Speed FPGA results High-Speed FPGA - Throughput for long messages DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

36 HMAC-Grøstl for short messages Comparison to Järvinen design High-Speed FPGA results DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

37 Introduction with 3 pipeline stages pays relatively small penalty in terms of extra circuitry (+3% in Virtex-5) and throughput drop (-29% in Virtex-5) Proposed coprocessor can e used directly for IPSec HMAC-Grøstl with AES-CTR and possily any non-feedack mode It can e implemented even on the smallest device in high-speed families from Altera (Stratix-III, Stratix-IV) and Xilinx (Virtex-5 and Virtex-6) Altera Cyclone III-ased coprocessor outperform alternative design y 57% and % in case of authenticated encryption (ESP) and authentication (AH), respectively Grøstl s similarity to AES will e eneficiary in hardware in case of SHA-3 Grøstl DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

38 Thank you! Introduction Thank you! Questions? Questions? CERG: Our resources: CERG: ATHENa: ATHENa: ATHENaDB: 44 DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

39 Backup slides Introduction Backup slides from here DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

40 AES/Grøstl together - Shared MixBytes AES i[7] 8 x2 m[7][5] x3 m[7][4] x4 m[7][3] x5 m[7][2] x7 m[7][] i[6] i[] 8 8 cm #6 cm # m[6][5..] m[][5..] i[7..] 64 it input to MixColumn/MixBytes o[7..] 64 it output from MixColumn/MixBytes a[7..] 64 it output from MixColumn g[7..] 64 it output from MixBytes m[i][5..] i th yte results of multiplication y constants m[7][4..] m[][4..] 4 4 Network of XORs in Groestl MixBytes cm #7 m[7][] 48 Groestl g[7] g[] m[7][5..] m[7][5..3] m[5][5..3] m[3][5..3] m[][5..3] m[6][5..3] m[4][5..3] m[2][5..3] m[][5..3] 6 6 a[7..] g[7..] Network of XORs in AES MixColumn Network of XORs in AES MixColumn 64 a[7] a[4] a[3] a[] o[7..] DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 4 / 43

41 Comparison to Groestl and 2xAES-CTR Separately on Cyclone III - Throughput DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture... 4 / 43

42 Comparison to Groestl and 2xAES-CTR Separately on Cyclone III - Area DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

43 Comparison to Groestl and 2xAES-CTR Separately on Cyclone III - Throughput/Area DSD 2 M.Rogawski, K. Gaj A High-Speed Unified Hardware Architecture / 43

Use of Embedded FPGA Resources in Implementations of Five Round Three SHA-3 Candidates

Use of Embedded FPGA Resources in Implementations of Five Round Three SHA-3 Candidates Malik Umar Sharif, Rabia Shahid, Marcin Rogawski and Kris Gaj George Mason University, USA Agenda SHA-3 High Speed