Lightweight Implementations of SHA-3 Candidates on FPGAs

Transcription

1 Lightweight of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla Kishore Kumar Surapathi Bilal Habib Susheel Vadlamudi Smriti Gurung John Pham Cryptographic Engineering Research Group (CERG) Department of ECE, Volgenau School of Engineering, George Mason University, Fairfax, VA, USA 2th International Conference on Cryptology in India Indocrypt 2 Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs / 27

2 Outline Introduction Introduction Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 2 / 27

3 Hash Function Competition Hash Function Competition Previous Work Goal A hash algorithm reads an arbitrary length message and produces a fixed bit string called hash value/message digest. Main applications: Digital signatures, Message Authentication Codes (MAC), Universal Unique IDentifier(UUID/GUID), password tables and many more. NIST competition for new secure hash algorithm SHA-3 Announced in Nov 27, 64 entries submitted. 4 selected for Round 2. Currently in Round 3 5 finalists. NIST s selection criteria: Security, HW/SW speed, scalability. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 3 / 27

4 Hash Function Competition Hash Function Competition Previous Work Goal A hash algorithm reads an arbitrary length message and produces a fixed bit string called hash value/message digest. Main applications: Digital signatures, Message Authentication Codes (MAC), Universal Unique IDentifier(UUID/GUID), password tables and many more. NIST competition for new secure hash algorithm SHA-3 Announced in Nov 27, 64 entries submitted. 4 selected for Round 2. Currently in Round 3 5 finalists. NIST s selection criteria: Security, HW/SW speed, scalability. Motivation Analyze performance of candidates in a constrained FPGA environment determine scalability on FPGAs. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 3 / 27

5 Hash Function Competition Previous Work Goal Previous Work on SHA-3 Candidates Several Throughput/Area optimized implementations on FPGAs were published: Gaj et al.[ches 2], Matsuo et al.[sha-3 conference 2], Baldwin et al.[sha-3 conference 2]. Only two specific for low-area implementations of SHA-3 finalists: Kerckhof et al.[hash 2], Jungk et al.[reconfig 2]. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 4 / 27

6 Hash Function Competition Previous Work Goal Previous Work on SHA-3 Candidates Several Throughput/Area optimized implementations on FPGAs were published: Gaj et al.[ches 2], Matsuo et al.[sha-3 conference 2], Baldwin et al.[sha-3 conference 2]. Only two specific for low-area implementations of SHA-3 finalists: Kerckhof et al.[hash 2], Jungk et al.[reconfig 2]. Problem: Rating algorithm performance when are on different devices, made with different implementation goals and features, vary in both: area and throughput, and support different I/O interface widths. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 4 / 27

7 Hash Function Competition Previous Work Goal Our Goal: Comprehensive set of lightweight implementations of all Round 2 SHA-3 Candidates (except SIMD) and all SHA-3 Finalists. All optimized for the same target maximum Throughput to Area ratio for given area budget. All use the same standardized interface. Implemented on different families for fair comparison with other reported results. Target Details: Xilinx Spartan 3, low cost FPGA family Budget: 4-6 slices, Block RAM (BRAM) Implemented 256 bit digest versions only Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 5 / 27

8 Assumptions Interface and Protocol Assumptions Implementing for minimum area alone can lead to unrealistic run-times. Target: Achieve the maximum Throughput/Area ratio for a given area budget. Realistic scenario: System on Chip: Certain area only available. Standalone: Smaller Chip, lower cost, but limit to smallest chip available, e.g. 768 slices on smallest Spartan 3 FPGA. Makes fair comparison of lightweight implementations possible. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 6 / 27

9 Interface and Protocol Introduction Assumptions Interface and Protocol Based on Interface and I/O Protocol from Gaj et al.[ches 2]. msg len ap, seq len ap (after padding ) in -bit words. msg len bp, seq len bp (before padding) in bits. n 2 msg len bp = seq len ap i + seq len bp n i= n msg len ap = seq len ap i w = 6 bits. w i= clk clk rst rst SHA Core w din dout src_ready dst_ready src_read dst_write w bits msg_len_ap msg_len_bp message w bits seq_len_ap seq seq_len_ap seq seq_len_ap n seq_len_bp n seq n a)sha Interface b)sha Protocol Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 7 / 27

10 BLAKE-256 Algorithm Introduction BLAKE-256 Grøstl JH Keccak Skein M 52 P C P A B C D CM <<<6 Init. G G G G <<<2 P P2 G G G G CM CM G A B C Ti 4x <<< 8 <<< 7 D 256 IV H Key Features Salt value: A user Dependant constant 28 bits set all to 8 G functions : XOR, addition, shifting. P,P2 : Permutation Blake scales very well. Folded up to 4 times vertically and 4 times horizontally. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 8 / 27

11 BLAKE-256 Implementation BLAKE-256 Grøstl JH Keccak Skein din Reg REG_ dout REG_2 D C B A DRAM 5 Port A BRAM Port B 3 6 DRAM DRAM DRAM A REG_B CM REG_A <<<R3 <<<R REG_B2 B B C D REG_C <<<R4 <<<R2 A C D Implementation Salt : BRAM State: DRAM Quasi pipelined Half G function Registers: Reduce critical path Permutation causes a large controller with 2 addresses. BRAM contains constants, message, IV, intermediate hash. Scalability: Unfolding leads to worse TP/A. Improvement: Rescheduling of G results in 29 clock per block versus 35. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 9 / 27

12 Grøstl Algorithm Introduction BLAKE-256 Grøstl JH Keccak Skein IV 52 M 52 Hi P Addp 52 S Box x Sft Row Mix Hi 52 Addq S Box Sft Row Mix 255 H Q 52 x Key Features Based on AES like architecture S-BOX, shift rows, Mixed columns Grøstl scales well, like AES. Folded up to 8 times vertically. Small storage requirements. Uses many narrow memory accesses in parallel (8 per column). Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs / 27

13 Grøstl Implementation Introduction BLAKE-256 Grøstl JH Keccak Skein dout Port A BRAM Port B 3 5 B A Reg din Reg GFMul Reg SBox SBox B Reg 2 Add Constant SBox A 2 4xDRAM 4xDRAM 4xDRAM 4xDRAM A SBox Implementation State p,q : DRAM Shift Rows : how data accessed from DRAM Mix Column : GF-multiplier(half multiplier) Finalization takes as many clock cycles as block. BRAM stores only intermediate hash and IV. One new column every 3 clock cycles, P & Q interleaved. Scalability: Reducing number of clock cycles per column by adding S-Boxes and/or GF-Multiplier. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs / 27

14 JH Algorithm Introduction BLAKE-256 Grøstl JH Keccak Skein M M E Group R 8 S box L P De group 42x S 256 R6 C S box L P 23 H 768 Key Features Grouping: reordering of 24 bits state SBOX : Permutation Linear transformation : rotation and XOR De-grouping: inverse of grouping Permutation, grouping, and de-grouping makes scaling difficult Folding increases size Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 2 / 27

15 JH Implementation Introduction BLAKE-256 Grøstl JH Keccak Skein din Port A BRAM Port B 6 Reg 3 dout 5 2 Group De group Reg 3 S box L P Reg Reg 4 DRAM R 6 Implementation State: BRAM R8 function: Implemening 8X2 S-BOX for R8(S and S) R6 function :2 S-BOX for R6(S) -bit datapath to maximize use of BlockRAM. On-the-fly generation of round constants. Scalability: 64-bit datapath only viable without BlockRAM. Improvement: Group can be performed on M and de-group only on H Kerckhof et al.[ecrypt II 2]. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 3 / 27

16 Keccak Algorithm Introduction BLAKE-256 Grøstl JH Keccak Skein M Rotate Const θ ρ & π χ 88 zeros x Key Features θ simple XOR ρ, π rotation and reordering operate on columns χ logical operation on rows Dependency on Previous states prevents folding. Round Const ι H Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 4 / 27

17 Keccak Implementation BLAKE-256 Grøstl JH Keccak Skein 5 din out_ Reg RegA_out rc_a 3 Chi_B RegB_out var_out RegC_out 3 Chi_B 3 2 Port B 3 A BRAM Port A 63 rc_a 63 3 var_out 63 3 Chi_B dout out_ Chi Reg B Reg C Reg A <<< A A Reg V Rho&Pi 63 var_out Implementation Round constants, States: BRAM Quasi-pipelined θ & ρ & π Fixed rotations turn into variable rotator for small datapaths. ρ & π contains the rotator. Scalability: 64-bit datapath only viable without BlockRAM. Adding 2 more 64-bit registers saves approx 7 clock cycles. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 5 / 27

18 Skein Algorithm Introduction BLAKE-256 Grøstl JH Keccak Skein M 52 M 52 4xMIX P 52 4x Keygen 52 8x+ Threefish Tweak IV 255 H Key Features Mix function : Addition, Rotation and XOR Tweak constant : Key Generation for each block 64-bit adders lead to long delay. Algorithm cannot be folded. 64 <<<R 64 MIX Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 6 / 27

19 Skein Implementation Introduction BLAKE-256 Grøstl JH Keccak Skein 3 Reg din Port A BRAM Port B Tweak reg reg <<<R 63 dout 3 Implementation State: BRAM Key Generation,Mix : bit adder bit adder leads critical path through barrel shifter. Barrel shifter is single largest block in the design (92 slices). Finalization takes as many clock cycles as block hash. Scalability: Running Keygen and MIX in parallel. Improvement: Addition of Registers to cut down the critical path delay. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 7 / 27

20 Throughput versus Area on Spartan-3 of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk 5 Shabal 4 Round 2 Round 2 & 3 Round 3 Throughput (Mbps) 3 BLAKE- 2 BLAKE-256 Grøstl-Grøstl SHAvite-3 BMW JH42 Fugue Luffa ECHO Hamsi Keccak CubeHash JH Skein Area (slices) Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 8 / 27

21 of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk Ranking by Throughput over Area on Spartan-3..8 Long Messages Short Messages TP/Area (Mbps/slice) BLAKE- Grøstl- SHAvite-3 ECHO Fugue JH42 Keccak Skein Shabal BLAKE-256 Grøstl BMW Luffa Hamsi JH CubeHash Algorithms with finalization rounds perform worse for short messages. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 9 / 27

22 of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk Implementation Summary of Finalists for Long Messages Algorithm Block Size (bits) b Clock Cycles to hash N blocks clk = st + ( l + p) N + end Throughput b (l + p) T BLAKE ( + 38) N /( 35 T ) Grøstl ( + 55) N /( 547 T ) JH ( + 83) N 5 52/(845 T ) Keccak ( ) N /(3764 T ) Skein ( + 247) N /(2439 T ) st: Clock cycles computing initial steps before processing. l + p : Loading and processing cycles per block. end : Clock cycles needed for finalization and output of hash. st and end ignored for long messages as their influence goes toward zero. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 2 / 27

23 of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk Implementation of Finalists on Xilinx Spartan-3 Long Message Short Message Area (slices) Block RAMs Maximum Delay (ns) T Throughput (Mbps) TP/Area (Mbps/slice) Throughput (Mbps) TP/Area (Mbps/slice) Algorithm BLAKE Grøstl JH Keccak Skein Short Message : clock cycles associated with initialization, loading, processing, finalization No. of blocks of message(n)= after padding for short message Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 2 / 27

24 Throughput over Area of 5 Finalists of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk TP/Area (Mbps/slice) Xilinx Virtex 5 Long Messages Short Messages. Grøstl JH42 BLAKE-256 Keccak Skein TP/Area (Mbps/slice) Xilinx Virtex 6 Long Messages Short Messages. Grøstl JH42 BLAKE-256 Keccak Skein No difference in ranking on the two devices. Keccak better than JH here, compared to Spartan-3. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 22 / 27

25 Throughput over Area of 5 Finalists of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk Xilinx Spartan 6 Altera Cyclone ii.6.4 Long Messages Short Messages.6.4 Long Messages Short Messages TP/Area (Mbps/slice) TP/Area (Mbps/LE) Grøstl JH42 BLAKE-256 Keccak Skein. Grøstl better than BLAKE on Cyclone ii. Small changes in ranking depending on device. BLAKE-256 JH42 Grøstl Keccak Skein Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 23 / 27

26 of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk Comparison with [Kerckhof] (Virtex 6) Range of our Grøstl(K) Throughput (Mbps) Skein(K) 3 BLAKE-256 Grøstl JH42(K) 2 BLAKE-256(K) Keccak(K) Keccak Skein JH Area (slices) Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 24 / 27

27 of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk Comparison with [Jungk] (Virtex 5) 2 Range of our Grøstl(J) Keccak(J) Throughput (Mbps) 8 6 BLAKE-256(J) 4 BLAKE-256 Skein(J) Grøstl 2 JH42 Keccak Skein JH42(J) Area (slices) Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 25 / 27

28 Announcement Introduction of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk All the above data will shortly be available in the ATHENa database. Source codes will be available on the ATHENa webpage at the end of December. Follow the GMU Source Codes Link Thanks This work has been supported in part by NIST through the Recovery Act Measurement Science and Engineering Research Grant Project under contract no. 6NANBD4. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 26 / 27

29 of SHA-3 R-2 Candidates of SHA-3 Finalists Comparison with Kerckhof Comparison with Jungk Thanks for your attention. Indocrypt 2 J.-P. Kaps, Smriti Gurung, et al. Lightweight of SHA-3 on FPGAs 27 / 27