Parallel and Pipeline Processing for Block Cipher Algorithms on a Network-on-Chip

Transcription

1 Parallel and Pipeline Processing for Block Cipher Algorithms on a Network-on-Chip Yoon Seok Yang, Jun Ho Bahn, Seung Eun Lee, and Nader Bagherzadeh Department of Electrical Engineering and Computer Science University of California, Irvine Irvine, California, , USA {yangys, jbahn, seunglee, nader}@uci.edu Abstract The computational performance of Network-on-Chip (NoC) and Multi-Processor System-on-Chip (MPSoC) for implementing cryptographic block ciphers can be improved by exploiting parallel and pipeline execution. In this paper, we present a parallel and pipeline processing method for block cipher algorithms: Encryption Standard (), Triple- Algorithm (), and Advanced Encryption Standard () based on pure software implementation on an NoC. The algorithms are decomposed into task loops, functions, and data flow for parallel and pipeline execution. The tasks are allocated by the proposed mapping strategy to each Processing Element (PE) which consists of a 3- bit Reduced Instruction Set Computer (RISC) core, internal memory, router, and Network Interface (NI) to communicate between PEs. The proposed approach is simulated by using Networked Processor Array (NePA), the cycle-accurate SystemC and Hardware Description Language (HDL) model platform. We show that our method has the advantage of flexibility as compared to previous implementations of cryptographic algorithms based on hardware and software co-design or traditional hardwired ASIC design. In addition, the simulation result presents that the parallel and pipeline processing approach for software block ciphers can be implemented on various NoC platforms which have different complexities and constraints. Key Words: security, block cipher, network-on-chip, parallel and pipeline processing, software implementation 1. Introduction As algorithms have become more complex and diverse, hardware IPs or SoCs which consist of devices such as CPU, DSP, memory, and co-processing components are used to implement them. In order to run a block cryptographic algorithm which is one of the computational intensive applications, a dedicated hardware design is used to execute the algorithm rapidly and effectively. However, a hardware implementation has disadvantages in flexibility and compatibility in contrast with a software implementation. One of the ways to maximize flexibility and computational power is using a multi-core platform such as MPSoC and NoC. This approach has problems in software scheduling and partitioning for application-level parallelism which increases overall performance effectively. In this paper, a parallel and pipeline execution methodology for a software block cipher is implemented on NePA NoC platform [6] which has a general NoC architecture without specialized hardware logics typically used in traditional ASIC design for a block cipher. The proposed method supports task concurrency, balanced task distribution, and high flexibility for the NoC environment. Since this method adopts software block ciphers, it can decrease time-to-market and turn-around time to implement various cryptographic algorithms. The main contributions of this paper are as: A software approach for block cipher algorithms on an NoC platform. Detailed modeling the approach based on SystemC and HDL level hardware platform. The organization of this paper is as follows: Section provides the related work about the implementation of block cipher algorithms on various systems. Section 3 introduces the parallel and pipeline processing method for block ciphers on NePA. Section 4 describes the implementation. Section 5 presents the experimental results. Section 6, summarizes and concludes this paper.

2 . Related work Several implementation methods for block cipher algorithms have been proposed. One of the methods is fully hardwired or an FPGA implementation of the block cipher algorithms [16], [1]. Another method is mixing DSP/RISC and dedicated hardware such as co-processing blocks, or inserting special instructions to improve not only flexibility but also computing power for calculation of cryptographic functions. For the improvement of overall performance, dedicated and specialized cryptographic hardware modules are used with DSP or RISC processors [11], [15]. Other researchers have proposed specialized instruction set architectures to accelerate cipher algorithms on hardware and software co-design platforms [9], [7], [13]. The third method is using MPSoC, NP (Network Processor), or NoC platform which has a multi-core processing architecture. The authors of [8] have suggested maximizing the throughput of a pipelined multiprocessor system by effective assignment of flow tasks to pipeline stages on an NP platform. In the paper [14], they have introduced a methodology for profiling and scheduling networking workloads and applications on a highly parallel network processor architecture. In their papers [16], [9], [8], [14], they have shown various parallel and pipeline task scheduling and mapping methodologies for block cipher algorithms. The proposed parallel and pipeline NoC implementation for block ciphers have been developed on their platforms. 3. Networked Processor Array (NePA) NoC Platform system which is a mesh-based multi-processor SoC is proposed as shown in Figure 1. This reconfigurable multiprocessor platform includes multiple RISC processors, memory blocks, and several specific IPs. Each PE has a CompactOR, internal data/instruction memory, a generic network interface, and a router adopting both a normal routing algorithm and an adaptive routing algorithm. Open- RISC core [1], one of open core processors, is used as the main processor of the NePA platform. In addition, generic network interface (NI) blocks and routing units [10], [5] are integrated to the NePA platform for a mesh-based network. The routers allow to transport not only application data but also control data between PEs by a memory mapped interface protocol. Each PE executes a part of block cipher functions by the parallel and pipeline execution method on the platform without dedicated cryptographic co-processor modules or hardwired logics. NePA router has a -port north/south and 1-port west/east interfaces to interconnect between PEs on the D meshed network. One of the main purposes of this research is to improve the computational performance of block ciphers by incorporating an NoC architecture. To achieve this goal, NePA is designed in SystemC as well as in Verilog HDL to simulate and verify the performance of the proposed parallel and pipeline processing method for block ciphers. Moreover, a set of tool chain is provided. 4. Parallel and pipeline processing for block ciphers 4.1. Overview of block cipher algorithms 8X8 NoC platform Processing Element Instruction Memory 3-bit 64-bit Code Code 3-bit Compact Memory OR 3-bit 64-bit 3-bit Register values Block Control Unit Network Interface Register PE Router Figure 1. Target NePA NoC platform based on 8x8 mesh network. In order to meet the high-performance and low-power requirements, a scalable, flexible, and reconfigurable multiprocessor platform, Networked Processor Array (NePA) PE PE Block cipher algorithms use symmetric and secret keys to encrypt and decrypt a plaintext composed of fixed-length block data with mathematical transformations. Each plaintext block is the same length as all of the other input blocks, for example 64 or 18 bits. In the operation of a block cipher, a ciphertext is encrypted by using a plaintext and a key block. The benefit of block ciphers is diffusion where bits are spread throughout the ciphertext such that a change of single bit in either the key or the plaintext causes a significant change in the ciphertext. The disadvantage is that algorithms take a long time to produce a ciphertext, compared to stream ciphers, and single bit error can be propagated to an entire block. Encryption Standard ( []), Triple- Algorithm ( [3]), and Advanced Encryption Standard ( [4]) are widely used in symmetric cryptography standard algorithms released by the National Institute Standard and Technology (NIST).

3 Instruction level Determination of concurrent and sequential tasks Block cipher algorithms (C code) Profiling Sequential tasks Concurrent tasks Scheduling and mapping tasks on NoCs x x 4 3 x 3 4 x 4 Number of PEs Pipeline depths pipelined PEs 4 pipelined PEs 8 pipelined PEs Group1 Group3 Group4 Pipelined PE groups Group Group5 Run tasks on the desired NoC Processing Element (PE) 8 x 8 16 pipelined PEs Figure. The procedure of the proposed parallel and pipeline processing for block ciphers 4.. Methodology of parallel and pipeline processing for block ciphers Figure illustrates the main steps of the proposed parallel and pipeline processing method for block ciphers on NePA. This approach starts at profiling block cipher algorithms written in C. The aim of the profile is to classify execution groups which can be performed concurrently or sequentially in instruction, function, and round (a group of iterative functions defined in each block cipher algorithm) level. Guided by the profiling results, the groups of functions and rounds are determined, which are assigned and run as parallel and pipeline tasks in a PE. In [14], the authors use an annotated directed acyclic graph (ADAG) to generate a group of pipelined tasks by the dynamic profiling and instruction tracing method. While in this paper profiling, grouping, and allocating tasks are carried out manually considering the overall performance of the NePA system and the workload which is scheduled to PEs. As another issue in the proposed implementation, a scheduling and mapping procedure is suggested to assign the tasks to PEs. The scheduling and mapping step is obviously one of the key factors to execute the partitioned block cipher programs on NePA. It is performed by the information based on the organization of the concurrent and sequential tasks generated from the profiling step. Furthermore, the scheduling and mapping procedure depends on additional information like the number of PEs, pipeline depth, and pipelined PE groups. In summary, the method is performed in four steps as follows: 1. Profiling block cipher algorithms In the first step, the block ciphers programmed in C language are profiled as function-level and roundlevel lists to extract sequential and concurrent features. In profiling, there are instruction-level, function-level, and round-level profiling methods.,, and block ciphers are profiled into function-level and round-level modules except instruction-level in order to exploit high level profiling approach instead of bottom level instruction profiling approach.. Determination of concurrent and sequential tasks In the second step, the profiled groups of functions and iteration rounds are used to determine sequential and concurrent tasks. The profiled tasks in the previous step are classified according to sequential and concurrent features of the tasks to schedule and map them into PEs. For instance, round tasks are processed in a sequential order, therefore each round task can be regarded as an element of sequential tasks. 3. Scheduling and mapping tasks on NoC platforms In the third step, the tasks classified into sequential and concurrent tasks are scheduled and mapped into PEs on NePA. Following parameters are required in order to define the scheduling and mapping tasks on NePA. the number of PEs the number of pipeline depths the number of pipelined PE groups

4 Profiling Determination of concurrent and sequential tasks Funtion level IP E K S P IV IP PC PC RL 1 Encrypt Decrypt AR K MC BS KE SR KS G4 IP E K S P G PC PC RL 1 IV IP Encrypt ~ Decrypt ~ Encrypt ~ AR K BS SR MC G4 G KE KS Round level IR Rounds IR BR FR 4 4 G-8 BR BR Notation : Group and #rounds = 1 BR G- : G and #rounds = 14 Rounds FR BR BR BR IR 8 Rounds BR BR BR BR G-4 : G and #rounds = 4 14 X 3 Rounds Scheduling and Mapping (Example : 4x4 NoC) G G PE-4,, G- G- G- G- G- G- G G PE-4, G-5 G-5, G-6, G-4, G-6, G-4 G-6 G-6 G4 G G G4, G G PE-3,, G- G- G- G- G- G- G G PE-3, G-5, G-5, G-6, G-4, G-6, G-4 G-6 G-6 PE-3 G G4 PE-4 G4 G,, Figure 3. The implementation of,, and by the proposed methodology on 4x4 NePA NePA is differently configured by the number of PEs. For example, x NePA platform has four PEs and 8x8 platform has 64 PEs. In this scheduling and mapping step, one of the PEs is selected as the first PE which is in charge of a main control PE. And then one of the neighbor PEs which has the shortest-distance from the current PE is adopted as a next PE to build parallel and pipelined PE groups. Therefore, the nearest PE from current PE is selected as a next PE in order to schedule and map a task to the PE. This method allows reduction of communication. 4. Execution of the tasks In the last step, the tasks mapped and scheduled in the PEs are executed in the parallel and pipelined way Implementation of block ciphers by the proposed methodology In this section, the block cryptographic algorithms are implemented by the proposed method. As shown in Figure 3, the profiled functions, the groups of functions, the groups of rounds, and the compositions of parallel and pipelined tasks are outlined for the scheduling and mapping step on 4x4 mesh-based NePA system Profiling block ciphers on NePA. Table 1 illustrates profiled components of block ciphers. is composed of 9 functions, Initial Permutation (IP), Expansion Permutation (E), Key Schedule (K), Substitution Box (S), Permutation Box (P), Inverse Initial Permutation (IVIP), Permuta- Ciphers Ciphers F unctions IP, E, K, S, P, IVIP, PC1, RL, PC functions ARK, BS, SR, MC, KE, KS Rounds 1 IR, 14 BRs, 1 FR 3 IRs, 14 BRs, 3 FRs 1 IR, 8 BRs, 1 FR Table 1. The profiled result of,, and tion Choice-1 (PC1), Right/Left shift (RL), and Permutation Choice- (PC) in function-level decomposition. has the same element functions of because utilizes cipher three times in an Encrypt-Decrypt-Encrypt order. is organized into 6 functions such as Add Round Key (ARK), Byte Substitution (BS), Shift Row (SR), Mix Columne (MC), Key Expansion (KE), and Key Selection (KS). Rounds are classified into Initial Round (IR), Body Round (BR), and Front Round (FR) as the components of the round-level parallelism for, TEDA, and block cipher Determination of concurrent and sequential tasks. After profiling the block ciphers, the constitution of the concurrent and sequential tasks are determined in both function-level and round-level. For the implementation in function-level, G is grouped with PC1, RL, and

5 PC as the key scheduling module. is composed of E and K, and G4 has S and P. The goal of this step is to find the relationship among the groups of tasks such that,, and are processed sequentially, but G is executed concurrently. composed of encryption and decryption functions uses the same groups of. has 4 groups,, G,, and G4. G is grouped with KE and KS, includes BS and SR.,, and G4 are executed in a sequential order, but G is processed concurrently. For the determination of the concurrent and sequential tasks in round-level, different three round groups,, G, and are used for several block ciphers. The first group () executes the routine of the initial round. The second group (G) is annotated by the number of body rounds. For instance, G-3 means that it belongs in the second group and has three body rounds. The last group () executes the final round to generate encrypted output data Scheduling and mapping tasks on NePA. In this scheduling and mapping stage, the groups determined from the previous step are allocated to PEs along with supplemental information such as the number of PEs, pipeline depth, and the number of PE groups. Figure 3 illustrates an example of the implementation on a 4x4 NePA, composed of 16 PEs. In this example, has 4 concurrent PE groups (,,PE-3,PE-4) and each PE group consists of 3 pipeline depth ( ) with concurrent key scheduling task (G) in function-level. In roundlevel processing, has PE groups (,) and each PE group has 8 pipeline depth (, G- G- G- G- G- G-,). The PEs of a PE group are executed by a pipelined sequence, thus, the PE groups are run concurrently. is scheduled and mapped the same as implementation in function-level. In round-level, consists of 48 rounds (3x,4xG,3x) for each PE group. encryption and decryption are described by 4 PE groups (,,PE-3,PE-4) composed of 4 pipelined PEs in a group for function-level processing. In round-level processing, is composed of PE groups (, ). is utilized for the simulation, and the router model used in this system is the same as [5]. 5.. Simulation Results Figure 4, 5, 6, 7 illustrate the result of the simulation on NePA. In order to determine the complexity of communication on NePA, the amount of transferred bytes between PEs in function and round level is determined as Equation (1), (). #Pipelines is the number of pipelined PEs in a PE group, #Parallels is the number of parallel PE groups, and #Rounds is the number of rounds corresponding to the block ciphers. 9.E+07 8.E+07 7.E+07 6.E+07 4.E+07 3.E+07.E+07 1.E+07 1.E+08 T ranbytes f = (#P ipelines #Rounds 1) #P arallels #InputBytes (1) T ranbytes r = (#P ipelines 1) #P arallels #InputBytes () 8.E+05 6.E+05 4.E+05.E+05 Speed up Figure 4., transfer bytes, and speedup in simulation. Speed up Figure 5., transfer bytes, and speedup in simulation. 5. Experimental results 5.1. Simulation Environment The proposed methodology is simulated and implemented on a cycle-accurate SystemC and HDL NoC environment called NePA. The platform is composed of a number of Compact OpenRISC processors, network interface modules, and routers. The C codes programmed for parallel and pipelined execution on several PEs are compiled by OpenRISC tool chains. 100 MHz operating clock frequency 5.E+06 7.E+05 6.E+05 4.E+05 3.E+05.E+05 1.E+05 Speed up Figure 6., transfer bytes, and speedup in simulation.

6 1.E+08 1.E+08 (a) in function-level and round-level 7.E+04 6.E+04 5.E+04 4.E+04 3.E+04.E+04 1.E+04,, (b) Transfer Bytes in function-level and round-level Figure 7. Comparison of cycle counts and transfer bytes for block ciphers on NePA 6. Conclusions In this paper, a parallel and pipeline processing method has been presented to implement block cipher algorithms such as,, and through profiling, scheduling, and mapping exploration on an NoC platform called NePA. The method is used for the pure software implementation of block ciphers on NePA. The parallelized and pipelined tasks are allocated by the proposed mapping strategy to each PE which consists of 3-bit OpenRISC core, internal memory, router, and NI on the NePA platform. This proposed method has been developed and simulated by using the cycle-accurate SystemC and HDL description model. Using the cycle-accurate simulation, the simulation results show that the proposed method can be implemented on an NoC system effectively. References [1] Openrisc 100 core. projects.cgi/web/or1k/openrisc_100. [] encryption standard (). Technical Report Federal Information Processing Standard (FIPS) 46, National Bureau of Standards, [3] Triple data encryption algorithm (, a.k.a. Triple ). Technical Report Federal Information Processing Standard Publication 46-3, the standard ANSI X , NIST, [4] Advanced encryption standard (). Technical Report Federal Information Processing Standards Publications (FIPS PUBS) 197, Available from [5] J. H. Bahn, S. E. Lee, and N. Bagherzadeh. On design and analysis of a feasible network-on-chip (noc) architecture. In Proceedings of International Conference on Information Technology (ITNG 07), pages , 007. [6] J. H. Bahn, S. E. Lee, Y. S. Yang, J. S. Yang, and N. Bagherzadeh. Multi-processor system platform using network-on-chip (NoC) techniques. Parallel Processing Letters, World Scientific Publishing Company, 008. [7] A. M. Fiskiran and R. B. Lee. On-chip lookup tables for fast symmetric-key encryption. In Proceedings of the 005 IEEE International Conference on Application-Specific Systems, Architecture Processors (ASAP 05), pages , 005. [8] M. A. Franklin and S. r. Pipeline task scheduling on network processors. In Proceedings of 3rd Workshop on Network Processors and Applications - NP3(Madrid, Spain), February 004. [9] M. Fujita, S. Komatsu, H. Saito, K. Seto, T. Sakunkonchak, and Y. Kojima. Field modifiable architecture with FP- GAs and its design/verification/debugging methodologies. In Proceedings of 36th Annual Hawaii International Conference on System Sciences, page 79, 003. [10] S. E. Lee, J. H. Bahn, and N. Bagherzadeh. Design of a feasible on-chip interconnection network for a chip multiprocessor (CMP). In Proceedings of 19th International Symposium on Computer, Architecture and High Performance Computing (SBAC-PAD 007), 007. [11] P. Schaumont, K. Sakiyama, A. Hodjat,, and I. Verbauwhede. Embedded software integration for coarse-grain reconfigurable systems. In Proceedings of the 18th International Parallel and Distributed Processing Symposium (IPDPS 04), pages IEEE Computer Society Press, 004. [1] E. Swankoski, R. Brooks, V. Narayanan, M. Kandemir, and M. Irwin. A parallel architecture for secure FPGA symmetric encryption. In Proceedings of RAW 004, January 004. [13] S. Tillich and J. Groscha. Instruction set extensions for efficient implementation on 3-bit processors. In Cryptographic Hardware and Embedded Systems (CHES 006), LNCS Vol. 449:70 84, 006. [14] N. Weng and T. Wolf. Profiling and mapping of parallel workloads on network processors. In Proceedings of The 0th Annual ACM Symposium on Applied Computing (SAC), pages , March 005. [15] L. Wu, C. Weaver, and T. Austin. CryptoManiac : A fast flexible architecture for secure communication. In Proceedings of Annual Int. Symposium on Computer Architecture (ISCA), pages , 001. [16] J. Zambreno, D. Nguyen, and A. Choudhary. Exploring area/delay tradeoffs in an FPGA implementation. In Proceedings of FPL 004, volume LNCS Vol. 303, pages , 004.