aes based authenticated encryption modes in parallel high
play

AES-Based Authenticated Encryption Modes in Parallel - PowerPoint PPT Presentation

May 05, 2023 •341 likes •540 views

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov Martin M. Lauridsen Elmar Tischhauser mmeh @ dtu.dk DTU Compute, Technical University of Denmark DIAC 2014 Santa Barbara, August 24, 2014 Context

  1. AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov Martin M. Lauridsen Elmar Tischhauser mmeh @ dtu.dk DTU Compute, Technical University of Denmark DIAC 2014 Santa Barbara, August 24, 2014

  2. Context

  3. Context ◮ Huge interest in AE in symmetric community due to CAESAR ◮ Focus on AEAD modes of operation for block ciphers ◮ Block cipher: AES-128 ◮ Intel’s latest Haswell architecture (2013) improves AEAD-relevant instructions ◮ AES-NI instructions ◮ pclmulqdq : Used for multiplication in GF (2 n ) ◮ Machine: Intel(R) Core(TM) i5-4300U CPU @ 1900 MHz

  4. Nonce-based vs. nonce-free In this talk... Nonce-based modes ◮ Lose authenticity, privacy or both when the nonce requirement is violated Nonce-free modes ◮ Maintain authenticity and privacy up to the common message prefix

  5. AEAD modes covered

  6. Modes implemented in this work First AES-NI First Haswell AES-NI Nonce-based OTR CLOC CCM COBRA (FSE 2014) OCB3 SILC Nonce-free McOE-G POET (hash: AES-128) COPA Julius (Julius-ECB) Also implemented: JAMBU and GCM. ( CAESAR submissions in bold )

  7. Multiple-message setting

  8. Multiple-message setting I Internet packet sizes essentially follow a bimodal distribution ◮ 44% of packets: 40-100 bytes ◮ 37% of packets: 1400-1500 bytes Thus, the CAESAR portfolio ◮ Should have excellent performance for messages up to 2KB ◮ This is the range we benchmark in this work Wolfgang John and Sven Tafvelin Analysis of Internet backbone traffic and header anomalies observed In Internet Measurement Conference 2007, pages 111–116. David Murray and Terry Koziniec The state of enterprise network traffic in 2012 In 18th Asia-Pacific Conference on Communications 2012

  9. Multiple-message setting II Meanwhile, this poses a problem 1) Most AEAD modes obtain their best performance only for long messages Another, mostly unrelated problem 2) Sequential AEAD modes can not fully utilize pipeline for AES encryption on general-purpose CPUs To remedy these two problems ◮ We consider processing multiple independent message streams in parallel as part of the algorithm itself ◮ Using varying parallelism degrees for all twelve AEAD modes ◮ We are not suggesting to implement message scheduling! Introduced with the performance study of ALE from FSE 2013

  10. Example: AES-CBC in a perfect world I ◮ In a perfect world , all messages have equal length! # msgs. cycles/byte speed-up single msg. 4 . 28 − 2 . 15 × 1 . 99 2 1 . 43 × 2 . 99 3 1 . 08 × 3 . 96 4 5 0 . 88 × 4 . 86 6 0 . 74 × 5 . 78 7 0 . 64 × 6 . 69 8 0 . 63 × 6 . 79 ◮ Speed-up nearly linear for 2 through 4 multiple messages

  11. Example: AES-CBC in a perfect world II Does parallel messages imply increased latency? ◮ For perfect parallelization, no increase in latency Latencies for processing ◮ Single message: 4 . 28 · | M | cycles ◮ 2 parallel messages: 4 . 30 · | M | cycles ◮ 3 parallel messages: 4 . 29 · | M | cycles ◮ 4 parallel messages: 4 . 32 · | M | cycles With 8 parallel messages ◮ Latency increased by 18% ◮ Throughput increased × 6 . 8

  12. Example: AES-CBC in a realistic world Assume we process 4 messages in parallel ◮ 2 messages of 128 bytes ◮ 1 message of 512 bytes ◮ 1 message of 1024 bytes Actual speedup cycles in single-message setting = cycles in multiple-message setting 4 . 28 · (2 · 128 + 512 + 1024) cycles = 1 . 09 · 4 · 128 + 2 . 15 · 2 · (512 − 128) + 4 . 28 · (1024 − 512) cycles = 1 . 74 ◮ Factor 2 . 27 slowdown from perfect world to realistic world

  13. Performance data

  14. Performance data: Baseline Mode Single msg. Multiple msg. (# msgs.) AES-ECB 0.63 0.63 (8) AES-CTR 0.74 0.75 (8) AES-CBC 4.28 0.63 (8) Theoretical minimum of ≈ 10 / 16 = 0 . 625 cpb obtained for AES-ECB AES-CBC obtains the same with 8 parallel messages (in a perfect world)

  15. Performance data: Single-message setting Message length (bytes) Mode 128 256 512 1024 2048 single message CCM 5 . 35 5 . 19 5 . 14 5 . 11 5 . 10 GCM 2 . 09 1 . 61 1 . 34 1 . 20 1 . 14 OCB3 2 . 19 1 . 43 1 . 06 0 . 87 0 . 81 OTR 2 . 97 1 . 34 1 . 13 1 . 02 0 . 96 CLOC 4 . 50 4 . 46 4 . 44 4 . 46 4 . 44 COBRA 4 . 41 3 . 21 2 . 96 2 . 83 2 . 77 JAMBU 9 . 33 9 . 09 8 . 97 8 . 94 8 . 88 SILC 4 . 57 4 . 54 4 . 52 4 . 51 4 . 50 McOE-G 7 . 77 7 . 36 7 . 17 7 . 07 7 . 02 COPA 3 . 37 2 . 64 2 . 27 2 . 08 1 . 88 POET 5 . 30 4 . 93 4 . 75 4 . 68 4 . 62 Julius 4 . 18 4 . 69 3 . 24 3 . 08 3 . 03

  16. Performance data: Multiple-message setting Message length (bytes) Mode 128 256 512 1024 2048 # msgs. multiple messages CCM 8 1 . 51 1 . 44 1 . 40 1 . 38 1 . 37 GCM 13 1 . 81 1 . 72 1 . 68 1 . 65 1 . 64 OCB3 7 1 . 59 1 . 16 0 . 94 0 . 83 0 . 77 OTR 8 1 . 28 1 . 08 0 . 98 0 . 94 0 . 92 CLOC 7 1 . 40 1 . 31 1 . 26 1 . 24 1 . 23 COBRA 8 2 . 04 1 . 88 1 . 80 1 . 76 1 . 75 JAMBU 14 2 . 14 1 . 98 1 . 89 1 . 85 1 . 82 SILC 7 1 . 43 1 . 33 1 . 28 1 . 25 1 . 24 McOE-G 7 1 . 91 1 . 76 1 . 68 1 . 64 1 . 62 COPA 15 1 . 62 1 . 53 1 . 48 1 . 46 1 . 45 POET 8 3 . 24 2 . 98 2 . 86 2 . 79 2 . 75 Julius 7 2 . 53 2 . 27 2 . 16 2 . 09 2 . 06

  17. Performance data: Speed-ups Message length (bytes) Mode 128 256 512 1024 2048 CCM × 3 . 54 × 3 . 60 × 3 . 67 × 3 . 70 × 3 . 72 GCM × 1 . 15 × 0 . 94 × 0 . 80 × 0 . 73 × 0 . 70 OCB3 × 1 . 38 × 1 . 23 × 1 . 13 × 1 . 05 × 1 . 05 OTR × 2 . 32 × 1 . 24 × 1 . 15 × 1 . 09 × 1 . 04 CLOC × 3 . 21 × 3 . 40 × 3 . 52 × 3 . 60 × 3 . 61 COBRA × 2 . 16 × 1 . 71 × 1 . 64 × 1 . 61 × 1 . 58 JAMBU × 4 . 36 × 4 . 59 × 4 . 75 × 4 . 83 × 4 . 88 SILC × 3 . 20 × 3 . 41 × 3 . 53 × 3 . 61 × 3 . 63 McOE-G × 4 . 07 × 4 . 18 × 4 . 27 × 4 . 31 × 4 . 33 COPA × 2 . 08 × 1 . 73 × 1 . 53 × 1 . 42 × 1 . 30 POET × 1 . 64 × 1 . 65 × 1 . 66 × 1 . 68 × 1 . 45 Julius × 1 . 65 × 2 . 07 × 1 . 50 × 1 . 47 × 1 . 47

  18. Another example: SILC in the multiple-message setting In a perfect world ◮ Speed-up roughly × 3 . 60 using 7 multiple messages In a realistic world ◮ Assume we process 7 messages in parallel ◮ 4 messages of 128 bytes ◮ 3 messages of 2048 bytes cycles in single-message setting Actual speedup = cycles in multiple-message setting 4 . 57 · 4 · 128 + 4 . 50 · 3 · 2048 cycles = 1 . 24 · 7 · 128 + 1 . 76 · 3 · (2048 − 128) cycles = 2 . 67 ◮ Factor 1 . 35 slowdown from perfect world to realistic world

  19. Summary ◮ AEAD modes should excel for messages up to 2KB ◮ Obtained first AES-NI and/or Haswell performance figures for many new (CAESAR candidate) AEAD modes ◮ Multiple-message processing allows significant speed-up of especially sequential modes ◮ Also for messages of varying length Read the full version of the paper at https://eprint.iacr.org/2014/186 (also has nice pictures) Thanks.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption September 29, 2015 Atul Luykx, Bart Preneel, Kan Yasuda 1 / 15 Modes of Operation p E K F K E K 2 / 15 Modes of Operation p E K F K

428 views • 42 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx COSIC, KU Leuven August 14, 2013 Joint work with A. Bogdanov, E. Andreeva, B. Mennink, N. Mouha, K. Yasuda 1 / 16 Stateless, Deterministic

198 views • 17 slides
ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1 , Florian Mendel 2 ,

ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1 , Florian Mendel 2 ,

ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1 , Florian Mendel 2 , Francesco Regazzoni 3,4 , Vincent Rijmen 5 , Elmar Tischhauser 5 1 Technical University of Denmark 2 IAIK, Graz University of Technology, Austria 3 ALaRI -

279 views • 26 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in (Partially based on joint work with Debrup Chakraborty) Directions

1.01k views • 61 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
Control Charts for x and R Subsequent use of the charts The next 20 samples are added to the

Control Charts for x and R Subsequent use of the charts The next 20 samples are added to the

ST 435/535 Statistical Methods for Quality and Productivity Improvement / Statistical Process Control Control Charts for x and R Subsequent use of the charts The next 20 samples are added to the charts with the control limits derived from

670 views • 14 slides
Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi

Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi

Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi (STAT615@ISU) Slice sampling November 14, 2017 1 / 26 Slice sampling Slice sampling Suppose the target distribution is p ( | y ) with scalar

1.13k views • 26 slides
Revisiting Benchmarking Methodology for Interconnect Devices Daniel Raumer, Sebastian Gallemller,

Revisiting Benchmarking Methodology for Interconnect Devices Daniel Raumer, Sebastian Gallemller,

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Revisiting Benchmarking Methodology for Interconnect Devices Daniel Raumer, Sebastian Gallemller, Florian Wohlfart, Paul Emmerich, Patrick

437 views • 14 slides
The Epeak - Fluence Bimodality: A fundamental discriminator between long and short GRBs Adam

The Epeak - Fluence Bimodality: A fundamental discriminator between long and short GRBs Adam

The Epeak - Fluence Bimodality: A fundamental discriminator between long and short GRBs Adam Goldstein under the direction of Rob Preece BATSE 5B Spectral Catalog 2,106 GRBs 19,936 Spectra 9,971 2-Sec Peak Flux Spectra 9,965 3.5 Sigma

475 views • 10 slides
Sampling multimodal densities in high dimensional sampling space Gersende FORT LTCI, CNRS &

Sampling multimodal densities in high dimensional sampling space Gersende FORT LTCI, CNRS &

Sampling multimodal densities in high dimensional sampling space Sampling multimodal densities in high dimensional sampling space Gersende FORT LTCI, CNRS & Telecom ParisTech Paris, France Journ ees MAS Toulouse, Ao ut 2014

700 views • 54 slides
Lecture 6: Non-Parametric Methods Parzen Estimation Dr. Chengjiang Long Computer Vision

Lecture 6: Non-Parametric Methods Parzen Estimation Dr. Chengjiang Long Computer Vision

Lecture 6: Non-Parametric Methods Parzen Estimation Dr. Chengjiang Long Computer Vision Researcher at Kitware Inc. Adjunct Professor at RPI. Email: longc3@rpi.edu Recap Previous Lecture 2 C. Long Lecture 6 February 6, 2018 Outline

835 views • 58 slides
Microeconometrics Blundell Lecture 1 Overview and Binary Response Models Richard Blundell

Microeconometrics Blundell Lecture 1 Overview and Binary Response Models Richard Blundell

Microeconometrics Blundell Lecture 1 Overview and Binary Response Models Richard Blundell http://www.ucl.ac.uk/~uctp39a/ University College London February-March 2016 Blundell ( University College London ) ECONG107: Blundell Lecture 1

778 views • 49 slides
Binary Choice Matthieu de Lapparent matthieu.delapparent@epfl.ch Transport and Mobility

Binary Choice Matthieu de Lapparent matthieu.delapparent@epfl.ch Transport and Mobility

Binary Choice Matthieu de Lapparent matthieu.delapparent@epfl.ch Transport and Mobility Laboratory, School of Architecture, Civil and Environmental Engineering, Ecole Polytechnique F ed erale de Lausanne Transport and Mobility Laboratory

805 views • 53 slides

More recommend