architecture level optimizations for kummer based hecc on
play

Architecture level Optimizations for Kummer based HECC on FPGAs - PowerPoint PPT Presentation

Nov 21, 2022 •50 likes •360 views

Architecture level Optimizations for Kummer based HECC on FPGAs Gabriel GALLIN Turku Ozlum CELIK Arnaud TISSERAND CNRS IRISA Univ. Rennes Lab-STICC December, 11 th Indocrypt 2017 ECC, HECC, Kummer-HECC size of GF ( P ) elems.

  1. Architecture level Optimizations for Kummer based HECC on FPGAs Gabriel GALLIN – Turku Ozlum CELIK – Arnaud TISSERAND CNRS – IRISA – Univ. Rennes – Lab-STICC December, 11 th Indocrypt 2017

  2. ECC, HECC, Kummer-HECC size of GF ( P ) elems. source ADD DBL ECC ℓ ECC 12 M + 2 S 7 M + 3 S [2] ℓ HECC ≈ 1 HECC 2 ℓ ECC 40 M + 4 S 38 M + 6 S [7] KHECC ℓ HECC 19 M + 12 S [10] Metric for algorithms efficiency: number of multiplications ( M ) and squares ( S ) in GF ( P ) Kummer-HECC (KHECC) is more efficient than ECC: ◮ Software implementations by Renes et al. at CHES 2016 [10] ◮ ARM Cortex M0: up to 75% clock cycles reduction for signatures ◮ AVR AT-mega: up to 32% cycles reduction for Diffie-Hellman Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 2 / 21

  3. Operations Hierarchy in KHECC Protocols Hardware ◮ Protocols based on scalar multiplication accelerator Curve-Level Scalar Operations Multiplication ◮ Sequence of curve-level operation xDBLADD : [ k ] P b ( ± P , ± Q , ± ( P − Q )) → ( ± [2] P , ± ( P + Q )) xDBLADD (P,Q,P b ) ◮ Size of elements in GF ( P ): 128 bits ◮ Dedicated hyper-threaded multiplier [3]: x ± y x x y 3 independent modular multiplications computed in parallel GF( ) Operations Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 3 / 21

  4. Scalar Multiplication: Montgomery Ladder Montgomery ladder based crypto scalarmult from [10]: Require: m -bit scalar k = � m − 1 i =0 2 i k i , point P b , cst ∈ GF ( P ) 4 Ensure: V 1 = [ k ] P b , V 2 = [ k + 1] P b V 1 ← cst V 2 ← P b for i = m − 1 downto 0 do ( V 1 , V 2 ) ← CSWAP ( k i , ( V 1 , V 2 )) ( V 1 , V 2 ) ← xDBLADD ( V 1 , V 2 , P b ) ( V 1 , V 2 ) ← CSWAP ( k i , ( V 1 , V 2 )) end for return ( V 1 , V 2 ) CSWAP ( k i , ( X , Y )) returns ( X , Y ) if k i = 0, else ( Y , X ) ◮ Constant time, uniform operations (independent from key bits) ◮ CSWAP : very simple but handles secret bits (to be protected) Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 4 / 21

  5. xDBLADD GF ( P ) Operation IN M M S M OUT IN M M S M OUT IN M M S M OUT IN M M S OUT cst cst cst cst cst cst cst cst cst cst cst IN S M S M OUT IN S M S M OUT IN S M S M OUT IN S M S M OUT ◮ Some parallelism available (up to 8 GF ( P ) operations) ◮ Several possible hardware architectures can be implemented Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 5 / 21

  6. Architectural Exploration ◮ Fast exploration and validation of numerous hardware architecture configurations with dedicated tools ( cf. paper ) ◮ Full implementation of 4 selected architectures A1: Smallest architecture A2: Modification of CSWAP A3: Doubled number of arithmetic units A4: Doubled number of units (arithmetic and MEM ) in 2 clusters ◮ Width of MEM and interconnect to be selected: w = 34, 68 or 136 bits Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 6 / 21

  7. Architecture A1: Base Solution ◮ Smallest accelerator: 1 AddSub , 1 Mult , 1 MEM and 1 CSWAP Data Memory Ctrl DMUX Control AddSub Mult CSWAP Data MUX Program Memory Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 7 / 21

  8. FPGA LUT FF logic DSP RAM freq. clock time w [bit] slices slices blocks [MHz] cycles [ms] 34 1010 1833 1361 11 4 322 194,614 0.60 V4 68 1750 3050 2251 11 5 305 186,911 0.61 136 2281 3028 1985 11 7 266 184,337 0.69 34 757 1816 603 11 4 360 194,614 0.54 V5 68 1264 3033 908 11 5 360 186,911 0.52 136 1582 3008 940 11 7 360 184,337 0.51 34 1064 1770 408 11 4 278 194,614 0.70 S6 68 1555 2970 705 11 5 252 186,911 0.74 136 1910 2994 747 11 7 221 184,337 0.83 ◮ Area increases when w increases ◮ Increased number of BRAMs for large memories ◮ Small clock cycles reduction for larger w cancelled by frequency drops ◮ Small w 34 more interesting for A1 architecture Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 8 / 21

  9. Architecture A2: CSWAP Optimization ◮ Same architecture topology as A1: 1 AddSub , 1 Mult , 1 MEM and 1 modified CSWAP ◮ Modified CSWAP unit implements new CSWAP V2 operation: ◮ Merged consecutive CSWAP operations of successive iterations ( V 1 , V 2 ) ← CSWAP V2 ((0 , k m − 1 ) , ( V 1 , V 2 )) for i = m − 1 downto 1 do ( V 1 , V 2 ) ← xDBLADD ( V 1 , V 2 , P b ) ( V 1 , V 2 ) ← CSWAP V2 (( k i , k i − 1 ) , ( V 1 , V 2 )) end for ◮ Swaps V 1 and V 2 if k i � = k i − 1 (only one xor gate needed) ◮ CSWAP unit has constant time behavior Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 9 / 21

  10. FPGA LUT FF logic DSP RAM freq. clock time w [bit] slices slices blocks [MHz] cycles [ms] 34 872 1624 1121 11 4 330 184,374 0.56 V4 68 1556 2637 1978 11 5 290 183,071 0.63 136 2161 3027 2100 11 7 327 183,057 0.56 34 722 1605 541 11 4 360 184,374 0.51 V5 68 1196 2620 840 11 5 360 183,071 0.51 136 1419 3009 944 11 7 360 183,057 0.51 34 940 1559 381 11 4 293 184,374 0.63 S6 68 1503 2565 553 11 5 262 183,071 0.70 136 1890 2981 667 11 7 283 183,057 0.65 ◮ Less CSWAP V2 operations ⇒ slightly less clock cycles than in A1 ◮ Simplified management of CSWAP V2 operations ◮ Slightly higher frequencies , with smaller variations ◮ Slightly reduced area (LUTs and FFs) ◮ A2 slightly more interesting than A1 both for speed and area ( ∼ 10%) ◮ Small w 34 still the best configuration Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 10 / 21

  11. Architecture A3: Large Architecture ◮ Doubled number of GF ( P ) units: 2 AddSub , 2 Mult ◮ More GF ( P ) operations in parallel: up to 6 multiplications Data Memory Ctrl DMUX Control AddSub AddSub Mult Mult CSWAP Data MUX Program Memory Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 11 / 21

  12. FPGA LUT FF logic DSP RAM freq. clock time w [bit] slices slices blocks [MHz] cycles [ms] 34 1462 2611 1783 22 6 294 188,218 0.64 V4 68 2802 4367 3468 22 7 282 124,191 0.44 136 3768 5017 3660 22 9 285 119,057 0.42 34 1262 2607 921 22 6 358 188,218 0.53 V5 68 2290 4403 1409 22 7 345 124,191 0.36 136 2737 4978 1594 22 9 348 119,057 0.34 34 1527 2503 668 22 6 265 188,218 0.71 S6 68 2421 4267 1020 22 7 225 124,191 0.55 136 3007 4877 1131 22 9 225 119,057 0.53 ◮ +60–90% LUTs , 11 DSP slices, + 2 BRAMs compared to A2 ◮ Frequency drops on V4 ( < 13%) and S6 ( < 20%) ◮ – 34–36% clock cycles for w 68 and w 136 , compared to w 34 ◮ 25 to 35% reduced computation time for w 136 depending on FPGA ◮ A3 faster than A2, but larger → area – speed trade-offs Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 12 / 21

  13. Architecture A4: Clustered Architecture IN H M M H S M OUT cst cst CS CS cst OUT IN H H S M H S M ◮ Decomposition of xDBLADD into two symmetric clusters of GF ( P ) operations Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 13 / 21

  14. Architecture A4: Clustered Architecture IN H M M H M M OUT cst cst CS CS cst OUT IN H H M M H M M ◮ Decomposition of xDBLADD into two symmetric clusters of GF ( P ) operations ◮ Modifications of xDBLADD : ◮ Squares → multiplications ◮ No impact on mathematical behavior nor on operations count Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 13 / 21

  15. Architecture A4: Clustered Architecture IN H M M H M M OUT cst cst CS 0 CS 1 cst IN H H M M H M M OUT ◮ Decomposition of xDBLADD into two symmetric clusters of GF ( P ) operations ◮ Modifications of xDBLADD : ◮ Squares → multiplications ◮ No impact on mathematical behavior nor on operations count ◮ New modification of CSWAP : CSWAP V3 ◮ Replaced by two new swapping operations ◮ CS 0 ( A , B , C , D ) → ( A , B , C , B ) if k i = 0 else ( C , D , A , D ) ◮ CS 1 ( A , B , C , D ) → ( A , B , C , D ) if k i = 0 else ( C , D , A , B ) Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 13 / 21

  16. ◮ Same number of GF ( P ) units as in A3: 2 AddSub , 2 Mult ◮ Doubled number of MEM : one for each hardware cluster ◮ CSWAP unit : “bridge” to exchange data between clusters ◮ Same control for both clusters (reduced complexity) Data ADD/SUB AddSub Memory Data MUX Mult C S Control W A P Mult Data MUX Data Memory ADD/SUB AddSub Program Memory Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 14 / 21

  17. FPGA LUT FF logic DSP RAM freq. clock time w [bit] slices slices blocks [MHz] cycles [ms] 34 1695 2950 2158 22 7 324 142,119 0.44 V4 68 2804 4282 3184 22 9 290 128,021 0.44 136 3171 4994 3337 22 13 299 125,456 0.42 34 1370 2953 1013 22 7 358 142,119 0.40 V5 68 2095 4259 1358 22 9 337 128,021 0.38 136 2514 4952 1589 22 13 313 125,456 0.40 34 1564 2089 758 22 7 262 142,119 0.54 S6 68 2387 4030 1060 22 9 239 128,021 0.54 136 3181 4786 1136 22 13 251 125,456 0.50 ◮ Increased area for w 34 compared to A3 ◮ Increased number of BRAMs for additional MEM ◮ Less clock cycles for w 34 ⇒ MEM bottleneck in small configurations ◮ A4 better than A3 for small configuration w 34 Dec., 11 th 2017 G.Gallin – T.O.Celik – A.Tisserand Indocrypt 2017 15 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outcomes Based Funding Update HECC FEBRUARY FULL COMMISSION MEETING 2/12/2015 Brian Fox,

Outcomes Based Funding Update HECC FEBRUARY FULL COMMISSION MEETING 2/12/2015 Brian Fox,

Outcomes Based Funding Update HECC FEBRUARY FULL COMMISSION MEETING 2/12/2015 Brian Fox, Administrator, Public University Budget &amp; Finance PROCESS 2 OBF Technical Workgroup (TWG) formed in May, 2014 University Presidents, HECC

842 views • 44 slides
CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and optimizations] Day8: January 30, 2000 Exploiting Instruction-Level Parallelism Caltech CS184b Winter2001 -- DeHon 1 Today Reducing Control

192 views • 16 slides
Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National

Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National

OOPSLA 18 Boston Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National Univ. Chung-Kil Hur MPI-SWS Ralf Jung Zhengyang Liu University of Utah John Regehr Nuno P. Lopes Microsoft Research

1.3k views • 127 slides
Thomas B. Rolinger , Christopher D. Krieger SC 2018 1 Outline 1. Motivation 2. Emu Architecture

Thomas B. Rolinger , Christopher D. Krieger SC 2018 1 Outline 1. Motivation 2. Emu Architecture

Impact of Traditional Sparse Optimizations on a Migratory Thread Architecture Thomas B. Rolinger , Christopher D. Krieger SC 2018 1 Outline 1. Motivation 2. Emu Architecture 3. SpMV Optimizations 4. Experiments and Results 5. Conclusions

841 views • 55 slides
Advanced cache memory optimizations Computer Architecture J. Daniel Garca Snchez

Advanced cache memory optimizations Computer Architecture J. Daniel Garca Snchez

Advanced cache memory optimizations Advanced cache memory optimizations Computer Architecture J. Daniel Garca Snchez (coordinator) David Expsito Singh Francisco Javier Garca Blas ARCOS Group Computer Science and Engineering Department

558 views • 44 slides
Hardware Architectures for HECC Gabriel GALLIN and Arnaud TISSERAND CNRS Lab-STICC IRISA

Hardware Architectures for HECC Gabriel GALLIN and Arnaud TISSERAND CNRS Lab-STICC IRISA

Hardware Architectures for HECC Gabriel GALLIN and Arnaud TISSERAND CNRS Lab-STICC IRISA HAH Project CryptArchi June, 2017 Summary Context &amp; Motivations HECC Operations Efficient Multiplier Architectures and Tools Conclusion

507 views • 33 slides
Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations

Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations

Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations time occurs in loops First, we will identify loops We will study three optimizations Loop-invariant code motion This lecture is

249 views • 5 slides
HB 3472 Update HOUSE COMMITTEE ON HIGHER EDUCATION AND WORKFORCE DEVELOPMENT Presented by: Rob

HB 3472 Update HOUSE COMMITTEE ON HIGHER EDUCATION AND WORKFORCE DEVELOPMENT Presented by: Rob

HB 3472 Update HOUSE COMMITTEE ON HIGHER EDUCATION AND WORKFORCE DEVELOPMENT Presented by: Rob Fullmer, HECC Commissioner &amp; Pay It Forward Workgroup Chair Donna Lewelling, HECC Policy Analyst HB 3472: Pay It Forward HECC to consider

539 views • 12 slides
The arithmetic of characteristic 2 Kummer surfaces Pierrick Gaudry 1 David Lubicz 2 1 LORIA,

The arithmetic of characteristic 2 Kummer surfaces Pierrick Gaudry 1 David Lubicz 2 1 LORIA,

Introduction Kummer Surfaces The characteristic 2 case Conclusion The arithmetic of characteristic 2 Kummer surfaces Pierrick Gaudry 1 David Lubicz 2 1 LORIA, Campus Scientifique, BP 239, 54506 Vandoeuvre-ls-Nancy, France 2 Universt de

877 views • 38 slides
Models and Tools for the High-Level Simulation of a Name-Based Interdomain Routing Architecture

Models and Tools for the High-Level Simulation of a Name-Based Interdomain Routing Architecture

I NTRODUCTION P ROBLEM A PPLICATION -D RIVEN H IGH -L EVEL S IMULATION S IMULATION C OMPONENTS R ESULTS Models and Tools for the High-Level Simulation of a Name-Based Interdomain Routing Architecture Kari Visala, Andrew Keating Helsinki

236 views • 20 slides
IMS based NGN IMS based NGN Architecture Architecture and its application and its application

IMS based NGN IMS based NGN Architecture Architecture and its application and its application

I nternational Telecom m unication Union ITU-T IMS based NGN IMS based NGN Architecture Architecture and its application and its application Dick Knight BT Group plc I TU-T W orkshop NGN and its Transport Netw orks Kobe, 2 0 -2 1

218 views • 17 slides
Kalrays MPPA: Mathematical library and low level arithmetic optimizations Kalray training at

Kalrays MPPA: Mathematical library and low level arithmetic optimizations Kalray training at

Kalrays MPPA: Mathematical library and low level arithmetic optimizations Kalray training at CERN, June 3 rd , Nicolas Brunie Nicolas Brunie Kalrays MPPA: Mathematical library and low level arithmetic optimizations 1 / 27 1

329 views • 28 slides
CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and optimizations] Day1: January 3, 2000 Architecture and overview Caltech CS184b Winter2001 -- DeHon 1 Today This Quarter What is

341 views • 15 slides
Elliptic curve in short Weierstrass form over a field k E : y 2 = x 3 + ax + b (always such a model

Elliptic curve in short Weierstrass form over a field k E : y 2 = x 3 + ax + b (always such a model

Arithmetic on Abelian and Kummer varieties 7. 7 Notes of a talk given for the Lfant Algorithmic Number Theory Seminar Bordeaux. Normal projectivity 7 5.5. Addition, Differential addition 8 6. Arithmetic on Kummer varieties 8 6.1.

305 views • 11 slides
COSC 5351 Advanced Computer Architecture Slides modified from Hennessy CS252 course slides 11

COSC 5351 Advanced Computer Architecture Slides modified from Hennessy CS252 course slides 11

COSC 5351 Advanced Computer Architecture Slides modified from Hennessy CS252 course slides 11 Advanced Cache Optimizations Memory Technology and DRAM optimizations Virtual Machines Xen VM: Design and Performance AMD Opteron

983 views • 83 slides
High-Level Wrapper for CloudKeeper Architecture Configuration Architecture High-Level Workflow

High-Level Wrapper for CloudKeeper Architecture Configuration Architecture High-Level Workflow

High-Level Wrapper for CloudKeeper Architecture Configuration Architecture High-Level Workflow Abstraction Layer Workflow Service provides pre-configured CloudKeeper environments (in particular, a workflow interpreter) Forked Simple-Module

420 views • 15 slides
CS 126 Lecture A3: Boolean Logic Outline Introduction Logic gates Boolean algebra

CS 126 Lecture A3: Boolean Logic Outline Introduction Logic gates Boolean algebra

CS 126 Lecture A3: Boolean Logic Outline Introduction Logic gates Boolean algebra Implementing gates with switching devices Common combinational devices Conclusions CS126 11-1 Randy Wang Where We Are At We have

732 views • 22 slides
ECEU530 Schedule ECE U530 Homework 6 due Wednesday, November 15 Digital Hardware Synthesis

ECEU530 Schedule ECE U530 Homework 6 due Wednesday, November 15 Digital Hardware Synthesis

ECEU530 Schedule ECE U530 Homework 6 due Wednesday, November 15 Digital Hardware Synthesis Complete the Calculator from ECEU323 in VHDL Write a controller Prof. Miriam Leeser Combine controller and datapath mel@coe.neu.edu

473 views • 14 slides
HCAL Back End Requirements and Architecture A. Belloni University of Maryland Biographical

HCAL Back End Requirements and Architecture A. Belloni University of Maryland Biographical

HCAL Back End Requirements and Architecture A. Belloni University of Maryland Biographical Notes Assistant Professor, University of Maryland 2007 Ph.D. Massachusetts Institute of Technology Relevant positions 2014-present:

347 views • 20 slides
SMD150 Computer Architecture Andrey Kruglyak Note: some of todays slides are by Jonas Thor

SMD150 Computer Architecture Andrey Kruglyak Note: some of todays slides are by Jonas Thor

SMD150 Computer Architecture Andrey Kruglyak Note: some of todays slides are by Jonas Thor Today Introduction to VHDL - VHSIC Hardware Description Language crash course with examples SyncSim, new version how to create

518 views • 32 slides
340 Million Tweets per day 2.3 Billion Queries per day &lt; 10 s Indexing latency 50 ms Avg.

340 Million Tweets per day 2.3 Billion Queries per day &lt; 10 s Indexing latency 50 ms Avg.

340 Million Tweets per day 2.3 Billion Queries per day &lt; 10 s Indexing latency 50 ms Avg. query response time Earlybird - Realtime Search @twitter Michael Busch @michibusch michael@twitter.com buschmi@apache.org Earlybird - Realtime

1.2k views • 96 slides
Exploiting Quality-Efficiency Tradeoffs with Arbitrary Quantization Special Session - CODES+ISSS

Exploiting Quality-Efficiency Tradeoffs with Arbitrary Quantization Special Session - CODES+ISSS

Exploiting Quality-Efficiency Tradeoffs with Arbitrary Quantization Special Session - CODES+ISSS Thierry Moreau , Felipe Augusto, Patrick Howe Armin Alaghi, Luis Ceze Internet of Things Revolution aggregate noisy, real world analytics,

536 views • 39 slides
Outline Overview Parallel Computing with GPU Introduction to CUDA CUDA Thread Model

Outline Overview Parallel Computing with GPU Introduction to CUDA CUDA Thread Model

Outline Overview Parallel Computing with GPU Introduction to CUDA CUDA Thread Model CUDA Memory Hierarchy and Memory Spaces CUDA Memory Hierarchy and Memory Spaces CUDA Synchronization 2110412 Parallel Comp Arch CUDA:

449 views • 12 slides
BUBBLE STR UBBLE STRUGGLE UGGLE Call Graph Visualization with Radare2 Marion Marschalek

BUBBLE STR UBBLE STRUGGLE UGGLE Call Graph Visualization with Radare2 Marion Marschalek

BUBBLE STR UBBLE STRUGGLE UGGLE Call Graph Visualization with Radare2 Marion Marschalek marion@0x1338.at @pinkflawd Static Analysis is King What my my sa sandbox th thought What my my cu customer th thought the malw th alware do

886 views • 50 slides

More recommend