cryptographic software engineering part 2 daniel j
play

Cryptographic software engineering, part 2 Daniel J. Bernstein - PDF document

Sep 02, 2022 •27 likes •1.03k views

1 Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General software engineering. Using const-time instructions. 2 Software optimization Almost all software is much slower than it could be. 2 Software

  1. 1 Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: • General software engineering. • Using const-time instructions.

  2. 2 Software optimization Almost all software is much slower than it could be.

  3. 2 Software optimization Almost all software is much slower than it could be. Is software applied to much data? Usually not. Usually the wasted CPU time is negligible.

  4. 2 Software optimization Almost all software is much slower than it could be. Is software applied to much data? Usually not. Usually the wasted CPU time is negligible. But crypto software should be applied to all communication. Crypto that’s too slow ⇒ fewer users ⇒ fewer cryptanalysts ⇒ less attractive for everybody.

  5. 3 Typical situation: X is a cryptographic system. You have written a (const-time) reference implementation of X . You want (const-time) software that computes X as efficiently as possible. You have chosen a target CPU. (Can repeat for other CPUs.) You measure performance of the implementation. Now what?

  6. 4 A simplified example Target CPU: TI LM4F120H5QR microcontroller containing one ARM Cortex-M4F core. Reference implementation: int sum(int *x) { int result = 0; int i; for (i = 0;i < 1000;++i) result += x[i]; return result; }

  7. 5 Counting cycles: static volatile unsigned int *const DWT_CYCCNT = (void *) 0xE0001004; ... int beforesum = *DWT_CYCCNT; int result = sum(x); int aftersum = *DWT_CYCCNT; UARTprintf("sum %d %d\n", result,aftersum-beforesum); Output shows 8012 cycles. Change 1000 to 500: 4012.

  8. 6 “Okay, 8 cycles per addition. Um, are microcontrollers really this slow at addition?”

  9. 6 “Okay, 8 cycles per addition. Um, are microcontrollers really this slow at addition?” Bad practice: Apply random “optimizations” (and tweak compiler options) until you get bored. Keep the fastest results.

  10. 6 “Okay, 8 cycles per addition. Um, are microcontrollers really this slow at addition?” Bad practice: Apply random “optimizations” (and tweak compiler options) until you get bored. Keep the fastest results. Try -Os : 8012 cycles.

  11. 6 “Okay, 8 cycles per addition. Um, are microcontrollers really this slow at addition?” Bad practice: Apply random “optimizations” (and tweak compiler options) until you get bored. Keep the fastest results. Try -Os : 8012 cycles. Try -O1 : 8012 cycles.

  12. 6 “Okay, 8 cycles per addition. Um, are microcontrollers really this slow at addition?” Bad practice: Apply random “optimizations” (and tweak compiler options) until you get bored. Keep the fastest results. Try -Os : 8012 cycles. Try -O1 : 8012 cycles. Try -O2 : 8012 cycles.

  13. 6 “Okay, 8 cycles per addition. Um, are microcontrollers really this slow at addition?” Bad practice: Apply random “optimizations” (and tweak compiler options) until you get bored. Keep the fastest results. Try -Os : 8012 cycles. Try -O1 : 8012 cycles. Try -O2 : 8012 cycles. Try -O3 : 8012 cycles.

  14. 7 Try moving the pointer: int sum(int *x) { int result = 0; int i; for (i = 0;i < 1000;++i) result += *x++; return result; }

  15. 7 Try moving the pointer: int sum(int *x) { int result = 0; int i; for (i = 0;i < 1000;++i) result += *x++; return result; } 8010 cycles.

  16. 8 Try counting down: int sum(int *x) { int result = 0; int i; for (i = 1000;i > 0;--i) result += *x++; return result; }

  17. 8 Try counting down: int sum(int *x) { int result = 0; int i; for (i = 1000;i > 0;--i) result += *x++; return result; } 8010 cycles.

  18. 9 Try using an end pointer: int sum(int *x) { int result = 0; int *y = x + 1000; while (x != y) result += *x++; return result; }

  19. 9 Try using an end pointer: int sum(int *x) { int result = 0; int *y = x + 1000; while (x != y) result += *x++; return result; } 8010 cycles.

  20. 10 Back to original. Try unrolling: int sum(int *x) { int result = 0; int i; for (i = 0;i < 1000;i += 2) { result += x[i]; result += x[i + 1]; } return result; }

  21. 10 Back to original. Try unrolling: int sum(int *x) { int result = 0; int i; for (i = 0;i < 1000;i += 2) { result += x[i]; result += x[i + 1]; } return result; } 5016 cycles.

  22. 11 int sum(int *x) { int result = 0; int i; for (i = 0;i < 1000;i += 5) { result += x[i]; result += x[i + 1]; result += x[i + 2]; result += x[i + 3]; result += x[i + 4]; } return result; }

  23. 11 int sum(int *x) { int result = 0; int i; for (i = 0;i < 1000;i += 5) { result += x[i]; result += x[i + 1]; result += x[i + 2]; result += x[i + 3]; result += x[i + 4]; } return result; } 4016 cycles. “Are we done yet?”

  24. 12 “Why is this bad practice? Didn’t we succeed in making code twice as fast?”

  25. 12 “Why is this bad practice? Didn’t we succeed in making code twice as fast?” Yes, but CPU time is still nowhere near optimal, and human time was wasted.

  26. 12 “Why is this bad practice? Didn’t we succeed in making code twice as fast?” Yes, but CPU time is still nowhere near optimal, and human time was wasted. Good practice: Figure out lower bound for cycles spent on arithmetic etc. Understand gap between lower bound and observed time.

  27. 13 Find “ARM Cortex-M4 Processor Technical Reference Manual”. Rely on Wikipedia comment that M4F = M4 + floating-point unit.

  28. 13 Find “ARM Cortex-M4 Processor Technical Reference Manual”. Rely on Wikipedia comment that M4F = M4 + floating-point unit. Manual says that Cortex-M4 “implements the ARMv7E-M architecture profile”.

  29. 13 Find “ARM Cortex-M4 Processor Technical Reference Manual”. Rely on Wikipedia comment that M4F = M4 + floating-point unit. Manual says that Cortex-M4 “implements the ARMv7E-M architecture profile”. Points to the “ARMv7-M Architecture Reference Manual”, which defines instructions: e.g., “ADD” for 32-bit addition. First manual says that ADD takes just 1 cycle.

  30. 14 Inputs and output of ADD are “integer registers”. ARMv7-M has 16 integer registers, including special-purpose “stack pointer” and “program counter”.

  31. 14 Inputs and output of ADD are “integer registers”. ARMv7-M has 16 integer registers, including special-purpose “stack pointer” and “program counter”. Each element of x array needs to be “loaded” into a register.

  32. 14 Inputs and output of ADD are “integer registers”. ARMv7-M has 16 integer registers, including special-purpose “stack pointer” and “program counter”. Each element of x array needs to be “loaded” into a register. Basic load instruction: LDR. Manual says 2 cycles but adds a note about “pipelining”. Then more explanation: if next instruction is also LDR (with address not based on first LDR) then it saves 1 cycle.

  33. 15 n consecutive LDRs takes only n + 1 cycles (“more multiple LDRs can be pipelined together”). Can achieve this speed in other ways (LDRD, LDM) but nothing seems faster. Lower bound for n LDR + n ADD: 2 n + 1 cycles, including n cycles of arithmetic. Why observed time is higher: non-consecutive LDRs; costs of manipulating i .

  34. 16 int sum(int *x) { int result = 0; int *y = x + 1000; int x0,x1,x2,x3,x4, x5,x6,x7,x8,x9; while (x != y) { x0 = 0[(volatile int *)x]; x1 = 1[(volatile int *)x]; x2 = 2[(volatile int *)x]; x3 = 3[(volatile int *)x]; x4 = 4[(volatile int *)x]; x5 = 5[(volatile int *)x]; x6 = 6[(volatile int *)x];

  35. 17 x7 = 7[(volatile int *)x]; x8 = 8[(volatile int *)x]; x9 = 9[(volatile int *)x]; result += x0; result += x1; result += x2; result += x3; result += x4; result += x5; result += x6; result += x7; result += x8; result += x9; x0 = 10[(volatile int *)x]; x1 = 11[(volatile int *)x];

  36. 18 x2 = 12[(volatile int *)x]; x3 = 13[(volatile int *)x]; x4 = 14[(volatile int *)x]; x5 = 15[(volatile int *)x]; x6 = 16[(volatile int *)x]; x7 = 17[(volatile int *)x]; x8 = 18[(volatile int *)x]; x9 = 19[(volatile int *)x]; x += 20; result += x0; result += x1; result += x2; result += x3; result += x4; result += x5;

  37. 19 result += x6; result += x7; result += x8; result += x9; } return result; }

  38. 19 result += x6; result += x7; result += x8; result += x9; } return result; } 2526 cycles. Even better in asm.

  39. 19 result += x6; result += x7; result += x8; result += x9; } return result; } 2526 cycles. Even better in asm. Wikipedia: “By the late 1990s for even performance sensitive code, optimizing compilers exceeded the performance of human experts.”

  40. 19 result += x6; result += x7; result += x8; result += x9; } return result; } 2526 cycles. Even better in asm. Wikipedia: “By the late 1990s for even performance sensitive code, optimizing compilers exceeded the performance of human experts.” — [citation needed]

  41. 20 A real example Salsa20 reference software: 30.25 cycles/byte on this CPU. Lower bound for arithmetic: 64 bytes require 21 · 16 1-cycle ADDs, 20 · 16 1-cycle XORs, so at least 10 : 25 cycles/byte. Also many rotations, but ARMv7-M instruction set includes free rotation as part of XOR instruction. (Compiler knows this.)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

1.15k views • 86 slides
Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

810 views • 63 slides
Cryptographic 1972 Parnas On the criteria software engineering, to be used in decomposing

Cryptographic 1972 Parnas On the criteria software engineering, to be used in decomposing

1 2 Cryptographic 1972 Parnas On the criteria software engineering, to be used in decomposing part 1 systems into modules: Daniel J. Bernstein We propose instead that one begins with a list of difficult design decisions or This

1.6k views • 143 slides
Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein

Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein

Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein University of Illinois at Chicago; Ruhr University Bochum CVE-2018-0733, an OpenSSL bug Because of an implementation bug the PA-RISC CRYPTO_memcmp

1.32k views • 106 slides
Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

1 2 Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes files University of Illinois at Chicago &amp; Technische Universiteit Eindhoven RAM disk Operating-system kernel divides RAM among processes,

1.32k views • 100 slides
Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an OpenSSL bug Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit

670 views • 44 slides
Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Developer at the company Tieto Recently done Master Thesis on the

940 views • 82 slides
Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and Nicolas Sendrier Part I General Facts about Hash Functions The Merkle-Damg ard construction D Padding + length n n n o o o i i i s s

393 views • 25 slides
Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing your Experiment Massimiliano Di Penta University of Sannio, Italy Outline Empirical studies in software engineering Different kinds of

1.62k views • 146 slides
EECS 4314 Advanced Software Engineering Topic 13: Software Performance Engineering Zhen Ming

EECS 4314 Advanced Software Engineering Topic 13: Software Performance Engineering Zhen Ming

EECS 4314 Advanced Software Engineering Topic 13: Software Performance Engineering Zhen Ming (Jack) Jiang Acknowledgement Adam Porter Ahmed Hassan Daniel Menace David Lilja Derek Foo Dharmesh Thakkar James Holtman

1.5k views • 81 slides
Using software trails to recover the evolution of software 3rd ELISA 2003 Daniel M. German

Using software trails to recover the evolution of software 3rd ELISA 2003 Daniel M. German

Using software trails to recover the evolution of software 3rd ELISA 2003 Daniel M. German Software Engineering Group University of Victoria, Canada September 23, 2003 Version: 1.0.0 1 Introduction By using tools that become vital to the

490 views • 23 slides
How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

1 How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for funding this work, and for not reviewing these slides in advance. PRESERVE, ending 2015.06.30, was a European project Preparing Secure

491 views • 32 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July 18, 2014 Motivation Cryptography is a small but important part of security Proofs are a small but important part of cryptography Hard to

402 views • 17 slides
Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is software engineering? An engineering discipline that is concerned with all aspects of software production from the early stages of system

676 views • 29 slides
eXtended eXternal Benchmarking eXtension (XXBX) Jens-Peter Kaps Cryptographic Engineering

eXtended eXternal Benchmarking eXtension (XXBX) Jens-Peter Kaps Cryptographic Engineering

Introduction &amp; Motivation XXBX Hardware XXBX Software Conclusions and Future Work eXtended eXternal Benchmarking eXtension (XXBX) Jens-Peter Kaps Cryptographic Engineering Research Group (CERG) http://cryptography.gmu.edu Department of

738 views • 42 slides
IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios

IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios

IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D. Keromytis December 7, 2014 Columbia University mpomonis@cs.columbia.edu IntFlow Columbia

463 views • 32 slides
L OCKPICK : Lock Inference for Atomic Sections Jeffrey S. Foster Michael Hicks Polyvios

L OCKPICK : Lock Inference for Atomic Sections Jeffrey S. Foster Michael Hicks Polyvios

L OCKPICK : Lock Inference for Atomic Sections Jeffrey S. Foster Michael Hicks Polyvios Pratikakis University of Maryland, College Park Lock Inference for Atomic Sections p. 1/11 Introduction Concurrent programming is notoriously

595 views • 31 slides
Why add layers? Originally, operating systems supported just one file system. What changed?

Why add layers? Originally, operating systems supported just one file system. What changed?

V irtual F ile system S witch A brief overview of the Linux storage stack Why add layers? Originally, operating systems supported just one file system. What changed? introduction of removable media (floppy, CD-ROM, usb drives, etc.)

409 views • 18 slides
Dynamic Memory Review C++ must figure out the amount of space each variable takes up in

Dynamic Memory Review C++ must figure out the amount of space each variable takes up in

Dynamic Memory Review C++ must figure out the amount of space each variable takes up in memory at compile-time (before the program is run). When a function is called, C++ reserves a block of memory for all of that function's variables at

619 views • 30 slides
Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield

Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield

Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield University March 22, 2019 Paul Baginski Fairfield University Nonunique Factorization in the Ring of Integer-Valued Polynomials 2016 Fairfield

334 views • 30 slides
Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School of Engineering and Computer Science Victoria University of Wellington What is Flow Typing? Defining characteristic : ability to retype variables JVM

534 views • 18 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of

Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of

Integer factorization: Exercise for the reader: a progress report Find a nontrivial factor of 6366223796340423057152171586. D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation rization:

593 views • 55 slides

More recommend