Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne ž evi ć NXP Semiconductors miroslav.knezevic@nxp.com January 25, 2016 School on Design for a Secure IoT, Tenerife, 2016
THINGS
Smart Plugs 3. January 28, 2016
Smart Door Locks 4. January 28, 2016
Smart Thermostats 5. January 28, 2016
Smart Smoke Detectors 6. January 28, 2016
Smart Light Bulbs 7. January 28, 2016
Connected Cars 8. January 28, 2016
WHY HARDWARE?
…to run software, obviously! 10. January 28, 2016
But software alone is… Slow Insecure Energy inefficient 11. January 28, 2016
Super Powers of Embedded HW Performance Security* Power Area (Energy) * In the original slide deck Superman was held responsible for Security. During the coffee break, students suggested that Batman would be a better representative and I agree he is. So sorry, Mr. Kent! 13. January 28, 2016
Area – Designing the Smallest Block Cipher 14. January 28, 2016
MOSFET Channel Length V DD A A D G S 15. January 28, 2016
NAND gate Smallest logical gate with two inputs. • GE (gate equivalence) = physical area • of a single NAND gate. (Ab)used for comparing HW designs • across different CMOS technologies. 16. January 28, 2016
XOR gate 2-3 GE 17. January 28, 2016
Modern Lightweight Ciphers < 1000 GE 18. January 28, 2016
AES (128-bit key, ENC only) 2500 GE 19. January 28, 2016
Advances in CMOS Technology 140 nm 40 nm 10 nm 20. January 28, 2016
ARM Cortex M0 example (~20 kGE) CMOS CMOS 140 nm 40 nm 16.25 mm 21. January 28, 2016
Block Cipher – HW Perspective Minimize! Key size ≥ 80 bits Round function + Memory Key schedule + Block size ≥ 32 bits Control logic 22. January 28, 2016
KATAN – The Smallest Block Cipher 23. January 28, 2016
KATAN – The Smallest Block Cipher Only 508 bits of expanded key! KATAN32 = 315 GE + 508 bits of ROM 24. January 28, 2016
KATAN in numbers It’s (one of) the smallest known cipher(s): < 500 GE But it’s not very fast: 254 clock cycles Still scalable: 3 times faster for negligible area overhead 25. January 28, 2016
KATAN vs Competition LED KATAN 180nm NXP140 Synopsys Cadence Piccolo ≥ 700 GE ≥ 460 GE 130nm PRESENT Synopsys UMC180 ≥ 700 GE IHP250 AMIS350 Synopsys ~1kGE KLEIN TSMC180 Synopsys ≥ 1.3 kGE SIMON SPECK IBM130 IBM130 Synopsys Synopsys ≥ 520 GE ≥ 580 GE 26. January 28, 2016
Memory Elements in different CMOS Technologies AREA OF SCAN-FF [GE] 7.67 6.67 6.25 <5 NXP 90NM UMC 130NM UMC 180NM NANGATE 45NM 27. January 28, 2016
SPONGENT in different CMOS Technologies up to 70% difference! AREA [GE] 2323 2071 2012 1950 1768 1728 1571 1367 1340 1329 1256 1192 1103 1060 918 868 759 738 737 521 VERSION 1 VERSION 2 VERSION 3 VERSION 4 VERSION 5 28. January 28, 2016
How can we do a fair comparison? Difficult in practice. But why not using an open-core library at least? http://www.nangate.com/ 29. January 28, 2016
Performance – Designing the Fastest Block Cipher 30. January 28, 2016
Latency vs Throughput 12 Serial 9 3 processing 6 Latency = 15 s Throughput = 0.067 beer/s 31. January 28, 2016
Latency vs Throughput 12 Parallel 9 3 processing! 6 Latency = 15 s Throughput = 0.2 beer/s 32. January 28, 2016
Latency vs Throughput 12 9 3 Pipelining! 6 Latency = 15 s Throughput = 0.2 beer/s 33. January 28, 2016
Latency vs Throughput 12 9 3 Unrolling! 6 bottom-up! Latency = 5 s Throughput = 0.2 beer/s 34. January 28, 2016
Latency of Existing Ciphers – Is Lightweight = “Light + Wait”? BLOCK-SIZE KEY-SIZE S-BOX P-LAYER K-SCHEDULE AES 128 128 8 MDS LIGHT NOEKEON 128 128 4 BINARY NO MINI-AES 64 64 4 MDS LIGHT 64 64, 96, 128 4 BINARY LIGHT MCRYPTON BIT PRESENT 64 80, 128 4 LIGHT PERMUTATION KLEIN 64 64, 80, 96 4 MDS LIGHT LED 64 64, 128 4 MDS NO 35. January 28, 2016
Unrolled HW Architectures 36. January 28, 2016
Results – Latency (CMOS 90 nm) 37. January 28, 2016 17.8 20.2 15.3 16.4 20.3 21.4 25.3 26.4 31.2 32.8 46.6 LATENCY [NS] 48.2 1-cycle 9.8 10.8 2-cycle 9.8 10.8 9.8 11 9.9 12 14.8 17 15.5 17.4 14.8 16.4 14.7 16.6
Number of Rounds vs Key Size 38. January 28, 2016
Results – Area (CMOS 90 nm) 39. January 28, 2016 366.6 191.8 48.2 24.9 63.7 32.6 79.9 41.3 128.7 63.5 193.1 96 AREA [KGE] 1-cycle 41.3 20.9 2-cycle 40.4 21.1 41.4 21 40 22 102.5 49.6 49.5 27.1 72.3 37.6 73.8 37.1
Low Latency Encryption S-box Use small S-boxes (e.g. 5-bit, 4-bit, 3-bit) • Almost everything follows the normal distribution. So does the S-box! • choose me! slide credit: Gregor Leander 40. January 28, 2016
Low Latency Encryption Number of Rounds vs Round Complexity Not too low complexity. • Reduce the number of rounds at the cost of (slightly) heavier round. • 41. January 28, 2016
Low Latency Encryption Key Schedule Number of rounds should be independent of the key schedule. • Use constant addition instead of a key schedule (if possible). • 42. January 28, 2016
Low Latency Encryption Encryption vs Decryption Use involution where possible: 𝑔 𝑔 𝑦 = 𝑦. • Make Encryption and Decryption procedures similar. • BUT: think application oriented – sometimes it is beneficial to have • asymmetric constructions. 43. January 28, 2016
Low Latency Encryption Meet PRINCE 𝛽 -reflection property: 44. January 28, 2016
Low Latency Encryption Meet PRINCE LATENCY [NS] 46.6 31.2 25.3 20.3 17.8 15.3 15.5 14.8 14.8 14.7 9.8 9.8 9.8 9.9 8 45. January 28, 2016
Low Latency Encryption Meet PRINCE AREA [KGE] 366.6 193.1 128.7 102.5 79.9 73.8 72.3 63.7 49.5 48.2 41.4 41.3 40.4 40 17 46. January 28, 2016
Power/Energy – Future of Lightweight Crypto 47. January 28, 2016
History of Lightweight Crypto (Area) Lightweight Block Ciphers 3500 3000 2500 AREA (GE) AES DES 2000 1500 1000 PRESENT 500 KATAN 0 1970 1980 1990 2000 2010 2020 YEAR 48. January 28, 2016
History of Lightweight Crypto (Latency) Lightweight Block Ciphers 10000 LATENCY (# CLOCK CYCLES) 1000 100 10 1 1970 1980 1990 2000 2010 2020 YEAR 49. January 28, 2016
History of Lightweight Crypto (Energy*) Lightweight Block Ciphers 100000000 10000000 1000000 100000 10000 AREA * LATENCY 1000 100 10 1 1970 1980 1990 2000 2010 2020 YEAR 50. January 28, 2016
Future of Lightweight Crypto (Energy*) Lightweight Block Ciphers 100000000 10000000 1000000 100000 10000 AREA * LATENCY PRINCE Future of LWC 1000 100 10 1 1970 1980 1990 2000 2010 2020 YEAR 51. January 28, 2016
= Energy 52. January 28, 2016
= Power 53. January 28, 2016
Passive RFID: Low Power Applications Reader RFID tag CONTROL NETWORK RF RF MEMORY INTERFACE CRYPTO 54. January 28, 2016
Anything Battery Powered: Low Energy Applications 55. January 28, 2016
Every mW matters! Total number of mobile devices in 2015 = 9.5 billion* Average (regular) power consumption of a smartphone = 160 mW** Total energy spent = € 2.8 billion*** a year! * Mobile Statistics Report 2015-2019, The Radicati Group Inc. ** An Analysis of Power Consumption in a Smartphone, A Carroll, G Heiser, USENIX 2010. *** average electricity price in 2014 in EU was € 0.208 per kWh. 56. January 28, 2016
Cisco estimates… … 50 billion* connected devices by 2020 * http://www.cisco.com/web/solutions/trends/iot/portfolio.html 57. January 28, 2016
Intel says… … 200 billion* smart devices by 2020 * http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html 58. January 28, 2016
Moving Bits vs Moving People & Things * http://www.tech-pundit.com/wp-content/uploads/2013/07/Cloud_Begins_With_Coal.pdf 59. January 28, 2016
World’s ICT Energy Consumption The ICT ecosystem uses about 1500 TWh of electricity annually and approaches 10% of world electricity generation! * http://www.tech-pundit.com/wp-content/uploads/2013/07/Cloud_Begins_With_Coal.pdf 60. January 28, 2016
What can Crypto do about it? Become Lightweight Crypto! 61. January 28, 2016
Power Consumption in (Crypto) HW 𝑄 𝑢𝑝𝑢 = 𝑄 𝑡𝑥𝑗𝑢𝑑ℎ𝑗𝑜 + 𝑄 𝑚𝑓𝑏𝑙𝑏𝑓 𝑄 𝑡𝑥𝑗𝑢𝑑ℎ𝑗𝑜 ≫ 𝑄 𝑚𝑓𝑏𝑙𝑏𝑓 2 ∙ 𝑔 𝑄 𝑡𝑥𝑗𝑢𝑑ℎ𝑗𝑜 ≈ 𝐷 𝑓𝑔𝑔 ∙ 𝑊 𝑑𝑚𝑙 ∙ 𝑡𝑥 𝐸𝐸 62. January 28, 2016
Energy Consumption in (Crypto) HW 𝐹 = 𝑄 ∙ 𝑢 = 𝑄 ∙ 𝑂 𝑔 𝑑𝑚𝑙 2 ∙ 𝑂 ∙ 𝑡𝑥 𝐹 ≈ 𝐷 𝑓𝑔𝑔 ∙ 𝑊 𝐸𝐸 63. January 28, 2016
Recommend
More recommend