high speed high security cryptography on arms
play

High-speed high-security cryptography on ARMs Daniel J. Bernstein - PowerPoint PPT Presentation

Feb 24, 2024 •114 likes •288 views

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology,

  1. High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology, Technische Universiteit Eindhoven joint work with: Peter Schwabe, Academia Sinica “Don’t roll your own crypto. Leave it to us.”

  2. Speed of cryptography: http://bench.cr.yp.to Bernstein, Lange: High-speed high-security cryptography on ARMs

  3. Speed comparison of the SHA-3 finalists Bernstein, Lange: High-speed high-security cryptography on ARMs

  4. Speed comparison of signature systems 64-bit 2400MHz Intel Xeon E5620 32-bit 1900MHz Pentium 4 Bernstein, Lange: High-speed high-security cryptography on ARMs

  5. Benchmarking of cryptographic systems ◮ We benchmark all submitted primitives on more than 100 different CPUs. So far 1112 implementations submitted. ◮ Cooperating project for smaller CPUs: xbx.das-labor.org . ◮ Benchmarking framework and all implementations are public. Anybody can run benchmark on own computer (we’re happy to post your data!). ◮ Clear speed differences between security levels. ◮ Clear speed differences between devices — we count cycles to eliminate influence of clock speed but CPUs do different # operations in one clock cycle. ◮ Clear speed differences between libraries (e.g. OpenSSL much slower than NaCl) ◮ Clear speed differences between choices within one family, e.g. elliptic-curve speed depends on the representation, the coordinate system, the windowing method, . . . Bernstein, Lange: High-speed high-security cryptography on ARMs

  6. Networking and Cryptography library (NaCl) nacl.cr.yp.to ◮ All cryptography has at least 128-bit security (takes at least 2 128 operations to break). ◮ Covers ◮ authenticated encryption (incl. DH key exchange) ◮ signatures ◮ both based on elliptic curves for public-key part ◮ Easy user interface. ◮ Very good speed. ◮ Software side-channel attack resistant: all operations take constant time, no key-dependent branches, no key-dependent addresses. ◮ Implementations are public domain, no known patent issues. ◮ Biggest early adopter: DNSCrypt from OpenDNS. Bernstein, Lange: High-speed high-security cryptography on ARMs

  7. Public-key authenticated encryption ◮ User interface: crypto box , takes public key of recipient, secret key of sender, and a nonce (number used only once) ◮ Diffie-Hellman key exchange using long-term keys. ◮ Stream cipher with MAC for bulk encryption. ◮ Security-optimized speed-optimized choice of cryptographic primitives, more specifically ◮ Elliptic curve in twisted Edwards form, conforming to IEEE-P1363, plus additional security properties. ◮ Salsa20 stream cipher (from final eSTREAM portfolio). ◮ Poly1305 (information-theoretic security). Bernstein, Lange: High-speed high-security cryptography on ARMs

  8. Car security as a crypto performance challenge Bernstein, Lange: High-speed high-security cryptography on ARMs

  9. Car security as a crypto performance challenge Bernstein, Lange: High-speed high-security cryptography on ARMs

  10. Car security as a crypto performance challenge PRESERVE deliverable 1.1, “Security Requirements of VSA”: The different driving scenarios we looked into indicate that in most driving situations (SUL, MUL, and SHL) the packet rates do not exceed 750 packets per second. Only the maximum highway scenario (MHL) goes well beyond this value (2,265 packets per second). . . . Processing 1,000 packets per second and processing each in 1 ms can hardly be met by current hardware. As discussed in [32], a Pentium D 3.4 GHz processor needs about 5 times as long for a verification (which is the most time-consuming operation in cryptographic processing overhead) and a typical OBU even 26 times as long. This is a good indication that a dedicated cryptographic co-processor is likely to be necessary. Bernstein, Lange: High-speed high-security cryptography on ARMs

  11. Performance measurement on a large processor NaCl measurements on typical desktop CPU (4-core 2400MHz Intel Xeon E5620, $390 last year): ◮ 4.99 cycles/byte for secret-key encryption (Salsa20). ◮ 2.66 cycles/byte for secret-key authentication (Poly1305). ◮ 227348 cycles for public-key session (ECDH: Curve25519). ◮ 272592 cycles to verify a signature (EdDSA: Ed25519). ◮ 133593 cycles to verify a signature inside a batch . ◮ 87336 cycles to sign a message. Bernstein, Lange: High-speed high-security cryptography on ARMs

  12. Performance measurement on a large processor NaCl measurements on typical desktop CPU (4-core 2400MHz Intel Xeon E5620, $390 last year): ◮ 4.99 cycles/byte for secret-key encryption (Salsa20). ◮ 2.66 cycles/byte for secret-key authentication (Poly1305). ◮ 227348 cycles for public-key session (ECDH: Curve25519). ◮ 272592 cycles to verify a signature (EdDSA: Ed25519). ◮ 133593 cycles to verify a signature inside a batch . ◮ 87336 cycles to sign a message. Let’s focus on ECDH: 42000 operations/second. Bernstein, Lange: High-speed high-security cryptography on ARMs

  13. Performance measurement on a large processor NaCl measurements on typical desktop CPU (4-core 2400MHz Intel Xeon E5620, $390 last year): ◮ 4.99 cycles/byte for secret-key encryption (Salsa20). ◮ 2.66 cycles/byte for secret-key authentication (Poly1305). ◮ 227348 cycles for public-key session (ECDH: Curve25519). ◮ 272592 cycles to verify a signature (EdDSA: Ed25519). ◮ 133593 cycles to verify a signature inside a batch . ◮ 87336 cycles to sign a message. Let’s focus on ECDH: 42000 operations/second. 90000 operations/second on another typical desktop CPU (3300MHz 6-core AMD Phenom II X6 1100T CPU, $190 last year). Bernstein, Lange: High-speed high-security cryptography on ARMs

  14. Performance measurement on a small processor BeagleBone development board revision A6: 720MHz TI Sitara AM3359 CPU; ARM Cortex A8 core. (Picture credits: beagleboard.org ) Our public-key speed: Bernstein, Lange: High-speed high-security cryptography on ARMs

  15. Performance measurement on a small processor BeagleBone development board revision A6: 720MHz TI Sitara AM3359 CPU; ARM Cortex A8 core. (Picture credits: beagleboard.org ) Our public-key speed: 1447 ECDH/second. Fully protected against software side-channel attacks. Bernstein, Lange: High-speed high-security cryptography on ARMs

  16. Performance extrapolation Faster Cortex A8 cores are widely used in mobile devices: ◮ 1000MHz Apple A4 in iPad 1, iPhone 4 (2010); ◮ 1000MHz Samsung Exynos 3110 in Samsung Galaxy S (2010); ◮ 1000MHz TI OMAP3630 in Motorola Droid X (2010); ◮ 800MHz Freescale i.MX50 in Amazon Kindle 4 (2011); ◮ etc. Our tests on various Cortex A8 cores demonstrate that performance is almost exactly linear in clock speed. Bernstein, Lange: High-speed high-security cryptography on ARMs

  17. Performance extrapolation Faster Cortex A8 cores are widely used in mobile devices: ◮ 1000MHz Apple A4 in iPad 1, iPhone 4 (2010); ◮ 1000MHz Samsung Exynos 3110 in Samsung Galaxy S (2010); ◮ 1000MHz TI OMAP3630 in Motorola Droid X (2010); ◮ 800MHz Freescale i.MX50 in Amazon Kindle 4 (2011); ◮ etc. Our tests on various Cortex A8 cores demonstrate that performance is almost exactly linear in clock speed. Reasonably safe ECDH extrapolations to other Cortex A8 cores: ◮ 1200 /second: 600MHz TI AM3352ZCZ60, 13.5 e (DigiKey). ◮ 2400 /second: 1200MHz Allwinner A10, reportedly $7 . But always better to measure directly. We’re working on it! Bernstein, Lange: High-speed high-security cryptography on ARMs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J. Bernstein University of Illinois at Chicago wget -m -k -I / \ secspider.cs.ucla.edu cd secspider.cs.ucla.edu awk /GREEN.*GREEN.*GREEN.*Yes/

1.48k views • 94 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago & Example 1

1.55k views • 138 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grgoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS17 2017-11-02

440 views • 31 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363 more elliptic-curve formulas; uses Weierstrass curves field arithmetic in Jacobian coordinates Daniel J. Bernstein to provide the fastest

2.15k views • 187 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Picture credits: geeky-gadgets.com ; Star Trek The Internet of Things Andrew Myers, Stanford Report, 2011.02.11:

543 views • 36 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for NextGen-VLA antenna project Qinglong Li, Andreas Beling, Joe C. Campbell University of Virginia, Charlottesville, VA 22904 Outline High power photodiode

746 views • 25 slides
High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

Preliminaries FPGA Implementation Results, Comparisons and Conclusions High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma Skytt a Helsinki University of Technology Department of Signal

528 views • 36 slides
High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

1 High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven with some slides from: Tanja Lange Technische Universiteit Eindhoven 2 Do we care about speed? Almost all software is

1.36k views • 44 slides
High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes an SMTP connection, sends

617 views • 40 slides
Britain's New High Speed Railway Carole Bardell, Head of Health, Safety and Security, HS2 Ltd 12

Britain's New High Speed Railway Carole Bardell, Head of Health, Safety and Security, HS2 Ltd 12

Britain's New High Speed Railway Carole Bardell, Head of Health, Safety and Security, HS2 Ltd 12 th March 2018 Aims for Today Get you up to speed on: HS2 Phase One The way we work; Safe at heart and The Supply Chain Standard

464 views • 29 slides
Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji Novotn Pavel eleda Radek Krej novotny@ics.muni.cz celeda@ics.muni.cz krejci@liberouter.org DeepSec In-Depth Security Conference 2010

652 views • 52 slides
ARM Microprocessor and ARM-Based Microcontrollers Nguatem William 24th May 2006 1 / 40 A

ARM Microprocessor and ARM-Based Microcontrollers Nguatem William 24th May 2006 1 / 40 A

ARM Microprocessor and ARM-Based Microcontrollers Nguatem William 24th May 2006 1 / 40 A Microcontroller-Based Embedded System 2 / 40 Introduction ARM Extensions IP Cores ARM based System Summary Roadmap Introduction 1 ARM ARM Basics

833 views • 40 slides
ARMS Virtual Parent Session Find a quiet space to participate. Reminder Turn on your

ARMS Virtual Parent Session Find a quiet space to participate. Reminder Turn on your

ARMS Virtual Parent Session Find a quiet space to participate. Reminder Turn on your video and be camera ready. of our Mute yourself unless you need to talk. norms Stay engaged. Agenda Grading May 1 - June

725 views • 11 slides
Advanced Algorithms (IV) Shanghai Jiao Tong University Chihao Zhang March 23rd, 2020 Review

Advanced Algorithms (IV) Shanghai Jiao Tong University Chihao Zhang March 23rd, 2020 Review

Advanced Algorithms (IV) Shanghai Jiao Tong University Chihao Zhang March 23rd, 2020 Review Review We learnt the Markov inequality Pr[ X a ] E [ X ] a Review We learnt the Markov inequality Pr[ X a ] E [ X ] a We can

1.09k views • 92 slides
QIGONG / TAI CHI FOR EMOTIONAL REGULATION An approach to adolescent treatment for anxiety,

QIGONG / TAI CHI FOR EMOTIONAL REGULATION An approach to adolescent treatment for anxiety,

QIGONG / TAI CHI FOR EMOTIONAL REGULATION An approach to adolescent treatment for anxiety, depression, ADHD, aggression and explosive behavior. Presenter: Brenda W. Schroeder, M.A., LMSW bschroeder@chartermi.net FIRST PRACTICE GATHERING

539 views • 16 slides
Adaptive Design in an Establishment Survey: Adaptive Design in an Establishment Survey: Strategic

Adaptive Design in an Establishment Survey: Adaptive Design in an Establishment Survey: Strategic

Adaptive Design in an Establishment Survey: Adaptive Design in an Establishment Survey: Strategic Targeting in the Agricultural Resource Management Survey (ARMS) Dr. Jaki McCarthy T l Tyler Wilson Wil Research and Development Division,

734 views • 22 slides
Adjuvant and Extended-Adjuvant Therapy for Patients with Localized HER2-Positive Breast Cancer

Adjuvant and Extended-Adjuvant Therapy for Patients with Localized HER2-Positive Breast Cancer

SABCS 2019, 13 December Adjuvant and Extended-Adjuvant Therapy for Patients with Localized HER2-Positive Breast Cancer Martine J Piccart-Gebhart, MD, PhD Scientific Director Jules Bordet Institute Universit Libre de Bruxelles Brussels,

201 views • 19 slides
Results from a Review of CBCRPs Support of Translational Research Priority-Setting Data for

Results from a Review of CBCRPs Support of Translational Research Priority-Setting Data for

Results from a Review of CBCRPs Support of Translational Research Priority-Setting Data for the Translation and Dissemination Program Goal October 11, 2013 Overview of 2015 Priority-Setting Process 1. Review the CBCRP mission statement and

209 views • 20 slides
Adverse Outcome Pathway Networks and the AOP Knowledgebase Stephen Edwards U.S. Environmental

Adverse Outcome Pathway Networks and the AOP Knowledgebase Stephen Edwards U.S. Environmental

Adverse Outcome Pathway Networks and the AOP Knowledgebase Stephen Edwards U.S. Environmental Protection Agency Integrated Systems Toxicology Division Outline Knowledge management Evidence assembly Data organization

495 views • 33 slides

More recommend