minimalism of software implementation
play

Minimalism of Software Implementation Extensive Performance - PowerPoint PPT Presentation

Nov 22, 2023 •386 likes •719 views

Minimalism of Software Implementation Extensive Performance Analysis of Symmetric Primitives on the RL78 Microcontroller - Mitsuru Matsui and Yumiko Murakami Information Technology R&D Center Mitsubishi Electric Corporation Agenda 1.

  1. Minimalism of Software Implementation – Extensive Performance Analysis of Symmetric Primitives on the RL78 Microcontroller - Mitsuru Matsui and Yumiko Murakami Information Technology R&D Center Mitsubishi Electric Corporation

  2. Agenda 1. Introduction • Our motivation • Previous work • Our aim and contributions 2. RL78 microcontroller 3. Interface and Metrics 4. Comparative Figures • Block ciphers • Hash functions 5. Implementation highlights 6. Conclusions 2

  3. 3 Introduction

  4. Our motivation Recent light-weight cryptography is mainly discussed from the aspect of hardware design. – How about SOFTWARE? – In particular, EMBEDDED software? Software implementation of light-weight cryptography is an important issue and needs to be more discussed. 4

  5. Previous work ECRYPT II project* – implemented block ciphers and hash functions on ATtiny45 processor (4KB-ROM, 256B-RAM) in assembly language, and – published the performance evaluation results, which aimed at the top speed record for each primitive on the processor. *ECRYPT II, Implementations of low cost block-ciphers/hash-functions in Atmel AVR devices, http://perso.uclouvain.be/fstandae/source_codes/lightweight_ciphers/ http://perso.uclouvain.be/fstandae/source_codes/hash_atmel/ 5

  6. Our aim ROM/RAM sizes available to crypto primitives are usually determined by somebody outside crypto! What embedded programmers want to know is – The target primitive can be implemented within the given resource constraints? – Which primitive is fastest in the given resource? We aim at demonstrating overall performance figure: – Various size-and-speed tradeoffs for each primitive. – What ROM/RAM size combinations are possible or impossible. 6

  7. Our contributions To show various size-and-speed tradeoffs for each primitive, • classified available ROM/RAM size combinations into several categories. – 512B, 1KB, and 2KB for ROM-size – 64B, 128B, 256B, and 512B for RAM-size • optimized speed in each category e.g., ROM-2KB/RAM-128B. In addition, we show other tradeoffs for some primitives – Fastest code (at the cost of ROM size) – Smallest ROM size (at the cost of speed) 7

  8. Target primitives • Block ciphers – AES, Camellia (ISO/IEC18033-3) – CLEFIA, PRESENT (ISO/IEC29192-2) • Hash functions – SHA-256/512 – Keccak-256/512, Skein-256/512, Groestl-256/512 (SHA-3 finalists) Skein-256: Skein-256-256 Skein-512: Skein-512-512 Keccak-256: Keccak[r=1088, c=512] Keccak-512: Keccak[r=576, c=1024] 8

  9. 9 RL78 microcontroller

  10. RL78 microcontroller Our target: the RL78 microcontroller (by Renesas Electronics): • 8/16-bit low-end microcontroller • From general-purpose to in-vehicle • Wide memory variations up to 512KB/32KB ROM/RAM • The minimum ROM/RAM sizes are 2KB/256B • CISC processor with eight general registers ( a,x,b,c,d,e,h,l ) – ECRYPT II's target, ATtiny, is a RISC processor with 32 registers 10

  11. Instruction examples Instruction Byte Cycle addw ax, [hl+byte] 3 1 xor/or/and reg1, reg2 1 1 shl/shr a/b/c, cnt 2 1 shlw/shrw ax/bc, cnt 2 1 rolc/rorc a,1 2 1 skc/sknc/skz/sknz 2 1 push/pop regpair 1 1 call adr 3 3 ret 1 6 Many instructions allow only register a/ax as a destination register • and only register pair hl as a general address pointer. • On the other hand, it supports read-modify instructions and its average instruction length is short. 11

  12. 12 Interface and Metrics

  13. Interface We adopted a simple and portable program interface - – commonly accepted in embedded software. – a subroutine callable from a high level language – based on the calling conventions of Renesas’s RL78 development tool. – using the first argument only, which is passed by ax – register pair hl must be recovered at the end of the routine passed by ax (only one argument) Caller (C code) Message block Buffer IV / Hash Flag call/ret Callee (Primitive) 13

  14. Metrics Our purposes: – to get an overall performance figure on size-and-speed tradeoffs for each primitive, and – to reveal that a specific size and speed combination is possible/impossible. ROM-1KB/RAM- ROM-1KB/RAM- Minimize the ROM Minimize the ROM 128B is enough for 128B is enough for size without caring size without caring this primitive. this primitive. the speed. the speed. Portfolio of a primitive (example) ROM-Min(400B) ROM-512B ROM-1KB ROM-2KB - RAM-128B 20,000 9,000 3,000 RAM-64B x x 4,000 3,500 (cycles/block) When only ROM-512B/RAM- When only ROM-512B/RAM- ` - ' : “Satiated”: the top speed is already 64B is available, this primitive 64B is available, this primitive obtained in other category is not an option. is not an option. `x' : The primitive is (seems) impossible to implement in the category 14

  15. How to count ROM/RAM size No consensus* of how to count ROM and RAM sizes of a given crypto routine. How to count RAM size should be unambiguously defined. – RAM is more expensive than ROM in an embedded system. In our metric, ROM and RAM sizes should indicate the entire resource consumption of a target subroutine. * some examples of previous work: • mandatory parameters (such as plaintext and key) were not counted; • stack consumption was not taken into account ; • calling convention was ignored (no register was saved/restored in a subroutine). 15

  16. 16 Comparative figures - Block ciphers -

  17. Speed comparison (Enc-only) 【 ROM-2KB 】 【 ROM-512B/1KB 】 PRESENT:512B-64B (cycles/block) PRESENT:1KB-64B PRESENT:1KB-64B CLEFIA:1KB-128B Camellia:2KB-64B Camellia:1KB-128B AES:512B-128B CLEFIA:2KB-64B AES:1KB-64B AES:1KB-64B Message length (byte) • AES and Camellia show an overall excellent performance • Only AES and PRESENT are options when 512B ROM is available. • Only PRESENT survives with ROM-512B and RAM-64B 17

  18. Speed comparison (Enc+Dec) 【 ROM-2KB 】 【 ROM-512B/1KB 】 PRESENT(D):2KB-64B PRESENT(D):512B-64B (cycles/block) PRESENT(E):2KB-64B CLEFIA(D):2KB-128B PRESENT(E):512B-64B CLEFIA(E):2KB-128B AES(D):2KB-64B PRESENT(D):1KB-64B Camellia(D):2KB-128B Camellia(E):2KB-128B PRESENT(E):1KB-64B AES(D):1KB-128B AES(E):2KB-64B AES(E):1KB-128B Message length (byte) • We can see three speed groups. • Neither Camellia nor CLEFIA is an option with 1KB ROM. • Decryption of Camellia is faster than that of AES when 2KB ROM is available. 18

  19. 19 Comparative figures - Hash functions -

  20. Speed comparison (256-bit Hash) 【 ROM-2KB 】 【 ROM-512B/1KB 】 Keccak:1KB-512B Keccak:2KB-512B Keccak:512B-512B (cycles/block) Groestl:2KB-256B Groestl:1KB-256B Groestl:2KB-512B Groestl:1KB-512B Skein:512B-256B Skein:2KB-256B SHA:1KB-256B Skein:1KB-256B SHA:2KB-256B Message length (byte) • SHA-256 is still the best choice if 1KB ROM is given. • When ROM size is limited to 512 bytes, then SHA-256 is excluded and Keccak-256 and Skein-256 survive. • SHA > Skein > Groestl > Keccak when message is long 20

  21. Speed comparison (512-bit Hash) 【 ROM-2KB 】 【 ROM-512B/1KB 】 Groestl:1KB-512B Groestl:2KB-512B (cycles/block) Keccak:2KB-512B Keccak:1KB-512B Skein:2KB-256B Keccak:512B-512B Skein:512B-256B Skein:1KB-256B SHA:2KB-512B Message length (byte) • Only Skein-512 is an option when RAM is limited to 256B. • SHA-512 and Skein-512 are fastest with 2KB ROM. • Only Keccak-512 and Skein-512 survive with 512B ROM. 21

  22. Implementation highlights

  23. AES-128 Initial Observation (Algorithm and Required Memory) 16 bytes 16 bytes Plaintext Key RAM: AddRoundKey 64B (not easy) or 16 bytes SubBytes 128B (enough) Round 1 ShiftRows KeyStep MixCoumns Round 2 Constant ROM: KeyStep Round 3 256B (S-box) KeyStep 256B (Inv S-Box) KeyStep Round 10 Ciphertext 23

  24. AES-128 Implementation of MixColumn (+SubButes+ShiftRows) x S[in+0] c S[in+1] = d S[in+2] 44 instructions e S[in+3] SBOX [in+0] SBOX [in+2] mov c,a xor x,a SBOX [mem] = mov d,a xor c,a mov a,[mem] mov e,a xor e,a mov b,a GMUL2 GMUL2 mov a,S[b] mov x,a xor c,a xor e,a xor d,a GMUL2 = shl a,1 SBOX [in+1] SBOX [in+3] sknc xor x,a xor x,a xor a,#01BH xor d,a xor c,a xor e,a xor d,a GMUL2 GMUL2 a ← 2a (in GF(2 8 )) xor x,a xor d,a xor c,a xor e,a 24

  25. AES-128 incl. S-box table (256B) Enc-only ROM-Min(486B) ROM-512B ROM-1024B RAM-128B 7,288 6,622 - RAM-64B x x 3855 Loop in MixColumns “Flat” Implementation (one MixColumn code) (four MixColumn codes) incl. S-box tables (512B) ROM- ROM-1024B ROM-2048B Fast Enc+Dec Min(970B) (2380B) Enc 7,743 7,339 RAM- - - 128B Dec 12,683 / 10862 10,636 / 9,106 Enc 3,917 3,865 RAM- x x 64B Dec 6,804 / 5,911 6,541 / 5,706 25

  26. PRESENT-80 Hardware “Ultra-Lightweight” 64-bit Block Cipher 8 bytes 10 bytes RAM: 64B is enough 8 bytes 10 bytes Constant ROM: 16B (S-box) or 31 rounds 256B (S-box||S-box) 16B (Inv S-box) or 256B (Inv Sbox||Inv S-box) 26

  27. PRESENT-80 Implementation of sBoxLayer+pLayer b c d e mov a,SS[mem] mov x,a addw ax,ax xch a,b addw ax,ax repetition of this code xch a,c makes one round x4 addw ax,ax xch a,d addw ax,ax xch a,e 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Journalism LRRH Minimalism Notes Slide 2 - LRHH

Journalism LRRH Minimalism Notes Slide 2 - LRHH

Journalism LRRH Minimalism Notes Slide 2 - LRHH We see shapes in context, and our reactions to them depend in large part on that

173 views • 3 slides
with Meredith Marsh At its core, minimalism is the intentional promotion of the things we most

with Meredith Marsh At its core, minimalism is the intentional promotion of the things we most

with Meredith Marsh At its core, minimalism is the intentional promotion of the things we most value and the removal of everything that distracts us from it. - Joshua Becker, Becoming Minimalist Tidying up is organized hoarding. - The

282 views • 24 slides
Implementation Clean Code och TDD r exempel p verktyg som vi kan anvnda. Software

Implementation Clean Code och TDD r exempel p verktyg som vi kan anvnda. Software

Vad innebr Software Craftmanship? > Vi r proffs som vill leverera kod vi kan vara stolta ver. Varfr? Drfr att vi vet att det lnar sig i lngden. Vi spenderar tex 90% av tiden med att lsa kod, 10% skriva. Implementation

505 views • 9 slides
Kyle Suero @KST123ABC The Arch History Inspired by CRUX/BSD - Minimalism Only officially

Kyle Suero @KST123ABC The Arch History Inspired by CRUX/BSD - Minimalism Only officially

A simple, lightweight distribution Kyle Suero @KST123ABC The Arch History Inspired by CRUX/BSD - Minimalism Only officially support x86_64 Initially released March 11, 2002 by Judd Vinet Arch is an angsty teen! Almost 16. Wow.

509 views • 27 slides
9/4/2012 Vision Screening Minimalism The Eagles Eye Mobile, and what we offer An eye

9/4/2012 Vision Screening Minimalism The Eagles Eye Mobile, and what we offer An eye

9/4/2012 Vision Screening Minimalism The Eagles Eye Mobile, and what we offer An eye health first-aid kit: What An eye health first aid kit: What Carter Liotta, OD every nurse should have and why St. Christophers Hospital for

461 views • 6 slides
Minimalism Jennifer Bartley Minimal Arts objectively describable structures and

Minimalism Jennifer Bartley Minimal Arts objectively describable structures and

Minimalism Jennifer Bartley Minimal Arts objectively describable structures and proportions, its elemental forms and serial accumulations, its industrial materials and production forms argue consistently against abstract arts

1.54k views • 20 slides
Against Upwards Agree: A view from Dagestan Pavel Rudnev prudnev@hse.ru 22-03-2019 Background

Against Upwards Agree: A view from Dagestan Pavel Rudnev prudnev@hse.ru 22-03-2019 Background

Against Upwards Agree: A view from Dagestan Pavel Rudnev prudnev@hse.ru 22-03-2019 Background Agreement in minimalism Mainstream minimalism central spot afforded to unvalued features in much of current theorising Alternatives

551 views • 51 slides
Modeling Linguistic Theory on a Computer: From GB to Minimalism Sandiway Fong Dept. of

Modeling Linguistic Theory on a Computer: From GB to Minimalism Sandiway Fong Dept. of

Modeling Linguistic Theory on a Computer: From GB to Minimalism Sandiway Fong Dept. of Linguistics Dept. of Computer Science 1 MIT IAP Computational Linguistics Fest, 1/14/2005 Outline Mature system: PAPPI Current work

1.02k views • 32 slides
Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Development of Embedded System Courses with implementation of Innovative Virtual approaches for integration of Research, Education and Production in UA, GE, AM Pilot Teaching Implementation Software for Embedded Systems Galyna Tabunshchyk

397 views • 14 slides
HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a

HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a

HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a wide variety of approaches of mapping DFGs to software Software Mapping of SDF Sequential Parallel single-processor multi-processor *Processor

351 views • 18 slides
The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system for accessing remote files across LANs . NFS The implementation is part of the Solaris and SunOS operating systems running on Sun workstations

327 views • 3 slides
Software Best Practices Clearinghouse Promoting Adoption and Effective Implementation Kathleen

Software Best Practices Clearinghouse Promoting Adoption and Effective Implementation Kathleen

Software Best Practices Clearinghouse Promoting Adoption and Effective Implementation Kathleen Dangle Fraunhofer Center for Experimental Software Engineering Thomas McGibbon ITT Industries/Data & Analysis Center for Software (DACS)

202 views • 18 slides
CPS 108, Fall 1999 Program Design and Implementation Software Design and Implementation

CPS 108, Fall 1999 Program Design and Implementation Software Design and Implementation

CPS 108, Fall 1999 Program Design and Implementation Software Design and Implementation Language independent principles of design and programming Object oriented programming and design design heuristics good design helps do away

295 views • 3 slides
IPv6 Addressing and IPv6 Addressing and Implementation Implementation Rodolfo Kohn Software

IPv6 Addressing and IPv6 Addressing and Implementation Implementation Rodolfo Kohn Software

IPv6 Addressing and IPv6 Addressing and Implementation Implementation Rodolfo Kohn Software Architect Intel Software de Argentina rodolfo.kohn@intel.com IPv6 - Agenda Why IPv6? No business case Different drivers IPv6 main

440 views • 28 slides
DAB Software Receiver Implementation Andreas M uller Supervisor: Michael Lerjen ETH ITET

DAB Software Receiver Implementation Andreas M uller Supervisor: Michael Lerjen ETH ITET

DAB Software Receiver Implementation Andreas M uller Supervisor: Michael Lerjen ETH ITET CTL June 13, 2008 Introduction 1 Task Software Defined Radio DAB GNU Radio and USRP Implementation 2 OFDM Synchronisation OFDM

2.29k views • 20 slides
Lecture 22 But not sufficient for the real world: At least 2 key missing pieces System

Lecture 22 But not sufficient for the real world: At least 2 key missing pieces System

CSE 331 Context Software Design and Implementation CSE331 is almost over Focus on software design, specification, testing, and implementation Absolutely necessary stuff for any nontrivial project Lecture 22 But not sufficient

351 views • 10 slides
Private information retrieval schemes based on codes Julien Lavauzelle IRMAR, Universit de

Private information retrieval schemes based on codes Julien Lavauzelle IRMAR, Universit de

Private information retrieval schemes based on codes Julien Lavauzelle IRMAR, Universit de Rennes 1 Sminaire Mathmatiques Discrtes, Codes et Cryptographie 20/02/2020 Cryptographic primitives based on codes Best-known cryptographic

957 views • 91 slides
ts rs s r

ts rs s r

ts rs s r t rs s Prr

962 views • 79 slides
The Probabilistic Method Week 10: Applications Joshua Brody CS49/Math59 Fall 2015 Reading

The Probabilistic Method Week 10: Applications Joshua Brody CS49/Math59 Fall 2015 Reading

The Probabilistic Method Week 10: Applications Joshua Brody CS49/Math59 Fall 2015 Reading Quiz What is the Hamming Distance between two n-bit strings x,y? (A) dist(x,y) = #i such that x i != y i (B) dist(x,y) = sqrt( i |x i - y i |) (C)

446 views • 19 slides
Trading Communication and Computing for Distributed Matrix Multiplication ISIT, June 21-26, 2020

Trading Communication and Computing for Distributed Matrix Multiplication ISIT, June 21-26, 2020

Multi-Cell Mobile Edge Coded Computing: Trading Communication and Computing for Distributed Matrix Multiplication ISIT, June 21-26, 2020 Emerging Mobile Applications Computation-intensive Delay-sensitive 2 Mobile Edge Computing

444 views • 21 slides
Local-Optimality Guarantees for Optimal Decoding Based on Paths Nissim Halabi Guy Even School

Local-Optimality Guarantees for Optimal Decoding Based on Paths Nissim Halabi Guy Even School

Local-Optimality Guarantees for Optimal Decoding Based on Paths Nissim Halabi Guy Even School of Electrical Engineering, Tel-Aviv University August 29, 2012 1/23 Communication Over a Noisy Channel u { 0 , 1 } k Channel c C { 0 ,

1.21k views • 23 slides
Test automation Building automatically repeatable test suites Test automation n Test automation

Test automation Building automatically repeatable test suites Test automation n Test automation

Test automation Building automatically repeatable test suites Test automation n Test automation is software that automates any aspect of testing TA2 Test automation 2 n Test automation is software that automates any aspect of testing n

397 views • 24 slides
Building highly reliable data pipelines @ Datadog Quentin FRANCOIS Team Lead, Data Engineering

Building highly reliable data pipelines @ Datadog Quentin FRANCOIS Team Lead, Data Engineering

Building highly reliable data pipelines @ Datadog Quentin FRANCOIS Team Lead, Data Engineering DataEng Barcelona 18 1 2 3 4 5 Building highly reliable data pipelines @ Datadog Quentin FRANCOIS Team Lead, Data Engineering DataEng

1.17k views • 70 slides
CS 188: Artificial Intelligence Constraint Satisfaction Problems II Instructors: Dan Klein and

CS 188: Artificial Intelligence Constraint Satisfaction Problems II Instructors: Dan Klein and

CS 188: Artificial Intelligence Constraint Satisfaction Problems II Instructors: Dan Klein and Pieter Abbeel University of California, Berkeley [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All

652 views • 38 slides

More recommend