nacl s crypto box in hardware
play

NaCls crypto box in hardware Michael Hutter, J urgen Schilling, - PowerPoint PPT Presentation

Oct 01, 2022 •34 likes •394 views

NaCls crypto box in hardware Michael Hutter, J urgen Schilling, Peter Schwabe, and Wolfgang Wieser Cryptography Research, TU Graz (IAIK), Radboud University Nijmegen September 14, 2015 CHES 2015, Saint-Malo, France NaCl and crypto box

  1. NaCl’s crypto box in hardware Michael Hutter, J¨ urgen Schilling, Peter Schwabe, and Wolfgang Wieser Cryptography Research, TU Graz (IAIK), Radboud University Nijmegen September 14, 2015 CHES 2015, Saint-Malo, France

  2. NaCl and crypto box ◮ Networking and Cryptography library - NaCl ◮ Easy-to-use and fast 2

  3. NaCl and crypto box ◮ Networking and Cryptography library - NaCl ◮ Easy-to-use and fast ◮ crypto box offers public-key authenticated encryption ◮ X25519 Diffie-Hellman key exchange (using Curve25519), ◮ Salsa20 stream cipher, and ◮ Poly1305 message-authentication code. 2

  4. NaCl and crypto box ◮ Networking and Cryptography library - NaCl ◮ Easy-to-use and fast ◮ crypto box offers public-key authenticated encryption ◮ X25519 Diffie-Hellman key exchange (using Curve25519), ◮ Salsa20 stream cipher, and ◮ Poly1305 message-authentication code. ◮ Allows fast and secure end-to-end communication via the Internet ◮ 128-bit security ◮ See also http://nacl.cr.yp.to 2

  5. ...but how does it perform in hardware? 3

  6. ...but how does it perform in hardware? ◮ crypto box suitable for IoT? ◮ Wireless Identification and Sensing Platforms (WISPs) 3

  7. ...but how does it perform in hardware? ◮ crypto box suitable for IoT? ◮ Wireless Identification and Sensing Platforms (WISPs) ◮ So why not using SSL or IPSec? ◮ Proposal from Gross et al. [1] at last year’s RFIDsec ◮ Chosen set of IPSec primitives: AES-128 and ECDH using NIST P-192 ◮ Still may require too much resources (52 kGEs)... 3

  8. ...but how does it perform in hardware? ◮ crypto box suitable for IoT? ◮ Wireless Identification and Sensing Platforms (WISPs) ◮ So why not using SSL or IPSec? ◮ Proposal from Gross et al. [1] at last year’s RFIDsec ◮ Chosen set of IPSec primitives: AES-128 and ECDH using NIST P-192 ◮ Still may require too much resources (52 kGEs)... . . . can we do better? 3

  9. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl 4

  10. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption 4

  11. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces 4

  12. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces ◮ No need for signatures 4

  13. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces ◮ No need for signatures ◮ Low power, not low energy 4

  14. What we did... ◮ We present a carefully optimized hardware architecture of the basic primitives of NaCl ◮ 128-bit public-key authenticated encryption ◮ Compatibility with existing NaCl interfaces ◮ No need for signatures ◮ Low power, not low energy ◮ Constant-runtime implementation 4

  15. Hardware architecture overview 32 32 Memory I/O AMBA Interface RAM ROM Controller Address 32 Buffer Logic Prog. ROM 99 ALU Instr. Decoder Accu ◮ 32-bit architecture with single-port memory 5

  16. Hardware architecture overview 32 32 Memory I/O AMBA Interface RAM ROM Controller Address 32 Buffer Logic Prog. ROM 99 ALU Instr. Decoder Accu ◮ 32-bit architecture with single-port memory ◮ ASIP tailored for crypto box using microcode-control ◮ Self-written ”compiler” (written in Java) that generates machinecode ◮ Automatically outputs RTL of the program ROM (ready to integrate) ◮ Easy to use and to add functionality 5

  17. The controller Reg start Multiplication Controller PROM0 out addr + Reg + Reg Reg Reg Instruction PROM1 + Decoder bsr addr addr out Reg ROM ctrl SP clk ◮ 2 microcode program ROMs: Curve25519 and Salsa20/Poly1305 ◮ Splitting allows isolating ROMs to reduce power consumption ◮ Area reduction if microcodes have different opcode lengths 6

  18. The controller Reg start Multiplication Controller PROM0 out addr + Reg + Reg Reg Reg Instruction PROM1 + Decoder bsr addr addr out Reg ROM ctrl SP clk ◮ 2 microcode program ROMs: Curve25519 and Salsa20/Poly1305 ◮ Splitting allows isolating ROMs to reduce power consumption ◮ Area reduction if microcodes have different opcode lengths ◮ Support for single-level subroutines ◮ 11-bit register stores return address, program counter update ◮ Subroutine addressing: decoder using a look-up table (ROM) 6

  19. The controller Reg start Multiplication Controller PROM0 out addr + Reg + Reg Reg Reg Instruction PROM1 + Decoder bsr addr addr out Reg ROM ctrl SP clk ◮ 2 microcode program ROMs: Curve25519 and Salsa20/Poly1305 ◮ Splitting allows isolating ROMs to reduce power consumption ◮ Area reduction if microcodes have different opcode lengths ◮ Support for single-level subroutines ◮ 11-bit register stores return address, program counter update ◮ Subroutine addressing: decoder using a look-up table (ROM) ◮ 256-bit multiplication controller (optional) 6

  20. 2-column product-scanning multiply control C[10] C[5] C[0] C[10] C[5] C[0] A[0]B[5] A[0]B[5] A[5]B[5] A[0]B[0] A[5]B[5] A[0]B[0] A[5]B[0] A[5]B[0] ◮ We implemented product-scanning multiplication and process two columns in parallel ◮ Column-wise product-scanning multiplication (left) ◮ 2-column parallel product-scanning multiplication (right). ◮ Allows to hold one operand in a register while next operand is pre-fetched from memory 7

  21. Memory paging ◮ Most of the time, crypto box primitives require access to a limited number of RAM locations only ◮ Reduce length of address bits in opcode ◮ Divide memory into virtual memory pages ◮ One memory page consists of 4 × 256 bits of RAM ◮ Special instructions: ◮ Memory Page Select ( MPS ) ◮ Memory Page Increment ( MPI ) ◮ Memory Page Decrement ( MPD ) ◮ Savings ◮ Only 5 opcode bits are required ◮ 2 bits to address a single 256-bit row of the currently selected page ◮ 3 bits to address a single 32-bit word 8

  22. ALU rotate 0 SB . . . sel carry rotate n en carry clk sel rotation sel add mode out 0 4 67 MOL Accu 32 32 32 32 + 32 32 0 + + data in en reg Buf. 0 clk mult counter en adder sel en mode sel en0 en accu clk ◮ 32-bit digit-serial multiplier ◮ Parameterizable digit width w = 2 , 4 , 8 , 12 , 16 bits ◮ Also re-used for addition and subtraction ◮ Pre-fetch buffer used to store one 32-bit operand ◮ 32-bit logic operations: AND, OR, XOR ◮ 99-bit accumulator register with rotation unit 9

  23. Crypto services 1. X25519 Diffie-Hellman key agreement 2. Authenticated encryption using a streaming API ◮ Message is processed in chunks of 64 bytes ◮ Support for authenticated decryption of a 32-byte message Command Hex Description DH-1 0x00 X25519 Diffie-Hellman key exchange: computes public key 0x01 X25519 Diffie-Hellman key exchange: computes session key DH-2 INIT 0x02 HSalsa20: computes extended session key FIRST 0x03 XSalsa20: computes first cipher block 0x04 XSalsa20: computes next cipher block UPDATE FINALIZE 0x05 Poly1305: computes authentication tag 0x06 XSalsa20/Poly1305: decrypts and authenticates a single block DECRYPT 10

  24. Subroutines ◮ Addition, subtraction, and multiplication ◮ Modular reduction in F 2 255 − 19 (iterative approach) ◮ Modular inversion based on Fermat’s little theorem ( 11 M + 254 S) 11

  25. Subroutines ◮ Addition, subtraction, and multiplication ◮ Modular reduction in F 2 255 − 19 (iterative approach) ◮ Modular inversion based on Fermat’s little theorem ( 11 M + 254 S) ECC scalar multiplication: ◮ Differential addition-and-doubling using Montgomery ladder ◮ Costs: 5 M + 4 S + 8 add + 1 M a 24 ◮ 6 working registers (plus the register to store the base point x D ) ◮ Variable a 24 = ( a + 2) / 4 is stored in ROM 11

  26. Tools and macros ◮ Cadence Encounter RTL Compiler v08.10 ◮ UMC 130nm LL logic CMOS process (1 GE equals 5.12 µm 2 ) ◮ Target frequency set to 1 MHz ◮ Results are for post-synthesis not considering overhead of P&R ◮ Cadence Encounter Power System v08.10 used for power estimations after P&R ◮ We used a synchronous 2 304-bit RAM block implemented as either ◮ standard-cell based RAM ( ∼ 18.3 kGEs) or ◮ register-file RAM macro ( ∼ 3.7 kGEs). 12

  27. Performance of crypto box Speed [Cycles] Area [GEs] w Ctrl Total incl. RAM ROM DH-1 DH-2 FIRST UPDATE DECRYPT +ALU std-cells macro 2 3 455 394 3 455 428 8 117 9 291 9 085 10 555 307 29 319 14 648 4 1 957 282 1 957 316 7 705 8 465 8 049 10 761 308 29 526 14 855 8 1 151 906 1 151 940 7 685 8 427 7 513 11 484 311 30 252 15 581 12 971 682 971 716 7 557 8 171 7 385 11 794 313 30 564 15 893 16 811 170 811 184 7 443 7 943 7 271 13 869 311 32 637 17 966 ◮ INIT takes 6 641 cycles and FINALIZE needs 62 cycles for all multiplier digit-sizes w . ◮ Controller (incl. program ROMs) requires 6.3-6.9 kGEs ◮ Power: 40-70 µ W (half of power is spent for RAM) ◮ Critical path: 53.4-82.6 ns (adder structure in multiplier) 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NaCl: a new crypto library AES-128, RSA-2048, etc. are widely accepted standards. D. J.

NaCl: a new crypto library AES-128, RSA-2048, etc. are widely accepted standards. D. J.

NaCl: a new crypto library AES-128, RSA-2048, etc. are widely accepted standards. D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Obviously infeasible to break Tanja Lange, T. U. Eindhoven by best attacks in literature. Joint work

1.46k views • 133 slides
NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U. Eindhoven Joint work with: Peter Schwabe, R. U. Nijmegen xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards. Obviously

874 views • 50 slides
(Tweet)NaCl Daniel J. Bernstein, Tanja Lange, Peter Schwabe December 29, 2013 30C3, Hamburg

(Tweet)NaCl Daniel J. Bernstein, Tanja Lange, Peter Schwabe December 29, 2013 30C3, Hamburg

(Tweet)NaCl Daniel J. Bernstein, Tanja Lange, Peter Schwabe December 29, 2013 30C3, Hamburg (Tweet)NaCl NaCl http://nacl.cr.yp.to Networking and Cryptography library Contributions by Matthew Dempsky, Adam Langley, Niels Duif, Bo-Yin

371 views • 7 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto?

Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto?

Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto? Bob and Alice and the secret message Mathematical dependance on a relatively small pre-shared key When used right: Prevents

801 views • 30 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These

977 views • 34 slides
Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB https://github.com/secworks IT security Embedded systems ASIC, FPGA Biometrics Open Crypto Hardware CPU design Assembly hacking Hardware Security

896 views • 50 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak Microelectronics Design Center, ETH Z urich 6 July 2012 My Goal To improve the quality of hardware evaluations for crypto algorithms. Microelectronics

798 views • 51 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation & opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
The Effect of NaCl on the Reaction Rate of Catecholase Background Enzymes require a specific

The Effect of NaCl on the Reaction Rate of Catecholase Background Enzymes require a specific

The Effect of NaCl on the Reaction Rate of Catecholase Background Enzymes require a specific environment to function 1 Changes in salt concentration can disrupt form of non-covalent bonds 2 Block active sites Catecholase leads to

147 views • 10 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
The legacy of export-grade cryptography in the 21st century Nadia Heninger University of

The legacy of export-grade cryptography in the 21st century Nadia Heninger University of

The legacy of export-grade cryptography in the 21st century Nadia Heninger University of Pennsylvania October 6, 2016 International Traffic in Arms Regulations April 1, 1992 version Category XIII--Auxiliary Military Equipment ... (b)

1.05k views • 79 slides
Section 1 Commitment Schemes Commitment Schemes Commitment Schemes Digital analogue of a safe.

Section 1 Commitment Schemes Commitment Schemes Commitment Schemes Digital analogue of a safe.

Commitment Schemes Section 1 Commitment Schemes Commitment Schemes Commitment Schemes Digital analogue of a safe. Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment scheme) An efficient two-stage

605 views • 23 slides
Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao Song , Mentee: Lisette del Pino University of Pennsylvania Directed Reading Program May 16, 2020 Mentor: Tao Song , Mentee: Lisette del Pino

1.35k views • 98 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Automated Game-Based Cryptographic Proofs Santiago Zanella B eguelin IMDEA Software Institute,

Automated Game-Based Cryptographic Proofs Santiago Zanella B eguelin IMDEA Software Institute,

Automated Game-Based Cryptographic Proofs Santiago Zanella B eguelin IMDEA Software Institute, Madrid, Spain 2011.11.14 SEFM 2011 Based on joint work with Gilles Barthe Benjamin Gr egoire Sylvain Heraud Federico Olmedo Yassine

1.32k views • 104 slides
Secure Protocols in a Hostile World for CHES 2015 Matthew Green Johns Hopkins University

Secure Protocols in a Hostile World for CHES 2015 Matthew Green Johns Hopkins University

Secure Protocols in a Hostile World for CHES 2015 Matthew Green Johns Hopkins University Why this talk? Why this presentation? These people are wrong solved problem Algorithms Protocol Design Unsolved Implementation Library

1.11k views • 80 slides
MOL2NET, 2018 , 4, http://sciforum.net/conference/mol2net-04 2 overpopulation exists, it is posed

MOL2NET, 2018 , 4, http://sciforum.net/conference/mol2net-04 2 overpopulation exists, it is posed

MOL2NET, 2018 , 4, http://sciforum.net/conference/mol2net-04 1 MDPI MOL2NET, International Conference Series on Multidisciplinary Sciences Cryptosporidium spp. prevalence in sheep from commercial sites in the State of Mexico, Mexico during Summer

562 views • 5 slides
What we are going to do today What is an emerging infectious disease? Introduction

What we are going to do today What is an emerging infectious disease? Introduction

5/27/2017 Disclosure Emerging Infections: historical perspectives, precipitating factors, and pathologic diagnosis I have nothing to disclose. Except that my silly dogs will Laura W. Lamps M.D. feature prominently Godfrey D. Stobbe

378 views • 37 slides

More recommend