small cryptographic bytecode d j bernstein elaborating on
play

Small cryptographic bytecode D. J. Bernstein elaborating on an idea - PDF document

Feb 15, 2023 •164 likes •717 views

1 Small cryptographic bytecode D. J. Bernstein elaborating on an idea from Adam Langley 2 Line search: trying to find minimum of function f defined on x -line. e.g. Bisection, trying to find minimum in interval [ x 0 ; x 1 ]:

  1. 1 Small cryptographic bytecode D. J. Bernstein elaborating on an idea from Adam Langley

  2. 2 “Line search”: trying to find minimum of function f defined on x -line. e.g. “Bisection”, trying to find minimum in interval [ x 0 ; x 1 ]: Replace interval with either [ x 0 ; ( x 0 + x 1 ) = 2] or [( x 0 + x 1 ) = 2 ; x 1 ]; try to make sensible choice. Iterate many times.

  3. 2 “Line search”: trying to find minimum of function f defined on x -line. e.g. “Bisection”, trying to find minimum in interval [ x 0 ; x 1 ]: Replace interval with either [ x 0 ; ( x 0 + x 1 ) = 2] or [( x 0 + x 1 ) = 2 ; x 1 ]; try to make sensible choice. Iterate many times. Can try to reduce #iterations using smarter models of f : see, e.g., “secant method”.

  4. 2 “Line search”: trying to find minimum of function f defined on x -line. e.g. “Bisection”, trying to find minimum in interval [ x 0 ; x 1 ]: Replace interval with either [ x 0 ; ( x 0 + x 1 ) = 2] or [( x 0 + x 1 ) = 2 ; x 1 ]; try to make sensible choice. Iterate many times. Can try to reduce #iterations using smarter models of f : see, e.g., “secant method”. Harder when f varies more.

  5. 3 How to find minimum of function f defined on ( x; y )-plane? “Gradient descent”: Starting from ( x 0 ; y 0 ), try to figure out direction where f decreases fastest.

  6. 3 How to find minimum of function f defined on ( x; y )-plane? “Gradient descent”: Starting from ( x 0 ; y 0 ), try to figure out direction where f decreases fastest. Could do line search to find minimum in that direction. Then find a new direction.

  7. 3 How to find minimum of function f defined on ( x; y )-plane? “Gradient descent”: Starting from ( x 0 ; y 0 ), try to figure out direction where f decreases fastest. Could do line search to find minimum in that direction. Then find a new direction. Better: Step down that direction. Then find a new direction.

  8. 3 How to find minimum of function f defined on ( x; y )-plane? “Gradient descent”: Starting from ( x 0 ; y 0 ), try to figure out direction where f decreases fastest. Could do line search to find minimum in that direction. Then find a new direction. Better: Step down that direction. Then find a new direction. Silly: Line search in x direction; line search in y direction; repeat.

  9. 4 Keccak optimization Goal: Fastest C code for Keccak on a Cortex-M4 CPU core. You start with simple C code implementing Keccak.

  10. 4 Keccak optimization Goal: Fastest C code for Keccak on a Cortex-M4 CPU core. You start with simple C code implementing Keccak. You compile it; see how fast it is; modify it to try to make it faster; repeat; eventually stop trying.

  11. 4 Keccak optimization Goal: Fastest C code for Keccak on a Cortex-M4 CPU core. You start with simple C code implementing Keccak. You compile it; see how fast it is; modify it to try to make it faster; repeat; eventually stop trying. You publish your fastest code. Maybe lots of people use it, and care about its speed.

  12. 5 Compiler writer learns about your Keccak Cortex-M4 C code.

  13. 5 Compiler writer learns about your Keccak Cortex-M4 C code. Compiles it; sees how fast it is. Modifies compiler to try to make the compiled code faster. Repeats; eventually stops trying.

  14. 5 Compiler writer learns about your Keccak Cortex-M4 C code. Compiles it; sees how fast it is. Modifies compiler to try to make the compiled code faster. Repeats; eventually stops trying. Publishes a new compiler version.

  15. 5 Compiler writer learns about your Keccak Cortex-M4 C code. Compiles it; sees how fast it is. Modifies compiler to try to make the compiled code faster. Repeats; eventually stops trying. Publishes a new compiler version. Later: Maybe you try the new compiler. Whole process repeats.

  16. 5 Compiler writer learns about your Keccak Cortex-M4 C code. Compiles it; sees how fast it is. Modifies compiler to try to make the compiled code faster. Repeats; eventually stops trying. Publishes a new compiler version. Later: Maybe you try the new compiler. Whole process repeats. You treat compiler as constant. Compiler treats code as constant.

  17. 6 Define f ( x; y ) as time taken by code x with compiler y .

  18. 6 Define f ( x; y ) as time taken by code x with compiler y . x 0 : initial code. y 0 : initial compiler.

  19. 6 Define f ( x; y ) as time taken by code x with compiler y . x 0 : initial code. y 0 : initial compiler. You try to minimize f ( x; y 0 ). x 1 : new code from this line search in x direction.

  20. 6 Define f ( x; y ) as time taken by code x with compiler y . x 0 : initial code. y 0 : initial compiler. You try to minimize f ( x; y 0 ). x 1 : new code from this line search in x direction. Compiler writer: f ( x 1 ; y ). y 1 : new compiler from this line search in y direction.

  21. 6 Define f ( x; y ) as time taken by code x with compiler y . x 0 : initial code. y 0 : initial compiler. You try to minimize f ( x; y 0 ). x 1 : new code from this line search in x direction. Compiler writer: f ( x 1 ; y ). y 1 : new compiler from this line search in y direction. This whole approach is silly.

  22. 7 min { f ( x; y ) } is the time taken by fastest Keccak Cortex-M4 asm.

  23. 7 min { f ( x; y ) } is the time taken by fastest Keccak Cortex-M4 asm. Slowly bouncing between x -line searches, y -line searches is a silly way to approach this min.

  24. 7 min { f ( x; y ) } is the time taken by fastest Keccak Cortex-M4 asm. Slowly bouncing between x -line searches, y -line searches is a silly way to approach this min. Clearly min can be achieved by many different pairs ( x; y ). Which pair is easiest to find?

  25. 7 min { f ( x; y ) } is the time taken by fastest Keccak Cortex-M4 asm. Slowly bouncing between x -line searches, y -line searches is a silly way to approach this min. Clearly min can be achieved by many different pairs ( x; y ). Which pair is easiest to find? Generalize from C to other languages: which language makes min easiest to find? Why did goal say “C code”? End user doesn’t need C.

  26. 8 Does end user need Cortex-M4?

  27. 8 Does end user need Cortex-M4? CPU designer learns about your Keccak Cortex-M4 asm.

  28. 8 Does end user need Cortex-M4? CPU designer learns about your Keccak Cortex-M4 asm. Modifies the CPU design to try to make this code faster. Repeats; eventually stops trying.

  29. 8 Does end user need Cortex-M4? CPU designer learns about your Keccak Cortex-M4 asm. Modifies the CPU design to try to make this code faster. Repeats; eventually stops trying. Years later, sells a new CPU. You reoptimize for this CPU.

  30. 8 Does end user need Cortex-M4? CPU designer learns about your Keccak Cortex-M4 asm. Modifies the CPU design to try to make this code faster. Repeats; eventually stops trying. Years later, sells a new CPU. You reoptimize for this CPU. Sometimes CPUs try extending or replacing instruction set, but this is poorly coordinated with programmers, compiler writers.

  31. 9 Generalize f ( x; y ) definition: f ( x; y ) is time taken by code x on platform y . If compiler y on code x produces asm y ( x ) for Cortex-M4: f ( x; y ) = f ( y ( x ) ; Cortex-M4).

  32. 9 Generalize f ( x; y ) definition: f ( x; y ) is time taken by code x on platform y . If compiler y on code x produces asm y ( x ) for Cortex-M4: f ( x; y ) = f ( y ( x ) ; Cortex-M4). Without the CPU changing: Minimize f ( a; Cortex-M4). Search for ( x; y ) with y ( x ) = a .

  33. 9 Generalize f ( x; y ) definition: f ( x; y ) is time taken by code x on platform y . If compiler y on code x produces asm y ( x ) for Cortex-M4: f ( x; y ) = f ( y ( x ) ; Cortex-M4). Without the CPU changing: Minimize f ( a; Cortex-M4). Search for ( x; y ) with y ( x ) = a . Typical CPU designer: View a as a constant; try to minimize f ( a; y ). Silly optimization approach.

  34. 10 “I know the minimum! I’ve developed the fastest circuit that computes Keccak. This circuit is my CPU.”

  35. 10 “I know the minimum! I’ve developed the fastest circuit that computes Keccak. This circuit is my CPU.” Wait a minute: “CPU” concept is more restrictive than “chip”. Perspective of CPU designer: This chip can do anything! People want this chip to support SHA-1, SHA-2, SHA-3, SHAmir; all sorts of block ciphers; public-key cryptosystems; non-cryptographic computations.

  36. 11 Adding fast Keccak circuit (“Keccak coprocessor”) to CPU adds area to CPU. Adding fast coprocessors for desired mix of operations adds even more area to CPU.

  37. 11 Adding fast Keccak circuit (“Keccak coprocessor”) to CPU adds area to CPU. Adding fast coprocessors for desired mix of operations adds even more area to CPU. For same CPU area, obtain much better throughput by building many copies of original CPU core without these coprocessors.

  38. 11 Adding fast Keccak circuit (“Keccak coprocessor”) to CPU adds area to CPU. Adding fast coprocessors for desired mix of operations adds even more area to CPU. For same CPU area, obtain much better throughput by building many copies of original CPU core without these coprocessors. Fast Keccak chip is special case. Doesn’t reflect general case.

  39. 12 CPU designer’s metric: What is best performance for a specified mix of operations within a particular CPU area?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Small cryptographic bytecode Line search: trying to find minimum of D. J. Bernstein

Small cryptographic bytecode Line search: trying to find minimum of D. J. Bernstein

1 2 Small cryptographic bytecode Line search: trying to find minimum of D. J. Bernstein function f defined on x -line. elaborating on an idea from e.g. Bisection, trying to find Adam Langley minimum in interval [ x 0 ; x 1 ]:

1.19k views • 102 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

1 How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for funding this work, and for not reviewing these slides in advance. PRESERVE, ending 2015.06.30, was a European project Preparing Secure

491 views • 32 slides
The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint work with: Tanja Lange, T. U. Eindhoven Peter Schwabe, Academia Sinica http://xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards.

603 views • 38 slides
The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint work with: Tanja Lange, T. U. Eindhoven Peter Schwabe, National Taiwan U. http://xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted

641 views • 35 slides
Error-prone cryptographic designs Daniel J. Bernstein University of Illinois at Chicago &

Error-prone cryptographic designs Daniel J. Bernstein University of Illinois at Chicago &

Error-prone cryptographic designs Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven The poor user is given enough rope with which to hang himselfsomething a standard should not do. 1992

597 views • 34 slides
Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein

Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein

Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein University of Illinois at Chicago; Ruhr University Bochum CVE-2018-0733, an OpenSSL bug Because of an implementation bug the PA-RISC CRYPTO_memcmp

1.32k views • 106 slides
Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

1 2 Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes files University of Illinois at Chicago & Technische Universiteit Eindhoven RAM disk Operating-system kernel divides RAM among processes,

1.32k views • 100 slides
Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 BushingMarcanSegher University of Illinois at Chicago & Sven failOverflow demolition Technische Universiteit Eindhoven of Sony PS3 security

1.08k views • 69 slides
Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

810 views • 63 slides
Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

1.15k views • 86 slides
Can cryptographic software Bobs laptop screen: be fixed? From: Alice D. J. Bernstein Thank

Can cryptographic software Bobs laptop screen: be fixed? From: Alice D. J. Bernstein Thank

1 2 Can cryptographic software Bobs laptop screen: be fixed? From: Alice D. J. Bernstein Thank you for your submission. We received many interesting papers, and unfortunately your Bob assumes this message is something Alice actually

1.47k views • 145 slides
Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an OpenSSL bug Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit

670 views • 44 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
Post-quantum cryptanalysis D. J. Bernstein University of Illinois at Chicago Cryptographic speed

Post-quantum cryptanalysis D. J. Bernstein University of Illinois at Chicago Cryptographic speed

Post-quantum cryptanalysis D. J. Bernstein University of Illinois at Chicago Cryptographic speed What is the fastest public-key encryption system? Or public-key signature system? Cryptographic speed What is the fastest public-key encryption

828 views • 55 slides
Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General

Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General

1 Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General software engineering. Using const-time instructions. 2 Software optimization Almost all software is much slower than it could be. 2 Software

1.03k views • 100 slides
Optimization on Heterogeneous Systems Kerry A. Seitz, Jr. and Mark C. Lewis Trinity University,

Optimization on Heterogeneous Systems Kerry A. Seitz, Jr. and Mark C. Lewis Trinity University,

Virtual Machine and Bytecode for Optimization on Heterogeneous Systems Kerry A. Seitz, Jr. and Mark C. Lewis Trinity University, San Antonio, TX Acknowledgments Trinity University Department of Computer Science Trinity University Mach

573 views • 19 slides
1 Java Release History Enhancements in JDK 5 (= Java 1.5) Generics 1995 (1.0) First

1 Java Release History Enhancements in JDK 5 (= Java 1.5) Generics 1995 (1.0) First

CS 242 Outline Java Virtual machine overview Language Overview Loader and initialization History and design goals Linker and verifier Classes and Inheritance Bytecode interpreter Object features Method

180 views • 17 slides
Computer Basics and software. Hardware includes the tangible parts of computer systems.

Computer Basics and software. Hardware includes the tangible parts of computer systems.

1/6/16 Hello Hello World World Hardware and Software Computer systems consist of hardware Computer Basics and software. Hardware includes the tangible parts of computer systems. TOPICS Software includes programs - sets of

306 views • 9 slides
Energy Usage via Bytecode Profiling Shuai Hao, Ding Li, William G.J. Halfond, and Ramesh Govindan

Energy Usage via Bytecode Profiling Shuai Hao, Ding Li, William G.J. Halfond, and Ramesh Govindan

Estimating Android Applications CPU Energy Usage via Bytecode Profiling Shuai Hao, Ding Li, William G.J. Halfond, and Ramesh Govindan The Message Goal: Optimize energy efficiency of implementation Important to focus on software

279 views • 5 slides
A bytecode set for adaptive optimizations Clment Bra & Eliot Miranda Thursday, August

A bytecode set for adaptive optimizations Clment Bra & Eliot Miranda Thursday, August

A bytecode set for adaptive optimizations Clment Bra & Eliot Miranda Thursday, August 21, 14 Introduction The Cog VM is the standard VM for: Pharo Squeak Newspeak Thursday, August 21, 14 Introduction Working

387 views • 20 slides
Java Bytecode to Hardware Made Easy with Bluespec SystemVerilog Flavius Gruian Mehmet Ali Arslan

Java Bytecode to Hardware Made Easy with Bluespec SystemVerilog Flavius Gruian Mehmet Ali Arslan

Java Bytecode to Hardware Made Easy with Bluespec SystemVerilog Flavius Gruian Mehmet Ali Arslan Lund University, Sweden {Flavius.Gruian, Mehmet_Ali.Arslan}@cs.lth.se Java Technologies for Real-time and Embedded Systems, 2012 1 / 15 Outline

498 views • 26 slides
Wireless Reprogramming HW2 To be assigned tomorrow (Thursday) Mat: mobile code

Wireless Reprogramming HW2 To be assigned tomorrow (Thursday) Mat: mobile code

Wireless Reprogramming HW2 To be assigned tomorrow (Thursday) Mat: mobile code Due on 3/16 (Wed), 2:30pm Agilla: mobile agent Chenyang Lu CSE 467S 1 Chenyang Lu CSE 467S 2 Motivation for Mobile Code XNP and Deluge

254 views • 4 slides
Outline snack Prereqs, Learning Goals, and Quiz Notes Prelude: Additive Inverse

Outline snack Prereqs, Learning Goals, and Quiz Notes Prelude: Additive Inverse

snick Outline snack Prereqs, Learning Goals, and Quiz Notes Prelude: Additive Inverse CPSC 121: Models of Computation Problems and Discussion 2016W2 Clock Arithmetic and Twos Complement Number Representation 1/3

146 views • 11 slides

More recommend