software benchmarking of sha 3 candidates http bench cr
play

Software benchmarking of SHA-3 candidates http://bench.cr.yp.to D. - PDF document

Mar 03, 2024 •337 likes •950 views

Software benchmarking of SHA-3 candidates http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Selecting cryptographic primitives NISTs final AES report, 2001: Security

  1. Software benchmarking of SHA-3 candidates http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven

  2. Selecting cryptographic primitives NIST’s final AES report, 2001: “Security was the most important : : : factor in the evaluation Rijndael appears to offer an : : : adequate security margin. Serpent appears to offer a high security margin.” (Emphasis added.) So why didn’t Serpent win?

  3. Selecting cryptographic primitives NIST’s final AES report, 2001: “Security was the most important : : : factor in the evaluation Rijndael appears to offer an : : : adequate security margin. Serpent appears to offer a high security margin.” (Emphasis added.) So why didn’t Serpent win? Maybe hardware efficiency? Or side-channel security? Or something else?

  4. Side channels: “The operations used by Serpent are among the easiest to defend against timing and power attacks.”

  5. Side channels: “The operations used by Serpent are among the easiest to defend against timing and power attacks.” Hardware speed: “Serpent is well suited to restricted-space : : : Fully pipelined environments implementations of Serpent offer the highest throughput of any of the finalists for non-feedback : : : Efficiency is generally modes. very good, and Serpent’s speed is independent of key size.”

  6. Side channels: “The operations used by Serpent are among the easiest to defend against timing and power attacks.” Hardware speed: “Serpent is well suited to restricted-space : : : Fully pipelined environments implementations of Serpent offer the highest throughput of any of the finalists for non-feedback : : : Efficiency is generally modes. very good, and Serpent’s speed is independent of key size.” Great! Why didn’t Serpent win?

  7. Aha: Software speed!

  8. Aha: Software speed! “Serpent is generally the slowest of the finalists in software speed for : : : encryption and decryption. Serpent provides consistently low-end performance.”

  9. Aha: Software speed! “Serpent is generally the slowest of the finalists in software speed for : : : encryption and decryption. Serpent provides consistently low-end performance.” Conclusion: “NIST judged Rijndael to be the best overall algorithm for the AES. Rijndael appears to be consistently a very good performer in both hardware and software [and offers good key agility, low memory, easy defense, fast defense, flexibility, parallelism].”

  10. 2007 NIST SHA-3 call: “The security provided by an algorithm is the most important factor in the evaluation.”

  11. 2007 NIST SHA-3 call: “The security provided by an algorithm is the most important factor in the evaluation.” 2011.02 NIST report: : : : high security “BLAKE : : : margin NIST feels that future results are less likely to dramatically narrow Grøstl’s security margin than that : : : of the other candidates. : : : solid security margin : : : JH : : : high security Keccak : : : margin : : : high security margin” Skein

  12. Will this factor alone decide the winner?

  13. Will this factor alone decide the winner? Will further security analysis kill 4 out of 5 SHA-3 candidates?

  14. Will this factor alone decide the winner? Will further security analysis kill 4 out of 5 SHA-3 candidates? Perhaps, but probably not! Presumably decision will depend partially on speed in software, speed in hardware, speed of implementations with various side-channel defenses, etc.

  15. Will this factor alone decide the winner? Will further security analysis kill 4 out of 5 SHA-3 candidates? Perhaps, but probably not! Presumably decision will depend partially on speed in software, speed in hardware, speed of implementations with various side-channel defenses, etc. Remaining speed differences seem larger than remaining security differences.

  16. Speed variability Main question in this talk: “How fast is hash software?” Answer varies from one hash function to another. Perhaps this variability is important to hash users. Perhaps this variability will be important in the SHA-3 selection.

  17. Answer depends on hash-function parameters. On a 3200MHz AMD Phenom II X6 1090T (100fa0), for the same input size, changing from 256-bit output to 512-bit output makes � 1 : 55 � faster; BLAKE � 1 : 31 � faster; SHA-2 � 1 : 01 � faster; Skein JH neither faster nor slower; � 1 : 48 � slower; Grøstl � 1 : 86 � slower. Keccak (2010.12 data, before tweaks.)

  18. Answer depends on #cores used for hashing. 2.4GHz Intel Core 2 Duo E4600 (6fd) has 2 CPU cores operating in parallel. 2.4GHz Intel Core 2 Quad Q6600 (6fb) has 4 CPU cores operating in parallel. Hash twice as many messages per second! Standard way to reduce this dependence: measure hash time on 1 core.

  19. Warning: Single-core speed is sometimes better than speed of 4 cores handling 4 messages in parallel. Multiple active cores can conflict in DRAM access etc. Warning: Single-core speed � 4 is usually better than speed of 4 cores cooperating to handle 1 long message. Warning: These issues (and more issues coming up) have different effects on different hash functions.

  20. Back to the main question: How fast is hash software? Answer depends on CPU. In one second, single-core 533MHz PowerPC G4 (7410) computes SHA-256 hashes of 5985 4096-byte messages. In one second, single core of 1800MHz PowerPC G5 (970) computes SHA-256 hashes of 20729 4096-byte messages.

  21. Standard way to reduce this dependence: count cycles; i.e., divide #seconds by clock speed. 533MHz PowerPC G4 (7410): 86835 cycles to hash a 4096-byte message with SHA-256. 1800MHz PowerPC G5 (970): 89047 cycles to hash a 4096-byte message with SHA-256. Note: Most CPUs have built-in cycle counters; “RDTSC” etc. Cycles are also a natural unit for serious programmers.

  22. Warning: Different CPUs do different amounts of computation in a cycle. Warning: Different CPUs with different speeds can have the same name. Warning: Some CPU operations (e.g. DRAM access) do not scale linearly with clock speed. Warning: A CPU in 64-bit mode is often faster (but sometimes slower!) than the same CPU in 32-bit mode.

  23. 4096-byte SHA-256 timings: 64421 cycles: amd64 architecture (64-bit), 2833MHz Intel Core 2 Quad Q9550 (10677). 64923 cycles: x86 architecture (32-bit), 2833MHz Intel Core 2 Quad Q9550 (10677). 88304 cycles: ppc32, 533MHz Motorola PowerPC G4 (7410). 94464 cycles: armeabi, 800MHz Freescale i.MX515 (Cortex A8). 197572 cycles: armeabi, 400MHz TI OMAP 2420.

  24. 4096-byte SHA-512 timings: 44200 cycles: amd64 architecture (64-bit), 2833MHz Intel Core 2 Quad Q9550 (10677). 77682 cycles: x86 architecture (32-bit), 2833MHz Intel Core 2 Quad Q9550 (10677). 228864 cycles: ppc32, 533MHz Motorola PowerPC G4 (7410). 390400 cycles: armeabi, 800MHz Freescale i.MX515 (Cortex A8). 500038 cycles: armeabi, 400MHz TI OMAP 2420.

  25. How fast is hash software? Answer depends on message length: hashing long message takes more time than hashing short message. SHA-512 timings on 3200MHz AMD Phenom II X4 955 (100f42): 48166 cycles for 4096 bytes. 24917 cycles for 2048 bytes. 15584 cycles for 1024 bytes. 13304 cycles for 512 bytes.

  26. Standard way to reduce this dependence: divide cycles by message length. Warning: Still have dependence. SHA-512 on the same Phenom: 11.76 cycles/byte for 4096 bytes. 12.17 cycles/byte for 2048 bytes. 12.99 cycles/byte for 1024 bytes. 14.63 cycles/byte for 512 bytes. 17.86 cycles/byte for 256 bytes. 24.47 cycles/byte for 128 bytes. 28.03 cycles/byte for 112 bytes. 15.23 cycles/byte for 111 bytes. 25.81 cycles/byte for 64 bytes.

  27. SHA-512 cycles vs. bytes: 20000 15000 10000 5000 0 0 100 200 300 400 500 600

  28. SHA-256 cycles vs. bytes: 20000 15000 10000 5000 0 0 100 200 300 400 500 600

  29. Hamsi cycles vs. bytes: 20000 15000 10000 5000 0 0 100 200 300 400 500 600

  30. ECHO-256 cycles vs. bytes: 20000 15000 10000 5000 0 0 100 200 300 400 500 600

  31. Cycles vs. bytes: 20000 15000 10000 5000 0 0 100 200 300 400 500 600

  32. How fast is hash software? Answer depends on implementation. SHA-512: OpenSSL 0.9.8k is 1 : 31 � faster than a simple reference implementation on a typical Core 2 (for 1536 bytes). Grøstl-256: The “core2duo” implementation is 3 : 75 � faster than the “opt32” implementation and 1 : 48 � faster than the “sphlib” implementation.

  33. A user who cares about speed won’t use a slow reference implementation. He’ll use the fastest implementation available. Slowness of unused software has no impact on user’s final speed. The ultimate goal of benchmark reports is to accurately predict the speed that the user will see. ) Report speed of the fastest implementation.

  34. How fast is hash software? Answer depends on compiler and on compiler options. Skein-512, Atom N280, 1536 bytes, -fomit-frame-pointer : 177110 cycles: opt with gcc -O2

  35. How fast is hash software? Answer depends on compiler and on compiler options. Skein-512, Atom N280, 1536 bytes, -fomit-frame-pointer : 177110 cycles: opt with gcc -O2 176290 cycles: opt with gcc -O3

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago

Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago

Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Selecting cryptographic primitives NISTs final AES report, 2001: Security was

686 views • 50 slides
Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1 , Robin Ankele 2 1 Royal

Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1 , Robin Ankele 2 1 Royal

Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1 , Robin Ankele 2 1 Royal Holloway, University of London, UK 2 University of Oxford, UK September 27, 2016 Directions in Authenticated Ciphers - Nagoya, Japan Software

972 views • 46 slides
Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API, High-Speed ImplementaCons in VHDL/Verilog, and Benchmarking Using FPGAs Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Michael

908 views • 53 slides
NAS-Bench-1Shot1: Benchmarking and Dissecting One-Shot Neural Architecture Search

NAS-Bench-1Shot1: Benchmarking and Dissecting One-Shot Neural Architecture Search

NAS-Bench-1Shot1: Benchmarking and Dissecting One-Shot Neural Architecture Search Albert-Ludwigs-Universitt Freiburg DeToL 07.11.2019 Julien Siems, Arbr Zela and Frank Hutter Under review as a conference paper at ICLR 2020 Motivation

1.43k views • 24 slides
An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of High-Level Synthesis Tools Ekawat Homsirikamol and Kris Gaj George Mason University USA Based on work partially supported by the National Science

775 views • 50 slides
Core bench: micro-benchmarking for OCaml Christopher S. Hardin and Roshan P. James Jane Street

Core bench: micro-benchmarking for OCaml Christopher S. Hardin and Roshan P. James Jane Street

Overview Implementation Core bench: micro-benchmarking for OCaml Christopher S. Hardin and Roshan P. James Jane Street September 24, 2013, OUD Workshop Christopher S. Hardin and Roshan P. James Core bench: micro-benchmarking for OCaml

539 views • 16 slides
Early Experience in Benchmarking Edge AI Processors with Object Detection Workloads Bench 2019

Early Experience in Benchmarking Edge AI Processors with Object Detection Workloads Bench 2019

Early Experience in Benchmarking Edge AI Processors with Object Detection Workloads Bench 2019 Yujie Hui 1 , Jeffrey Lien 2 , and Xiaoyi Lu 1 1 Department of Computer Science and Engineering, The Ohio State University {hui.82, lu.932}@osu.edu 2

1.14k views • 28 slides
MSA Benchmarking Daniel Yuan and Stanley Liu Intro Benchmarking 6 MSA software 3

MSA Benchmarking Daniel Yuan and Stanley Liu Intro Benchmarking 6 MSA software 3

MSA Benchmarking Daniel Yuan and Stanley Liu Intro Benchmarking 6 MSA software 3 progressive methods Progressive T-Coffee 11.00.8cbe486 Heuristics Sequences -> Guide Tree MAFFT 7 -> MSA PSAlign

240 views • 5 slides
Bench'19 Benchmarking Database Ingestion Ability with Real-Time Big Astronomical Data Qing Tang

Bench'19 Benchmarking Database Ingestion Ability with Real-Time Big Astronomical Data Qing Tang

Bench'19 Benchmarking Database Ingestion Ability with Real-Time Big Astronomical Data Qing Tang Qing Tang,Chen Yang, Xiaofeng Meng, Zhihui Du RUC 15/11/2019 Outline Background Benchmark Methodology Experiments and Results Analysis

264 views • 14 slides
Benchmarking case for validation of draping software K. Vanclooster, S.V. Lomov and I.Verpoest

Benchmarking case for validation of draping software K. Vanclooster, S.V. Lomov and I.Verpoest

Benchmarking case for validation of draping software K. Vanclooster, S.V. Lomov and I.Verpoest K.U. Leuven - Department of Metallurgy and Materials Engineering Downloaded from http://www.mtm.kuleuven.ac.be/Research/C2/poly/index.htm

92 views • 6 slides
Benchmarking: The Way Forward for Software Evolution Susan Elliott Sim University of

Benchmarking: The Way Forward for Software Evolution Susan Elliott Sim University of

Benchmarking: The Way Forward for Software Evolution Susan Elliott Sim University of California, Irvine ses@ics.uci.edu Background Developed a theory of benchmarking based on own experience and historical research Successful

730 views • 35 slides
Last mile software development Last mile software development Writing modern software for bench

Last mile software development Last mile software development Writing modern software for bench

Last mile software development Last mile software development Writing modern software for bench scientists Thomas Sibley The Perl Conference 2017 Alexandria, VA Hello! My name is Thomas Sibley. I'm here today to talk about modern

891 views • 76 slides
eBASH: ECRYPT, VAMPIRE ECRYPT Benchmarking European Union has funded of All Submitted Hashes

eBASH: ECRYPT, VAMPIRE ECRYPT Benchmarking European Union has funded of All Submitted Hashes

eBASH: ECRYPT, VAMPIRE ECRYPT Benchmarking European Union has funded of All Submitted Hashes ECRYPT I network (20042008), ECRYPT II network (20082012). http://bench.cr.yp.to /ebash.html ECRYPTs virtual labs include D. J.

782 views • 30 slides
FOSTERING RESEARCH THROUGH BENCHMARKING IN COMPUTER SCIENCE / SOFTWARE ENGINEERING FOUNDJEM

FOSTERING RESEARCH THROUGH BENCHMARKING IN COMPUTER SCIENCE / SOFTWARE ENGINEERING FOUNDJEM

FOSTERING RESEARCH THROUGH BENCHMARKING IN COMPUTER SCIENCE / SOFTWARE ENGINEERING FOUNDJEM ARMSTRONG SWART POLYTECHNIQUE MONTREAL PLAN Introduction Motivation & Background The BonFIRE Experiment Benchmarking in

370 views • 16 slides
Gaps between the bedside and the bench: Perspectives from the bench University of Oregon

Gaps between the bedside and the bench: Perspectives from the bench University of Oregon

Gaps between the bedside and the bench: Perspectives from the bench University of Oregon University of Tbingen Bernardo Blanco-Snchez Antje Bernd Aurlie Clment Eberhart Zrenner Javier Fierro John

477 views • 32 slides
Bench Decorum Bench Decorum Definition Appropriate conduct and sportsmanlike behaviour on the

Bench Decorum Bench Decorum Definition Appropriate conduct and sportsmanlike behaviour on the

Bench Decorum Bench Decorum Definition Appropriate conduct and sportsmanlike behaviour on the floor and bench Bench Decorum Coach Communication & Conduct A coach shall address the officials in a business-like manner A coach

199 views • 4 slides
14:332:231 DIGITAL LOGIC DESIGN Ivan Marsic, Rutgers University Electrical & Computer

14:332:231 DIGITAL LOGIC DESIGN Ivan Marsic, Rutgers University Electrical & Computer

14:332:231 DIGITAL LOGIC DESIGN Ivan Marsic, Rutgers University Electrical & Computer Engineering Fall 2013 Lecture #24: Verilog Time Dimension and Test Benches Verilog Functions and Tasks [ behavioral style ] Verilog function accepts

195 views • 5 slides
CENG 342 Digital Systems A Combinational Logic Circuit in VHDL Larry Pyeatt SDSM&T

CENG 342 Digital Systems A Combinational Logic Circuit in VHDL Larry Pyeatt SDSM&T

CENG 342 Digital Systems A Combinational Logic Circuit in VHDL Larry Pyeatt SDSM&T Testbench VHDL code can be simulated in a computer to verify the correctness. After simulation, the code can be synthesized to a physical device. For

179 views • 16 slides
VHDL/Verilog Simulation Testbench Design The Test Bench Concept Elements of a VHDL/Verilog

VHDL/Verilog Simulation Testbench Design The Test Bench Concept Elements of a VHDL/Verilog

VHDL/Verilog Simulation Testbench Design The Test Bench Concept Elements of a VHDL/Verilog testbench Unit Under Test (UUT) or Device Under Test (DUT) instantiate one or more UUTs Stimulus of UUT inputs algorithmic from

513 views • 32 slides
BOREXINO: Erste komple3e spektroskopische Messung solarer Neutrinos

BOREXINO: Erste komple3e spektroskopische Messung solarer Neutrinos

BOREXINO: Erste komple3e spektroskopische Messung solarer Neutrinos Astroteilchenphysik in Deutschland Status und Perspek6ven 30.9.-1.10.2014 am KIT Stefan

251 views • 14 slides
CDA 4253/CIS 6930 FPGA System Design Finite State Machines Dr. Hao Zheng Comp Sci & Eng U

CDA 4253/CIS 6930 FPGA System Design Finite State Machines Dr. Hao Zheng Comp Sci & Eng U

CDA 4253/CIS 6930 FPGA System Design Finite State Machines Dr. Hao Zheng Comp Sci & Eng U of South Florida Outline and Reading Modeling FSMs in VHDL Mealy and Moore Modeling FSMD in VHDL Map computation into FSMD Reading

1.35k views • 120 slides
Hardware Design with VHDL VHDL I ECE 443 VHDL Introduction A language for describing the

Hardware Design with VHDL VHDL I ECE 443 VHDL Introduction A language for describing the

Hardware Design with VHDL VHDL I ECE 443 VHDL Introduction A language for describing the structural, physical and behavioral characteristics of digital systems. VHDL is used to attain several goals: Synthesis of digital systems.

539 views • 11 slides
An Open-Source Python-Based Hardware Generation, Simulation, and Verification Framework Shunning

An Open-Source Python-Based Hardware Generation, Simulation, and Verification Framework Shunning

An Open-Source Python-Based Hardware Generation, Simulation, and Verification Framework Shunning Jiang, Christopher Torng, Christopher Batten Computer Systems Laboratory School of Electrical and Computer Engineering Cornell University 1

465 views • 19 slides
Advanced Concepts in Simulation Based Verification Topics planned to be covered Test Bench

Advanced Concepts in Simulation Based Verification Topics planned to be covered Test Bench

Advanced Concepts in Simulation Based Verification Topics planned to be covered Test Bench Organization and Design Test Scenarios, Assertions and Coverage Checking and Coverage Analysis in relation to Specman 1 Test Bench

990 views • 59 slides

More recommend