toward fair and comprehensive benchmarking of caesar
play

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in - PowerPoint PPT Presentation

Dec 14, 2023 •375 likes •908 views

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API, High-Speed ImplementaCons in VHDL/Verilog, and Benchmarking Using FPGAs Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Michael

  1. Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API, High-Speed ImplementaCons in VHDL/Verilog, and Benchmarking Using FPGAs Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Michael X. Lyons, Panasayya Yalla, and Kris Gaj George Mason University USA Based on work partially supported by the National Science Foundation under Grant No. 1314540

  2. GMU Benchmarking Team Ahmed Ferozpuri Will Diehl “Ice” Homsirikamol Panasayya Yalla Mike X. Lyons Farnoud Farahmand

  3. Evaluation Criteria in Cryptographic Contests Security Software Efficiency Hardware Efficiency µProcessors µControllers FPGAs ASICs Licensing Flexibility Simplicity 3

  4. Hardware Benchmarking in Previous Contests AES (1999-2000): 5 final candidates eSTREAM (2007-2008): 8 Phase-3 candidates SHA-3 (2010-2012): 14 Round 2 Candidates + 5 Final Candidates CAESAR (2016): 29 Round 2 Candidates 4

  5. New in CAESAR 1) standard hardware Application Programming Interface (API) 2) comprehensive Implementer’s Guide and Development Package , including VHDL and Python code common for all candidates 3) the design teams have been asked to submit their own Verilog/VHDL code 5

  6. CAESAR Hardware API

  7. CAESAR Hardware API Specifies: • Minimum Compliance Criteria • Interface • Communication Protocol • Timing Characteristics Assures: • Compatibility • Fairness 7

  8. CAESAR Hardware API - Timeline • July 2015, CryptArchi, Leuven, GMU API v1.0 • Sep. 2015, DIAC, Singapore, GMU API v1.1 • Dec. 2015, ReConFig, Cancun, GMU API v1.2 • Feb. 16, 2016, proposed CAESAR API v1.0 • Mar. 22, 2016, CAESAR Committee considers adoption • May 7, 2016, official adoption by the CAESAR Committee • May 12, 2016, final version of CAESAR API v1.0 • June 30, 2016, deadline for VHDL/Verilog Code • August 12, 2016, last submission of the code 8

  9. CAESAR API v1.0 vs. GMU API v1.2 Feb. 16, 2016 • Functional Changes • Supporting both high-speed and lightweight implementations • Supporting both single-pass and two-pass algorithms • Moving the buffering of decrypted data to an external unit, common for all candidates • No passing of Npub and AD to the output • Specifying the maximum size of AD/message/ciphertext explicitly • Requiring full support for key scheduling • Editorial Changes • Adding Minimum Compliance Criteria & Timing Characteristics • Separating from the Implementer’s Guide 9

  10. Advantages of CAESAR API v1.0 vs. GMU API 1.2 • Simplified: § code development § definitions of timing parameters for decryption § resource utilization characterization § benchmarking § Aimed to § speed-up coding § encourage more design teams to get involved 10

  11. Limitations of the CAESAR API v1.0 Interface: • No parallel loading of AD and Message (used by Keyak) Protocol: • No support for intermediate tags (used by variants of ELmD, POET, TriviA-ck, and COLM) • No protocol support for a second pass without storing intermediate results (or the entire input) inside of the authenticated cipher core 11

  12. CAESAR Implementer’s Guide & Development Package

  13. Top-level block diagram of a High-Speed architecture AEAD sw sdi_data sdi_data key key CipherCore KEY_SIZE sdi_valid sdi_valid bdo bdo Datapath DBLK_SIZE bdi bdi sdi_ready sdi_ready DBLK_SIZE Pre Post Processor Processor key_valid key_valid w do_data key_ready key_ready do_data key_update key_update do_valid do_valid do_ready decrypt decrypt do_ready bdi_valid bdi_valid CipherCore bdo_valid bdo_valid bdi_ready bdi_ready bdo_ready bdo_ready Controller bdi_type bdi_type bdo_size bdo_size 3 LBS_BYTES+1 bdi_eot bdi_eot bdi_eoi bdi_eoi pdi_valid pdi_valid bdi_partial bdi_partial pdi_ready pdi_ready msg_auth_valid msg_auth_valid bdi_pad_loc bdi_pad_loc w DBLK_SIZE/8 msg_auth_done msg_auth_done pdi_data pdi_data bdi_valid_bytes bdi_valid_bytes cmd_ready cmd_ready cmd_valid DBLK_SIZE/8 cmd_valid bdi_size bdi_size LBS_BYTES+1 cmd cmd CipherCore din_valid CMD dout_valid din_ready dout_ready FIFO din dout 24 24 Required Optional 13

  14. Development Package May. 12, 2016 - present a. VHDL code of a generic PreProcessor, PostProcessor, and CMD FIFO, common for all Round 2 Candidates (src_rtl) b. Universal testbench common for all Round 2 candidates (AEAD_TB) c. Python app used to automatically generate test vectors (aeadtvgen) d. Six reference high-speed implementations of Dummy authenticated ciphers (dummyN) 14

  15. The API Compliant Code Development Development Reference SpecificaCon Package C Code aeadtvgen Development Package Test Vectors dummyN Formulas for the ExecuCon Time Development Manual & Throughput Package Design Pass/ src_rtl Fail Functional HDL Code Verification Post Place & Route FPGA Tools Results Development (Resource UClizaCon, Package Max. Clock Frequency) AEAD_TB 15

  16. Overview of Submitted Designs

  17. Submitters 1. CCRG NTU (Nanyang Technological University) Singapore – ACORN, AEGIS, JAMBU, & MORUS 2. CLOC-SILC Team, Japan – CLOC & SILC 3. Ketje-Keyak Team – Ketje & Keyak 4. Lab Hubert Curien, St. Etienne, France – ELmD & TriviA-ck 5. Axel Y. Poschmann and Marc Stöttinger – Deoxys & Joltik 6. NEC Japan – AES-OTR 7. IAIK TU Graz, Austria – Ascon 8. DS Radboud University Nijmegen, Netherlands – HS1-SIV 9. IIS ETH Zurich, Switzerland – NORX 10. Pi-Cipher Team – Pi-Cipher 11. EmSec RUB, Germany – POET 12. CG UCL, INRIA – SCREAM 13. Shanghai Jiao Tong University, China – SHELL Total: 19 Candidate Families 17

  18. Submitters - GMU Benchmarking Team “Ice” Homsirikamol Will Diehl AES-GCM, AEZ, Minalpher Ascon, Deoxys, OMD HS1-SIV, ICEPOLE, POET Joltik, NORX, OCB, SCREAM PAEQ, Pi-Cipher, STRIBOB Farnoud Mike X. Ahmed Farahmand Lyons Ferozpuri AES-COPA TriviA-ck PRIMATEs- CLOC GIBBON & HANUMAN, PAEQ Total: 19 Candidate Families + AES-GCM 18

  19. Variant vs. Architecture Architectures Variants output_1 output input Variant 1 input Arch 1 Variant 2 output_2 output Arch 2 input input Typically different output_2 ≠ output_1 throughput, area 19

  20. Round 2 Statistics • 43 hardware design packages • 75 variant-architecture pairs • Covering the majority of primary variants of 28 out of 29 Round 2 Candidate Families (all except Tiaoxin) • High-speed implementation of AES-GCM (baseline) The biggest and the earliest hardware benchmarking effort in the history of cryptographic competitions 20

  21. Summary of Submitted Designs • 2 Compliant designs + 1 Non-Compliant Design 1: TriviA-ck • 2 Compliant designs 3: Ascon, CLOC, Minalpher • 1 Compliant Design + 1 Non-Compliant Design 8: Deoxys, ELmD, HS1-SIV, Joltik, NORX, Pi-Cipher, POET, SCREAM • 1 Compliant Design 17: ACORN, AEGIS, AES-COPA, AES-JAMBU, AES-OTR, AEZ, ICEPOLE, Ketje, Keyak, MORUS, OCB, OMD, PAEQ, PRIMATEs-GIBBON, HANUMAN, SHELL, SILC, STRIBOB • No Designs 1: Tiaoxin 21

  22. Non Compliant Designs Algorithm Hardware No Full-block No support Wrapper (Target) designers decryption width for CAESAR required interface API Protocol Deoxys Axel Y. X X X & Joltik Poschmann (ASIC) & Marc Stöttinger POET Amir X X (ASIC, Moradi FPGA) SCREAM Lubos X X (ASIC, Gaspar & FPGA) Stephanie Kerckhof NORX Michael X X X (ASIC) Muehl- berghuber 22

  23. Partial Compliance Keyak (by the Ketje-Keyak Team) • Compliance criteria: § supported maximum size for AD should be 2 32 -1 bytes • Implementation: § supported maximum size for AD is 24 bytes In the Motorist mode: metadata (AD) is input together with the plaintext and possibly in input blocks after it • Feature unique for Keyak • No plug-in replacement for AES-GCM 23

  24. Architectures • Majority of algorithms have designs based on Basic Iterative Architecture • One round per clock cycle • Straightforward • Easy to describe in VHDL/Verilog • Best or close to best throughput/area • Hard to optimize Other Architectures: § Lightweight: ACORN § Folded: HS1-SIV, Pi-Cipher § Unrolled (extra): Ascon, SCREAM § With Speculative Deoxys Precomputation: 24

  25. Key sizes • Majority of implemented ciphers support 128-bit keys only Exceptions: § AES-JAMBU, Ketje: 96 § AEZ: 384 § PRIMATEs: 80 & 120 § STRIBOB: 192 § Joltik: 64 & 128 § Pi-Cipher: 96, 128, 256 § Deoxys, NORX: 128 & 256 Possible allowed key ranges: |K| ≥ 96 |K| ≥ 120 covers all families covers all families except AES-JAMBU and Ketje • • excludes variants with covers stronger variants of PRIMATEs • • 64 and 80-bit keys excludes lightweight variants • 25

  26. PDI & DO Ports Width, w • The CAESAR API Minimum Compliance Criteria allow § High-speed: 32 ≤ w ≤ 256 § Lightweight: w = 8, 16, 32 • Majority of the API compliant implementations support w=32 or 64 only Exceptions: § ACORN: 8 & 32 § PRIMATEs: 40 § HS1-SIV: 128 § NORX, Pi-Cipher: 128 & 256 § AEGIS, ICEPOLE, MORUS: 256 26

  27. Benchmarking Methodology

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of High-Level Synthesis Tools Ekawat Homsirikamol and Kris Gaj George Mason University USA Based on work partially supported by the National Science

775 views • 50 slides
Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1 , Robin Ankele 2 1 Royal

Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1 , Robin Ankele 2 1 Royal

Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1 , Robin Ankele 2 1 Royal Holloway, University of London, UK 2 University of Oxford, UK September 27, 2016 Directions in Authenticated Ciphers - Nagoya, Japan Software

972 views • 46 slides
* Dr. Axel Voigt (voigt@caesar.de) research center caesar crystal growth group

* Dr. Axel Voigt (voigt@caesar.de) research center caesar crystal growth group

AMDiS Adaptive Multidimensional simulations: Parallel Concepts Parallel Concepts Christina Stcker (stoecker@caesar.de), Dr. Angel Ribalta (ribalta@caesar.de), Simon Vey (vey@caesar.de), * Dr. Axel Voigt (voigt@caesar.de) research

806 views • 23 slides
Fair School Funding Plan Regional Presentation A comprehensive, fair school funding plan for

Fair School Funding Plan Regional Presentation A comprehensive, fair school funding plan for

Fair School Funding Plan Regional Presentation A comprehensive, fair school funding plan for Ohio Sponsors: State Representatives Bob Cupp & John Patterson 2 1 Making School Funding Fair. and Getting it Right A New, Fair Funding

460 views • 3 slides
Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists Daniel J. Bernstein CAESAR timeline planned in 2012 2013.01: Announce tentative schedule. 2014.01: Deadline for first-round submissions.

527 views • 10 slides
A fair comparison of two stochastic optimization algorithms Benchmarking MPC vs SDDP April 10,

A fair comparison of two stochastic optimization algorithms Benchmarking MPC vs SDDP April 10,

A fair comparison of two stochastic optimization algorithms Benchmarking MPC vs SDDP April 10, 2017 1/33 Why using stochastic optimization? We aim to tackle uncertainties in Energy Management System. Problem: we do not know in advance the

764 views • 42 slides
Fair School Funding Plan A comprehensive, fair school funding plan for Ohio Sponsors: State

Fair School Funding Plan A comprehensive, fair school funding plan for Ohio Sponsors: State

Fair School Funding Plan A comprehensive, fair school funding plan for Ohio Sponsors: State Representatives Bob Cupp & John Patterson 2 Special Education Recommendations Fund & 100% Funding Return Count and fund Authorize

465 views • 19 slides
BUILDING STRONG The Friends of Caesar Creek is hosted at the Visitor Center and conducts its

BUILDING STRONG The Friends of Caesar Creek is hosted at the Visitor Center and conducts its

Friends of Caesar Creek is a not-for-profit volunteer organization dedicated to educating the public about the natural resources of the Caesar Creek Lake Region. They support the educational, scientific, and historical activities of the region

497 views • 18 slides
Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438

Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438

Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438 Outline Last time: low-level plumbing Today: top-down architecting of the Internet Goals Layering Protocols The end-to-end

946 views • 58 slides
Free and Fair Free and Fair Elections Elections Twenty-first Century Challenges At the

Free and Fair Free and Fair Elections Elections Twenty-first Century Challenges At the

Free and Fair Free and Fair Elections Elections Twenty-first Century Challenges At the December TACIR meeting, Commissioners voted to study elections and voting methods in Tennessee Goals of the comprehensive study: Increasing public

979 views • 23 slides
THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go

THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go

StreamableU Presentation THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go to one? 1 2 COLLEGE FAIR DOS AND DONTS HOW TO FIND A COLLEGE FAIR DONT DO NACAC - https://www.nacacfairs.org/

551 views • 5 slides
Benchmarking Lunch-n-Learn March 18, 2019 Agenda 1. Why Benchmarking? 2. Introduction to

Benchmarking Lunch-n-Learn March 18, 2019 Agenda 1. Why Benchmarking? 2. Introduction to

Benchmarking Lunch-n-Learn March 18, 2019 Agenda 1. Why Benchmarking? 2. Introduction to SoCalREN 3. Benchmarking and Compliance Overview What is Energy Benchmarking What is ENERGY STAR Portfolio Manager California Building

368 views • 35 slides
Dockerization Impacts in Database Performance Benchmarking ..,

Dockerization Impacts in Database Performance Benchmarking ..,

Dockerization Impacts in Database Performance Benchmarking .., -05-18 The Problems of Benchmarking Confjguration process of a single node is complex and involves a lot of efgort Benchmarking client;

466 views • 7 slides
B3 Benchmarking B3 Building Benchmarking Program Overview www.CleanEnergyResourceTeams.org B3

B3 Benchmarking B3 Building Benchmarking Program Overview www.CleanEnergyResourceTeams.org B3

B3 Benchmarking B3 Building Benchmarking Program Overview www.CleanEnergyResourceTeams.org B3 Benchmarking: Background B3 stands for: Buildings Benchmarking and Beyond www.CleanEnergyResourceTeams.org B3 Benchmarking: Background The

297 views • 25 slides
Benchmarking benchmarking, and optimizing optimization Daniel J. Bernstein University of

Benchmarking benchmarking, and optimizing optimization Daniel J. Bernstein University of

1 Benchmarking benchmarking, and optimizing optimization Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2 Bit operations per bit of plaintext (assuming precomputed subkeys), as listed in recent

1.07k views • 46 slides
Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2

Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2

Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2 1 IAIK, Graz University of Technology, Austria 2 Infineon Technologies AG, Austria 22nd Crypto Day, Infineon, Munich Overview CAESAR Design of

639 views • 25 slides
The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption September 29, 2015 Atul Luykx, Bart Preneel, Kan Yasuda 1 / 15 Modes of Operation p E K F K E K 2 / 15 Modes of Operation p E K F K

428 views • 42 slides
Bootable Cluster CD Supercomputing 2011 Ivan Babic Andrew Fitz Gibbon Mobeen Ludin Earlham

Bootable Cluster CD Supercomputing 2011 Ivan Babic Andrew Fitz Gibbon Mobeen Ludin Earlham

Bootable Cluster CD Supercomputing 2011 Ivan Babic Andrew Fitz Gibbon Mobeen Ludin Earlham College Shodor Foundation Earlham College ibabic09 at cs.earlham.edu fitz at cs.earlham.edu mmludin08 at cs.earlham.edu Tom Murphy Charlie Peck

487 views • 17 slides
Enabling Phylogenetic Research via the CIPRES Science Gateway Wayne Pfeiffer SDSC/UCSD

Enabling Phylogenetic Research via the CIPRES Science Gateway Wayne Pfeiffer SDSC/UCSD

Enabling Phylogenetic Research via the CIPRES Science Gateway Wayne Pfeiffer SDSC/UCSD August 5, 2013 In collaboration with Mark A. Miller, Terri Schwartz, & Bryan Lunt SDSC/UCSD Supported by NSF

238 views • 19 slides
Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton

Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton

Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton Ferrer Research Manager (AI Red Team @ Facebook) Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world ...with Manipulated

983 views • 79 slides
E B y M ichael T. G iBBons ngineering bachelors degrees remained virtually which have not

E B y M ichael T. G iBBons ngineering bachelors degrees remained virtually which have not

E nginEEring by thE n umbErs E B y M ichael T. G iBBons ngineering bachelors degrees remained virtually which have not abated since the mid-1990s. unchanged since last year, edging slightly Foreign nationals received a higher proportion

806 views • 36 slides
2 c/ 2 rt s

2 c/ 2 rt s

2 c/ 2 rt s ttt rt s P 1 t 2

516 views • 49 slides
Monge-Ampre Geometry and the Navier-Stokes Equations Ian Roulstone University of Surrey Joint

Monge-Ampre Geometry and the Navier-Stokes Equations Ian Roulstone University of Surrey Joint

Monge-Ampre Geometry and the Navier-Stokes Equations Ian Roulstone University of Surrey Joint with Bertrand Banos and Volodya Roubtsov ( J Phys A 2016), and more recent work with Martin Wolf and Jock McOrist (Surrey) New Trends in Applied

527 views • 36 slides
Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Introduction Motivation Specification for Beetle Hardware Implementation Results of Beetle Conclusions Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 , Nilanjan Datta 2 , Mridul Nandi 3 and Kan

614 views • 32 slides

More recommend