SLIDE 1
UCL Crypto Group
Microelectronics Laboratory
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 2
Context
◮ More lightweight devices in more applications
Towards Green Cryptography: a Comparison of Lightweight Ciphers from - - PowerPoint PPT Presentation
Towards Green Cryptography: a Comparison of Lightweight Ciphers from - - PowerPoint PPT Presentation
Towards Green Cryptography: a Comparison of Lightweight Ciphers from the Energy Viewpoint St ephanie Kerckhof, Fran cois Durvaux, C edric Hoquet, David Bol, Fran cois-Xavier Standaert CHES 2012 September 2012 UCL Crypto Group
SLIDE 2
SLIDE 3
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 3
Outline
1 Motivations 2 This Work 3 Observations 4 Conclusion
SLIDE 4
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES
SLIDE 5
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON
SLIDE 6
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG
SLIDE 7
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG HIGHT mCrypton SEA
SLIDE 8
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG HIGHT mCrypton SEA PRESENT
SLIDE 9
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG HIGHT mCrypton SEA PRESENT KATAN TWIS MIBS
SLIDE 10
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG HIGHT mCrypton SEA PRESENT KATAN TWIS MIBS Piccolo LBlock
SLIDE 11
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG HIGHT mCrypton SEA PRESENT KATAN TWIS MIBS Piccolo LBlock KLEIN
SLIDE 12
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG HIGHT mCrypton SEA PRESENT KATAN TWIS MIBS Piccolo LBlock KLEIN
◮ Many lightweight ciphers
SLIDE 13
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 4
Lightweight Ciphers
2002 2004 2006 2008 2010 2012 AES TEA NOEKEON ICEBERG HIGHT mCrypton SEA PRESENT KATAN TWIS MIBS Piccolo LBlock KLEIN
◮ Many lightweight ciphers ◮ Few comparative studies → Lack of standardization? ◮ Existing implementations → Different technologies
→ Focused on gate count
SLIDE 14
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 5
What is Lightweight?
SLIDE 15
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 5
What is Lightweight?
I’m lightweight
SLIDE 16
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 5
What is Lightweight?
I’m lightweight
SLIDE 17
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 5
What is Lightweight?
I’m lightweight
SLIDE 18
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 5
What is Lightweight?
I’m lightweight
SLIDE 19
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 6
What is Lightweight?
◮ Which criteria?
→ Low area? → Low power? → Low energy? → Still fast?
◮ Limitation: Relativity of metrics
→ Possibility to optimize one criteria at the expense
- f another one
I’m lightweight
SLIDE 20
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 7
How Relevant is Lightweight Cryptography?
◮ Changing algorithm is expensive ◮ How much do we gain compared to ◮ Hardware design choices (e.g. architecture) ◮ Implementation choices (e.g. frequency/voltage scaling)
SLIDE 21
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 8
Outline
1 Motivations 2 This Work 3 Observations 4 Conclusion
SLIDE 22
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 9
This Work
Algorithms choice
◮ Block and key sizes ◮ Different types of key scheduling ◮ Different combinations of encryption/decryption
Block Key Ciphers 128 128 aes noekeon 64 128 hight iceberg 64 80 katan present
SLIDE 23
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 10
This Work
Flexible architecture
◮ 3 core options (Enc, Dec, Enc/Dec) ◮ Unrolling parameter Nr
SLIDE 24
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 11
This Work
Technology: Low-power 65 nm CMOS Comparative study
◮ At fixed frequency f100 ◮ At maximum frequency fmax (max. area penalty = 10%) ◮ For all metrics
Area Frequency Power Energy Throughput Frequency/Voltage scaling Eop = 1
2NswCLV2 dd + Eleak
SLIDE 25
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 12
Outline
1 Motivations 2 This Work 3 Observations Interpretation of Synthesis Results Impact of Algorithmic Design Choices 4 Conclusion
SLIDE 26
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 13
Critical Path
Expectation: Number of rounds x 2 ⇒ Critical path x 2
0.5 1 2 4 8 1 2 4 8 Number of rounds Critical path [ns]
NOEKEON HIGHT
SLIDE 27
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 13
Critical Path
Expectation: Number of rounds x 2 ⇒ Critical path x 2
0.5 1 2 4 8 1 2 4 8 Number of rounds Critical path [ns]
NOEKEON HIGHT
SLIDE 28
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 13
Critical Path
Expectation: Number of rounds x 2 ⇒ Critical path x 2 Observation: Critical path not always in the round logic
0.5 1 2 4 8 1 2 4 8 Number of rounds Critical path [ns]
NOEKEON HIGHT
SLIDE 29
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 14
Area
Naive expectation: Number of rounds x 2 ⇒ Area x 2
Number of rounds Area [GE] 28 29 210 211 212 213 214 215 216 1 2 4 8 16 32
PRESENT KATAN
SLIDE 30
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 14
Area
Naive expectation: Number of rounds x 2 ⇒ Area x 2
Number of rounds Area [GE] 28 29 210 211 212 213 214 215 216 1 2 4 8 16 32
PRESENT KATAN
SLIDE 31
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 14
Area
Naive expectation: Number of rounds x 2 ⇒ Area x 2 Observation: Main component of area = state register
Number of rounds Area [GE] 28 29 210 211 212 213 214 215 216 1 2 4 8 16 32
PRESENT KATAN
SLIDE 32
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 15
Throughput
Expectation: Round unrolling should not make sense at fmax
Number of rounds Throughput [Mbits/s] 100 200 300 400 1 2 4 8
16 32
ICEBERG KATAN
SLIDE 33
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 15
Throughput
Expectation: Round unrolling should not make sense at fmax
Number of rounds Throughput [Mbits/s] 100 200 300 400 1 2 4 8
16 32
ICEBERG KATAN
SLIDE 34
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 15
Throughput
Expectation: Round unrolling should not make sense at fmax Observation: And for extremely simple rounds
Number of rounds Throughput [Mbits/s] 100 200 300 400 1 2 4 8
16 32
ICEBERG KATAN
SLIDE 35
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 16
Energy
Expectation: Energy stable with number of rounds
Number of rounds Energy per bit [pJ]
NOEKEON PRESENT HIGHT KATAN ICEBERG
1 2 4 8 16 1 2 4 8 16 32
SLIDE 36
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 16
Energy
Expectation: Energy stable with number of rounds Observation: Energy more or less stable
Number of rounds Energy per bit [pJ]
NOEKEON PRESENT HIGHT KATAN ICEBERG
1 2 4 8 16 1 2 4 8 16 32
SLIDE 37
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 16
Energy
Expectation: Energy stable with number of rounds Observation: Trend observed later for KATAN
Number of rounds Energy per bit [pJ]
NOEKEON PRESENT HIGHT KATAN ICEBERG
1 2 4 8 16 1 2 4 8 16 32
SLIDE 38
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 17
Outline
1 Motivations 2 This Work 3 Observations Interpretation of Synthesis Results Impact of Algorithmic Design Choices 4 Conclusion
SLIDE 39
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 18
Encryption Only
Energy per bit [pJ]
1 2 4 8 16 1 2−2 2−4
Throughput/Area [Mbits/sµm2]
1 2 4 8 16 1 2−2 2−4
ICEBERG AES HIGHT KATAN PRESENT NOEKEON
SLIDE 40
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 18
Impact of Key Scheduling
Energy per bit [pJ]
1 2 4 8 16 1 2−2 2−4
Throughput/Area [Mbits/sµm2]
1 2 4 8 16 1 2−2 2−4
ICEBERG AES HIGHT KATAN PRESENT NOEKEON
SLIDE 41
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 18
Encryption/Decryption
Energy per bit [pJ]
1 2 4 8 16 1 2−2 2−4
Throughput/Area [Mbits/sµm2]
1 2 4 8 16 1 2−2 2−4
ICEBERG AES HIGHT KATAN PRESENT NOEKEON
SLIDE 42
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 18
”On the Fly” Key Scheduling
Energy per bit [pJ]
1 2 4 8 16 1 2−2 2−4
Throughput/Area [Mbits/sµm2]
1 2 4 8 16 1 2−2 2−4
ICEBERG AES HIGHT KATAN PRESENT NOEKEON
SLIDE 43
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 18
- vs. not ”On the Fly” Key Scheduling
Energy per bit [pJ]
1 2 4 8 16 1 2−2 2−4
Throughput/Area [Mbits/sµm2]
1 2 4 8 16 1 2−2 2−4
ICEBERG AES HIGHT KATAN PRESENT NOEKEON
SLIDE 44
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 19
Efficiency
Throughput/(Energy x Area) 0.1 0.2 0.3 0.4 0.5 0.6 NOEKEON KATAN PRESENT
NOEKEON KATAN PRESENT
SLIDE 45
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 19
Efficiency
Observation: Definition of round is arbitrary
Throughput/(Energy x Area) 0.1 0.2 0.3 0.4 0.5 0.6 NOEKEON KATAN PRESENT 18 cycles/enc. 17 cycles/enc. 17 cycles/enc.
NOEKEON KATAN PRESENT
SLIDE 46
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 20
Frequency/Voltage Scaling
Observation: Better energy gain with frequency/voltage scaling
Energy per bit [pJ] Algorithm choice
1 2 3 4
Vdd [V]
1 2 3 4 1.2 1 0.8 0.6 0.5 0.4
NOEKEON PRESENT HIGHT KATAN ICEBERG AES
SLIDE 47
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 21
Outline
1 Motivations 2 This Work 3 Observations 4 Conclusion
SLIDE 48
UCL Crypto Group
Microelectronics Laboratory
Towards Green Cryptography - September 2012 22
Conclusion
Comparative studies are usefull Energy: Interesting efficiency metric Algorithm design
◮ Definition of round is arbitrary ◮ Impact of key scheduling ◮ Efficient combination of encryption and decryption
AES is a low energy cipher Voltage scaling: If allowed, has strong impact on energy
SLIDE 49
UCL Crypto Group
Microelectronics Laboratory