FPGA & Crypto: Is Marriage in the Cards?
Kris Gaj, George Mason University
fragments of the presentation at the CryptArchi workshop, France, June 2004
Possible Applications of Cryptographic Hardware
Why are cryptographic chips needed?
• hardware accelerators for web servers
SSL (Secure Socket Layer) – cryptographic protocol used by the majority of today's web servers to protect credit card numbers in on-line transactions, such as buying a book on amazon.com
Estimated number of web servers as of Oct. 2000: 6 million
Source: NEC Research; see http://www.pittsburghsolutions.com/eresearch-news.htm
However, only servers exposed to a large number of transactions require hardware acceleration
Why are cryptographic chips needed?
• hardware accelerators for Virtual Private Networks (VPNs)
IPSec (Secure Internet Protocol) – cryptographic protocol used to support VPNs (Virtual Private Networks), i.e., secure communication between remote Local Area Networks (LANs) over the Internet
IPSec optional in IP ver. 4, required in emerging IP ver. 6
Acceleration can be provided using:
- secure VPN gateways and routers
- secure client PCMCIA cards
Virtual Private Network
• local networks may belong to the same or different organizations
• security gateways may come from different vendors
(Diagram: hosts on two local networks connect through a security gateway on each side across the Internet; the two security gateways are the cryptographic end points; a remote user is also shown connecting over the Internet.)
Types of VPN devices
• high-end VPN devices, e.g. corporate security gateways and routers
- speeds reaching 1 Gbit/s and beyond
- delay & bandwidth sensitive applications: VoIP (Voice over IP), video conferencing
• low-end VPN devices, e.g. home routers
- low cost
- moderate speed (up to 10-100 Mbit/s)
Why are cryptographic chips needed?
• hardware accelerators for wireless gateways
IEEE 802.11 – most popular wireless protocol, including strong encryption and authentication
(Diagram: wireless gateway)
Why are cryptographic chips needed?
• Pay TV
- high volume
- Pay TV decoders must be tamper-resistant
- capability of a remote upgrade can substantially reduce the cost of recovering from an attack
• Storage Area Networks
- encryption of data during transmission and at rest
Why are cryptographic chips needed?
Low volume applications, cost not a major factor:
• space applications
• cipher breaking machines
• general-purpose reconfigurable supercomputers
High volume applications, cost a major factor:
• secure cell phones, PDAs, pagers
• smartcards
So how is it all done today?
Selected ASIC Security Chips (1)–(5)

Chip name | Encryption algorithms | HMAC algorithms | Data rate [Mbps] | Public key algorithms | Other
Broadcom BCM5823 | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR | SHA-1, MD5 | 500 | DH, RSA | On-chip RNG
Broadcom BCM5841 | 3DES-CBC, AES-CBC, AES-CTR | SHA-1, MD5 | 4,800 | none | In-line IPsec processing. On-chip SA database. RNG.
HiFn 7956 | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR, ARC4 | SHA-1, MD5 | 632 | DH, RSA | IPsec header and trailer processing. IKE support. On-chip SA database. LZS and MPPC compression. RNG.
HiFn 8350 HIPP III | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR, ARC4 | SHA-1, MD5, AES-XCBC | 4,000 | DH, RSA | In-line IPsec processing. On-chip SA database. IKE processing. RNG.
Cavium Nitrox Lite CN1010 | DES, 3DES, AES, ARC4 | SHA-1, MD5 | 1,000 | DH, RSA | In-line IPsec processing. RSA: 7K 1024-bit RSA's/sec. On-chip RNG.
Cavium NITROX II CN2560 | DES, 3DES, AES, ARC4 | SHA-1, MD5 | 10,000 | DH, RSA | In-line IPsec processing. RSA: 40K 1024-bit RSA's/sec. On-chip RNG. 2M SA's with 512 MB DRAM. Adapts to changing load.
SafeNet SafeXcel 1141 | DES-CBC, 3DES-CBC | SHA-1, MD5 | 265 | DH, RSA, DSA | IPsec processing. IKE processing. RNG.
SafeNet SafeXcel 1842 | DES-CBC, 3DES-CBC, AES-CBC | SHA-1, MD5 | 3,300 | DH, RSA, DSA | IPsec processing. IKE processing. RNG.
Intel IXP2850 | DES-CBC, 3DES-CBC, AES-CBC | SHA-1 | 10,000 | none | Network processor with cryptographic accelerator. Can do flow-through processing.

Families of Cavium chips: Nitrox Lite, Nitrox, Nitrox II

And many others …
Among them the following encryption chipmakers …
AEP Systems, Corrent, Motorola, Layer N Networks, NetContinuum, NetOctave, Philips Semiconductors, . . .
Vendors covered above: Broadcom, HiFn, Cavium, SafeNet, Intel
Cryptographic ASICs - Summary
• distributed market with multiple small players
• volumes sold by individual vendors may not justify ASIC solutions
• multiple companies already developing cryptographic IP cores for FPGAs (ALMA Technologies, Amphion, Bisquare Systems Private Ltd., Helion Technologies, Ocean Logic Pty Ltd., etc.)
How do FPGAs do?

Cryptographic Transformations Most Often Implemented
Secret-key cryptosystems: • Triple DES • AES-Rijndael • other AES finalists (Mars, RC6, Serpent, Twofish)
Hash functions: • SHA-1 • SHA-2 (256, 384, 512) • MD5
Public-key cryptosystems: • RSA • DH, DSA • ECC (Elliptic Curve Cryptosystems)
Secret-Key Encryption Cores: Major Architectures
(Chart: throughput vs. area. Architectures listed from the highest throughput and largest area down: Pipelined / Ultra fast, Fast, Standard, Compact / Tiny; throughput axis marks at 10 Gbit/s, 1 Gbit/s, 500 Mbit/s and 100 Mbit/s.)

Standard iterative architecture (diagram): the input block passes through a multiplexer into a register; the register feeds the combinational logic of one round, whose result is fed back through the multiplexer for the next iteration and, after the last round, taken as the output. The round key for each iteration is supplied by the key scheduling unit, which is driven by the key.
Implementations of AES candidates using Xilinx Virtex 1000 (charts)
Speed [Mbit/s]: bar chart for Serpent I8, Rijndael, Twofish, RC6, Mars and Serpent I1 with results from Worcester Polytechnic Institute, University of Southern California and George Mason University; bar labels shown: 431, 444, 414, 353, 294, 177, 173, 104, 149, 62, 143, 112, 88, 102, 61.
Area = Cost [CLB slices]: bar chart for the same ciphers and groups; bar labels shown: 1250, 5511, 1076, 2809, 2666, 1137, 1749, 2638, 2507, 4312, 3528, 2744, 4621, 4507, 7964.
Fully pipelined / Ultra fast architecture (diagram): all rounds are unrolled; round 1, round 2, …, round #rounds each consist of k pipeline stages, i.e. k registers per round.
Full mixed pipelining in Virtex FPGAs (Gaj & Chodowiec, RSA Conf. 2001)
Throughput [Gbit/s] for Serpent, Rijndael, Twofish and RC6 (bar chart): values shown 16.8, 15.2, 13.1, 12.2.
Area [CLB slices] for the same four ciphers (bar chart): values shown 19,700; 21,000; 46,900; 12,600; one of the designs additionally uses 80 dedicated memory blocks (RAMs).
Compact / Tiny AES Core
The entire design fits in a single Spartan-II XC2S30, second smallest in the Spartan-II family
Area | CLB Slices | BlockRAMs
available | 432 | 6
required for AES | 222 | 3
• Nearly 50% of the device available for other logic
• Throughput: 174 Mbps at 60 MHz clock frequency
Chodowiec & Gaj, CHES 2003
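The standard iterative datapath (register, one round of logic, multiplexer, key scheduling) and the fully pipelined datapath (all rounds unrolled, k stages per round) differ mainly in how many clock cycles each block occupies, and cycles per block together with clock frequency is what produces the data rates quoted in the core tables. The cycle-level model below is an added example, not code from the presentation or from any vendor named on the page; the 10-round count, the round function, the key schedule and the sample blocks are constructed stand-ins for the "one round" and "key scheduling" boxes. `throughput_mbit_s` also checks the compact core's figures quoted above: 174 Mbps at 60 MHz implies about 44 cycles per 128-bit block.

```python
from collections import deque

ROUNDS = 10                     # assumption: AES-128-style round count
BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1


def toy_round(state: int, round_key: int) -> int:
    """Stand-in for the 'one round' combinational-logic box: a 13-bit
    rotation followed by round-key mixing. Constructed for the timing
    model only; it is not a real cipher round."""
    rotated = ((state << 13) | (state >> (BLOCK_BITS - 13))) & MASK
    return rotated ^ round_key


def key_schedule(key: int) -> list:
    """Stand-in for the key scheduling block: derives one round key per
    round from the cipher key (constructed, not a real schedule)."""
    keys, k = [], key
    for r in range(ROUNDS):
        k = (k * 0x9E3779B97F4A7C15 + r + 1) & MASK
        keys.append(k)
    return keys


def reference_encrypt(block: int, keys: list) -> int:
    """Functional reference: apply all rounds one after another."""
    for rk in keys:
        block = toy_round(block, rk)
    return block


def run_iterative(blocks, keys):
    """Standard iterative architecture: one register, one round of logic,
    and a multiplexer that admits the next input block only after the
    current block has completed all ROUNDS iterations. Returns the
    outputs and the total number of clock cycles."""
    out, cycles = [], 0
    for blk in blocks:
        state = blk                       # mux selects the new input
        for rk in keys:                   # each iteration costs one cycle
            state = toy_round(state, rk)  # register -> round logic -> register
            cycles += 1
        out.append(state)
    return out, cycles


def run_pipelined(blocks, keys, k: int = 1):
    """Fully pipelined architecture: all ROUNDS rounds unrolled and each
    round cut into k pipeline stages (ROUNDS * k stage registers). A new
    block enters every cycle. Only the last stage of each round applies
    the round function; the other k-1 stages are the extra registers that
    let the clock run faster, so here they only delay the value."""
    depth = ROUNDS * k
    regs = [None] * depth                 # None marks an empty stage
    pending = deque(blocks)
    out, cycles = [], 0
    while pending or any(r is not None for r in regs):
        cycles += 1
        finished = regs[-1]               # value leaving the last register
        new_regs = [None] * depth
        for s in range(depth):
            v = (pending.popleft() if pending else None) if s == 0 else regs[s - 1]
            if v is not None and s % k == k - 1:
                v = toy_round(v, keys[s // k])
            new_regs[s] = v
        regs = new_regs
        if finished is not None:
            out.append(finished)
    return out, cycles


def throughput_mbit_s(block_bits: int, clock_mhz: float, cycles_per_block: float) -> float:
    """Throughput = block size x clock frequency / cycles per block."""
    return block_bits * clock_mhz / cycles_per_block


def demo(n_blocks: int = 100, k: int = 2) -> dict:
    """Run all three datapaths on constructed sample blocks and compare."""
    keys = key_schedule(0x000102030405060708090A0B0C0D0E0F)          # constructed key
    blocks = [(i * 0x0123456789ABCDEF0123456789ABCDEF + 7) & MASK for i in range(n_blocks)]
    expected = [reference_encrypt(b, keys) for b in blocks]
    it_out, it_cycles = run_iterative(blocks, keys)
    p1_out, p1_cycles = run_pipelined(blocks, keys, k=1)
    pk_out, pk_cycles = run_pipelined(blocks, keys, k=k)
    return {
        "all_architectures_agree": it_out == p1_out == pk_out == expected,
        "iterative_cycles": it_cycles,           # n_blocks * ROUNDS
        "pipelined_cycles": p1_cycles,           # n_blocks + ROUNDS
        "mixed_pipelined_cycles": pk_cycles,     # n_blocks + ROUNDS * k
        "iterative_blocks_per_cycle": n_blocks / it_cycles,
        "pipelined_blocks_per_cycle": n_blocks / p1_cycles,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    # The compact core above: 174 Mbps at 60 MHz implies about 44 cycles per block.
    print("compact core @ 44 cycles/block:", round(throughput_mbit_s(128, 60, 44), 1), "Mbit/s")
```

The iterative datapath needs ROUNDS cycles per block, so its throughput is 1/ROUNDS of the clock rate in blocks, while the pipelined datapath settles to one block per cycle after a fill latency of ROUNDS × k cycles; the mixed pipeline pays a longer fill but its shorter stages are what allow the higher clock behind the 10 Gbit/s class results on the charts.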
Amphion IP cores (1)
Virtex-II FPGA vs. ASIC TSMC 180nm

AES Encryption
Core | FPGA size [Slices] | FPGA data rate [Mbps] | ASIC size [gates] | ASIC data rate [Mbps] | ASIC/FPGA
Compact | 403 + 4 BRAM | 350 | 14.8K | 581 | 1.66
Standard | 696 + 4 BRAM | 250 – 341 | 18.2K | 426 – 581 | 1.70
Fast | 573 + 10 BRAM | 1,323 | 27K | 2,327 | 1.76
Ultra fast | 2181 + 100 BRAM | 10,880 | 203K | 25,600 | 2.35

AES Decryption
Compact | 549 + 4 BRAM | 290 | 16.4K | 581 | 2.00
Standard | 746 + 4 BRAM | 290 – 426 | 19.2K | 426 – 581 | 1.36
Fast | 778 + 10 BRAM | 1,064 | 34K | 2,327 | 2.19
Ultra fast | 3,998 + 100 BRAM | 9,344 | 283K | 25,600 | 2.74

Simplex AES Encryption / Decryption
Compact | 799 + 6 BRAM | 290 | 25K | 581 | 2.00
Standard | 1,256 + 18 BRAM | 930 | 49.3K | 2,327 | 2.50
Amphion IP cores (2)
Virtex-II FPGA vs. ASIC TSMC 180nm

DES / 3DES Encryption / Decryption
Core | FPGA size [Slices] | FPGA data rate [Mbps] | ASIC size [gates] | ASIC data rate [Mbps] | ASIC/FPGA
Ultra compact | 527 | 128 | 7.9K | 266 | 2.08
Compact | 803 | 240 | 11.8K | 533 | 2.22
Fast | 1,367 | 430 | 21.8K | 1,067 | 2.48
Ultra fast | 4,305 | 1,941 | 56.7K | 4,267 | 2.20

SHA-1 & SHA-2 cores
SHA-1 | 854 | 626 | 17K | 1,264 | 2.02
SHA-256 | 1,122 | 420 | 26K | 1,575 | 3.75
SHA-256 / 384 / 512 | 2,403 | 390 / 626 | 52K | 1,307 / 2,098 | 3.35 / 3.35
Helion Technologies cores
Virtex-II FPGA vs. ASIC TSMC 180nm

AES Encryption or Decryption
Core | FPGA size | FPGA data rate [Mbps] | ASIC size [gates] | ASIC data rate [Mbps] | ASIC/FPGA
Tiny | ? | < 25 | ? | < 30 | 1.20
Standard | 392 LUT + 3 BRAM | 223 | < 11K | > 500 | 2.24
Fast | 899 LUT + 10 BRAM | 1,699 | < 31K | > 2,000 | 1.18
Pipelined | ? | > 10,000 | ? | > 25,000 | 2.50

DES & 3DES (one core)
DES / 3DES | 888 LUT | 640 (DES), 230 (3DES) | < 6K | > 1,250 (DES), > 460 (3DES) | 1.95 (DES), 2.00 (3DES)

Hash functions
SHA-1 | 573 | 874 | 20K | > 1,000 | 1.14
MD5 | 613 + 1 BRAM | 744 | 16K | 1,140 | 1.53
SHA-256 | 849 + 1 BRAM | 685 | < 22K | 1,575 | 2.30
Public-Key Cryptosystems
• RSA
• DH, DSA
• ECC (Elliptic Curve Cryptosystems)

RSA – the best reported academic results obtained using FPGAs
Authors: T. Blum & C. Paar, WPI; ARITH 1999, IEEE Trans. on Computers, 2001
Platform: Xilinx XC40250XV-9 (8464 CLBs) and XC40150XV-8 (5184 CLBs)
Best result: number of RSA 1024-bit signatures per second: 322
RSA – results reported in the industry using ASICs
Number of RSA 1024-bit signatures per second:
SafeNet, SafeXcel 1842: 2,100
Cavium, CN1340, NitroxPlus: 42,000

(Chart residue; only the labels survived extraction: Orlando & Paar; Sun Microsystems; Lopez & Dahab; Okada, Tori, et al.; Weimerskirch, Paar, Shantz.)
FPGA Crypto - Summary
• FPGAs fully competitive with ASICs for implementation of secret key ciphers and hash functions
• FPGAs emerging as competitive with ASICs for implementation of public key cryptosystems
Problems:
- size of operands
- support for fast arithmetic operations
ASICs, Software, or maybe FPGAs?
FPGAs vs. ASICs
Pawel Chodowiec, GMU, PhD Thesis
Cryptographic applications "reserved" for ASICs
• smart cards
• wireless devices: cell phones, PDAs, pagers
Requirements that make FPGAs non-competitive for these applications:
• small size
• very low cost
• very low power consumption
• resistance to side-channel attacks such as power analysis or electromagnetic emission analysis
Why are FPGAs better for the remaining applications?
FPGAs vs. ASICs
Existing advantages:
• lower development costs
• shorter time to market
Potential advantages:
• lower maintenance costs: secure remote upgrades (patches), secure remote updates (new algorithms)
Why are FPGAs better for the remaining applications?
FPGAs vs. software
Existing advantages:
• speed
Potential advantages:
• true random number generation
• secure key storage
• resistance to tampering
Why are FPGAs Good Platforms for Cryptography?
(score per category: 3 = best, 1 = worst)
Category | ASICs | FPGAs | Software
Speed | 3 | 2 | 1
Development Cost | 1 | 2 | 3
Development Time | 1 | 2 | 3
Cost of Development Tools | 1 | 3 | 3
Tamper Resistance | 3 | 2 | 1
Key Protection | 3 | 2 | 1
Algorithm Agility | 1 | 3 | 3
Random Number Generation | 3 | 2 | 1
Totals | 16 | 18 | 16
Why are FPGAs not used in real-life applications?
Perceived difficulties:
• too small capacity
• too small speed
• low security
Real difficulties:
• remote upgrade
• tamper resistance
• key protection
• random number generation