FPGA & Crypto: Is Marriage in the Cards? Kris Gaj George Mason University fragments of the...


Page 1: FPGA & Crypto: Is Marriage in the Cards? Kris Gaj George Mason University fragments of the presentation at the CryptArchi workshop, France, June 2004.

FPGA & Crypto: Is Marriage in the Cards?

Kris Gaj, George Mason University

fragments of the presentation

at the CryptArchi workshop, France, June 2004

Page 2:

Possible Applications of Cryptographic Hardware

Page 3:

Why are cryptographic chips needed?

• hardware accelerators for web servers

SSL (Secure Sockets Layer) – cryptographic protocol used by the majority of today’s web servers to protect credit card numbers in on-line transactions, such as buying a book on amazon.com

Estimated number of web servers as of Oct. 2000: 6 million
Source: NEC Research
See http://www.pittsburghsolutions.com/eresearch-news.htm

However, only servers exposed to a large number of transactions require hardware acceleration

Page 4:

Why are cryptographic chips needed?

• hardware accelerators for Virtual Private Networks (VPNs)

IPSec (Secure Internet Protocol) – cryptographic protocol used to support VPNs (Virtual Private Networks), i.e., secure communication between remote Local Area Networks (LANs) using the Internet

IPSec optional in IP ver. 4, required in emerging IP ver. 6

Acceleration can be provided using:
- secure VPN gateways and routers
- secure client PCMCIA cards

Page 5:

Virtual Private Network

• local networks may belong to the same or different organizations
• security gateways may come from different vendors

[Figure: Virtual Private Network diagram. Labels: Internet, Security gateway (twice), Cryptographic end points, Host (four times), Remote user]

Page 6:

Types of VPN devices

• high-end VPN devices
  e.g. corporate security gateways and routers
  - speeds reaching 1 Gbit/s and beyond
  - delay & bandwidth sensitive applications: VoIP (Voice over IP), video conferencing

• low-end VPN devices
  e.g. home routers
  - low cost
  - moderate speed (up to 10-100 Mbit/s)

Page 7:

Why are cryptographic chips needed?

• hardware accelerators for wireless gateways

IEEE 802.11 – most popular wireless protocol including strong encryption and authentication

[Figure: wireless gateway]

Page 8:

Why are cryptographic chips needed?

• Pay TV

• High volume

• Pay TV decoders must be tamper-resistant

• Capability of a remote upgrade can substantially reduce the cost of recovering from an attack

• Storage Area Networks

Encryption of data during transmission and at rest.

Page 9:

Why are cryptographic chips needed?

• space applications

• cipher breaking machines

• secure cell phones, PDAs, pagers

Low volume applications, cost not a major factor

• general-purpose reconfigurable supercomputers

• smartcards

High volume applications, cost a major factor

Page 10:

So how is it all done today?

Page 11:

Selected ASIC Security Chips (1)

| Chip name | Encryption algorithms | HMAC algorithms | Data rate [Mbps] | Public key algorithms | Other |
|---|---|---|---|---|---|
| Broadcom BCM5823 | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR | SHA-1, MD5 | 500 | DH, RSA | On-chip RNG |
| Broadcom BCM5841 | 3DES-CBC, AES-CBC, AES-CTR | SHA-1, MD5 | 4,800 | none | In-line IPsec processing. On-chip SA database. RNG. |

Page 12:

Selected ASIC Security Chips (2)

| Chip name | Encryption algorithms | HMAC algorithms | Data rate [Mbps] | Public key algorithms | Other |
|---|---|---|---|---|---|
| HiFn 7956 | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR, ARC4 | SHA-1, MD5 | 632 | DH, RSA | IPsec header and trailer processing. IKE support. On-chip SA database. LZS and MPPC compression. RNG |
| HiFn 8350 HIPP III | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR, ARC4 | SHA-1, MD5, AES-XCBC | 4,000 | DH, RSA | In-line IPsec processing. On-chip SA database. IKE processing. RNG |

Page 13:

Selected ASIC Security Chips (3)

| Chip name | Encryption algorithms | HMAC algorithms | Data rate [Mbps] | Public key algorithms | Other |
|---|---|---|---|---|---|
| Nitrox Lite CN1010 | DES, 3DES, AES, ARC4 | SHA-1, MD5 | 1,000 | DH, RSA | In-line IPsec processing. RSA 7K 1024 RSA's/sec. On-chip RNG. |
| NITROX II CN2560 | DES, 3DES, AES, ARC4 | SHA-1, MD5 | 10,000 | DH, RSA | In-line IPsec processing. RSA 40K 1024 RSA's/sec. On-chip RNG. 2M SA's with 512 MB DRAM. Adapts to changing load. |

Page 14:

Families of Cavium chips:

Nitrox Lite, Nitrox, Nitrox II

Page 15:

Selected ASIC Security Chips (4)

| Chip name | Encryption algorithms | HMAC algorithms | Data rate [Mbps] | Public key algorithms | Other |
|---|---|---|---|---|---|
| SafeNet SafeXcel 1141 | DES-CBC, 3DES-CBC | SHA-1, MD5 | 265 | DH, RSA, DSA | IPsec processing. IKE processing. RNG. |
| SafeNet SafeXcel 1842 | DES-CBC, 3DES-CBC, AES-CBC | SHA-1, MD5 | 3,300 | DH, RSA, DSA | IPsec processing. IKE processing. RNG. |

Page 16:

Selected ASIC Security Chips (5)

| Chip name | Encryption algorithms | HMAC algorithms | Data rate [Mbps] | Public key algorithms | Other |
|---|---|---|---|---|---|
| Intel IXP2850 | DES-CBC, 3DES-CBC, AES-CBC | SHA-1 | 10,000 | none | Network processor with cryptographic accelerator. Can do flow-through processing. |

Page 17:

And many others …

Page 18:

Among them the following encryption chipmakers …

AEP Systems

Corrent

Motorola

Layer N Networks

NetContinuum

NetOctave

Philips Semiconductors

. . . . . .

Broadcom

HiFn

Cavium

SafeNet

Intel

Page 19:

Cryptographic ASICs - Summary

• distributed market with multiple small players

• volumes sold by individual vendors may not justify ASIC solutions

• multiple companies already developing cryptographic IP cores for FPGAs (ALMA Technologies, Amphion, Bisquare Systems Private Ltd., Helion Technologies, Ocean Logic Pty Ltd., etc.)

Page 20:

How do FPGAs do?

Page 21:

Cryptographic Transformations Most Often Implemented

Secret-key Cryptosystems
• Triple DES
• AES-Rijndael
• other AES finalists (Mars, RC6, Serpent, Twofish)

Hash Functions
• SHA-1
• SHA-2 (256, 384, 512)
• MD5

Public-Key Cryptosystems
• RSA
• DH, DSA
• ECC (Elliptic Curve Cryptosystems)

Page 22:

Secret-Key Encryption Cores: Major Architectures

[Figure: architectures plotted by Throughput against Area. Throughput levels: 10 Gbit/s, 1 Gbit/s, 500 Mbit/s, 100 Mbit/s. Architectures: Pipelined / Ultra fast, Fast, Standard, Compact / Tiny]

Page 23:

Standard iterative architecture

[Figure: block diagram. Labels: input, multiplexer, register, combinational logic (one round), round key, Key scheduling, key, output]

Page 24:

Implementations of AES candidates using Xilinx, Virtex 1000

[Figure: bar chart of Speed [Mbit/s] for Serpent I8, Rijndael, Twofish, RC6, Mars and Serpent I1, comparing implementations from Worcester Polytechnic Institute, University of Southern California and George Mason University. Bar values as extracted, not matched to bars: 431, 444, 414, 353, 294, 177, 173, 104, 149, 62, 143, 112, 88, 102, 61]

Page 25:

Implementations of AES candidates using Xilinx, Virtex 1000

[Figure: bar chart of Area = Cost [CLB slices] for Serpent I8, Rijndael, Twofish, RC6, Mars and Serpent I1, comparing implementations from Worcester Polytechnic Institute, University of Southern California and George Mason University. Bar values as extracted, not matched to bars: 1250, 5511, 1076, 2809, 2666, 1137, 1749, 2638, 2507, 4312, 3528, 2744, 4621, 4507, 7964]

Page 26:

Fully pipelined / Ultra fast architecture

[Figure: chain of rounds. Labels: round 1 = k pipeline stages, round 2 = k pipeline stages, . . . , round #rounds = k pipeline stages; k registers]

Page 27:

Full mixed pipelining in Virtex FPGAs

Gaj & Chodowiec, RSA Conf. 2001

[Figure: bar chart of Throughput [Gbit/s] for Serpent, Rijndael, Twofish and RC6. Bar values as extracted, not matched to ciphers: 16.8, 15.2, 13.1, 12.2]

Page 28:

Full mixed pipelining in Virtex FPGAs

Gaj & Chodowiec, RSA Conf. 2001

[Figure: bar chart of Area [CLB slices] for Serpent, Rijndael, Twofish and RC6. Bar values as extracted, not matched to ciphers: 19,700, 21,000, 46,900, 12,600. Annotation: 80 RAMs (dedicated memory blocks, RAMs)]

Page 29:

Compact / Tiny AES Core

The entire design fits in a single Spartan-II XC2S30, second smallest in the Spartan-II family

| Area | CLB Slices | BlockRAMs |
|---|---|---|
| available | 432 | 6 |
| required for AES | 222 | 3 |

• Nearly 50% of the device available for other logic

• Throughput: 174 Mbps at 60 MHz clock frequency

Chodowiec & Gaj, CHES 2003

Page 30:

Page 31:

Amphion IP cores (1)

| Core | Virtex-II FPGA: Size [Slices] | Virtex-II FPGA: Data rate [Mbps] | ASIC TSMC 180nm: Size [gates] | ASIC TSMC 180nm: Data rate [Mbps] | ASIC/FPGA |
|---|---|---|---|---|---|
| AES Encryption | | | | | |
| Compact | 403 + 4 BRAM | 350 | 14.8K | 581 | 1.66 |
| Standard | 696 + 4 BRAM | 250 – 341 | 18.2K | 426 – 581 | 1.70 |
| Fast | 573 + 10 BRAM | 1,323 | 27K | 2,327 | 1.76 |
| Ultra fast | 2181 + 100 BRAM | 10,880 | 203K | 25,600 | 2.35 |
| AES Decryption | | | | | |
| Compact | 549 + 4 BRAM | 290 | 16.4K | 581 | 2.00 |
| Standard | 746 + 4 BRAM | 290 – 426 | 19.2K | 426 – 581 | 1.36 |
| Fast | 778 + 10 BRAM | 1,064 | 34K | 2,327 | 2.19 |
| Ultra fast | 3,998 + 100 BRAM | 9,344 | 283K | 25,600 | 2.74 |
| Simplex AES Encryption / Decryption | | | | | |
| Compact | 799 + 6 BRAM | 290 | 25K | 581 | 2.00 |
| Standard | 1,256 + 18 BRAM | 930 | 49.3K | 2,327 | 2.50 |

Page 32:

Amphion IP cores (2)

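| Core | Virtex-II FPGA: Size [Slices] | Virtex-II FPGA: Data rate [Mbps] | ASIC TSMC 180nm: Size [gates] | ASIC TSMC 180nm: Data rate [Mbps] | ASIC/FPGA |
|---|---|---|---|---|---|
| DES / 3DES Encryption / Decryption | | | | | |
| Ultra compact | 527 | 128 | 7.9K | 266 | 2.08 |
| Compact | 803 | 240 | 11.8K | 533 | 2.22 |
| Fast | 1,367 | 430 | 21.8K | 1,067 | 2.48 |
| Ultra fast | 4,305 | 1,941 | 56.7K | 4,267 | 2.20 |
| SHA-1 & SHA-2 cores | | | | | |
| SHA-1 | 854 | 626 | 17K | 1,264 | 2.02 |
| SHA-256 | 1,122 | 420 | 26K | 1,575 | 3.75 |
| SHA–256 / 384 / 512 | 2,403 | 390 / 626 | 52K | 1,307 / 2,098 | 3.35 / 3.35 |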

Page 33:

Helion Technologies cores

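| Core | Virtex-II FPGA: Size [Slices] | Virtex-II FPGA: Data rate [Mbps] | ASIC TSMC 180nm: Size [gates] | ASIC TSMC 180nm: Data rate [Mbps] | ASIC/FPGA |
|---|---|---|---|---|---|
| AES Encryption or Decryption | | | | | |
| Tiny | ? | < 25 | ? | < 30 | 1.20 |
| Standard | 392 LUT + 3 BRAM | 223 | < 11K | > 500 | 2.24 |
| Fast | 899 LUT + 10 BRAM | 1,699 | < 31 K | > 2,000 | 1.18 |
| Pipelined | ? | > 10,000 | ? | > 25,000 | 2.50 |
| DES & 3DES | | | | | |
| DES / 3DES | 888 LUT | 640 / 230 | < 6K | > 1,250 / > 460 | 1.95 / 2.00 |
| Hash functions | | | | | |
| SHA-1 | 573 | 874 | 20K | > 1,000 | 1.14 |
| MD5 | 613 + 1 BRAM | 744 | 16K | 1,140 | 1.53 |
| SHA-256 | 849 + 1 BRAM | 685 | < 22K | 1,575 | 2.30 |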

Page 34:

Public-Key Cryptosystems

• RSA
• DH, DSA
• ECC (Elliptic Curve Cryptosystems)

Page 35:

RSA – the best reported academic results obtained using FPGAs

Authors: T. Blum & C. Paar, WPI

ARITH 1999, IEEE Trans. on Computers, 2001

Platform: Xilinx XC40250XV-9 (8464 CLBs) and XC40150XV-8 (5184 CLBs)

Best result:

Number of the RSA 1024-bit signatures per second: 322

Page 36:

RSA – results reported in the industry using ASICs

Number of the RSA 1024-bit signatures per second:

SafeNet, SafeXcel 1842: 2,100

Cavium, CN1340, NitroxPlus: 42,000

Page 37:

Orlando & Paar

Sun Microsystems

Lopez & Dahab

Okada, Tori, et al.

Weimerskirch, Paar, Shantz

Page 38:

FPGA Crypto - Summary

• FPGAs fully competitive with ASICs for implementation of secret key ciphers and hash functions

• FPGAs emerging as competitive with ASICs for implementation of public key cryptosystems

Problems:

size of operands

support for fast arithmetic operations

Page 39:

ASICs, Software, or maybe FPGAs?

Page 40:

FPGAs vs. ASICs

Pawel Chodowiec, GMU, PhD Thesis

Page 41:

Pawel Chodowiec, GMU, PhD Thesis

Page 42:

Cryptographic applications “reserved” for ASICs

• smart cards

• wireless devices: cell phones, PDAs, pagers

Requirements that make FPGAs non-competitive for these applications:

• small size
• very low cost
• very low power consumption
• resistance to side-channel attacks such as power analysis or electromagnetic emission analysis

Page 43:

Why are FPGAs better for the remaining applications?

FPGAs vs. ASICs

Existing advantages:

• lower development costs
• shorter time to the market

Potential advantages:

• lower maintenance costs
  Secure remote upgrades (patches)
  Secure remote updates (new algorithms)

Page 44:

Why are FPGAs better for the remaining applications?

FPGAs vs. software

Existing advantages:

• speed

Potential advantages:

• true random number generation
• secure key storage
• resistance to tampering

Page 45:

Why are FPGAs Good Platforms for Cryptography?

Category ASICs FPGAs Software

Speed 3 2 1

Development Cost 1 2 3

Development Time 1 2 3

Cost of Development Tools 1 3 3

Tamper Resistance 3 2 1

Key Protection 3 2 1

Algorithm Agility 1 3 3

Random Number Generation 3 2 1

Totals: 16 18 16

Page 46:

Why are FPGAs not used in real-life applications?

Perceived difficulties:

• too small capacity

• too small speed

• low security

Real difficulties:

• remote upgrade

• tamper resistance

• key protection

• random number generation