
FPGA & Crypto: Is Marriage in the Cards?

Kris Gaj, George Mason University. Fragments of the presentation at the CryptArchi workshop, France, June 2004.

Presentation Transcript


  1. Kris Gaj, George Mason University. FPGA & Crypto: Is Marriage in the Cards? Fragments of the presentation at the CryptArchi workshop, France, June 2004

  2. Possible Applications of Cryptographic Hardware

  3. Why are cryptographic chips needed?
     • hardware accelerators for web servers
     • SSL (Secure Socket Layer) – cryptographic protocol used by the majority of today’s web servers to protect credit card numbers for on-line transactions, such as buying a book on amazon.com
     • Estimated number of web servers as of Oct. 2000: 6 million (Source: NEC Research; see http://www.pittsburghsolutions.com/eresearch-news.htm)
     • However, only servers exposed to a large number of transactions require hardware acceleration

  4. Why are cryptographic chips needed?
     • hardware accelerators for Virtual Private Networks (VPNs)
     • IPSec (Secure Internet Protocol) – cryptographic protocol used to support VPNs (Virtual Private Networks), i.e., secure communication between remote Local Area Networks (LANs) using the Internet
     • IPSec optional in IP ver. 4, required in emerging IP ver. 6
     • Acceleration can be provided using:
       - secure VPN gateways and routers
       - secure client PCMCIA cards

  5. Virtual Private Network
     [Figure: network diagram; labels: Remote user, Security gateway, Host, Internet, Cryptographic end points]
     • local networks may belong to the same or different organizations
     • security gateways may come from different vendors

  6. Types of VPN devices
     • high-end VPN devices
       - e.g. corporate security gateways and routers
       - speeds reaching 1 Gbit/s and beyond
       - delay & bandwidth sensitive applications: VoIP (Voice over IP), video conferencing
     • low-end VPN devices
       - e.g. home routers
       - low cost
       - moderate speed (up to 10-100 Mbit/s)

  7. Why are cryptographic chips needed?
     • hardware accelerators for wireless gateways
     • IEEE 802.11 – most popular wireless protocol, including strong encryption and authentication
     [Figure: wireless gateway]

  8. Why are cryptographic chips needed?
     • Storage Area Networks
       - Encryption of data during transmission and at rest
     • Pay TV
       - High volume
       - Pay TV decoders must be tamper-resistant
       - Capability of a remote upgrade can substantially reduce the cost of recovering from an attack

  9. Why are cryptographic chips needed?
     Low volume applications, cost not a major factor
     • space applications
     • cipher breaking machines
     • general-purpose reconfigurable supercomputers
     High volume applications, cost a major factor
     • secure cell phones, PDAs, pagers
     • smartcards

  10. So how is it all done today?

  11. Selected ASIC Security Chips (1)

  12. Selected ASIC Security Chips (2)

  13. Selected ASIC Security Chips (3)

  14. Families of Cavium chips: Nitrox Lite, Nitrox, Nitrox II

  15. Selected ASIC Security Chips (4)

  16. Selected ASIC Security Chips (5)

  17. And many others …

  18. Among them the following encryption chipmakers: Broadcom, HiFn, Cavium, SafeNet, Intel, AEP Systems, Corrent, Motorola, Layer N Networks, NetContinuum, NetOctave, Philips Semiconductors, …

  19. Cryptographic ASICs - Summary
     • distributed market with multiple small players
     • volumes sold by individual vendors may not justify ASIC solutions
     • multiple companies already developing cryptographic IP cores for FPGAs (ALMA Technologies, Amphion, Bisquare Systems Private Ltd., Helion Technologies, Ocean Logic Pty Ltd., etc.)

  20. How do FPGAs do?

  21. Cryptographic Transformations Most Often Implemented
     Secret-key Cryptosystems
     • Triple DES
     • AES-Rijndael
     • other AES finalists (Mars, RC6, Serpent, Twofish)
     Hash Functions
     • SHA-1
     • SHA-2 (256, 384, 512)
     • MD5
     Public-Key Cryptosystems
     • RSA
     • DH, DSA
     • ECC (Elliptic Curve Cryptosystems)

  22. Secret-Key Encryption Cores: Major Architectures
     [Figure: throughput vs. area chart of the architecture classes Pipelined / Ultra fast, Fast, Standard and Compact / Tiny; throughput axis marked at 10 Gbit/s, 1 Gbit/s, 500 Mbit/s and 100 Mbit/s]

  23. Standard iterative architecture
     [Figure: block diagram; labels: input, multiplexer, key, register, one round, combinational logic, key scheduling, round key, output]

  24. Implementations of AES candidates using Xilinx Virtex 1000: Speed [Mbit/s]
     [Figure: bar chart of speed in Mbit/s for RC6, Mars, Rijndael, Twofish, Serpent I1 and Serpent I8, comparing implementations by George Mason University, University of Southern California and Worcester Polytechnic Institute]

  25. Implementations of AES candidates using Xilinx Virtex 1000: Area = Cost [CLB slices]
     [Figure: bar chart of area in CLB slices for Serpent I8, Serpent I1, Twofish, Mars, Rijndael and RC6, comparing implementations by George Mason University, University of Southern California and Worcester Polytechnic Institute]

  26. Fully pipelined / Ultra fast architecture
     [Figure: block diagram of round 1, round 2, …, round #rounds in sequence; labels: k registers, each round = k pipeline stages]

  27. Full mixed pipelining in Virtex FPGAs (Gaj & Chodowiec, RSA Conf. 2001): Throughput [Gbit/s]
     [Figure: bar chart of throughput in Gbit/s for Serpent, RC6, Twofish and Rijndael]

  28. Full mixed pipelining in Virtex FPGAs (Gaj & Chodowiec, RSA Conf. 2001): Area [CLB slices]
     [Figure: bar chart of area in CLB slices for Serpent, Twofish, RC6 and Rijndael; annotation: dedicated memory blocks, 80 RAMs]

  29. Compact / Tiny AES Core (Chodowiec & Gaj, CHES 2003)
     • Area: 222 CLB slices required for AES out of 432 available; 3 BlockRAMs required for AES out of 6 available
     • The entire design fits in a single Spartan-II XC2S30, second smallest in the Spartan-II family
     • Nearly 50% of the device available for other logic
     • Throughput: 174 Mbps at 60 MHz clock frequency

  30. Amphion IP cores (1) ASIC/ FPGA 1.66 1.70 1.76 2.35 2.00 1.36 2.19 2.74 2.00 2.50

  31. Amphion IP cores (2) ASIC/ FPGA 2.08 2.22 2.48 2.20 2.02 3.75 3.35 3.35

  32. Helion Technologies cores ASIC/ FPGA 1.20 2.24 1.18 2.50 1.95 2.00 1.14 1.53 2.30

  33. Public-Key Cryptosystems
     • RSA
     • DH, DSA
     • ECC (Elliptic Curve Cryptosystems)

  34. RSA – the best reported academic results obtained using FPGAs
     • Authors: T. Blum & C. Paar, WPI (ARITH 1999; IEEE Trans. on Computers, 2001)
     • Platform: Xilinx XC40250XV-9 (8464 CLBs) and XC40150XV-8 (5184 CLBs)
     • Best result: 322 RSA 1024-bit signatures per second

  35. RSA – results reported in the industry using ASICs
     Number of the RSA 1024-bit signatures per second:
     • SafeNet, SafeXcel 1842: 2,100
     • Cavium, CN1340, NitroxPlus: 42,000

  36. Weimerskirch, Paar, Shantz; Lopez & Dahab; Okada, Tori, et al.; Orlando & Paar; Sun Microsystems

  37. FPGA Crypto - Summary
     • FPGAs fully competitive with ASICs for implementation of secret key ciphers and hash functions
     • FPGAs emerging as competitive with ASICs for implementation of public key cryptosystems
     • Problems:
       - size of operands
       - support for fast arithmetic operations

  38. ASICs, Software, or maybe FPGAs?

  39. FPGAs vs. ASICs Pawel Chodowiec, GMU, PhD Thesis

  40. Pawel Chodowiec, GMU, PhD Thesis

  41. Cryptographic applications “reserved” for ASICs
     • smart cards
     • wireless devices: cell phones, PDAs, pagers
     Requirements that make FPGAs non-competitive for these applications:
     • small size
     • very low cost
     • very low power consumption
     • resistance to side-channel attacks such as power analysis or electromagnetic emission analysis

  42. Why are FPGAs better for the remaining applications? FPGAs vs. ASICs
     Existing advantages:
     • lower development costs
     • shorter time to the market
     Potential advantages:
     • lower maintenance costs
     • Secure remote upgrades (patches)
     • Secure remote updates (new algorithms)

  43. Why are FPGAs better for the remaining applications? FPGAs vs. software
     Existing advantages:
     • speed
     Potential advantages:
     • true random number generation
     • secure key storage
     • resistance to tampering

  44. Why are FPGAs Good Platforms for Cryptography?

  45. Why are FPGAs not used in real-life applications?
     Perceived difficulties:
     • too small capacity
     • too small speed
     • low security
     Real difficulties:
     • remote upgrade
     • tamper resistance
     • key protection
     • random number generation
