Markku-Juhani Olavi Saarinen
ABSTRACT
Simple AEAD Hardware Interface (SÆHI) is a hardware cryptographic interface aimed at CAESAR Authenticated Encryption with Associated Data (AEAD) algorithms. Cryptographic acceleration is typically achieved either with a coprocessor or via instruction set extensions. ISA modifications require re-engineering the CPU core, making the approach inapplicable outside the realm of open source processor cores. At minimum, we suggest implementing CAESAR AEADs as universal memory-mapped cryptographic coprocessors, synthesizable even on low end FPGA platforms. AEADs complying to SÆHI must also include C language API drivers targeting low-end MCUs that directly utilize the memory mapping in a ``bare metal'' fashion. This can also be accommodated on MMU-equipped mid-range CPUs.
Extended battery life and bandwidth resulting from dedicated cryptographic hardware is vital for currently dominant computing and communication devices: mobile phones, tablets, and Internet-of-Things (IoT) applications. We argue that these should be priority hardware optimization targets for AEAD algorithms with realistic payload profiles.
We demonstrate a fully integrated implementation of WhirlBob and Keyak AEADs on the FPGA fabric of Xilinx Zynq 7010. This low-cost System-on-Chip (SoC) also houses a dual-core Cortex-A9 CPU, closely matching the architecture of many embedded devices. The on-chip coprocessor is accessible from user space with a Linux kernel driver. An integration path exists all the way to end-user applications.
- ARM. AMBA Open Speci_cations. www.arm.com/products/system-ip/amba, 2014.Google Scholar
- P. S. L. M. Barreto and V. Rijmen. The Whirlpool hashing function. NESSIE Algorithm Speci_cation www.larc.usp.br/~pbarreto/WhirlpoolPage.html, 2000, Revised May 2003.Google Scholar
- S. Bartolini, R. Giorgi, and E. Martinelli. Instruction set extensions for cryptographic applications. In _ C. K. Ko_c, editor, Cryptographic Engineering, pages 191--233. Springer, 2009.Google ScholarCross Ref
- G. Bertoni, J. Daemen, M. Peeters, G. V. Assche, and R. V. Keer. CAESAR submission: Keyak v1. CAESAR 1st Round, competitions.cr.yp.to/round1/keyakv1.pdf, March 2014.Google Scholar
- A. Biryukov, D. Khovratovich, and I. Nikoli_c. Distinguisher and related-key attack on the full AES-256. In S. Halevi, editor, CRYPTO '09, volume 5677 of LNCS, pages 231--249. Springer, 2009. Google ScholarDigital Library
- A. Bogdanov, D. Khovratovich, and C. Rechberger. Biclique cryptanalysis of the full AES. In D. Lee and X. Wang, editors, ASIACRYPT '11, volume 7073 of LNCS, pages 344--371. Springer, 2011. Google ScholarDigital Library
- K. Burgin and M. Peck. Suite B Pro_le for Internet Protocol Security (IPsec). IETF RFC 6380, October 2011.Google Scholar
- CAESAR. CAESAR first round submissions. competitions.cr.yp.to/caesar-submissions.html, March 2014.Google Scholar
- J. Daemen and V. Rijmen. The Design of Rijndael: AES - the Advanced Encryption Standard. Springer, 2002. Google ScholarDigital Library
- T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. IETF RFC 5246, August 2008.Google Scholar
- M. Dworkin. Recommendation for block cipher modes of operation. NIST Special Publication 800-38A, December 2001.Google Scholar
- GOST. Information technology. cryptographic protection of information, hash function. GOST R 34.11-2012, 2012. (In Russian).Google Scholar
- V. T. Hoang, T. Krovetz, and P. Rogaway. AEZ v1: Authenticated-Encryption by Enciphering. CAESAR 1st Round, competitions.cr.yp.to/round1/aezv1.pdfl, March 2014.Google Scholar
- K. Igoe. Suite B Cryptographic Suites for Secure Shell (SSH). IETF RFC 6239, May 2011.Google Scholar
- K. Igoe and J. Solinas. AES Galois Counter Mode for the Secure Shell Transport Layer Protocol. IETF RFC 5647, August 2009.Google Scholar
- S. Kent. IP encapsulating security payload (ESP). IETF RFC 4303, December 2005.Google Scholar
- T. Krovetz. HS1-SIV (v1). CAESAR 1st Round, competitions.cr.yp.to/round1/hs1sivv1.pdf, March 2014.Google Scholar
- D. McGrew and J. Viega. The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH. IETF RFC 4543, May 2006.Google Scholar
- NIST. Advanced Encryption Standard (AES). FIPS 197, 2001.Google Scholar
- NIST. Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800-38D, 2007.Google Scholar
- NIST. The keyed-hash message authentication code (HMAC). FIPS 198-1, July 2008.Google Scholar
- NIST. DRAFT SHA-3 standard: Permutation-based hash and extendable-output functions. DRAFT FIPS 202, May 2014.Google Scholar
- NIST and D. Bernstein. CAESAR call for submissions. competitions.cr.yp.to/caesar-call.html, January 2014.Google Scholar
- NSA. Suite B Cryptography. www.nsa.gov/ia/programs/suiteb_cryptography, June 2014.Google Scholar
- G. Procter and C. Cid. On weak keys and forgery attacks against polynomial-based MAC schemes. In S. Moriai, editor, FSE '13, volume 8424 of LNCS, pages 287--304. Springer, 2013.Google Scholar
- R. Rivest. The RC4 encryption algorithm. Proprietary Speci_cation, March 1992.Google Scholar
- M.-J. O. Saarinen. Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In A. Canteaut, editor, FSE 2012, volume 7549 of LNCS, pages 216--225. Springer, 2012. Google ScholarDigital Library
- M.-J. O. Saarinen. Beyond modes: Building a secure record protocol from a cryptographic sponge permutation. In J. Benaloh, editor, CT-RSA 2014, volume 8366 of LNCS, pages 270--285. Springer, 2014.Google Scholar
- M.-J. O. Saarinen. Lighter, Faster, and Constant-Time: WHIRLBOB, the Whirlpool variant of STRIBOB. IACR ePrint 2014/501, eprint.iacr.org/2014/501, June 2014.Google Scholar
- M.-J. O. Saarinen. The STRIBOBr1 authenticated encryption algorithm. CAESAR, 1st Round www.stribob.com, March 2014.Google Scholar
- M.-J. O. Saarinen and D. Engels. A Do-It-All-Cipher for RFID: Design Requirements (Extended Abstract). DIAC 2012, 05-06 July 2012, Stockholm SE. IACR ePrint 2012/317, eprint.iacr.org/2012/317, June 2012.Google Scholar
- M. Salter and R. Housley. Suite B Profile for Transport Layer Security (TLS). IETF RFC 6460, January 2012.Google Scholar
- VCAT and NIST. NIST Cryptographic Standards and Guidelines Development Process: Report and Recommendations of the Visiting Committee on Advanced Technology of the National Institute of Standards and Technology, July 2014.Google Scholar
- Xillybus. The guide to xillybus lite, version 2.0. xillybus.com/downloads/doc/xillybus_lite.pdf, March 2014.Google Scholar
- Xillybus. Xillinux: A Linux distribution for Zedboard, ZyBo, MicroZed and SocKit. xillybus.com/xillinux, 2014.Google Scholar
- T. Ylönen and C. Lonvick. The secure shell (SSH) transport layer protocol. IETF RFC 4253, January 2006.Google Scholar
Index Terms
- Simple AEAD Hardware Interface (SÆHI) in a SoC: Implementing an On-Chip Keyak/WhirlBob Coprocessor
Recommendations
The RecoBlock SoC platform: a flexible array of reusable run-time-reconfigurable IP-blocks
DATE '13: Proceedings of the Conference on Design, Automation and Test in EuropeRun-time reconfigurable (RTR) FPGAs combine the flexibility of software with the high efficiency of hardware. Still, their potential cannot be fully exploited due to increased complexity of the design process. Consequently, to enable an efficient design ...
Compact Keccak Hardware Architecture for Data Integrity and Authentication on FPGAs
Cryptographic hash functions play a crucial role in networking and communication security, including their use for data integrity and message authentication. Keccak hash algorithm is one of the finalists in the next generation SHA-3 hash algorithm ...
High-speed & Low Area Hardware Architectures of the Whirlpool Hash Function
AbstractHigh-speed and low area hardware architectures of the Whirlpool hash function are presented in this paper. A full Look-up Table (LUT) based design is shown to be the fastest method by which to implement the non-linear layer of the algorithm in ...
Comments