ICCAD AV guidelines - PowerPoint PPT Presentation

1
Kris Gaj, George Mason University
FPGA Crypto: Is Marriage in the Cards?
(fragments of the presentation at the CryptArchi workshop, France, June 2004)
2
Possible Applications of Cryptographic Hardware
3
Why are cryptographic chips needed?
  • hardware accelerators for web servers
  • SSL (Secure Socket Layer) cryptographic protocol
      - used by the majority of today's web servers to protect credit card
        numbers for on-line transactions, such as buying a book on amazon.com

Estimated number of web servers as of Oct. 2000: 6 million
Source: NEC Research. See http://www.pittsburghsolutions.com/eresearch-news.htm
However, only servers exposed to a large number of transactions require
hardware acceleration
4
Why are cryptographic chips needed?
  • hardware accelerators for Virtual Private Networks (VPNs)
  • IPSec (Secure Internet Protocol) cryptographic protocol
      - used to support VPNs (Virtual Private Networks), i.e., secure
        communication between remote Local Area Networks (LANs) using Internet
      - IPSec optional in IP ver. 4, required in emerging IP ver. 6
  • Acceleration can be provided using
      - secure VPN gateways and routers
      - secure client PCMCIA cards.

5
Virtual Private Network
[Diagram labels: Remote user, Security gateway (x2), Host (x4), Internet, Cryptographic end points]
  • local networks may belong to the same or
    different organizations
  • security gateways may come from different vendors

6
Types of VPN devices
  • high-end VPN devices
      - e.g. corporate security gateways and routers
      - speeds reaching 1 Gbit/s and beyond
      - delay and bandwidth sensitive applications: VoIP (Voice over IP),
        video conferencing
  • low-end VPN devices
      - e.g. home routers
      - low cost
      - moderate speed (up to 10-100 Mbit/s)

7
Why are cryptographic chips needed?
  • hardware accelerators for wireless gateways
      - IEEE 802.11: most popular wireless protocol
      - including strong encryption and authentication

[Figure: wireless gateway]
8
Why are cryptographic chips needed?
  • Storage Area Networks
      - Encryption of data during transmission and at rest.
  • Pay TV
      - High volume
      - Pay TV decoders must be tamper-resistant
      - Capability of a remote upgrade can substantially reduce the cost of
        recovering from an attack

9
Why are cryptographic chips needed?
Low volume applications, cost not a major factor
  • space applications
  • cipher breaking machines
  • general-purpose reconfigurable supercomputers

High volume applications, cost a major factor
  • secure cell phones, PDAs, pagers
  • smartcards

10
So how is it all done today?
11
Selected ASIC Security Chips (1)
| Chip name | Encryption algorithms | HMAC algorithms | Data rate (Mbps) | Public key algorithms | Other |
|---|---|---|---|---|---|
| Broadcom BCM5823 | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR | SHA-1, MD5 | 500 | DH, RSA | On-chip RNG |
| Broadcom BCM5841 | 3DES-CBC, AES-CBC, AES-CTR | SHA-1, MD5 | 4,800 | none | In-line IPsec processing. On-chip SA database. RNG. |
12
Selected ASIC Security Chips (2)
| Chip name | Encryption algorithms | HMAC algorithms | Data rate (Mbps) | Public key algorithms | Other |
|---|---|---|---|---|---|
| HiFn 7956 | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR, ARC4 | SHA-1, MD5 | 632 | DH, RSA | IPsec header and trailer processing. IKE support. On-chip SA database. LZS and MPPC compression. RNG |
| HiFn 8350 HIPP III | DES-CBC, 3DES-CBC, AES-CBC, AES-CTR, ARC4 | SHA-1, MD5, AES-XCBC | 4,000 | DH, RSA | In-line IPsec processing. On-chip SA database. IKE processing. RNG |
13
Selected ASIC Security Chips (3)
| Chip name | Encryption algorithms | HMAC algorithms | Data rate (Mbps) | Public key algorithms | Other |
|---|---|---|---|---|---|
| Nitrox Lite CN1010 | DES, 3DES, AES, ARC4 | SHA-1, MD5 | 1,000 | DH, RSA | In-line IPsec processing. RSA 7K 1024 RSA's/sec. On-chip RNG. |
| NITROX II CN2560 | DES, 3DES, AES, ARC4 | SHA-1, MD5 | 10,000 | DH, RSA | In-line IPsec processing. RSA 40K 1024 RSA's/sec. On-chip RNG. 2M SA's with 512 MB DRAM. Adapts to changing load. |
14
Families of Cavium chips: Nitrox Lite, Nitrox, Nitrox II
15
Selected ASIC Security Chips (4)
| Chip name | Encryption algorithms | HMAC algorithms | Data rate (Mbps) | Public key algorithms | Other |
|---|---|---|---|---|---|
| SafeNet SafeXcel 1141 | DES-CBC, 3DES-CBC | SHA-1, MD5 | 265 | DH, RSA, DSA | IPsec processing. IKE processing. RNG. |
| SafeNet SafeXcel 1842 | DES-CBC, 3DES-CBC, AES-CBC | SHA-1, MD5 | 3,300 | DH, RSA, DSA | IPsec processing. IKE processing. RNG. |
16
Selected ASIC Security Chips (5)
| Chip name | Encryption algorithms | HMAC algorithms | Data rate (Mbps) | Public key algorithms | Other |
|---|---|---|---|---|---|
| Intel IXP2850 | DES-CBC, 3DES-CBC, AES-CBC | SHA-1 | 10,000 | none | Network processor with cryptographic accelerator. Can do flow-through processing. |
17
And many others
18
Among them the following encryption chipmakers:
  • Broadcom, HiFn, Cavium, SafeNet, Intel
  • AEP Systems, Corrent, Motorola, Layer N Networks, NetContinuum,
    NetOctave, Philips Semiconductors, ...
19
Cryptographic ASICs - Summary
  • distributed market with multiple small players
  • volumes sold by individual vendors may not justify ASIC solutions
  • multiple companies already developing cryptographic IP cores for FPGAs
    (ALMA Technologies, Amphion, Bisquare Systems Private Ltd.,
    Helion Technologies, Ocean Logic Pty Ltd., etc.)

20
How do FPGAs do?
21
Cryptographic Transformations Most Often Implemented

Secret-key Cryptosystems
  • Triple DES
  • AES-Rijndael
  • other AES finalists (Mars, RC6, Serpent, Twofish)

Hash Functions
  • SHA-1
  • SHA-2 (256, 384, 512)
  • MD5

Public-Key Cryptosystems
  • RSA
  • DH, DSA
  • ECC (Elliptic Curve Cryptosystems)

22
Secret-Key Encryption Cores
Major Architectures
[Figure: major architectures plotted as Throughput vs. Area: Pipelined / Ultra fast, Fast, Standard, Compact / Tiny; throughput axis marked at 10 Gbit/s, 1 Gbit/s, 500 Mbit/s, 100 Mbit/s]
23
Standard iterative architecture
[Block diagram labels: input, multiplexer, register, one round (combinational logic), key, key scheduling, round key, output]
24
Implementations of AES candidates using Xilinx Virtex 1000
[Bar chart: Speed (Mbit/s) for Rijndael, RC6, Mars, Twofish, Serpent I1, Serpent I8; series: George Mason University, University of Southern California, Worcester Polytechnic Institute]
25
Implementations of AES candidates using Xilinx Virtex 1000
[Bar chart: Area cost (CLB slices) for Serpent I8, Rijndael, Twofish, Mars, Serpent I1, RC6; series: George Mason University, University of Southern California, Worcester Polytechnic Institute]
26
Fully pipelined / Ultra fast architecture
[Diagram: chain of rounds (round 1, round 2, ..., last round), each with k pipeline stages; label: k registers]
27
Full mixed pipelining in Virtex FPGAs
Gaj and Chodowiec, RSA Conf. 2001
[Bar chart: Throughput (Gbit/s) for Serpent, RC6, Rijndael, Twofish]
28
Full mixed pipelining in Virtex FPGAs
Gaj and Chodowiec, RSA Conf. 2001
[Bar chart: Area (CLB slices) for Serpent, Twofish, RC6, Rijndael; legend: dedicated memory blocks, RAMs]
29
Compact / Tiny AES Core
Chodowiec and Gaj, CHES 2003
  • The entire design fits in a single Spartan-II
    XC2S30, second smallest in the Spartan-II family
  • Nearly 50% of the device available for other
    logic
  • Throughput 174 Mbps at 60 MHz clock frequency

31
Amphion IP cores (1)
AES Encryption

| Architecture | Virtex-II FPGA: size (slices) | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| Compact | 403 + 4 BRAM | 350 | 14.8K | 581 | 1.66 |
| Standard | 696 + 4 BRAM | 250 - 341 | 18.2K | 426 - 581 | 1.70 |
| Fast | 573 + 10 BRAM | 1,323 | 27K | 2,327 | 1.76 |
| Ultra fast | 2181 + 100 BRAM | 10,880 | 203K | 25,600 | 2.35 |

AES Decryption

| Architecture | Virtex-II FPGA: size (slices) | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| Compact | 549 + 4 BRAM | 290 | 16.4K | 581 | 2.00 |
| Standard | 746 + 4 BRAM | 290 - 426 | 19.2K | 426 - 581 | 1.36 |
| Fast | 778 + 10 BRAM | 1,064 | 34K | 2,327 | 2.19 |
| Ultra fast | 3,998 + 100 BRAM | 9,344 | 283K | 25,600 | 2.74 |

Simplex AES Encryption / Decryption

| Architecture | Virtex-II FPGA: size (slices) | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| Compact | 799 + 6 BRAM | 290 | 25K | 581 | 2.00 |
| Standard | 1,256 + 18 BRAM | 930 | 49.3K | 2,327 | 2.50 |
32
Amphion IP cores (2)
DES / 3DES Encryption / Decryption

| Architecture | Virtex-II FPGA: size (slices) | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| Ultra compact | 527 | 128 | 7.9K | 266 | 2.08 |
| Compact | 803 | 240 | 11.8K | 533 | 2.22 |
| Fast | 1,367 | 430 | 21.8K | 1,067 | 2.48 |
| Ultra fast | 4,305 | 1,941 | 56.7K | 4,267 | 2.20 |

SHA-1 and SHA-2 cores

| Core | Virtex-II FPGA: size (slices) | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| SHA-1 | 854 | 626 | 17K | 1,264 | 2.02 |
| SHA-256 | 1,122 | 420 | 26K | 1,575 | 3.75 |
| SHA256 / 384 / 512 | 2,403 | 390 / 626 | 52K | 1,307 / 2,098 | 3.35 / 3.35 |
33
Helion Technologies cores
AES Encryption or Decryption

| Architecture | Virtex-II FPGA: size | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| Tiny | ? | < 25 | ? | < 30 | 1.20 |
| Standard | 392 LUT + 3 BRAM | 223 | < 11K | > 500 | 2.24 |
| Fast | 899 LUT + 10 BRAM | 1,699 | < 31K | > 2,000 | 1.18 |
| Pipelined | ? | > 10,000 | ? | > 25,000 | 2.50 |

DES and 3DES

| Core | Virtex-II FPGA: size | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| DES / 3DES | 888 LUT | 640 / 230 | < 6K | > 1,250 / > 460 | 1.95 / 2.00 |

Hash functions

| Core | Virtex-II FPGA: size | Virtex-II FPGA: data rate (Mbps) | ASIC TSMC 180nm: size (gates) | ASIC TSMC 180nm: data rate (Mbps) | ASIC/FPGA |
|---|---|---|---|---|---|
| SHA-1 | 573 | 874 | 20K | > 1,000 | 1.14 |
| MD5 | 613 + 1 BRAM | 744 | 16K | 1,140 | 1.53 |
| SHA-256 | 849 + 1 BRAM | 685 | < 22K | 1,575 | 2.30 |
34
Public-Key Cryptosystems
  • RSA
  • DH, DSA
  • ECC (Elliptic Curve Cryptosystems)

35
RSA: the best reported academic results obtained using FPGAs
Authors: T. Blum and C. Paar, WPI (ARITH 1999; IEEE Trans. on Computers, 2001)
Platform: Xilinx XC40250XV-9 (8464 CLBs) and XC40150XV-8 (5184 CLBs)
Best result: number of RSA 1024-bit signatures per second: 322
36
RSA: results reported in the industry using ASICs
Number of RSA 1024-bit signatures per second:
  • SafeNet, SafeXcel 1842: 2,100
  • Cavium, CN1340, NitroxPlus: 42,000
37
Weimerskirch, Paar, Shantz
Lopez Dahab
Okada, Tori, et al.
Orlando Paar
Sun Microsystems
38
FPGA Crypto - Summary
  • FPGAs fully competitive with ASICs for implementation
    of secret key ciphers and hash functions
  • FPGAs emerging as competitive with ASICs for
    implementation of public key cryptosystems
  • Problems
      - size of operands
      - support for fast arithmetic operations

39
ASICs, Software, or maybe FPGAs?
40
FPGAs vs. ASICs
Pawel Chodowiec, GMU, PhD Thesis
41
Pawel Chodowiec, GMU, PhD Thesis
42
Cryptographic applications reserved for ASICs
  • smart cards
  • wireless devices: cell phones, PDAs, pagers

Requirements that make FPGAs non-competitive for these applications
  • small size
  • very low cost
  • very low power consumption
  • resistance to side-channel attacks such as
    power analysis or electromagnetic emission analysis

43
Why are FPGAs better for the remaining
applications?
FPGAs vs. ASICs
Existing advantages
  • lower development costs
  • shorter time to the market

Potential advantages
  • lower maintenance costs
  • Secure remote upgrades (patches)
  • Secure remote updates (new algorithms)

44
Why are FPGAs better for the remaining
applications?
FPGAs vs. software
Existing advantages
  • speed

Potential advantages
  • true random number generation
  • secure key storage
  • resistance to tampering

45
Why are FPGAs Good Platforms for Cryptography?
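| Category | ASICs | FPGAs | Software |
|---|---|---|---|
| Speed | 3 | 2 | 1 |
| Development Cost | 1 | 2 | 3 |
| Development Time | 1 | 2 | 3 |
| Cost of Development Tools | 1 | 3 | 3 |
| Tamper Resistance | 3 | 2 | 1 |
| Key Protection | 3 | 2 | 1 |
| Algorithm Agility | 1 | 3 | 3 |
| Random Number Generation | 3 | 2 | 1 |
| Totals | 16 | 18 | 16 |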
46
Why are FPGAs not used in real-life applications?
Perceived difficulties
  • too small capacity
  • too low speed
  • low security

Real difficulties
  • remote upgrade
  • tamper resistance
  • key protection
  • random number generation