Ekawat Homsirikamol

Fair and comprehensive methodology for comparing hardware performance of fourteen round two SHA-3 candidates using FPGAs

Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic standards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and acceptable for the majority of the cryptographic community. In this paper, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round 2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the development of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking.

ATHENa - Automated Tool for Hardware EvaluatioN: Toward Fair and Comprehensive Benchmarking of Cryptographic Hardware Using FPGAs

A fair comparison of functionally equivalent digital system designs targeting FPGAs is a challenging and time consuming task. The results of the comparison depend on the inherent properties of competing algorithms, as well as on selected hardware architectures, implementation techniques, FPGA families, languages and tools. In this paper, we introduce an open-source environment, called ATHENa for fair, comprehensive, automated, and collaborative hardware benchmarking of algorithms belonging to the same class. As our first goal, we select the benchmarking of algorithms belonging to the area of cryptography. Algorithms from this area have been shown to achieve significant speed-ups and security gains compared to software when implemented in FPGAs. The capabilities of our environment are demonstrated using three examples: two different hardware architectures of the current cryptographic hash function standard, SHA-256, and one architecture of a candidate for the new standard, Fugue. All source codes, testbenches, and configuration files necessary to repeat experiments described in this paper are made available through the project web site.

Throughput vs. area trade-offs in high-speed architectures of five round 3 SHA-3 candidates implemented using xilinx and altera FPGAs

In this paper we present a comprehensive comparison of all Round 3 SHA-3 candidates and the current standard SHA-2 from the point of view of hardware performance in modern FPGAs. Each algorithm is implemented using multiple architectures based on the concepts of folding, unrolling, and pipelining. Trade-offs between speed and area are investigated, and the best architecture from the point of view of the throughput to area ratio is identified. Finally, all algorithms are ranked based on their overall performance, and the characteristic features of each algorithm important from the point of view of its implementation in hardware are identified.

Security margin evaluation of SHA-3 contest finalists through SAT-Based attacks

In 2007, the U.S. National Institute of Standards and Technology (NIST) announced a public contest aiming at the selection of a new standard for a cryptographic hash function. In this paper, the security margin of five SHA-3 finalists is evaluated with an assumption that attacks launched on finalists should be practically verified. A method of attacks is called logical cryptanalysis where the original task is expressed as a SATisfiability problem. To simplify the most arduous stages of this type of cryptanalysis and helps to mount the attacks in a uniform way a new toolkit is used. In the context of SAT-based attacks, it has been shown that all the finalists have substantially bigger security margin than the current standards SHA-256 and SHA-1.

Can high-level synthesis compete against a hand-written code in the cryptographic domain? A case study

This paper investigates the state of the current high-level synthesis (HLS) tools by using Xilinx Vivado HLS for designing a cryptographic module based on Advanced Encryption Standard. The obtained results are compared with the results for the hand-written Register-Transfer Level (RTL) VHDL code to determine the suitability of the HLS-based approach for implementing cryptographic algorithms in hardware. Our study has shown that the RTL-based approach still outperforms the HLS-based approach due to the flexibility in designing a control unit, which affects the throughput of the circuit. Nevertheless, the HLS-based approach can successfully compete with the RTL-based approach in terms of area and maximum clock frequency.

ICEPOLE: High-Speed, Hardware-Oriented Authenticated Encryption

This paper introduces our dedicated authenticated encryption scheme ICEPOLE. ICEPOLE is a high-speed hardware-oriented scheme, suitable for high-throughput network nodes or generally any environment where specialized hardware (such as FPGAs or ASICs) can be used to provide high data processing rates. ICEPOLE-128 (the primary ICEPOLE variant) is very fast. On the modern FPGA device Virtex 6, a basic iterative architecture of ICEPOLE reaches 41 Gbits/s, which is over 10 times faster than the equivalent implementation of AES-128-GCM. The throughput-to-area ratio is also substantially better when compared to AES-128-GCM. We have carefully examined the security of the algorithm through a range of cryptanalytic techniques and our findings indicate that ICEPOLE offers high security level.

A universal hardware API for authenticated ciphers

In this paper, we propose a universal hardware Application Programming Interface (API) for authenticated ciphers. In particular, our API is intended to meet the requirements of all algorithms submitted to the CAESAR competition. Two major parts of the API, the interface and the communication protocol, were developed with the goal of reducing any potential biases in benchmarking of authenticated ciphers in hardware. Our high-speed implementation of the proposed hardware API includes universal, open-source pre-processing and post-processing units, common for all CAESAR candidates and the current standards, such as AES-GCM and AES-CCM. Apart from the full documentation, examples, and the source code of the pre-processing and post-processing units, we have made available in public domain a) a universal testbench to verify the functionality of any CAESAR candidate implemented using our hardware API, b) a Python script used to automatically generate test vectors for this testbench, c) VHDL wrappers used to determine the maximum clock frequency and the resource utilization of all implementations, and d) RTL VHDL source codes of highspeed implementations of AES and the Keccak Permutation F, which may be used as building blocks in implementations of related ciphers. We hope that the existence of these resources will substantially reduce the time necessary to develop hardware implementations of all CAESAR candidates for the purpose of evaluation, comparison, and future deployment in real products.

A novel modular adder for one thousand bits and more using fast carry chains of modern FPGAs

In this paper a novel, low-latency family of high-radix Parallel Prefix Network adders and modular adders has been proposed. This family efficiently takes advantage of fast carry chains of modern FPGAs. The implementation results reveal that these adders have great potential for efficient implementation of modular addition with the long integers used in various public key cryptography schemes.

Comparison of multi-purpose cores of Keccak and AES

Most widely used security protocols, Internet Protocol Security (IPSec), Secure Socket Layer (SSL), and Transport Layer Security (TLS), provide several cryptographic services which in turn require multiple dedicated cryptographic algorithms. A single cryptographic primitive for all secret key functions utilizing different mode of operations can overcome this constraint. This paper investigates the possibility of using AES and Keccak as the underlying primitives for high-speed and resource constrained applications. Even though a plain AES implementation is typically much smaller and has a better throughput to area ratio than a plain Keccak, adding additional cryptographic services changes the results dramatically. Our multi-purpose Keccak outperforms our multi-purpose AES by a factor of 4 for throughput over area on average. This underlines the flexibility of the Keccak Sponge and Duplex functions. Our multi-purpose Keccak achieves a throughput of 23.2 Gbps in AE-mode (Keyak) on a Xilinx Virtex-7 and 28.7 Gbps on a Altera Stratix-IV. In order to study this further we also implemented two versions of a dedicated Keyak and dedicated AES-GCM. Our dedicated Keyak implementation outperforms our dedicated AES-GCM on average by a factor 6 in terms of throughput over area reaching a throughput of 28.9 Gbps and 4.1 Gbps respectively on a Xilinx Virtex-7.

Hardware Benchmarking of Cryptographic Algorithms Using High-Level Synthesis Tools: The SHA-3 Contest Case Study

The growing number of candidates competing in the cryptographic contests, such as SHA-3, makes the hardware performance evaluation extremely time consuming, tedious, and imprecise, especially in the early stages of the competitions. The main difficulties include the long time necessary to develop and verify HDL (hardware description language) codes of all candidates, and the need of developing (or at least tweaking) codes for multiple variants and architectures of each algorithm. High-level synthesis (HLS), based on the newly developed Xilinx Vivado HLS tool, offers a potential solution to the aforementioned problems. In order to verify a potential validity of this approach, we have applied our proposed methodology to the comparison of five Round 3 SHA-3 candidates. Our study has demonstrated that despite a noticeable performance penalty, caused by the use of high-level synthesis tools vs. manual design, the ranking of the evaluated candidates, in terms of four major performance metrics, frequency, throughput, area, and throughput to area ratio, has remained unchanged for Altera Stratix IV FPGAs.