DOCSLIB.ORG

Instruction Set Extensions for Support of Cryptography on Embedded Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Instruction Set Extensions for Support of Cryptography on Embedded Systems Instruction Set Extensions for Support of Cryptography on Embedded Systems by Stefan Tillich A PhD Thesis Presented to the Faculty of Computer Science in Partial Fulfillment of the Requirements for the PhD Degree Assessors Prof. Dr. Karl Christian Posch (TU Graz, Austria) Prof. Dr. Bart Preneel (KU Leuven, Belgium) November 2008 Institute for Applied Information Processing and Communications (IAIK) Faculty of Informatics Graz University of Technology, Austria Abstract Digital computing devices continue to be increasingly dispersed within our ev- eryday environments. Computers are “embedded” into everyday appliances in order to serve predominantly one of two purposes: Either take over the func- tionality of analog electronic components or enable new services in their own right. While such digital computing capabilities are arguably a key enabler for exciting new applications, the potential hazards should not be overlooked. Problems which exist in the much more familiar domain of desktop computing (e.g., development of correct software) are now introduced into these new fields. At the same time, embedded computers also face new challenges, e.g., severe restrictions of resources like computing power, memory, and energy. One of the more pressing problems of embedded computing is the provision of adequate security mechanisms. While there are some robust solutions available for the desktop domain, resource restrictions often prevent their direct applica- tion for embedded devices. The basic problem is constituted by the fact that modern cryptographic algorithms still present a significant overhead for such constrained systems. As most embedded processors will be charged with the execution of cryp- tographic algorithms, it is worthwhile to revisit these processors’ capabilities in this regard and to consider the benefits of “tweaking” their functionality towards these specific workloads. The main vehicle for such a tweaking is the addition of custom instructions into the default instruction set architecture of the pro- cessor. Such instruction set extensions have been highly successful in areas like multimedia and digital signal processing. In this thesis we examine instruction set extensions for cryptography, with a special focus on secret-key algorithms. Three main goals are pursued within this thesis. The first goal is the investi- gation of potential new instructions (design space exploration) and the proposal of worthwhile candidates. The second goal is concerned with the efficient imple- mentation of the proposed instructions and the evaluation of their effectiveness in a realistic setup. This activity has lead to the creation of the LEON2-CIS embedded processor, which is a variant of the SPARC V8-compatible LEON2 processor and which incorporates all of the instructions which we propose in this thesis. The LEON2-CIS is available under the GNU LGPL in order to document our efforts and to provide a basis for further research. The third goal of this thesis is concerned with strategies for securing embedded processors against the threat of implementation attacks (most importantly side channel attacks). This thesis collects our research work from the last years, most of which has already been disseminated through academic publication. The publications have i ii been put into a coherent form and have been complemented with new material. In addition to documenting our work, we have strived to provide references to relevant publications by research groups dealing with related topics. Acknowledgements First of all I would like to thank Johann Großsch¨adlfor the very fruitful co- operation during the last years, which has manifested itself in the form of the LEON2-CIS processor. Johann’s work has provided both an excellent starting point as well as a valuable complement to my own. Furthermore, I consider myself very lucky that I have been able to learn from Johann a great deal about the academic world (and especially the publishing process). Many thanks also go to my fellow colleagues and friends who have supported me during my studies and work. I would especially like to mention my coauthors (apart from Johann) of the publications which constitute the “flesh and bones” of this thesis: Martin Feldhofer, Christoph Herbst, Stefan Mangard, Thomas Popp, and Alexander Szekely. In this regard, I would also like to thank David Canright, Dan Page, and Johannes Wolkerstorfer for their support. Stefan Mangard and Elisabeth Oswald deserve special credit for providing guidance and support and for their patience with their younger colleagues. Fur- thermore, I’d like to thank the academic staff at IAIK, but especially Manfred Aigner for granting me enough leeway to finish this work and Karl Christian Posch for serving both as my advisor and assessor for this thesis. Many thanks also go to Bart Preneel for serving as second assessor and for his willingness to make the trip to Graz. Thanks also to all who took the time to read over the drafts of this thesis and made valuable comments and suggestions: Manfred Aigner, Christoph Herbst, Mario Kirschbaum, Marcel Medwed, Thomas Popp, Thomas Plos, J¨orn-Marc Schmidt, and Alexander Szekely. Last but not least I would like to thank my family and friends, which have constantly supported me during the whole course of my studies, but especially my parents, without whom none of this work would have been possible. Stefan Tillich Graz, November 2008 iii Contents Abstract i Acknowledgements iii List of Tables xi List of Figures xiii Acronyms xvii Notation xix 1 Introduction 1 1.1 The Future of Computing ...................... 1 1.2 Challenges for Ubiquitous Computing ............... 3 1.3 The Role of Cryptography ...................... 3 1.4 Implementing Cryptography on Constrained Devices . 4 1.5 Instruction Set Extensions for Cryptography ........... 5 1.5.1 Previous Work ........................ 7 1.5.2 Our Contribution ....................... 8 1.6 International Research Work Regarding Support for Public-Key Cryptography ............................. 10 1.6.1 Integer Modulo Arithmetic . 10 1.6.2 Non-Integer Arithmetic ................... 10 1.7 Work on Support for Secret-Key Cryptography by Other Research Groups ................................. 12 1.7.1 General Permutations .................... 12 1.7.2 Broad Algorithm Support . 12 1.7.3 Specific Algorithm Support for the Advanced Encryption Standard ........................... 14 1.8 Our Contributions and Results for Secret-Key Cryptography Sup- port .................................. 14 1.8.1 Synergies Between Secret-Key Algorithms and Public-Key Algorithms .......................... 15 1.8.2 Dedicated Support for AES . 15 1.8.3 Protection Against Side-Channel Attacks . 17 1.9 Organization of This Thesis ..................... 18 v vi Contents 2 Concepts and Methods of Modern Cryptography 21 2.1 Mathematical Preliminaries ..................... 21 2.2 Principles of Public-Key Cryptography . 22 2.2.1 RSA .............................. 23 2.2.2 Digital Signature Algorithm (DSA) . 23 2.2.3 Elliptic Curve Cryptography (ECC) . 23 2.2.4 Other Public-Key Cryptosystems . 23 2.3 Details on Elliptic Curve Cryptography . 24 2.4 Modern Secret-Key Cryptography Algorithms . 24 2.4.1 Block Ciphers ......................... 25 2.4.2 Hash Functions ........................ 25 2.4.3 Stream Ciphers ........................ 26 2.5 Description of the Advanced Encryption Standard . 27 2.5.1 Principal Structure ...................... 27 2.5.2 Round Transformations ................... 28 3 Cryptography and Instruction Set Extensions 35 3.1 Implementation Options for Cryptographic Algorithms . 35 3.1.1 Application-Specific Integrated Circuit . 38 3.1.2 Application-Specific Instruction Set Processors /Applica- tion Domain-Specific Processors . 39 3.1.3 General-Purpose Processor with Coprocessor . 39 3.1.4 General-Purpose Processor with Instruction Set Extensions 40 3.1.5 General-Purpose Processor . 40 3.2 Design and Implementation Approach for Instruction Set Exten- sions .................................. 41 4 Instruction Set Extensions for Public-Key Cryptography 43 4.1 Related Work on Public-Key Extensions . 44 4.2 Low-Cost Instruction Set Extensions for ECC over GF(2m) . 44 4.3 Arithmetic in Binary Extension Fields . 46 4.4 Proposed Multiply-Step Instructions . 48 4.4.1 Single-Bit Variant ...................... 49 4.4.2 Double-Bit Variant ...................... 51 4.5 Possible Implementation with Modified Ripple-Carry Adder . 52 4.6 Experimental Results ......................... 55 4.6.1 Hardware Cost ........................ 56 4.6.2 Performance ......................... 57 4.6.3 Memory Requirements .................... 58 4.7 Summary and Conclusions ...................... 59 5 Accelerating AES Using Instruction Set Extensions for Ellip- tic Curve Cryptography 61 5.1 Implementing AES on 32-bit Processors . 62 5.2 Optimizing AES Using Instruction Set Extensions . 64 5.2.1 Column-Oriented Implementation . 65 Contents vii 5.2.2 Row-Oriented Implementation . 68 5.3 Practical Results ........................... 70 5.3.1 Precomputed Key Schedule . 71 5.3.2 On-the-fly Key Expansion . 71 5.3.3 Code Size and Side-Channel Attacks . 72 5.4 Summary and Conclusions ...................... 72 6 Analysis of the Impact of Instruction Set Extensions on Mem- ory Efficiency 73 6.1 Memory Considerations for AES Implementations . 73 6.2 Custom Instruction for S-box Lookup . 74 6.3 Influence of Cache Size on Performance .............. 77 6.4 Comparison of Calculated AES Implementations . 78 6.4.1 Area Overhead Estimation
Load more

Recommended publications
  • A Differential Fault Attack on MICKEY
    A Differential Fault Attack on MICKEY 2.0 Subhadeep Banik and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute Kolkata, 203, B.T. Road, Kolkata-108. s.banik [email protected], [email protected] Abstract. In this paper we present a differential fault attack on the stream cipher MICKEY 2.0 which is in eStream's hardware portfolio. While fault attacks have already been reported against the other two eStream hardware candidates Trivium and Grain, no such analysis is known for MICKEY. Using the standard assumptions for fault attacks, we show that if the adversary can induce random single bit faults in the internal state of the cipher, then by injecting around 216:7 faults and performing 232:5 computations on an average, it is possible to recover the entire internal state of MICKEY at the beginning of the key-stream generation phase. We further consider the scenario where the fault may affect at most three neighbouring bits and in that case we require around 218:4 faults on an average. Keywords: eStream, Fault attacks, MICKEY 2.0, Stream Cipher. 1 Introduction The stream cipher MICKEY 2.0 [4] was designed by Steve Babbage and Matthew Dodd as a submission to the eStream project. The cipher has been selected as a part of eStream's final hardware portfolio. MICKEY is a synchronous, bit- oriented stream cipher designed for low hardware complexity and high speed. After a TMD tradeoff attack [16] against the initial version of MICKEY (ver- sion 1), the designers responded by tweaking the design by increasing the state size from 160 to 200 bits and altering the values of some control bit tap loca- tions.
    [Show full text]
  • New Instruction Set Extensions
    New Instruction Set Extensions Instruction Set Innovation in Intels Processor Code Named Haswell [email protected] Agenda • Introduction - Overview of ISA Extensions • Haswell New Instructions • New Instructions Overview • Intel® AVX2 (256-bit Integer Vectors) • Gather • FMA: Fused Multiply-Add • Bit Manipulation Instructions • TSX/HLE/RTM • Tools Support for New Instruction Set Extensions • Summary/References Copyright© 2012, Intel Corporation. All rights reserved. Partially Intel Confidential Information. 2 *Other brands and names are the property of their respective owners. Instruction Set Architecture (ISA) Extensions 199x MMX, CMOV, Multiple new instruction sets added to the initial 32bit instruction PAUSE, set of the Intel® 386 processor XCHG, … 1999 Intel® SSE 70 new instructions for 128-bit single-precision FP support 2001 Intel® SSE2 144 new instructions adding 128-bit integer and double-precision FP support 2004 Intel® SSE3 13 new 128-bit DSP-oriented math instructions and thread synchronization instructions 2006 Intel SSSE3 16 new 128-bit instructions including fixed-point multiply and horizontal instructions 2007 Intel® SSE4.1 47 new instructions improving media, imaging and 3D workloads 2008 Intel® SSE4.2 7 new instructions improving text processing and CRC 2010 Intel® AES-NI 7 new instructions to speedup AES 2011 Intel® AVX 256-bit FP support, non-destructive (3-operand) 2012 Ivy Bridge NI RNG, 16 Bit FP 2013 Haswell NI AVX2, TSX, FMA, Gather, Bit NI A long history of ISA Extensions ! Copyright© 2012, Intel Corporation. All rights reserved. Partially Intel Confidential Information. 3 *Other brands and names are the property of their respective owners. Instruction Set Architecture (ISA) Extensions • Why new instructions? • Higher absolute performance • More energy efficient performance • New application domains • Customer requests • Fill gaps left from earlier extensions • For a historical overview see http://en.wikipedia.org/wiki/X86_instruction_listings Copyright© 2012, Intel Corporation.
    [Show full text]
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • Hyper-Threading Performance with Intel Cpus for Linux SAP Deployment on Proliant Servers
    Hyper-Threading Performance with Intel CPUs for Linux SAP Deployment on ProLiant Servers Session #3798 Hein van den Heuvel Performance Engineer Hewlett-Packard © 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Topics • Hyper-Threading Intro • Implementation details Intel, IBM, Sun • Linux implementation • My own tests • SAP (SD) benchmark • Benchmark Results • Conclusions: (18% improvement for SAP 2-tier) Intel Hyper-Threading Overview “Hyper-Threading Technology is a form of simultaneous multithreading technology (SMT), where multiple threads of software applications can be run simultaneously on one processor. This is achieved by duplicating the architectural state on each processor, while sharing one set of processor execution resources. The architectural state tracks the flow of a program or thread, and the execution resources are the units on the processor that do the work: add, multiply, load, etc. “ http://www.intel.com/business/bss/products/hyperthreading/server/ht_server.pdf http://www.intel.com/technology/hyperthread/ Intel HT in a picture To-be-updated Hyper-Threading Versus Dual Core • HP (PA + ipf) opted for ‘dual core’ technology. − Each processor has full set of resources − Only limitation is shared ‘system’ connection. − Allows for dense (8p – 4u – 4640) − minimally constrained systems • Software licensing impact (Oracle!) • Hyper-Threading technology effectiveness will depend on application IBM P5 SMT Summary Enhanced Simultaneous Multi-Threading features To improve SMT performance for various workload mixes and provide robust quality of service, POWER5 provides two features: • Dynamic resource balancing – The objective of dynamic resource balancing is to ensure that the two threads executing on the same processor flow smoothly through the system.
    [Show full text]
  • Rigorous Cache Side Channel Mitigation Via Selective Circuit Compilation
    RiCaSi: Rigorous Cache Side Channel Mitigation via Selective Circuit Compilation B Heiko Mantel, Lukas Scheidel, Thomas Schneider, Alexandra Weber( ), Christian Weinert, and Tim Weißmantel Technical University of Darmstadt, Darmstadt, Germany {mantel,weber,weissmantel}@mais.informatik.tu-darmstadt.de, {scheidel,schneider,weinert}@encrypto.cs.tu-darmstadt.de Abstract. Cache side channels constitute a persistent threat to crypto implementations. In particular, block ciphers are prone to attacks when implemented with a simple lookup-table approach. Implementing crypto as software evaluations of circuits avoids this threat but is very costly. We propose an approach that combines program analysis and circuit compilation to support the selective hardening of regular C implemen- tations against cache side channels. We implement this approach in our toolchain RiCaSi. RiCaSi avoids unnecessary complexity and overhead if it can derive sufficiently strong security guarantees for the original implementation. If necessary, RiCaSi produces a circuit-based, hardened implementation. For this, it leverages established circuit-compilation technology from the area of secure computation. A final program analysis step ensures that the hardening is, indeed, effective. 1 Introduction Cache side channels are unintended communication channels of programs. Cache- side-channel leakage might occur if a program accesses memory addresses that depend on secret information like cryptographic keys. When these secret-depen- dent memory addresses are loaded into a shared cache, an attacker might deduce the secret information based on observing the cache. Such cache side channels are particularly dangerous for implementations of block ciphers, as shown, e.g., by attacks on implementations of DES [58,67], AES [2,11,57], and Camellia [59,67,73].
    [Show full text]
  • On Security and Privacy for Networked Information Society
    Antti Hakkala On Security and Privacy for Networked Information Society Observations and Solutions for Security Engineering and Trust Building in Advanced Societal Processes Turku Centre for Computer Science TUCS Dissertations No 225, November 2017 ON SECURITY AND PRIVACY FOR NETWORKED INFORMATIONSOCIETY Observations and Solutions for Security Engineering and Trust Building in Advanced Societal Processes antti hakkala To be presented, with the permission of the Faculty of Mathematics and Natural Sciences of the University of Turku, for public criticism in Auditorium XXII on November 18th, 2017, at 12 noon. University of Turku Department of Future Technologies FI-20014 Turun yliopisto 2017 supervisors Adjunct professor Seppo Virtanen, D. Sc. (Tech.) Department of Future Technologies University of Turku Turku, Finland Professor Jouni Isoaho, D. Sc. (Tech.) Department of Future Technologies University of Turku Turku, Finland reviewers Professor Tuomas Aura Department of Computer Science Aalto University Espoo, Finland Professor Olaf Maennel Department of Computer Science Tallinn University of Technology Tallinn, Estonia opponent Professor Jarno Limnéll Department of Communications and Networking Aalto University Espoo, Finland The originality of this thesis has been checked in accordance with the University of Turku quality assurance system using the Turnitin OriginalityCheck service ISBN 978-952-12-3607-5 (Online) ISSN 1239-1883 To my wife Maria, I am forever grateful for everything. Thank you. ABSTRACT Our society has developed into a networked information soci- ety, in which all aspects of human life are interconnected via the Internet — the backbone through which a significant part of communications traffic is routed. This makes the Internet ar- guably the most important piece of critical infrastructure in the world.
    [Show full text]
  • Efficient Hashing Using the AES Instruction
    Efficient Hashing Using the AES Instruction Set Joppe W. Bos1, Onur Özen1, and Martijn Stam2 1 Laboratory for Cryptologic Algorithms, EPFL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos,onur.ozen}@epfl.ch 2 Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom [email protected] Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockci- pher with AES, which allows us to exploit the recent AES instruction set (AES- NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL- 256. Although we primarily target architectures supporting AES-NI, our frame- work has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi- block-length hash functions in software. 1 Introduction Historically, the most popular way of constructing a hash function is to iterate a com- pression function that itself is based on a blockcipher (this idea dates back to Ra- bin [49]). This approach has the practical advantage—especially on resource-constrained devices—that only a single primitive is needed to implement two functionalities (namely encrypting and hashing). Moreover, trust in the blockcipher can be conferred to the cor- responding hash function. The wisdom of blockcipher-based hashing is still valid today. Indeed, the current cryptographic hash function standard SHA-2 and some of the SHA- 3 candidates are, or can be regarded as, blockcipher-based designs.
    [Show full text]
  • Siderand: a Heuristic and Prototype of a Side-Channel-Based Cryptographically Secure Random Seeder Designed to Be Platform- and Architecture-Agnostic
    SideRand: A Heuristic and Prototype of a Side-Channel-Based Cryptographically Secure Random Seeder Designed to Be Platform- and Architecture-Agnostic JV ROIG, Advanced Research Center – Asia Pacific College Generating secure random numbers is vital to the security and privacy infrastructures we rely on today. Having a computer system generate a secure random number is not a trivial problem due to the deterministic nature of computer systems. Servers commonly deal with this problem through hardware-based random number generators, which can come in the form of expansion cards, dongles, or integrated into the CPU itself. With the explosion of network- and internet-connected devices, however, the problem of cryptography is no longer a server-centric problem; even small devices need a reliable source of randomness for cryptographic operations – for example, network devices and appliances like routers, switches and access points, as well as various Internet-of-Things (IoT) devices for security and remote management. This paper proposes a software solution based on side-channel measurements as a source of high- quality entropy (nicknamed “SideRand”), that can theoretically be applied to most platforms (large servers, appliances, even maker boards like RaspberryPi or Arduino), and generates a seed for a regular CSPRNG to enable proper cryptographic operations for security and privacy. This paper also proposes two criteria – openness and auditability – as essential requirements for confidence in any random generator for cryptographic use, and discusses how SideRand meets the two criteria (and how most hardware devices do not). CCS Concepts: • Security and privacy → Cryptography KEYWORDS Cryptographically secure random number generation; side-channel based CSPRNG 1 INTRODUCTION 1.1 Generating Random Numbers for Privacy and Security The ability to generate strong random numbers is essential to cryptography, and central to security and privacy in the IT world.
    [Show full text]
  • Stream Cipher Designs: a Review
    SCIENCE CHINA Information Sciences March 2020, Vol. 63 131101:1–131101:25 . REVIEW . https://doi.org/10.1007/s11432-018-9929-x Stream cipher designs: a review Lin JIAO1*, Yonglin HAO1 & Dengguo FENG1,2* 1 State Key Laboratory of Cryptology, Beijing 100878, China; 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China Received 13 August 2018/Accepted 30 June 2019/Published online 10 February 2020 Abstract Stream cipher is an important branch of symmetric cryptosystems, which takes obvious advan- tages in speed and scale of hardware implementation. It is suitable for using in the cases of massive data transfer or resource constraints, and has always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play more and more crucial role in information security. Simultaneously, the application environment of cipher algorithms is in- creasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, briefly discusses the advantages and weakness of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers. Keywords stream cipher, survey, lightweight, authenticated encryption, homomorphic encryption Citation Jiao L, Hao Y L, Feng D G. Stream cipher designs: a review. Sci China Inf Sci, 2020, 63(3): 131101, https://doi.org/10.1007/s11432-018-9929-x 1 Introduction The widely applied e-commerce, e-government, along with the fast developing cloud computing, big data, have triggered high demands in both efficiency and security of information processing.
    [Show full text]
  • Instruction-Level Parallelism in AES Candidates Craig S
    Instruction-level Parallelism in AES Candidates Craig S. K. Clapp Instruction-level Parallelism in AES Candidates Craig S.K. Clapp PictureTel Corporation, 100 Minuteman Rd., Andover, MA01810, USA email: [email protected] Abstract. We explore the instruction-level parallelism present in a number of candidates for the Advanced Encryption Standard (AES) and demonstrate how their speed in software varies as a function of the execution resources available in the target CPU. An analysis of the critical paths through the algorithms is used to establish theoretical upper limits on their performance, while performance on finite machines is characterized on a family of hypothetical RISC/VLIW CPUs having from one through eight concurrent instruction-issue slots. The algorithms studied are Crypton, E2, Mars, RC6, Rijndael, Serpent, and Twofish. 1 Introduction Several performance comparisons among AES candidate algorithms have already been published, e.g.[6,7,8,10,16]. However, while such studies do indeed render the valuable service of providing a quantitative rather than qualitative comparison between candidates, and in some cases do so for a number of currently popular processors, they are not necessarily very insightful as to how to expect performance of the algorithms to compare on processors other than those listed, nor in particular on future processors that are likely to replace those in common use today. One of the lessons of DES[11] is that, apart from having too short a key, the original dominant focus on hardware implementation led to a design which over the years has become progressively less able to take full advantage of each new processor generation.
    [Show full text]
  • X86 Assembly Language Reference Manual
    x86 Assembly Language Reference Manual Part No: 817–5477–11 March 2010 Copyright ©2010 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related software documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are “commercial computer software” or “commercial technical data” pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms setforth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
    [Show full text]
  • On the Design and Analysis of Stream Ciphers Hell, Martin
    On the Design and Analysis of Stream Ciphers Hell, Martin 2007 Link to publication Citation for published version (APA): Hell, M. (2007). On the Design and Analysis of Stream Ciphers. Department of Electrical and Information Technology, Lund University. Total number of authors: 1 General rights Unless other specific re-use rights are stated the following general rights apply: Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal Read more about Creative commons licenses: https://creativecommons.org/licenses/ Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. LUND UNIVERSITY PO Box 117 221 00 Lund +46 46-222 00 00 On the Design and Analysis of Stream Ciphers Martin Hell Ph.D. Thesis September 13, 2007 Martin Hell Department of Electrical and Information Technology Lund University Box 118 S-221 00 Lund, Sweden e-mail: [email protected] http://www.eit.lth.se/ ISBN: 91-7167-043-2 ISRN: LUTEDX/TEIT-07/1039-SE c Martin Hell, 2007 Abstract his thesis presents new cryptanalysis results for several different stream Tcipher constructions.
    [Show full text]