DOCSLIB.ORG

A Fast, Verified, Cross-Platform Cryptographic Provider

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Fast, Verified, Cross-Platform Cryptographic Provider EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider Jonathan Protzenko∗, Bryan Parnoz, Aymeric Fromherzz, Chris Hawblitzel∗, Marina Polubelovay, Karthikeyan Bhargavany Benjamin Beurdouchey, Joonwon Choi∗x, Antoine Delignat-Lavaud∗,Cedric´ Fournet∗, Natalia Kulatovay, Tahina Ramananandro∗, Aseem Rastogi∗, Nikhil Swamy∗, Christoph M. Wintersteiger∗, Santiago Zanella-Beguelin∗ ∗Microsoft Research zCarnegie Mellon University yInria xMIT Abstract—We present EverCrypt: a comprehensive collection prone (due in part to Intel and AMD reporting CPU features of verified, high-performance cryptographic functionalities avail- inconsistently [78]), with various cryptographic providers able via a carefully designed API. The API provably supports invoking illegal instructions on specific platforms [74], leading agility (choosing between multiple algorithms for the same functionality) and multiplexing (choosing between multiple im- to killed processes and even crashing kernels. plementations of the same algorithm). Through abstraction and Since a cryptographic provider is the linchpin of most zero-cost generic programming, we show how agility can simplify security-sensitive applications, its correctness and security are verification without sacrificing performance, and we demonstrate crucial. However, for most applications (e.g., TLS, cryptocur- how C and assembly can be composed and verified against rencies, or disk encryption), the provider is also on the critical shared specifications. We substantiate the effectiveness of these techniques with new verified implementations (including hashes, path of the application’s performance. Historically, it has been Curve25519, and AES-GCM) whose performance matches or notoriously difficult to produce cryptographic code that is fast, exceeds the best unverified implementations. We validate the correct, and secure (e.g., free of leaks via side channels). For API design with two high-performance verified case studies built instance, OpenSSL’s libcrypto reported 24 vulnerabilities atop EverCrypt, resulting in line-rate performance for a secure between January 1, 2016 and May 1, 2019 (Figure 15). network protocol and a Merkle-tree library, used in a production blockchain, that supports 2.7 million insertions/sec. Altogether, Such critical, complex code is a natural candidate for formal EverCrypt consists of over 124K verified lines of specs, code, verification, which can mathematically guarantee correctness and proofs, and it produces over 29K lines of C and 14K lines and security even for complex low-level implementations. of assembly code. Indeed, in recent years, multiple research groups have produced exciting examples of verified cryptographic code. I. INTRODUCTION However, as we discuss in detail in xII, previous work has Application developers seldom write their own cryptographic not produced a verified cryptographic provider comparable to code; instead they rely on a cryptographic provider, such the unverified providers in use today. Instead, some papers as OpenSSL’s libcrypto [65], Windows Cryptography verify a single algorithm [14, 17, 80], or even just a portion API [58], or libsodium [7]. Developers expect their provider thereof [26, 67, 75]. Others focus on many variants of a to be comprehensive in supplying all of the functionalities they single functionality, with elliptic curves being a popular need (asymmetric and symmetric encryption, signing, hashing, choice [36, 81]. Finally, a few works include several classes of key derivation, . ) for all the platforms they support. functionality (e.g., hashing and encryption) but either in small Further, a modern cryptographic provider should be agile; number for specific platforms [25, 39], or with speeds below that is, it should provide multiple algorithms (e.g., ChaCha-Poly those of state-of-the-art providers [10, 44, 73, 82]. All of these and AES-GCM) for the same functionality (e.g., authenticated works contribute important techniques and insights into how to encryption) and all algorithms should employ a single unified best verify cryptographic code, but they all fall short of what API, to make it simple to change algorithms if one is broken. application developers want from a cryptographic provider. A modern cryptographic provider should also support multi- Building on previous algorithm verification efforts [25, plexing, that is, the ability to choose between multiple imple- 39, 82], we present EverCrypt, a comprehensive, provably mentations of the same algorithm. This allows the provider to correct and secure, cryptographic provider that supports agility, employ high-performance implementations on popular hardware multiplexing, and auto-configuration. EverCrypt’s agility means platforms (OpenSSL, for example, supports dozens), while that multiple algorithms provably provide the same API to still providing a fallback implementation that will work on clients, and its multiplexing demonstrates multiple disparate any platform. Ideally, these disparate implementations should implementations (almost all entirely new, including several be exposed to the developer via a single unified API, so platform-specific implementations that beat state-of-the-art that she need not change her code when a new optimized unverified libraries) verifying against the same cryptographic version is deployed, and so that the provider can automatically specification. The API is carefully designed to be usable by choose the optimal implementation, rather than force the both verified and unverified (e.g., C) clients. To support the developer to do so. Historically, this process has been error former, we show that multiple layers of abstraction, both in the implementation and (more surprisingly) in the specification of In summary, this paper makes the following contributions: cryptographic algorithms, naturally leads to agile code while 1) EverCrypt, a comprehensive, verified cryptographic also improving verification efficiency. We also demonstrate provider that offers agility, multiplexing, and speed; how the judicious use of generic programming can enhance 2) the design of a principled, abstract, agile API, usable by developer productivity and simplify specifications by cleanly verified (F?) and unverified (C) clients alike; extracting commonality from related algorithms. 3) its multiplexing implementation, coupled with verified To illustrate the benefits of multiplexing, and as part of our zero-cost generic programming techniques to streamline efforts to ensure state-of-the-art performance for EverCrypt, the verification of cryptographic algorithms without sacri- we present new verified implementations of a large variety of ficing performance; algorithms (Figure4). These include, e.g., Curve25519 [ 18], 4) a new approach based on dependently typed generic hash functions, and authenticated encryption with additional programming [12] to prove the safety and correctness data (AEAD) that transparently multiplex between a generic C of fine-grained interoperation between C and assembly; implementation and a hand-tuned x64 assembly implementation. 5) new verified cryptographic implementations (including When run on x64, they match or exceed the performance of the hashes, Curve25519, and AES-GCM) whose performance best unverified code, while the C implementations provide matches or exceeds the best unverified implementations; support across all other platforms (and offer performance 6) case studies on real applications of Merkle trees and QUIC competitive with unverified C code as well). transport security to demonstrate the utility of EverCrypt’s To illustrate the utility of EverCrypt’s API, we develop API and the performance it enables. two applications atop it. First, a new Merkle-tree [56] library The specifications, proofs, and code of EverCrypt are all leverages EverCrypt’s agile hashing API. The Merkle trees available as open source (xIX). support high-performance secure logging, providing over 2.7M transactions/s. They also come with comprehensive safety, II. BACKGROUND AND RELATED WORK correctness, and cryptographic security properties, illustrating Multiple research projects have contributed to our understand- EverCrypt’s value when building formally-verified applications. ing of how to produce verified cryptographic code, but none Second, we build a verified transport security layer for the QUIC provide the performance, comprehensiveness, and convenience network protocol [45] and, by connecting it to unverified QUIC that developers expect from a cryptographic provider, and none implementations, show that it supports line-rate performance. investigate the challenges of agility or automatic multiplexing. 1 All EverCrypt code is proven safe and functionally correct. Some work verifies parts of individual algorithms, particu- Safety means the code respects memory abstractions (e.g., never larly portions of Curve25519. For example, Chen et al. [26] reading outside the bounds of an array) and does not perform verify the correctness of a Montgomery ladder using Coq [72] illegal operations (e.g., divide by zero). Functional correctness and an SMT solver, while Tsai et al. [75] and Polyakov et means the code’s computational behavior is precisely described al. [67] do so using an SMT solver and a computer algebra by a pure mathematical function. Further, all EverCrypt code system. All three focus on implementations written in assembly- is proven side-channel resistant; specifically, the sequence of like languages. Almeida et al. [10], in contrast, use a domain- instructions executed and the memory addresses
Load more

Recommended publications
  • Hoja De Datos De Familes Del Procesador Intel(R) Core(TM) De 10A Generación, Vol.1
    10a generación de familias de procesadores Intel® Core™ Ficha técnica, Volumen 1 de 2 Compatible con la 10a generación de la familia de procesadores Intel® Core™, procesadores Intel® Pentium®, procesadores Intel® Celeron® para plataformas U/Y, anteriormente conocidos como Ice Lake. Agosto de 2019 Revisión 001 Número del Documento: 341077-001 Líneas legales y descargos de responsabilidad Esta información es una combinación de una traducción hecha por humanos y de la traducción automática por computadora del contenido original para su conveniencia. Este contenido se ofrece únicamente como información general y no debe ser considerada como completa o precisa. No puede utilizar ni facilitar el uso de este documento en relación con ninguna infracción u otro análisis legal relacionado con los productos Intel descritos en este documento. Usted acepta conceder a Intel una licencia no exclusiva y libre de regalías a cualquier reclamación de patente redactada posteriormente que incluya el objeto divulgado en este documento. Este documento no concede ninguna licencia (expresa o implícita, por impedimento o de otro tipo) a ningún derecho de propiedad intelectual. Las características y beneficios de las tecnologías Intel dependen de la configuración del sistema y pueden requerir la activación de hardware, software o servicio habilitado. El desempeño varía según la configuración del sistema. Ningún equipo puede ser absolutamente seguro. Consulte al fabricante de su sistema o su distribuidor minorista u obtenga más información en intel.la. Las tecnologías Intel pueden requerir la activación de hardware habilitado, software específico o servicios. Consulte con el fabricante o distribuidor del sistema. Los productos descritos pueden contener defectos de diseño o errores conocidos como erratas que pueden hacer que el producto se desvíe de las especificaciones publicadas.
    [Show full text]
  • Why Untyped Nonground Metaprogramming Is Not (Much Of) a Problem
    NORTH- HOLLAND WHY UNTYPED NONGROUND METAPROGRAMMING IS NOT (MUCH OF) A PROBLEM BERN MARTENS* and DANNY DE SCHREYE+ D We study a semantics for untyped, vanilla metaprograms, using the non- ground representation for object level variables. We introduce the notion of language independence, which generalizes range restriction. We show that the vanilla metaprogram associated with a stratified normal oljjctct program is weakly stratified. For language independent, stratified normal object programs, we prove that there is a natural one-to-one correspon- dence between atoms p(tl, . , tr) in the perfect Herbrand model of t,he object program and solve(p(tl, , tT)) atoms in the weakly perfect Her\) and model of the associated vanilla metaprogram. Thus, for this class of programs, the weakly perfect, Herbrand model provides a sensible SC mantics for the metaprogram. We show that this result generalizes to nonlanguage independent programs in the context of an extended Hcr- brand semantics, designed to closely mirror the operational behavior of logic programs. Moreover, we also consider a number of interesting exterl- sions and/or variants of the basic vanilla metainterpreter. For instance. WC demonstrate how our approach provides a sensible semantics for a limit4 form of amalgamation. a “Partly supported by the Belgian National Fund for Scientific Research, partly by ESPRlT BRA COMPULOG II, Contract 6810, and partly by GOA “Non-Standard Applications of Ab- stract Interpretation,” Belgium. TResearch Associate of the Belgian National Fund for Scientific Research Address correspondence to Bern Martens and Danny De Schreye, Department of Computer Science, Katholieke Universiteit Leuven, Celestijnenlaan 200A. B-3001 Hevrrlee Belgium E-mail- {bern, dannyd}@cs.kuleuven.ac.be.
    [Show full text]
  • GPU Developments 2018
    GPU Developments 2018 2018 GPU Developments 2018 © Copyright Jon Peddie Research 2019. All rights reserved. Reproduction in whole or in part is prohibited without written permission from Jon Peddie Research. This report is the property of Jon Peddie Research (JPR) and made available to a restricted number of clients only upon these terms and conditions. Agreement not to copy or disclose. This report and all future reports or other materials provided by JPR pursuant to this subscription (collectively, “Reports”) are protected by: (i) federal copyright, pursuant to the Copyright Act of 1976; and (ii) the nondisclosure provisions set forth immediately following. License, exclusive use, and agreement not to disclose. Reports are the trade secret property exclusively of JPR and are made available to a restricted number of clients, for their exclusive use and only upon the following terms and conditions. JPR grants site-wide license to read and utilize the information in the Reports, exclusively to the initial subscriber to the Reports, its subsidiaries, divisions, and employees (collectively, “Subscriber”). The Reports shall, at all times, be treated by Subscriber as proprietary and confidential documents, for internal use only. Subscriber agrees that it will not reproduce for or share any of the material in the Reports (“Material”) with any entity or individual other than Subscriber (“Shared Third Party”) (collectively, “Share” or “Sharing”), without the advance written permission of JPR. Subscriber shall be liable for any breach of this agreement and shall be subject to cancellation of its subscription to Reports. Without limiting this liability, Subscriber shall be liable for any damages suffered by JPR as a result of any Sharing of any Material, without advance written permission of JPR.
    [Show full text]
  • Cyclone: a Type-Safe Dialect of C∗
    Cyclone: A Type-Safe Dialect of C∗ Dan Grossman Michael Hicks Trevor Jim Greg Morrisett If any bug has achieved celebrity status, it is the • In C, an array of structs will be laid out contigu- buffer overflow. It made front-page news as early ously in memory, which is good for cache locality. as 1987, as the enabler of the Morris worm, the first In Java, the decision of how to lay out an array worm to spread through the Internet. In recent years, of objects is made by the compiler, and probably attacks exploiting buffer overflows have become more has indirections. frequent, and more virulent. This year, for exam- ple, the Witty worm was released to the wild less • C has data types that match hardware data than 48 hours after a buffer overflow vulnerability types and operations. Java abstracts from the was publicly announced; in 45 minutes, it infected hardware (“write once, run anywhere”). the entire world-wide population of 12,000 machines running the vulnerable programs. • C has manual memory management, whereas Notably, buffer overflows are a problem only for the Java has garbage collection. Garbage collec- C and C++ languages—Java and other “safe” lan- tion is safe and convenient, but places little con- guages have built-in protection against them. More- trol over performance in the hands of the pro- over, buffer overflows appear in C programs written grammer, and indeed encourages an allocation- by expert programmers who are security concious— intensive style. programs such as OpenSSH, Kerberos, and the com- In short, C programmers can see the costs of their mercial intrusion detection programs that were the programs simply by looking at them, and they can target of Witty.
    [Show full text]
  • Practical Reflection and Metaprogramming for Dependent
    Practical Reflection and Metaprogramming for Dependent Types David Raymond Christiansen Advisor: Peter Sestoft Submitted: November 2, 2015 i Abstract Embedded domain-specific languages are special-purpose pro- gramming languages that are implemented within existing general- purpose programming languages. Dependent type systems allow strong invariants to be encoded in representations of domain-specific languages, but it can also make it difficult to program in these em- bedded languages. Interpreters and compilers must always take these invariants into account at each stage, and authors of embedded languages must work hard to relieve users of the burden of proving these properties. Idris is a dependently typed functional programming language whose semantics are given by elaboration to a core dependent type theory through a tactic language. This dissertation introduces elabo- rator reflection, in which the core operators of the elaborator are real- ized as a type of computations that are executed during the elab- oration process of Idris itself, along with a rich API for reflection. Elaborator reflection allows domain-specific languages to be imple- mented using the same elaboration technology as Idris itself, and it gives them additional means of interacting with native Idris code. It also allows Idris to be used as its own metalanguage, making it into a programmable programming language and allowing code re-use across all three stages: elaboration, type checking, and execution. Beyond elaborator reflection, other forms of compile-time reflec- tion have proven useful for embedded languages. This dissertation also describes error reflection, in which Idris code can rewrite DSL er- ror messages before presenting domain-specific messages to users, as well as a means for integrating quasiquotation into a tactic-based elaborator so that high-level syntax can be used for low-level reflected terms.
    [Show full text]
  • REFPERSYS High-Level Goals and Design Ideas*
    REFPERSYS high-level goals and design ideas* Basile STARYNKEVITCH† Abhishek CHAKRAVARTI‡ Nimesh NEEMA§ refpersys.org October 2019 - May 2021 Abstract REFPERSYS is a REFlexive and orthogonally PERsistent SYStem (as a GPLv3+ licensed free software1) running on Linux; it is a hobby2 but serious research project for many years, mostly aimed to experiment open science ideas close to Artificial General Intelligence3 dreams, and we don’t expect use- ful or interesting results before several years of hard work. audience : LINUX free software developers4 and computer scientists interested in an experimental open science approach to reflexive systems, orthogonal persistence, symbolic artificial intelligence, knowledge engines, etc.... Nota Bene: this report contains many hyperlinks to relevant sources so its PDF should rather be read on a computer screen, e.g. with evince. Since it describes a circular design (with many cycles [Hofstadter:1979:GEB]), we recommend to read it twice (skipping footnotes and references on the first read). This entire document is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. *This document has git commit fb17387fbbb7e200, was Lua-LATEX generated on 2021-May-17 18:55 MEST, see gitlab.com/bstarynk/refpersys/ and its doc/design-ideas subdirectory. Its draft is downloadable, as a PDF file, from starynkevitch.net/Basile/refpersys-design.pdf ... †See starynkevitch.net/Basile/ and contact [email protected], 92340 Bourg La Reine (near Paris), France. ‡[email protected], FL 3C, 62B PGH Shah Road, Kolkata 700032, India.
    [Show full text]
  • Spindle Documentation Release 2.0.0
    spindle Documentation Release 2.0.0 Jorge Ortiz, Jason Liszka June 08, 2016 Contents 1 Thrift 3 1.1 Data model................................................3 1.2 Interface definition language (IDL)...................................4 1.3 Serialization formats...........................................4 2 Records 5 2.1 Creating a record.............................................5 2.2 Reading/writing records.........................................6 2.3 Record interface methods........................................6 2.4 Other methods..............................................7 2.5 Mutable trait...............................................7 2.6 Raw class.................................................7 2.7 Priming..................................................7 2.8 Proxies..................................................8 2.9 Reflection.................................................8 2.10 Field descriptors.............................................8 3 Custom types 9 3.1 Enhanced types..............................................9 3.2 Bitfields..................................................9 3.3 Type-safe IDs............................................... 10 4 Enums 13 4.1 Enum value methods........................................... 13 4.2 Companion object methods....................................... 13 4.3 Matching and unknown values...................................... 14 4.4 Serializing to string............................................ 14 4.5 Examples................................................. 14 5 Working
    [Show full text]
  • SIMD Extensions
    SIMD Extensions PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Sat, 12 May 2012 17:14:46 UTC Contents Articles SIMD 1 MMX (instruction set) 6 3DNow! 8 Streaming SIMD Extensions 12 SSE2 16 SSE3 18 SSSE3 20 SSE4 22 SSE5 26 Advanced Vector Extensions 28 CVT16 instruction set 31 XOP instruction set 31 References Article Sources and Contributors 33 Image Sources, Licenses and Contributors 34 Article Licenses License 35 SIMD 1 SIMD Single instruction Multiple instruction Single data SISD MISD Multiple data SIMD MIMD Single instruction, multiple data (SIMD), is a class of parallel computers in Flynn's taxonomy. It describes computers with multiple processing elements that perform the same operation on multiple data simultaneously. Thus, such machines exploit data level parallelism. History The first use of SIMD instructions was in vector supercomputers of the early 1970s such as the CDC Star-100 and the Texas Instruments ASC, which could operate on a vector of data with a single instruction. Vector processing was especially popularized by Cray in the 1970s and 1980s. Vector-processing architectures are now considered separate from SIMD machines, based on the fact that vector machines processed the vectors one word at a time through pipelined processors (though still based on a single instruction), whereas modern SIMD machines process all elements of the vector simultaneously.[1] The first era of modern SIMD machines was characterized by massively parallel processing-style supercomputers such as the Thinking Machines CM-1 and CM-2. These machines had many limited-functionality processors that would work in parallel.
    [Show full text]
  • Union Types for Semistructured Data
    Edinburgh Research Explorer Union Types for Semistructured Data Citation for published version: Buneman, P & Pierce, B 1999, Union Types for Semistructured Data. in Union Types for Semistructured Data: 7th International Workshop on Database Programming Languages, DBPL’99 Kinloch Rannoch, UK, September 1–3,1999 Revised Papers. Lecture Notes in Computer Science, vol. 1949, Springer-Verlag GmbH, pp. 184-207. https://doi.org/10.1007/3-540-44543-9_12 Digital Object Identifier (DOI): 10.1007/3-540-44543-9_12 Link: Link to publication record in Edinburgh Research Explorer Document Version: Peer reviewed version Published In: Union Types for Semistructured Data General rights Copyright for the publications made accessible via the Edinburgh Research Explorer is retained by the author(s) and / or other copyright owners and it is a condition of accessing these publications that users recognise and abide by the legal requirements associated with these rights. Take down policy The University of Edinburgh has made every reasonable effort to ensure that Edinburgh Research Explorer content complies with UK legislation. If you believe that the public display of this file breaches copyright please contact [email protected] providing details, and we will remove access to the work immediately and investigate your claim. Download date: 27. Sep. 2021 Union Typ es for Semistructured Data Peter Buneman Benjamin Pierce University of Pennsylvania Dept of Computer Information Science South rd Street Philadelphia PA USA fpeterbcpiercegcisupenn edu Technical
    [Show full text]
  • Dynamic Extension of Typed Functional Languages
    Dynamic Extension of Typed Functional Languages Don Stewart PhD Dissertation School of Computer Science and Engineering University of New South Wales 2010 Supervisor: Assoc. Prof. Manuel M. T. Chakravarty Co-supervisor: Dr. Gabriele Keller Abstract We present a solution to the problem of dynamic extension in statically typed functional languages with type erasure. The presented solution re- tains the benefits of static checking, including type safety, aggressive op- timizations, and native code compilation of components, while allowing extensibility of programs at runtime. Our approach is based on a framework for dynamic extension in a stat- ically typed setting, combining dynamic linking, runtime type checking, first class modules and code hot swapping. We show that this framework is sufficient to allow a broad class of dynamic extension capabilities in any statically typed functional language with type erasure semantics. Uniquely, we employ the full compile-time type system to perform run- time type checking of dynamic components, and emphasize the use of na- tive code extension to ensure that the performance benefits of static typing are retained in a dynamic environment. We also develop the concept of fully dynamic software architectures, where the static core is minimal and all code is hot swappable. Benefits of the approach include hot swappable code and sophisticated application extension via embedded domain specific languages. We instantiate the concepts of the framework via a full implementation in the Haskell programming language: providing rich mechanisms for dy- namic linking, loading, hot swapping, and runtime type checking in Haskell for the first time. We demonstrate the feasibility of this architecture through a number of novel applications: an extensible text editor; a plugin-based network chat bot; a simulator for polymer chemistry; and xmonad, an ex- tensible window manager.
    [Show full text]
  • Demystifying Internet of Things Security Successful Iot Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M
    Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Chandler, AZ, USA Chandler, AZ, USA Ned Smith David M. Wheeler Beaverton, OR, USA Gilbert, AZ, USA ISBN-13 (pbk): 978-1-4842-2895-1 ISBN-13 (electronic): 978-1-4842-2896-8 https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s) This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material.
    [Show full text]
  • FAST HASHING in CUDA Neville Walo Department of Computer
    FAST HASHING IN CUDA Neville Walo Department of Computer Science ETH Zurich¨ Zurich,¨ Switzerland ABSTRACT cies, it is possible to use the compression function of SHA- Hash functions, such as SHA-256 [1], are extensively used 256 along with the Sarkar-Schellenberg composition prin- in cryptographic applications. However, SHA-256 cannot ciple [2] to create a parallel collision resistant hash function be parallelized due to sequential dependencies. Using the called PARSHA-256 [3]. Sarkar-Schellenberg composition principle [2] in combina- In this work, we try to accelerate hashing in CUDA [6]. tion with SHA-256 gives rise to PARSHA-256 [3], a parallel We have divided this project into two sub-projects. The first collision resistant hash function. We present efficient imple- one is the Bitcoin scenario, with the goal to calculate many mentations for both SHA-256 and PARSHA-256 in CUDA. independent SHA-256 computation in parallel. The second Our results demonstrate that for large messages PARSHA- case is PARSHA-256, where the goal is to implement the 256 can significantly outperform SHA-256. proposed algorithm efficiently in CUDA. Related work. To our knowledge there is no compara- ble implementation of PARSHA-256 which runs on a GPU. 1. INTRODUCTION There exists only the implementation of the original paper, Hash functions are one of the most important operations which uses multithreading [3]. On the other hand, there in cryptographic applications, like digital signature algo- are countless implementations of Bitcoin Miners in CUDA rithms, keyed-hash message authentication codes, encryp- [7, 8], as this was the most prominent way to mine Bitcoins tions and the generation of random numbers.
    [Show full text]