Fast Multiplication of Binary Polynomials with the Forthcoming Vectorized VPCLMULQDQ Instruction

Total Page:16

File Type:pdf, Size:1020Kb

Fast Multiplication of Binary Polynomials with the Forthcoming Vectorized VPCLMULQDQ Instruction Fast multiplication of binary polynomials with the forthcoming vectorized VPCLMULQDQ instruction Nir Drucker Shay Gueron Vlad Krasnov University of Haifa, Israel, University of Haifa, Israel, CloudFlare, Inc. and and San Francisco, USA Amazon Web Services Inc.1 Amazon Web Services Inc.1 Abstract—Polynomial multiplication over binary fields F2n is Intel has recently announced [7] that its future architecture, a common primitive, used for example by current cryptosystems codename ”Ice Lake”, will introduce a new instruction called n = 128 such as AES-GCM (with ). It also turns out to be a prim- VPCLMULQDQ. This instruction, together with the new vector- itive for other cryptosystems, that are being designed for the Post VAESENC VAESDEC Quantum era, with values n 128. Examples from the recent ized AES instructions ( and ), are useful submissions to the NIST Post-Quantum Cryptography project, for accelerating AES-GCM. However, we argue that even as a are BIKE, LEDAKem, and GeMSS, where the performance of standalone instruction, VPCLMULQDQ is useful for some new the polynomial multiplications, is significant. Therefore, efficient emerging algorithms, which paper demonstrates how it can be F n n polynomial multiplication over 2 , with large , is a significant used for accelerating ”big” polynomial multiplications (with emerging optimization target. > 511 Anticipating future applications, Intel has recently announced degree ). that its future architecture (codename ”Ice Lake”) will introduce The correctness of the algorithms (and the code) can be a new vectorized way to use the current VPCLMULQDQ instruc- checked now, but actual performance measurements require tion. In this paper, we demonstrate how to use this instruction a real CPU, which is currently unavailable. To address this for accelerating polynomial multiplication. Our analysis shows difficulty, we use other techniques to estimate the future 2 a prediction for at least x speedup for multiplications with performance, such as counting instructions and running with polynomials of degree 512 or more. some ”stand in” replacements. The results of both techniques are similar, and this allows us to predict that polynomial I. INTRODUCTION multiplication is going to be at least 2x faster on these future Several modern encryption schemes use polynomial multi- CPUs, compared to the current software implementations on plication over F2n as one of their main primitives. One promi- the current architectures. nent example is AES-GCM whose (almost) XOR-universal The paper is organized as follows: Section II describes the hash function (GHASH) is an evaluation of polynomials with new VPCLMULQDQ instruction. Section III presents some con- coefficients in F2128 . The nonce misuse resistant Authenticated cepts that we use for polynomial multiplications. Section IV Encryption AES-GCM-SIV is using a similar (almost) XOR- presents our new implementation. We show our experimental universal hash function (POLYVAL). These evaluations can results in Section V, and conclude in Section VI. be significantly sped up with dedicated instructions. Indeed, II. THE VPCLMULQDQ INSTRUCTION modern general-purpose processors are equipped with the PCLMULQDQ ”carry-less multiplication” instruction [1], [2]. Algorithm 1 DST = VPCLMULQDQ(SRC1, SRC2, Imm8) ≥ 128 Multiplication of polynomials with higher degrees ( ) Inputs: SRC1, SRC2 (wide registers) Imm8 (8 bits) is becoming a useful computational task for newly designed Outputs: DST (a wide register) cryptosystems that are based on coding or multivariate poly- 1: procedure VPCLMULQDQ(SRC1, SRC2, Imm8) i 0 KL − 1 nomials. These are motivated by the NIST Post-Quantum 2: for := to do 3: j1 =2i + Imm8[0] Project [3] that targets the definition of the next generation 4: j2 =2i + Imm8[4] of quantum-resistant public key and signature cryptosystems. 5: T1[ 63 : 0 ] = SRC1[ 64(j1 +1)− 1 : 64j1 ] 69 6: T2[ 63 : 0 ] = SRC2[ 64(j2 +1)− 1 : 64j2 ] We give three examples out of the recent submissions 7: DST[ 128(i +1)− 1 : 128i ]=PCLMULQDQ( T1, T2 ) to this project, that use polynomial multiplication in F2n : return DST BIKE [4] (MDPC codes) with n =32, 749, LEDAKem [5] (LDPC codes) with n =99, 053, and GeMSS [6] (multivariate Alg. 1 [7] presents the extended instruction VPCLMULQDQ. polynomials) using n = 354. We note that the performance of It vectorizes polynomial (carry-less) multiplications, and is the polynomial multiplication is significant in these algorithms, able to perform KL =1/2/4 multiplications of two qwords for example, the key generation and the encapsulation steps (64 bits). The multiplicands are selected from two source of BIKE are dominated by such multiplications. operands, which are 128/256/512-bit registers (named xmm, ymm, zmm, respectively), and the selection is determined by 1This work was done prior to joining Amazon. the value of the immediate byte. Note that the case KL =1 XXX-X-XXXXXXX-X-X/ARITH18/c 2018 IEEE 111 a7 a6 a5 a4 a3 a2 a1 a0 b7 b6 b5 b4 b3 b2 b1 b0 a0b7 a0b6 a0b5 a0b4 a0b3 a0b2 a0b1 a0b0 a1b7 a1b6 a1b5 a1b4 a1b3 a1b2 a1b1 a1b0 a2b7 a2b6 a2b5 a2b4 a2b3 a2b2 a2b1 a2b0 a3b7 a3b6 a3b5 a3b4 a3b3 a3b2 a3b1 a3b0 a4b7 a4b6 a4b5 a4b4 a4b3 a4b2 a4b1 a4b0 a5b7 a5b6 a5b5 a5b4 a5b3 a5b2 a5b1 a5b0 a6b7 a6b6 a6b5 a6b4 a6b3 a6b2 a6b1 a6b0 a7b7 a7b6 a7b5 a7b4 a7b3 a7b2 a7b1 a7b0 Fig. 1. Schoolbook multiplication of 8 × 8 qwords (or 4 × 4 qwords in red dashed border). The size of each aibj is 128 bits. using xmm registers, is exactly the VPCLMULQDQ instruction zmm registers. This is why splitting each row into ”even” that is currently available in the modern CPU’s. and ”odd” columns, where each part is 8 qwords long, seems natural. We use 16 zmm registers, namely Even0,...,Even7 III. POLYNOMIAL MULTIPLICATION and Odd0,...,Odd7, to accommodate these values. Table I Obviously, polynomial multiplication can be executed by presents the layout of the qwords in the registers. the standard schoolbook algorithms. However, for sufficiently high degrees, a Carry-less Karatsuba algorithm [1], [2], [8]is TABLE I faster. For even higher degrees, other algorithms such as Toom- A SPLIT PRESENTATION OF THE EVEN AND ODD COLUMNS PRESENTED IN FIGURE 1, THE RED DASHED LINE MARKS THE 4 × 4 QWORDS Cook [9], [10] may become useful. These algorithms (e.g., MULTIPLICATION BOUNDARY Karatsuba and Toom-Cook) work in a recursive way, where at Register Values each step multiplies smaller degree operands. After a sufficient alias (4 packets of 128-bits dashed for alignment) number of iterations, the involved polynomial has a small Even0 ----a0b6 a0b4 a0b2 a0b0 a b a b a b a b enough degree, and then it pays to revert to the schoolbook Even1 ---1 7 1 5 1 3 1 1 - a b a b a b a b multiplication, for the final step. Even2 ---2 6 2 4 2 2 2 0 - Even3 --a3b7 a3b5 a3b3 a3b1 -- In [11], we showed that for polynomials of degree slightly Even4 --a4b6 a4b4 a4b2 a4b0 -- a b a b a b a b smaller or equal to a power of two, the best performance Even5 - 5 7 5 5 5 3 5 1 --- Even6 - a6b6 a6b4 a6b2 a6b0 --- is attained with a recursive Karatsuba algorithm, until the Even a7b7 a7b5 a7b3 a7b1 ---- 255 4 7 polynomials area the degree of ( qwords), and then revert Odd0 ----a0b7 a0b5 a0b3 a0b1 a b a b a b a b to the schoolbook multiplication. Odd1 ----1 6 1 4 1 2 1 0 a b a b a b a b Here, we demonstrate how the new VPCLMULQDQ instruc- Odd2 ---2 7 2 5 2 3 2 1 - Odd3 ---a3b6 a3b4 a3b2 a3b0 - tion can be used for two methods that multiply polynomials of Odd4 --a4b7 a4b5 a4b3 a4b1 -- a b a b a b a b degree 511 (8 qwords): a) A schoolbook multiplication of 8×8 Odd5 --5 6 5 4 5 2 5 0 -- a b a b a b a b qwords using zmm registers; b) A Karatsuba multiplication Odd6 - 6 7 6 5 6 3 6 1 --- Odd7 - a7b6 a7b4 a7b2 a7b0 --- that invokes a 4 × 4 qwords schoolbook multiplication, as its ”core”, and uses ymm registers. We compare them to a reference implementation [11] that uses the existing version TABLE II of PCLMULQDQ, for a Karatsuba multiplication that wraps a PERMUTATION OF VALUES FROM TABLE I FOR 8 × 8 MULTIPLICATION 4 × 4 qwords schoolbook flow. Register Permutation mask Output Values alias (Original qword idx) (4 packets of 128-bits) IV. VPCLMULQDQ AND SCHOOLBOOK Even0 - a0b6 a0b4 a0b2 a0b0 a b a b a b a b We use the same algorithm for both the 8×8 qwords and 4× Even1 54321076 1 5 1 3 1 1 1 7 Even 54321076a2b4 a2b2 a2b0 a2b6 4 2 qwords multiplications. The only difference is in the sizes of Even3 32107654a3b3 a3b1 a3b7 a3b5 a b a b a b a b the wide registers that are used (zmm and ymm, respectively). Even4 32107654 4 2 4 0 4 6 4 4 a b a b a b a b For brevity, we present only the 8 × 8 qwords version, but in Even5 10765432 5 1 5 7 5 5 5 3 Even 10765432a6b0 a6b6 a6b4 a6b2 4 × 4 6 each table, also mark the qwords parts with red dashed Even7 - a7b7 a7b5 a7b3 a7b1 lines. Fig. 2 shows a real (37-lines) code snippet of the 4 × 4 Odd0 - a0b7 a0b5 a0b3 a0b1 a b a b a b a b qwords multiplication, as an example. Odd1 - 1 6 1 4 1 2 1 0 Odd2 54321076a2b5 a2b3 a2b1 a2b7 Fig. 1 illustrates the basic schoolbook multiplication with Odd3 54321076a3b4 a3b2 a3b0 a3b6 a b a b a b a b polynomials of degree 511, namely a, b.
Recommended publications
  • Key Agreement from Weak Bit Agreement
    Key Agreement from Weak Bit Agreement Thomas Holenstein Department of Computer Science Swiss Federal Institute of Technology (ETH) Zurich, Switzerland [email protected] ABSTRACT In cryptography, much study has been devoted to find re- Assume that Alice and Bob, given an authentic channel, lations between different such assumptions and primitives. For example, Impagliazzo and Luby show in [9] that imple- have a protocol where they end up with a bit SA and SB , respectively, such that with probability 1+ε these bits are mentations of essentially all non-trivial cryptographic tasks 2 imply the existence of one-way functions. On the other equal. Further assume that conditioned on the event SA = hand, many important primitives can be realized if one-way SB no polynomial time bounded algorithm can predict the δ functions exist. Examples include pseudorandom generators bit better than with probability 1 − 2 . Is it possible to obtain key agreement from such a primitive? We show that [7], pseudorandom functions [5], and pseudorandom permu- 1−ε tations [12]. for constant δ and ε the answer is yes if and only if δ > 1+ε , both for uniform and non-uniform adversaries. For key agreement no such reduction to one-way functions The main computational technique used in this paper is a is known. In fact, in [10] it is shown that such a reduction strengthening of Impagliazzo’s hard-core lemma to the uni- must be inherently non-relativizing, and thus it seems very form case and to a set size parameter which is tight (i.e., hard to find such a construction.
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • The Design and Evolution Of
    J Cryptol (2021) 34:36 https://doi.org/10.1007/s00145-021-09399-8 The Design and Evolution of OCB Ted Krovetz Computer Science Department, California State University, 6000 J Street, Sacramento, California 95819, USA [email protected] Phillip Rogaway Department of Computer Science, Kemper Hall of Engineering, University of California, Davis, California 95616, USA [email protected] Communicated by Tetsu Iwata. Received 20 December 2019 / Revised 26 August 2020 / Accepted 14 September 2020 Abstract. We describe OCB3, the final version of OCB, a blockcipher mode for au- thenticated encryption (AE). We prove the construction secure, up to the birthday bound, assuming its underlying blockcipher is secure as a strong-PRP. We study the scheme’s software performance, comparing its speed, on multiple platforms, to a variety of other AE schemes. We reflect on the history and development of the mode. Keywords. AEAD, Authenticated encryption, CAESAR competition, Cryptographic standards, Fast software encryption, Modes of operation, OCB. 1. Introduction Schemes for authenticated encryption (AE) symmetrically encrypt a message in a way that ensures both its confidentiality and authenticity. OCB is a well-known algorithm for achieving this aim. It is a blockcipher mode of operation, the blockcipher usually being AES. There are three main variants of OCB. The first, now called OCB1 (2001) [39], was mo- tivated by Charanjit Jutla’s IAPM [24]. A second version, now called OCB2 (2004) [18, 38], added support for associated data (AD) [37] and redeveloped the mode using the idea of a tweakable blockcipher [30]. OCB2 was recently found to have a disastrous bug [17].
    [Show full text]
  • Investigation of Ice Particle Habits to Be Used for Ice Cloud Remote Sensing for the GCOM-C Satellite Mission
    Atmos. Chem. Phys., 16, 12287–12303, 2016 www.atmos-chem-phys.net/16/12287/2016/ doi:10.5194/acp-16-12287-2016 © Author(s) 2016. CC Attribution 3.0 License. Investigation of ice particle habits to be used for ice cloud remote sensing for the GCOM-C satellite mission Husi Letu1,2, Hiroshi Ishimoto3, Jerome Riedi4, Takashi Y. Nakajima1, Laurent C.-Labonnote4, Anthony J. Baran5, Takashi M. Nagao6, and Miho Sekiguchi7 1Research and Information Center (TRIC), Tokai University, 4-1-1 Kitakaname Hiratsuka, Kanagawa 259-1292, Japan 2Institute of Remote Sensing and Digital Earth, Chinese Academy of Sciences (CAS), DaTun Road No. 20 (North), Beijing 100101, China 3Meteorological Research Institute, 1-1 Nagamine, Tsukuba, Ibaraki 305-0052, Japan 4Laboratoire d’Optique Atmosphérique, UMR CNRS 8518, Université de Lille 1-Sciences et Technologies, Villeneuve d’Ascq, France 5Met Office, Fitzroy Road, Exeter, EX1 3PB, UK 6Earth Observation Research Center (EORC), Japan Aerospace Exploration Agency (JAXA), 2-1-1 Sengen Tsukuba, Ibaraki 305-8505, Japan 7Tokyo University of Marine Science and Technology, Tokyo 135-8533, Japan Correspondence to: Takashi Y. Nakajima ([email protected]) Received: 29 September 2015 – Published in Atmos. Chem. Phys. Discuss.: 11 November 2015 Revised: 10 September 2016 – Accepted: 15 September 2016 – Published: 29 September 2016 Abstract. In this study, various ice particle habits are in- phase matrix. The characteristics of calculated extinction ef- vestigated in conjunction with inferring the optical proper- ficiency, single-scattering albedo, and asymmetry factor of ties of ice clouds for use in the Global Change Observa- the five ice particle habits are compared.
    [Show full text]
  • Operator's Manual
    OPERATOR’S MANUAL Safety Notices ..................................................................................................... 1 Disclaimer ......................................................................................................................... 1 Introduction ......................................................................................................... 3 Features ............................................................................................................................ 3 Requirements ....................................................................................................................3 Component Overview ......................................................................................... 5 Flex4 Terminal ..................................................................................................................5 Terminal Buttons .............................................................................................................................. 6 Terminal Connections ...................................................................................................................... 6 Operator Remote Switch Module....................................................................................... 7 Switch Module Functions ................................................................................................................. 7 Rate Control Module ........................................................................................................
    [Show full text]
  • CICE: the Los Alamos Sea Ice Model Documentation and Software User's
    CICE: the Los Alamos Sea Ice Model Documentation and Software User’s Manual Version 4.1 LA-CC-06-012 Elizabeth C. Hunke and William H. Lipscomb T-3 Fluid Dynamics Group, Los Alamos National Laboratory Los Alamos NM 87545 May 5, 2010 Contents 1 Introduction 2 2 Coupling with other climate model components 3 2.1 Atmosphere . .5 2.2 Ocean . .7 3 Model components 7 3.1 Horizontal transport . .9 3.1.1 Reconstructing area and tracer fields . 11 3.1.2 Locating departure triangles . 13 3.1.3 Integrating fields . 17 3.1.4 Updating state variables . 17 3.2 Transport in thickness space . 18 3.3 Mechanical redistribution . 21 3.4 Dynamics . 24 3.5 Thermodynamics . 26 3.5.1 Thermodynamic surface forcing . 26 3.5.2 New temperatures . 29 3.5.3 Growth and melting . 32 4 Numerical implementation 34 4.1 Directory structure . 34 4.2 Grid, boundary conditions and masks . 37 4.2.1 Grid domains and blocks . 38 4.2.2 Tripole grids . 39 4.2.3 Column configuration . 40 4.2.4 Boundary conditions . 40 4.2.5 Masks . 40 4.3 Initialization and coupling . 41 1 4.4 Choosing an appropriate time step . 41 4.5 Model output . 42 4.5.1 History files . 42 4.5.2 Diagnostic files . 43 4.5.3 Restart files . 44 4.6 Execution procedures . 44 4.7 Performance . 46 4.8 Adding things . 48 4.8.1 Timers . 48 4.8.2 History fields . 49 4.8.3 Tracers . 49 5 Troubleshooting 50 5.1 Initial setup .
    [Show full text]
  • High-Speed, Hardware-Oriented Authenticated Encryption
    ICEPOLE: High-speed, Hardware-oriented Authenticated Encryption Pawe lMorawiecki1;2, Kris Gaj5, Ekawat Homsirikamol5, Krystian Matusiewicz8, Josef Pieprzyk3;4, Marcin Rogawski7, Marian Srebrny1;2, and Marcin W´ojcik6 1 Institute of Computer Science, Polish Academy of Sciences, Poland 2 Section of Informatics, University of Commerce, Kielce, Poland 3 Department of Computing, Macquarie University, Australia 4 Electrical Engineering and Computer Science School, Science and Engineering Faculty, Queensland University of Technology, Brisbane, Australia 5 Cryptographic Engineering Research Group, George Mason University, USA 6 Cryptography and Information Security Group, University of Bristol, United Kingdom 7 Cadence Design Systems, San Jose, USA 8 Intel, Gda´nsk,Poland Abstract. This paper introduces our dedicated authenticated encryption scheme ICEPOLE. ICE- POLE is a high-speed hardware-oriented scheme, suitable for high-throughput network nodes or generally any environment where specialized hardware (such as FPGAs or ASICs) can be used to provide high data processing rates. ICEPOLE-128 (the primary ICEPOLE variant) is very fast. On the modern FPGA device Virtex 6, a basic iterative architecture of ICEPOLE reaches 41 Gbits/s, which is over 10 times faster than the equivalent implementation of AES-128-GCM. The throughput-to-area ratio is also substantially better when compared to AES-128-GCM. We have carefully examined the security of the algorithm through a range of cryptanalytic techniques and our findings indicate that ICEPOLE offers high security level. Keywords: authenticated encryption scheme, authenticated cipher, ICEPOLE 1 Introduction Protocols such as SSL/TLS [12, 16], the backbone of the Internet, are designed to provide data confidentiality and authenticity. Often the underlying algorithms of these protocols realize en- cryption and authentication separately (e.g., AES in CBC mode for encryption and HMAC- SHA1 for authentication).
    [Show full text]
  • Qualcomm® Inline Crypto Engine (UFS) Version 3.1.0 and Version 3.2.0
    Qualcomm® Inline Crypto Engine (UFS) Version 3.1.0 and Version 3.2.0 FIPS 140-2 Non-Proprietary Security Policy Version 1.5 2021-03-05 Prepared for: Qualcomm Technologies, Inc. 5775 Morehouse Drive San Diego, CA 92121 Prepared by: atsec information security Corp. 9130 Jollyville Road, Suite 260 Austin, TX 78759 Qualcomm Inline Crypto Engine is a product of Qualcomm Technologies, Inc. and/or its subsidiaries. Qualcomm Inline Crypto Engine (UFS) FIPS 140-2 Non-Proprietary Security Policy TABLE OF CONTENTS 1. INTRODUCTION ..................................................................................................... 3 1.1 PURPOSE OF THE SECURITY POLICY ..................................................................................................... 3 2. CRYPTOGRAPHIC MODULE SPECIFICATION .............................................................. 4 2.1. DESCRIPTION OF MODULE ................................................................................................................ 4 2.2. DESCRIPTION OF APPROVED MODE .................................................................................................... 5 2.3. CRYPTOGRAPHIC MODULE BOUNDARY ................................................................................................ 6 3. CRYPTOGRAPHIC MODULE PORTS AND INTERFACES .............................................. 12 4. ROLES, SERVICES AND AUTHENTICATION ............................................................. 13 4.1. ROLES .......................................................................................................................................
    [Show full text]
  • Crypto 101 Lvh
    Crypto 101 lvh 1 2 Copyright 2013-2017, Laurens Van Houtven (lvh) This work is available under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license. You can find the full text of the license at https://creativecommons.org/licenses/by-nc/4.0/. The following is a human-readable summary of (and not a substitute for) the license. You can: • Share: copy and redistribute the material in any medium or format • Adapt: remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms: • Attribution: you must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. • NonCommercial: you may not use the material for commercial purposes. • No additional restrictions: you may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation. 3 No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material. Pomidorkowi 4 Contents Contents 5 I Foreword 10 1 About this book 11 2 Advanced sections 13 3 Development 14 4 Acknowledgments 15 II Building blocks 17 5 Exclusive or 18 5.1 Description .....................
    [Show full text]
  • Authenticated Encryption by Enciphering
    AEZ v4.1: Authenticated Encryption by Enciphering Viet Tung Hoang Ted Krovetz Phillip Rogaway UC Santa Barbara Sacramento State UC Davis [email protected] [email protected] [email protected] October 15, 2015 The named authors are both designers and submitters. Abstract AEZ encrypts by appending to the plaintext a fixed authentication block and then enciphering the resulting string with an arbitrary-input-length blockcipher, this tweaked by the nonce and AD. The approach results in strong security and usability properties, including nonce-reuse misuse resistance, automatic exploitation of decryption-verified redundancy, and arbitrary, user- selectable ciphertext expansion. AEZ is parallelizable and its computational cost is close to that of AES-CTR. Our C implementation achieves peak speeds of 0.63 cpb on an Intel Skylake processor and 1.3 cpb on Apple’s A9 ARM processor. The latest version of this document, and all related materials, can always be found on the AEZ homepage: http://www.cs.ucdavis.edu/∼rogaway/aez Contents 0 Introduction 1 1Specification 3 1.1 Notation.............................................. 3 1.2 ArgumentsandParameters................................... 4 1.3 AEZExtensions......................................... 4 1.4 Pseudocode............................................ 5 1.5 Usagecap............................................. 9 2 Security Goals 10 3 Security Analysis 13 4 Features 16 5 Design Rationale 19 6 Intellectual Property 19 7Consent 20 8 Changes 20 References 21 A Specification of BLAKE2b 24 B Specification of AEZ deciphering algorithms 25 Hoang, Krovetz, and Rogaway AEZ v4.1 0 Introduction This document describes AEZ, which we view as both an enciphering scheme and an authenticated- encryption scheme. Before specifying it we provide a brief overview.
    [Show full text]
  • Cryptographic (In)Security in Android Apps an Empirical Analysis
    Radboud University Nijmegen TRU/e Security Faculty Of Science Radboud University, Nijmegen, Netherlands Cryptographic (In)Security in Android Apps An Empirical Analysis Master Thesis in Cyber Security Supervisor: Author: Dr. Veelasha Moonsamy Milad Masoodi Second reader: Dr. Fabian van den Broek July 20, 2020 As our circle of knowledge expands, so does the circumference of darkness surrounding it. |Albert Einstein I Acknowledgements No work of immense effort has ever been accomplished by the trials of one man alone, as such is this humble attempt. While I have performed this work through great dedication and effort relative to my situation, I could never achieve a final result of such adequacy without the help of many adept and selfless scientists, instructors, and friends that aided me in every step of the way. Atop all is Dr. Moonsamy; her excellent guidance and insight in critical moments on intricate details shaped this work. Along with the staff of the cybersecurity group of Radboud University, exceptional scientists that opened the gates of this fantastic field for me, and not to forget the invisible staff of the department, those who clean, maintain, and keep the environment operational so we could learn. It behooves me to thank Dr. Manuel Egele for CryptoLint, the incredible software that helped me design mine, my wonderful uncle, friend, and mentor Kamal Mohajerani who provided help, support, guidance, and elucidated every consultation with care and patience which considerably affected the format of this research, and my very good friend Sina Afshar for proofreading and commenting on my thesis. Last but not least, my mother, Dr.
    [Show full text]
  • Anything-But Eazy in Hardware
    AEZ: Anything-but EaZy in Hardware Ekawat Homsirikamol, & Kris Gaj George Mason University USA Based on work partially supported by NSF under Grant No. 1314540. Special thanks to the authors of AEZ: Phillip Rogaway, Ted Krovetz, and Viet Tung Hoang. First Author Ekawat Homsirikamol a.k.a “Ice” PhD Thesis defense on Nov. 18, 2016; currently with Cadence Design Systems in San Jose, CA Outline • Introduction & Motivation • CAESAR Hardware API • Hardware Architecture of AEZ • Results & Discussions • Conclusions & Future Work 3 Introduction & Motivation Cryptographic Standard Contests IX.1997 X.2000 AES 15 block ciphers ® 1 winner NESSIE I.2000 XII.2002 CRYPTREC XI.2004 IV.2008 34 stream 4 HW winners eSTREAM ciphers ® + 4 SW winners X.2007 X.2012 51 hash functions ® 1 winner SHA-3 I.2013 XII.2017 57 authenticated ciphers ® multiple winners CAESAR 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 time CAESAR Competition Goal: A portfolio of new-generation authenticated ciphers • offering advantages over AES-GCM • suitable for wide-spread adoption Period: March 2014 - December 2017 (tentative) Organizer: An informal committee of leading cryptographic experts Number of candidates: 57 ➞ 29 ➞ 15 ➞ ? ➞ ? R1 R2 R3 finalists portfolio 6 CAESAR Recent and Upcoming Milestones 2016.06.30: Round 2 VHDL/Verilog Code 2016.08.15: Announcement of 15 Round 3 candidates 2016.09.15: Round 3 tweaks 2016.09.25-27: DIAC 2016 - Directions in Authenticated Ciphers 2016.10.15: Round 3 software 2017.04.15 (tentative): Round 3 VHDL/Verilog code 7 CAESAR
    [Show full text]