Summary Part I Security: Applications & Aspects Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Part II Basic Cyphering Symmetric vs Asymmetric Cryptography Security Background Theoretical Attacks Arnaud Tisserand Cryptographic Hash Functions Physical Attacks CNRS, IRISA laboratory, CAIRN research team Random Number Generators (RNG) Part III Cryptographic Processors ´ Cryptographic Co-Processors & Accelerators Ecole ARCHI Processors and Co-Processors Lille, Nord Trusted Platform Module (TPM) June 8{12th 2015 Part IV Instruction Set Instruction Set Extensions Instruction Set Extensions Addition of Long Operands Extension for Finite Fields Arithmetic Extensions for AES Conclusion, future prospects, references A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 2/81 Applications with Security Needs Part I Introduction Security: Applications & Aspects Cryptographic Features Software vs Hardware Support Hardware Acceleration Solutions We need protections against: A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 3/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 4/81 Security Aspects Steganography Cryptography: art of secret security Steganography: art of dissimulation Principle: hide a secret message into another message (support) system security cryptology secret message landings in Normandy on data steganography June 6th, 1944. networks cryptography operating systems cryptanalysis program - programs physical devices theoretical support image result difference A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 5/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 6/81 Cryptographic Features Software vs Hardware Support I Objectives: Cryptographic primitives: instructions managment + control SW • Confidentiality • Encryption @ • Integrity • Digital signature @ • Authenticity • Hash function memory D reg. hierarchy FU FU FU • Non-repudiation • Random numbers generation LSU file 1 2 3 • ... • ... Implementation issues: EXCELLENT slow large large small • Performances: speed, delay, throughput, latency FLEXIBILITY SPEED AREA ENERGY DEVEL. COST • Cost: device (memory, size, weight), low power/energy consumption, design limited fast small small HUGE • Security: protection against attacks op. op. op. op. Applications: smart cards, computers, Internet, telecommunications, reg. reg. reg. reg. set-top boxes, data storage, RFID tags, WSN, smart grids. CTRL SECURITY?memory HW A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 7/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 8/81 Hardware Acceleration Solutions Part II At cluster/network/system level: (autonomous) dedicated processors • Digital signal processors (DSPs) Security Background • Network processors • Multimedia processors Basic Cyphering • Cryptographic processors Symmetric vs Asymmetric Cryptography At computer level: co-processors and accelerators Theoretical Attacks • Dedicated cards for specific applications: video (GPU), audio, . • Cryptographic co-processors Cryptographic Hash Functions At processor/core level: instruction set extensions Physical Attacks • Vector/matrix computations, SIMD, FMA, small floats, data shuffling, bit manipulation, cache interaction, prefetching Random Number Generators (RNG) • Multimedia & signal processing applications • Cryptographic extensions (AES, GF(2m) multiplication) A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 9/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 10/81 Basic Cyphering Symmetric / Private-Key Cryptography Alice wants to secretly send a message to Bob in such a way Eve E D (eavesdropper/spy) should have no information Ek (M) M A B Dk (Ek (M)) = M secret k E k • A : Alice, B : Bob • M: plain text/message • E: encryption/ciphering algorithm, D: decryption/deciphering algorithm E plain text • k: secret key to be shared by A and B M A B • Ek (M): encrypted text • communication Dk (Ek (M)): decrypted text secured zone secured zone channel • E: eavesdropper/spy A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 11/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 12/81 Symmetric Cryptography Limitation Asymmetric / Public-Key Cryptography people required keys E D n list list number Ek (M) 2 A, B k 1 A B M A B Dk0 (Ek (M)) = M C k2 k3 0 3 A, B, C 3 k E k k1 A B k C k2 k3 k 4 A, B, C, D A 1 B 6 k6 • k: B's public key (known to everyone including E) k4 k5 • D Ek (M): ciphered text • k0: B's private key (must be kept secret) n A,. n×(n−1) 2 • Dk0 (Ek (M)): deciphered text A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 13/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 14/81 Symmetric or Asymmetric Cryptography? Theoretical Attacks Private-key or symmetric cryptography: simple algorithms attack k, M??? fast computation E limited cost (silicon area, energy) E D requires a key exchange Ek (M) key distribution problem for n persons M A B Dk (Ek (M)) = M k k Public-key or asymmetric cryptography: no key exchange Notations: only 2 keys per person (1 private, 1 public) • M plain text allows digital signature • E encryption algorithm • C = Ek (M) ciphered text more complex algorithms • D decryption algorithm • secured zone slower computation • k secret key higher cost A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 15/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 16/81 RSA 768 Attack in December 2009 RSA Ciphering (Rivest, Shamir, Adleman 1977) (n; e) d 6 months on 80 parallel computers (≡ 1 500 years for a single computer!) public key RSA-768 = m 2 [0; n − 1] 3347807169895689878604416984821269081770479498371376856891 private key c 2431388982883793878002287614711652531743087737814467999489 c = me mod n A B m = cd mod n × 3674604366679959042824463379962795263227915816434308764267 6032283815739666511279233373417143396810270092798736308917 RSA key pair generation: Source: article 1. generate primes p and q (length l=2) http://eprint.iacr.org/2010/006.pdf 2. compute n = pq and φ = (p − 1)(q − 1) Factorization of a 768-bit RSA modulus. Thorsten Kleinjung, Kazumaro 3. select e such that 1 < e < φ and gcd(e; φ) = 1 Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thome, Joppe W. Bos, 4. compute d satisfying 1 < d < φ and ed ≡ 1 mod φ Pierrick Gaudry, Alexander Kruppa, Peter L. Montgomery, Dag Arne Osvik, Herman te Riele, Andrey Timofeev, and Paul Zimmermann Security: • integer factorization problem: compute (p,q) knowing just n is hard • minimal key size recommendation: 1024 bits A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 17/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 18/81 RSA Signature Cryptographic Hash Functions (1/2) m signature verification signature generation • message m (arbitrary block of data) l bits • variable size l ACCEPT signature (n; e) d H public key • hash or digest h k bits h=h0 h0 = se mod n • fixed size k (in practice k << l) private key h = H(m) (m; s) comparison d A B s = h mod n Security properties of cryptographic hash functions: • preimage resistance (one way function): h m j h = H(m) h6=h0 h = H(m) h = H(m) 9 1 • second preimage resistance : m19m2 6= m1 j H(m1) = H(m2) REJECT signature m • collision resistance: finding (m1; m2) such that m1 6= m2 and H(m1) = H(m2) is very hard H a cryptographic hash function Examples: MD5, WHIRLPOOL, SHA-1, SHA-2, SHA-3 (selection 2010) A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 19/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 20/81 Cryptographic Hash Functions (2/2) [Trapdoor] One Way Function One way function: f : x 7! y = f (x) Examples using openssl: • given x, computing y is easy • given y, computing x is very hard > echo "string" | openssl dgst -sha224 -hex Trapdoor one way function: f : x 7! y = f (x) string digest • given x, computing y is easy 0123456789 95ae4be607f065743ac1c81d1180591a919d08b8d4765e176b26f214 • given y, computing x is very hard 1123456789 5c527cd1341a4338f09086e71d1a0d69f818d74a828c974b9433524a 0123446789 94e5aa1d275dc3a21c76d28b011f4ea6121fa228af3ec7fa329da44f • given some (secret) information and y, computing x is easy 0123456788 b04c6b0b1d663ad0c00d749441747cc6df211ea6c98f4fd2dbf283ff Example: p and q primes, computing n = pq is easy but finding (p; q) knowing just n is very hard A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 21/81 A. Tisserand, CNRS{IRISA{CAIRN. Processor Extensions for Security 22/81 Elliptic Curve Cryptography (ECC) Key Size vs Security Level E : y 2 = x 3 + 4x + 20 over GF(1009) security RSA ECC encryption points on E: P, Q= (x; y) or (x; y; z) level GF(p) GF(2m) signature coordinates: x; y; z 2 GF(·) jnj [bits] jpj [bits] m [bits] 56 512 112 113 etc GF(p), GF(2m), t : 160{600 bits protocol level 64 704 128 131 k = (kt−1kt−2 ::: k1k0)2 2 N 80 1024 160 163 J [k]P Scalar multiplication operation 96 1536 192 193 for i from 0 to t − 1 do 112 2048 224 233 JJ if ki = 1 then Q = ADD(P; Q) 128 3072 256 283 P = DBL(P) 192 7680 384 409 P + P curve level Point addition/doubling operations 256 15360 521 571 ADD(P; Q) DBL(P) sequence of finite field operations 2 h DBL: v1 = z1 ; v2 = x1 − v1;::: • Security level of h: the best known algorithm takes2 steps for 2 ADD: w1 = z1 ; w2 = z1 × w1;::: breaking the cryptosystem GF(p) or GF(2m) operations • RSA: Z=nZ with n = pq, p and q primes x±y x×y ::: operation