47_Presentation [Kashif Latif]


  • 8/3/2019 47_Presentation [Kashif Latif]


    High Throughput Hardware Implementation of Secure Hash Algorithm (SHA-3) Finalist - BLAKE

    By Kashif Latif

    ISRL Information Security Research Laboratory
    National University of Sciences and Technology


    INTRODUCTION

    • Hardware solutions to cryptographic algorithms provide high speed and real-time results for applications like data confidentiality and authentication
    • FPGA is the leading representative of reconfigurable hardware devices of the modern era
    • Implementations need both efficient and cost-effective solutions of cryptographic algorithms on reconfigurable platforms

    SCOPE

    • Cryptographic hash functions are widely used in many information security applications like digital signatures, message authentication codes (MACs) and other forms of authentication
    • The National Institute of Standards and Technology (NIST), USA, announced a public competition on November 2, 2007 to develop a new cryptographic hash algorithm called SHA-3
    • A response to recent advances in the cryptanalysis of commonly used hash algorithms. These include the SHA family (SHA-0, SHA-1, SHA-256 and SHA-512), MD4 and MD5

    CRYPTOGRAPHIC HASH FUNCTIONS

    • A one-way procedure whose input is an arbitrary block of data and whose output is a fixed-size bit string
    • A hash value H of plaintext M is generated by a hash function h of the form H = h(M)
    • More often, the data to be hashed is called the message, and the hash value is called the message digest or simply the digest

    CRYPTOGRAPHIC HASH FUNCTIONS: APPLICATIONS

    • Verifying file integrity
    • Hashing passwords
    • Digital signatures

    CRYPTOGRAPHIC HASH FUNCTIONS: APPLICATIONS

    [Figure: Digital Signatures with Conventional Encryption and Hash Functions. Labels: Message, Hash Function, Message Digest, K, Signature, Compare]

    REQUIREMENT OF NEW HASH ALGORITHM

    • Commonly used hash algorithms: the SHA family (SHA-0, SHA-1, SHA-256 and SHA-512), MD4 and MD5
    • In the previous few years, cryptanalysis of these algorithms found serious vulnerabilities
    • Collisions were reported for MD4, MD5, HAVAL-128 and RIPEMD in 2004 [1]
    • A 2^63-operation collision attack on SHA-1 was reported in 2005 [2]; previously it was thought to require 2^80 operations
    • A collision attack on MD5 was reported in 2006 [3]
    • SHA-3 Contest is a response to recent advances in the cryptanalysis of these

    SHA-3 CONTEST

    • Publicly open contest, like AES in 1997-2001
    • NIST announced in November 2007
    • 64 submissions, out of which 51 fulfilled the minimum submission requirements and were selected as the First Round Candidates in Dec 2008
    • Reduced to 14 in Round 2 of the competition
    • 5 out of 14 Round 2 candidates selected and promoted to the Final Round on 10 December 2010
    • Tentative timeline for the end of this competition and selection of finalist for SHA-3 is in the 4th quarter of 2012

    SHA-3 Finalists

    • BLAKE
    • Grøstl
    • JH
    • Keccak
    • Skein

    BLAKE Hash function

    • Based on Bernstein's stream cipher ChaCha
    • Uses iteration mode HAIFA
    • Internal construction is local wide-pipe

    [Figure: BLAKE local wide-pipe construction. Labels: Initialization, Rounds, Finalization; Chain Value, Message, Salt, Counter, Next Chain Value]

    BLAKE Hash function

    • Two basic variants: BLAKE-256 and BLAKE-512
    • BLAKE-256 operates on 32-bit words and BLAKE-512 operates on 64-bit words
    • Compression function takes four inputs:
        Chaining hash value h = h0, h1, h2, ..., h7
        Message block m = m0, m1, m2, ..., m15
        Salt s = s0, s1, s2, s3
        Counter t = t0, t1
    • Additional use of constants and a permutation table:
        Constants c = c0, c1, c2, ..., c15
        Permutation r of {0, ..., 15}
    • Output is the new chaining hash value h' = h'0, ..., h'7

    BLAKE Hash function

    Initialization: 4x4 matrix of 16 words v = v0, v1, v2, ..., v15, initialized as follows:

        | v0  v1  v2  v3  |      | h0       h1       h2       h3      |
        | v4  v5  v6  v7  |  <-  | h4       h5       h6       h7      |
        | v8  v9  v10 v11 |      | s0 ⊕ c0  s1 ⊕ c1  s2 ⊕ c2  s3 ⊕ c3 |
        | v12 v13 v14 v15 |      | t0 ⊕ c4  t0 ⊕ c5  t1 ⊕ c6  t1 ⊕ c7 |

    Round Function: simple transformation over state v, computation of the following 8 G functions:

        G0 (v0, v4, v8, v12)     G2 (v1, v5, v9, v13)
        G4 (v2, v6, v10, v14)    G6 (v3, v7, v11, v15)
        G8 (v0, v5, v10, v15)    G10 (v1, v6, v11, v12)
        G12 (v2, v7, v8, v13)    G14 (v3, v4, v9, v14)

    BLAKE Hash function

    G (a, b, c, d) is defined as:

        a = a + b + (m_r(i) ⊕ c_r(i+1))
        d = (d ⊕ a) >> 16
        c = c + d
        b = (b ⊕ c) >> 12
        a = a + b + (m_r(i+1) ⊕ c_r(i))
        d = (d ⊕ a) >> 8
        c = c + d
        b = (b ⊕ c) >> 7

    ⊕   Bitwise XOR
    +   Addition
    >>  Right rotate

    BLAKE Hash function

    Round function is iterated 14 times for BLAKE-256 and 16 times for BLAKE-512.

    Finalization:

        h'0 = h0 ⊕ s0 ⊕ v0 ⊕ v8
        h'1 = h1 ⊕ s1 ⊕ v1 ⊕ v9
        h'2 = h2 ⊕ s2 ⊕ v2 ⊕ v10
        h'3 = h3 ⊕ s3 ⊕ v3 ⊕ v11
        h'4 = h4 ⊕ s0 ⊕ v4 ⊕ v12
        h'5 = h5 ⊕ s1 ⊕ v5 ⊕ v13
        h'6 = h6 ⊕ s2 ⊕ v6 ⊕ v14
        h'7 = h7 ⊕ s3 ⊕ v7 ⊕ v15
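A software reference model of the BLAKE-256 compression function described on the preceding slides (initialization, eight G functions per round, 14 rounds, finalization), of the kind used to check a hardware core's digest output. This is an added example, not code from the presentation: the IV, constant values, permutation table and padding rule are not on the slides and are taken from the BLAKE specification [7], and the names `compress` and `blake256` are this example's own.

```python
import struct
# Tables from the BLAKE specification [7]; the slides name them but do not list them.
IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
C = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
     0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
     0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917]
SIGMA = [[int(ch, 16) for ch in row] for row in (   # one permutation per round
    "0123456789abcdef", "ea489fd61c02b753", "b8c052fdae367194",
    "7931dcbe265a40f8", "905724afe1bc683d", "2c6a0b834d75fe19",
    "c51fed4a0763928b", "db7ec13950f4862a", "6fe9b308c2d714a5",
    "a2847615fb9e3cd0")]
M32 = 0xFFFFFFFF
# State indices (a, b, c, d) for G0, G2, ..., G14: four columns, then four diagonals
QUADS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
         (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def compress(h, block, s, t):
    """One compression: chain value h, 64-byte block, salt s, bit counter t."""
    m = struct.unpack(">16I", block)                 # big-endian message words
    t0, t1 = t & M32, t >> 32
    v = (list(h) + [s[i] ^ C[i] for i in range(4)]   # initialization
         + [t0 ^ C[4], t0 ^ C[5], t1 ^ C[6], t1 ^ C[7]])
    for r in range(14):                              # 14 rounds for BLAKE-256
        p = SIGMA[r % 10]
        for i, (a, b, c, d) in zip(range(0, 16, 2), QUADS):  # G_i, slide indexing
            v[a] = (v[a] + v[b] + (m[p[i]] ^ C[p[i + 1]])) & M32
            v[d] = rotr(v[d] ^ v[a], 16)
            v[c] = (v[c] + v[d]) & M32
            v[b] = rotr(v[b] ^ v[c], 12)
            v[a] = (v[a] + v[b] + (m[p[i + 1]] ^ C[p[i]])) & M32
            v[d] = rotr(v[d] ^ v[a], 8)
            v[c] = (v[c] + v[d]) & M32
            v[b] = rotr(v[b] ^ v[c], 7)
    return [h[i] ^ s[i % 4] ^ v[i] ^ v[i + 8] for i in range(8)]  # finalization

def blake256(msg, salt=(0, 0, 0, 0)):
    h, bits = list(IV), 8 * len(msg)
    pad = bytearray((55 - len(msg)) % 64 + 1)        # 1 bit, zeros, 1 bit
    pad[0] |= 0x80
    pad[-1] |= 0x01
    data = msg + bytes(pad) + struct.pack(">Q", bits)
    for j in range(0, len(data), 64):
        # counter = message bits hashed so far; 0 for a block holding only padding
        t = min(bits, 8 * (j + 64)) if 8 * j < bits else 0
        h = compress(h, data[j:j + 64], salt, t)
    return struct.pack(">8I", *h).hex()
```

Calling `blake256(b"\x00")` hashes the one-byte message used as the single-block test vector in the specification; the same call on a captured input block gives the value a hardware core's output register should hold.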

    IMPLEMENTATION

    Input/output interface

    [Figure: input/output interface. Blocks: I/O Interface, Hash Module. Signals: clock, reset, load, ack, hash_valid, data_IN, data_OUT. Bus width labels: 64, 64]

    IMPLEMENTATION

    Data path and Control path

    [Figure: data path and control path. Labels: Control Path, Data Path, Clock Counter, FSM Logic, State Reg, Input Registers, BLAKE Hash Core, Intermediate Registers, Output Register. Signals: clock, reset, select, hash_en, hash_done, input, output]

    IMPLEMENTATION

    Data path Architecture

    [Figure: data path architecture. Labels: IV, CV_Reg, Initialization, V_Reg, G Functions (G1, G2, G3, G4), Finalization, msg, cnst., hash]

    RESULTS

    Device            Area [Slices]   Fmax [MHz]   T [ns]
    Xilinx Virtex 7   1566            135.355      7.388
    Xilinx Virtex 6   1602            131.961      7.578
    Xilinx Virtex 5   1739            124.55       8.029

    Device            Block Size [bits]   Nclk [cycles]   T [ns]   Thash [ns]   TP [Gb/s]
    Xilinx Virtex 7   512                 28              7.388    206.86       2.47
    Xilinx Virtex 6   512                 28              7.578    212.18       2.41
    Xilinx Virtex 5   512                 28              8.029    224.81       2.28

    Comparison with previous work

    Author(s)              Device     Fmax [MHz]   Area [Slices]   TP [Gb/s]   TPA [Mbps/slice]
    Our work               Virtex 7   135.355      1566            2.47        1.58
    Our work               Virtex 6   131.961      1602            2.41        1.51
    Our work               Virtex 5   124.55       1739            2.28        1.31
    Aumasson et al. [7]    Virtex 5   100.00       1217            1.76        1.45
    Baldwin et al. [8]     Virtex 5   91.35        1653            0.83        0.50
    Matsuo et al. [9]      Virtex 5   115.00       1660            0.64        0.38
    Kris Gaj et al. [10]   Virtex 5   117.06       1871            2.07        1.10
    E. Hom. et al. [11]    Virtex 6   -            1247            1.96        1.57
    E. Hom. et al. [11]    Virtex 5   -            1691            2.25        1.33

    CONCLUSION

    • We have presented an efficient and high-throughput implementation of BLAKE-256
    • Results shown for Virtex 5, Virtex 6 and Virtex 7
    • Performance figures reported in terms of area consumption, throughput and throughput per area
    • Results achieved in this work exceed the performance of implementations reported so far
    • This work serves as a performance investigation of BLAKE-256 on the most up-to-date FPGAs

    Question & Answers

    Q/A

    REFERENCES

    [1] X. L. Xiaoyun Wang, D. Feng and H. Yu, "Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD", Cryptology ePrint Archive, Report 2004/199, http://eprint.iacr.org/2004/199, pp. 1-4.
    [2] M. Szydlo, "SHA-1 collisions can be found in 2^63 operations", CryptoBytes Technical Newsletter, August 19, 2005.
    [3] M. Stevens, "Fast collision attack on MD5", ePrint-2006-104, March 2006, http://eprint.iacr.org/2006/104.pdf, pp. 1-13.
    [4] Federal Register / Vol. 72, No. 212 / Friday, November 2, 2007 / Notices, http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf, pp. 1-9.
    [5] National Institute of Standards and Technology (NIST), "Cryptographic Hash Algorithm Competition", http://www.nist.gov/itl/csd/ct/.
    [6] NIST Interagency Report 7764, "Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition", February 2011, pp. 1-38.
    [7] J. Aumasson, L. Henzen, W. Meier, R. W. Phan, "SHA-3 Proposal BLAKE", version 1.3, http://131002.net/blake/blake.pdf, December 2010, pp. 1-79.
    [8] B. Baldwin, N. Hanley, M. Hamilton, L. Lu, A. Byrne, M. Neill and W. P. Marnane, "FPGA Implementations of the Round Two SHA-3 Candidates", 2nd SHA-3 Candidate Conference, Santa Barbara, August 23-24, 2010, pp. 1-18.
    [9] S. Matsuo, M. Knezevic, P. Schaumont, I. Verbauwhede, A. Satoh, K. Sakiyama and K. Ota, "How Can We Conduct Fair and Consistent Hardware Evaluation for SHA-3 Candidate?", 2nd SHA-3 Candidate Conference, Santa Barbara, August 23-24, 2010, pp. 1-15.
    [10] K. Gaj, E. Homsirikamol, and M. Rogawski, "Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates using FPGAs", in Proceedings of Cryptographic Hardware and Embedded Systems workshop, CHES 2010, Santa Barbara, Aug. 2010.
    [11] E. Homsirikamol, M. Rogawski and K. Gaj, "Comparing Hardware Performance of Round 3 SHA-3 Candidates using Multiple Hardware Architectures in Xilinx and Altera FPGAs", ECRYPT II Hash Workshop 2011, Tallinn, Estonia, May 19-20, 2011, pp. 1-15.
