Software implementation of Post-Quantum Cryptography
|
|
- Erika Leonard
- 8 years ago
- Views:
Transcription
1 Software implementation of Post-Quantum Cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands October 20, 2013 ASCrypto 2013, Florianópolis, Brazil
2 Part I Optimizing cryptographic software with vector instructions Software implementation of Post-Quantum Cryptography 2
3 Computers and computer programs A highly simplified view Branch Unit A program is a sequence of instructions ALU implicit Load/Store instructions move data between memory and registers (processed by the L/S unit) Registers L/S Unit explicit Memory Branch instructions (conditionally) jump to a position in the program Arithmetic instructions perform simple operations on values in registers (processed by the ALU) CPU Registers are fast (fixed-size) storage units, addressed by name Software implementation of Post-Quantum Cryptography 3
4 A first program Adding up 1000 integers 1. Set register R1 to zero 2. Set register R2 to zero 3. Load 32-bits from address START+R2 into register R3 4. Add 32-bit integers in R1 and R3, write the result in R1 5. Increase value in register R2 by 4 6. Compare value in register R2 to Goto line 3 if R2 was smaller than 4000 Software implementation of Post-Quantum Cryptography 4
5 A first program Adding up 1000 integers in readable syntax int32 int32 int32 result tmp ctr result = 0 ctr = 0 looptop : tmp = mem32 [ START + ctr ] result += tmp ctr += 4 unsigned <? ctr goto looptop if unsigned < Software implementation of Post-Quantum Cryptography 5
6 Running the program Easy approach: Per time-slot (cycle) execute one instruction, then go for the next Cycles needs to be long enough to finish the most complex supported instruction Software implementation of Post-Quantum Cryptography 6
7 Running the program Easy approach: Per time-slot (cycle) execute one instruction, then go for the next Cycles needs to be long enough to finish the most complex supported instruction Other approach: Chop instructions into smaller tasks, e.g. for addition: 1. Fetch instruction 2. Decode instruction 3. Fetch register arguments 4. Execute (actual addition) 5. Write back to register Software implementation of Post-Quantum Cryptography 6
8 Running the program Easy approach: Per time-slot (cycle) execute one instruction, then go for the next Cycles needs to be long enough to finish the most complex supported instruction Other approach: Chop instructions into smaller tasks, e.g. for addition: 1. Fetch instruction 2. Decode instruction 3. Fetch register arguments 4. Execute (actual addition) 5. Write back to register Overlap instructions (e.g., while one instruction is in step 2, the next one can do step 1 etc.) This is called pipelined execution (many more stages possible) Advantage: cycles can be much shorter (higher clock speed) Software implementation of Post-Quantum Cryptography 6
9 Running the program Easy approach: Per time-slot (cycle) execute one instruction, then go for the next Cycles needs to be long enough to finish the most complex supported instruction Other approach: Chop instructions into smaller tasks, e.g. for addition: 1. Fetch instruction 2. Decode instruction 3. Fetch register arguments 4. Execute (actual addition) 5. Write back to register Overlap instructions (e.g., while one instruction is in step 2, the next one can do step 1 etc.) This is called pipelined execution (many more stages possible) Advantage: cycles can be much shorter (higher clock speed) Requirement for overlapping execution: instructions have to be independent Software implementation of Post-Quantum Cryptography 6
10 Throughput and latency While the ALU is executing an instruction the L/S and branch units are idle Software implementation of Post-Quantum Cryptography 7
11 Throughput and latency While the ALU is executing an instruction the L/S and branch units are idle Idea: Duplicate fetch and decode, handle two or three instructions per cycle While we re at it: Why not deploy two ALUs This concept is called superscalar execution Software implementation of Post-Quantum Cryptography 7
12 Throughput and latency While the ALU is executing an instruction the L/S and branch units are idle Idea: Duplicate fetch and decode, handle two or three instructions per cycle While we re at it: Why not deploy two ALUs This concept is called superscalar execution Number of independent instructions of one type per cycle: throughput Number of cycles that need to pass before the result can be used: latency Software implementation of Post-Quantum Cryptography 7
13 An example computer Still highly simplified Branch Unit ALU ALU Latencies and throughputs At most 4 instructions per cycle implicit Registers L/S Unit explicit Memory At most 1 Load/Store instruction per cycle At most 2 arithmetic instructions per cycle Arithmetic latency: 2 cycles Load latency: 3 cycles Branches have to be last instruction in a cycle CPU Software implementation of Post-Quantum Cryptography 8
14 Adding up 1000 integers on this computer Latencies and throughputs Need at least 1000 load instructions: 1000 cycles At most 4 instructions per cycle At most 1 Load/Store instruction per cycle At most 2 arithmetic instructions per cycle Arithmetic latency: 2 cycles Load latency: 3 cycles Branches have to be last instruction in a cycle Software implementation of Post-Quantum Cryptography 9
15 Adding up 1000 integers on this computer Latencies and throughputs Need at least 1000 load instructions: 1000 cycles Need at least 999 addition instructions: 500 cycles At most 4 instructions per cycle At most 1 Load/Store instruction per cycle At most 2 arithmetic instructions per cycle Arithmetic latency: 2 cycles Load latency: 3 cycles Branches have to be last instruction in a cycle Software implementation of Post-Quantum Cryptography 9
16 Adding up 1000 integers on this computer Latencies and throughputs Need at least 1000 load instructions: 1000 cycles Need at least 999 addition instructions: 500 cycles At least 1999 instructions: 500 cycles At most 4 instructions per cycle At most 1 Load/Store instruction per cycle At most 2 arithmetic instructions per cycle Arithmetic latency: 2 cycles Load latency: 3 cycles Branches have to be last instruction in a cycle Software implementation of Post-Quantum Cryptography 9
17 Adding up 1000 integers on this computer Latencies and throughputs Need at least 1000 load instructions: 1000 cycles Need at least 999 addition instructions: 500 cycles At least 1999 instructions: 500 cycles Lower bound: 1000 cycles At most 4 instructions per cycle At most 1 Load/Store instruction per cycle At most 2 arithmetic instructions per cycle Arithmetic latency: 2 cycles Load latency: 3 cycles Branches have to be last instruction in a cycle Software implementation of Post-Quantum Cryptography 9
18 How about our program? int32 int32 int32 result tmp ctr result = 0 ctr = 0 looptop : tmp = mem32 [ START + ctr ] result += tmp ctr += 4 unsigned <? ctr goto looptop if unsigned < Software implementation of Post-Quantum Cryptography 10
19 How about our program? int32 int32 int32 result tmp ctr result = 0 ctr = 0 looptop : tmp = mem32 [ START + ctr ] # wait 2 cycles for tmp result += tmp ctr += 4 # wait 1 cycle for ctr unsigned <? ctr # wait 1 cycle for unsigned < goto looptop if unsigned < Addition has to wait for load Comparison has to wait for addition Each iteration of the loop takes 8 cycles Total: > 8000 cycles Software implementation of Post-Quantum Cryptography 10
20 How about our program? int32 int32 int32 result tmp ctr result = 0 ctr = 0 looptop : tmp = mem32 [ START + ctr ] # wait 2 cycles for tmp result += tmp ctr += 4 # wait 1 cycle for ctr unsigned <? ctr # wait 1 cycle for unsigned < goto looptop if unsigned < Addition has to wait for load Comparison has to wait for addition Each iteration of the loop takes 8 cycles Total: > 8000 cycles This program sucks! Software implementation of Post-Quantum Cryptography 10
21 Making the program fast Step 1 Unrolling result = 0 tmp = mem32 [ START +0] result += tmp tmp = mem32 [ START +4] result += tmp tmp = mem32 [ START +8] result += tmp Remove all the loop control: unrolling... tmp = mem32 [ START +3996] result += tmp Software implementation of Post-Quantum Cryptography 11
22 Making the program fast Step 1 Unrolling result = 0 tmp = mem32 [ START +0] # wait 2 cycles for tmp result += tmp tmp = mem32 [ START +4] # wait 2 cycles for tmp result += tmp tmp = mem32 [ START +8] # wait 2 cycles for tmp result += tmp... Remove all the loop control: unrolling Each load-and-add now takes 3 cycles Total: 3000 cycles tmp = mem32 [ START +3996] # wait 2 cycles for tmp result += tmp Software implementation of Post-Quantum Cryptography 11
23 Making the program fast Step 1 Unrolling result = 0 tmp = mem32 [ START +0] # wait 2 cycles for tmp result += tmp tmp = mem32 [ START +4] # wait 2 cycles for tmp result += tmp tmp = mem32 [ START +8] # wait 2 cycles for tmp result += tmp... tmp = mem32 [ START +3996] # wait 2 cycles for tmp result += tmp Remove all the loop control: unrolling Each load-and-add now takes 3 cycles Total: 3000 cycles Better, but still too slow Software implementation of Post-Quantum Cryptography 11
24 Making the program fast Step 2 Instruction Scheduling result = mem32 [ START + 0] tmp0 = mem32 [ START + 4] tmp1 = mem32 [ START + 8] tmp2 = mem32 [ START +12] result += tmp0 tmp0 = mem32 [ START +16] result += tmp1 tmp1 = mem32 [ START +20] result += tmp2 tmp2 = mem32 [ START +24]... Load values earlier Load latencies are hidden Use more registers for loaded values (tmp0, tmp1, tmp2) Get rid of one addition to zero result += tmp2 tmp2 = mem32 [ START +3996] result += tmp0 result += tmp1 result += tmp2 Software implementation of Post-Quantum Cryptography 12
25 Making the program fast Step 2 Instruction Scheduling result = mem32 [ START + 0] tmp0 = mem32 [ START + 4] tmp1 = mem32 [ START + 8] tmp2 = mem32 [ START +12] result += tmp0 tmp0 = mem32 [ START +16] # wait 1 cycle for result result += tmp1 tmp1 = mem32 [ START +20] # wait 1 cycle for result result += tmp2 tmp2 = mem32 [ START +24]... result += tmp2 tmp2 = mem32 [ START +3996] # wait 1 cycle for result result += tmp0 # wait 1 cycle for result result += tmp1 # wait 1 cycle for result result += tmp2 Load values earlier Load latencies are hidden Use more registers for loaded values (tmp0, tmp1, tmp2) Get rid of one addition to zero Now arithmetic latencies kick in Total: 2000 cycles Software implementation of Post-Quantum Cryptography 12
26 Making the program fast Step 3 More Instruction Scheduling (two accumulators) result0 = mem32 [ START + 0] tmp0 = mem32 [ START + 8] result1 = mem32 [ START + 4] tmp1 = mem32 [ START +12] tmp2 = mem32 [ START +16] result0 += tmp0 tmp0 = mem32 [ START +20] result1 += tmp1 tmp1 = mem32 [ START +24] result0 += tmp2 tmp2 = mem32 [ START +28]... result0 += tmp1 tmp1 = mem32 [ START +3996] result1 += tmp2 result0 += tmp0 result1 += tmp1 result0 += result1 Use one more accumulator register (result1) All latencies hidden Total: 1004 cycles Asymptotically n cycles for n additions Software implementation of Post-Quantum Cryptography 13
27 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Software implementation of Post-Quantum Cryptography 14
28 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Optimize until we (almost) reached the lower bound: Software implementation of Post-Quantum Cryptography 14
29 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Optimize until we (almost) reached the lower bound: Unroll the loop Software implementation of Post-Quantum Cryptography 14
30 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Optimize until we (almost) reached the lower bound: Unroll the loop Interleave independent instructions (instruction scheduling) Software implementation of Post-Quantum Cryptography 14
31 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Optimize until we (almost) reached the lower bound: Unroll the loop Interleave independent instructions (instruction scheduling) Resulting program is larger and requires more registers! Software implementation of Post-Quantum Cryptography 14
32 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Optimize until we (almost) reached the lower bound: Unroll the loop Interleave independent instructions (instruction scheduling) Resulting program is larger and requires more registers! Note: Good instruction scheduling typically requires more registers Software implementation of Post-Quantum Cryptography 14
33 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Optimize until we (almost) reached the lower bound: Unroll the loop Interleave independent instructions (instruction scheduling) Resulting program is larger and requires more registers! Note: Good instruction scheduling typically requires more registers Opposing requirements to register allocation (assigning registers to live variables, minimizing memory access) Software implementation of Post-Quantum Cryptography 14
34 Summary of what we did Analyze the algorithm in terms of machine instructions Look at what the respective machine is able to do Compute a lower bound of the cycles Optimize until we (almost) reached the lower bound: Unroll the loop Interleave independent instructions (instruction scheduling) Resulting program is larger and requires more registers! Note: Good instruction scheduling typically requires more registers Opposing requirements to register allocation (assigning registers to live variables, minimizing memory access) Both instruction scheduling and register allocation are NP hard So is the joint problem Many instances are efficiently solvable Software implementation of Post-Quantum Cryptography 14
35 Architectures and microarchitectures What instructions and how many registers do we have? Instructions are defined by the instruction set Supported register names are defined by the set of architectural registers Instruction set and set of architectural registers together define the architecture Examples for architectures: x86, AMD64, ARMv6, ARMv7, UltraSPARC Sometimes base architectures are extended, e.g., MMX, SSE, NEON Software implementation of Post-Quantum Cryptography 15
36 Architectures and microarchitectures What instructions and how many registers do we have? Instructions are defined by the instruction set Supported register names are defined by the set of architectural registers Instruction set and set of architectural registers together define the architecture Examples for architectures: x86, AMD64, ARMv6, ARMv7, UltraSPARC Sometimes base architectures are extended, e.g., MMX, SSE, NEON What determines latencies etc? Different microarchitectures implement an architecture Latencies and throughputs are specific to a microarchitecture Example: Intel Core 2 Quad Q9550 implements the AMD64 architecture Software implementation of Post-Quantum Cryptography 15
37 Out-of-order execution Optimal instruction scheduling depends on the microarchitecture Code optimized for one microarchitecture may run at very bad performance on another microarchitecture Many software is shipped in binary form (cannot recompile) Software implementation of Post-Quantum Cryptography 16
38 Out-of-order execution Optimal instruction scheduling depends on the microarchitecture Code optimized for one microarchitecture may run at very bad performance on another microarchitecture Many software is shipped in binary form (cannot recompile) Idea: Let the processor reschedule instructions on the fly Look ahead a few instructions, pick one that can be executed This is called out-of-order execution Software implementation of Post-Quantum Cryptography 16
39 Out-of-order execution Optimal instruction scheduling depends on the microarchitecture Code optimized for one microarchitecture may run at very bad performance on another microarchitecture Many software is shipped in binary form (cannot recompile) Idea: Let the processor reschedule instructions on the fly Look ahead a few instructions, pick one that can be executed This is called out-of-order execution Typically requires more physical than architectural registers and register renaming Software implementation of Post-Quantum Cryptography 16
40 Out-of-order execution Optimal instruction scheduling depends on the microarchitecture Code optimized for one microarchitecture may run at very bad performance on another microarchitecture Many software is shipped in binary form (cannot recompile) Idea: Let the processor reschedule instructions on the fly Look ahead a few instructions, pick one that can be executed This is called out-of-order execution Typically requires more physical than architectural registers and register renaming Harder for the (assembly) programmer to understand what exactly will happen with the code Harder to come up with optimal scheduling Software implementation of Post-Quantum Cryptography 16
41 Out-of-order execution Optimal instruction scheduling depends on the microarchitecture Code optimized for one microarchitecture may run at very bad performance on another microarchitecture Many software is shipped in binary form (cannot recompile) Idea: Let the processor reschedule instructions on the fly Look ahead a few instructions, pick one that can be executed This is called out-of-order execution Typically requires more physical than architectural registers and register renaming Harder for the (assembly) programmer to understand what exactly will happen with the code Harder to come up with optimal scheduling Harder to screw up completely Software implementation of Post-Quantum Cryptography 16
42 Optimizing Crypto vs. optimizing something So far there was nothing crypto-specific in this talk Is optimizing crypto the same as optimizing any other software? Software implementation of Post-Quantum Cryptography 17
43 Optimizing Crypto vs. optimizing something So far there was nothing crypto-specific in this talk Is optimizing crypto the same as optimizing any other software? No. Software implementation of Post-Quantum Cryptography 17
44 Optimizing Crypto vs. optimizing something So far there was nothing crypto-specific in this talk Is optimizing crypto the same as optimizing any other software? No. Cryptographic software deals with secret data (keys) Information about secret data must not leak through side channels Software implementation of Post-Quantum Cryptography 17
45 Optimizing Crypto vs. optimizing something So far there was nothing crypto-specific in this talk Is optimizing crypto the same as optimizing any other software? No. Cryptographic software deals with secret data (keys) Information about secret data must not leak through side channels Most critical for software implementations on large CPUs: software must take constant time (independent of secret data) Software implementation of Post-Quantum Cryptography 17
46 Timing leakage part I Consider the following piece of code: if s then r A else r B end if Software implementation of Post-Quantum Cryptography 18
47 Timing leakage part I Consider the following piece of code: if s then r A else r B end if General structure of any conditional branch A and B can be large computations, r can be a large state Software implementation of Post-Quantum Cryptography 18
48 Timing leakage part I Consider the following piece of code: if s then r A else r B end if General structure of any conditional branch A and B can be large computations, r can be a large state This code takes different amount of time, depending on s Obvious timing leak if s is secret Software implementation of Post-Quantum Cryptography 18
49 Timing leakage part I Consider the following piece of code: if s then r A else r B end if General structure of any conditional branch A and B can be large computations, r can be a large state This code takes different amount of time, depending on s Obvious timing leak if s is secret Even if A and B take the same amount of cycles this is not constant time! Reason: Conditional branch takes different amount of cycles whether taken or not Never use secret-data-dependent branch conditions Software implementation of Post-Quantum Cryptography 18
50 Eliminating branches So, what do we do with this piece of code? if s then r A else r B end if Software implementation of Post-Quantum Cryptography 19
51 Eliminating branches So, what do we do with this piece of code? if s then r A else r B end if Replace by r sa + (1 s)b Software implementation of Post-Quantum Cryptography 19
52 Eliminating branches So, what do we do with this piece of code? if s then r A else r B end if Replace by r sa + (1 s)b Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication Software implementation of Post-Quantum Cryptography 19
53 Eliminating branches So, what do we do with this piece of code? if s then r A else r B end if Replace by r sa + (1 s)b Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication For very fast A and B this can even be faster Software implementation of Post-Quantum Cryptography 19
54 Cached memory access Branch Unit ALU ALU implicit Registers L/S Unit Memory Memory access goes through a cache Small but fast transparent memory for frequently used data Cache CPU Software implementation of Post-Quantum Cryptography 20
55 Cached memory access Branch Unit ALU ALU implicit Registers L/S Unit Memory Memory access goes through a cache Small but fast transparent memory for frequently used data A load from memory places data also in the cache Data remains in cache until it s replaced by other data Cache CPU Software implementation of Post-Quantum Cryptography 20
56 Cached memory access Branch Unit ALU ALU implicit Registers L/S Unit Cache CPU Memory Memory access goes through a cache Small but fast transparent memory for frequently used data A load from memory places data also in the cache Data remains in cache until it s replaced by other data Loading data is fast if data is in the cache (cache hit) Loading data is slow if data is not in the cache (cache miss) Software implementation of Post-Quantum Cryptography 20
57 Timing leakage part II T[0]...T[15] T[16]...T[31] T[32]...T[47] T[48]...T[63] T[64]...T[79] T[80]...T[95] T[96]...T[111] T[112]...T[127] T[128]...T[143] T[144]...T[159] T[160]...T[175] T[176]...T[191] T[192]...T[207] T[208]...T[223] T[224]...T[239] T[240]...T[255] Consider lookup table of 32-bit integers Cache lines have 64 bytes Crypto and the attacker s program run on the same CPU Tables are in cache Software implementation of Post-Quantum Cryptography 21
58 Timing leakage part II T[0]...T[15] T[16]...T[31] attacker s data attacker s data T[64]...T[79] T[80]...T[95] attacker s data attacker s data attacker s data attacker s data T[160]...T[175] T[176]...T[191] T[192]...T[207] T[208]...T[223] attacker s data attacker s data Consider lookup table of 32-bit integers Cache lines have 64 bytes Crypto and the attacker s program run on the same CPU Tables are in cache The attacker s program replaces some cache lines Software implementation of Post-Quantum Cryptography 21
59 Timing leakage part II T[0]...T[15] T[16]...T[31]?????? T[64]...T[79] T[80]...T[95]???????????? T[160]...T[175] T[176]...T[191] T[192]...T[207] T[208]...T223]?????? Consider lookup table of 32-bit integers Cache lines have 64 bytes Crypto and the attacker s program run on the same CPU Tables are in cache The attacker s program replaces some cache lines Crypto continues, loads from table again Software implementation of Post-Quantum Cryptography 21
60 Timing leakage part II T[0]...T[15] T[16]...T[31]?????? T[64]...T[79] T[80]...T[95]???????????? T[160]...T[175] T[176]...T[191] T[192]...T[207] T[208]...T223]?????? Consider lookup table of 32-bit integers Cache lines have 64 bytes Crypto and the attacker s program run on the same CPU Tables are in cache The attacker s program replaces some cache lines Crypto continues, loads from table again Attacker loads his data: Software implementation of Post-Quantum Cryptography 21
61 Timing leakage part II T[0]...T[15] T[16]...T[31]?????? T[64]...T[79] T[80]...T[95]??? attacker s data?????? T[160]...T[175] T[176]...T[191] T[192]...T[207] T[208]...T223]?????? Consider lookup table of 32-bit integers Cache lines have 64 bytes Crypto and the attacker s program run on the same CPU Tables are in cache The attacker s program replaces some cache lines Crypto continues, loads from table again Attacker loads his data: Fast: cache hit (crypto did not just load from this line) Software implementation of Post-Quantum Cryptography 21
62 Timing leakage part II T[0]...T[15] T[16]...T[31]?????? T[64]...T[79] T[80]...T[95]??? T[112]...T[127]?????? T[160]...T[175] T[176]...T[191] T[192]...T[207] T[208]...T223]?????? Consider lookup table of 32-bit integers Cache lines have 64 bytes Crypto and the attacker s program run on the same CPU Tables are in cache The attacker s program replaces some cache lines Crypto continues, loads from table again Attacker loads his data: Fast: cache hit (crypto did not just load from this line) Slow: cache miss (crypto just loaded from this line) Software implementation of Post-Quantum Cryptography 21
63 Some comments on cache-timing This is only the most basic cache-timing attack Software implementation of Post-Quantum Cryptography 22
64 Some comments on cache-timing This is only the most basic cache-timing attack Non-secret cache lines are not enough for security Load/Store addresses influence timing in many different ways Do not access memory at secret-data-dependent addresses Software implementation of Post-Quantum Cryptography 22
65 Some comments on cache-timing This is only the most basic cache-timing attack Non-secret cache lines are not enough for security Load/Store addresses influence timing in many different ways Do not access memory at secret-data-dependent addresses Timing attacks are practical: Osvik, Tromer, Shamir, 2006: 65 ms to steal a 256-bit AES key used for Linux hard-disk encryption Software implementation of Post-Quantum Cryptography 22
66 Some comments on cache-timing This is only the most basic cache-timing attack Non-secret cache lines are not enough for security Load/Store addresses influence timing in many different ways Do not access memory at secret-data-dependent addresses Timing attacks are practical: Osvik, Tromer, Shamir, 2006: 65 ms to steal a 256-bit AES key used for Linux hard-disk encryption Remote timing attacks are practical: Brumley, Tuveri, 2011: A few minutes to steal ECDSA signing key from OpenSSL implementation Software implementation of Post-Quantum Cryptography 22
67 Eliminating lookups Want to load item at (secret) position p from table of size n Software implementation of Post-Quantum Cryptography 23
68 Eliminating lookups Want to load item at (secret) position p from table of size n Load all items, use arithmetic to pick the right one: for i from 0 to n 1 do d T [i] if p = i then r d end if end for Software implementation of Post-Quantum Cryptography 23
69 Eliminating lookups Want to load item at (secret) position p from table of size n Load all items, use arithmetic to pick the right one: for i from 0 to n 1 do d T [i] if p = i then r d end if end for Problem 1: if-statements are not constant time (see before) Software implementation of Post-Quantum Cryptography 23
70 Eliminating lookups Want to load item at (secret) position p from table of size n Load all items, use arithmetic to pick the right one: for i from 0 to n 1 do d T [i] if p = i then r d end if end for Problem 1: if-statements are not constant time (see before) Problem 2: Comparisons are not constant time, replace by: static unsigned long long eq(uint32_t a, uint32_t b) { unsigned long long t = a ^ b; t = (-t) >> 63; return 1-t; } Software implementation of Post-Quantum Cryptography 23
71 Timing leakage part III Are secret branch conditions and secret load/store addresses the only problem? Software implementation of Post-Quantum Cryptography 24
72 Timing leakage part III Are secret branch conditions and secret load/store addresses the only problem? Answer by Langley: That s assuming that the fundamental processor instructions are constant time, but that s true for all sane CPUs. Software implementation of Post-Quantum Cryptography 24
73 Timing leakage part III Are secret branch conditions and secret load/store addresses the only problem? Answer by Langley: That s assuming that the fundamental processor instructions are constant time, but that s true for all sane CPUs. Some architectures have non-constant-time arithmetic Examples: UMULL/SMULL and UMLAL/SMLAL on ARM Cortex-M3 DIV instruction on Intel processors, see also https: // Software implementation of Post-Quantum Cryptography 24
74 Timing leakage part III Are secret branch conditions and secret load/store addresses the only problem? Answer by Langley: That s assuming that the fundamental processor instructions are constant time, but that s true for all sane CPUs. Some architectures have non-constant-time arithmetic Examples: UMULL/SMULL and UMLAL/SMLAL on ARM Cortex-M3 DIV instruction on Intel processors, see also https: // Summary Writing efficient constant-time code is hard Typically requires reconsiderations through all optimization levels Software implementation of Post-Quantum Cryptography 24
75 SIMD computations Thus we arbitrarily select a reference organization : the IBM This organization is then regarded as the prototype of the class of machines which we label: 1) Single Instruction Stream Single Data Stream (SISD). Three additional organizational classes are evident. 2) Single Instruction Stream Multiple Data Stream (SIMD) 3) Multiple Instruction Stream Single Data Stream (MISD) 4) Multiple Instruction Stream Multiple Data Stream (MIMD) Michael J. Flynn. Very high-speed computing systems Software implementation of Post-Quantum Cryptography 25
76 SISD Example: 32-bit integer addition int64 a int64 b a = mem32[addr1 + 0] b = mem32[addr2 + 0] (uint32) a += b mem32[addr3 + 0] = a Software implementation of Post-Quantum Cryptography 26
77 SIMD with vector instructions Example: 4 32-bit integer additions reg128 a reg128 b a = mem128[addr1 + 0] b = mem128[addr2 + 0] 4x a += b mem128[addr3 + 0] = a Software implementation of Post-Quantum Cryptography 27
78 Back to adding 1000 integers Imagine that vector addition is as fast as scalar addition vector loads are as fast as scalar loads Software implementation of Post-Quantum Cryptography 28
79 Back to adding 1000 integers Imagine that vector addition is as fast as scalar addition vector loads are as fast as scalar loads Need only 250 vector additions, 250 vector loads Lower bound of 250 cycles Software implementation of Post-Quantum Cryptography 28
80 Back to adding 1000 integers Imagine that vector addition is as fast as scalar addition vector loads are as fast as scalar loads Need only 250 vector additions, 250 vector loads Lower bound of 250 cycles Very straight-forward modification of the program Fully unrolled loop needs only 1/4 of the space Software implementation of Post-Quantum Cryptography 28
81 Is it really that efficient? Consider the Intel Nehalem processor Software implementation of Post-Quantum Cryptography 29
82 Is it really that efficient? Consider the Intel Nehalem processor 32-bit load throughput: 1 per cycle 32-bit add throughput: 3 per cycle 32-bit store throughput: 1 per cycle Software implementation of Post-Quantum Cryptography 29
83 Is it really that efficient? Consider the Intel Nehalem processor 32-bit load throughput: 1 per cycle 32-bit add throughput: 3 per cycle 32-bit store throughput: 1 per cycle 128-bit load throughput: 1 per cycle 4 32-bit add throughput: 2 per cycle 128-bit store throughput: 1 per cycle Software implementation of Post-Quantum Cryptography 29
84 Is it really that efficient? Consider the Intel Nehalem processor 32-bit load throughput: 1 per cycle 32-bit add throughput: 3 per cycle 32-bit store throughput: 1 per cycle 128-bit load throughput: 1 per cycle 4 32-bit add throughput: 2 per cycle 128-bit store throughput: 1 per cycle Vector instructions are almost as fast as scalar instructions but do 4 the work Software implementation of Post-Quantum Cryptography 29
85 Is it really that efficient? Consider the Intel Nehalem processor 32-bit load throughput: 1 per cycle 32-bit add throughput: 3 per cycle 32-bit store throughput: 1 per cycle 128-bit load throughput: 1 per cycle 4 32-bit add throughput: 2 per cycle 128-bit store throughput: 1 per cycle Vector instructions are almost as fast as scalar instructions but do 4 the work Situation on other architectures/microarchitectures is similar Reason: cheap way to increase arithmetic throughput (less decoding, address computation, etc.) Software implementation of Post-Quantum Cryptography 29
86 More reasons for using vector arithmetic Data-dependent branches are expensive in SIMD Variably indexed loads (lookups) into vectors are expensive Need to rewrite algorithms to eliminate branches and lookups Software implementation of Post-Quantum Cryptography 30
87 More reasons for using vector arithmetic Data-dependent branches are expensive in SIMD Variably indexed loads (lookups) into vectors are expensive Need to rewrite algorithms to eliminate branches and lookups Secret-data-dependent branches and secret branch conditions are the major sources of timing-attack vulnerabilities Software implementation of Post-Quantum Cryptography 30
88 More reasons for using vector arithmetic Data-dependent branches are expensive in SIMD Variably indexed loads (lookups) into vectors are expensive Need to rewrite algorithms to eliminate branches and lookups Secret-data-dependent branches and secret branch conditions are the major sources of timing-attack vulnerabilities Strong synergies between speeding up code with vector instructions and protecting code! Software implementation of Post-Quantum Cryptography 30
89 Vectorization problems I Carry handling When adding two 32-bit integers, the result may have 33 bits (32-bit result + carry) Scalar additions keep the carry in a special flag register Subsequent instructions can use this flag, e.g., add with carry Software implementation of Post-Quantum Cryptography 31
90 Vectorization problems I Carry handling When adding two 32-bit integers, the result may have 33 bits (32-bit result + carry) Scalar additions keep the carry in a special flag register Subsequent instructions can use this flag, e.g., add with carry How about carries of vector additions? Answer 1: Special carry generate instruction (e.g., CBE-SPU) Software implementation of Post-Quantum Cryptography 31
91 Vectorization problems I Carry handling When adding two 32-bit integers, the result may have 33 bits (32-bit result + carry) Scalar additions keep the carry in a special flag register Subsequent instructions can use this flag, e.g., add with carry How about carries of vector additions? Answer 1: Special carry generate instruction (e.g., CBE-SPU) Answer 2: They re lost, recomputation is very expensive Software implementation of Post-Quantum Cryptography 31
92 Vectorization problems I Carry handling When adding two 32-bit integers, the result may have 33 bits (32-bit result + carry) Scalar additions keep the carry in a special flag register Subsequent instructions can use this flag, e.g., add with carry How about carries of vector additions? Answer 1: Special carry generate instruction (e.g., CBE-SPU) Answer 2: They re lost, recomputation is very expensive Need to avoid carries instead of handling them No problem for today s talk, but requires care for big-integer arithmetic Software implementation of Post-Quantum Cryptography 31
93 Vectorization problems II Removing instruction-level parallelism If we don t vectorize we perform multiple independent instructions We turn data-level parallelism (DLP) into instruction-level parallelism (ILP) Software implementation of Post-Quantum Cryptography 32
94 Vectorization problems II Removing instruction-level parallelism If we don t vectorize we perform multiple independent instructions We turn data-level parallelism (DLP) into instruction-level parallelism (ILP) Pipelined and multiscalar execution need ILP Vectorization removes ILP Problematic for algorithms with, e.g., 4-way DLP Software implementation of Post-Quantum Cryptography 32
95 Vectorization problems II Removing instruction-level parallelism If we don t vectorize we perform multiple independent instructions We turn data-level parallelism (DLP) into instruction-level parallelism (ILP) Pipelined and multiscalar execution need ILP Vectorization removes ILP Problematic for algorithms with, e.g., 4-way DLP Good example to see this: ChaCha/Salsa/Blake Software implementation of Post-Quantum Cryptography 32
96 Vectorization problems II Removing instruction-level parallelism If we don t vectorize we perform multiple independent instructions We turn data-level parallelism (DLP) into instruction-level parallelism (ILP) Pipelined and multiscalar execution need ILP Vectorization removes ILP Problematic for algorithms with, e.g., 4-way DLP Good example to see this: ChaCha/Salsa/Blake Vectorization of ChaCha and Salsa can resort to higher-level parallelism (multiple blocks) Harder for Blake: each block depends on the previous one Software implementation of Post-Quantum Cryptography 32
97 Vectorization problems III Data shuffeling Consider multiplication of 4-coefficient polynomials f = f 0 + f 1 x + f 2 x 2 + f 3 x 3 and g = g 0 + g 1 x + g 2 x 2 + g 3 x 3 : r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 Software implementation of Post-Quantum Cryptography 33
98 Vectorization problems III Data shuffeling Consider multiplication of 4-coefficient polynomials f = f 0 + f 1 x + f 2 x 2 + f 3 x 3 and g = g 0 + g 1 x + g 2 x 2 + g 3 x 3 : r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 Ignore carries, overflows etc. for a moment 16 multiplications, 9 additions How to vectorize multiplications? Software implementation of Post-Quantum Cryptography 33
99 Vectorization problems III Data shuffeling r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 Can easily load (f 0, f 1, f 2, f 3 ) and (g 0, g 1, g 2, g 3 ) Multiply, obtain (f 0 g 0, f 1 g 1, f 2 g 2, f 3 g 3 ) Software implementation of Post-Quantum Cryptography 33
100 Vectorization problems III Data shuffeling r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 Can easily load (f 0, f 1, f 2, f 3 ) and (g 0, g 1, g 2, g 3 ) Multiply, obtain (f 0 g 0, f 1 g 1, f 2 g 2, f 3 g 3 ) And now what? Software implementation of Post-Quantum Cryptography 33
101 Vectorization problems III Data shuffeling r 0 = f 0 g 0 r 1 = f 0 g 1 + f 1 g 0 r 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 r 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 r 4 = f 1 g 3 + f 2 g 2 + f 3 g 1 r 5 = f 2 g 3 + f 3 g 2 r 6 = f 3 g 3 Can easily load (f 0, f 1, f 2, f 3 ) and (g 0, g 1, g 2, g 3 ) Multiply, obtain (f 0 g 0, f 1 g 1, f 2 g 2, f 3 g 3 ) And now what? Answer: Need to shuffle data in input and output registers Significant overhead, not clear that vectorization speeds up computation! Software implementation of Post-Quantum Cryptography 33
102 Efficient vectorization Most important question: Where does the parallelism come from? Easiest answer: Consider multiple batched encryptions, decryptions, signature computations, verifications, etc. Software implementation of Post-Quantum Cryptography 34
103 Efficient vectorization Most important question: Where does the parallelism come from? Easiest answer: Consider multiple batched encryptions, decryptions, signature computations, verifications, etc. Often: Can exploit lower-level parallelism Software implementation of Post-Quantum Cryptography 34
104 Efficient vectorization Most important question: Where does the parallelism come from? Easiest answer: Consider multiple batched encryptions, decryptions, signature computations, verifications, etc. Often: Can exploit lower-level parallelism Rule of thumb: parallelize on an as high as possible level Vectorization is hard to do as add-on optimization Reconsider algorithms, synergie with constant-time algorithms Software implementation of Post-Quantum Cryptography 34
105 Going binary So far: considered vectors of integers How about arithmetic in binary fields? Software implementation of Post-Quantum Cryptography 35
106 Going binary So far: considered vectors of integers How about arithmetic in binary fields? Think of an n-bit register as a vector register with n 1-bit entries Operations are now bitwise XOR, AND, OR, etc. Software implementation of Post-Quantum Cryptography 35
107 Going binary So far: considered vectors of integers How about arithmetic in binary fields? Think of an n-bit register as a vector register with n 1-bit entries Operations are now bitwise XOR, AND, OR, etc. This is called bitslicing, introduced by Biham in 1997 for DES Software implementation of Post-Quantum Cryptography 35
108 Going binary So far: considered vectors of integers How about arithmetic in binary fields? Think of an n-bit register as a vector register with n 1-bit entries Operations are now bitwise XOR, AND, OR, etc. This is called bitslicing, introduced by Biham in 1997 for DES Other views on bitslicing: Simulation of hardware implementations in software Software implementation of Post-Quantum Cryptography 35
109 Going binary So far: considered vectors of integers How about arithmetic in binary fields? Think of an n-bit register as a vector register with n 1-bit entries Operations are now bitwise XOR, AND, OR, etc. This is called bitslicing, introduced by Biham in 1997 for DES Other views on bitslicing: Simulation of hardware implementations in software Computations on a transposition of data Software implementation of Post-Quantum Cryptography 35
110 Bitslicing issues XOR, AND, OR, etc are usually fast (e.g., bit operations per cycle on Intel Core 2) Can be very fast for operations that are not natively supported (like arithmetic in binary fields) Software implementation of Post-Quantum Cryptography 36
111 Bitslicing issues XOR, AND, OR, etc are usually fast (e.g., bit operations per cycle on Intel Core 2) Can be very fast for operations that are not natively supported (like arithmetic in binary fields) Active data set increases massively (e.g., 128 ) For normal vector operations, register space is increased accordingly (e.g, bit vector registers vs bit integer registers) For bitslicing: Need to fit more data into the same registers Typical consequence: more loads and stores (that easily become the performance bottleneck) Software implementation of Post-Quantum Cryptography 36
112 Introducing AVX Vector instruction set introduced by Intel with Sandy Bridge and Ivy Bridge 256-bit vector registers YMM0,...,YMM15 Overlap with 128-bit XMM registers Software implementation of Post-Quantum Cryptography 37
113 Introducing AVX Vector instruction set introduced by Intel with Sandy Bridge and Ivy Bridge 256-bit vector registers YMM0,...,YMM15 Overlap with 128-bit XMM registers Instruction set only supports floating-point vector instructions on YMM registers Software implementation of Post-Quantum Cryptography 37
114 Introducing AVX Vector instruction set introduced by Intel with Sandy Bridge and Ivy Bridge 256-bit vector registers YMM0,...,YMM15 Overlap with 128-bit XMM registers Instruction set only supports floating-point vector instructions on YMM registers Integer-vector instructions follow with AVX2 (Haswell) Software implementation of Post-Quantum Cryptography 37
115 Introducing AVX Vector instruction set introduced by Intel with Sandy Bridge and Ivy Bridge 256-bit vector registers YMM0,...,YMM15 Overlap with 128-bit XMM registers Instruction set only supports floating-point vector instructions on YMM registers Integer-vector instructions follow with AVX2 (Haswell) Very powerful arithmetic: 1 double-precision vector multiplication and 1 double-precision vector addition per cycle (8 FLOPs per cycle per core) Software implementation of Post-Quantum Cryptography 37
116 Introducing AVX Vector instruction set introduced by Intel with Sandy Bridge and Ivy Bridge 256-bit vector registers YMM0,...,YMM15 Overlap with 128-bit XMM registers Instruction set only supports floating-point vector instructions on YMM registers Integer-vector instructions follow with AVX2 (Haswell) Very powerful arithmetic: 1 double-precision vector multiplication and 1 double-precision vector addition per cycle (8 FLOPs per cycle per core) Also supported: XOR, AND, OR on YMM registers (1 per cycle) Software implementation of Post-Quantum Cryptography 37
117 Introducing AVX Vector instruction set introduced by Intel with Sandy Bridge and Ivy Bridge 256-bit vector registers YMM0,...,YMM15 Overlap with 128-bit XMM registers Instruction set only supports floating-point vector instructions on YMM registers Integer-vector instructions follow with AVX2 (Haswell) Very powerful arithmetic: 1 double-precision vector multiplication and 1 double-precision vector addition per cycle (8 FLOPs per cycle per core) Also supported: XOR, AND, OR on YMM registers (1 per cycle) Alternative: XOR, AND, OR on XMM registers (3 per cycle) Software implementation of Post-Quantum Cryptography 37
118 Introducing AVX Vector instruction set introduced by Intel with Sandy Bridge and Ivy Bridge 256-bit vector registers YMM0,...,YMM15 Overlap with 128-bit XMM registers Instruction set only supports floating-point vector instructions on YMM registers Integer-vector instructions follow with AVX2 (Haswell) Very powerful arithmetic: 1 double-precision vector multiplication and 1 double-precision vector addition per cycle (8 FLOPs per cycle per core) Also supported: XOR, AND, OR on YMM registers (1 per cycle) Alternative: XOR, AND, OR on XMM registers (3 per cycle) However, don t mix XMM and YMM instruction (context-switch penalty) Software implementation of Post-Quantum Cryptography 37
119 Part II Fast Lattice-Based Signatures joint work with Tim Güneysu, Tobias Oder, and Thomas Pöppelmann Software implementation of Post-Quantum Cryptography 38
120 Introduction Consider lattice-based signature scheme proposed by Güneysu, Lyubashevsky, and Pöppelmann at CHES 2012 Aggressively optimized version of scheme by Lyubashevsky (Eurocrypt 2012) Software implementation of Post-Quantum Cryptography 39
121 Introduction Consider lattice-based signature scheme proposed by Güneysu, Lyubashevsky, and Pöppelmann at CHES 2012 Aggressively optimized version of scheme by Lyubashevsky (Eurocrypt 2012) Security level with the implemented parameters: original estimate: 100 bits (against traditional computers) Software implementation of Post-Quantum Cryptography 39
122 Introduction Consider lattice-based signature scheme proposed by Güneysu, Lyubashevsky, and Pöppelmann at CHES 2012 Aggressively optimized version of scheme by Lyubashevsky (Eurocrypt 2012) Security level with the implemented parameters: original estimate: 100 bits (against traditional computers) Lyubashevsky in 2013: 80 bits Software implementation of Post-Quantum Cryptography 39
123 Introduction Consider lattice-based signature scheme proposed by Güneysu, Lyubashevsky, and Pöppelmann at CHES 2012 Aggressively optimized version of scheme by Lyubashevsky (Eurocrypt 2012) Security level with the implemented parameters: original estimate: 100 bits (against traditional computers) Lyubashevsky in 2013: 80 bits 2014:...? Software implementation of Post-Quantum Cryptography 39
124 Introduction Consider lattice-based signature scheme proposed by Güneysu, Lyubashevsky, and Pöppelmann at CHES 2012 Aggressively optimized version of scheme by Lyubashevsky (Eurocrypt 2012) Security level with the implemented parameters: original estimate: 100 bits (against traditional computers) Lyubashevsky in 2013: 80 bits 2014:...? This is not a mature, well understood cryptosystem Don t use it in applications, but study it! Software implementation of Post-Quantum Cryptography 39
125 Introduction Consider lattice-based signature scheme proposed by Güneysu, Lyubashevsky, and Pöppelmann at CHES 2012 Aggressively optimized version of scheme by Lyubashevsky (Eurocrypt 2012) Security level with the implemented parameters: original estimate: 100 bits (against traditional computers) Lyubashevsky in 2013: 80 bits 2014:...? This is not a mature, well understood cryptosystem Don t use it in applications, but study it! Implementation techniques are applicable more generally Software implementation of Post-Quantum Cryptography 39
126 Notation n is a power of 2 p is a prime congruent to 1 modulo 2n (necessary for efficiency) R is the ring F p [x]/ x n + 1 R k subset of R with coefficients in [ k, k]. Software implementation of Post-Quantum Cryptography 40
127 Lattice hardness assumptions Standard lattice hardness assumption Decisional Ring-LWE: Given (a 1, t 1 ),..., (a m, t m ) R R. Decide whether $ t i = a i s + e i where s, e 1,..., e m D σ and a i R (D σ denotes a Gaussian distribution), or (a i, t i ) uniformly random from R R. Software implementation of Post-Quantum Cryptography 41
The mathematics of RAID-6
The mathematics of RAID-6 H. Peter Anvin 1 December 2004 RAID-6 supports losing any two drives. The way this is done is by computing two syndromes, generally referred P and Q. 1 A quick
More informationHow To Write A Hexadecimal Program
The mathematics of RAID-6 H. Peter Anvin First version 20 January 2004 Last updated 20 December 2011 RAID-6 supports losing any two drives. syndromes, generally referred P and Q. The way
More informationIntroduction to Cloud Computing
Introduction to Cloud Computing Parallel Processing I 15 319, spring 2010 7 th Lecture, Feb 2 nd Majd F. Sakr Lecture Motivation Concurrency and why? Different flavors of parallel computing Get the basic
More informationMore on Pipelining and Pipelines in Real Machines CS 333 Fall 2006 Main Ideas Data Hazards RAW WAR WAW More pipeline stall reduction techniques Branch prediction» static» dynamic bimodal branch prediction
More informationLSN 2 Computer Processors
LSN 2 Computer Processors Department of Engineering Technology LSN 2 Computer Processors Microprocessors Design Instruction set Processor organization Processor performance Bandwidth Clock speed LSN 2
More informationBinary search tree with SIMD bandwidth optimization using SSE
Binary search tree with SIMD bandwidth optimization using SSE Bowen Zhang, Xinwei Li 1.ABSTRACT In-memory tree structured index search is a fundamental database operation. Modern processors provide tremendous
More informationComputer Architecture TDTS10
why parallelism? Performance gain from increasing clock frequency is no longer an option. Outline Computer Architecture TDTS10 Superscalar Processors Very Long Instruction Word Processors Parallel computers
More informationNew AES software speed records
New AES software speed records Daniel J. Bernstein and Peter Schwabe 16.12.2008 Indocrypt 2008 The estream project ECRYPT Stream Cipher Project Running from 2004 to 2008 to identify promising new stream
More informationIA-64 Application Developer s Architecture Guide
IA-64 Application Developer s Architecture Guide The IA-64 architecture was designed to overcome the performance limitations of today s architectures and provide maximum headroom for the future. To achieve
More informationELE 356 Computer Engineering II. Section 1 Foundations Class 6 Architecture
ELE 356 Computer Engineering II Section 1 Foundations Class 6 Architecture History ENIAC Video 2 tj History Mechanical Devices Abacus 3 tj History Mechanical Devices The Antikythera Mechanism Oldest known
More informationINSTRUCTION LEVEL PARALLELISM PART VII: REORDER BUFFER
Course on: Advanced Computer Architectures INSTRUCTION LEVEL PARALLELISM PART VII: REORDER BUFFER Prof. Cristina Silvano Politecnico di Milano cristina.silvano@polimi.it Prof. Silvano, Politecnico di Milano
More informationİSTANBUL AYDIN UNIVERSITY
İSTANBUL AYDIN UNIVERSITY FACULTY OF ENGİNEERİNG SOFTWARE ENGINEERING THE PROJECT OF THE INSTRUCTION SET COMPUTER ORGANIZATION GÖZDE ARAS B1205.090015 Instructor: Prof. Dr. HASAN HÜSEYİN BALIK DECEMBER
More informationBEAGLEBONE BLACK ARCHITECTURE MADELEINE DAIGNEAU MICHELLE ADVENA
BEAGLEBONE BLACK ARCHITECTURE MADELEINE DAIGNEAU MICHELLE ADVENA AGENDA INTRO TO BEAGLEBONE BLACK HARDWARE & SPECS CORTEX-A8 ARMV7 PROCESSOR PROS & CONS VS RASPBERRY PI WHEN TO USE BEAGLEBONE BLACK Single
More informationADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-12: ARM
ADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-12: ARM 1 The ARM architecture processors popular in Mobile phone systems 2 ARM Features ARM has 32-bit architecture but supports 16 bit
More informationSoftware Pipelining. for (i=1, i<100, i++) { x := A[i]; x := x+1; A[i] := x
Software Pipelining for (i=1, i
More informationCSE 6040 Computing for Data Analytics: Methods and Tools
CSE 6040 Computing for Data Analytics: Methods and Tools Lecture 12 Computer Architecture Overview and Why it Matters DA KUANG, POLO CHAU GEORGIA TECH FALL 2014 Fall 2014 CSE 6040 COMPUTING FOR DATA ANALYSIS
More informationThread level parallelism
Thread level parallelism ILP is used in straight line code or loops Cache miss (off-chip cache and main memory) is unlikely to be hidden using ILP. Thread level parallelism is used instead. Thread: process
More informationLecture 11: Multi-Core and GPU. Multithreading. Integration of multiple processor cores on a single chip.
Lecture 11: Multi-Core and GPU Multi-core computers Multithreading GPUs General Purpose GPUs Zebo Peng, IDA, LiTH 1 Multi-Core System Integration of multiple processor cores on a single chip. To provide
More informationInstruction Set Architecture. or How to talk to computers if you aren t in Star Trek
Instruction Set Architecture or How to talk to computers if you aren t in Star Trek The Instruction Set Architecture Application Compiler Instr. Set Proc. Operating System I/O system Instruction Set Architecture
More informationCMSC 611: Advanced Computer Architecture
CMSC 611: Advanced Computer Architecture Parallel Computation Most slides adapted from David Patterson. Some from Mohomed Younis Parallel Computers Definition: A parallel computer is a collection of processing
More informationImplementation of Full -Parallelism AES Encryption and Decryption
Implementation of Full -Parallelism AES Encryption and Decryption M.Anto Merline M.E-Commuication Systems, ECE Department K.Ramakrishnan College of Engineering-Samayapuram, Trichy. Abstract-Advanced Encryption
More informationAES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition
Directions in Authenticated Ciphers DIAC 2013, 11 13 August 2013, Chicago, USA AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition Shay Gueron University
More informationCPU Session 1. Praktikum Parallele Rechnerarchtitekturen. Praktikum Parallele Rechnerarchitekturen / Johannes Hofmann April 14, 2015 1
CPU Session 1 Praktikum Parallele Rechnerarchtitekturen Praktikum Parallele Rechnerarchitekturen / Johannes Hofmann April 14, 2015 1 Overview Types of Parallelism in Modern Multi-Core CPUs o Multicore
More informationUNIT 2 CLASSIFICATION OF PARALLEL COMPUTERS
UNIT 2 CLASSIFICATION OF PARALLEL COMPUTERS Structure Page Nos. 2.0 Introduction 27 2.1 Objectives 27 2.2 Types of Classification 28 2.3 Flynn s Classification 28 2.3.1 Instruction Cycle 2.3.2 Instruction
More informationCHAPTER 7: The CPU and Memory
CHAPTER 7: The CPU and Memory The Architecture of Computer Hardware, Systems Software & Networking: An Information Technology Approach 4th Edition, Irv Englander John Wiley and Sons 2010 PowerPoint slides
More informationComputer Architecture Lecture 2: Instruction Set Principles (Appendix A) Chih Wei Liu 劉 志 尉 National Chiao Tung University cwliu@twins.ee.nctu.edu.
Computer Architecture Lecture 2: Instruction Set Principles (Appendix A) Chih Wei Liu 劉 志 尉 National Chiao Tung University cwliu@twins.ee.nctu.edu.tw Review Computers in mid 50 s Hardware was expensive
More informationAdaptive Stable Additive Methods for Linear Algebraic Calculations
Adaptive Stable Additive Methods for Linear Algebraic Calculations József Smidla, Péter Tar, István Maros University of Pannonia Veszprém, Hungary 4 th of July 204. / 2 József Smidla, Péter Tar, István
More informationGCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University
GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with
More informationComputer Architecture. Secure communication and encryption.
Computer Architecture. Secure communication and encryption. Eugeniy E. Mikhailov The College of William & Mary Lecture 28 Eugeniy Mikhailov (W&M) Practical Computing Lecture 28 1 / 13 Computer architecture
More informationWeek 1 out-of-class notes, discussions and sample problems
Week 1 out-of-class notes, discussions and sample problems Although we will primarily concentrate on RISC processors as found in some desktop/laptop computers, here we take a look at the varying types
More informationPROBLEMS #20,R0,R1 #$3A,R2,R4
506 CHAPTER 8 PIPELINING (Corrisponde al cap. 11 - Introduzione al pipelining) PROBLEMS 8.1 Consider the following sequence of instructions Mul And #20,R0,R1 #3,R2,R3 #$3A,R2,R4 R0,R2,R5 In all instructions,
More informationHaswell Cryptographic Performance
White Paper Sean Gulley Vinodh Gopal IA Architects Intel Corporation Haswell Cryptographic Performance July 2013 329282-001 Executive Summary The new Haswell microarchitecture featured in the 4 th generation
More informationThe Impact of Cryptography on Platform Security
The Impact of Cryptography on Platform Security Ernie Brickell Intel Corporation 2/28/2012 1 Security is Intel s Third Value Pillar Intel is positioning itself to lead in three areas: energy-efficient
More informationWhy Relative Share Does Not Work
Why Relative Share Does Not Work Introduction Velocity Software, Inc March 2010 Rob van der Heij rvdheij @ velocitysoftware.com Installations that run their production and development Linux servers on
More informationSide Channel Analysis and Embedded Systems Impact and Countermeasures
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks Cryptographic devices Side
More informationSolution: start more than one instruction in the same clock cycle CPI < 1 (or IPC > 1, Instructions per Cycle) Two approaches:
Multiple-Issue Processors Pipelining can achieve CPI close to 1 Mechanisms for handling hazards Static or dynamic scheduling Static or dynamic branch handling Increase in transistor counts (Moore s Law):
More informationIntel 64 and IA-32 Architectures Software Developer s Manual
Intel 64 and IA-32 Architectures Software Developer s Manual Volume 1: Basic Architecture NOTE: The Intel 64 and IA-32 Architectures Software Developer's Manual consists of seven volumes: Basic Architecture,
More informationPexip Speeds Videoconferencing with Intel Parallel Studio XE
1 Pexip Speeds Videoconferencing with Intel Parallel Studio XE by Stephen Blair-Chappell, Technical Consulting Engineer, Intel Over the last 18 months, Pexip s software engineers have been optimizing Pexip
More informationwhat operations can it perform? how does it perform them? on what kind of data? where are instructions and data stored?
Inside the CPU how does the CPU work? what operations can it perform? how does it perform them? on what kind of data? where are instructions and data stored? some short, boring programs to illustrate the
More informationRethinking SIMD Vectorization for In-Memory Databases
SIGMOD 215, Melbourne, Victoria, Australia Rethinking SIMD Vectorization for In-Memory Databases Orestis Polychroniou Columbia University Arun Raghavan Oracle Labs Kenneth A. Ross Columbia University Latest
More informationBindel, Spring 2010 Applications of Parallel Computers (CS 5220) Week 1: Wednesday, Jan 27
Logistics Week 1: Wednesday, Jan 27 Because of overcrowding, we will be changing to a new room on Monday (Snee 1120). Accounts on the class cluster (crocus.csuglab.cornell.edu) will be available next week.
More informationA Predictive Model for Cache-Based Side Channels in Multicore and Multithreaded Microprocessors
A Predictive Model for Cache-Based Side Channels in Multicore and Multithreaded Microprocessors Leonid Domnitser, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer Science SUNY-Binghamton {lenny,
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationChapter 5 Instructor's Manual
The Essentials of Computer Organization and Architecture Linda Null and Julia Lobur Jones and Bartlett Publishers, 2003 Chapter 5 Instructor's Manual Chapter Objectives Chapter 5, A Closer Look at Instruction
More informationHardware-Aware Analysis and. Presentation Date: Sep 15 th 2009 Chrissie C. Cui
Hardware-Aware Analysis and Optimization of Stable Fluids Presentation Date: Sep 15 th 2009 Chrissie C. Cui Outline Introduction Highlights Flop and Bandwidth Analysis Mehrstellen Schemes Advection Caching
More informationAlgorithms of Scientific Computing II
Technische Universität München WS 2010/2011 Institut für Informatik Prof. Dr. Hans-Joachim Bungartz Alexander Heinecke, M.Sc., M.Sc.w.H. Algorithms of Scientific Computing II Exercise 4 - Hardware-aware
More informationThe programming language C. sws1 1
The programming language C sws1 1 The programming language C invented by Dennis Ritchie in early 1970s who used it to write the first Hello World program C was used to write UNIX Standardised as K&C (Kernighan
More informationFast Arithmetic Coding (FastAC) Implementations
Fast Arithmetic Coding (FastAC) Implementations Amir Said 1 Introduction This document describes our fast implementations of arithmetic coding, which achieve optimal compression and higher throughput by
More informationIBM CELL CELL INTRODUCTION. Project made by: Origgi Alessandro matr. 682197 Teruzzi Roberto matr. 682552 IBM CELL. Politecnico di Milano Como Campus
Project made by: Origgi Alessandro matr. 682197 Teruzzi Roberto matr. 682552 CELL INTRODUCTION 2 1 CELL SYNERGY Cell is not a collection of different processors, but a synergistic whole Operation paradigms,
More informationVLIW Processors. VLIW Processors
1 VLIW Processors VLIW ( very long instruction word ) processors instructions are scheduled by the compiler a fixed number of operations are formatted as one big instruction (called a bundle) usually LIW
More informationLecture 3: Modern GPUs A Hardware Perspective Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com
CSCI-GA.3033-012 Graphics Processing Units (GPUs): Architecture and Programming Lecture 3: Modern GPUs A Hardware Perspective Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Modern GPU
More informationAdvanced Computer Architecture-CS501. Computer Systems Design and Architecture 2.1, 2.2, 3.2
Lecture Handout Computer Architecture Lecture No. 2 Reading Material Vincent P. Heuring&Harry F. Jordan Chapter 2,Chapter3 Computer Systems Design and Architecture 2.1, 2.2, 3.2 Summary 1) A taxonomy of
More informationDivide: Paper & Pencil. Computer Architecture ALU Design : Division and Floating Point. Divide algorithm. DIVIDE HARDWARE Version 1
Divide: Paper & Pencil Computer Architecture ALU Design : Division and Floating Point 1001 Quotient Divisor 1000 1001010 Dividend 1000 10 101 1010 1000 10 (or Modulo result) See how big a number can be
More informationOverview. CISC Developments. RISC Designs. CISC Designs. VAX: Addressing Modes. Digital VAX
Overview CISC Developments Over Twenty Years Classic CISC design: Digital VAX VAXÕs RISC successor: PRISM/Alpha IntelÕs ubiquitous 80x86 architecture Ð 8086 through the Pentium Pro (P6) RJS 2/3/97 Philosophy
More informationFast Software AES Encryption
Calhoun: The NPS Institutional Archive Faculty and Researcher Publications Faculty and Researcher Publications 2010 Fast Software AES Encryption Osvik, Dag Arne Proceedings FSE'10 Proceedings of the 17th
More informationUnit 4: Performance & Benchmarking. Performance Metrics. This Unit. CIS 501: Computer Architecture. Performance: Latency vs.
This Unit CIS 501: Computer Architecture Unit 4: Performance & Benchmarking Metrics Latency and throughput Speedup Averaging CPU Performance Performance Pitfalls Slides'developed'by'Milo'Mar0n'&'Amir'Roth'at'the'University'of'Pennsylvania'
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide
More informationIntel 8086 architecture
Intel 8086 architecture Today we ll take a look at Intel s 8086, which is one of the oldest and yet most prevalent processor architectures around. We ll make many comparisons between the MIPS and 8086
More informationInstruction Set Architecture (ISA)
Instruction Set Architecture (ISA) * Instruction set architecture of a machine fills the semantic gap between the user and the machine. * ISA serves as the starting point for the design of a new machine
More informationHigh-Performance Modular Multiplication on the Cell Processor
High-Performance Modular Multiplication on the Cell Processor Joppe W. Bos Laboratory for Cryptologic Algorithms EPFL, Lausanne, Switzerland joppe.bos@epfl.ch 1 / 19 Outline Motivation and previous work
More informationEE282 Computer Architecture and Organization Midterm Exam February 13, 2001. (Total Time = 120 minutes, Total Points = 100)
EE282 Computer Architecture and Organization Midterm Exam February 13, 2001 (Total Time = 120 minutes, Total Points = 100) Name: (please print) Wolfe - Solution In recognition of and in the spirit of the
More informationChapter 2 Parallel Architecture, Software And Performance
Chapter 2 Parallel Architecture, Software And Performance UCSB CS140, T. Yang, 2014 Modified from texbook slides Roadmap Parallel hardware Parallel software Input and output Performance Parallel program
More informationHigh-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago
High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address,
More informationLattice QCD Performance. on Multi core Linux Servers
Lattice QCD Performance on Multi core Linux Servers Yang Suli * Department of Physics, Peking University, Beijing, 100871 Abstract At the moment, lattice quantum chromodynamics (lattice QCD) is the most
More informationAn Implementation Of Multiprocessor Linux
An Implementation Of Multiprocessor Linux This document describes the implementation of a simple SMP Linux kernel extension and how to use this to develop SMP Linux kernels for architectures other than
More informationInterpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters
Interpreters and virtual machines Michel Schinz 2007 03 23 Interpreters Interpreters Why interpreters? An interpreter is a program that executes another program, represented as some kind of data-structure.
More informationPerformance Counter. Non-Uniform Memory Access Seminar Karsten Tausche 2014-12-10
Performance Counter Non-Uniform Memory Access Seminar Karsten Tausche 2014-12-10 Performance Counter Hardware Unit for event measurements Performance Monitoring Unit (PMU) Originally for CPU-Debugging
More informationMulti-core architectures. Jernej Barbic 15-213, Spring 2007 May 3, 2007
Multi-core architectures Jernej Barbic 15-213, Spring 2007 May 3, 2007 1 Single-core computer 2 Single-core CPU chip the single core 3 Multi-core architectures This lecture is about a new trend in computer
More informationMAQAO Performance Analysis and Optimization Tool
MAQAO Performance Analysis and Optimization Tool Andres S. CHARIF-RUBIAL andres.charif@uvsq.fr Performance Evaluation Team, University of Versailles S-Q-Y http://www.maqao.org VI-HPS 18 th Grenoble 18/22
More informationScalability and Classifications
Scalability and Classifications 1 Types of Parallel Computers MIMD and SIMD classifications shared and distributed memory multicomputers distributed shared memory computers 2 Network Topologies static
More informationStatic Scheduling. option #1: dynamic scheduling (by the hardware) option #2: static scheduling (by the compiler) ECE 252 / CPS 220 Lecture Notes
basic pipeline: single, in-order issue first extension: multiple issue (superscalar) second extension: scheduling instructions for more ILP option #1: dynamic scheduling (by the hardware) option #2: static
More informationSPARC64 VIIIfx: CPU for the K computer
SPARC64 VIIIfx: CPU for the K computer Toshio Yoshida Mikio Hondo Ryuji Kan Go Sugizaki SPARC64 VIIIfx, which was developed as a processor for the K computer, uses Fujitsu Semiconductor Ltd. s 45-nm CMOS
More informationCS:APP Chapter 4 Computer Architecture. Wrap-Up. William J. Taffe Plymouth State University. using the slides of
CS:APP Chapter 4 Computer Architecture Wrap-Up William J. Taffe Plymouth State University using the slides of Randal E. Bryant Carnegie Mellon University Overview Wrap-Up of PIPE Design Performance analysis
More informationIntroduction to GPU Programming Languages
CSC 391/691: GPU Programming Fall 2011 Introduction to GPU Programming Languages Copyright 2011 Samuel S. Cho http://www.umiacs.umd.edu/ research/gpu/facilities.html Maryland CPU/GPU Cluster Infrastructure
More informationWhite Paper. Shay Gueron Intel Architecture Group, Israel Development Center Intel Corporation
White Paper Shay Gueron Intel Architecture Group, Israel Development Center Intel Corporation Intel Advanced Encryption Standard (AES) New Instructions Set Intel AES New Instructions are a set of instructions
More informationFLOATING-POINT ARITHMETIC IN AMD PROCESSORS MICHAEL SCHULTE AMD RESEARCH JUNE 2015
FLOATING-POINT ARITHMETIC IN AMD PROCESSORS MICHAEL SCHULTE AMD RESEARCH JUNE 2015 AGENDA The Kaveri Accelerated Processing Unit (APU) The Graphics Core Next Architecture and its Floating-Point Arithmetic
More informationAES-GCM for Efficient Authenticated Encryption Ending the Reign of HMAC-SHA-1?
Workshop on Real-World Cryptography Stanford University Jan. 9-11, 2013 AES-GCM for Efficient Authenticated Encryption Ending the Reign of HMAC-SHA-1? Shay Gueron University of Haifa Department of Mathematics,
More informationPipelining Review and Its Limitations
Pipelining Review and Its Limitations Yuri Baida yuri.baida@gmail.com yuriy.v.baida@intel.com October 16, 2010 Moscow Institute of Physics and Technology Agenda Review Instruction set architecture Basic
More informationInstruction Set Design
Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level of abstraction between the software and the hardware One of the most important abstraction in CS It s narrow,
More informationError oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm
Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers
More informationHardware performance monitoring. Zoltán Majó
Hardware performance monitoring Zoltán Majó 1 Question Did you take any of these lectures: Computer Architecture and System Programming How to Write Fast Numerical Code Design of Parallel and High Performance
More informationChapter 2 Parallel Computer Architecture
Chapter 2 Parallel Computer Architecture The possibility for a parallel execution of computations strongly depends on the architecture of the execution platform. This chapter gives an overview of the general
More informationCounter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers
Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was
More informationLecture 2 Parallel Programming Platforms
Lecture 2 Parallel Programming Platforms Flynn s Taxonomy In 1966, Michael Flynn classified systems according to numbers of instruction streams and the number of data stream. Data stream Single Multiple
More informationHow To Encrypt With A 64 Bit Block Cipher
The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric
More informationQ. Consider a dynamic instruction execution (an execution trace, in other words) that consists of repeats of code in this pattern:
Pipelining HW Q. Can a MIPS SW instruction executing in a simple 5-stage pipelined implementation have a data dependency hazard of any type resulting in a nop bubble? If so, show an example; if not, prove
More informationIJESRT. [Padama, 2(5): May, 2013] ISSN: 2277-9655
IJESRT INTERNATIONAL JOURNAL OF ENGINEERING SCIENCES & RESEARCH TECHNOLOGY Design and Verification of VLSI Based AES Crypto Core Processor Using Verilog HDL Dr.K.Padama Priya *1, N. Deepthi Priya 2 *1,2
More informationFast Implementations of AES on Various Platforms
Fast Implementations of AES on Various Platforms Joppe W. Bos 1 Dag Arne Osvik 1 Deian Stefan 2 1 EPFL IC IIF LACAL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos, dagarne.osvik}@epfl.ch 2 Dept.
More informationProcessing Multiple Buffers in Parallel to Increase Performance on Intel Architecture Processors
White Paper Vinodh Gopal Jim Guilford Wajdi Feghali Erdinc Ozturk Gil Wolrich Martin Dixon IA Architects Intel Corporation Processing Multiple Buffers in Parallel to Increase Performance on Intel Architecture
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationMaster of Science in Computer Science and Engineering Thesis: Fast Flexible Architectures for Secure Communication
Master of Science in Computer Science and Engineering Thesis: Fast Flexible Architectures for Secure Communication Lisa Wu Advanced Computer Architecture Laboratory University of Michigan Ann Arbor, MI
More information64-Bit Architecture Speeds RSA By 4x
64-Bit Architecture Speeds RSA By 4x MIPS Technologies, Inc. June 2002 Public-key cryptography, and RSA in particular, is increasingly important to e-commerce transactions. Many digital consumer appliances
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard
More informationAdministration. Instruction scheduling. Modern processors. Examples. Simplified architecture model. CS 412 Introduction to Compilers
CS 4 Introduction to Compilers ndrew Myers Cornell University dministration Prelim tomorrow evening No class Wednesday P due in days Optional reading: Muchnick 7 Lecture : Instruction scheduling pr 0 Modern
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer
More informationThis Unit: Floating Point Arithmetic. CIS 371 Computer Organization and Design. Readings. Floating Point (FP) Numbers
This Unit: Floating Point Arithmetic CIS 371 Computer Organization and Design Unit 7: Floating Point App App App System software Mem CPU I/O Formats Precision and range IEEE 754 standard Operations Addition
More informationThe Microarchitecture of Superscalar Processors
The Microarchitecture of Superscalar Processors James E. Smith Department of Electrical and Computer Engineering 1415 Johnson Drive Madison, WI 53706 ph: (608)-265-5737 fax:(608)-262-1267 email: jes@ece.wisc.edu
More informationCPU Organization and Assembly Language
COS 140 Foundations of Computer Science School of Computing and Information Science University of Maine October 2, 2015 Outline 1 2 3 4 5 6 7 8 Homework and announcements Reading: Chapter 12 Homework:
More informationHardware Assisted Virtualization
Hardware Assisted Virtualization G. Lettieri 21 Oct. 2015 1 Introduction In the hardware-assisted virtualization technique we try to execute the instructions of the target machine directly on the host
More information