Pre-silicon Characterization of NIST SHA-3 Final Round Candidates



Similar documents
Hardware Implementation of the Compression Function for Selected SHA-3 Candidates

Implementation and Design of AES S-Box on FPGA

Hash Function JH and the NIST SHA3 Hash Competition

Implementation of Full -Parallelism AES Encryption and Decryption

Hash Function of Finalist SHA-3: Analysis Study

Implementation Details

How To Design A Chip Layout

Introduction to Digital System Design

The implementation and performance/cost/power analysis of the network security accelerator on SoC applications

Agenda. Michele Taliercio, Il circuito Integrato, Novembre 2001

Design and Implementation of an On-Chip timing based Permutation Network for Multiprocessor system on Chip

Hardware Implementation of AES Encryption and Decryption System Based on FPGA

Grøstl a SHA-3 candidate

Comparison of seven SHA-3 candidates software implementations on smart cards.

Power Reduction Techniques in the SoC Clock Network. Clock Power

An On-chip Security Monitoring Solution For System Clock For Low Cost Devices

Example-driven Interconnect Synthesis for Heterogeneous Coarse-Grain Reconfigurable Logic

Digitale Signalverarbeitung mit FPGA (DSF) Soft Core Prozessor NIOS II Stand Mai Jens Onno Krah

Parallel AES Encryption with Modified Mix-columns For Many Core Processor Arrays M.S.Arun, V.Saminathan

Asynchronous IC Interconnect Network Design and Implementation Using a Standard ASIC Flow

Testing Low Power Designs with Power-Aware Test Manage Manufacturing Test Power Issues with DFTMAX and TetraMAX

7a. System-on-chip design and prototyping platforms

Architectures and Platforms

ISSCC 2003 / SESSION 13 / 40Gb/s COMMUNICATION ICS / PAPER 13.7

AES1. Ultra-Compact Advanced Encryption Standard Core. General Description. Base Core Features. Symbol. Applications

International Journal of Electronics and Computer Science Engineering 1482

Best Practises for LabVIEW FPGA Design Flow. uk.ni.com ireland.ni.com

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

University of Texas at Dallas. Department of Electrical Engineering. EEDG Application Specific Integrated Circuit Design

Testing of Digital System-on- Chip (SoC)

System-on. on-chip Design Flow. Prof. Jouni Tomberg Tampere University of Technology Institute of Digital and Computer Systems.

What is a System on a Chip?

8 Gbps CMOS interface for parallel fiber-optic interconnects

Design of a High Speed Communications Link Using Field Programmable Gate Arrays

Digital Systems Design! Lecture 1 - Introduction!!

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Alpha CPU and Clock Design Evolution

Chapter 13: Verification

EEC 119B Spring 2014 Final Project: System-On-Chip Module

Architectural Level Power Consumption of Network on Chip. Presenter: YUAN Zheng

路 論 Chapter 15 System-Level Physical Design

High-Level Synthesis for FPGA Designs

Design and Verification of Nine port Network Router

Von der Hardware zur Software in FPGAs mit Embedded Prozessoren. Alexander Hahn Senior Field Application Engineer Lattice Semiconductor

Hunting Asynchronous CDC Violations in the Wild

IMPLEMENTATION OF BACKEND SYNTHESIS AND STATIC TIMING ANALYSIS OF PROCESSOR LOCAL BUS(PLB) PERFORMANCE MONITOR

10 Gigabit Ethernet MAC Core for Altera CPLDs. 1 Introduction. Product Brief Version February 2002

LogiCORE IP AXI Performance Monitor v2.00.a

IL2225 Physical Design

Permutation-based encryption, authentication and authenticated encryption

ELECTENG702 Advanced Embedded Systems. Improving AES128 software for Altera Nios II processor using custom instructions

AES (Rijndael) IP-Cores

Lesson 7: SYSTEM-ON. SoC) AND USE OF VLSI CIRCUIT DESIGN TECHNOLOGY. Chapter-1L07: "Embedded Systems - ", Raj Kamal, Publs.: McGraw-Hill Education

On the Use of Strong BCH Codes for Improving Multilevel NAND Flash Memory Storage Capacity

Reconfigurable Architecture Requirements for Co-Designed Virtual Machines

Quartus II Software Design Series : Foundation. Digitale Signalverarbeitung mit FPGA. Digitale Signalverarbeitung mit FPGA (DSF) Quartus II 1

DDR subsystem: Enhancing System Reliability and Yield

ARM Cortex-A9 MPCore Multicore Processor Hierarchical Implementation with IC Compiler

Design and Analysis of Parallel AES Encryption and Decryption Algorithm for Multi Processor Arrays

Length extension attack on narrow-pipe SHA-3 candidates

ON SUITABILITY OF FPGA BASED EVOLVABLE HARDWARE SYSTEMS TO INTEGRATE RECONFIGURABLE CIRCUITS WITH HOST PROCESSING UNIT

Aims and Objectives. E 3.05 Digital System Design. Course Syllabus. Course Syllabus (1) Programmable Logic

Design Compiler Graphical Create a Better Starting Point for Faster Physical Implementation

Switched Interconnect for System-on-a-Chip Designs

design Synopsys and LANcity

Rapid System Prototyping with FPGAs

A 10,000 Frames/s 0.18 µm CMOS Digital Pixel Sensor with Pixel-Level Memory

Hardware Implementation of Improved Adaptive NoC Router with Flit Flow History based Load Balancing Selection Strategy

International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research)

State-of-Art (SoA) System-on-Chip (SoC) Design HPC SoC Workshop

Horst Görtz Institute for IT-Security

An Instruction Set Extension for Fast and Memory-Efficient AES Implementation

Pre-tested System-on-Chip Design. Accelerates PLD Development

ISSCC 2003 / SESSION 4 / CLOCK RECOVERY AND BACKPLANE TRANSCEIVERS / PAPER 4.7

An All-Digital Phase-Locked Loop with High Resolution for Local On-Chip Clock Synthesis

A 3.2Gb/s Clock and Data Recovery Circuit Without Reference Clock for a High-Speed Serial Data Link

40G MACsec Encryption in an FPGA

Universal Flash Storage: Mobilize Your Data

Design Cycle for Microprocessors

International Workshop on Field Programmable Logic and Applications, FPL '99

Serial port interface for microcontroller embedded into integrated power meter

Networking Virtualization Using FPGAs

Distributed Elastic Switch Architecture for efficient Networks-on-FPGAs

Introduction to CMOS VLSI Design (E158) Lecture 8: Clocking of VLSI Systems

AsicBoost A Speedup for Bitcoin Mining

ECE410 Design Project Spring 2008 Design and Characterization of a CMOS 8-bit Microprocessor Data Path

Floating Point Fused Add-Subtract and Fused Dot-Product Units

Hardware Implementation of the Stone Metamorphic Cipher

FPGA Implementation of IP Packet Segmentation and Reassembly in Internet Router*

IJESRT. [Padama, 2(5): May, 2013] ISSN:

Exploiting Stateful Inspection of Network Security in Reconfigurable Hardware

SDLC Controller. Documentation. Design File Formats. Verification

A 1.62/2.7/5.4 Gbps Clock and Data Recovery Circuit for DisplayPort 1.2 with a single VCO

Introduction to Programmable Logic Devices. John Coughlan RAL Technology Department Detector & Electronics Division

Transcription:

2011 14th Euromicro Conference on Digital System Design Pre-silicon Characterization of NIST Final Round Candidates Xu Guo, Meeta Srivastav, Sinan Huang, Dinesh Ganta, Michael B. Henry, Leyla Nazhandali and Patrick Schaumont Center for Embedded Systems for Critical Applications (CESCA) Bradley Department of Electrical and Computer Engineering, Virginia Tech, Blacksburg, VA 24061 Email: {xuguo, meeta, shuang86, diganta, mbh, leyla, schaum}@vt.edu Abstract The NIST competition aims to select a new secure hash standard. Hardware implementation quality is an important factor in evaluating the finalists. However, a comprehensive methodology to benchmark five final round SHA- 3 candidates in ASIC is challenging. Many factors need to be considered, including application scenarios, target technologies and optimization goals. This work describes detailed steps in the silicon implementation of a ASIC. The plan of ASIC prototyping with all the finalists, as an integral part of our ASIC evaluation project, is motivated by our previously proposed methodology, which defines a consistent and systematic approach to move a hardware benchmark process from FPGA prototyping to ASIC implementation. We have designed the remaining five candidates in 0.13 μm IBM process using standard-cell CMOS technology. In this paper, we discuss our proposed methodology for ASIC evaluation and report the latest results based on post-layout simulation of the five finalists with Round 3 tweaks. I. INTRODUCTION The competition organized by NIST aims to select, in three phases, a successor for the mainstream SHA-2 hash algorithms in use today. By the completion of Phase II in December 2010, 5 out of the 14 Round 2 candidates were identified for further evaluation as finalists. For the final round competition, NIST is looking for additional cryptanalytic results, as well as for performance evaluation data on hardware platforms. ebacs is a well known benchmarking environment, including a scripting environment and a performance database, for the evaluation of crypto-software [1]. Compared to such a benchmarking environment, benchmarking crypto-hardware is ad-hoc. There are several reasons why the same progress is not seen in the hardware design community. This is due, in part, to the large heterogeneity of the hardware design space, to the absence of standard metrics for cost and performance, and to the absence of standard interfaces. To address the above issues we designed a ASIC by following a fair hardware evaluation methodology. We started by defining a standard interface, and optimized the designs with a single metric in mind, Throughput-to-Area ratio. Next, we developed an FPGA prototype that can provide a seamless transition into ASIC implementation. Finally, we designed an ASIC chip with all the five finalists with the latest round 3 tweaks. This ASIC is the focus of this paper. II. RELATED WORK The hardware evaluation of candidates has started shortly after the specifications of 51 algorithms submitted to the contest became available. The majority of initial comparisons were limited to less than five candidates. More comprehensive efforts became feasible only after NIST s announcement of 14 candidates qualified to the second round of the competition in July 2009. Since then, several comprehensive studies in ASIC implementations have been reported [2] [8]. Guo et al. [5] used a consistent and systematic approach to move the hardware benchmark process from the FPGA prototyping by [9] to ASIC implementations based 130nm CMOS standard cell technology. Tillich et al. [3] presented the first ASIC post-synthesis results using 180nm CMOS standard cell technology with high throughput as the optimization goal and further provided post-layout results [2]. Henzen et al. [4] implemented several architectures in a 90nm CMOS standard cell technology, targeting high- and moderatespeed constraints separately, and presented a complete benchmark of post-layout results. Table I compares these benchmarking efforts, and demonstrates that a comparison between different ASIC benchmarks is hard because of several reasons. First, most groups do not share the same source codes. Second, the ASIC benchmarks do not use a common hardware interface. Third, the reported metrics and optimization targets are different. III. METHODOLOGY This section describes the overall design flow that combines FPGA prototyping with ASIC design, and elaborate the efforts to automate and standardize the ASIC implementation process. A. Overview Figure 1 illustrates the hardware evaluation flow for our ASIC benchmarking process. We developed the register transfer level (RTL) designs for the 5 Final Round candidates for the Round 3 tweaks. These hardware descriptions are next mapped to FPGA technology or ASIC technology. We use the same RTL descriptions for both types of design flow. Our objective is to use the FPGA as a prototyping technology for the ASIC, rather than a direct technology target. Hence, dedicated FPGA optimizations are not used. 978-0-7695-4494-6/11 $26.00 2011 IEEE DOI 10.1109/DSD.2011.74 535

TABLE I COMPARE THE RELATED HARDWARE BENCHMARKING WORK IN ASICS Tillich [2], [3] Guo [5] Henzen [4] Technology Choices 180nm CMOS 130 nm CMOS 90nm CMOS Standard Cell Standard Cell Standard Cell Hardware Interface Assume infinite Defined standard Assume infinite bandwidth interface handshake interface bandwidth interface Chosen Metrics Area, Throughput Area, Throughput, Area, Throughput, Power, Energy Energy Design Flow Post-layout/synthesis Post-layout Post-layout simulation simulation simulation Fig. 1. FPGA Synthesis FPGA Layout FPGA Prototype RTL Development Area Delay Parasitic Power Phase II: 14 Round 2 Candidates Verification ASIC Synthesis ASIC Layout Area Delay Parasitic Power ASIC Prototype Delay Security Phase III: 5 Final Round Candidates An overview of the ASIC evaluation project. The ASIC and FPGA design flows look very similar, and cover the same two technology mapping steps. The first step is synthesis and maps the RTL code (in Verilog or VHDL) to a netlist of technology primitives. The second step is place and route, and this step decides the spatial relationships of technology primitives in a layout. Both of these steps can be automated using scripts. The results of technology mapping are performance estimates such as circuit area and circuit delay. The performance delays obtained after place-and-route are more accurate than those obtained after synthesis. With respect to the circuit area, place-and-route will reveal the precise dimensions of the ASIC design. With respect to the circuit delay, place-and-route reveals implementation effects (annotated as parasitics in Fig. 1) which characterize delay effects caused by the interconnections. In the case of ASIC prototyping, we have taped out an ASIC for the 5 final round candidates. During Phase II, we performed prototyping on FPGA only and reported ASIC post-layout numbers for individual candidates. The FPGA and ASIC prototyping are very useful to accurately evaluate the power consumption [9], which is especially important for further side-channel analysis. In the next subsection, we discuss the implementation details of the prototype design. B. Platform for integrated FPGA prototyping and ASIC performance evaluation The experimental environment for FPGA prototyping contains a PC, a SASEBO-GII board [10] and an oscilloscope as shown in Fig. 2. A SASEBO-GII board contains two FPGAs: a control FPGA, which supports the interfacing activities with a PC, and a cryptographic FPGA containing the hashing candidate. During the ASIC prototyping phase, the cryptographic FPGA is replaced by the ASIC. A board from the SASEBO-R [10] series will be used for this purpose. The SASEBO board was originally developed for sidechannel analysis. Hence, a potential research area for the future ASIC prototype is side-channel analysis of candidates. In our experiments, we used the SASEBO series board for a more obvious application, namely the measurement of power dissipation of the candidates mapped to ASICs. The interface of the SASEBO board on the PC side is a software driver that can send messages to and read a digest from the FPGA through USB. The Control FPGA manages the data flow of the messages and generates control signals according to the timing requirements of the extended hash interface based on [11]. After FPGA finishes hash operations, the digest is returned to the PC through the Control FPGA. C. Standard Interface So far, several research groups have proposed standard hardware interfaces with well supported design flows, including proposals from [4], [11] [13]. A more detailed discussion on hash interface issues can be found in [9]. The key issue for a fair comparison is to use a common interface for all candidates. Therefore, we selected the interface proposal of Chen et al. [11] (with a data I/O width of bit) and extended it to add mode selection and dual-clock support (see Fig. 8). D. Design Strategy There are three types of strategies used for hardware evaluation, namely fully autonomous, external memory and core functionality. More details of the differences between these three design strategies can be found at [14]. In this work we designed all the 5 finalists with a fully autonomous architecture. In this architecture, one transfers message data to a hash function over multiple clock cycles until a complete message block is provided. The hash module buffers a complete message block locally, before initiating the hash operation. Therefore, this architecture can work autonomously, and the resulting hash module is well suited for a hardware IP for system-on-chip integration. E. Optimization Target The use of Throughput-to-Area ratio as the optimization target for hardware evaluation was first proposed by 536

Oscilloscope PC Software Driver USB_d 8 USB_rxfn USB_txen USB_rdn USB_wr Power Measurement/ Side-Channel Analysis Control FPGA Slow CLK (Interface) RESET INIT LOAD FETCH ACK DIN DOUT FPGA/ ASIC SASEBO-GII Platform Fast CLK (Core Logic) Standard Hash I/O Interface System Control Input Sync CLK Management EN LOAD_MSG BUSY HASH_VALUE 256 Candidate 0 Candidate 1 Intermediate Value Reg. Hash Core Function Hash Value Reg. Candidate 4 Candidate 5 Message Reg. Output Sync FPGA Prototype ASIC Test Chip (SASEBO-R Platform) Fig. 2. Experimental environment for FPGA prototyping and final ASIC testing. Gaj et al. [12], and later appeared in NIST Status Report on the Second Round of the Competition as a hardware evaluation criterion. One of the obvious advantages of choosing this target rather than Throughput alone is that it can avoid highly unrolled hash designs with small throughput benefits but significant circuit area overhead. F. Evaluation Metrics In this work we have used Throughput-to-Area ratio as a primary metric and also reported other common metrics, including area, maximum frequency, maximum throughput, and power/energy efficiency. a) Area: We will use the circuit area of each candidate with both the interface and hash core after layout. The area will be reported in kilo gate equivalents (kge), where a gate equivalent corresponds to the area of a standard NAND2 gate in the standard-cell library. We divided the reported layout area with unit in μm 2 by the area of an NAND2 gate for conversion from the absolute circuit area to kge. b) Throughput: In general the time required to hash a message consists three parts: the latency for loading one block of message, L in, the hash core latency, L core, the latency for finalization step, L final, and the latency for outputting the message digest, L out. For short message hashing, all these four latencies are important performance factors. And the metric of Latency is frequently used to characterize the short message hashing speed instead of Throughput. In the case of hashing a long message, L final and L out can be neglected. Since L in is dependent on the system I/O throughput which may vary in different contexts, here we report the Throughput results of the hash core function: Tp core = W B f max, (1) L core where W B is the block size of the hash and f max is the maximum frequency the circuit can run at. c) Throughput-to-Area: The Throughput-to-Area Ratio is an effective metric to measure the hardware efficiency, where the Throughput is the above defined Tp core and the Area is for the layout circuit area expressed in terms of kge. Fig. 3. Hash IV State Finalization Data MSG Permutation G G G G Structure of the BLAKE-256 core. d) Power/Energy: The power is measured with a fixed achievable clock frequency based on the average power during hashing of long messages, and the capture period is only for the core hashing operations (e.g. round function for each message block). The energy metric is expressed as energy per bit of the input message block compressed by the hash core function. IV. VLSI IMPLEMENTATION OF HASH FUNCTIONS In this section we briefly review the implementations of each finalist. For details on the candidates please refer to the related specification documents on NIST web sites. For hardware architectures, we have looked into several public available reference implementations [15] [17] and optimized them for our system architecture. A. BLAKE BLAKE follows a HAIFA iteration mode and operates on an inner state that can be represented as a 4 by 4 matrix of words. The inner state is initialized using an Initial Value (IV), a salt and a counter. The state is updated using the G function, which is based on the ChaCha stream cipher [18]. The G function mainly contains modular addition, XOR, and rotate operations. As shown in Fig. 3, before the message block enters into the round function it will first go through a permutation layer and XOR with predefined constants. One stage of pipeline is 537

Data Data IV Const P State Q State M State SBoxes S0, S1 Round P Q H State IV R8 R6 Hash degroup Fig. 4. Structure of the Grøstl-256 core. Fig. 5. Structure of the JH-256 core. inserted inside the permutation layer for higher throughput. Four parallel G functions are implemented for the round process. Eight G functions or fully unrolled structures are also possible high performance solutions if there is no area constraint. Each G function instantiates two carry-save adders. B. Grøstl Grøtl is a wide-pipe Merkle-Dåmgard hash algorithm with an output transformation. The compression function is a novel construction, using two fixed 2n-bit permutations together. The output transformation processes the final chaining state, and discards half the bits of the result, yielding an n-bit hash output. The underlying fixed permutations are themselves based closely on the structure of AES, reusing the S-box, but expanding the size of the block to 512 bits for Grøtl-256 in a straightforward way. Grøstl can be implemented with parallel computation of P and Q permeations as well as a single permutation with iterations. As shown in Fig. 4, we implement the parallel P and Q structure, which enables better Throughput-to-Area ratio in our case since the hash core throughput can be doubled without doubling the overall area when considering the hardware interface and control circuits overhead. Within the parallel P and Q structure, 128 AES SBoxes are used and all of them are implemented in Galois field operations also for better hardware efficiency. C. JH The compression function of JH is constructed from a large block cipher with constant key. The large block cipher is based on a generalized AES design methodology and can be constructed with small components. There are three components of the underlying permutation E8 : 4 bit SBoxes, an 8 bit L-permutation, and a P-permutation. As shown in Fig. 5, two similar round operations, R8 and R6, are used for compression and round constant generation, respectively. R8 is used to update the 1024 bit hash state, and R6 generates the round constant on-the-fly. Data Buffer Fig. 6. State Keccak-f[00] (r=1024, c=576) Permutation Round Constant Structure of the Keccak-256 core. D. Keccak Keccak follows the sponge construction model. The permutation can be considered as a substitution-permutation network with 5 bit wide SBoxes, or as a combination of a linear mixing operation and a very simple nonlinear mixing operation. The building block permutation is from a set of 7 permutations, indicated by Keccak-f[b] (b is the width of Keccak-f with default value 00). We implement the Keccak-f[00] with rate r = 1024, capacity c = 576, and output digest size of 256 bits. The Keccak core design are based on the authors provided reference high speed core designs [17]. E. Skein Skein is an iterative hash algorithm built on a tweakable block cipher C Threefish. Threefish is used to build the compression function of Skein using a modified Mateas-Meyer- Oseas construction, which is then iterated in a chaining mode similar to HAIFA. The designers refer to the whole construction as a Unique Block Iteration (UBI) mode. Threefish is a 72-round substitution-permutation network using a 128-bit MIX function consisting of a 64-bit addition, rotate and XOR operations. As shown in Fig. 7, we implemented the Skein512-256 version and each Threefish-512 round out of 72 rounds consists 538

IV Data Key Add SubKey State Add SubKey Mix and Permute TABLE III THE SUMMARY OF ROUND 3 TWEAKS Algorithm Round 3 tweaks for 256 bit digest version Blake-256 Number of rounds is changed from 10 to 14 Grøstl-256 Change shift values in Q; Use bigger round constants in P and Q JH-256 Number of rounds is changed from 35.5 to 42 Keccak-256 Simplified and shortened padding rule Skein512-256 Change the key schedule parity constant Key Schedule Fig. 7. Structure of the Skein512-256 core. TABLE II THE SUMMARY OF DESIGN SPECIFICATIONS OF FINALISTS Algorithm Blake-256 Grøstl-256 JH-256 Keccak-256 Skein512-256 Implementation Descriptions 4 parallel G functions; 1-stage pipeline in permutation Parallel P and Q with 128 GF-based AES SBoxes SBoxes S0 and S1 are implemented in LUT One clock cycle per round Unrolled 4 Threefish rounds of four parallel MIX operation and a permutation. Four rounds are unrolled and chained together in hardware. F. Summary Table II summarizes the major implementation aspects of each finalist. The design decisions are made to achieve the primary optimization for Throughput-to-Area ratio. V. ASIC REALIZATION Compared to other published work on SHA3 chip design [4], our chip has the following benefits: Updated to Round-3 specifications. By the end of January 2011, all of the final round candidate authors released their Round 3 specifications reflecting the feedbacks from the extensive security and performance evaluation during the Round 2 competition. A summary of Round 3 tweaks can be found in Table III. Some tradeoffs between security and performance were made in several candidates and caused changes in the performance profile (e.g. for BLAKE-256, the round number is increased from 10 to 14; for JH, the round number is changed from 35.5 to 42). Depending on the way how designers implement these algorithm (e.g. whether the round function is unrolled), some of the changes including changing the round number may not only affect the control logic but also the hash core logic. Single technology and consistent methodology. As discussed in [5], the impact of technologies in benchmarking ASIC implementations when shifting from 130nm to 90nm is non-trivial. Even under the same technology feature size, the impact of different standard-cell libraries, synthesis/layout constraints, and tool flows can lead to biased comparison results. We fabricated all the five finalists on the same die with uniform tool flow and environmental settings, and this may enable a more fair comparison in ASIC performance between each candidate. For ASIC evaluation in general, the best way to follow is always to fabricate an actual chip, measure it and explore its true potential. However, as mentioned earlier the ASIC evaluation process is much more difficult due to the lack of concrete application scenarios and requirements. In addition, our ASIC design has constraints, too, including the area budget, the total number of available IOs for the chip socket on the testing platform, and the capabilities of the testing infrastructure. In the following sections, we will discuss how we designed the ASIC to tackle all the above issues and how the final area and performance results will be affected by those design decisions. A. Chip Architecture As shown in Fig. 8, besides the candidates modules our chip contains an on-chip clock management module, a system control module, and a hronization module. All these features are integrated in order to fulfill the needs of fitting the ASIC chip into the SASEBO-R platform and meet our final chip testing requirements. Clock Management Module. This module has two functions: clock gating and clock generation. The clock gating is used to isolate the impact of the other candidates when measuring the power consumption of one candidate at a time. As shown in Fig. 2, all the inputs to the ASIC are generated from the control FPGA on board which connects to the ASIC. By default the control FPGA runs at a relatively low frequency (e.g. 24 MHz). It is not recommended to transmit high frequency signals through on board connections. For high frequency testing purpose, we used the custom-cell design approach to integrate a ring oscillator based voltage-controlled oscillator (VCO) into the chip together with a standard-cell implemented clock divider, which can offer a good range of clock frequencies on chip. The on-chip generated clocks are also MUXed with the external clock input and can be configured through dedicated ports. System Control Module. The system control module is used to decode the control signals for algorithm selection, clock gating, clock division ratio and hash mode from ports. The ASIC can support two operation modes. The normal hashing mode loads bit input data for each transfer until it buffers a whole block of data to start compression. 539

sclk sinit System Control (input) sclk_0 sload_0 sack_0 sinit_0 to JH to sfetch_0 sdin_0 ~250MHz sdout_0 smode_0 sclk_1 sload_1 sack_1 sinit_1 to Keccak to sfetch_1 sdin_1 ~250MHz sdout_1 smode_1 ASIC sload fclk_0 fclk_1 sfetch sclk_2 sclk_3 smode sdin AlgSel 3 Clock Management CLK Gating fclk_0 fclk_5 sload_2 sack_2 sinit_2 to Grostl to sfetch_2 sdout_2 sdin_2 ~200MHz smode_2 fclk_2 sclk_4 sload_3 sack_3 sinit_3 to SHA256 to sfetch_3 sdout_3 sdin_3 ~200MHz smode_3 fclk_3 sclk_5 System Control (output) 3 sack sdout CLK_Switch EXT_fClk CLK_DIV_Sel 4 VCO_CLK_Sel 2 VCO_CLK_MON CLK Divider VCO Ring-Oscillators sload_4 sack_4 sinit_4 to BLAKE to sfetch_4 sdin_4 ~125MHz sdout_4 smode_4 fclk_4 sload_5 sack_5 sinit_5 to Skein to sfetch_5 sdin_5 ~125MHz sdout_5 smode_5 fclk_5 AlgSel Fig. 8. The chip diagram of ASIC. This I/O bottleneck makes it very difficult for full speed testing since there is a relatively long message loading period between two consecutive hashing. Hence, we defined a second mode of operation: full speed testing. Under this hash mode, the input buffer of each candidate only stores bit of input data per block, and replicates this input data to fill an entire block. Cross-Clock Domain Synchronizer. There are two clock domains in our chip: the one is for the interfacing logic and the one is for hash modules. In order to avoid complex hronizer designs based on ahronous FIFOs or feedback hronization and alleviate the burden of the backend process to deal with the two clock domains, we simplified the hronizer design by making a reasonable assumption that the internal hash clock working frequency is always at least two times er than the interface clock. As a result, the interface clock can be deemed as a normal control signal and the whole chip only has one single clock either input from external clock or internal VCO generated clock. Within this approach we extended the standard hash interface [11] of each candidate to integrate this hronizer, and the final reported layout area for each candidate will also include the overhead of this extended hash interface. B. Constraints The timing constraints are selected to optimize Throughputto-Area ratio, using the methodology described in [6]. Although all the RTL designs are optimized for Throughput-to- Area ratio, depending on the different application scenarios we may put different constraints during the synthesis and layout which may then greatly affect the quality of the ASIC results. For synthesis, we evaluate four design points for every implementation. MinArea: A minimum-area design will minimize the use of logic resources (GEs) at the expense of performance. MaxSpeed: A maximum-speed design will minimize the computational delay of the design, at the expense of area. TradeOff0: The first trade-off point is chosen to have a computational delay which is two-thirds between the MinArea and MaxSpeed design points. TradeOff1: The second trade-off point is chosen to have a computational delay which is five-sixths between the MinArea and MaxSpeed design points. The TradeOff points are chosen to investigate how the relationship (speed, area) evolves when a design gradually moves from the MinArea design point to the MaxSpeed design point. As shown in the Fig. 9, the point with highest Throughputto-Area ratio is always the MaxSpeed point except for Grøstl whose optimal point is Tradeoff1. However, the post-synthesis timings of each individual candidate cannot be directly used as the timing constraints for layout process. One reason is that designs with high frequency (e.g. 400MHz with 130nm technology) will be ed down because of high speed circuits related clock and power issues. Another reason is the MaxSpeed frequency obtained at synthesis level only considers device delay without routing delay. Based on several iterations of putting weight to the layout timing constraints, [f max ] synthesis [f max /area] layout =, (2) [weight area] synthesis we categorized the five candidates plus the SHA256 based on their achievable frequencies after layout into three groups: 250 MHz (JH and Keccak), 200 MHz (Grøstl and 540

Max Frequency (MHz) Max Frequency / Area Ratio (MHz/kGEs) Fig. 9. 700 650 Blake-256 600 Groestl-256 550 JH-256 500 Keccak-256 Post-synthesis 450 Skein-256 best 400 f SHA256 max -to-area 350 ratio 300 250 200 150 100 50 0 0 10 20 30 40 50 60 70 80 90 100 110 Area (kges) Synthesis results with best f max -to-area constraints 14 12 Post-Synthesis 10 Post-Layout 8 6 4 2 0 Layout results with adjusted constraints Blake-256 Groestl-256 JH-256 Keccak-256 Skein-256 SHA256 The comparison between synthesis and layout constraints. SHA256), and 125 MHz (BLAKE and Skein). As shown in Fig. 9, compare the individual synthesis results with the final layout results of all candidates on the same die, we put a little larger weight to the high speed designs, JH and Keccak, with an average weight of 1.9 for all the designs. With these timing constraints for each group of hash modules, we are able to finish the layout of the ASIC with the chip core of 1.656 mm 1.656 mm and overall chip area fitting in the die size of 5 mm 2 including pad cells. C. Design Environment We used the Synopsys Design Compiler (C-2009.06-SP3) to map the RTL codes to IBM MOSIS 130nm CMOS Technology with CMR8SF-RVT standard cell library. We use the typical case condition characterization of the standard cell libraries. The 130nm technology uses 7 metal layers. The Synopsys IC Compiler (C-2009.06-SP5) is used for the back-end process. The overall chip core area utilization ratio after layout is 73%. The utilization is defined as the die area devoted to active components (standard cells) as compared to the total die area. After place-and-route, design flow errors such as timing and Design Rule Check (DRC) violations may occur. In some cases, the initial utilization must be lowered in order to relax the constraints to the place-and-route process. The timing results can be obtained from the post-synthesis and post-layout steps. First, the Synopsys IC Compiler is used to extract the post-layout parasitic and generate an SDF file containing the delays of all the interconnections and instances. Second, Synopsys VCS can be used to do the postsimulation and generate the VCD file that records all the stdcell lib process lib IBM 130nm CMR8SF-RVT Process SAGE- XTM v2.0 Standard Cell Library Fig. 10. Design Compiler IC Compiler StarRCXT RTL Design in Verilog Logic Synthesis Layout Parasitic Extraction GDSII file VCS/PrimeTime test vectors Post-syn Simulation Hercules/Assura VCS/PrimeTime LVS/DRC Post-layout Simulation Design Quality latency throughput die area pin count latency throughput Power Energy The overview of our ASIC design flow. switching activities of the netlist. Finally, Synopsys Prime Time (C-2009.06-SP3) reads the final netlist, VCD file and.spef parasitic file and does the power estimation. D. ASIC Results and Analysis From the post-layout results shown in Table IV, all the five candidates meet the target maximum frequency and have a larger area but higher Throughput than the reference SHA256; the maximum throughput of Grøstl and Keccak can almost reach 10 Gbps; Keccak is the best in hardware and energy efficiency; closely followed by BLAKE and Keccak, JH is the most power efficient but still less efficient than SHA256. Although we have tried our best to ensure a fair methodology to guide our ASIC benchmark process, there are still many factors that may affect the results. The limitations of absolute results numbers. We very often see many papers cited other papers area results (unit: kge) for a direct comparison. However, we want to point out that the gate counts are strongly dependent on the standard-cell libraries and tool settings even with the same technology node. The comparison of absolute results numbers is considered as fair ONLY if the same library, same tools, and same settings are used. This is also one important reason of why we intend to open-source all of our RTL designs and scripts. Further optimizations of hash design. Due to the short period between the releasing the Round 3 specifications of each candidate and deadline for the chip tape-out run, we believed that fine grained optimizations are possible to better address the Throughput-to-Area Ratio optimization goals [19]. Since we have already optimized the designs based on some open-source projects [15] [17], the designs and results described in this paper can be served as a good basis for future work. VI. CONCLUSIONS In this paper we presented the methodology of evaluating ASIC implementations and reported the latest presilicon results for final round candidates. Our 541

TABLE IV ASIC CHARACTERIZATION OF THE ASIC CHIP IN IBM MOSIS 130nm CMOS TECHNOLOGY WITH CMR8SF-RVT STANDARD CELL LIBRARY, THE GATE EQUIVALENT COUNT IS CALCULATED BY DIVIDING THE POST-LAYOUT DIE AREA BY THE AREA OF A NAND2XLTF (5.76 μm 2 ) Block Size Core Latency Area Max Freq. Throughput Throughput-to-Area Power Energy [bits] [cycles] [kges] [MHz] [Gbps] [kbps/ge] [mw] [mj/gbits] BLAKE-256 512 30 34.15 125 2.13 62.47 15.65 36.67 Grøstl-256 512 11 124.34 200 9.31 74.87 99.59 85.58 JH-256 512 42 49.29 250 3.05 61.83 10.39 34.08 Keccak-256 1024 24 42.49 250 10.67 251.05 15.68 14.70 Skein512-256 512 21 66.36 125 3.05 45.93 39.71 65.15 SHA256 512 68 21.67 200 1.51 69.54 3.72 19.75 *: NIST Round 3 Specifications by January, 2011. **: The above numbers are from post-layout simulation with chip interface clock at 10MHz and hash core clock at 25MHz. ***: Throughput, Power, and Energy numbers are measured for hash core operations. ****: Each design s static power is estimated by multiplying the whole chip static power, 2.33 mw, with the area ratio of each design. Blake Groestl JH Keccak Skein SHA256 Fig. 11. Die layout of the ASIC chip in 130nm IBM process using standard cell CMOS technology. ASIC is very likely the first chip implementing five finalists based on the Round-3 specifications published online in January, 2011. We plan to use this chip for future security evaluation of SCA attacks based on SASEBO-R board. We also intend to open-source the RTL versions of the designs we evaluated and the EDA tool scripts we used for the backend process on our website []. ACKNOWLEDGMENT The effort reported in this paper was supported by a NIST Measurement, Science and Engineering Grant ( Environment for Fair and Comprehensive Performance Evaluation of Cryptographic Hardware and Software ). The authors would like to thank National Institute of Advanced Industrial Science and Technology (AIST) of Japan for their hardware support. REFERENCES [1] D. Bernstein and T. Lange, ebacs: ECRYPT Benchmarking of Cryptographic Systems, May 2011, http://bench.cr.yp.to. [2] S. Tillich, M. Feldhofer, M. Kirschbaum, T. Plos, J.-M. Schmidt, and A. Szekely, Uniform Evaluation of Hardware Implementations of the Round-Two Candidates, in The Second Candidate Conference, August 2010. [3], High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein, Cryptology eprint Archive, Report 2009/510, 2009, http://eprint.iacr.org/2009/510. [4] L. Henzen, P. Gendotti, P. Guillet, E. Pargaetzi, M. Zoller, and F. Gürkaynak, Developing a Hardware Evaluation Method for Candidates, in Cryptographic Hardware and Embedded Systems, CHES 2010, ser. LNCS, S. Mangard and F.-X. Standaert, Eds. Springer Berlin / Heidelberg, 2010, vol. 6225, pp. 248 263. [5] X. Guo, S. Huang, L. Nazhandali, and P. Schaumont, Fair and Comprehensive Performance Evaluation of 14 Second Round ASIC Implementations, in The Second Candidate Conference, August 2010. [6], On The Impact of Target Technology in Hardware Benchmark Rankings, Cryptology eprint Archive, Report 2010/536, 2010, http://eprint.iacr.org/2010/536. [7] A. Namin and M. Hasan, Hardware implementation of the compression function for selected candidates, CACR 2009-28, July 2009. [8] L. Henzen, J.-P. Aumasson, W. Meier, and R. C.-W. Phan, VLSI Characterization of the Cryptographic Hash Function BLAKE, Very Large Scale Integration (VLSI) Systems, IEEE Transactions on, 2010. [9] K. Kobayashi, J. Ikegami, M. Knezevic, E. Guo, S. Matsuo, S. Huang, L. Nazhandali, U. Kocabas, J. Fan, A. Satoh, I. Verbauwhede, K. Sakiyama, and K. Ohta, Prototyping platform for performance evaluation of candidates, in Hardware-Oriented Security and Trust (HOST), IEEE International Symposium on, 2010, pp. 60 63. [10] AIST-RCIS, Side-channel attack standard evaluation board, May 2011, http://staff.aist.go.jp/akashi.satoh/sasebo/en/index.html. [11] Z. Chen, S. Morozov, and P. Schaumont, A Hardware Interface for Hashing Algorithms, Cryptology eprint Archive, Report 2008/529, 2008, http://eprint.iacr.org/2008/529. [12] K. Gaj, E. Homsirikamol, and M. Rogawski, Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two Candidates Using FPGAs, in Cryptographic Hardware and Embedded Systems, CHES 2010, ser. LNCS, S. Mangard and F.-X. Standaert, Eds. Springer, 2010, vol. 6225, pp. 264 278. [13] B. Baldwin, N. Hanley, M. Hamilton, L. Lu, A. Byrne, M. ONeill, and W. P. Marnane, FPGA Implementations of the Round Two Candidates, in The Second Candidate Conference, August 2010. [14] ECRYPT, The Zoo, May 2011, http://ehash.iaik.tugraz.at/wiki/ Hardware Implementations. [15] AIST-RCIS, hardware project, May 2011, http://www.rcis.aist. go.jp/special/sasebo/sha3-en.html. [] X. Guo, S. Huang, M. Srivastava, L. Nazhandali, and P. Schaumont, Performance Evaluation of Cryptographic Hardware and Software Performance Evaluation of Candidates in ASIC and FPGA, May 2011, http://rijndael.ece.vt.edu/sha3/. [17] G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche, The Keccak sponge function family Updated VHDL package, May 2011, http: //keccak.noekeon.org/vhdl 3.0.html. [18] D. Bernstein, ChaCha, a variant of Salsa20, January 2008, http://cr. yp.to/chacha/chacha-20080128.pdf. [19] E. Homsirikamol, M. Rogawski, and K. Gaj, Comparing hardware performance of fourteen round two sha-3 candidates using fpgas, Cryptology eprint Archive, Report 2010/445, 2010, http://eprint.iacr.org/. 542

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information