benchmarking of round 2 caesar candidates in hardware ... · • no full support for the caesar api...
TRANSCRIPT
![Page 1: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/1.jpg)
BenchmarkingofRound2CAESARCandidatesinHardware:
Methodology,Designs&ResultsEkawatHomsirikamol,
PanasayyaYalla,AhmedFerozpuri,
WilliamDiehl,FarnoudFarahmand,MichaelX.Lyons,
andKrisGajGeorgeMasonUniversity
USAhttp://cryptography.gmu.edu
https://cryptography.gmu.edu/athena
![Page 2: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/2.jpg)
2
Outline
• CAESAR Hardware API & the Compliant Code Development
• Overview of Submitted Designs • Benchmarking Methodology • Results • ATHENa Database of Results
![Page 3: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/3.jpg)
CAESAR Hardware API
![Page 4: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/4.jpg)
4
Specifies: • Minimum compliance criteria • Interface • Communication protocol • Timing characteristics
Assures: • Compatibility • Fairness
Timeline: • Based on the GMU Hardware API presented at CryptArchi 2015, DIAC 2015, and ReConFig 2015 • Revised version posted on Feb. 15, 2016 • Officially approved by the CAESAR Committee on May 6, 2016
CAESAR Hardware API
![Page 5: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/5.jpg)
5
Implementer’s Guide • v1.0 - May 12, 2016
Development Package a. VHDL code of generic pre-processing and post- processing units for high-speed implementations (src_rtl) b. Universal testbench (AEAD_TB) c. Python app used to automatically generate test vectors (aeadtvgen) d. Six reference high-speed implementations of Dummy authenticated
ciphers
GMU Support for Designers of VHDL/Verilog Code
https://cryptography.gmu.edu/athena/index.php?id=download
![Page 6: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/6.jpg)
6
Top-level block diagram of a High-Speed architecture
KEY_SIZE
ProcessorPre
ProcessorPost
do_ready do_ready
24 24
key_update
bdi_eot
bdi_eoi
bdi_type
bdi_ready
3
bdi_valid
bdi
key
bdo
Datapath
CipherCore
msg_auth_valid
msg_auth_done
key_update
bdi_eot
bdi_eoi
bdi_type
bdi_ready
bdo_size
bdo_ready
Controller
CipherCorebdi_valid bdo_valid
bdi
key
DBLK_SIZE
msg_auth_valid
msg_auth_done
bdo_size
bdo_ready
bdo_valid
bdo
key_valid
key_ready
key_valid
key_ready
LBS_BYTES+1
decrypt decrypt
bdi_valid_bytes
bdi_pad_loc
DBLK_SIZE/8
DBLK_SIZE/8
bdi_size
bdi_pad_loc
bdi_valid_bytes
bdi_sizeLBS_BYTES+1
CipherCore
AEAD
pdi_valid
pdi_readypdi_readypdi_valid
OptionalRequired
sdi_valid
sdi_readysdi_readysdi_valid
do_valid do_valid
sdi_data
pdi_data
do_datado_data
sdi_data
pdi_data
sw
w
w
din_valid
din_ready
din FIFOCMD
dout
dout_ready
dout_valid
cmd
_va
lid
cmd
_re
ad
ycm
d
cmd
_va
lid
cmd
_re
ad
y
cmd
bdi_partialbdi_partial
DBLK_SIZE
![Page 7: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/7.jpg)
7
RTL VHDL Code • AES (Enc/EncDec, 10/11 cycles per block, SubBytes in ROM/logic) • Keccak Permutation F • Ascon – example CAESAR candidate
Suggested List of Deliverables a. VHDL/Verilog code (folder structure) b. Implemented variants (corresponding generics & constants) d. Non-standard assumptions e. Formulas for the execution time f. Verification method (test vectors) g. Block diagrams (optional) h. License (optional) i. Preliminary results (optional)
GMU Support for Designers of VHDL/Verilog Code
![Page 8: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/8.jpg)
8
Known Limitations
• No support for intermediate tags
![Page 9: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/9.jpg)
The API Compliant Code Development
![Page 10: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/10.jpg)
10
Manual Design
HDLCode
Automated Optimization FPGATools
PreliminaryPostPlace&Route
Results(ResourceURlizaRon,Max.ClockFrequency)
Functional Verification
SpecificaRon
TestVectors
The API Compliant Code Development
ReferenceCCode
DevelopmentPackagesrc_rtl
DevelopmentPackageaeadtvgen
DevelopmentPackageAEAD_TB
Pass/ Fail
Formulasforthe
ExecuRonTime&Throughput
![Page 11: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/11.jpg)
Overview of Submitted Designs
![Page 12: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/12.jpg)
12
Summary of Submitted Designs (1) Algorithms with:
• 2 Compliant designs + 1 Non-Compliant Design 1: TriviA-ck
• 2 Compliant designs 3: ASCON, CLOC, Minalpher
• 1 Compliant Design + 1 Non-Compliant Design 8: Deoxys, ELmD, HS1-SIV, Joltik, NORX, Pi-Cipher, POET, SCREAM
• 1 Compliant Design 17: ACORN, AEGIS, AES-COPA, AES-JAMBU, AES-OTR, AEZ, ICEPOLE, Ketje, Keyak, MORUS, OCB, OMD, PAEQ, PRIMATEs-GIBBON, PRIMATEs-HANUMAN, SHELL, SILC, STRIBOB
• No Designs 1: Tiaoxin
![Page 13: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/13.jpg)
13
Summary of Submitted Designs (2) Algorithm Compliant
Designs Non-Compliant
Designs Primary Variants
Variants in Compliant Designs
Variants in Non-Compliant
Designs ACORN 1 - 1 1 -
AEGIS 1 - 1 1 -
AES-COPA 1 - 1 1 -
AES-JAMBU 1 - 1 1 -
AES-OTR 1 - 1 1 -
AEZ 1 - 1 1* -
ASCON 2 - 2 2 -
CLOC 2 - 3 2 -
Deoxys 1 1 4 1 4
* Authenticator length = 16 bytes, Key length = 384 bits (default), Nonce length = 128 bits
![Page 14: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/14.jpg)
14
Summary of Submitted Designs (3) Algorithm Compliant
Designs Non-Compliant
Designs Primary Variants
Variants in Compliant Designs
Variants in Non-Compliant
Designs
ELmD 1 1* 4 1 1*
HS1-SIV 1 1 3 1 1
ICEPOLE 1 - 3 1 -
Joltik 1 1 8 1 4
Ketje 1 - 1 2 -
Keyak 1 - 1 2 -
Minalpher 2 - 1 1 -
MORUS 1 - 1 1 -
NORX 1 1 5 4 1
* A variant with intermediate tags
![Page 15: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/15.jpg)
15
Summary of Submitted Designs (4) Algorithm Compliant
Designs Non-Compliant
Designs Primary Variants
Variants in Compliant Designs
Variants in Non-Compliant
Designs OCB 1 - 9 1 -
OMD 1 - 1 1 -
PAEQ 1 - 3 1 -
Pi-Cipher 1 1 8 3* 3*
POET 1 1 2** 1** 1**
PRIMATEs- GIBBON***
1 - 2 2 -
PRIMATEs- HANUMAN***
1 - 2 2 -
* Altogether, the compliant and non-compliant designs cover 4 variants with |SMN|=0 ** Only a variant without intermediate tags implemented *** Ciphers belonging to the same family. The 3rd member of this family, APE, not implemented
![Page 16: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/16.jpg)
16
Summary of Submitted Designs (5)
Algorithm Compliant Designs
Non-Compliant Designs
Primary Variants
Variants in Compliant Designs
Variants in Non-Compliant
Designs SCREAM 1 1 1 1 1
SHELL 1 - 8* 1 -
SILC 1 - 1 1 -
STRIBOB 1 - 1 1 -
TriviA-ck 2 1** 2 1 1**
AES-GCM 1 - 3 1*** -
* 4 values of d, 2 values of lnonce ** A variant with intermediate tags not supported by the CAESAR API *** GCM based on AES-128
![Page 17: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/17.jpg)
17
Effects of Known Limitations
• Current version of API does not support intermediate tags. The implementations of ELmD and TriviA-ck with intermediate tags follow the CAESAR API as much as possible, under this limitation.
![Page 18: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/18.jpg)
18
Variant vs. Architecture
• Two different variants of the same algorithm produce different outputs for the same input
(e.g., they differ in terms of the key/nonce/tag size) • Two different architectures of a specific variant produce the same output, but differ in terms of performance and/or resource utilization (e.g., basic iterative and unrolled x2 architectures)
![Page 19: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/19.jpg)
19
Architectures
• Majority of algorithms have designs based on Basic Iterative Architecture (One Round per Clock Cycle)
Exceptions:
§ ACORN: 8bit & 32bit lightweight § ASCON: Unrolled xN § HS1-SIV: Folded /2h § Pi-Cipher (by Pi-Cipher Team): Iterative § Pi-Cipher (by GMU Team): Folded /4v § SCREAM: Unrolled x2
![Page 20: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/20.jpg)
20
Submissions with Multiple Architectures
Algorithm Variants in Compliant Designs
Variants in Non-Compliant Designs
Variant-Architecture
Pairs In Compliant
Designs
Variant-Architecture
Pairs In Non-
Compliant Designs
ACORN 1 - 2 - ASCON 2 - 9 - Deoxys 1 4 2 4 SCREAM 1 1 2 2 STRIBOB 1 - 2 -
ACORN: 8bit and 32bit lightweight architectures ASCON: basic iterative and unrolled xN architectures Deoxys: basic iterative and basic iterative with speculative pre-computation SCREAM: basic iterative and unrolled x2 architectures STRIBOB: with and without Miniboxes
Architecture Types:
![Page 21: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/21.jpg)
21
Deviations from the CAESAR HW API Affecting Fairness of Comparison
Deoxys & Joltik (by Axel York Poschmann & Marc Stöttinger) • No decryption • Full-block width interface similar to that of CipherCore • Incomplete support for the CAESAR API Protocol (no PreProcessor or PostProcessor) [benchmarked, displayed under HW API: Full-Block width (custom)]
POET (by Amir Moradi) • Full-block width custom interface • No support for the CAESAR API Protocol [benchmarked, displayed under HW API: Full-Block width (custom)]
SCREAM (by Lubos Gaspar & Stephanie Kerckhof) • Full-block width custom interface • No support for the CAESAR API Protocol [benchmarked, displayed under HW API: Full-Block width (custom)]
![Page 22: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/22.jpg)
22
API Deviations and Other Problems Affecting Benchmarking Pi-Cipher (by Mohamed El-Haddedy)
• No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number of clock cycles per block (1782) [treated as compliant, but suboptimal results]
NORX (by Michael Muehlberghuber) • Full-block width interface (2 x 768 bits) based on AXI4-Stream • No support for the CAESAR API Protocol • A custom wrapper required for implementation using Xilinx ISE and Altera Quartus Prime (not submitted) [not benchmarked]
HS1-SIV (by Sergei Volokitin & Gerben Geltink) • Full-block width custom interface • No support for the CAESAR API Protocol • Code does not pass synthesis using Altera Quartus Prime, or implementation using Xilinx ISE [not benchmarked]
![Page 23: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/23.jpg)
23
Minor Deviation from the API Compliance Criteria
Keyak (by the Ketje-Keyak Team)
• Compliance criteria: § supported maximum size for AD should be 232-1 bytes
• Implementation: § supported maximum size for AD is 24 bytes
[treated as compliant in the database of results]
![Page 24: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/24.jpg)
24
Designs with the Highest Potential for Improvement
• SHELL by the SHELL Team § Preliminary design § Throughput to area ratio 130-180x worse than for AES-GCM
• OMD by the GMU Team § Preliminary design § Known improvements possible in the Datapath & Controller § Require substantial amount of time to be incorporated
![Page 25: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/25.jpg)
25
Other Factors Affecting Comparison
• Key sizes • Security level (lightweight vs. non lightweight, single-pass vs. two-pass, nonce misuse resistance, etc.) • Nonce sizes • Tag and/or authenticator sizes • PDI & DO port width, w
![Page 26: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/26.jpg)
26
Key sizes • Majority of implemented ciphers support 128-bit keys only
Exceptions: § Joltik: 64 & 128 § PRIMATEs: 80 & 120 § AES-JAMBU, Ketje: 96 § Pi-Cipher: 96, 128, 256 § Deoxys, NORX: 128 & 256 § STRIBOB: 192 § AEZ: 384
Possible allowed key ranges: |K| ≥ 96 |K| ≥ 120
• covers all families • excludes variants with 64 and 80-bit keys
• covers all families except AES-JAMBU and Ketje • covers stronger variants of PRIMATEs • excludes lightweight variants
![Page 27: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/27.jpg)
27
PDI & DO Ports Width, w
• The CAESAR API Minimum Compliance Criteria allow § High-speed: 32 ≤ w ≤ 256 § Lightweight: w = 8, 16, 32
• Majority of the API compliant implementations support w=32 or 64 only
Exceptions: § ACORN: 8 & 32 § PRIMATEs: 40 § HS1-SIV: 128 § NORX, Pi-Cipher: 128 & 256 § AEGIS, ICEPOLE, MORUS: 256
![Page 28: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/28.jpg)
28
Ciphers vs. Variants • Each cipher may have multiple variants, identified by
• name, e.g., KetjeSr and KetjeJr • identifier, e.g., NR-128-64 and NMR-64-64, or • a set of parameters.
• PRIMATEs HANUMAN and PRIMATEs GIBBON are treated as separate ciphers, rather than variants (each has its own variants)
• CLOC and SILC are treated as seperate ciphers, rather than variants
• In the database rankings, each cipher is represented by only one variant with the best value of a particular performance metrics used for ranking (e.g., Enc/Auth Throughput/LUTs, Auth-Only Throughput/Slices, Dec/Auth Throughput, LUTs, Slices, etc.)
![Page 29: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/29.jpg)
Benchmarking Methodology
![Page 30: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/30.jpg)
30
High-Performance FPGA Families used for benchmarking of All Round 2 Candidates & AES-GCM
• Xilinx Virtex-6: xc6vlx240tff1156-3 • Xilinx Virtex-7: xc7vx485tffg1761-3 • Altera Stratix IV: ep4se530h35c2 • Altera Stratix V: 5sgxea7k2f40c1
Low-Cost FPGA Families used for benchmarking of 10 Candidates with the Smallest Area in High-Performance Benchmarking:
• Xilinx Spartan-6: xc6slx16csg324-3 • Xilinx Artix-7: xc7a100tcsg324-3 • Altera Cyclone IV: EP4CE22F17C6 • Altera Cyclone V: 5CEBA4F23C7
FPGA Families & Devices Used for Benchmarking
![Page 31: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/31.jpg)
31
HDLCode
Automated Optimization FPGATools
PostPlace&Route
Results(ResourceURlizaRon,Max.ClockFrequency)
RTL Benchmarking
ReplicaRonScript
OpRmalOpRonsof
Tools(forbestTP/A)
![Page 32: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/32.jpg)
32
For Benchmarking Targeting Xilinx FPGAs (other than Virtex 7): Target FPGAs: Virtex-6, Spartan 6, Artix 7 Synthesis Tool: Xilinx XST 14.7 Implementation Tool: Xilinx ISE 14.7 Automated Optimization: ATHENa For Benchmarking Targeting Altera FPGAs: Target FPGAs: Stratix IV, Stratix V, Cyclone IV, Cyclone V Synthesis Tool: Quartus Prime 16.0.0 Implementation Tool: Quartus Prime 16.0.0 Automated Optimization: ATHENa
FPGA Tools (1)
![Page 33: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/33.jpg)
33
For Benchmarking Targeting Xilinx Virtex 7 FPGAs: Target FPGAs: Virtex-7 Synthesis Tool: Xilinx Vivado 2015.1 Implementation Tool: Xilinx Vivado 2015.1 Automated Optimization: 25 Default Strategies of Vivado
FPGA Tools (2)
![Page 34: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/34.jpg)
34
Embedded Memories & DSP Units
• No embedded memories and no embedded DSP units allowed inside of • AEAD: for single-pass algorithms, and • AEAD-TP: for two-pass algorithms
• Their use eliminated using options of the respective tools (including, if necessary, the synthesis tool directives added to HDL code) • Without this approach
• Area = Resource Utilization Vector e.g. Area = (1056 Slices, 4 BRAMs, 67 DSP units) • No known way of comparing FPGA Resource Utilization Vectors • No way of calculating Throughput/Area
• Additional Benefit • Good correlation of the obtained results with the corresponding ASIC results, as demonstrated during the SHA-3 Competition. See http://eprint.iacr.org/2012/368, Section 9
![Page 35: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/35.jpg)
35
Dealing with I/O Ports
• No wrappers used • Ports of
• AEAD: for single-pass algorithms, and • AEAD-TP: for two-pass algorithms,
connected directly to I/O pins of a target FPGA • In case of a number of I/O pins exceeded, a larger FPGA device of a given family used. This step required only for
§ low-cost FPGA families AND
§ a few API compliant designs with the largest PDI/SDI/DO port widths, as well as
§ a few non-compliant designs with the full-block width interfaces.
![Page 36: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/36.jpg)
Results
![Page 37: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/37.jpg)
37
Performance Metrics
• Throughput/Area • Throughput
Primary:
Secondary:
• Area
High-Speed Designs Lightweight & High-Speed/Lightweight
Designs
• Throughput/Area • Area
Primary:
Secondary:
• Throughput
![Page 38: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/38.jpg)
38
Throughput Types • Authenticated Encryption Throughput • Authenticated Decryption Throughput
• Different only for § HS1-SIV § SHELL
• Authentication-Only Throughput • Different only for
§ AEZ § CLOC, SILC (by CLOC-SILC Team) § Deoxys, Joltik (by Axel & Marc) § HS1-SIV § OMD § PAEQ § SHELL
![Page 39: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/39.jpg)
39
Area Units
For Xilinx FPGAs: Target FPGAs: Virtex-6, Virtex 7, Spartan-6, Artix-7 Units of Area: LUTs (Look-up Tables)
Slices (1 Slice contains 4 LUTs, 8 registers & additional logic) For Altera FPGAs (other than Cyclone IV): Target FPGAs: Stratix IV, Stratix V, Cyclone V Units of Area: ALUTs (Adaptive Look-up Tables)
ALM (Adaptive Logic Modules)
For Altera Cyclone IV: Units of Area: Logic Elements (LE)
![Page 40: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/40.jpg)
40
Included in High-Speed Rankings
• Only Compliant with the CAESAR Hardware API (including the design for Keyak with |AD| ≤ 24 bytes)
• Key size ≥ 96 bits
• AES-GCM • PRIMATEs-GIBBON, PRIMATEs-HANUMAN • CLOC, SILC • 25 other Round 2 Candidates (all other except Tiaoxin & SHELL) = 30 algorithms
Algorithms & Their Variants:
Designs:
![Page 41: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/41.jpg)
41
Relative Results vs. [Absolute] Results
• Relative Results • Results divided by the corresponding results for AES-GCM, e.g.,
Relative Throughput of Candidate X = Throughput of Candidate X / Throughput of AES-GCM • Represent speed-up, area savings, efficiency improvement compared to AES-GCM • No units • 29 results reported (all results for AES-GCM by definition 1)
• [Absolute] Results (“Absolute” portion in the metric name optional) • “Regular” results for each candidate • Reported in the ATHENa Database of Results • Units appropriate to the given performance metric, e.g., Mbit/s for Absolute Throughput
![Page 42: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/42.jpg)
Virtex-6
42
![Page 43: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/43.jpg)
43
Results for Virtex 6 – Throughput vs. Area Linear Scale
![Page 44: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/44.jpg)
44
Results for Virtex 6 – Throughput vs. Area Logarithmic Scale
A
E, D
E, D
A
A
E, D
E
D, A E, D A
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughputs the same for all 3 operations
![Page 45: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/45.jpg)
45 Throughput/Area of AES-GCM = 1.020 (Mbit/s)/LUTs
Relative Throughput/Area in Virtex 6 vs. AES-GCM
E – Throughput/Area for Encryption D – Throughput/Area for Decryption A – Throughput/Area for Authentication Only Default: Throughput/Area the same for all 3 operations
![Page 46: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/46.jpg)
46
Relative Throughput in Virtex 6 Ratio of a given Cipher Throughput/Throughput of AES-GCM
Throughput of AES-GCM = 3239 Mbit/s
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughput the same for all 3 operations
![Page 47: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/47.jpg)
47
Relative Area (#LUTs) in Virtex 6 Ratio of a given Cipher Area/Area of AES-GCM
Area of AES-GCM = 3175 LUTs
![Page 48: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/48.jpg)
Virtex-7
48
![Page 49: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/49.jpg)
49
Results for Virtex 7 – Throughput vs. Area Linear Scale
![Page 50: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/50.jpg)
50
Results for Virtex 7 – Throughput vs. Area Logarithmic Scale
A
E, D
E, D
A
A
E, D
E, D A
E
D, A
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughputs the same for all 3 operations
![Page 51: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/51.jpg)
51 Throughput/Area of AES-GCM = 1.103 (Mbit/s)/LUTs
Relative Throughput/Area in Virtex 7 vs. AES-GCM
E – Throughput/Area for Encryption D – Throughput/Area for Decryption A – Throughput/Area for Authentication Only
![Page 52: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/52.jpg)
52
Relative Throughput in Virtex 7 Ratio of a given Cipher Throughput/Throughput of AES-GCM
Throughput of AES-GCM = 3837 Mbit/s
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughput the same for all 3 operations
![Page 53: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/53.jpg)
53
Relative Area (#LUTs) in Virtex 7 Ratio of a given Cipher Area/Area of AES-GCM
Area of AES-GCM = 3478 LUTs
![Page 54: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/54.jpg)
Stratix IV
54
![Page 55: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/55.jpg)
55
Results for Stratix IV – Throughput vs. Area Linear Scale
![Page 56: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/56.jpg)
56
Results for Stratix IV – Throughput vs. Area Logarithmic Scale
A
E, D
E, D
A
A
E, D
E, D
A
E
D, A
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughputs the same for all 3 operations
![Page 57: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/57.jpg)
57 Throughput/Area of AES-GCM = 0.786 (Mbit/s)/ALUTs
Relative Throughput/Area in Stratix IV vs. AES-GCM
E – Throughput/Area for Encryption D – Throughput/Area for Decryption A – Throughput/Area for Authentication Only
![Page 58: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/58.jpg)
58
Relative Throughput in Stratix IV Ratio of a given Cipher Throughput/Throughput of AES-GCM
Throughput of AES-GCM = 2987 Mbit/s
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughput the same for all 3 operations
![Page 59: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/59.jpg)
59
Relative Area (#ALUTs) in Stratix IV Ratio of a given Cipher Area/Area of AES-GCM
Area of AES-GCM = 3800 ALUTs
![Page 60: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/60.jpg)
Stratix V
60
![Page 61: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/61.jpg)
61
Results for Stratix V – Throughput vs. Area Linear Scale
![Page 62: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/62.jpg)
62
Results for Stratix V – Throughput vs. Area Logarithmic Scale
A
E, D
E, D
A
A
E, D
E, D
A
E
D, A
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughputs the same for all 3 operations
![Page 63: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/63.jpg)
63 Throughput/Area of AES-GCM = 1.093 (Mbit/s)/ALUTs
Relative Throughput/Area in Stratix V vs. AES-GCM
E – Throughput/Area for Encryption D – Throughput/Area for Decryption A – Throughput/Area for Authentication Only
![Page 64: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/64.jpg)
64
Relative Throughput in Stratix V Ratio of a given Cipher Throughput/Throughput of AES-GCM
Throughput of AES-GCM = 4310 Mbit/s
E – Throughput for Encryption D – Throughput for Decryption A – Throughput for Authentication Only Default: Throughput the same for all 3 operations
![Page 65: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/65.jpg)
65
Relative Area (#ALUTs) in Stratix V Ratio of a given Cipher Area/Area of AES-GCM
Area of AES-GCM = 3943 ALUTs
![Page 66: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/66.jpg)
66
Included in Preliminary Lightweight Rankings
• Only Compliant with the CAESAR Hardware API
• Any key size • Among 10 smallest in the majority of High-Speed rankings
Algorithms & Their Variants:
Designs:
• ACORN, AES-JAMBU, ASCON, Joltik, Ketje, Minalpher, • PRIMATEs-HANUMAN, PRIMATEs-GIBBON, SCREAM, TriviA-ck
![Page 67: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/67.jpg)
Spartan-6
67
![Page 68: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/68.jpg)
68
Results for Spartan 6 – Throughput vs. Area Linear Scale
![Page 69: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/69.jpg)
69
Results for Spartan 6 – Throughput vs. Area Logarithmic Scale
![Page 70: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/70.jpg)
70
Absolute Throughput/Area [(Mbit/s)/LUT] in Spartan 6
![Page 71: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/71.jpg)
71
Absolute Area [LUTs] in Spartan 6
![Page 72: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/72.jpg)
72
Absolute Throughput [Mbits/s] in Spartan 6
![Page 73: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/73.jpg)
Artix-7
73
![Page 74: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/74.jpg)
74
Results for Artix 7 – Throughput vs. Area Linear Scale
![Page 75: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/75.jpg)
75
Results for Artix 7 – Throughput vs. Area Logarithmic Scale
![Page 76: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/76.jpg)
76
Absolute Throughput/Area [(Mbit/s)/LUT] in Artix 7
![Page 77: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/77.jpg)
77
Absolute Area [LUTs] in Artix 7
![Page 78: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/78.jpg)
78
Absolute Throughput [Mbits/s] in Artix 7
![Page 79: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/79.jpg)
Cyclone IV
79
![Page 80: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/80.jpg)
80
Results for Cyclone IV – Throughput vs. Area Linear Scale
![Page 81: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/81.jpg)
81
Results for Cyclone IV – Enc/Dec Throughput vs. Area Logarithmic Scale
![Page 82: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/82.jpg)
82
Absolute Throughput/Area [(Mbit/s)/LE] in Cyclone IV
![Page 83: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/83.jpg)
83
Absolute Area [LEs] in Cyclone IV
![Page 84: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/84.jpg)
84
Absolute Throughput [Mbits/s] in Cyclone IV
![Page 85: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/85.jpg)
Cyclone V
85
![Page 86: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/86.jpg)
86
Results for Cyclone V – Throughput vs. Area Linear Scale
![Page 87: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/87.jpg)
87
Results for Cyclone V – Throughput vs. Area Logarithmic Scale
![Page 88: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/88.jpg)
88
Absolute Throughput/Area [(Mbit/s)/ALUT] in Cyclone V
![Page 89: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/89.jpg)
89
Absolute Area [ALUTs] in Cyclone V
![Page 90: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/90.jpg)
90
Absolute Throughput [Mbits/s] in Cyclone V
![Page 91: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/91.jpg)
ATHENa Database of Results
![Page 92: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/92.jpg)
92
• Available at http://cryptography.gmu.edu/athena
• Developed by John Pham, a Master’s-level student of Jens-Peter Kaps as a part of the
SHA-3 Hardware Benchmarking project, 2010-2012, (sponsored by NIST) • In June 2015 extended to support Authenticated Ciphers
ATHENa Database of Results
![Page 93: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/93.jpg)
93
Two Views
• Rankings View • Easier to use • Provides Rankings • Only the best representative of each family/ the best
variant shown (based on the ranking criteria) • Table View
• More comprehensive • Allows close investigation of all designs & comparative analysis • Geared toward more advanced users • On-line help
![Page 94: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/94.jpg)
94
Hints on Using the Rankings View • After each change of options, click on Update • If you want to return to the default settings, please click on FPGA Rankings, in the menu located on the left side of the page • If you want to limit the key size to a particular range, please choose the
option Key size: From <min> To: <max> • You can further narrow down the search by using
Min Area: Max Area: Min Throughput: Max Throughput:
![Page 95: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/95.jpg)
95
Hints on Using the Rankings View • For the results of High-Speed Benchmarking, choose Family:
§ Virtex 6 (default) § Virtex 7 § Stratix IV § Stratix V
• For the very preliminary results of Lightweight Benchmarking, choose Family:
§ Spartan 6 § Artix 7 § Cyclone IV § Cyclone V
![Page 96: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/96.jpg)
96
Hints on Using the Rankings View • You can switch between ranking criteria by using the option: Ranking: [X] Throughput/Area [ ] Throughput [ ] Area • Unit of Area: allows you to choose between two alternative units of area for each type of FPGA:
§ for Xilinx Virtex 6, Virtex 7, Spartan 6, and Artix 7: LUTs and Slices § for Altera Stratix IV, Stratix V, and Cyclone V: ALUTs and ALMs.
Please note that after each change a different variant may be used to represent a given family of authenticated ciphers.
The displayed variant is the best in terms of the current ranking criteria.
![Page 97: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/97.jpg)
97
Hints on Using the Rankings View • In order to include in the rankings any implementations that are
non-compliant with the CAESAR Hardware API, please mark under Hardware API: [X] Full-Block width (custom) on top of [X] CAESAR Hardware API v1
Please keep in mind that making this change may lead to an unfair ranking, as the non-compliant designs may
have an incomplete functionality, and typically do not support the
CAESAR API Communication Protocol
![Page 98: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/98.jpg)
98
One Stop Website
https://cryptography.gmu.edu/athena/index.php?id=download OR
https://cryptography.gmu.edu/athena and click on Download
• VHDL/Verilog Code of CAESAR Candidates: Summary I • VHDL/Verilog Code of CAESAR Candidates: Summary II • ATHENa Database of Results: Rankings View • ATHENa Database of Results: Table View • Benchmarking of Round 2 CAESAR Candidates in Hardware:
Methodology, Designs & Results [this presentation] • GMU Implementations of Authenticated Ciphers and Their Building
Blocks • CAESAR Hardware API v1.0
![Page 99: Benchmarking of Round 2 CAESAR Candidates in Hardware ... · • No full support for the CAESAR API Protocol • No verification using a full set of test vectors • Large number](https://reader034.vdocuments.mx/reader034/viewer/2022042215/5ebcca8c020be9738e11fa94/html5/thumbnails/99.jpg)
Comments?
Thank you!
99
Questions?
Suggestions? ATHENa: http://cryptography.gmu.edu/athena
CERG: http://cryptography.gmu.edu