the university of north carolina at chapel hill cryptography on graphics processors francisco...

The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL

Cryptography on Graphics Processors

Francisco ChinchillaCOMP 290-GPGP Presentation


Papers

“Brute Force Attack on UNIX Passwords with SIMD Computer”

Gershon Kedem and Yuriko Ishihara, Computer Science Department, Duke University. Usenix ’99 Security Symposium

"CryptoGraphics: Secret Key Cryptography Using Graphics Cards"

Debra L. Cook, John Ioannidis, Angelos D. Keromytis, and Jake Luck, Columbia University. To appear in the Proceedings of the RSA Conference, Cryptographer's Track (CT-RSA). February 2005, San Francisco, CA.

Remotely-Keyed CryptographicsDebra L. Cook, Ricardo Baratto, and Angelos D. Keromytis, Columbia University.


Outline

Quick Tour of CryptographyBrute force password hacking using PixelFlowImplementing Cryptographic systems on a GPUUsing GPU based cryptographic systems in remote keyed systems in unfriendly environmentsConclusions


Cryptography Basics

Two functions of two variables

E(keye, text) encrypts

D(keyd, E(keye, text)) decrypts

If keye==keyd cryptosystem is called symmetric, otherwise it’s asymmetricWe’ll deal with symmetric


Cipher Types

Block CipherEncrypts fixed-size blocks of data

Stream CipherEncrypts input data one bit (sometimes one byte) at a timeUseful for data with unknown length

Stream ciphers are faster in hardware, but slower in software than block ciphersBoth use XOR heavily


Attacks to Break Encryption

Techniques usedDifferentialLinearBrute Force

Underlying methodsChosen PlaintextCiphertext-onlyKnown Plaintext

GoalsFind a passwordFind the key


DES

Block cipherDeveloped by IBM, made a FIPS in ‘76Uses only 56-bit keys, not 64, not 128, possibly due to NSADesigned against differential cryptoanalysis, a ‘new’ (not to IBM nor NSA) field of cryptography in the late 1980’s. Takes 2^47 chosen plaintexts to break.Not designed against linear cryptoanalysis. Takes 2^39-2^44 known plaintextsBroken in 56 hours by EFF $250k machine in 1998


DES Encryption Details

Subkey(48 bits)

The Feistel (F) function

Key Schedule


DES – Other Boxes

http://en.wikipedia.org/wiki/Substitution_box

http://en.wikipedia.org/wiki/DES_supplementary_material


Crypt

A variation of the DES algorithmUsed to encrypt Unix passwordsSample invocations:

crypt(password)=pajXG3p8vEaokcrypt(God)=GoqTni0y.7CH2crypt(sex)=se8lvCoF9FQE.crypt(money)=moIzVjU7RTRr6crypt(love)=loYMPnrPlj9gk


AES

Competition to replace DES FIPSCompetition won by RijndaelAES is fast in both SW and HWRelatively easy to implementRequires little memory


AES 128-bit Details

AES operates on a state, a 4×4 array of bytes. For encryption, each round of a total of 10 consists of four stages:

SubBytes — a non-linear substitution step where each byte is replaced with another according to a lookup table, an S-block. This is the non-linear step.ShiftRows — a transposition step where each row of the state is shifted cyclically a certain number of steps. MixColumns — a mixing operation which operates on the columns of the state, combining the four bytes in each column using a linear transformation. This is the “Diffusion” step and is omitted in the final round!AddRoundKey — each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.


RC4

Stream cipherDesigned by Ron Rivest in ’87In 1994 a description was anonymously posted, which lead to ARCFOURIn 2001 it was found that the first 256 bytes of the output were non-random (this leads to one big vulnerability in WEP)Unusually simpleRequires only byte-length manipulations


RC4 - details

for i from 0 to 255 S[i] := i j: = 0 for i from 0 to 255 j := (j + S[i] + key[i mod l]) mod 256 swap(S[i],S[j])

pseudo-random gen. algorithm (PRGA)

i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(S[i],S[j]) output S[(S[i] + S[j]) mod 256]

Key Scheduling Algorithm (KSA)Encrypt(bits, key){

S = new byte[256];

KSA(key,S);

randomBits = PRGA(S);

for i=0 to length(bits)-1{

bits[i] = XOR(bits[i],randomBits[i])

}

}

Decrypt(bits, key){ Encrypt(bits, key) }

RC4


PixelFlow Unit


Processing Element


PixelFlow


Password Hacking

Two full chassis=18 SIMD Arrays=147,456 PE’sFind the key used to encrypt a stream of bytes using RC4Check Unix passwords


Password Hacking Results

Each PE checks 1,000 RC4 keys in 3.75s = 38.8M/s for the systemEach PE checks 1,000 crypt passwords in 6s =24.6M/s for the systemSystem encrypts 614M DES passwords/second


Secret Key Cryptography

Test capability of XOR on different cards using different ciphers

RC4AES

Used OpenGL and GLUT, no CGDid not use ‘the latest greatest’ cardsBasic steps

Disable dithering!Copy pixels between coordinates, with colormapping and XOR on or off

Why colormaps?


Test systems

Note: 256KB RAM = 256 MB RAM?


RC4 on a GPU

Random bit stream must be precomputedSimply load the bit stream and the data to the GPU and then perform the XOR


RC4 Comparisons (includes all data transfers)


AES on a GPU

Key schedule is not done on GPUOnly store 1 byte of data in each pixel(De/En)crypts 4*n blocks simultaneously, given that the data is stored in n pixelsTested against reference and optimized CPU implementations


AES on GPU data layout


AES Encryption Rates


Cryptography on GPU -Conclusions

Performance isn’t great, now what?GPU’s can still offload some cycles off the CPU?• Not really, the CPU was still fully utilized

Look for a new application, like video system described in their next paper

ResolutionRequired

MB/sGeForce3 RC4

Radeon 7500 RC4 TNT2 RC4

320x200@10fps 1.92 pass pass pass

320x200@15fps 2.88 pass pass pass

1280x1024@10fps 39.25 pass maybe fail

1280x1024@15fps 58.9 pass fail fail


Remotely Keyed Cryptographics

Extend their previous workRC4 can be used to sustain rates that are ok for live videoThe video is not susceptible to attacks from within the OSFinally? explained why they didn’t use CG:

“Higher level languages do not allow the developer to specify which OpenGL commands are utilized when there are multiple ways of implementing a function via OpenGL commands and do not even guarantee the operations will be transformed into OpenGL commands but instead may transform it into C code… that may be executed on the OS and not using OpenGL.”


Regarding compression and transmission

Encrypted data doesn’t compress100 Mbps = 16.7 500x500 RGB frames/sIf you know about the RFP protocol (used in VNC) or MPG video, you know that the entire screen isn’t necessarily updated from frame to frame, only the sections that need it


System Overview


Session Overview


Test systems (again)

Note: 256KB RAM = 256 MB RAM?


Test results


Remote Keyed Cryptography- Conclusion and Comments

99% of time taken on GPU is writing the keystreamRates still good for thin-clientsGreat for encrypting very sensitive images in a system that is not completely trusted


Presentation Conclusion

GPU’s can have lots and lots of FLOPsCan we find applications that use them as the main PU?As a co-processor to offload cycles?If we fail, can we apply a different twist or find a special case/market of the setting where we had failed previously?


Discussion

Could make the performance of these algorithms better if we could use fragment programs for example?


Additional References

Wikipedia lots and lots of info and images taken from here

PixelFlow WebsiteIn particular:Eyles, John, Steven Molnar, John Poulton, Trey Greer, Anselmo Lastra, and Nick England, "PixelFlow: The Realization", Proceedings of the Siggraph/Eurographics Workshop on Graphics Hardware, Los Angeles, CA, August 3-4, 1997, 57-68.

the university of north carolina at chapel hill cryptography on graphics processors francisco...

Documents