
Bachir Babale

CSEP590tu
03/05/2006
CryptoGraphics: Cryptography using Graphics Processing Units
Moore's law is commonly taken to characterize the exponential growth in the performance of the central processing units (CPUs) used in computers over the last three decades (strictly, it describes transistor count rather than speed). It is often interpreted as predicting that processor speed doubles every eighteen months. Over the last decade, graphics processing units (GPUs), a more specialized breed of chip, have become commonplace in computers. Driven by competition and strong demand from the gaming industry, GPU speed is currently doubling every six months, roughly three times the pace of Moore's law. The raw speed and highly parallel nature of graphics processors are driving their increased adoption for general purpose computing. The algorithmic cost of cryptographic primitives often turns them into real or perceived bottlenecks; GPUs present an opportunity to offload cryptographic processing from the CPU. Furthermore, porting cryptographic algorithms to graphics chips would enable a new class of applications that display sensitive content on untrusted terminals or operating systems. First we will explore the motivations behind using GPUs for cryptography, and describe how GPU application programming interfaces (APIs) can be used for that purpose. We will then investigate the applicability of GPUs to implementing known stream and block ciphers. Third, we will review prototypes of potential applications and the associated protocols. Finally, we will describe required enhancements to current GPU APIs as well as industry initiatives that could help CryptoGraphics, cryptography using GPUs, become a reality.
Security has become essential to software in an increasingly connected world. The building blocks of cryptography are widely used for a broad range of applications, from online banking to digital rights management for music and video. The significant overhead that cryptographic algorithms impose on the systems that use them has led over the years to the emergence of hardware accelerators for those algorithms. It is also common for developers to take advantage of special instructions available in some CPUs, such as the MMX instruction set. However, CPU clock speed improvements have slowed considerably since 2003. Performance increases since then have mostly come from increased parallelism with the appearance of multi-core chips. GPUs turn out to already be highly parallel, with more than twenty-four fragment shading pipelines on current GPUs compared to only two cores on common CPUs. Furthermore, GPUs support hundreds of hardware threads, compared to the one or two hardware threads supported on CPUs. Also, high-end graphics chips like Nvidia's G70 can process up to 150 billion floating point operations per second (GFLOPS), while the high-end Intel Pentium 4 is limited to under 10 GFLOPS. The comparatively high theoretical raw power of GPUs, added to their ubiquitous presence in computers, personal digital assistants (PDAs), and cell phones, driven by games, makes GPUs an attractive platform onto which to offload the system resources used for cryptography.
Beyond freeing CPU resources, implementing ciphers within the GPU would allow images to be encrypted and decrypted without ever writing the image as plaintext to system memory. Cryptography inside the GPU would enable the development of systems in which the GPU is the only trusted component. Cook, Ioannidis, Keromytis, and Luck introduced CryptoGraphics, and Cook, Baratto, and Keromytis proposed applications built on it for secure video conferencing and thin-client terminals on spyware-infested systems. The same paradigm would also offer a solution to the problem of securely sharing high-resolution three-dimensional models of art pieces, researched by Koller et al.
Cook et al. used OpenGL, a cross-platform GPU API, to program the GPU pipeline. A pixel, the smallest complete sample of an image, is 32 bits wide, with one byte of data stored in each pixel component; the pipeline's internal arithmetic treats those components as floating point values. GPUs commonly support two pixel formats, Red-Green-Blue (RGB) and Red-Green-Blue-Alpha (RGBA), whose names list the byte-wide components that make up the pixel. The pixel processing pipeline also contains back and front buffers, used respectively for off-screen processing of data and for displaying images on the screen. The OpenGL commands used to port cryptographic algorithms to GPUs consist of copying pixels between coordinates, with color mapping and the logical exclusive or operation (XOR) enabled or disabled. It is important to note that, unfortunately, those operations are currently among the slowest operations available on a GPU.
The most common form of stream cipher is the synchronous binary additive stream cipher. In this type of cipher, a stream of pseudo-random digits is generated independently of the plaintext and ciphertext and then combined with the plaintext for encryption, or with the ciphertext for decryption, using the logical XOR operation. GPUs have the benefit of being able to XOR many pixels concurrently. Furthermore, pre-computed segments of the key stream can be stored in an array of bytes, read into the GPU's memory, and treated as a collection of pixels. The data to be encrypted or decrypted is similarly stored and loaded into the GPU at the same area of memory as the key stream segment, with the logical XOR enabled. The result can then be retrieved from that area of GPU memory and handled accordingly; when decrypting data in a secure display application it would be copied to the front buffer for display. The number of plaintext bytes that can be processed at a time is three or four times the number of pixels in the back buffer, depending on whether RGB or RGBA is used. Cook et al. note in their experimental results that with a 50x50 pixel area the encryption and decryption rates are significantly lower than with larger areas, because a greater share of the time is spent moving data to and from system memory. The benefit of the GPU's parallelism is therefore diminished if the data to be processed is too small. Cook et al. reach a XOR processing rate of 105.0 MB per second for a 600x600 pixel area on the GPU, which is about 75.5% of the best rate achieved by a C program on the CPU.
Turning our attention to block ciphers, we find that the bit-level operations used in symmetric key ciphers, such as shifts and rotates, are not readily available through the GPU APIs. While some operations, such as defining pixel masks and using multiple copy commands to rotate single bytes, can be performed on a GPU, others, such as shifts across multiple bytes and table lookups indexed by specific bits, prove more difficult. Cook et al. evaluate whether the Advanced Encryption Standard (AES) can be represented in a form suitable for GPU implementation. The standard representation of the 128-bit-block AES round function for encryption is a 4x4-byte matrix to which the SubBytes, ShiftRows, MixColumns and AddRoundKey operations are applied. A faster implementation operates on 32-bit words and reduces the AES round function to four table lookups and four XORs per word. Cook et al. determine that there is no straightforward OpenGL implementation of the standard AES round function. Moreover, OpenGL lacks a 32-bit data structure, which rules out the form of the algorithm with four table lookups and four XORs: although the RGBA format is 32 bits wide, a color map cannot be indexed by a 32-bit value. However, they define an intermediate, byte-oriented representation of AES that stores three tables holding 1, 2, and 3 times the S-Box entries (the coefficients of a MixColumns row); a series of table lookups and XORs then implements AES entirely with color maps and pixel copies. Notice that this representation processes data as individual bytes instead of 4-byte words. Yet the implementation allows 4n blocks to be processed simultaneously, where n is the number of pixel rows used for the data and may be as large as the maximum pixel height supported by the GPU.
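The three-table form described above, as an added example in Python that is not code from Cook et al.: the equation they give does not survive on this page, so the round is derived here from the MixColumns coefficients (2, 3, 1, 1) rotated for each row, which is where the 1x, 2x and 3x S-Box tables come from. A standard SubBytes/ShiftRows/MixColumns/AddRoundKey implementation sits beside it so the two can be checked against each other and against the FIPS-197 Appendix C.1 test vector; the S-Box is generated from its definition rather than typed in. This is the sequential byte-level logic only; the GPU version would run the same lookups over many pixels per command.

```python
"""AES-128 encryption two ways: the standard 4x4-byte round and the
byte-oriented three-table form used for the OpenGL implementation."""


def _xtime(a):
    """Multiply by x (0x02) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def _gmul(a, b):
    """Multiply two field elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _make_sbox():
    """Derive the S-Box from its definition: field inverse, then affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gmul(x, y) == 1)
        s, b = inv, inv
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _make_sbox()
# The three byte-indexed tables of the GPU representation: 1x, 2x and 3x S(x).
T1 = SBOX
T2 = [_gmul(s, 2) for s in SBOX]
T3 = [_gmul(s, 3) for s in SBOX]


def expand_key(key):
    """AES-128 key schedule; returns 11 round keys of 16 bytes (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _shift_rows(s):
    """State byte index is row + 4*column; row r is rotated left by r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def encrypt_reference(block, round_keys):
    """Standard round: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != 10:                      # the final round skips MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                          a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                          a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                          _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]
    return bytes(s)


def encrypt_three_tables(block, round_keys):
    """Byte-oriented round: every output byte is a few table lookups and XORs,
    which is all the OpenGL colour-map-and-copy primitives can express."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        a = _shift_rows(s)                 # SubBytes commutes with this byte move
        out = []
        for c in range(4):
            col = a[4 * c:4 * c + 4]
            for r in range(4):
                if rnd == 10:              # final round: S-Box only
                    v = T1[col[r]]
                else:                      # MixColumns row r is (2,3,1,1) rotated by r
                    v = (T2[col[r]] ^ T3[col[(r + 1) % 4]]
                         ^ T1[col[(r + 2) % 4]] ^ T1[col[(r + 3) % 4]])
                out.append(v ^ round_keys[rnd][r + 4 * c])
        s = out
    return bytes(s)


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector
    rk = expand_key(bytes.fromhex("000102030405060708090a0b0c0d0e0f"))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_reference(pt, rk).hex(), encrypt_three_tables(pt, rk).hex())
```

Both functions print 69c4e0d86a7b0430d8cdb78070b4c55a. Every operation inside `encrypt_three_tables` is either a byte lookup in a 256-entry table or a byte XOR, which is why it maps onto color maps and XOR-enabled pixel copies; it is also why the OpenGL version issues one command per elementary operation.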
0he ,"en.< im"lementation o$ 3ES %3ES8.<' was measure to ha(e an
encry"tion rate o$ a+out 50A com"are to the stanar 3ES im"lementation %3ES8C;'-
+ut only 2)=A com"are to the o"timize im"lementation %3ES8C2') Sur"risin#ly- the
CP& usa#e $or all three im"lementations is ;00A) 0his woul only +e e!"ecte $rom
3ES8C; an 3ES8C2- +ut woul not +e e!"ecte $rom 3ES8.< as one o$ the moti(ations
$or cry"to#ra"hy in the .P& was o$$loain# system resources $rom the CP&) 0he hi#h
CP& usa#e can +e attri+ute to the sim"licity in which 3ES is re"resente- as a sin#le
,"en.< comman resulte in one 3ES o"eration +ein# "er$ormeE a ta+le looku" or
6,@in# o$ +ytes)
Even though AES-GL is slower than AES-C, the fact that symmetric key ciphers can be implemented within a GPU shows that images can be encrypted and decrypted without the image ever existing outside the GPU in unencrypted form. As mentioned earlier, potential uses of this paradigm include secure streaming video and visualization applications in which the data is never available as plaintext to the operating system. To be thorough, performing cryptography in the GPU also raises a few issues such as compression and traditional image enhancements like dithering. Compression routines are increasingly supported by graphics processors, and features like dithering can generally be disabled; they must be, because any step that perturbs pixel values would corrupt ciphertext or key stream bytes that happen to be stored as pixels. The GPU also needs to be locked to prevent other processes from accessing GPU memory.
Cook an al) e(elo"e a "rototy"e $or a secure remote is"lay usin# the systems
.P& as the only truste com"onent in a s"yware8sa$e system) 4hile it is "ossi+le to
3
im"lement some symmetric key ci"hers such as 3ES in ,"en.<- the "er$ormance is "oor
ue to the num+er an ty"es o$ o"erations re5uire1 which le them to im"lement as
many o"erations as "ossi+le within the .P& an con$ine the remainin# ones to a C
"ro#ram in orer to illustrate their conce"t) 0he system is com"ose o$ a ser(er- a "ro!y
%smartcar an reaer'- an a client- all communicatin# o(er an untruste network) *t is
assume that the .P& contains a "re8installe certi$icate an "ri(ate key- which is
currently not commonly a(aila+le) Commans to the .P& are issue +y so$tware runnin#
on the o"eratin# system1 it oes not howe(er ha(e access to the keys an ata containe
insie the .P&) 0hrou#h the system- the ata sent +y the ser(er remains encry"te until it
enters the .P& where it is ecry"te an is"laye) Cook an al) re5uire the ecry"tion
key to chan#e on a "er8session an a""lication +asis- so it must +e con(eye to the .P&
in a manner that "re(ents the clients o"eratin# system $rom #ainin# access to it)
The need for a dynamic session key leads them to define an authentication and key exchange mechanism. Either by establishing a session key with the GPU or by using the GPU's public key, the server encrypts the secret session key and sends it to the GPU via the client. When the user must be authenticated, the server instead conveys the secret key to the GPU via the proxy; re-encrypting the key from the server-proxy session to the proxy-GPU session exposes it only to the smartcard, which is beyond the reach of the operating system. The remote keying protocol therefore requires an asymmetric encryption algorithm, yet GPU APIs lack support for the operations public key ciphers need, such as modular arithmetic on large integers. In addition, the GPU certificate must be installed in the GPU without exposing the private key to the operating system.
Beyond authentication, a complete system would also have to protect any user input on the thin client that is sent to the server. Cook et al. propose encrypting keyboard input inside the keyboard itself. They also note that the chosen cipher must be efficiently implementable on the server. The described system leaves room for a man-in-the-middle attack: an attacker with another system whose GPU holds a valid certificate can perform the key exchange with the proxy device and then display the encrypted stream on that other system. This is possible because the proxy cannot verify that the GPU it is communicating with resides on the same system as the end user. On the other hand, the attacker cannot extract the decrypted image from its own GPU's frame buffer, so it cannot relay the stream to the target system, and the blank display makes the attack obvious to the end user. Note that this is detection rather than prevention: whatever the server sends before the user notices has already been shown on the attacker's screen.
0he e!"erimental system re(eale that the actual com"utation o$ the key stream
"er $rame- ena+lin# the lo#ical o"eration o$ 6,@ in the .P& an swa""in# o$ +u$$ers-
takes less than ;ms $or 500!500 $rames) 2or a (ieo con$erencin# a""lication- the
esira+le rate o$ 2= $"s $or hi#h 5uality (ieo was within reach with the ser(er an client
a""lication hoste on the same machine) 7owe(er- the minimum acce"ta+le rate o$ ;0 $"s
re5uire was not met o(er a <39 connection +etween the en entities) Cook an al) hint
that the remote streamin# a""lication howe(er was not +uilt usin# a streamin# meia
"rotocol like @0P- +ut instea use 0CP which woul account $or some o$ the elay- rate
o$ transmission- an loss o$ "acket o+ser(e) *n the case o$ a thin8client a""lication- the
rate o$ u"ates is e"enent on user re5uests which are s"oraic) 4hen testin# the
a(era#e thin8client size u"ate o$ 2-;;2 "i!els- the client can "rocess o(er 500 u"ates
"er secon1 inicatin# that the ecry"tion o(erhea an the .P& are not limitin# $actors
=
$or small u"ates) 3ccorin# to the e!"eriment $inin#s- the increase elay when the
entire is"lay chan#es are ty"ically in$re5uent an $rom the users "ers"ecti(e are no
worse than loain# o$ some we+"a#e or a""lications)
While Cook et al. offer a compelling proof of concept, a number of critical pieces are missing before CryptoGraphics can become a mainstream reality. To enable the public key ciphers needed for the authentication protocol, the GPU must provide a way to perform modular multiplication on large integers. Moreover, remote keying and key stream generation require a mechanism for using the content of a pixel as a parameter to an OpenGL command without first reading the pixel value back from the GPU (reading it back would expose the key to the operating system).
The need to support public key ciphers within the GPU has recently received the backing of industry-leading companies, which might help make CryptoGraphics a reality sooner rather than later. Microsoft Corp. has recently published a specification for a new Output Content Protection feature in Windows Vista, the next generation of the Windows operating system. The specification describes a Protected Video Path for the User Accessible Bus, dubbed PVP-UAB. It is intended to ensure that information passing over the system bus cannot be snooped or copied at the hardware level, by encrypting all premium media content with a simplified form of 128-bit AES encryption. The operating system must verify that a valid graphics subsystem is present, to avoid sending content to an attacker's emulation device. For PVP-UAB support, unique per-chip keys are allowed but not required, since provisioning them would be expensive for hardware manufacturers. Instead, authentication of the GPU may rely on the complexity of modern graphics chips, which have a large number of gates and an intricate state model: the device driver asks the hardware complex questions and checks the answers. A practitioner should treat this with caution; without a unique per-device secret, a shared key or a faithful emulator is a class break that defeats every device at once. For PVP-UAB compliance, graphics chips are required to implement MPEG2 and Windows Media 9 decoding as well as 2048-bit Diffie-Hellman. PVP-UAB is planned for deployment a year after the initial release of the operating system, and, as described in its specification, would provide the missing building blocks for CryptoGraphics identified earlier by Cook et al.
The work of Cook et al. indicates that a suitably modified GPU can serve as the base of a trusted computing platform for certain kinds of viewing applications, such as video conferencing and remote desktop access. Moreover, GPUs can relieve the CPU by applying stream ciphers to large segments of data simultaneously while keeping key material and plaintext out of system memory. The advent of PVP-UAB would give GPU-based cryptography the means to perform authentication as well as practical compression. The overall performance of currently known ciphers in the GPU would nonetheless remain a limiting factor, which points to the need for ciphers designed to exploit the capabilities of modern GPUs.
References:
1) CryptoGraphics: Secret Key Cryptography Using Graphics Cards
Debra L. Cook, John Ioannidis, Angelos D. Keromytis, Jake Luck
http://www1.cs.columbia.edu/~cook/pubs/CTRSA-corrected.pdf
2) Remotely Keyed CryptoGraphics: Secure Remote Display Access Using (Mostly) Untrusted Hardware
Debra L. Cook, Ricardo Baratto, Angelos D. Keromytis
http://www.ncl.cs.columbia.edu/publications/icics2005.pdf
3) Protected Interactive 3D Graphics Via Remote Rendering
David Koller, Michael Turitzin, Marc Levoy, Marco Tarini, Giuseppe Croccia
http://graphics.stanford.edu/papers/protected/protected.pdf
4) GPGPU IEEE Visualization 2005 Tutorial
http://www.gpgpu.org/vis2005/
(accessed 03/05/2006)
5) Output Content Protection and Windows Longhorn
http://www.microsoft.com/whdc/device/stream/output_protect.mspx
(accessed 03/05/2006)
