Abstract

NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800MHz Cortex A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 624846 cycles (1280/second) to verify a signature, and 244655 cycles (3269/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.

Keywords

vectorization-friendly cryptographic primitives, efficient software implementations, smartphones, tablets, there be dragons


Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Daniel J. Bernstein (1)
  • Peter Schwabe (2)

  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Research Center for Information Technology Innovation and Institute of Information Science, Academia Sinica, Taipei, Taiwan
