On-Chip-Network Cryptosystem: a High Throughput and High Security Architecture Chung-Ping Young and Chung-Chu Chia
Liang-Bi Chen and Ing-Jer Huang
Dept. of Computer Science and Information Engineering National Cheng Kung University Tainan, Taiwan, R.O.C.
[email protected];
[email protected]
Dept. of Computer Science and Engineering National Sun Yat-Sen University Kaohsiung, Taiwan, R.O.C.
[email protected]
Abstract—The nanoscale technology makes the design concept of the sea of processors possible in the coming billion transistor era for high performance implementations. In order to solve the scalability, complexity and timing problem of the communication between these processors in a large scale SoC (System on a Chip) implementation, the NoC (Network on a Chip) or OCN (On-Chip Network) paradigm, a replacement for traditional global buses or wires. Since security-related processing can consume as much as 95 percent of a server's processing capacity, in order to enhance the processing speed of cryptosystem, OCNC (on-chip-network cryptosystem), a novel cryptographic architecture based on a group of pipelinescheduled crypto-processors which encrypts the plaintext or decrypts the ciphertext through a packet switching interconnection, is introduced in this paper. OCNC is capable of integrating heterogeneous crypto-processors configured with different algorithms, block size, and key size to work in an efficient way.
I.
INTRODUCTION
NoC has been proposed as a promising solution to the increasing problems of deep submicron effects under timing, area, and low power constrains by replacing global wires and on-chip buses with packet switching networks which provides a good scalability. In this paper, we propose an OCNC architecture based on a packet switching interconnection for data cryptography as shown in Fig.1. EEs (Encryption Elements), DEs (Decryption Elements), CPE (Ciphertext Processing Element) and PPE (Plaintext Processing Element) are connected via an on-chip network for encrypting or decrypting the data sent to OCNC. Each EE or DE in OCNC is a configurable cryptographic processing element introduced in recent literatures [3][4]. In our proposed architecture, since the performance is dominated by the scheduling scheme and the number of processing elements, EE or DE is neither restricted to a microcontroller nor restricted to a dedicated hardware implemented for a cryptosystem. OCNC is promising in providing an interconnection to integrate many heterogeneous EEs, as well as DEs, for implementing a high throughput and high security cipher architecture capable of being configured in each EE or DE with different cipher algorithm, key size and block size at the same time.
information technologies today. The former uses a same private key to encrypt and decrypt the input data. The latter uses an open public key to encrypt the plaintext and require a different private key to decrypt the ciphertext. Secret-key ciphers have the advantage of running as much as 1000 times faster than comparable public-key ciphers [5] while publickey ciphers have the advantage of being able to establish a secure communication channel without an unsafe exchange of keys. To maximize security and performance, most secure protocols use a so-called public-secret key cryptography. Public-key ciphers are used at the start of a session to authenticate communicating parties and to securely distribute a shared secret key. The remainder of the session employs efficient secret key algorithms using the private key exchanged during authentication. Therefore, the private key ciphers dominate the performance in a secure communication. In our proposed cryptographic architecture based on a NoC platform, we will concentrate on two issues. The first issue is how to schedule the configurable cryptographic elements in order to upgrade the throughput in private-key ciphers with compound algorithms and diverse encrypting time. The second issue is how to build a compact NoC interconnection suitable for the communication feature mentioned in the first issue. The PPE at the right hand side of Fig.1 is responsible for two jobs. First, it slices the input plaintext into N units and packs them with a header for sending them to each EE. Second, it receives the decrypted packets from DEs and removes the headers of those packets before sending them out from OCNC. The CPE at the left hand side of Fig.1 does the same jobs as PPE except that the data processed by CPE is ciphertext.
Ciphertext Input/output
In Fig.1, an EE, as well as a DE, numbered in j (j=0, 1, 2,…, N-1) can be configured with [Aj, Bj, Kj] which represents the algorithm, block size and key size configured for EEj . Secretkey ciphers and public-key ciphers are commonly used in
978-1-4244-2342-2/08/$25.00 ©2008 IEEE.
EEn-1
EEn-2
EEn-3
[An-1, Bn-1, Kn-1]
[An-2, Bn-2, Kn-2]
[An-3, Bn-3, Kn-3]
…
EE2
EE1
EE0
[A2, B2, K2]
[A1, B1, K1]
[A0, B0, K0]
OCN interconnection
CPE
DEn-1
DEn-2
DEn-3
[An-1, Bn-1, Kn-1]
[An-2, Bn-2, Kn-2]
[An-3, Bn-3, Kn-3]
…
PPE
DE2
DE1
DE0
[A2, B2, K2]
[A1, B1, K1]
[A0, B0, K0]
Fig. 1. The OCNC architecture
1276
Authorized licensed use limited to: Univ of Calif Irvine. Downloaded on February 19, 2009 at 18:37 from IEEE Xplore. Restrictions apply.
Plaintext Input/output
Fig. 2. Encrypting burst
In the process of encrypting, each unit of plaintext can be encrypted by a designated EE. Since DE j [EE j (X j )] = X j , in the process of decrypting, an unit of ciphertext encrypted by a designated EE can be recovered by a correspondent DE as expressed in equation (1). DE(Y) =
N −1
∑ j= 0
=
N −1
∑X
j
DE j (Y j ) =
N −1
∑ DE
j
[EE j (X j )]
j= 0
Fig. 3. Random scheduling of encrypting elements
(1)
= X.
j= 0
It concludes that the ciphertext is recoverable in the architecture of OCNC. II.
ENCRYPTING ELEMENT SCHEDULING
In the following subsections, due to the reason that the encrypting process and decrypting process are the same, we will discuss the scheduling algorithm for encrypting elements only. Furthermore, since we will focus on the scheduling scheme of the cipher processing elements, the overhead delay of the network component will be considered comparative small and skipped when comparing with the packet transmission time. A. Encrypting burst We define an encrypting burst (Rj + Ej) shown in Fig.2. Rj represents the receiving time for the sliced plaintext Xj. Ej represents the encrypting time of EEj for Xj. When an encrypting burst is ended, the ciphertext will be sent out to CPE in Tj. Rj , Ej and Tj are all measured in cycles. Let us suppose that we have an ordered set of N encrypting bursts for OCNC, {R0+E0, R1+E1, R2+E2, …,RN-2+EN-2, RN1+EN-1}, where R0+E0
