[Cryptography] Specialized crypto processor architectures ?

Thierry Moreau thierry.moreau at connotech.com
Wed Mar 28 10:44:15 EDT 2018 

Is this post about instruction set architecture for some algorithm or 
about isolation of "secure" computations in a modern processor 
implementation? See more comments in-line.


On 27/03/18 04:46 PM, Henry Baker wrote:
> OK, if we're going to have to incorporate a separate
> crypto processor on each SoC, then what would be a
> good architecture for such a processor?
>
> Essentially all of these crypto "enclaves" appear to
> be derivatives of existing designs, and as such, they
> inherit most/all of the vulnerabilities of the parent
> architectures -- e.g., the recent Intel enclave HW/SW
> debacle.
>

I guess that those vulnerabilities are intrinsic to two broad classes of 
challenges: an API for a crypto module, and side channel leakage.

> If we're going to have to have a separate processor,
> why not a processor *specialized* for crypto?  I.e.,
> very wide data words -- 512 bits?  1024 bits?  2048
> bits?  4096 bits?  (Think ICL DAP or Pratt's boolean
> vector machines.)
>
> With a Harvard architecture, there's no need for
> instructions to use either the same memory or the
> same word size.  Indeed, I don't see much need for
> byte addressable data memory at all.  [We could
> even bring back Intel's iAPX432 bit-aligned
> instructions!  :-) ]
>
> It's not clear that the data memory for such a
> crypto processor needs to be all that large, so
> perhaps no cache, but instead a large directly
> addressable data memory?
>
> Instructions would likely be VLIW, except that
> the instruction cache should be managed by the
> compiler, in order to eliminate non-determinism.
>
> With very large data paths -- including very
> large ALU's -- there's less need for high clock
> rates, and high clock rates would drive up power
> requirements.
>
> We could go back to an extremely simple (very
> short pipelines) -- and extremely *deterministic*
> -- instruction execution regime, with perhaps the
> first fully deterministic instruction timing in
> 30 years.
>
> With today's on-chip memory sizes and today's
> on-chip capabilities for wide data paths, a
> lot of the constraints limiting performance
> of deterministic machines have been lifted,
> at least for this class of computations.
>

Then what? The economics of fielding a new processor architecture makes 
this attempt at reducing side channel vulnerabilities not feasible.

I see the "open source HSM" model with application agility as a more 
promising research avenue (put both the critical crypto and application 
logic in a device on which the end-user has more control than with 
features-rich computing devices).

Regards,

- Thierry

> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>

More information about the cryptography mailing list