Abstract
This paper describes a Heterogeneous Confidential Computing (HCC) system composed of a CPU Trusted Computing Environment and a hardware accelerator. We implement two AES-GCM hardware engines with high bandwidth and low latency that are designed for end-to-end encryption of DMA transfers. Our solution minimizes changes to the hardware platform and to the application and software stack. We prototyped protected image classification with the proposed encrypted DMA on an Intel Arria-10 FPGA and report its performance.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Kida, L., Desai, S., Trivedi, A., Lal, R., Scarlata, V., Ghosh, S. (2020). HCC: 100 Gbps AES-GCM Encrypted Inline DMA Transfers Between SGX Enclave and FPGA Accelerator. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science, vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_16
DOI: https://doi.org/10.1007/978-3-030-61078-4_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61077-7
Online ISBN: 978-3-030-61078-4
eBook Packages: Computer Science, Computer Science (R0)