A. Murat Fiskiran and Ruby B. Lee, "Performance Impact of Addressing Modes on Encryption Algorithms," Proceedings of the International Conference on Computer Design (ICCD 2001), pp. 542-545, September 2001. Performance Impact of Addressing Modes on Encryption Algorithms A. Murat Fiskiran and Ruby B. Lee Department of Electrical Engineering Princeton University {fiskiran,rblee}@princeton.edu Abstract Encryption algorithms commonly use table lookups to perform substitution, which is a confusion primitive. The use of table lookups in this way is especially common in the more recent encryption algorithms, such as the AES finalists like MARS and Twofish, and the AES winner, Rijndael. Workload characterization studies indicate that these algorithms spend a significant fraction of their execution cycles on performing these table lookups, more specifically on effective address calculations. This study considers the five AES finalists (MARS, RC6, Rijndael, Serpent and Twofish) and studies the effect of different addressing modes that can be used to calculate the effective addresses during the table lookups. We report our findings for four different addressing modes and on varying width EPIC processors. The results indicate that speedups exceeding 2x can be obtained when fast addressing modes are used. 1. Introduction Diffusion and confusion are two cryptographic functions that are necessary to obscure the plaintext during encryption. Diffusion achieves this through mixing and reordering of data, such as in shifts or rotates. Confusion, on the other hand, relies on substitution, which means replacement of chunks of data by some other data, such as in a table lookup. Table lookups in encryption algorithms have been used in this way for a long time. DES, for instance, is a very widely used algorithm whose security depends exclusively on table lookups. In DES, these tables are known as the S- boxes. More recent algorithms also rely heavily on table lookups for security. Of the five algorithms that were the finalists in the Advanced Encryption Standard (AES) effort (MARS [1], RC6 [2], Rijndael [3], Serpent [4], and Twofish [5]), all except RC6 used table lookups. For some of these algorithms, table lookups are used for optimization purposes – beyond achieving confusion. Rijndael, for instance, is the AES winner and has a structure that involves various operations such as rotations and matrix multiplication following a series of table lookups. However, the algorithms is designed in such a way that the operations following the table lookups can be migrated into the table lookups by pre-modifying these tables, so that finally, the entire algorithm becomes only a series of table lookups. Similar optimizations are also possible for Twofish. For these algorithms, performing the table lookups efficiently has a direct and significant impact on the performance, since the algorithms are indeed a sequence of table lookups. 23 72 30 77 41 30 0 20 40 60 80 100 120 MARS Rijndael Twofish Execution time on a single issue machine (normalized to MARS = 100) Table lookups Other operations Figure 1. Distribution of execution cycles between table lookups and all other operations. 2. Table lookups in AES finalists Problems in the encryption algorithms with many table lookups are twofold. First, each table lookup involves operations other than loading of the data from the memory. Typically, this involves the effective address calculation. The index (that is the number specifying which entry of the table will be accessed) needs to be scaled and then added to the start address of the table (the base address) to get the effective address. The scaling is necessary whenever each entry of the table holds data that is larger than a single byte. This is quite often the case, since the most commonly used tables have 256 entries and each entry is 4 bytes. The addition of the scaled index value to the base address is usually a part of the load instruction. This is the indexed addressing mode. The scaling, however, usually requires a separate instruction (unless the scaling is also a part of the load