mbox series

[0/3] crypto: LEA block cipher implementation

Message ID 20230428110058.1516119-1-letrhee@nsr.re.kr
Headers show
Series crypto: LEA block cipher implementation | expand

Message

Dongsoo Lee April 28, 2023, 11 a.m. UTC
This submission contains a generic C implementation of the LEA block
cipher and its optimized implementation within ECB, CBC, CTR, and XTR
cipher modes of operation for the x86_64 environment.

The LEA algorithm is a symmetric key cipher that processes data blocks
of 128bits and has three different key lengths, each with a different
number of rounds:

- LEA-128: 128-bit key, 24 rounds,
- LEA-192: 192-bit key, 28 rounds, and
- LEA-256: 256-bit key, 32 rounds.

The round function of LEA consists of 32-bit ARX(modular Addition,
bitwise Rotation, and bitwise XOR) operations. See [1, 2] for details.

The LEA is a Korean national standard block cipher, described in
"KS X 3246" and is also included in the international standard,
"ISO/IEC 29192-2:2019 standard (Information security - Lightweight
cryptography - Part 2: Block ciphers)".

It is one of the approved block ciphers for the current Korean
Cryptographic Module Validation Program (KCMVP).

The Korean e-government framework contains various cryptographic
applications, and KCMVP-validated cryptographic module should be used
according to the government requirements. The ARIA block cipher, which
is already included in Linux kernel, has been widely used as a symmetric
key cipher. However, the adoption of LEA increase rapidly for new
applications.

By adding LEA to the Linux kernel, Dedicated device drivers that require
LEA encryption can be provided without additional crypto implementation.
An example of an immediately applicable use case is disk encryption
using cryptsetup.

The submitted implementation includes a generic C implementation that
uses 32-bit ARX operations, and an optimized implementation for the
x86_64 environment.

The implementation same as submitted generic C implementation is
distributed through the Korea Internet & Security Agency (KISA),
could be found [3].

For the x86_64 environment, we use SSE2/MOVBE/AVX2 instructions. Since
LEA use four 32-bit unsigned integers for 128-bit block, the SSE2 and
AVX2 implementations encrypts four and eight blocks at a time for
optimization, repectively.
Our submission provides a optimized implementation of 4/8 block ECB, CBC
decryption, CTR, and XTS cipher operation modes on x86_64 CPUs
supporting AVX2. The MOVBE instruction is used for optimizing the CTR
mode.

The implementation has been tested with kernel module tcrypt.ko and has
passed the selftest using test vectors for KCMVP[4]. The path also test
with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS enabled.

- [1] https://en.wikipedia.org/wiki/LEA_(cipher)
- [2] https://seed.kisa.or.kr/kisa/algorithm/EgovLeaInfo.do
- [3] https://seed.kisa.or.kr/kisa/Board/20/detailView.do
- [4] https://seed.kisa.or.kr/kisa/kcmvp/EgovVerification.do

Dongsoo Lee (3):
      crypto: LEA block cipher implementation
      crypto: add LEA testmgr tests
      crypto: LEA block cipher AVX2 optimization

 arch/x86/crypto/Kconfig               |   22 +
 arch/x86/crypto/Makefile              |    3 +
 arch/x86/crypto/lea_avx2_glue.c       | 1112 +++++++++++++++++++++++++
 arch/x86/crypto/lea_avx2_x86_64-asm.S |  778 ++++++++++++++++++
 crypto/Kconfig                        |   12 +
 crypto/Makefile                       |    1 +
 crypto/lea_generic.c                  |  915 +++++++++++++++++++++
 crypto/tcrypt.c                       |   73 ++
 crypto/testmgr.c                      |   32 +
 crypto/testmgr.h                      | 1211 ++++++++++++++++++++++++++++
 include/crypto/lea.h                  |   39 +
 11 files changed, 4198 insertions(+)

Comments

Eric Biggers April 28, 2023, 11:19 p.m. UTC | #1
Hi Dongsoo,

On Fri, Apr 28, 2023 at 08:00:55PM +0900, Dongsoo Lee wrote:
> The Korean e-government framework contains various cryptographic
> applications, and KCMVP-validated cryptographic module should be used
> according to the government requirements. The ARIA block cipher, which
> is already included in Linux kernel, has been widely used as a symmetric
> key cipher. However, the adoption of LEA increase rapidly for new
> applications.
> 
> By adding LEA to the Linux kernel, Dedicated device drivers that require
> LEA encryption can be provided without additional crypto implementation.
> An example of an immediately applicable use case is disk encryption
> using cryptsetup.
> 
> The submitted implementation includes a generic C implementation that
> uses 32-bit ARX operations, and an optimized implementation for the
> x86_64 environment.

Can you elaborate further on the use case for this cipher?  Your description
above is very vague.  What is the actual use case when so many other ciphers
already exist, including much better studied ones?  Are people being required to
use this cipher, and if so under what situations?  There is also already another
"national pride" block cipher from Korea (ARIA); do we really need another one?

BTW, in 2018, I investigated LEA and various other ciphers as options for
storage encryption on ARM processors without the crypto extensions.  We ended up
not selecting LEA for several different reasons (e.g. see
https://lore.kernel.org/r/20180507232000.GA194688@google.com), and we later
created Adiantum for the use case.  But, it sounds like "storage encryption on
processors without crypto instructions" isn't the use case you have in mind at
all anyway, seeing as the only assembly code you're providing is for x86_64.
What sort of use case do you actually have in mind?  Is this perhaps a PhD
thesis type of thing that won't actually be used in a real world application?

IIRC, one of the issues with LEA was that the LEA paper doesn't provide test
vectors, so I couldn't be certain that I had actually implemented the algorithm
correctly.  It sounds like there are now test vectors available.  How confident
are you that they actually match the original algorithm?

> The implementation has been tested with kernel module tcrypt.ko and has
> passed the selftest using test vectors for KCMVP[4]. The path also test
> with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS enabled.

There is a KASAN out-of-bounds error in lea_set_key() when running the
self-tests.

- Eric
Dongsoo Lee May 16, 2023, 4:27 a.m. UTC | #2
Thank you for your kind review and sorry for taking a bit of time to
respond.

We expect that the first application of the patch would be disk encryption
on the Gooroom platform ('Gooroom' is a Korean word, meaning 'cloud') [1].
Currently, the Gooroom platform uses AES-XTS for disk encryption. The main
reason for submitting this patch is to make disk encryption with LEA (e.g.
LEA-XTS) available in it.

The Gooroom platform is a government-driven Debian-based Linux distribution
in South Korea. In Korea, there are many crypto companies that want to
bundle Linux into their products and sell them. They create their own
Gooroom platforms by modifying the original Gooroom platform for their
services. (Of course, the Gooroom platform is not mandatory, and companies
wishing to use Linux are free to choose an appropriate distribution.) BTW,
in Korea, many crypto companies want to use LEA, because LEA is one of the
block ciphers of the KCMVP, a validation program for commercial crypto S/W
to be delivered to the Korean government.

The Linux Crypto API already has another Korean block cipher, ARIA, also
one of the block ciphers of the KCVMP. However, LEA is more widely used
than ARIA in industry nowadays, because LEA is one of the lightweight
cryptography standard of ISO/IEC [2] and performs well on low-end devices
that support 32-bit operations. So we think they are complementary to each
other.
LEA also performs slightly better in Generic C and AVX2 instruction
implementations than ARIA. While there is no AVX512 instruction
implementation of LEA yet, it is expected that the techniques used in the
AVX2 implementation can also be applied to AVX512. Rather, using 512-bit
registers and rotation instructions, LEA is expected to show even better
performance in AVX512 than in AVX2.

Performance comparisons of the two ciphers on a Ryzen R9 5950X using the
tcrypt module are shown below. Please note that this CPU does not support
GFNI and AVX512, so the results on ARIA may show less efficiency compared
to the ones offered by the current Linux kernel. The experiments on LEA
were done with the version that we are currently working on.

- 256-bit key, 4096 bytes
  - aes-aesni
    - ecb enc   1,637 cycles
    - ecb dec   1,608 cycles
    - ctr enc   1,649 cycles
  - aria-generic
    - ecb enc 235,293 cycles
    - ecb dec 237,949 cycles
    - ctr enc 240,754 cycles
  - lea-generic
    - ecb enc  31,945 cycles
    - ecb dec  50,511 cycles
    - ctr enc  33,942 cycles
  - aria-avx2
    - ecb enc  9,807 cycles
    - ecb dec 10,203 cycles
    - ctr enc 10,038 cycles
  - lea-avx2
    - ecb enc  5,784 cycles
    - ecb dec  7,423 cycles
    - ctr enc  6,136 cycles

In general, it's obvious that the hardware-accelerated AES is the best
performer. However, there exist not only environments where the hardware-
accelerated AES is not supported, but also situations where AES is not
preferred for various reasons. In these cases, if someone wants to encrypt
using a block cipher, LEA could be an alternative.

Apart from this, we also have implemented LEA in lightweight environments
such as 8-bit AVR and 16-bit MSP [3]. Only the assembly implementation of
LEA with AVX2 was submitted because the main goal was x86_64 as mentioned
earlier. If LEA were to be included in the Linux kernel, it would be
possible to modify and supplement the submission with lightweight
implementations to provide efficient encryption on low-performance devices.

Although the designers of LEA did not provide test vectors in their paper
[5], the ISO/IEC standard [2] and the KS standard [4] do. Furthermore, the
Block Cipher LEA Specification("블록암호 LEA 규격서", written in Korean)
document on the LEA introduction page [6] and the Wikipedia article on LEA
[7] show the same test vectors as in the standards.
The test vectors for ECB, CBC, CTR, and GCM modes included in the testmgr
module are taken from the KCMVP Cryptographic Algorithm Verification
Criteria V3.0("KCMVP 검증대상 암호알고리즘 검증기준 V3.0", written in
Korean) [8]. Test vectors for the XTS mode were generated by ourselves, and
we crosschecked them using Crypto++ [9] and testmgr on Linux.

[1] https://github.com/gooroom https://www.gooroom.kr/
[2] ISO/IEC 29192-2:2019, Information security - Lightweight cryptography -
Part 2: Block ciphers.
[3]
https://github.com/cryptolu/FELICS/tree/master/block_ciphers/source/ciphers/
LEA_128_128_v01/source
[4] KS X 3246, 128-bit block cipher LEA.
[5] Hong, Deukjo, et al. "LEA: A 128-bit block cipher for fast encryption
on common processors.", WISA 2013.
[6] https://seed.kisa.or.kr/kisa/algorithm/EgovLeaInfo.do
[7] https://en.wikipedia.org/wiki/LEA_(cipher)
[8] https://seed.kisa.or.kr/kisa/kcmvp/EgovVerification.do
[9] https://www.cryptopp.com/

+) We applied the optimization technique introduced in your the other
review to our decryption code. So, could you please let us know how to
state that fact clearly?

-----Original Message-----
From: Eric Biggers <ebiggers@kernel.org> 
Sent: Saturday, April 29, 2023 8:20 AM
To: Dongsoo Lee <letrhee@nsr.re.kr>
Cc: linux-crypto@vger.kernel.org; Herbert Xu <herbert@gondor.apana.org.au>;
David S. Miller <davem@davemloft.net>; Thomas Gleixner
<tglx@linutronix.de>; Ingo Molnar <mingo@redhat.com>; Borislav Petkov
<bp@alien8.de>; Dave Hansen <dave.hansen@linux.intel.com>; x86@kernel.org;
H. Peter Anvin <hpa@zytor.com>; linux-kernel@vger.kernel.org; David S.
Miller <abc@test.nsr.re.kr>; Dongsoo Lee <letrhee@gmail.com>
Subject: Re: [PATCH 0/3] crypto: LEA block cipher implementation

Hi Dongsoo,

On Fri, Apr 28, 2023 at 08:00:55PM +0900, Dongsoo Lee wrote:
> The Korean e-government framework contains various cryptographic 
> applications, and KCMVP-validated cryptographic module should be used 
> according to the government requirements. The ARIA block cipher, which 
> is already included in Linux kernel, has been widely used as a 
> symmetric key cipher. However, the adoption of LEA increase rapidly 
> for new applications.
> 
> By adding LEA to the Linux kernel, Dedicated device drivers that 
> require LEA encryption can be provided without additional crypto
implementation.
> An example of an immediately applicable use case is disk encryption 
> using cryptsetup.
> 
> The submitted implementation includes a generic C implementation that 
> uses 32-bit ARX operations, and an optimized implementation for the
> x86_64 environment.

Can you elaborate further on the use case for this cipher?  Your
description above is very vague.  What is the actual use case when so many
other ciphers already exist, including much better studied ones?  Are
people being required to use this cipher, and if so under what situations?
There is also already another "national pride" block cipher from Korea
(ARIA); do we really need another one?

BTW, in 2018, I investigated LEA and various other ciphers as options for
storage encryption on ARM processors without the crypto extensions.  We
ended up not selecting LEA for several different reasons (e.g. see
https://lore.kernel.org/r/20180507232000.GA194688@google.com), and we later
created Adiantum for the use case.  But, it sounds like "storage encryption
on processors without crypto instructions" isn't the use case you have in
mind at all anyway, seeing as the only assembly code you're providing is
for x86_64.
What sort of use case do you actually have in mind?  Is this perhaps a PhD
thesis type of thing that won't actually be used in a real world
application?

IIRC, one of the issues with LEA was that the LEA paper doesn't provide
test vectors, so I couldn't be certain that I had actually implemented the
algorithm correctly.  It sounds like there are now test vectors available.
How confident are you that they actually match the original algorithm?

> The implementation has been tested with kernel module tcrypt.ko and 
> has passed the selftest using test vectors for KCMVP[4]. The path also 
> test with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS enabled.

There is a KASAN out-of-bounds error in lea_set_key() when running the self-
tests.

- Eric