PuTTY:

Demonstration suites for encryption using Intel AES instruction set and ARM Cryptography Extension in PuTTY SSH client and derived tools.

Motivation

• 40x encryption/decryption boost over straightforward C implementation.
• 4.7x AES encryption and 13x AES decryption boost on Intel Core i5-2520M over lookup table implementation
  • CPU usage decreases from 50% to 30% for transmission of large files via Secure copy on Intel Core i5-2520M.
  • Lookup-table specific attacks on AES via cache miss analysis [Bangerter et al.] become impossible.
• 9x AES boost on Ampere eMAG CPU

Impact

• Hardware-accelerated versions of AES, SHA-256, SHA-1 are intergrated to PuTTY 0.71
• Performance results were presented by Maxim Kuznetsov in „Radio Engineering and Cryptography“ section of 55th MIPT Conference. The report got „The Best Report of the Section“ achievement.
• PuTTY with new AES instructions was developed as a part of MIPT Cryptography course activities.
• Established basic continious integration infrastructure (CI) for cross-platform PuTTY builds.
• LLVM bugs reported:
  • 34980: Bug with target attribute propagation. Fixed in Clang 6.0.1.
  • 38386: PuTTY CI needs LLVM resource compiler on Windows. Shipped in LLVM 7.0.0 package.
  • 40300: lld-link does not detect duplicate symbols with /O3. Fixed in LLVM 9.0.0.

Credits

AES NI

• Maxim Kuznetsov: original idea, AES key expansion, integration with SDE, paper
• Pavel Kryukov: AES encryption, unit tests, refactoring
• Svyatoslav Kuzmich: AES decryption, infrastructure

Details:

• Original 2012–2015 patches are available in repository history
• Original 2015–2017 patches are located in git branch
• Actual (applied to the main repository) patches are pointed by git branch
• Patched sources for PuTTY 0.64 in git branch
• Fixes and enhancements by community before the code was completely rewritten:
  • 599bab8 Condition out AES-NI support if using a too-old clang
  • a27f55e Use correct way to detect new instructions in Clang
  • d6338c2 Fix mishandling of IV in AES-NI CBC decryption
  • 7babe66 Make lots of generic data parameters into ‘void *‘.
  • f4ca28a Add a missing const
  • 91a624f sshaes.c: add some missing clang target attributes
  • 3347bd8 Fix AES-NI SDCTR to pass the new tests.
  • dfdb73e Complete rewrite of the AES code.
  • ced0f19 Ensure our aes_ni_context is 16-byte aligned.
  • fca13a1 Break up crypto modules containing HW acceleration.

SHA NI

• Jeffrey Walton: publc domain SHA implementation, fixes to CPUID code.
• Pavel Kryukov: integration of SHA into PuTTY code, unit tests

Details:

• Original patches are pointed by git branch
• Fixes and enhancements by community before the code was completely rewritten:
  • a27f55e Use correct way to detect new instructions in Clang
  • 1ec8a84 Add CPUID leaf checks prior to SHA checks
  • fbc8b7a Include intrin.h for hardware SHA on Windows
  • cbbd464 Rewrite the SHA-256 and SHA-1 hash function modules.

PuTTY Continious integration

• Pavel Kryukov

Details:

• CI repository is a PuTTY fork
• Previous history is available in PuTTY-AES-NI repository: Travis, Appveyor

Code Coverage Chart!

CPUs with AES NI support

Get sure that your CPU supports AES-NI by running make aescpuid && ./aescpuid. You may use Intel Product Specification Advanced Search to check if your CPU supports AES-NI and SHA-NI.

AES encryption and decryption

To observe boost of AES-NI algorithm, one may create standalone AES-256 encryptor and decryptor tools using PuTTY source code. After cloning repository and PuTTY submodule, binaries are buildable with CMake:

Type	SW AES	AES NI
Encrypt	aes-demo-sw-encode	aes-demo-hw-encode
Decrypt	aes-demo-sw-decode	aes-demo-hw-decode

Syntax is the same as ‘cp’ command. Please note that file size must be a multiple of 16 bytes. <sshdemo> src dst

AES performance tests

To run performance test, use make perf-geomean-aes.txt. The output is geometric mean of speedups per encryption/decryption of different data sets with memory range from 16 bytes to 16 Mbytes.

Raw performance data is stored to perf-original.txt and perf-output.txt, the first one is for standard version, second is for AES-NI version. Format of output files is following: code keylen blocklen time, where code 0 is encryption, code 1 is decryption, and code 2 is for encryption in sdctr mode.

AES and SHA functional tests

Since 2019, all cryptography functional tests are included to the PuTTY repository. To run the tests in Bash, simply execute following commands in a configured PuTTY workspace:

make testcrypt
export PUTTY_TESTCRYPT=/path/to/the/testcrypt
./test/cryptsuite.py

The same works for Windows environment if you use appropriate CMD or PowerShell commands.

Thanks

• PuTTY creator Simon Tatham for PuTTY, reviewing our code, and accepting the changes.
• Sergey Vladimirov for mentorship of AES NI development in MIPT.