Hello,
Currently I am learning ARM assembly on Raspberry Pi 1 Model B+ by writing my own implementations of AES finalists ciphers. I wanted to test my MARS implementation with IBM test vectors, but it seems that they are inconsistent. For example in these two files:https://web.archive.org/web/20010504113019/http://www.research.ibm.com/security/test-vectors/ecb_tbl.txt
https://web.archive.org/web/20010504112041/http://www.research.ibm.com/security/test-vectors/ecb_e_m.txt
plaintext: 00000000000000000000000000000000 and key: 00000000000000000000000000000000 give two different ciphertexts: DCC07B8DFB0738D6E30A22DFCF27E886 and F28C7E672247DE249C04BE791BCE4065. My code gives DCC07B8DFB0738D6E30A22DFCF27E886 as an answer. Is this answer correct? Does anyone have more test vectors and is certain that they are correct?
List of all test vectors files: https://web.archive.org/web/20000818115416/http://www.research.ibm.com/security/test-vectors/
IBM MARS specification: https://web.archive.org/web/20000815233719/http://www.research.ibm.com/security/mars.pdf
My ARM assembly code: http://www.zenker.pl/mars/arm/mars.s
Related
I would like to run the full 6502 test suite by Klaus Dormann to test my Kansas Lava 6502 implementation. However, the code uses self-modification (see all uses of range_adr), which, while trivial to implement in an emulator, doesn't bode well for a hardware implementation: the program image needs to be stored on ROM, so the write-backs are going to be blackholed by whatever routes writes based on addressing ROM or RAM-backed parts.
The same problem, of course, applies both to synthesizing it to a real FPGA and to running it in a simulator (either the low-level VHDL one or the high-level Kansas Lava one).
Is there a way to run the test suite without doing a lengthy (in terms of cycles) dance of suspending the CPU, copying the program from some unaddressable ROM into an all-RAM memory byte-by-byte, and then initializing the CPU and letting it run? I'd prefer not doing this because simulating these extra cycles at startup will slow down running the test considerably.
Knee-jerk observations:
Despite coming as a 64kb image, the test is actually just 14,093 bytes of actual content, from $0000 up to $370d, then a padded fill of $ffs up to the three vectors in $fffa–$ffff. So you'd need to copy at most 14,099 bytes rather than the prima facie 65,536.
Having set up that very test suite in an emulator I wrote yesterday (no, really) the full range of touched addresses — using [x, y] to denote the closed range, i.e. to include both x and y, is:
[000a, 0012], [0100, 0101], [01f9, 01ff] (i.e. the stack and zero pages);
0200;
[0203, 0207];
04a8;
2cbb;
2cdc;
2eb1;
2ed2;
30a7;
30c8;
33f2;
3409;
353b; and
3552.
From the .lst version of the program, that means all you need to move are the variables with labels:
test_case;
ada2;
sba2;
range_adr;
... and either move or remove the routines that:
test AND immediate from 2cac down to 2cec;
test EOR immediate from 2ea2 to 2ee2;
test ORA immediate from 3098 to 30d8;
test decimal ADC/SBC immediate from 33e7 down to 3414 (specifically to include chkdadi and chksbi);
test binary ADC/SBC immediate from 3531 down to 355d.
All the immediate tests self modify the operand. If you're happy leaving that one addressing mode untested then it shouldn't be too troublesome.
So, I guess, edit those tests out of the original file, and you can safely relocate range_adr to the middle of the stack page if my simulation is accurate.
I made a small test benchmark comparing .NET's System.Security.Cryptography AES implementation vs BouncyCastle.Org's AES.
Link to GitHub code: https://github.com/sidshetye/BouncyBench
I'm particularly interested in AES-GCM since it's a 'better' crypto algorithm and .NET is missing it. What I noticed was that while the AES implementations are very comparable between .NET an BouncyCastle, the GCM performance is quite poor (see extra background below for more). I suspect it's due to many buffer copies or something. To look deeper, I tried profiling the code (VS2012 => Analyze menu bar option => Launch performance wizard) and noticed that there was a LOT of CPU burn inside mscorlib.dll
Question: How can I figure out what's eating most of the CPU in such a case? Right now all I know is "some lines/calls in Init() burn 47% of CPU inside mscorlib.ni.dll" - but without knowing what specific lines, I don't know where to (try and) optimize. Any clues?
Extra background:
Based on the "The Galois/Counter Mode of Operation (GCM)" paper by David A. McGrew, I read "Multiplication in a binary field can use a variety of time-memory tradeoffs. It can be implemented with no key-dependent memory, in which case it will generally run several times slower than AES. Implementations that are willing to sacrifice modest amounts of memory can easily realize speeds greater than that of AES."
If you look at the results, the basic AES-CBC engine performances are very comparable. AES-GCM adds the GCM and reuses the AES engine beneath it in CTR mode (faster than CBC). However, GCM also adds multiplication in the GF(2^128) field in addition to the CTR mode, so there could be other areas of slowdown. Anyway, that's why I tried profiling the code.
For the interested, where is my quick test performance benchmark. It's inside a Windows 8 VM and YMMV. The test is configurable but currently it's to simulate crypto overhead in encrypting many cells of a database (=> many but small plaintext input)
Creating initial random bytes ...
Benchmark test is : Encrypt=>Decrypt 10 bytes 100 times
Name time (ms) plain(bytes) encypted(bytes) byte overhead
.NET ciphers
AES128 1.5969 10 32 220 %
AES256 1.4131 10 32 220 %
AES128-HMACSHA256 2.5834 10 64 540 %
AES256-HMACSHA256 2.6029 10 64 540 %
BouncyCastle Ciphers
AES128/CBC 1.3691 10 32 220 %
AES256/CBC 1.5798 10 32 220 %
AES128-GCM 26.5225 10 42 320 %
AES256-GCM 26.3741 10 42 320 %
R - Rerun tests
C - Change size(10) and iterations(100)
Q - Quit
This is a rather lame move from Microsoft as they obviously broke a feature that worked well before Windows 8, but no longer, as explained in this MSDN blog post:
:
On Windows 8 the profiler uses a different underlying technology than
what it does on previous versions of Windows, which is why the
behavior is different on Windows 8. With the new technology, the
profiler needs the symbol file (PDB) to know what function is
currently executing inside NGEN’d images.
(...)
It is however on our backlog to implement in the next version of Visual Studio.
The post gives directions to generate the PDB files yourself (thanks!).
I am a beginner on Ada language and I would like to know what notations means. I have read in Kreuger software reuse paper that Anna is a an annotation language to describe Ada. Is that consider to be a formal comment for Ada code ?
For example:
subtype EVEN is INTEGER;
--| where X : EVEN = ) X mod 2 = 0;
The 2nd line is Anna annotation for the first line which is Ada code.
Is the 2nd line just a comment to let the user understand the first line or is it a constraint that is a "must" to mention not just an optional line?
I am really confused
Anna is ancient, do not waste your time with it.
There are a number of places to get starting with Ada. Among them is the Ada Wikibook, and the Ada Information Clearinghouse (AdaIC) maintains a list of suggested resources.
If you're interested in formal logic as it applies to Ada, you'll want to look into SPARK ("SPARK is a programming language, a set of source code analysis (static verification) tools, and a design method for developing high-assurance software.") Here's a quick overview and tutorial, though you may not want to tackle that until you've got some practice with Ada under your belt.
You probably already know about the GNAT compiler, but just in case, GNAT GPL 2012 is an open source compiler available for Linux, Windows, and a few other platforms. (GNATPro is available for many platforms.)
Good luck, ask questions here, other resources include comp.lang.ada and the Ada sub-reddit.
EVEN is integer with the constraint of being, well, even. So the 2nd line is a constraint. But it will not be checked by the compiler -- and, to the best of my knowledge, the Anna toolset has never been able to check such constraints.
Anna is ancient and long gone -- but the recent Ada standard (Ada 2012) supports such annotations (which can even be checked by the compiler). So your Ada/Anna expression could be written in Ada 2012 as
subtype Even is Integer
with Dynamic_Predicate => Even mod 2 = 0;
This is actually an example from the Ada 2012 rationale, see Ada 2012.
I have very definitively come across the 'simulating a 6-faced die' (which produces a random integer between 1 and 6, all outcomes are equally probable) in Java, Python, Ruby and Bash. However, I am yet to see a similar program in Ada. Has anyone come across one?
See Random Number Generation (LRM A.5.2) for packages to assist with doing this. Either Ada.Numerics.Float_Random for uniform random number generation (range 0.0 .. 1.0) which you can then scale on your own, or instantiate Ada.Numerics.Discrete_Random with a suitable (sub)type (works for d4, d10, d12, and d20s as well!).
You might enjoy this simulation of the children's card game of war, which uses an instance of Ada.Numerics.Discrete_Random.
subtype Card_Range is Positive range 1 .. 52;
package Any_Card is new Ada.Numerics.Discrete_Random(Card_Range);
G : Any_Card.Generator;
…
N : Card_Range := Any_Card.Random(G);
With Ada 95, a random number generator was defined as part of the standard library making it a required component of every Ada 95 compilation system.
Therefore, yes you can simulate a 6-faced die in Ada quite easily.
RossetaCode.org usually have these kind of typical programs. You can find a simple 6-faced dice implementation in Pig the dice game.
These are the relevant parts of that program for a dice implementation.
You define the wanted range in a type:
type Dice_Score is range 1 .. 6;
instantiate Ada.Numerics.Discrete_Random with your type:
with Ada.Numerics.Discrete_Random;
package RND is new Ada.Numerics.Discrete_Random(Dice_Score);
Use the instantiation to get a random value in the range:
Gen: RND.Generator;
P.Recent_Roll := RND.Random(Gen);
In Object Oriented Paradigm, I would create an object/conceptual model before I start implementing it using OO language.
Is there anything parallel to object model in functional programming. Is it called functional model? or we create the same conceptual model in both the paradigm before implementing it in one of the language..
Are there articles/books where I can read about functional model in case it exist?
or to put it in different way... even if we are using functional programming language, would we start with object model?
In fact there is. There is a form of specification for functional languages based on Abstract Data Types called algebraic specification. Their behavior is very similar to that of objects in some ways, however the constructs are logical and mathematical, and are immutable like functional constructs.
A particular functional specification language that's used in the Algorithms and Data Structures class in the University of Buenos Aires has generators, observers, and additional operations.
A generator is an expression that is both an instance and a possible composition of the data type.
For example, for a binary tree (ADT bt), we have null nodes, and binary nodes. So we would have the generators:
-nil
-bin(left:bt, root: a, right:bt)
Where left is an instance of a bt, the root is a generic value, and right is another bt.
So, nil is a valid form of a bt, but bin(bin(nil,1,nil),2,nil) is also valid, representing a binary tree with a root node with a value of 2, a left child node with a value of 1, and a null child right node.
So for a function that say, calculates the number of nodes in a tree, you define an observer of the ADT, and you define a set of axioms which map to each generator.
So, for example:
numberOfNodes(nil) == 0
numberOfNodes(bin(left,x,right))== 1 + numberOfNodes(left) + numberOfNodes(right)
This has the advantage of using recursive definitions of operations, and has the more, formally interesting property that you can use something called structural induction to PROVE that your specification is correct (yes, you demonstrate that your algorithm will produce the proper result).
This is a fairly academic topic rarely seen outside of academic circles, but it's worth it to get an insight on program design that may change the way you think about algorithms and data structures.
The proper bibliography includes:
Bernot, G., Bidoit, M., and Knapik, T.
1995. Observational specifications and the indistinguishability assumption.
Theor. Comput. Sci. 139, 1-2 (Mar.
1995), 275-314. DOI=
http://dx.doi.org/10.1016/0304-3975(94)00017-D
Guttag, J. V. and Horning, J. J. 1993.
Larch: Languages and Tools for Formal
Specification. Springer-Verlag New
York, Inc. Abstraction and
Specification in Software Development,
Barbara Liskov y John Guttag, MIT
Press, 1986.
Fundamentals of Algebraic
Specification 1. Equations and Initial
Semantics. H. Ehrig y B. Mahr
Springer-Verlag, Berlin, Heidelberg,
New York, Tokyo, Germany, 1985.
With corresponding links:
http://www.cs.st-andrews.ac.uk/~ifs/Resources/Notes/FormalSpec/AlgebraicSpec.pdf
http://nms.lcs.mit.edu/larch/pub/larchBook.ps
It's a heck of an interesting topic.
In both OO and FP paradigms, you form your domain model (the problem you're solving) and then create objects in your program to mirror the domain objects. There are some differences, in that how the program objects mirror the domain objects is influenced by the paradigm and langauge you're using. Some examples (in Haskell):
from finance: Composing Contracts
from word processing: Bridging the Algorithm Gap
a simple web server: http://lstephen.wordpress.com/2008/02/14/a-simple-haskell-web-server/
music: http://www.haskell.org/haskore/
A flowchart and/or process model/diagram can be used as a functional model for non OO programs. But it still doesn't give the sense of boundaries similar to that of the OO model.
http://en.wikipedia.org/wiki/Functional_model