Implementation and evaluation of the Forro stream cipher in Tofino programmable hardware for remote attestation in datacenters

Rodrigo Alexander de Andrade Pierini; Caio Teixeira; Christian Rodolfo Esteve Rothenberg; Marco Aurélio Amaral Henriques

doi:10.5753/jbcs.2026.5625

Authors

Rodrigo Alexander de Andrade Pierini Universidade Estadual de Campinas https://orcid.org/0009-0009-7707-5194
Caio Teixeira Universidade Estadual de Campinas https://orcid.org/0000-0002-9902-0866
Christian Rodolfo Esteve Rothenberg Universidade Estadual de Campinas https://orcid.org/0000-0003-3109-4305
Marco Aurélio Amaral Henriques Universidade Estadual de Campinas https://orcid.org/0000-0001-9241-2229

DOI:

https://doi.org/10.5753/jbcs.2026.5625

Keywords:

software-defined networking, stream ciphers, cryptography, programmable data planes, Forro stream cipher, Tofino, P4 language

Abstract

The software-defined networking (SDN) paradigm has enabled several innovations in computer networking, specially in programmable packet processing. This paper shows the feasibility and impact on computing resources of the Forro stream cipher algorithm in the Tofino programmable hardware switch. For comparison purposes, the ChaCha algorithm was also analyzed in terms of its performance and impact on the same device. It was observed that the Forro algorithm performs better and uses fewer resources than ChaCha in sequential implementations. However, when parallelization techniques are adopted, ChaCha performs better for higher data rates, but uses more ternary matching resources than Forro. For the use case of remote attestation in programmable data planes, the Forro cipher seems more promising, as it uses less limited resources and can achieve sufficient throughput rates for this scenario. We then propose P4DRA, a distributed remote attestation solution based in the programmable data plane that can offload the verification process of remote devices to the data plane, freeing resources from a central verifier based on a x86 server and improving the attestation proof verification speed by around 150 times.

Downloads

Download data is not yet available.

References

Ambrosin, M., Conti, M., Lazzeretti, R., Rabbani, M. M., and Ranise, S. (2020). Collective remote attestation at the internet of things scale: State-of-the-art and future challenges. IEEE Communications Surveys & Tutorials, 22(4):2447-2461. DOI: 10.1109/comst.2020.3008879.

Arciszewski, S. (2020). XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305. Work in Progress.

Ben-Basat, R., Chen, X., Einziger, G., and Rottenstreich, O. (2018). Efficient measurement on programmable switches using probabilistic recirculation. In 2018 IEEE 26th International Conference on Network Protocols (ICNP), pages 313-323. IEEE. DOI: 10.1109/ICNP.2018.00047.

Bernstein, D. J. et al. (2008). Chacha, a variant of salsa20. In Workshop record of SASC, volume 8, pages 3-5. Citeseer. Available at:[link].

Bosshart, P., Daly, D., Gibb, G., Izzard, M., McKeown, N., Rexford, J., Schlesinger, C., Talayco, D., Vahdat, A., Varghese, G., et al. (2014). P4: Programming protocol-independent packet processors. ACM SIGCOMM Computer Communication Review, 44(3):87-95. DOI: 10.1145/2656877.2656890.

Chen, X. (2020). Implementing aes encryption on programmable switches via scrambled lookup tables. In Proceedings of the Workshop on Secure Programmable Network Infrastructure, pages 8-14. DOI: 10.1145/3405669.3405819.

Costa, F. G. (2023). Pipo-tg: parameterizable high performance traffic generation. Available at:[link].

Coutinho, M. (2023). forro_cipher. Available at:[link] Online: Acesso em 28-05-2024.

Coutinho, M., Passos, I., and Borges, F. (2023a). The design and implementation of xforró14-poly1305: a new authenticated encryption scheme. In Anais do XXIII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, pages 456-469, Porto Alegre, RS, Brasil. SBC. DOI: 10.5753/sbseg.2023.232879.

Coutinho, M., Passos, I., Vásquez, J. C. G., Sarkar, S., de Mendonça, F. L., de Sousa Jr, R. T., and Borges, F. (2023b). Latin dances reloaded: Improved cryptanalysis against salsa and chacha, and the proposal of forró. Journal of Cryptology, 36(3):18. DOI: 10.1007/s00145-023-09455-5.

Dang, H. T., Bressana, P., Wang, H., Lee, K. S., Zilberman, N., Weatherspoon, H., Canini, M., Pedone, F., and Soulé, R. (2020). P4xos: Consensus as a network service. IEEE/ACM Transactions on Networking, 28(4):1726-1738. DOI: 10.1109/TNET.2020.2992106.

Datta, R., Choi, S., Chowdhary, A., and Park, Y. (2018). P4guard: Designing p4 based firewall. In MILCOM 2018-2018 IEEE Military Communications Conference (MILCOM), pages 1-6. IEEE. DOI: 10.1109/MILCOM.2018.8599726.

Dworkin, M., Barker, E., Nechvatal, J., Foti, J., Bassham, L., Roback, E., and Dray, J. (2001). Advanced encryption standard (aes). DOI: 10.6028/NIST.FIPS.197.

Edgecore-Networks (2024). Dcs800. Available at:[link] Online: Acesso em 28-05-2024.

Fernandes, E. L. and Rothenberg, C. E. (2014). Openflow 1.3 software switch. Salao de Ferramentas do XXXII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuıdos SBRC, pages 1021-1028. Available at:[link].

Hauser, F., Häberle, M., Merling, D., Lindner, S., Gurevich, V., Zeiger, F., Frank, R., and Menth, M. (2023). A survey on data plane programming with p4: Fundamentals, advances, and applied research. Journal of Network and Computer Applications, 212:103561. DOI: 10.1016/j.jnca.2022.103561.

Intel (2024). Intel® tofino™. Available at:[link] Online: Acesso em 28-05-2024.

Jin, X., Li, X., Zhang, H., Soulé, R., Lee, J., Foster, N., Kim, C., and Stoica, I. (2017). Netcache: Balancing key-value stores with fast in-network caching. In Proceedings of the 26th Symposium on Operating Systems Principles, pages 121-136. DOI: 10.1145/3132747.3132764.

Kfoury, E. F., Crichigno, J., and Bou-Harb, E. (2021). An exhaustive survey on p4 programmable data plane switches: Taxonomy, applications, challenges, and future trends. IEEE Access, 9:87094-87155. DOI: 10.1109/ACCESS.2021.3086704.

Kreutz, D., Ramos, F. M., Verissimo, P. E., Rothenberg, C. E., Azodolmolky, S., and Uhlig, S. (2014). Software-defined networking: A comprehensive survey. Proceedings of the IEEE, 103(1):14-76. DOI: 10.1109/JPROC.2014.2371999.

Kumar Sharma, N., Garai, H. K., and Dey, S. (2024). Breaching forró’s security with differential-linear foray. IEEE Access, 12:99175-99182. DOI: 10.1109/ACCESS.2024.3429140.

Li, G., Zhang, M., Liu, C., Kong, X., Chen, A., Gu, G., and Duan, H. (2019). Nethcf: Enabling line-rate and adaptive spoofed ip traffic filtering. In 2019 IEEE 27th international conference on network protocols (ICNP), pages 1-12. IEEE. DOI: 10.1109/ICNP.2019.8888057.

Ling, Z., Yan, H., Shao, X., Luo, J., Xu, Y., Pearson, B., and Fu, X. (2021). Secure boot, trusted boot and remote attestation for arm trustzone-based iot nodes. Journal of Systems Architecture, 119:102240. DOI: 10.1016/j.sysarc.2021.102240.

Mahrach, S., Mjihil, O., and Haqiq, A. (2018). Scalable and dynamic network intrusion detection and prevention system. In Innovations in Bio-Inspired Computing and Applications: Proceedings of the 8th International Conference on Innovations in Bio-Inspired Computing and Applications (IBICA 2017) held in Marrakech, Morocco, December 11-13, 2017, pages 318-328. Springer. DOI: 10.1007/978-3-319-76354-5_29.

Nir, Y. and Langley, A. (2015). ChaCha20 and Poly1305 for IETF Protocols. (7539). DOI: 10.17487/RFC7539.

Peterson, L., Cascone, C., and Davie, B. (2021). Software-Defined Networks: A Systems Approach. Systems Approach LLC. Available at:[link].

Scholz, D., Oeldemann, A., Geyer, F., Gallenmüller, S., Stubbe, H., Wild, T., Herkersdorf, A., and Carle, G. (2019). Cryptographic hashing in p4 data planes. In 2019 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), pages 1-6. IEEE. DOI: 10.1109/ANCS.2019.8901886.

Sivaraman, V., Narayana, S., Rottenstreich, O., Muthukrishnan, S., and Rexford, J. (2017). Heavy-hitter detection entirely in the data plane. In Proceedings of the Symposium on SDN Research, pages 164-176. DOI: 10.1145/3050220.3063772.

Tan, H., Hu, W., and Jha, S. (2011). A tpm-enabled remote attestation protocol (trap) in wireless sensor networks. In Proceedings of the 6th ACM Workshop on Performance Monitoring and Measurement of Heterogeneous Wireless and Wired Networks, PM2HW2N '11, page 9–16, New York, NY, USA. Association for Computing Machinery. DOI: 10.1145/2069087.2069090.

TCG (2024). What is a Trusted Platform Module (TPM)? Available at:[link] Acesso em: 27/09/2024.

Tokusashi, Y., Matsutani, H., and Zilberman, N. (2018). Lake: the power of in-network computing. In 2018 International Conference on ReConFigurable Computing and FPGAs (ReConFig), pages 1-8. IEEE. DOI: 10.1109/RECONFIG.2018.8641696.

Vieira, M. A., Castanho, M. S., Pacífico, R. D., Santos, E. R., Júnior, E. P. C., and Vieira, L. F. (2020). Fast packet processing with ebpf and xdp: Concepts, code, challenges, and applications. ACM Computing Surveys (CSUR), 53(1):1-36. DOI: 10.1145/3371038.

Yoo, S. and Chen, X. (2021). Secure keyed hashing on programmable switches. In Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable network INfrastructure, pages 16-22. DOI: 10.1145/3472873.3472881.

Yoshinaka, Y., Takemasa, J., Koizumi, Y., and Hasegawa, T. (2022). On implementing chacha on a programmable switch. In Proceedings of the 5th International Workshop on P4 in Europe, pages 15-18. DOI: 10.1145/3565475.3569073.

Zheng, C., Rienecker, B., and Zilberman, N. (2023). Qcmp: Load balancing via in-network reinforcement learning. In Proceedings of the 2nd ACM SIGCOMM Workshop on Future of Internet Routing & Addressing, pages 35-40. DOI: 10.1145/3607504.3609291.