Comment
Author: Admin | 2025-04-28
Tests on an Intel Core i7-4600U CPU in 22 nm technology clocked at 1.4 GHz. The operating system is Ubuntu 14.04 and we use Crypto++ Library 5.6.3 compiled with GCC 4.6.4.

Table 1. Measured energy cost (in nJ) per Byte for memory accesses and cryptographic operations on CPUs.

Table 1 reports the measured CPU energy cost per Byte. For comparison, we take the memory access energy estimates for ASICs from two papers [37, 45], which have very close estimations. We take the SHA-256 energy cost for ASIC from the state-of-the-art Antminer S9 specification [1]. Antminer S9 spends 0.098 nJ to hash 80 Bytes, which normalizes to 0.0012 nJ/Byte.

4.2 Better Energy Fairness with AES-NI

From the above results, we have \(c_{b,\mathsf {cpu}}\approx 0.5\), \(c_{b,\mathsf {asic}}\approx 0.3\), and if we use SHA-256 to implement the random oracle \(\mathcal {H}\), then \(c_{r,\mathsf {cpu}}\approx 30\) and \(c_{r,\mathsf {asic}}\approx 0.1\). With these parameters, any function in the graph labeling framework can at most reduce an ASIC’s energy advantage to \(\overline{A_\mathsf {ec}}\approx (0.5 + 30) / (0.3 + 0.0012) \approx 100 \times \). While this represents an improvement over plain SHA-256 hashing (which suffers from an energy advantage of roughly \(30 / 0.0012 = 25,000\times \)), \(100\times \) is still quite a substantial advantage.

Is \(100\times \) the limit of energy fairness or can we do better? To push \(\overline{A_\mathsf {ec}}\) lower, we need a smaller \(c_{r,\mathsf {cpu}}\). The AES-NI extension gives exactly what we need. AES-NI (AES New Instructions) [3] is a set of new CPU instructions specifically designed to improve the speed and energy efficiency of AES operations on CPUs. Today AES-NI is available in all mainstream Intel processors. In fact, AES-NI is an ASIC-style AES circuit that Intel builds into its CPUs, which is why it reduces ASIC advantage. However, we cannot expect AES-NI to completely match stand-alone AES ASICs because it is subject to many design constraints imposed by Intel CPUs.

We repeat our previous experiments to measure the energy efficiency of AES operations on CPUs. As expected, AES-NI delivers much better energy efficiency, 1.5 nJ per Byte. We do not know for sure what \(c_{r,\mathsf {asic}}\) would be for AES, but expect it to be no better than SHA-256 (and the bounds are insensitive to \(c_{r,\mathsf {asic}}\) since \(c_{b,\mathsf {asic}}\) dominates in the denominator). Therefore, if we use AES for pebbling, the lower bound drops to \(\overline{A_\mathsf {ec}}\approx (0.5 + 1.5) / 0.3 \approx 6.7 \times \). It is worth noting that using AES for pebbling also reduces an ASIC’s AT advantage as it makes CPUs run faster (smaller T).

Great care needs to be taken when instantiating the random oracle with a concrete function. Boneh et al. [25] point out that the pebbling
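The bound arithmetic of Section 4.2, as an added example that is not code from the paper: it evaluates the ratio for SHA-256 and AES-NI with the per-Byte costs quoted above, sweeps the unknown \(c_{r,\mathsf {asic}}\) for AES to show how little it moves the bound, and, going slightly beyond the text, solves the same ratio for the CPU oracle cost a target advantage would require. The function names and the sweep values are assumptions of this example.

```python
# Added example. All costs are in nJ per Byte and are the values quoted in the text.
C_B_CPU = 0.5             # memory access on the CPU
C_B_ASIC = 0.3            # memory access on an ASIC
C_R_CPU_SHA256 = 30.0     # SHA-256 on the CPU
C_R_ASIC_SHA256 = 0.0012  # SHA-256 on an ASIC (Antminer S9 figure)
C_R_CPU_AESNI = 1.5       # AES with AES-NI on the CPU


def energy_advantage_bound(c_b_cpu, c_r_cpu, c_b_asic, c_r_asic):
    """Ratio used in the text: (c_b,cpu + c_r,cpu) / (c_b,asic + c_r,asic)."""
    costs = (c_b_cpu, c_r_cpu, c_b_asic, c_r_asic)
    if any(c < 0 for c in costs) or c_b_asic + c_r_asic <= 0:
        raise ValueError("costs must be non-negative with a positive ASIC total")
    return (c_b_cpu + c_r_cpu) / (c_b_asic + c_r_asic)


def plain_hash_advantage(c_r_cpu, c_r_asic):
    """Advantage when the work is hashing only, with no memory term."""
    return c_r_cpu / c_r_asic


def sweep_asic_oracle_cost(c_r_cpu, candidates):
    """Bound for each candidate c_r,asic, memory costs held at the quoted values."""
    return {c: energy_advantage_bound(C_B_CPU, c_r_cpu, C_B_ASIC, c)
            for c in candidates}


def max_cpu_oracle_cost_for(target):
    """Largest c_r,cpu that keeps the bound <= target, taking c_r,asic = 0
    (the assumption least favourable to the CPU). Extension of the text."""
    floor = C_B_CPU / C_B_ASIC  # bound when the oracle is free on both sides
    if target < floor:
        raise ValueError(f"target below the memory-only floor of {floor:.2f}x")
    return target * C_B_ASIC - C_B_CPU


if __name__ == "__main__":
    sha = energy_advantage_bound(C_B_CPU, C_R_CPU_SHA256, C_B_ASIC, C_R_ASIC_SHA256)
    print(f"plain SHA-256 hashing : {plain_hash_advantage(30.0, 0.0012):,.0f}x")
    print(f"graph labeling, SHA   : {sha:.1f}x")
    # Constructed sweep values: from a free ASIC oracle up to 0.1 nJ/Byte.
    for c, bound in sweep_asic_oracle_cost(C_R_CPU_AESNI, [0.0, 0.0012, 0.01, 0.1]).items():
        print(f"graph labeling, AES-NI, c_r_asic={c:<6}: {bound:.2f}x")
    print(f"c_r_cpu needed for 2x : {max_cpu_oracle_cost_for(2.0):.2f} nJ/Byte")
```
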