Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

about sgx Cryptography Library (sgx_tcrypto)

Changzheng_W_Intel

It seems that sgx_tcrypto doesn't support RSA encryption/decryption, is that right?

I didn't see them in the spec.

Is there any plan to support RSA in the trust library of the Linux SDK?
13 Replies
Surenthar_S_Intel

Hi,

The use of elliptic curves allows shorter public key length and encourages cryptographers to create cryptosystems with the same or higher encryption strength as the RSA or DSA cryptosystems. Because of the relatively short key length, ECCs do encryption and decryption faster on the hardware that requires less computation processing volumes.

-Surenthar

Surenthar_S_Intel

The SGX SDK exposes the interface to the 8.x release of IPP. If they include ipp/ippcp.h in a source file in their enclave they will gain access to some RSA functions. In particular:

 

ippsRSAEncrypt

ippsRSADecrypt

ippsRSAGenerate

Changzheng_W_Intel

Surenthar Selvaraj. (Intel) wrote:

The SGX SDK exposes the interface to the 8.x release of IPP. If they include ipp/ippcp.h in a source file in their enclave they will gain access to some RSA functions. In particular:

 

ippsRSAEncrypt

ippsRSADecrypt

ippsRSAGenerate

Hi Surenthar

Thanks.

BTW, could you provide me more detailed information about how to integrate the SGX SDK and Intel IPP?

Do you mean I install the Intel IPP SDK and include it in the enclave like using the sgx_tcrypto library?
Juan_d_Intel
Employee

After you install the SGX SDK the IPP Crypto header files should be in $(SGXSDKInstallPath)include\ipp

All you have to do is include ippcore.h and ippcp.h in your enclave and make the regular calls to the IPP crypto API. The calls will be resolved by sgx_tcrypto.lib.
Changzheng_W_Intel

Hi Juan

Thanks

I have checked my install dir of sgxsdk, but can't find an ipp sub-dir or ipp-related header files in the include dir.

Do I need to install IPP first? And how can I integrate IPP into SGXSDK?
Juan_d_Intel
Employee

The IPP crypto headers are integrated in the Windows SDK but I just realized that you're working with Linux.

In this case my suggestion is that you install the IPP crypto for Linux first. Then, you can include the standard IPP crypto header files in your enclave and link with sgx_tcrypto.

Remember not to link with the standard IPP crypto library. This won't work because the standard IPP crypto uses the CPUID instruction to initialize the dispatcher.
shivani_g_
Beginner

Hello

Does the sgx_aes_ctr functionality provided in sgx_tcrypto use AES-NI instructions? If not, then is it possible to use AES-NI instruction inside enclave?

Thank You

Surenthar_S_Intel

Changzheng W. (Intel) wrote:

Quote:

Surenthar Selvaraj. (Intel) wrote:

 

The SGX SDK exposes the interface to the 8.x release of IPP. If they include ipp/ippcp.h in a source file in their enclave they will gain access to some RSA functions. In particular:

 

ippsRSAEncrypt

ippsRSADecrypt

ippsRSAGenerate

Hi Surenthar

Thanks.

BTW, could you provide me more detailed information about how to integrate the SGX SDK and Intel IPP?

Do you mean I install the Intel IPP SDK and include it in the enclave like using the sgx_tcrypto library?

An IPP Crypto library variant, optimized for SGX enclave use, is linked into the tcrypto library. There is no need to link the standard IPP crypto product library into an enclave. The application enclave can link in the tcrypto library, and the enclave code can include the IPP header file for function definitions.

-Surenthar
Changzheng_W_Intel

Surenthar Selvaraj. (Intel) wrote:

Quote:

Changzheng W. (Intel) wrote:

 

Quote:

Surenthar Selvaraj. (Intel) wrote:

 

The SGX SDK exposes the interface to the 8.x release of IPP. If they include ipp/ippcp.h in a source file in their enclave they will gain access to some RSA functions. In particular:

 

ippsRSAEncrypt

ippsRSADecrypt

ippsRSAGenerate

Hi Surenthar

Thanks.

BTW, could you provide me more detailed information about how to integrate the SGX SDK and Intel IPP?

Do you mean I install the Intel IPP SDK and include it in the enclave like using the sgx_tcrypto library?

An IPP Crypto library variant, optimized for SGX enclave use, is linked into the tcrypto library. There is no need to link the standard IPP crypto product library into an enclave. The application enclave can link in the tcrypto library, and the enclave code can include the IPP header file for function definitions.

-Surenthar

 

Hi Surenthar

How could I use the IPP crypto library variant you mentioned? I can't find the header files in SGX SDK 1.6 (Linux version).
Surenthar_S_Intel

You install the IPP crypto for Linux first. Then, you can include the standard IPP crypto header files in your enclave and link with sgx_tcrypto.

Remember not to link with the standard IPP crypto library. This won't work because the standard IPP crypto uses the CPUID instruction to initialize the dispatcher.
Juan_d_Intel
Employee

AES-GCM algorithms will use the AES-NI instructions if the corresponding feature bit is enabled, which is typically the case.

Diga_W_
Beginner

Surenthar Selvaraj. (Intel) wrote:

You install the IPP crypto for Linux first. Then, you can include the standard IPP crypto header files in your enclave and link with sgx_tcrypto.

Remember not to link with the standard IPP crypto library. This won't work because the standard IPP crypto uses the CPUID instruction to initialize the dispatcher.

By doing this, do other IPP crypto library functionalities (like big number arithmetic) become available as well? Or will it be just a select number of functionalities?
Juan_d_Intel
Employee

Yes, big number arithmetic and functionality will become available when you link your enclave with sgx_tcrypto.
All IPP crypto API should be supported, with a few exceptions (MD5, SHA224, SHA384, SHA512-224, SM3, and EC-SM2) due to size concerns.
