I am working on a project that does a large amount of hashing, signing, and both asymmetric and symmetric encryption. Since these steps have a significant effect on our performance and available load, I was wondering if there is a hardware based solution to offloading the work.
I have done some surfing to find out, and the only items I can find are dedicated to SSL based communications. I need a more generic solution that will allow me to speed up signing and encryption regardless of where it occurs.
Is it possible to adapt these SSL based solutions (maybe it’s just marketing and it would be easy to re-use elsewhere)? Is there a good generic co-processor that can help out?
I need this on a Windows Server 2008 based box, but I would be interested in solutions on any platform.
If the algorithms you’re working on are standard encryption algorithms like 3DES and AES, there is definitely hardware available. Hifn is the most well known, but Broadcom also has a line of chips from their BlueSteel acquisition a number of years ago. nCipher also has a line of encryption products, though when last I looked at them (years ago) they were much more focussed on their secure key management hardware than the acceleration of block algorithms.
Even cards designed for SSL may be useful to you, though you’ll need to get access to the low level details. The biggest win for SSL hardware is an exponentiator and wide multipler unit, both of which are generally accessible independently in the hardware I know of. If you’re using asymmetric encryption algorithms, these two units would likely be useful to you as well.
You should also check whether a more efficient software implementation is available. For example, Dan Bernstein and Peter Schwabe published a paper in September 2008 regarding optimization of AES for modern CPUs. The software implementation has been placed in the public domain (i.e. disavow all copyright, use it however you like).
Finally, future AMD (and probably Intel) CPUs will include SSE5, which adds instructions specifically useful for AES. If you can hold out until then, your next server upgrade may provide all the hardware support you need.