GOST 28147-89 encryption on x86 and GPU processors
Encryption acceleration GOST 28147–89
With the development of IT technology, the volume of data transmitted over the global Internet, located in networked storages and processed in the "clouds" has increased dramatically. Some of this data is confidential, therefore, it is necessary to ensure their protection against unauthorized access. Encryption is traditionally used to protect confidential data, and symmetric encryption algorithms, such as the well-known block algorithm, AES, are used when encrypting large volumes. To comply with Russian law when encrypting such information as personal data, it is necessary to use the national symmetric block encryption algorithm GOST 28147–89. The data encryption operation is quite expensive and requires additional time for data processing, resulting in reduced performance and increased latency.
To reduce this negative effect when protecting data, it is necessary to increase the encryption speed. Basically, encryption algorithms are implemented in software, but they use hardware methods to achieve high speeds. Unfortunately, in modern x86 architecture processors, hardware-based encryption acceleration is implemented only for the AES standard (AES-NI instruction set). This standard is based on a special algebraic structure, and other encryption standards can be accelerated using AES-NI instructions only if their structure matches AES (for example, Camellia).When implementing GOST 28147–89, AES-NI instructions cannot be used, but other approaches can be used to accelerate encryption. For example, multi-block encryption - one encryption software stream processes several blocks in parallel. But to parallelize the processing of a single data array (Fig. 1) only in those encryption modes GOST 28147–89, where there is no feedback between the processed blocks (gamming, ECB). For modes with feedback between the blocks (CFB, MAC), you can use parallel processing of several blocks from different encryption streams (Fig. 2). With this approach, the encryption speed of GOST 28147–89 can be measured in ECB mode without loss of generality. At the same time, it is worth noting the buffer size for each such encryption stream - it should not exceed 4 KB (sector size on the HDD).
Acceleration of GOST 28147–89 on the central processor (CPU) using SIMD technologies
Modern x86 architecture processors (as well as ARM, PowerPC, etc.) contain a vector computing unit for parallel processing of several data streams using SIMD technology (single instruction, multiple data). This CPU unit can be effectively used for multiblock encryption GOST 28147–89. The greatest effect is achieved due to the hardware instruction for mixing PSHUFB data (Fig. 3), which allows one to significantly accelerate the nonlinear transformation (hereinafter S-box) in the algorithm. In combination with the extensions of the AVX (or AVX2) commands and the ability of x86 architecture processors to execute several commands in parallel (out-of-order execution), multi-block encryption provides high speed even for one processor core.
Acceleration of GOST 28147–89 on the central processor (CPU) on general purpose registers
When implementing GOST 28147–89 on general-purpose registers for the S-box operation, a 4 KB pre-calculation table is compiled (A. Vinokurov was the first to propose). Such an approach requires many operations of non-linear memory access, and the speed of such an implementation of the encryption algorithm depends on the CPU memory subsystem. For the Intel Sandy Bridge / Ivy Bridge architecture, the encryption performance in this case is 60 cycles / byte. In this architecture, there are 2 ports for loading data (LD - load data) in each CPU core, which allows multi-block encryption and, in this case, to encrypt 2 blocks in parallel.
Acceleration of GOST 28147–89 on the graphic processor (GPU)
To further accelerate encryption according to GOST 28147–89, we investigated heterogeneous systems (CPU + GPU). The development of the GPU architecture has led them to come closer to the CPU in terms of their capabilities, both in programming methods and in hardware. But using the GPU as an encryption accelerator is fraught with a number of technical problems. Typically, a graphics accelerator is a peripheral device that connects to the CPU via the PCI Express data bus. This brings to the implementation of any algorithm using the technology of general computing on graphic accelerators (GPGPU) additional operations for copying data from the CPU memory to the GPU memory and vice versa, but this effect can be reduced by pipelining data processing (Fig. 5). Kernels in modern GPUs are similar in structure to blocks of vector computing in CPUs.

Conclusion
According to its high-speed characteristics, GOST 28147–89 encryption approaches AES and can become a good alternative to it. If you combine encryption on the CPU and GPU, you can achieve encryption speed per node at 53 GB / s (platform 2 CPU Intel Xeon E5-2697 v3 + 4 GPU Nvidia GeForce GTX 980). We briefly list the areas where such encryption speeds may be in demand. Firstly, for encryption of networks of the standard 40 Gbit / s and 80 Gbit / s, which will be implemented in the next versions of Continental software complex. Secondly, in the distributed network disk storages. Currently, the Security Code is developing a pass-through encryptor for the iSCSI protocol. Thirdly, the encryption operation itself can be sold as a service in cloud services - the cloud client pays extra for encrypting his data or connection.