Jing Lin,Weiwei Lin,Hang Lin,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1016/j.comnet.2024.110662

IF: 5.493

2024-01-01

Computer Networks

Abstract:Regular expression matching is pivotal in numerous network applications. With the ever-increasing scale of data center traffic, deploying regular expression matching modules on traditional servers struggles to meet throughput demands. Emerging programmable switches have brought new prospects for high-speed pattern matching. However, deploying regular expression matching onto programmable switches presents the challenge of space explosion incurred by compiling regular expressions into a Deterministic Finite Automata (DFA). In this paper, we introduce P4Rex, a regular expression matching system designed for programmable switches. P4Rex synergistically leverages two following techniques: an efficient regular expression grouping algorithm that partitions regular expressions into different groups to reduce memory consumption, and DFA compression technology to achieve transition sharing. Experimental results demonstrate that P4Rex exhibits an average improvement of 17% and maximum improvement of 30% on memory consumption compared to prior regular expression grouping schemes and saves more than 10x memory consumption compared to deploying DFA directly on programmable switch.

Jingyuan Fan,Chaowen Guan,Kui Ren,Chunming Qiao

DOI: https://doi.org/10.1109/tnet.2018.2846791

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:To eliminate redundant transfers over WAN links and improve network efficiency, middleboxes have been deployed at ingress/egress. These middleboxes can operate on individual packets and are application layer protocol transparent. They can identify and remove duplicated byte strings on the fly. However, with the increasing use of HTTPS, current redundancy elimination (RE) solution can no longer work without violating end-to-end privacy. In this paper, we present RE over encrypted traffic (REET), the first middlebox-based system that supports both intra-user and inter-user packet-level RE directly over encrypted traffic. REET realizes this by using a novel protocol with limited overhead and protects end users from honestbut-curious middleboxes. We implement REET and show its performance for both end users and middleboxes using several hundred gigabytes of network traffic traces collected from a large U.S. university.

Jianting Ning,Geong Sen Poh,Jia-Chng Loh,Jason Chia,Ee-Chien Chang

DOI: https://doi.org/10.1145/3319535.3354204

2019-01-01

Abstract:Network middleboxes perform deep packet inspection (DPI) to detect anomalies and suspicious activities in network traffic. However, increasingly these traffic are encrypted and middleboxes can no longer make sense of them. A recent proposal by Sherry et al. (SIGCOMM 2015), named BlindBox, enables the middlebox to perform inspection in a privacy-preserving manner. BlindBox deploys garbled circuit to generate encrypted rules for the purpose of inspecting the encrypted traffic directly. However, the setup latency (which could be 97s on a ruleset of 3,000 as reported) and overhead size incurred by garbled circuit are high. Since communication can only be commenced after the encrypted rules being generated, such delay is intolerable in many real-time applications. In this work, we present PrivDPI, which reduces the setup delay while retaining similar privacy guarantee. Compared to BlindBox, for a ruleset of 3,000, our encrypted rule generation is 288x faster and requires 290,227x smaller overhead for the first session, and is even 1,036x faster and requires 3424,505x smaller overhead over 20 consecutive sessions. The performance gain is based on a new technique for generating encrypted rules as well as the idea of reusing intermediate results generated in previous sessions across subsequent sessions. This is in contrast to Blindbox which performs encrypted rule generation from scratch for every session. Nevertheless, PrivDPI is 6x slower in generating the encrypted traffic tokens, yet in our implementation, the token encryption rate of PrivDPI is more than 17,271 per second which is sufficient for many real-time applications. Moreover, the intermediate values generated in each session can be reused across subsequent sessions for repeated tokens, which could further speedup token encryption. Overall, our experiment shows that PrivDPI is practical and especially suitable for connections with short flows.

Jie Li,Jinshu Su,Xiaofeng Wang,Hao Sun,Shuhui Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_9

2017-01-01

Abstract:Hardware-based middleboxes are ubiquitous in computer networks, which usually incur high deployment and management expenses. A recently arsing trend aims to address those problems by outsourcing the functions of traditional hardware-based middleboxes to high volume servers in a cloud. This technology is promising but still faces a few challenges. First, the widely adopted data encryption techniques contradict with payload inspection needs of some middleboxes such as DPI and IDS devices. Second, the inspection rules of middleboxes may be commercial properties, thus the middlebox providers want to keep their rules confidential under third-party cloud environments, and this creates hindrances for the cloud to perform outsourced middlebox functions. Third, performance of the outsourced middlebox is an inevitable issue that needs deliberate consideration. In this paper, we propose a cloud-based DPI middlebox implementation which performs payload inspection over encrypted traffic while preserving the privacy of both communication data and inspection rules. Our design employs a modified reversible sketch structure which is used for efficient error-free membership testing, and we utilize unkeyed one-way hash functions instead of complex cryptographic protocols to achieve the privacy preservation requirements. CloudDPI supports a wide range of real-world inspection rules, we conduct evaluations on ClamAV rule set and the experiment results demonstrate the effectiveness of our proposal.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content against a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to software-based or hardware-based implementation where the memory resources are limited.In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called Stride-DFA (StriD(2)FA). In the instance of LBM that we realize, a speedup of 10-15 is achievable while the required memory size is much less than that in the traditional DFA.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.

Liron Schiff,Stefan Schmid

DOI: https://doi.org/10.1109/spw.2016.34

2016-05-01

Abstract:Traffic inspection is a fundamental building block of many security solutions today. For example, to prevent the leakage or exfiltration of confidential insider information, as well as to block malicious traffic from entering the network, most enterprises today operate intrusion detection and prevention systems that inspect traffic. However, the state-of-the-art inspection systems do not reflect well the interests of the different involved autonomous roles. For example, employees in an enterprise, or a company outsourcing its network management to a specialized third party, may require that their traffic remains confidential, even from the system administrator. Moreover, the rules used by the intrusion detection system, or more generally the configuration of an online or offline anomaly detection engine, may be provided by a third party, e.g., a security research firm, and can hence constitute a critical business asset which should be kept confidential. Today, it is often believed that accounting for these additional requirements is impossible, as they contradict efficiency and effectiveness. We in this paper explore a novel approach, called Privacy Preserving Inspection (PRI), which provides a solution to this problem, by preserving privacy of traffic inspection and confidentiality of inspection rules and configurations, and e.g., also supports the flexible installation of additional Data Leak Prevention (DLP) rules specific to the company.

Fan Zhang,Ziyuan Liang,Cong Zuo,Jun Shao,Jianting Ning,Jun Sun,Joseph K. Liu,Yibao Bao

DOI: https://doi.org/10.1109/tcad.2020.3022841

IF: 2.9

2020-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Proxy re-encryption (PRE) allows a proxy to transform one ciphertext to another under different encryption keys while keeping the underlying plaintext secret. Because of the ciphertext transformability of PRE, there are many potential private communicating applications of this feature. However, existing PRE schemes are not as full-fledged as expected. The lack of necessary features makes them hard to apply in real-world scenarios. So far, there does not exist a unidirectional multihop PRE scheme with constant decryption efficiency and constant ciphertext size without extensions. Impractical performance and weak scalability also hinder PRE from most real-world applications. In this work, we present a new PRE scheme with secure hardware enclave named hPRESS (hardware-enhanced PRE scheme using secure enclave). To the best of our knowledge, hPRESS is the first unidirectional multihop PRE scheme which achieves both constant decryption efficiency and constant ciphertext size without extensions. A detailed security analysis demonstrates that our proposal is CCA secure based on the security of the underlying encryption schemes and the secure enclave. We also implement a prototype based on Intel SGX, one of the most popular secure enclave techniques in recent years, and evaluate its performance. The experimental results show that, compared with previous PRE schemes, our hPRESS is almost one order of magnitude faster in terms of the decryption and transformation.

WeiDong Zhong,Xu An Wang,Ziqing Wang,Yi Ding

DOI: https://doi.org/10.1109/CIS.2011.217

2011-01-01

Abstract:Proxy re-encryption (PRE) allows a proxy to transform a cipher text for Alice (delegator) to be the one which can be decrypted by Bob (delegatee). Since it is introduced by Blaze et al. in 1998, many variants of PRE have been proposed. In this paper, we concentrate on two of them: anonymous conditional proxy re-encryption (ACPRE) and constrained proxy re-encryption with keyword search (PRES). Conditional proxy re-encryption (CPRE) is a primitive which only allows those cipher texts satisfying the condition can be re-encrypted correctly by the proxy. Anonymous conditional proxy re-encryption (ACPRE) requires the proxy not knowing which condition the cipher text associated with. PRES is a primitive which allows the proxy simultaneously re-encrypt and search the delegator's cipher text. Based on the PRES proposed by Shao et al., We show the definition of constrained proxy re-encryption with keyword search (CPRES), give its security models and discuss its potential applications. At last, based on a concrete ACPRE scheme, we construct a concrete CPRES scheme.

Fucai Luo,Haiyan Wang,Willy Susilo,Xingfu Yan,Xiaofan Zheng

DOI: https://doi.org/10.1109/tifs.2024.3357240

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:Proxy re-encryption (PRE), as a promising cryptographic primitive for secure data sharing in clouds, has been widely studied for decades. PRE allows the proxies to use the re-encryption keys to convert ciphertexts computed under the delegator's public key into ones that can be decrypted using the delegatees' secret keys, without knowing anything about the underlying plaintext. This delegable property of decryption rights enables flexible cloud data sharing, but it raises an important issue: if some proxies reveal their re-encryption keys, or collude with some delegatees to create a pirate decoder, then anyone who gains access to the pirate decoder can decrypt all ciphertexts computed under the delegator's public key without the delegator's permission. This paper opens up a potentially new avenue of research to address the above (re-encryption) key abuse problem by proposing the first public trace-and-revoke PRE system, where the malicious delegatees and proxies involved in the generation of a pirate decoder can be identified by anyone who gains access to the pirate decoder, and their decryption capabilities can subsequently be revoked by the content distributor. Our construction is multi-hop, supports user revocation and public (black-box) traceability, and achieves significant efficiency advantages over previous constructions. Technically, our construction is a generic transformation from inner-product functional PRE (IPFPRE) that we introduce to trace-and-revoke PRE. In addition, we instantiate our generic construction of trace-and-revoke PRE from the Learning with Errors (LWE) assumption, which was widely believed to be quantum-resistant. This is achieved by proposing the first LWE-based IPFPRE scheme, which may be of independent interest. Finally, we conduct a comprehensive performance evaluation of our LWE-based trace-and-revoke PRE scheme, and the experimental results show that the proposed LWE-based trace-and-revoke PRE scheme is practical and outperforms current state-of-the-art traceable PRE schemes.

computer science, theory & methods,engineering, electrical & electronic

Hao Ren,Hongwei Li,Dongxiao Liu,Guowen Xu,Nan Cheng,Xuemin Shen,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/tcc.2020.2991167

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:With the increasing traffic volume, enterprises choose to outsource their middlebox services, such as deep packet inspection, to the cloud to acquire rich computational and communication resources. However, since the traffic is redirected to the public cloud, information leakages, such as packet payload and inspection rules, arouse privacy concerns of both middlebox owner and packet senders. To address the concerns, we propose an efficient verifiable deep packet inspection (EV-DPI) scheme with strong privacy guarantees. Specifically, a two-layer architecture is designed and deployed over two non-collusion cloud servers. The first layer fast filters out most of legitimate packets and the second layer supports exact rule matching. During the inspection, the privacy of packet payload and the confidentiality of inspection rules are well preserved. To improve the efficiency, only fast symmetric crypto-systems, such as hash functions, are used. Moreover, the proposed scheme allows the network administrator to verify the execution results, which offers a strong control of outsourced services. To validate the performance of the proposed EV-DPI scheme, we conduct extensive experiments on the Amazon Cloud. Large-scale dataset (millions of packets) is tested to obtain the key performance metrics. The experimental results demonstrate that EV-DPI not only preserves the packet privacy, but also achieves high packet inspection efficiency.

computer science, information systems, theory & methods

Minjun Deng,Kai Zhang,Pengfei Wu,Mi Wen,Jianting Ning

DOI: https://doi.org/10.1109/tcc.2023.3293134

IF: 5.697

2023-01-01

IEEE Transactions on Cloud Computing

Abstract:Secure outsourced middleboxes are deployed in network function virtualization services that detect malicious activities on communications, which provides privacy-preserving deep packet inspection (DPI) over encrypted traffic. To boost filtering efficiency of packets, the two-layer middlebox architecture has been adopted in recent DPI systems. Nevertheless, state-of-the-art solutions based on two-layer architecture mainly suffer from two limitations: i) cannot support dynamic rule addition; ii) failed to inspect discontinuous token for rule matching. To address these limitations, this work proposes an efficient, dynamic and continuous DPI (DCDPI) system in secure outsourced middleboxes. To achieve dynamic rule addition with forward privacy, we refine a data structure called virtual binary tree (VBTree) and further introduce a variant of VBTree for DCDPI, termed VBTree+. VBTree+ supports two new desirable features: i) taking the rule action information into consideration; ii) achieving both rule identifier and rule action hiding. By introducing a token continuity check mechanism, DCDPI can effectively identify discontinuous tokens and categorize continuous tokens into one group. The extensive experiment over the real dataset and rule set confirms the practicality and efficiency of DCDPI. Compared to state-of-the-art works with same setting, DCDPI is 18% $\sim$ 110% more efficient for a connection establishment between gateway/client and server.

Zengpeng Li,Chunguang Ma,Ding Wang,Minghao Zhao,Qian Zhao,Lu Zhou

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.300

2017-01-01

Abstract:Proxy re-encryption (PRE) is an important cryptographic primitive used for private information sharing. However, the recent advance in quantum computer has potentially crippled its security, as the traditional decisional Diffie-Hellman (DDH)-based PRE is venerable to the quantum attack. Thus, learning with errors (LWE)-based PRE schemes, as a kind of latticebased construction with the inherent quantum-resistant property, has attracted special research interest. Unfortunately, the main drawback of lattice-based public key encryption scheme is noise management after multiplication evaluation. Many cryptographers have been devoted to controlling the expansion of noise. In this line of work, Dagdelen-Gajek-G̈opfert (DGG) put forth the notion of learning with errors in the exponent (LWEE) which is based on lattice and group-theoretic assumption, meanwhile demonstrated a paradigm for constructing efficient quantum resistance public key schemes. In this paper, on top of DGG, we construct a single-bit, single-hop and unidirectional LWEE- based PRE scheme with indistinguishable chosen plaintext attack (IND-CPA) security. To the best of our knowledge, our scheme is the first LWEE-based PRE scheme.

Geong Sen Poh,Dinil Mon Divakaran,Hoon Wei Lim,Jianting Ning,Achintya Desai

DOI: https://doi.org/10.48550/arXiv.2101.04338

2021-01-12

Cryptography and Security

Abstract:Middleboxes in a computer network system inspect and analyse network traffic to detect malicious communications, monitor system performance and provide operational services. However, encrypted traffic hinders the ability of middleboxes to perform such services. A common practice in addressing this issue is by employing a "Man-in-the-Middle" (MitM) approach, wherein an encrypted traffic flow between two endpoints is interrupted, decrypted and analysed by the middleboxes. The MitM approach is straightforward and is used by many organisations, but there are both practical and privacy concerns. Due to the cost of the MitM appliances and the latency incurred in the encrypt-decrypt processes, enterprises continue to seek solutions that are less costly. There were discussion on the many efforts required to configure MitM. Besides, MitM violates end-to-end privacy guarantee, raising privacy concerns and issues on compliance especially with the rising awareness on user privacy. Furthermore, some of the MitM implementations were found to be flawed. Consequently, new practical and privacy-preserving techniques for inspection over encrypted traffic were proposed. We examine them to compare their advantages, limitations and challenges. We categorise them into four main categories by defining a framework that consist of system architectures, use cases, trust and threat models. These are searchable encryption, access control, machine learning and trusted hardware. We first discuss the man-in-the-middle approach as a baseline, then discuss in details each of them, and provide an in-depth comparisons of their advantages and limitations. By doing so we describe practical constraints, advantages and pitfalls towards adopting the techniques. We also give insights on the gaps between research work and industrial deployment, which leads us to the discussion on the challenges and research directions.

Zhengxiong Luo,Kai Liang,Yanyang Zhao,Feifan Wu,Junze Yu,Heyuan Shi,Yu Jiang

DOI: https://doi.org/10.14722/ndss.2024.24083

2024-01-01

Abstract:Automatic protocol reverse engineering is essential for various security applications.While many existing techniques achieve this task by analyzing static network traces, they face increasing challenges due to their dependence on high-quality samples.This paper introduces DYNPRE, a protocol reverse engineering tool that exploits the interactive capabilities of protocol servers to obtain more semantic information and additional traffic for dynamic inference.DYNPRE first processes the initial input network traces and learns the rules for interacting with the server in different contexts based on session-specific identifier detection and adaptive message rewriting.It then applies exploratory request crafting to obtain semantic information and supplementary samples and performs real-time analysis.Our evaluation on 12 widely used protocols shows that DYNPRE identifies fields with a perfection score of 0.50 and infers message types with a V-measure of 0.94, significantly outperforming state-of-the-art methods like Netzob, Netplier, FieldHunter, BinaryInferno, and Nemesys, which achieve average perfection and V-measure scores of (0.15, 0.72), (0.16, 0.73), (0.15, 0.83), (0.15, -), and (0.31, -), respectively.Furthermore, case studies on unknown protocols highlight the effectiveness of DYNPRE in real-world applications.

Wei Zhang,Yibo Xue,Dongsheng Wang,Tian Song

DOI: https://doi.org/10.1109/apcsac.2008.4625475

2008-01-01

Abstract:Pattern matching and regular expression matching are all the critical components for content inspection based applications. But current regular expression matching algorithms or architecture cannot provide a perfect solution for whole matching problem. In some real network security applications, exact strings are the biggest part of rule set, and the second part is simple regular expressions (dot-star and AND-logic), and the other complex regular expressions only occupy a very small part. So, we propose a new hardware-based multiple simple regular expression matching architecture, called MSRM, for Dot-Star and AND-logic regular expressions. Firstly, software compiler splits simple regular expressions into exact strings and relations. Multi-string-matching module judges whether strings match and outputs the matched ID. Based on these matched information and pre-generated RAM data, MSRM can judge whether dot-star and AND-logic regular expressions are satisfied easily and quickly. Experiments with random test data and ClamAV rule set show that MSRM can achieve a high throughput of 2.1 and 2.8 Gbps using Virtex2 and Virtex4 devices respectively which is much higher than software algorithms.

Shangqi Lai,Xingliang Yuan,Shi-Feng Sun,Joseph K. Liu,Ron Steinfeld,Amin Sakzad,Dongxi Liu

DOI: https://doi.org/10.48550/arXiv.2001.01848

2020-01-07

Cryptography and Security

Abstract:Network Function Virtualisation (NFV) advances the adoption of composable software middleboxes. Accordingly, cloud data centres become major NFV vendors for enterprise traffic processing. Due to the privacy concern of traffic redirection to the cloud, secure middlebox systems (e.g., BlindBox) draw much attention; they can process encrypted packets against encrypted rules directly. However, most of the existing systems supporting pattern matching based network functions require the enterprise gateway to tokenise packet payloads via sliding windows. Such tokenisation induces a considerable communication overhead, which can be over 100$\times$ to the packet size. To overcome this bottleneck, in this paper, we propose the first bandwidth-efficient encrypted pattern matching protocol for secure middleboxes. We resort to a primitive called symmetric hidden vector encryption (SHVE), and propose a variant of it, aka SHVE+, to achieve constant and moderate communication cost. To speed up, we devise encrypted filters to reduce the number of accesses to SHVE+ during matching highly. We formalise the security of our proposed protocol and conduct comprehensive evaluations over real-world rulesets and traffic dumps. The results show that our design can inspect a packet over 20k rules within 100 $\mu$s. Compared to prior work, it brings a saving of $94\%$ in bandwidth consumption.

Jianting Ning,Xinyi Huang,Geong Sen Poh,Shengmin Xu,Jia-Ch'ng Loh,Robert H. Deng,Jian Weng

DOI: https://doi.org/10.1007/978-3-030-58951-6_1

2020-01-01

Abstract:Transport Layer Security Inspection (TLSI) enables enterprises to decrypt, inspect and then re-encrypt users’ traffic before it is routed to the destination. This breaks the end-to-end security guarantee of the TLS specification and implementation. It also raises privacy concerns since users’ traffic is now known by the enterprises, and third-party middlebox providers providing the inspection services may additionally learn the inspection or attack rules, policies of the enterprises. Two recent works, BlindBox (SIGCOMM 2015) and PrivDPI (CCS 2019) propose privacy-preserving approaches that inspect encrypted traffic directly to address the privacy concern of users’ traffic. However, BlindBox incurs high preprocessing overhead during TLS connection establishment, and while PrivDPI reduces the overhead substantially, it is still notable compared to that of TLSI. Furthermore, the underlying assumption in both approaches is that the middlebox knows the rule sets. Nevertheless, with the services increasingly migrating to third-party cloud-based setting, rule privacy should be preserved. Also, both approaches are static in nature in the sense that addition of any rules requires significant amount of preprocessing and re-instantiation of the protocols.

Chenglong Gao,Kai Chen,Qiang Wang,Zhixian Chen

DOI: https://doi.org/10.1109/access.2022.3144725

IF: 3.9

2022-01-01

IEEE Access

Abstract:Public-key dual-receiver encryption (PK-DRE) is a kind of particular public-key encryption for enabling two independent recipients to obtain the same plaintext from the same ciphertext. Due to its dual-receiver property, PK-DRE is quite helpful in many scenarios, such as deniable authentication, global key escrow, security puzzle, and even blockchain. In this paper, we revisit the PK-DRE scheme $\mathtt {CFZ}14$ proposed at CT-RSA 2014 and propose a variant. This variant is original from a new security proof which allows us to remove some steps in $\mathtt {CFZ}14$ . To the best of our knowledge, the obtained variant is more efficient than the existing PK-DRE schemes in terms of public verifiability and key size.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ming Cong,Hong An,Lu Cao,Yuan Liu,Peng Li,Tao Wang,Zhi-hong Yu,Dong Liu

DOI: https://doi.org/10.1007/978-3-642-12189-0_38

2010-01-01

Abstract:Regular Expression (RE) is widely used in many aspects due to its high expressiveness, flexibility and compactness, which requires a high-performance and efficient matching method. A novel approach to accelerate RE pattern matching based on Pattern-Unit (PUREM) is proposed here, in which Pattern-Unit matching is accomplished by a Reconfigurable Function Unit (RFU). The RFU can be integrated into the pipeline of CPU architecture and shares matching jobs with software, without wrecking the compatibility of applications. Compared with other works, our approach offers a flexible mechanism under which hardware does NOT need to vary with RE patterns, and it holds the scalability that can be easily extended to most RE applications and software. For validation, the PUREM HW/SW system has been implemented on the Snort v2.8 and PCRE v7.6 applications. The experimental results show a significant speedup of 3~4x compared to the software performance on a 2GHz Pentium IV machine, where our RFU logic mapped onto Xilinx Virtex-5 XC5VLX50 only takes up 17% resource.