The NIST LightWeight Cryptography (LWC) selection process aims to standardise cryptographic functionality which is suitable for resource-constrained devices. Since the outcome is likely to have significant, long-lived impact, careful evaluation of each submission with respect to metrics explicitly outlined in the call is imperative. Beyond the robustness of submissions against cryptanalytic attack, metrics related to their implementation (e.g., execution latency and memory footprint) form an important example. Aiming to provide evidence allowing richer evaluation with respect to such metrics, this paper presents the design, implementation, and evaluation of one separate Instruction Set Extension (ISE) for each of the 10 LWC final round submissions, namely Ascon, Elephant, GIFT-COFB, Grain-128AEADv2, ISAP, PHOTON-Beetle, Romulus, Sparkle, TinyJAMBU, and Xoodyak; although we base the work on use of RISC-V, we argue that it provides more general insight.
Disciplines: Computer science
Author, co-author:
Cheng, Hao ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > APSIA
Groszschädl, Johann ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
Marshall, Ben ; PQShield Ltd
Page, Dan ; University of Bristol > Department of Computer Science
Pham, Thinh ; University of Bristol > Department of Computer Science
External co-authors: yes
Language: English
Title: RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography
Publication date: November 2022
Event name: Conference on Cryptographic Hardware and Embedded Systems (CHES 2023)
Event place: Prague, Czechia
Event date: from 10-09-2023 to 14-09-2023
Audience: International
Journal title: IACR Transactions on Cryptographic Hardware and Embedded Systems