RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography

[en] The NIST LightWeight Cryptography (LWC) selection process aims to standardise cryptographic functionality which is suitable for resource-constrained devices. Since the outcome is likely to have significant, long-lived impact, careful evaluation of each submission with respect to metrics explicitly outlined in the call is imperative. Beyond the robustness of submissions against cryptanalytic attack, metrics related to their implementation (e.g., execution latency and memory footprint) form an important example. Aiming to provide evidence allowing richer evaluation with respect to such metrics, this paper presents the design, implementation, and evaluation of one separate Instruction Set Extension (ISE) for each of the 10 LWC final round submissions, namely Ascon, Elephant, GIFT-COFB, Grain-128AEADv2, ISAP, PHOTON-Beetle, Romulus, Sparkle, TinyJAMBU, and Xoodyak; although we base the work on use of RISC-V, we argue that it provides more general insight.

Disciplines :

Sciences informatiques

Auteur, co-auteur :

CHENG, Hao ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > APSIA

GROSZSCHÄDL, Johann ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)

Marshall, Ben; PQShield Ltd

Page, Dan; University of Bristol > Department of Computer Science

Pham, Thinh; University of Bristol > Department of Computer Science

Co-auteurs externes :

yes

Langue du document :

Anglais

Titre :

RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography

Date de publication/diffusion :

novembre 2022

Nom de la manifestation :

Conference on Cryptographic Hardware and Embedded Systems (CHES 2023)

Lieu de la manifestation :

Prague, République Tchèque

Date de la manifestation :

from 10-09-2023 to 14-09-2023

Manifestation à portée :

International

Titre du périodique :

IACR Transactions on Cryptographic Hardware and Embedded Systems

eISSN :

2569-2925

Maison d'édition :

Ruhr-Universität Bochum, Bochum, Allemagne

Volume/Tome :

2023

Fascicule/Saison :

Pagination :

193-237

Peer reviewed :

Peer reviewed vérifié par ORBi

Focus Area :

Computational Sciences

URL complémentaire :

https://tches.iacr.org/index.php/TCHES/article/view/9951

Projet FnR :

FNR13641232 - Analysis And Protection Of Lightweight Cryptographic Algorithms, 2019 (01/01/2021-31/12/2023) - Alex Biryukov

Disponible sur ORBilu :

depuis le 07 avril 2023

Statistiques

Nombre de vues

247 (dont 32 Unilu)

Nombre de téléchargements

108 (dont 4 Unilu)

Voir plus de statistiques

citations Scopus^®

citations Scopus^®
sans auto-citations

citations OpenAlex

Bibliographie

[AAB+16] K. Asanović, R. Avizienis, J. Bachrach, S. Beamer, D. Biancolin, C. Celio, H. Cook, D. Dabbelt, J. Hauser, A. Izraelevitz, S. Karandikar, B. Keller, D. Kim, J. Koenig, Y. Lee, E. Love, M. Maas, A. Magyar, H. Mao, M. Moreto, A. Ou, D.A. Patterson, B. Richards, C. Schmidt, S. Twigg, H. Vo, and A. Waterman. The rocket chip generator. Technical Report UCB/EECS-2016-17, EECS Department, University of California, Berkeley, 2016. http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-17.html.
[ANP20] A. Adomnicai, Z. Najm, and T. Peyrin. Fixslicing: A new GIFT repre-sentation: Fast constant-time implementations of GIFT and GIFT-COFB on ARM Cortex-M. IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2020(3):402–427, 2020. https://doi.org/10. 13154/tches.v2020.i3.402-427.
[AO21] Ö. Altınay and B. Örs. Instruction extension of RV32I and GCC back end for Ascon lightweight cryptography algorithm. In International Conference on Omni-Layer Intelligent Systems (COINS), pages 1–6, 2021. https://doi. org/10.1109/COINS51742.2021.9524190.
[AP20a] A. Adomnicai and T. Peyrin. Fixslicing-application to some NIST LWC round 2 candidates. In 4-th Lightweight Cryptography Workshop, 2020. https://csrc.nist.gov/Events/2020/lightweight-cryptography-workshop-2020.
[AP20b] A. Adomnicai and T. Peyrin. Fixslicing AES-like ciphers: New bitsliced AES speed records on ARM-Cortex M and RISC-V. IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2021(1):402–425, 2020. https://doi.org/10.46586/tches.v2021.i1.402-425.
[BBdS+20a] C. Beierle, A. Biryukov, L. Cardoso dos Santos, J. Großschädl, L. Perrin, A. Udovenko, V. Velichkov, and Q. Wang. Alzette: a 64-bit ARX-box (feat. CRAX and TRAX). In Advances in Cryptology (CRYPTO), LNCS 12172, pages 419–448. Springer-Verlag, 2020. https://doi.org/10.1007/978-3-030-56877-1_15.
[BBdS+20b] C. Beierle, A. Biryukov, L. Cardoso dos Santos, J. Großschädl, L. Perrin, A. Udovenko, V. Velichkov, and Q. Wang. Lightweight AEAD and hashing using the Sparkle permutation family. IACR Transactions on Symmetric Cryptology, 2020(S1):208–261, 2020. https://doi.org/10.13154/tosc. v2020.iS1.208-261.
[BBdS+21] C. Beierle, A. Biryukov, L. Cardoso dos Santos, J. Großschädl, Amir Moradi, L. Perrin, A.R. Shahmirzadi, A. Udovenko, V. Velichkov, and Q. Wang. Schwaemm and esch: Lightweight authenticated encryption and hashing using the sparkle permutation family. Submission to NIST (version 1.2), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/sparkle-spec-final.pdf.
[BCD+21] Z. Bao, A. Chakraborti, N. Datta, J. Guo, M. Nandi, T. Peyrin, and K. Yasuda. PHOTON-beetle. Submission to NIST, 2021. https://csrc.nist. gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/photon-beetle-spec-final.pdf.
[BCDM21] T. Beyne, Y.L. Chen, C. Dobraunig, and B. Mennink. Elephant. Submission to NIST (version 2.0), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/elephant-spec-final.pdf.
[BCI+21] S. Banik, A. Chakraborti, T. Iwata, K. Minematsu, M. Nandi, T. Peyrin, Y. Sasaki, S.M. Sim, and Y. Todo. GIFT-COFB. Submission to NIST (version 1.1), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/gift-cofb-spec-final.pdf.
[Ber20] D.J. Bernstein. Cryptographic competitions. Cryptology ePrint Archive, Report 2020/1608, 2020. https://eprint.iacr.org/2020/1608.
[BGM09] S. Bartolini, R. Giorgi, and E. Martinelli. Instruction set extensions for cryptographic applications. In Ç.K. Koç, editor, Cryptographic Engineer-ing, chapter 9, pages 191–233. Springer, 2009. https://doi.org/10.1007/978-0-387-71817-0_9.
[BJK+16] C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, and S.M. Sim. The SKINNY family of block ciphers and its low-latency variant MANTIS. In Advances in Cryptology (CRYPTO), LNCS 9815, pages 123–153. Springer-Verlag, 2016. https://doi.org/10.1007/978-3-662-53008-5_5.
[BKL+07] A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe. PRESENT: An ultra-lightweight block cipher. In Cryptographic Hardware and Embedded Systems (CHES), LNCS 4727, pages 450–466. Springer-Verlag, 2007. https://doi.org/10. 1007/978-3-540-74735-2_31.
[BKL+13] A. Bogdanov, M. Knezevic, G. Leander, D. Toz, K. Varici, and I. Verbauwhede. SPONGENT: The design space of lightweight cryptographic hashing. IEEE Transactions on Computers, 62(10):2041–2053, 2013. https://doi.org/10. 1109/TC.2012.196.
[BPP+17] S. Banik, S.K. Pandey, T. Peyrin, Y. Sasaki, S.M. Sim, and Y. Todo. GIFT: A small present-towards reaching the limit of lightweight encryp-tion. In Cryptographic Hardware and Embedded Systems (CHES), LNCS 10529, pages 321–345. Springer-Verlag, 2017. https://doi.org/10.1007/978-3-319-66787-4_16.
[CDPA16] C. Celio, P. Dabbelt, D.A. Patterson, and K. Asanović. The renewed case for the reduced instruction set computer: Avoiding ISA bloat with macro-op fusion for RISC-V. CoRR, abs/1607.02318, 2016. https://arxiv.org/abs/1607.02318.
[CJL+20] F. Campos, L. Jellema, M. Lemmen, L. Müller, D. Sprenkels, and B. Viguier. Assembly or optimized C for lightweight cryptography on RISC-V? In Cryptology and Network Security (CANS), LNCS 12579, pages 526–545. Springer-Verlag, 2020. https://doi.org/10.1007/978-3-030-65411-5_ 26.
[CP20] L. Choquin and F. Piry. Arm custom instructions: Enabling innovation and greater flexibility on Arm. Technical report, Arm Ltd., 2020. https://www.arm.com/why-arm/technologies/custom-instructions.
[DEM+21] C. Dobraunig, M. Eichlseder, S. Mangard, F. Mendel, B. Mennink, R. Primas, and T. Unterluggauer. ISAP. Submission to NIST (version 2.0), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/isap-spec-final.pdf.
[DEMS21] C. Dobraunig, M. Eichlseder, F. Mendel, and M. Schläffer. Ascon. Submission to NIST (version 1.2), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf.
[DGK19] N. Drucker, S. Gueron, and V. Krasnov. Making AES great again: The forthcoming vectorized AES instruction. In Information Technology New Generations (ITNG), AISC 800, pages 37–41. Springer-Verlag, 2019. https://doi.org/10.1007/978-3-030-14070-0_6.
[DHAK18] J. Daemen, S. Hoffert, G. Van Assche, and R. Van Keer. The design of Xoodoo and Xoofff. IACR Transactions on Symmetric Cryptology, 2018(4):1–38, 2018. https://doi.org/10.13154/tosc.v2018.i4.1-38.
[DHM+21] J. Daemen, S. Hoffert, S. Mella, M. Peeters, G. van Assche, and R. van Keer. Xoodyak, a lightweight cryptographic scheme. Submission to NIST (version 2.0), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/xoodyak-spec-final.pdf.
[GGM+21] S. Gao, J. Großschädl, B. Marshall, D. Page, T. Pham, and F. Regaz-zoni. An instruction set extension to support software-based mask-ing. IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2021(4):283–325, 2021. https://doi.org/10.46586/tches. v2021.i4.283-325.
[GIK+21] C. Guo, T. Iwata, M. Khairallah, K. Minematsu, and T. Peyrin. Ro-mulus. Submission to NIST (version 1.3), 2021. https://csrc.nist. gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/romulus-spec-final.pdf.
[GPP11] J. Guo, T. Peyrin, and A. Poschmann. The PHOTON family of lightweight hash functions. In Advances in Cryptology (CRYPTO), LNCS 6841, pages 222–239. Springer-Verlag, 2011. https://doi.org/10.1007/978-3-642-22792-9_13.
[Gue09] S. Gueron. Intel’s new AES instructions for enhanced performance and security. In Fast Software Encryption (FSE), LNCS 5665, pages 51–66. Springer-Verlag, 2009. https://doi.org/10.1007/978-3-642-03317-9_4.
[HJM07] M. Hell, T. Johansson, and W. Meier. Grain: a stream cipher for constrained environments. International Journal of Wireless and Mobile Computing, 2(1):86–93, 2007. https://doi.org/10.1504/IJWMC.2007.013798.
[HJM+21] M. Hell, T. Johansson, A. Maximov, W. Meier, J. Sön-nerup, and H. Yoshida. Grain-128AEADv2. Submission to NIST (version 2.0), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/grain-128aead-spec-final.pdf.
[HKSS12] Y. Hori, T. Katashita, A. Sasaki, and A. Satoh. SASEBO-GIII: A hardware security evaluation board equipped with a 28-nm FPGA. In IEEE Global Conference on Consumer Electronics, pages 657–660, 2012. https://doi. org/10.1109/GCCE.2012.6379944.
[HV11] A. Hakkala and S. Virtanen. Accelerating cryptographic protocols: A review of theory and technologies. In Communication Theory, Reliability, and Quality of Service (CTRQ), pages 103–109, 2011.
[Jel19] L. Jellema. Optimizing Ascon on RISC-V. BSc thesis, Radboud University, 2019. https://www.cs.ru.nl/bachelors-theses/2019/Lars_Jellema___ 4388747___Optimizing_Ascon_on_RISC-V.pdf.
[KJJ99] P.C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Advances in Cryptology (CRYPTO), LNCS 1666, pages 388–397. Springer-Verlag, 1999. https://doi.org/10.1007/3-540-48405-1_25.
[Lem20] M. Lemmen. Optimizing Elephant for RISC-V. BSc thesis, Radboud University, 2020. https://www.cs.ru.nl/bachelors-theses/2020/Mauk_ Lemmen___4798937___Optimizing_Elephant_for_RISC-V.pdf.
[MBTM17] K. McKay, L. Bassham, M.S. Turan, and N. Mouha. Report on lightweight cryptography. Technical report, 2017. https://doi.org/10.6028/NIST.IR. 8114.
[MNP+21] B. Marshall, G.R. Newell, D. Page, M.-J.O. Saarinen, and C. Wolf. The design of scalar AES instruction set extensions for RISC-V. IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2021(1):109–136, 2021. https://doi.org/10.46586/tches.v2021.i1.109-136.
[MOP07] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, 2007. https://doi.org/10.1007/978-0-387-38162-6.
[MP21] B. Marshall and D. Page. SME: Scalable Masking Extensions. Cryptology ePrint Archive, Paper 2021/1416, 2021. https://eprint.iacr.org/2021/1416.
[MPC00] L. May, L. Penna, and A. Clark. An implementation of bitsliced DES on the Pentium MMX™ processor. In Australasian Conference on Information Security and Privacy (ACISP), LNCS 1841, pages 112–122. Springer-Verlag, 2000. https://doi.org/10.1007/10718964_10.
[NIK04] K. Nadehara, M. Ikekawa, and I. Kuroda. Extended instructions for the AES cryptography and their efficient implementation. In Signal Processing Systems (SIPS), pages 152–157, 2004. https://doi.org/10.1109/SIPS. 2004.1363041.
[NOOS95] E. Nahum, S. O’Malley, H. Orman, and R. Schroeppel. Towards high performance cryptographic software. In High Performance Communication Subsystems (HPCS), pages 69–72, 1995. https://doi.org/10.1109/HPCS. 1995.662009.
[rHJM11] M. Ågren, M. Hell, T. Johansson, and W. Meier. Grain128a: a new version of Grain-128 with optional authentication. International Journal of Wireless and Mobile Computing, 5(1):48–59, 2011. https://doi.org/10.1504/IJWMC. 2011.044106.
[RI16] F. Regazzoni and P. Ienne. Instruction set extensions for secure applications. In Design, Automation, and Test in Europe (DATE), pages 1529–1534, 2016.
[RPM20] S. Renner, E. Pozzobon, and J. Mottok. A hardware in the loop benchmark suite to evaluate NIST LWC ciphers on microcontrollers. In International Conference on Information and Communications Security (ICICS), LNCS 12282, pages 495–509. Springer-Verlag, 2020. https://doi.org/10.1007/978-3-030-61078-4_28.
[Saa20] M.-J.O. Saarinen. A lightweight ISA extension for AES and SM4. 2020. https://ascslab.org/conferences/secriscv/program.html.
[SCA07] Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. National Institute of Standards and Technology (NIST) Special Publication 800-38D, 2007.
[SCA16] Oracle SPARC architecture 2011. Technical Report D1.0.0, Oracle Corp., 2016. https://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/140521-ua2011-d096-p-ext-2306580.pdf.
[SCA18a] Intel 64 and IA-32 architectures – software developer’s manual (volume 1: Basic architecture). Technical Report 325383-067US, Intel Corp., 2018. http://software.intel.com/en-us/articles/intel-sdm.
[SCA18b] Power ISA. Technical Report 2.07 B, IBM, 2018. https://ibm.ent.box. com/s/jd5w15gz301s5b5dt375mshpq9c3lh4u.
[SCA18c] Submission requirements and evaluation criteria for the lightweight cryptography standardization process, 2018. https://csrc.nist. gov/CSRC/media/Projects/Lightweight-Cryptography/documents/final-lwc-submission-requirements-august2018.pdf.
[SCA19] The RISC-V instruction set manual. Technical Report Volume I: User-Level ISA (version 20190608-Base-Ratified), 2019. http://riscv.org/specifications.
[SCA20] Arm architecture reference manual: Armv8, for Armv8-A architecture pro-file. Technical report, 2020. https://static.docs.arm.com/ddi0487/fa/DDI0487F_a_armv8_arm.pdf.
[SCA21] RISC-V bit-manipulation ISA-extensions (version 1.0.0). Technical report, 2021. https://github.com/riscv/riscv-bitmanip.
[SCA22] RISC-V cryptographic extension proposals. Technical Report Volume I: Scalar & Entropy Source Instructions (version 1.0.1), 2022. https://github. com/riscv/riscv-crypto.
[SP21] S. Steinegger and R. Primas. A fast and compact RISC-V accelerator for Ascon and friends. In Smart Card Research and Advanced Applications (CARDIS), LNCS 12609, pages 53–67. Springer-Verlag, 2021. https://doi. org/10.1007/978-3-030-68487-7_4.
[TGSMD20] E. Tehrani, T. Graba, A. Si-Merabet, and J.-L. Danger. RISC-V extension for lightweight cryptography. In Euromicro Conference on Digital System Design (DSD), pages 222–228, 2020. https://doi.org/10.1109/DSD51259. 2020.00045.
[TMC+21] M.S. Turan, K. McKay, D. Chang, Ç. Çalık, L. Bassham, J. Kang, and J. Kelsey. Status report on the second round of the NIST lightweight cryptography standardization process. Technical report, 2021. https://doi.org/10.6028/NIST.IR.8369.
[TMcc+19] M.S. Turan, K. McKay, Ç. Çalık, D. Chang, and L. Bassham. Status report on the first round of the NIST lightweight cryptography standardization process. Technical report, 2019. https://doi.org/10.6028/NIST.IR.8268.
[Wat16] A. Waterman. Design of the RISC-V Instruction Set Architecture. PhD thesis, University of California at Berkeley, 2016. https://people.eecs. berkeley.edu/~krste/papers/EECS-2016-1.pdf.
[WH21] H. Wu and T. Huang. TinyJAMBU. Submission to NIST (version 2.0), 2021. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/tinyjambu-spec-final.pdf.