Status at a glance:
- Current Definition-of-Done Status: Stable
- Next Definition-of-Done Status: Freeze
  - (allows start of formal public review period)
Scalar Crypto Specification:
Lightweight instruction set extensions for RV32 and RV64 HARTs. Proposed extensions:
- Extensions fully defined in the Scalar Crypto Specification: K, Zkn, Zks, Zkr, Zkne, Zknd, Zknh, Zksed, Zksh
- Shared with the Bit-Manipulation Specification: Zkg, Zkb
Specification
- Latest Draft Scalar Crypto Specification (v0.9.0)
- Stable
- What's next:
  - Needs translation into ASCIIDOC.
    - Expecting this to happen after the specification is frozen, possibly post public review.
  - Incorporate results of the OpCode consistency review from Ken, once available.
- Roadmap:
  - Next version will include any feedback from the opcode consistency review, plus any small cleanups and editorial work.
    - aes32* and sm4* encodings will change to remove the `rt` field.
    - Change the aes64ks1i "rcon" immediate to "rnum".
  - v1.0.0 will be the public review version.
Encoding/OpCode consistency review
- Opcodes and encodings proposed
- Instruction extensions (instruction groupings) proposed
- Submitted to review task group
  - The Bit-Manipulation shared subsets are being reviewed first as part of the Bit-Manipulation specification review.
    - Proposed as Zkg (clmul) and Zkb (specific crypto-required bit-manipulation commands)
- The proposed Scalar Crypto-unique subsets are next in line for review:
  - K (Krypto):
    - Zkn (full NIST Suite): Zkne (NIST encrypt suite), Zknd (NIST decrypt suite), Zknh (NIST hash suite), Zkg, Zkb (see above)
    - Zkr (random entropy source)
    - Zks (full ShangMi Suite): Zksed (SM4 encrypt/decrypt suite), Zksh (SM3 hash suite), Zkg, Zkb (see above)
- OpCode and Consistency Review page
- What's next: Respond to OpCode and Consistency Review comments, once available, and achieve consensus on any changes.
  - We need to discuss the aes32* and sm4* rt encodings.
    - Comments from others, and Andrew particularly, suggest that having distinct rd/rs1/rs2 is acceptable and that we over-estimated the importance of minimising encoding cost.
    - We will likely be reverting to the original form of these instructions, with separate rd/rs1/rs2, before public review.
Architecture Tests
- Test plan for the scalar-crypto specific instructions is available.
- No actual tests suitable for use are currently available. An old experimental set needs removing from the riscv-crypto repository, as these no longer work with the latest toolchain or architectural test framework.
- What's next:
  - Imperas have a complete set of tests, written to the existing test plan, for the scalar crypto instructions and the bitmanip instructions we borrow.
    - There is an open pull request in the riscv-arch-test repository, with many thanks to Imperas.
    - They form a base we can use to develop prototype implementations / Spike / SAIL / QEMU very easily and quickly.
  - IIT Madras are also looking at writing the scalar crypto tests for integration into the official architectural tests repo as well.
    - Agreed SoW for IITM
    - They will re-implement the tests as part of the blessed coverage and test generation tooling.
    - We then switch over to using the IIT tests when they are finished, since they will be easier to maintain/extend going forward than the Imperas tests.
  - YAML config changes for K have been merged in. See here.
Compilers / Toolchains
Imperas maintain pre-built toolchains for various in-progress RISC-V extensions here. See the "rvk-*" branches for scalar crypto.
GCC and Assembler
- Experimental / development toolchain available in the riscv-crypto repository.
  - This cannot be up-streamed, but can be used for development work for now.
- Intrinsics proposal from Markku
- PLCT Lab are starting this work in an up-streamable way.
  - Expecting an update next week, i.e. by March 20th.
LLVM
- Work will be done by PLCT Lab under the group contributor model.
- Meeting on Weds 10th Feb to discuss progress.
  - Slides from PLCT Update Weds 10th Feb
- See link to Intrinsics proposal, above
Simulators
Though all listed under "simulators", these are actually a collection of formal model / virtual machine / architectural simulators / DV simulators etc.
SAIL
- Currently working on getting support merged in upstream in PR#80
  - Support for all scalar-crypto dedicated instructions is present.
  - Support for the entropy source is still the main point of discussion.
  - No support for Bitmanip. The Bitmanip TG is waiting until after the opcode and consistency review to start writing SAIL code.
  - This PR is "paused" until the next release of the scalar crypto spec, which will bring some functional changes to the `aes32*` and `sm4*` instructions.
Spike
- Upstream support has been merged in as of PR#635
  - Support for all scalar crypto specific instructions and the entropy source.
  - The only feature left is to enable the right Bitmanip instructions when K is enabled. Currently, one must include "b" in the Spike `--isa=` argument.
- PR#649 has now been merged. Support is now consistent with v0.9.0.
riscvOVPSimPlus
- Imperas Commercial Simulator
- Freeware version
- Support for:
  - Crypto-scalar v0.7.2, v0.81 + Bitmanip subsets
  - Bitmanip 0.92, 0.93
  - Functional coverage collection.
QEMU
- Work will be done by PLCT Lab under the group contributor model.
- Github repository
- Continuous integration status
- Next meeting will be on or about April 1st 2021
Proof-of-Concept implementations
Hardware
Project Name | Base Architecture | Level of implementation | Notes |
---|---|---|---|
Stand-alone functional units | RV32/64 | Yosys Synthesis | Stand-alone functional-unit style implementations of the dedicated scalar crypto instructions. Free to use as "drop-ins" for prototyping. |
scarv-cpu | RV32 | Behavioural RTL simulation / Yosys Synthesis / FPGA | Completely Public/Open Source. Useful as a public baseline. Commercial implementations should aim to be better than this! |
PQShield security core | RV32 | (assumed) Behavioural RTL simulation. Running on FPGA. | Closed / commercial source - PQShield. |
Minidice TRNG | N/A | FPGA Implementation | Closed / commercial source - PQShield. Complete implementation of the RISC-V entropy source. |
Romain Dolbeau / VexRISC-V | RV32 | Running on FPGA. | Uses VexRiscv core as a base. Completely independent implementation from scratch, outside the Crypto TG. |
IQonIC Works RV32IC_P5 | RV32 | In development | "implemented Zkn (...), along with selectable Zb* and Zkb. We also have an optional custom extension that does AES block encrypt/decrypt, and a bus-based AES/cipher-mode accelerator. Work in progress benchmarking them on FPGA to compare relative performance in accelerating crypto library functions." |
croyde-riscv | RV64 | Behavioural RTL simulation / Yosys Synthesis / FPGA | 3-stage RV64 micro-controller, rv64imck. Free/Open source. Something commercial implementations should aim to better. Implements everything except Zkr. |
- We still need RV64 implementations.
- Barry Spinney has offered to do advanced node synthesis runs for open source implementations.
  - I (Ben) intend to take him up on this when I get time. No idea when that will be.
Software
Project/Maintainer | Description |
---|---|
Romain Dolbeau | Independent implementations of various important ciphers + modes of operation. |
rvkrypto-fips / Markku | "FIPS 140-3 and higher-level algorithm Tests for RISC-V Crypto Extension" |
riscv-crypto benchmarks | Initial benchmarks used to develop the scalar crypto extension. |
ABI Extensions
- None required