The design of scalar AES Instruction Set Extensions for RISC-V

Secure and efficient execution of AES is an essential requirement for most computing platforms, and many ISAs therefore include dedicated Instruction Set Extensions (ISEs) for it. RISC-V is a (relatively) new ISA that lacks such a standardised ISE. We survey the state-of-the-art industrial and academic ISEs for AES, implement and evaluate five different ISEs, one of which is novel, and make recommendations for standardisation. We consider the side-channel security implications of the ISE designs, demonstrating how an implementation of one candidate ISE can be hardened against Differential Power Analysis (DPA)-style attacks. We also explore how the proposed standard Bit-manipulation extension to RISC-V can be harnessed for an efficient, constant-time implementation of AES-GCM, whose GHASH component is a polynomial multiplication in GF(2^128) that maps directly onto carry-less multiply instructions. Our work supports the ongoing RISC-V cryptography extension standardisation process.
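As an added illustration of the AES-GCM point (example code written for this page, not code from the paper or from the RISC-V specifications): the GHASH multiplication in GF(2^128) built from 64-bit carry-less multiplies. The `clmul`/`clmulh` functions are software models whose semantics are assumed to match the ratified Zbc/Zbkc instructions (low and high 64 bits of the 128-bit carry-less product; the paper targets the then-draft B extension). The function names `gf128_mul`, `ghash` and `gcm_tc2_check` are this example's own. The result is checked against GCM Test Case 2 of the McGrew and Viega specification (K = 0^128, IV = 0^96, P = 0^128), whose H, C, X1 and GHASH values are embedded below.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Polynomial over GF(2): bit j of lo is the coefficient of x^j, hi continues at x^64. */
typedef struct { uint64_t lo, hi; } poly128;

/* Software models of the RISC-V carry-less multiply instructions. Assumption:
 * clmul = low 64 bits, clmulh = high 64 bits of the 128-bit carry-less product,
 * as in the ratified Zbc/Zbkc. Fixed trip count and masks instead of
 * data-dependent branches, so the model is constant-time like the hardware. */
static uint64_t clmul(uint64_t a, uint64_t b) {
    uint64_t r = 0;
    for (int i = 0; i < 64; i++) r ^= (0 - ((b >> i) & 1)) & (a << i);
    return r;
}
static uint64_t clmulh(uint64_t a, uint64_t b) {
    uint64_t r = 0;
    for (int i = 1; i < 64; i++) r ^= (0 - ((b >> i) & 1)) & (a >> (64 - i));
    return r;
}

/* GCM numbers bits from the most significant bit of the first byte: bit i of the
 * block is the coefficient of x^i. Reflect into and out of machine word order
 * (on hardware: byte swap plus brev8). */
static poly128 block_to_poly(const uint8_t b[16]) {
    poly128 p = {0, 0};
    for (int i = 0; i < 128; i++) {
        uint64_t c = (b[i >> 3] >> (7 - (i & 7))) & 1;
        if (i < 64) p.lo |= c << i; else p.hi |= c << (i - 64);
    }
    return p;
}
static void poly_to_block(poly128 p, uint8_t b[16]) {
    memset(b, 0, 16);
    for (int i = 0; i < 128; i++) {
        uint64_t c = (i < 64) ? (p.lo >> i) & 1 : (p.hi >> (i - 64)) & 1;
        b[i >> 3] |= (uint8_t)(c << (7 - (i & 7)));
    }
}

/* z = x * y in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (the GCM field):
 * schoolbook 128x128 product (4 clmul + 4 clmulh), then fold the high 128 bits
 * twice using x^128 == x^7 + x^2 + x + 1 (0x87). z may alias x or y. */
void gf128_mul(const uint8_t x[16], const uint8_t y[16], uint8_t z[16]) {
    poly128 a = block_to_poly(x), b = block_to_poly(y);
    uint64_t r0 = clmul(a.lo, b.lo);
    uint64_t r1 = clmulh(a.lo, b.lo) ^ clmul(a.hi, b.lo) ^ clmul(a.lo, b.hi);
    uint64_t r2 = clmulh(a.hi, b.lo) ^ clmulh(a.lo, b.hi) ^ clmul(a.hi, b.hi);
    uint64_t r3 = clmulh(a.hi, b.hi);
    const uint64_t R = 0x87;
    uint64_t t0 = clmul(r2, R);
    uint64_t t1 = clmulh(r2, R) ^ clmul(r3, R);
    uint64_t t2 = clmulh(r3, R);          /* degree < 7: one more fold suffices */
    t0 ^= clmul(t2, R);
    poly128 zp = { r0 ^ t0, r1 ^ t1 };
    poly_to_block(zp, z);
}

/* GHASH_H(A, C) per NIST SP 800-38D: AAD blocks, then ciphertext blocks (zero
 * padded), then the big-endian 64-bit bit lengths of A and C; each block is
 * absorbed as Y = (Y ^ block) * H. */
void ghash(const uint8_t h[16], const uint8_t *aad, size_t alen,
           const uint8_t *ct, size_t clen, uint8_t out[16]) {
    uint8_t y[16] = {0}, blk[16];
    const uint8_t *in[2] = { aad, ct };
    size_t len[2] = { alen, clen };
    for (int s = 0; s < 2; s++)
        for (size_t off = 0; off < len[s]; off += 16) {
            size_t n = len[s] - off < 16 ? len[s] - off : 16;
            memset(blk, 0, 16);
            memcpy(blk, in[s] + off, n);
            for (int i = 0; i < 16; i++) y[i] ^= blk[i];
            gf128_mul(y, h, y);
        }
    uint64_t abits = (uint64_t)alen * 8, cbits = (uint64_t)clen * 8;
    for (int i = 0; i < 8; i++) {
        y[i]     ^= (uint8_t)(abits >> (56 - 8 * i));
        y[8 + i] ^= (uint8_t)(cbits >> (56 - 8 * i));
    }
    gf128_mul(y, h, y);
    memcpy(out, y, 16);
}

static int hexval(char c) { return c <= '9' ? c - '0' : (c | 0x20) - 'a' + 10; }
static void unhex(const char *s, uint8_t *o, size_t n) {
    for (size_t i = 0; i < n; i++) o[i] = (uint8_t)(hexval(s[2 * i]) << 4 | hexval(s[2 * i + 1]));
}

/* GCM Test Case 2 (McGrew and Viega spec): K = 0^128, IV = 0^96, P = 0^128,
 * H = AES_K(0^128), C the single ciphertext block. Returns 1 when both the
 * single multiplication X1 = C * H and the full GHASH match the spec. */
int gcm_tc2_check(void) {
    uint8_t h[16], c[16], want[16], got[16];
    unhex("66e94bd4ef8a2c3b884cfa59ca342b2e", h, 16);
    unhex("0388dace60b6a392f328c2b971b2fe78", c, 16);
    unhex("5e2ec746917062882c85b0685353deb7", want, 16);   /* X1 = C * H */
    gf128_mul(c, h, got);
    if (memcmp(got, want, 16) != 0) return 0;
    unhex("f38cbb1ad69223dcc3457ae5b6b0f885", want, 16);   /* GHASH_H(empty, C) */
    ghash(h, NULL, 0, c, 16, got);
    return memcmp(got, want, 16) == 0;
}
```

On hardware the eight `clmul`/`clmulh` calls in `gf128_mul` and the four in the reduction become twelve instructions with no memory access, which is the point of the approach: a table-driven GHASH leaks its input through cache timing, whereas the carry-less multiply path has no data-dependent branch or load. `gcm_tc2_check()` returns 1 when the implementation reproduces the specification's values.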
