Public review for RISC-V Vector Cryptography Extensions
200 views
Skip to first unread message
Krste Asanovic
Jun 24, 2023, 2:30:17 AM6/24/23
to RISC-V ISA Dev, tech-a...@lists.riscv.org, Earl Killian
On behalf of the Crypto Task Group, we are thrilled to announce the start of the public review period for the following proposed standard extensions to the RISC-V ISA:
- Zvk - Vector Crypto (rollup of all of the following extensions)
- Zvbb - Vector Bit-manipulation used in Cryptography
- Zvbc - Vector Carryless Multiplication
- Zvkg - Vector GCM/GMAC
- Zvkned - NIST Suite: Vector AES Block Cipher
- Zvknha - NIST Suite: Vector SHA-2 Secure Hash: SHA-256
- Zvknhb - NIST Suite: Vector SHA-2 Secure Hash: SHA-512 and SHA-256
- Zvksed - ShangMi Suite: SM4 Block Cipher
- Zvksh - ShangMi Suite: SM3 Secure Hash
- Zvkn - NIST Algorithm Suite
- Zvknc - NIST Algorithm Suite with carryless multiply
- Zvkng - NIST Algorithm Suite with GCM
- Zvks - ShangMi Algorithm Suite
- Zvksc - ShangMi Algorithm Suite with carryless multiplication
- Zvksg - ShangMi Algorithm Suite with GCM
- Zvkt - Vector Data-Independent Execution Latency
The review period begins today, Tuesday June 23, 2023, and ends on Thursday July 23, 2023 (inclusive).
This extension is part of the Unprivileged Specification.
These extensions are described in the PDF spec available at: https://github.com/riscv/riscv-crypto/releases
The latest version is https://github.com/riscv/riscv-crypto/releases/download/v20230620/riscv-crypto-spec-vector.pdf
which was generated from the source available in the following GitHub repo:
To respond to the public review, please either email comments to the public isa-dev mailing list or add issues and/or pull requests (PRs) to the RISC-V Crypto GitHub repo: https://github.com/riscv/riscv-crypto/tree/master/doc/vector. We welcome all input and appreciate your time and effort in helping us by reviewing the specification.
During the public review period, corrections, comments, and suggestions will be gathered for review by the RISC-V Crypto Task Group. Any minor corrections and/or uncontroversial changes will be incorporated into the specification. Any remaining issues or proposed changes will be addressed in the public review summary report. If there are no issues that require incompatible changes to the public review specification, the Unprivileged ISA Committee will recommend the updated specifications be approved and ratified by the RISC-V Technical Steering Committee and the RISC-V Board of Directors.
Thanks to all the contributors for all their hard work.
Krste Asanovic, Chair, Unprivileged ISA Committee
Earl Killian, Vice-Chair, Unprivileged ISA Committee
James Cloos
Jun 24, 2023, 4:56:12 AM6/24/23
to 'Krste Asanovic' via RISC-V ISA Dev, tech-a...@lists.riscv.org, Krste Asanovic, Earl Killian
quick q:
i recently read that work is underway towards a version of aes with
256-bit blocks. how will support for that be added to these extensions?
-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
i recently read that work is underway towards a version of aes with
256-bit blocks. how will support for that be added to these extensions?
-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
Markku-Juhani O. Saarinen
Jun 24, 2023, 5:49:12 AM6/24/23
to James Cloos, tech-cr...@lists.riscv.org, 'Krste Asanovic' via RISC-V ISA Dev, tech-a...@lists.riscv.org, Earl Killian
On Sat, Jun 24, 2023 at 10:56 AM James Cloos <cl...@jhcloos.com> wrote:
quick q:
i recently read that work is underway towards a version of aes with
256-bit blocks. how will support for that be added to these extensions?
Hi,
If such a thing is standardised, then we can consider it. However, NIST has no plans to standardize AES with 256-bit block size at the moment. This would also need to be in widespread use and offer quantitative and security advantages to to motivate inclusion into the RISC-V ISA.
From 2023 perspective it would be seem more sensible to use permutation-based cryptography in applications anyway (e.g. Keccak AEAD modes), given that FIPS 202 already specifies a 1600-bit permutation. (The security margin of 24-round Keccak f-1600 is massive compared to any variant of Rijndael, including the one with 256-bit block cipher -- which has always existed, see below.)
ps. Occasionally amateur cryptographers peddle "improved" AES-like designs; these are of varying quality and almost never worth the effort. Even if they manage to not introduce additional security problems with their modifications, it's good to remember Rijndael is a 1990s era design. We have learned much since that time. As an important example, the designers of Rijndael were not really aware of side-channel engineering considerations.
Of course a 256-bit block size version of Rijndael has existed for 25 years. NIST just standardized the 128-bit block size version as AES. "Rijndael is an iterated block cipher with a variable block length and a variable key length. The block length and the key length can be independently specified to 128, 192 or 256 bits." https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
Cheers,
- markku
-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
--
You received this message because you are subscribed to the Google Groups "RISC-V ISA Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isa-dev+u...@groups.riscv.org.
To view this discussion on the web visit https://groups.google.com/a/groups.riscv.org/d/msgid/isa-dev/m3r0q1nsrp.fsf%40carbon.jhcloos.org.
Reply all
Reply to author
Forward
0 new messages