Proposed CETG spin out "Mini TG": GOST-TG Charter

Markku-Juhani O. Saarinen

Dec 21, 2021, 9:04:55 AM
to secu...@lists.riscv.org, tech-cr...@lists.riscv.org, RISC-V ISA Dev, alexande...@cloudbear.ru
Hello All,

The need (in some markets) for ISA support of Russian symmetric cryptography standards has been recognized by CETG from the start. In a recent meeting, it was decided to try to spin out this work as a separate Task Group whose scope is explicitly limited to the current GOST-R block cipher and hash function standards. CETG can focus on other tasks, such as delivering high-performance vector cryptography in 2022.

GOST-TG is proposed organizationally as a "sub-TG" of Cryptographic Extension TG and will hopefully be sponsored by the Security HC; the charter is on the agenda of the following Security HC meeting on January 6. Feedback, questions, and suggestions are, of course, welcome before that date so that work can get swiftly underway.

Alexander Kozlov of Cloudbear (who gave a talk about the subject at the RISC-V Summit) has kindly agreed to be the acting chair of the GOST-TG. Vice-chairmanship is currently open. I will be acting as a technical liaison.

---

Proposed GOST-TG Charter

RISC-V International is committed to helping members succeed in specialized and regional markets where the flexibility of the RISC-V ISA offers a unique advantage in relation to cryptographic algorithm support and performance.

The focus of the GOST-R Crypto Extension TG (GOST-TG) is to investigate, evaluate, and specify ISA extensions for the implementation of Russian-defined symmetric cryptography. The main algorithms in scope are defined in GOST R 34.12-2015 ("Kuznyechik" and "Magma" block ciphers) and GOST R 34.11-2012 ("Streebog" cryptographic hash function). The goal of the extension is to both improve performance and also to reduce the risk of security vulnerabilities such as timing attacks in RISC-V cryptographic stacks. Quantitative analysis (e.g. modes of operation) is primarily based on use cases in IETF, ETSI, and 3GPP/5G security protocols and required platform security features. The TG may propose both stand-alone extensions and ones that work in conjunction with other extensions (such as vector, scalar cryptography, and bit manipulation).

NOTE. The initial algorithm selection rationale is from GOST / TLS 1.2 ( https://www.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-18.html ) and GOST / TLS 1.3 ( https://www.ietf.org/id/draft-smyshlyaev-tls13-gost-suites-05.html ) which themselves correspond to ratified standard protocol specifications R 1323565.1.020-2020 and R 1323565.1.030-2020.

--- end charter proposal ---

Motivational summary for GOST-TG (which is slightly narrower):

- Gap to be filled: A market for processors and coprocessors supporting GOST-R cryptography exists in Russia, and RISC-V members are well-positioned to meet this demand. There are regulations in place that mandate the use of these algorithms in some use cases. RISC-V already supports equivalent Chinese national ciphers and hashes SM4 and SM3 (as does ARM).

- Deliverables: An optional ISA extension for specific Russian national ciphers. The deliverables match CETG Definition-of-Done: Technical rationale, ISA definitions, specification document, architectural compatibility tests, SAIL, opcode allocation, compiler support, etc. The scope is limited to symmetric cryptography ("Kuznyechik", "Magma", and "Streebog") on both RV32 and RV64.

ps. It should be clear that RISC-V International neither endorses nor discourages the use of GOST-R algorithms over other algorithms -- even though individual members may do so. Local market requirements and the requirement for RISC-V cryptographic middleware compatibility drive this work.

PQShield has no such commercial interests, and hence I'm doing this in personal capability. However, if you have technological/cryptologic comments or questions, I may be able to respond as I've spent substantial time analyzing these algorithms (some of my Russian cryptanalyst counterparts can actually be more reserved when commenting on their design specifics).

On behalf of GOST TG,
- Markku

Dr. Markku-Juhani O. Saarinen <mj...@pqshield.com> PQShield, Oxford UK.