"Brief Comments on Rijndael-256 and the Standard RISC-V Cryptography Extensions"

Markku-Juhani O. Saarinen

Jun 26, 2025, 1:40:06 PM
to ciphermodes-forum
Hi All,

The attached memo "Brief Comments on Rijndael-256 and the Standard RISC-V Cryptography Extensions" ( https://mjos.fi/doc/rij256-rvv.pdf ) contains a straightforward evaluation of Rijndael-256 on RISC-V Vector targets. 

The memo was submitted as a comment to NIST on June 25th in response to their call ( https://csrc.nist.gov/news/2024/nist-proposes-to-standardize-wider-variant-of-aes )

The related GitHub source code repository is https://github.com/mjosaarinen/rij256-rv

This work was conducted in January 2025 as part of the cryptography ISA design evaluation at RISC-V International. However, this note was submitted in a personal capacity; I alone am responsible for all errors and omissions.

ABSTRACT. We evaluate the implementation aspects of Rijndael-256 using the ratified RISC-V Vector Cryptography extension Zvkn. A positive finding is that Rijndael-256 can be implemented in constant time with the existing RISC-V ISA as the critical AES and fixed crossbar permutation instructions are in the DIEL (data-independent execution latency) set. Furthermore, simple tricks can be used to expand the functionality of key expansion instructions to cover the additional round constants required. However, due to the required additional byte shuffle in each round, Rijndael-256 will be significantly slower than AES-256 in terms of throughput. Without additional ISA modifications, the instruction count will be increased by the required switching of the ELEN ("effective element width") parameter in each round between 8 bits (byte shuffle) and 32 bits (AES round instructions). Instruction counts for 1-kilobyte encryption and decryption with Rijndael-256 are a factor of $2.66\times$ higher than with AES-256. The precise amount of throughput slowdown depends on the microarchitectural details of a particular RISC-V ISA hardware instantiation, but it may be substantial with some high-performance vector AES architectures due to the breakdown of AES pipelining and the relative slowness of crossbar permutation instructions.

Cheers,
-Markku

Dr. Markku-Juhani O. Saarinen <mj...@iki.fi>
rij256-rvv.pdf
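
The per-round byte shuffle mentioned in the abstract, as an added example (not code from the memo or the rij256-rv repository): AES round instructions hard-wire the 128-bit ShiftRows offsets, so a fixed 32-byte permutation applied first makes AES ShiftRows on the two halves equal Rijndael-256 ShiftRows. The index table is derived here from the Rijndael Nb=8 offsets (0, 1, 3, 4); all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Rijndael-256 (Nb=8) row shift offsets; AES (Nb=4) uses 0,1,2,3. */
static const int C256[4] = { 0, 1, 3, 4 };

/* Reference ShiftRows on the 4x8 state, column-major: index = 4*col + row. */
void rij256_shiftrows(uint8_t out[32], const uint8_t in[32]) {
    for (int c = 0; c < 8; c++)
        for (int r = 0; r < 4; r++)
            out[4 * c + r] = in[4 * ((c + C256[r]) % 8) + r];
}

/* ShiftRows as hard-wired into an AES round on one 128-bit block. */
void aes_shiftrows(uint8_t out[16], const uint8_t in[16]) {
    for (int c = 0; c < 4; c++)
        for (int r = 0; r < 4; r++)
            out[4 * c + r] = in[4 * ((c + r) % 4) + r];
}

/* Fixed gather table (t[i] = in[idx[i]]) that undoes the AES offsets and applies
   the Rijndael-256 ones. Returns how many bytes move to the other 128-bit half. */
int build_shuffle(uint8_t idx[32]) {
    int cross = 0;
    for (int h = 0; h < 2; h++)              /* destination half */
        for (int d = 0; d < 4; d++)          /* column within that half */
            for (int r = 0; r < 4; r++) {
                int src = (4 * h + ((d - r) & 3) + C256[r]) % 8;
                idx[4 * (4 * h + d) + r] = (uint8_t)(4 * src + r);
                cross += (src / 4 != h);
            }
    return cross;
}

/* Shuffle, then AES ShiftRows per half; returns 1 if equal to the reference. */
int shuffle_matches_reference(void) {
    uint8_t in[32], idx[32], t[32], a[32], b[32];
    for (int i = 0; i < 32; i++) in[i] = (uint8_t)(0xA0 ^ i); /* constructed input */
    build_shuffle(idx);
    for (int i = 0; i < 32; i++) t[i] = in[idx[i]];
    aes_shiftrows(b, t);
    aes_shiftrows(b + 16, t + 16);
    rij256_shiftrows(a, in);
    return memcmp(a, b, 32) == 0;
}

int main(void) {
    uint8_t idx[32];
    printf("match=%d cross=%d\n", shuffle_matches_reference(), build_shuffle(idx));
}
```

Because SubBytes acts on single bytes and MixColumns on single columns, matching ShiftRows is enough for an AES round on each half to compute a Rijndael-256 round. Half of the 32 bytes change halves, so the shuffle has to gather across the whole 256-bit state rather than within each 128-bit half.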