...
- Current Definition-of-Done Status: Stable
- Next
...
...
- Status: Freeze
- (allows start of formal public review period)
Scalar Crypto Specification:
...
- Extensions fully defined in the Scalar Crypto Specification: K, Zkn, Zks, Zkr, Zkne, Zknd, Zknh, Zkse, Zksd, Zksh
- Shared with the Bit-Manipulation Specification: Zkg, Zkb
Status by Topic:
...
Status (what's done, and not done), and What's next
links to GitHub, etc., as relevant to each of the topics here
links to PLTC and IIT Madras status pages, TBD
Specification
- Draft Scalar Crypto Specification (v0.8.1)
- Stable
- What's next:
- Needs translation into AsciiDoc
- Incorporate results of OpCode consistency review, once available
Encoding/OpCode consistency review
- Opcodes and encodings proposed
- Instruction extensions (instruction groupings) proposed
- Submitted to review task group
- The Bit-Manipulation shared subsets are being reviewed first as part of Bit-Manipulation specification review
- Proposed as Zkg (clmul) and Zkb (the specific bit-manipulation instructions the crypto extensions require)
- The Proposed Scalar Crypto-unique subsets are next in line for review:
- K (Krypto):
- Zkn (full NIST Suite): Zkne (NIST encrypt suite), Zknd (NIST decrypt suite), Zknh (NIST hash suite), Zkg, Zkb (see above)
- Zkr (random entropy source)
- Zks (full ShangMi Suite): Zkse (SM encrypt suite), Zksd (SM decrypt suite), Zksh (SM hash suite), Zkg, Zkb (see above)
- OpCode and Consistency Review page
- What's next: Respond to OpCode and Consistency Review comments, once available, and achieve consensus on any changes
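The grouping above is a small implication hierarchy (K pulls in Zkn, Zkr and Zks; Zkn and Zks each pull in their suite-specific leaves plus the shared Zkg and Zkb). The following is an added example, not code from the task group or the riscv-crypto repository: it transcribes that hierarchy as proposed on this page (an assumption, since the review may still change it) and uses it to answer the question a toolchain or test-plan author actually has, namely which leaf extensions a group name implies, and what a given core is missing before it can claim a group. Names are matched case-insensitively because the page itself mixes "Zkne" and "ZKne".

```python
"""Expand RISC-V scalar-crypto extension names into the leaf extensions they imply.

Added example, not part of the task-group page or the riscv-crypto repo.
The implication table is transcribed from the grouping proposed on the page
(K -> Zkn, Zkr, Zks; Zkn -> Zkne, Zknd, Zknh, Zkg, Zkb; Zks -> Zkse, Zksd,
Zksh, Zkg, Zkb) and is therefore an assumption that tracks the proposal,
not the ratified specification.
"""

# Direct implications, one level deep; expand() computes the transitive closure.
IMPLIES = {
    "k":   {"zkn", "zkr", "zks"},
    "zkn": {"zkne", "zknd", "zknh", "zkg", "zkb"},
    "zks": {"zkse", "zksd", "zksh", "zkg", "zkb"},
}

# Leaf extensions: fully defined in the scalar crypto spec, or shared with Bitmanip (zkg, zkb).
LEAVES = {"zkne", "zknd", "zknh", "zkse", "zksd", "zksh", "zkr", "zkg", "zkb"}


def expand(ext):
    """Return the set of leaf extensions implied by `ext`, transitively.

    Raises ValueError for a name that is neither a group nor a known leaf,
    so a typo such as "Zkhn" is reported instead of silently contributing nothing.
    """
    name = ext.lower()
    if name in LEAVES:
        return {name}
    if name not in IMPLIES:
        raise ValueError(f"unknown scalar crypto extension: {ext}")
    result, seen, stack = set(), set(), [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for sub in IMPLIES.get(cur, ()):
            if sub in LEAVES:
                result.add(sub)
            else:
                stack.append(sub)
    return result


def expand_all(exts):
    """Union of the leaf extensions implied by every name in `exts`."""
    out = set()
    for e in exts:
        out |= expand(e)
    return out


def missing_for(required, implemented):
    """Sorted leaf extensions that `required` needs but `implemented` does not provide."""
    return sorted(expand(required) - expand_all(implemented))


def satisfies(required, implemented):
    """True if the extensions in `implemented` cover everything `required` implies."""
    return not missing_for(required, implemented)


if __name__ == "__main__":
    # Constructed example: a core advertising the NIST suites and the entropy
    # source, but nothing from the ShangMi suite.
    core = ["Zkne", "Zknd", "Zknh", "Zkg", "Zkb", "Zkr"]
    print(sorted(expand("K")))
    print(satisfies("Zkn", core))
    print(missing_for("K", core))
```

The check is deliberately strict in one direction only: a core that implements the Zkse/Zksd/Zksh leaves but not Zkg and Zkb does not satisfy Zks, because the shared Bitmanip subsets are part of the suite as proposed here, not an optional add-on.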
Architecture Tests
- Test plan for the scalar-crypto specific instructions is available.
- No tests suitable for use are currently available. An old experimental set needs removing from the riscv-crypto repository, as it no longer works with the latest toolchain or architectural test framework.
- What's next: Currently exploring two paths:
...
- Imperas have a complete set of tests, written to the existing test plan, for the scalar crypto instructions and the bitmanip instructions we borrow.
- Some work required to re-generate them in a form suitable for merging into the main architectural test suite.
- No exact estimate for how much work this is in days/weeks.
- IIT Madras are looking at writing the scalar crypto tests for integration into the official architectural tests repo as well.
- No estimate for how long that would take yet.
- Possible path forward:
- Ask Imperas to contribute their complete scalar-crypto + bitmanip subset tests.
- IIT Madras can then write the coverage plan for the architectural test framework.
- Any future changes to the contributed tests would need to be carefully managed, as they were not generated with the RISC-V test generator tool.
GCC and Assembler
- Experimental / development toolchain available in the riscv-crypto repository.
- This cannot be up-streamed, but can be used for development work for now.
- Upstreamable support is work in progress with PQShield.
- Progress so far:
SAIL
- Currently working on getting support merged upstream in PR#80
Spike
- Upstream support has been merged in as of PR#635
- Support for all scalar-crypto-specific instructions and the entropy source.
- The only feature left is to enable the right Bitmanip instructions when K is enabled. Currently, one must also include "b" in Spike's "--isa=" argument.
- Some pending bug fixes in PR#649
LLVM
- No work started yet.
- Work will be done by PLTC lab under the group contributor model.
QEMU
- No work started yet.
- Work will be done by PLTC lab under the group contributor model.
Proof-of-Concept hardware implementations
Project Name | Base Architecture | Level of implementation | Notes
---|---|---|---
scarv-cpu | RV32 | Behavioural RTL simulation. Running on FPGA. Post-yosys synthesis results. | Completely public/open source. Useful as a public baseline. Commercial implementations should aim to be better than this! |
PQShield security core | RV32 | (assumed) Behavioural RTL simulation. Running on FPGA. | Closed / commercial source. Most complete implementation of the entropy source. |
Romain Dolbeau / VexRiscv | RV32 | Running on FPGA. | Uses the VexRiscv core as a base. Completely independent implementation from scratch, outside the Crypto TG. |
- We still need a RV64 implementation.
- I (Ben) am working on adding support to a toy core of mine, but I don't have much time to dedicate to this.
- Barry Spinney has offered to do advanced node synthesis runs for open source implementations.
- I (Ben) intend to take him up on this when I get time. No idea when that will be.
ABI Extensions
- None required
- (project name/link)
- (extensions verified)
- level of verification achieved (behavioral RTL/simulation, synthesized RTL/area-&-timing, actual silicon, etc.)
RV64