A Fast and Compact RISC-V Accelerator for Ascon and Friends

Stefan Steinegger; Robert Primas

doi:10.1007/978-3-030-68487-7_4

A Fast and Compact RISC-V Accelerator for Ascon and Friends

Stefan Steinegger^*, Robert Primas

^*Corresponding author for this work

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Ascon-p is the core building block of Ascon, the winner in the lightweight category of the CAESAR competition. With Isap, another Ascon-p-based AEAD scheme is currently competing in the 2nd round of the NIST lightweight cryptography standardization project. In contrast to Ascon, Isap focuses on providing hardening/protection against a large class of implementation attacks, such as DPA, DFA, SFA, and SIFA, entirely on mode-level. Consequently, Ascon-p

can be used to realize a wide range of cryptographic computations such as authenticated encryption, hashing, pseudorandom number generation, with or without the need for implementation security, which makes it the perfect choice for lightweight cryptography on embedded devices.

In this paper, we implement Ascon-p

as an instruction extension for RISC-V that is tightly coupled to the processors register file and thus does not require any dedicated registers. This single instruction allows us to realize all cryptographic computations that typically occur on embedded devices with high performance. More concretely, with Isap and Ascon’s family of modes for AEAD and hashing, we can perform cryptographic computations with a performance of about 2 cycles/byte, or about 4 cycles/byte if protection against fault attacks and power analysis is desired.

As we show, our instruction extension requires only 4.7 kGE, or about half the area of dedicated Ascon co-processor designs, and is easy to integrate into low-end embedded devices like 32-bit ARM Cortex-M or RISC-V microprocessors. Finally, we analyze the provided implementation security of Isap, when implemented using our instruction extension.

Original language	English
Title of host publication	Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers
Subtitle of host publication	19th International Conference, CARDIS 2020, Virtual Event, November 18–19, 2020, Revised Selected Papers
Editors	Pierre-Yvan Liardet, Nele Mentens
Place of Publication	Cham
Publisher	Springer
Pages	53-67
Number of pages	15
ISBN (Print)	978-3-030-68486-0
DOIs	https://doi.org/10.1007/978-3-030-68487-7_4
Publication status	Published - 1 Jan 2021
Event	CARDIS 2020: 19th Smart Card Research and Advanced Application Conference - Virtuell, Germany Duration: 18 Nov 2020 → 19 Nov 2020 https://cardis2020.its.uni-luebeck.de/

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12609 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	CARDIS 2020
Abbreviated title	CARDIS
Country/Territory	Germany
City	Virtuell
Period	18/11/20 → 19/11/20
Internet address	https://cardis2020.its.uni-luebeck.de/

Keywords

Ascon
Authenticated encryption
CV32E40P
Fault attacks
Hardware acceleration
Isap
Leakage resilience
RI5CY
RISC-V
Side-channels

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-68487-7_4

Cite this

Steinegger, S., & Primas, R. (2021). A Fast and Compact RISC-V Accelerator for Ascon and Friends. In P.-Y. Liardet, & N. Mentens (Eds.), Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers: 19th International Conference, CARDIS 2020, Virtual Event, November 18–19, 2020, Revised Selected Papers (pp. 53-67). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12609 LNCS). Springer. https://doi.org/10.1007/978-3-030-68487-7_4

A Fast and Compact RISC-V Accelerator for Ascon and Friends. / Steinegger, Stefan; Primas, Robert.
Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers: 19th International Conference, CARDIS 2020, Virtual Event, November 18–19, 2020, Revised Selected Papers. ed. / Pierre-Yvan Liardet; Nele Mentens. Cham: Springer, 2021. p. 53-67 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12609 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Steinegger, S & Primas, R 2021, A Fast and Compact RISC-V Accelerator for Ascon and Friends. in P-Y Liardet & N Mentens (eds), Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers: 19th International Conference, CARDIS 2020, Virtual Event, November 18–19, 2020, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12609 LNCS, Springer, Cham, pp. 53-67, CARDIS 2020, Virtuell, Germany, 18/11/20. https://doi.org/10.1007/978-3-030-68487-7_4

Steinegger S, Primas R. A Fast and Compact RISC-V Accelerator for Ascon and Friends. In Liardet PY, Mentens N, editors, Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers: 19th International Conference, CARDIS 2020, Virtual Event, November 18–19, 2020, Revised Selected Papers. Cham: Springer. 2021. p. 53-67. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-68487-7_4

Steinegger, Stefan ; Primas, Robert. / A Fast and Compact RISC-V Accelerator for Ascon and Friends. Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers: 19th International Conference, CARDIS 2020, Virtual Event, November 18–19, 2020, Revised Selected Papers. editor / Pierre-Yvan Liardet ; Nele Mentens. Cham : Springer, 2021. pp. 53-67 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{b097f8ce287c46afba4723b802e0fd18,

title = "A Fast and Compact RISC-V Accelerator for Ascon and Friends",

abstract = "Ascon-p is the core building block of Ascon, the winner in the lightweight category of the CAESAR competition. With Isap, another Ascon-p-based AEAD scheme is currently competing in the 2nd round of the NIST lightweight cryptography standardization project. In contrast to Ascon, Isap focuses on providing hardening/protection against a large class of implementation attacks, such as DPA, DFA, SFA, and SIFA, entirely on mode-level. Consequently, Ascon-pcan be used to realize a wide range of cryptographic computations such as authenticated encryption, hashing, pseudorandom number generation, with or without the need for implementation security, which makes it the perfect choice for lightweight cryptography on embedded devices.In this paper, we implement Ascon-pas an instruction extension for RISC-V that is tightly coupled to the processors register file and thus does not require any dedicated registers. This single instruction allows us to realize all cryptographic computations that typically occur on embedded devices with high performance. More concretely, with Isap and Ascon{\textquoteright}s family of modes for AEAD and hashing, we can perform cryptographic computations with a performance of about 2 cycles/byte, or about 4 cycles/byte if protection against fault attacks and power analysis is desired.As we show, our instruction extension requires only 4.7 kGE, or about half the area of dedicated Ascon co-processor designs, and is easy to integrate into low-end embedded devices like 32-bit ARM Cortex-M or RISC-V microprocessors. Finally, we analyze the provided implementation security of Isap, when implemented using our instruction extension.",

keywords = "Ascon, Authenticated encryption, CV32E40P, Fault attacks, Hardware acceleration, Isap, Leakage resilience, RI5CY, RISC-V, Side-channels",

author = "Stefan Steinegger and Robert Primas",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; CARDIS 2020 : 19th Smart Card Research and Advanced Application Conference , CARDIS ; Conference date: 18-11-2020 Through 19-11-2020",

year = "2021",

month = jan,

day = "1",

doi = "10.1007/978-3-030-68487-7_4",

language = "English",

isbn = "978-3-030-68486-0",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "53--67",

editor = "Pierre-Yvan Liardet and Nele Mentens",

booktitle = "Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers",

url = "https://cardis2020.its.uni-luebeck.de/",

}

TY - GEN

T1 - A Fast and Compact RISC-V Accelerator for Ascon and Friends

AU - Steinegger, Stefan

AU - Primas, Robert

PY - 2021/1/1

Y1 - 2021/1/1

N2 - Ascon-p is the core building block of Ascon, the winner in the lightweight category of the CAESAR competition. With Isap, another Ascon-p-based AEAD scheme is currently competing in the 2nd round of the NIST lightweight cryptography standardization project. In contrast to Ascon, Isap focuses on providing hardening/protection against a large class of implementation attacks, such as DPA, DFA, SFA, and SIFA, entirely on mode-level. Consequently, Ascon-pcan be used to realize a wide range of cryptographic computations such as authenticated encryption, hashing, pseudorandom number generation, with or without the need for implementation security, which makes it the perfect choice for lightweight cryptography on embedded devices.In this paper, we implement Ascon-pas an instruction extension for RISC-V that is tightly coupled to the processors register file and thus does not require any dedicated registers. This single instruction allows us to realize all cryptographic computations that typically occur on embedded devices with high performance. More concretely, with Isap and Ascon’s family of modes for AEAD and hashing, we can perform cryptographic computations with a performance of about 2 cycles/byte, or about 4 cycles/byte if protection against fault attacks and power analysis is desired.As we show, our instruction extension requires only 4.7 kGE, or about half the area of dedicated Ascon co-processor designs, and is easy to integrate into low-end embedded devices like 32-bit ARM Cortex-M or RISC-V microprocessors. Finally, we analyze the provided implementation security of Isap, when implemented using our instruction extension.

AB - Ascon-p is the core building block of Ascon, the winner in the lightweight category of the CAESAR competition. With Isap, another Ascon-p-based AEAD scheme is currently competing in the 2nd round of the NIST lightweight cryptography standardization project. In contrast to Ascon, Isap focuses on providing hardening/protection against a large class of implementation attacks, such as DPA, DFA, SFA, and SIFA, entirely on mode-level. Consequently, Ascon-pcan be used to realize a wide range of cryptographic computations such as authenticated encryption, hashing, pseudorandom number generation, with or without the need for implementation security, which makes it the perfect choice for lightweight cryptography on embedded devices.In this paper, we implement Ascon-pas an instruction extension for RISC-V that is tightly coupled to the processors register file and thus does not require any dedicated registers. This single instruction allows us to realize all cryptographic computations that typically occur on embedded devices with high performance. More concretely, with Isap and Ascon’s family of modes for AEAD and hashing, we can perform cryptographic computations with a performance of about 2 cycles/byte, or about 4 cycles/byte if protection against fault attacks and power analysis is desired.As we show, our instruction extension requires only 4.7 kGE, or about half the area of dedicated Ascon co-processor designs, and is easy to integrate into low-end embedded devices like 32-bit ARM Cortex-M or RISC-V microprocessors. Finally, we analyze the provided implementation security of Isap, when implemented using our instruction extension.

KW - Ascon

KW - Authenticated encryption

KW - CV32E40P

KW - Fault attacks

KW - Hardware acceleration

KW - Isap

KW - Leakage resilience

KW - RI5CY

KW - RISC-V

KW - Side-channels

UR - http://www.scopus.com/inward/record.url?scp=85101859866&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-68487-7_4

DO - 10.1007/978-3-030-68487-7_4

M3 - Conference paper

SN - 978-3-030-68486-0

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 53

EP - 67

BT - Smart Card Research and Advanced Applications - 19th International Conference, CARDIS 2020, Revised Selected Papers

A2 - Liardet, Pierre-Yvan

A2 - Mentens, Nele

PB - Springer

CY - Cham

T2 - CARDIS 2020

Y2 - 18 November 2020 through 19 November 2020

ER -

A Fast and Compact RISC-V Accelerator for Ascon and Friends

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Espresso - Scalable hardware-secured authentication and personalization of intelligent sensor nodes

EU - SOPHIA - Securing Software against Physical Attacks

Cite this

A Fast and Compact RISC-V Accelerator for Ascon and Friends

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Projects

Espresso - Scalable hardware-secured authentication and personalization of intelligent sensor nodes

EU - SOPHIA - Securing Software against Physical Attacks

Cite this