Scalar Cryptography v1.0.0-rc1

NOTE: This release has been superseded by v1.0.0-rc4

This is the public review release of the scalar cryptography extensions to RISC-V. The public review period will be announced on the RISC-V isa-dev mailing list, and run for 45 days from that announcement. Note that the appearance of this release on Github does not indicate the start of the public review period.

To respond to the public review, please either email comments to the public isa-dev mailing list or add issues and/or pull requests (PRs) to the Crypto GitHub repo. We welcome all input and appreciate your time and effort in helping us by reviewing the specification.

During the public review period, corrections, comments, and suggestions, will be gathered for review by the Cryptography task group. Any minor corrections and/or uncontroversial changes will be incorporated into the specification. Any remaining issues or proposed changes will be addressed in the public review summary report. If there are no issues that require incompatible changes to the public review specification, the unprivileged ISA committee will recommend the updated specifications be approved and ratified by the RISC-V Technical Steering Committee and the RISC-V Board of Directors.

We, the RISC-V Cryptography Task Group, would like to sincerely thank everyone taking part in the public review, and who has contributed to our specification so far.

v0.9.4-scalar

This release contains all updates relating to feedback from our architectural review. The original feedback can be found on the Scalar Cryptography extension status page here under "Architecture & Opcode consistency review".

Decisions Taken:

• Stop overlapping the aes32* and aes64* opcodes.

Changes:

• The aes32* opcodes have changed.

• All scalar crypto specific instructions which produce 32-bit results now sign-extend them to XLEN bits where relevant. Previously they were zero extended.

• The misa.K bit is no longer used to identify the scalar cryptography extension. Feature detection of scalar cryptography extensions will be done using the work-in-progress discovery mechanisms for RISC-V.

• The Entropy source section has been re-organised to move all non-normative text to an appendix. Functional changes to the normative part of the spec include:

  • The encodings for ES16 and WAIT states have changed.

  • How BIST is reported due to a non-fatal statistical alarm has been changed to allow software to record the events, without them happening silently. This was always a recommendation, but was made more explicit and moved to the normative part of the spec.

• Various misc changes to make the specification clearer / easier to read etc.

Additions:

• None

Removals:

• The mnoise CSR is now only provided as an example mechanism to vendors in the appendix, it is not required by the specification.

Open Issues:

See the status of the open issues in the project board.

v0.9.3-scalar

This release contains multiple clean-ups and fixes from the previous release, some of which are hangovers from the change to Asciidoc. There are no intended functional changes, additions or removals; only clarifications. See the status of the whole Scalar Cryptography extension here

Decisions Taken:

• None

Changes:

• Missing descriptions of the Bitmanip instructions used by the scalar crypto spec are now included directly in the specification. This mostly addresses the concern about empty links raised in #92, and the confusion raised by the previous releases..
  • We now have complete descriptions of Zbkb, Zkbc and Zbkx in our specification. These descriptions will also make their way to the Bitmanip specification (see riscv/riscv-bitmanip#134) in time, but have been included in the Scalar crypto spec as well because 1) they are directly relevant and 2) so that the specifications can exist somewhere while the first Bitmanip ratification package (which doesn't include some of the scalar crypto used instructions) is iterated on.
  • The Zbkb, Zkbc and Zbkx chapters have an explicit note stating their relationship to the first Bitmanip ratification package.
  • The Sail code for these instructions is not yet executable, but it is hopefully clear enough to be a good implementation guide. Fixes or clearer ways of expressing their functionality will be added in subsequent releases. Their functionality has not changed, so if you suspect a bug please raise an issue.
  • Note that not all intra/inter-document links are fixed. This won't happen until the spec is integrated into the wider RISC-V ISA specification.
• Fixed #94 - A bunch of typos relating to aes64dsm and aes64ds. Present since the initial move to Asciidoc in v0.9.1.
• Fixed #95 - Clarified bits of the aes64ks1i encoding. This was from a tool bug in Wavedrom which didn't render bitfields with all zeros correctly, since fixed.
• Fixed #97 - Valid values of the aes64ks1i rnum immediate had been lost in the Asciidoc translation.
• Fixed #98 - Clarified some confusion about removed instructions in a previous release (packu* and rev8.w).
• Fixed #99 - Illegal Opcode Exception -> Illegal Instruction Exception.
• Fixed #100 - Clarified mseccfg CSR inclusion conditions and added a pointer to the enhanced PMP spec which originally proposed this CSR.

Additions:

• None

Removals:

• None

Open Issues:

See the status of the open issues in the project board.

v0.9.2-scalar

This release contains multiple functional changes, some of which have been pending for a long time. See the status of the whole Scalar Cryptography extension here

Decisions Taken:

• None

Changes:

• The aes32* and sm4* instruction encodings have been changed back to regular R-type instructions.
• The aes64ks1 rcon immediate has been renamed to rnum. See #82
• The Instruction Extensions list has been changed: the ZKb group has been renamed and split into three.
  • Zbkx - The xperm.* instructions.
  • Zbkc - The Carry-less multiply instructions
  • Zbkb - All other bitmanip instructions currently in ZKb.
  • These extensions are described in this specification, and are making their way into the Bitmanip specificaiton as well. See this pull request for more. It is expected that they will be part of the Bitmanip ratification package, and simply pointed to by the scalar cryptography extension.
• Per some preliminary recommendations from the architectural consistency review:
  • packu[w] will be dropped as it is not needed for our use case of packing bytes into words.
  • rev8.w will be dropped in favour of rev8;srai
• The Entropy source has been updated to give optional access in Supervisor mode, and making it work with the Hypervisor extension.
• The Zkt extension for data independent execution latency has been updated with a complete list of instructions.

Additions:

• None

Removals:

• The packu[w] and rev8.w instructions have been removed from their relevant extensions as unnecessary / unjustified.

Open Issues:

See the status of the open issues in the project board.

v0.9.1-scalar

This release is an entirely non-functional one. It is simply a change management release to allow people to get used to the new AsciiDoc version of the specification. See the status of the whole Scalar Cryptography extension here

Decisions Taken:

• None

Changes:

• The entire specification has been translated from LaTeX into AsciiDoc.
• This has meant a large re-organisation of the content. Much explanatory or supplementary information has been dropped or moved to appendices.
• There are no functional changes.
  • If you spot one, that is a bug. Please raise it with the task group via a Github issue.
• People are strongly encouraged to re-read the specification and check it matches their expectations.

Additions:

• None

Removals:

• None

Pending Changes:

The following functional changes will be present in the next version of the specificaiton, v0.9.2. Note this is the expectation at the time of writing. It may change slightly. Note also we may need a v0.9.3 release to get all of the changes in.

• The aes32* and sm4* instruction encodings will be changed back to regular R-type instructions.
• The aes64ks1 rcon immediate will be renamed to rnum.
• The Instruction Extensions list will be changed:
  • The ZKb group will be renamed and split into three.
  • Zbkx - The xperm.* instructions.
  • Zbkc - The Carry-less multiply instructions
  • Zbkb - All other bitmanip instructions currently in ZKb.
• Per some preliminary recommendations from the architectural consistency review:
  • packu[h] will be dropped as it is not needed for our use case of packing bytes into words.
  • rev8.w will be dropped in favour of rev8;srai
• There will be some changes to the Entropy source around giving access to it in Supervisor mode, and making it work with the Hypervisor extension.

Open Issues:

See the status of the open issues in the project board.

v0.9.0-scalar

This release includes mostly non-functional changes and fixes since v0.8.1. It is a stepping stone release onto v1.0 and ratification. It is expected there will be one point release (0.9.x) with editorial and consistency improvements before then. See the status of the whole Scalar Cryptography extension here

Decisions Taken:

• The gorci instruction has been removed. See #73.

Changes:

• Fixed the ShangMi instruction groupings. See d0ae602.
• Fix table 2 [un]shfli labels. See 4a03217.
• Misc typo fixes.

Additions:

• Better documentation around Sail:
  • Added a short section to the introduction around how to read the Sail specifications.
  • Added auxiliary code for the Sail specifications to the appendix.

Removals:

• #73 - gorci instruction removed.

Open Issues:

See the status of the open issues in the project board.

v0.8.1-scalar

Decisions Taken:

• Following feedback (#65) and discussion at the Dec 17th 2020 TG meeting, the encoding scheme for the SM4 and RV32 AES instructions has been updated.

Changes:

• Changed how the SM4 and RV32 instructions are encoded.
  • Formerly, we required rd==rs1 to reclaim some encoding space, given that these instructions are designed to be used this way.
  • Now, we require implementations to source rd from the rs1 field, and the rd field is now re-used as normal encoding space.
  • We hope this paves the way for a more standardised "destructive" encoding format for RISC-V.
  • More rationale for this decision is found in Appendix A.1 of the specification.
  • Binutils, Spike, SAIL and the benchmarks have been updated to reflect this change. This includes a small assembly syntax change:
    • aes* rd, rs1, rs2, bs is now aes* rt, rs2, bs.
    • sm4* rd, rs1, rs2, bs is now sm4* rt, rs2, bs.
• Updated the Entropy Source diagram (See bcdcb31).

Additions:

• None

Removals:

• None

Open Issues:

See the status of the open issues in the project board.

v0.8.0-scalar

Decisions Taken:

• We are aiming to be declared stable by the end of 2020 or very early Q1'2021.
  • To this end, we are creating this release with proposed opcodes/encodings and mnemonics, subject to approval by the unpriv committee.
  • These encodings etc are subject to improvement, but stable enough for people to start implementing with.
• We are aiming for Freeze and Public Review by the end of Q1'2021.

Changes:

• Moved experimental encodings from the custom major opcode space into the OP and OP-IMM spaces.
  • These encodings are till subject to approval and improvement.
  • The Spike and Binutils patches have been synced with these new opcodes, meaning the benchmarks can all still be run. The SAIL patches will be updated shortly.
• Clarified WFI instruction behaviour with the entropy source extension in a virtualised environment. See commit 1404291
• Per the RISC-V Github repository policy:
  • The specification document is now explicitly covered by the CC-BY-4.0 license.

Additions:

• Rationale for developing the encodings has been added. See Appendix A of the specification document.

Removals:

• None

Open Issues:

See the status of the open issues in the project board.

v0.7.2-scalar

Decisions Taken:

• #58 Finalised the feature groups and moved them from working spreadsheet into the specification - Section 2.
• #64 Agreed on hint for instruction latency / constant time requirements - Section 3.6.
• #63 Removed register-register versions of grev,gorc,shfl,unshfl due to lack of use-case.

Changes:

• Section 3.1.2 now explicitly lists which pseudo-instructions and immediate values relating to grevi, gorci, shfli and unshfli are required, rather than appearing to require the whole instruction. This is a long overdue change reflecting common consensus at the meetings, but until now not codified in the specification.
• Moved constant-time requirements regarding clmul[h] into the new dedicated Section 3.6.
• #61, #62 More explanations around the Entropy Source section following meetings with BSI. These are non-functional changes.

Additions:

• A hint based on source register addresses to encode whether integer and carry-less multiply instructions must execute in constant time. Section 3.6.
• Details of the instruction feature sets. Section 2.

Removals:

• grev,gorc,shfl,unshfl due to lack of use-case. Specific immediate variants are still used. The instructions remain in the Bitmanip extension.

Open Issues:

See the status of the open issues in the project board. The most pressing issues for the scalar specification are:

• #16 Instruction Encodings.

v0.7.1-scalar

Decisions Taken:

• #55 The pollentropy instruction has been changed into a CSR, with mentropy the new CSR name and pollentropy a psuedo-instruction.
• #57 We now only require clmul and clmulh for RV32 and RV64 from bitmanip.
• All of the pending "feature groups" issues have been closed and are now tracked in Jira. These will be approved by the unprivileged standing committee and hopefully merged into the next specification release. A single placeholder issue (#58) remains to track this in the Github repo.
• Note: Because the scalar and vector specifications have been separated, this release is tagged as v0.7.1-scalar, rather than just v0.7.1. The most recent vector spec release remains v0.7.0. In future, all releases will be suffixed with -scalar or -vector depending on which volume of the specification they refer to.

Changes:

• See section 4 of the scalar spec for changes to the pollentropy interface.

Additions:

• A getnoise interface has been added to the Entropy Source section. This is an interface for vendors to use when validating their entropy source. See section 4.5.

Removals:

• Per #57, the clmulr, clmulw, clmulhw, clmulrw instructions are no longer included from Bitmanip in the Scalar cryptography specification.

Open Issues:

See the status of the open issues in the project board. The most pressing issues for the scalar specification are:

• #16 Instruction Encodings.
• #58 Scalar feature groups.