[libre-riscv-dev] [Bug 96] New: Add AES, SHA1, SHA256, and SHA3 instructions

bugzilla-daemon at libre-riscv.org
Wed Jun 12 20:49:44 BST 2019


http://bugs.libre-riscv.org/show_bug.cgi?id=96

            Bug ID: 96
           Summary: Add AES, SHA1, SHA256, and SHA3 instructions
           Product: Libre Shakti M-Class
           Version: unspecified
          Hardware: Other
                OS: All
            Status: CONFIRMED
          Severity: enhancement
          Priority: ---
         Component: Specification
          Assignee: lkcl at lkcl.net
          Reporter: programmerjake at gmail.com
                CC: libre-riscv-dev at lists.libre-riscv.org
   NLnet milestone: ---

I think it would be a good idea to add instructions to accelerate cryptographic
primitives.

We would specifically NOT design them to be resistant to power/EMI attacks,
since those aren't typically visible over a network and because they take a lot
of time and effort to design properly.
They would be resistant to timing attacks, since those are much easier to
design for and are exploitable over the network.

They wouldn't be intended as much for cryptography as for things like git,
cryptocurrency mining (see Monero's new RandomX algorithm) and BTRFS.

The main reason to implement special instructions is to accelerate the crypto
instructions and because implementing S-box based primitives (such as AES)
introduces timing issues when using software because of part of the lookup
table not being in the cache.

If resistance to power/EMI attacks is required, users would still have to use
other HW.
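
The cache-timing issue with S-box lookups mentioned in this report, as an added example that is not part of the original message or of the Libre-RISCV project: a software AES S-box indexed by a secret byte, beside a constant-time variant that reads the whole table. The function names are hypothetical, and the table is computed from the AES definition rather than embedded.

```c
#include <stdint.h>
#include <stdio.h>

static uint8_t sbox[256];   /* AES S-box, filled in by sbox_init() */

/* Branch-free multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1. */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        p ^= (uint8_t)(-(b & 1) & a);
        a = (uint8_t)((a << 1) ^ (-(a >> 7) & 0x1b));
        b >>= 1;
    }
    return p;
}

static uint8_t rotl8(uint8_t x, int n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* S-box entry = affine transform of the field inverse (x^254; 0 maps to 0). */
void sbox_init(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 1;
        for (int i = 0; i < 254; i++) inv = gmul(inv, (uint8_t)x);
        sbox[x] = (uint8_t)(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^
                            rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63);
    }
}

/* Table lookup: the load address depends on the secret byte, so whether that
 * cache line is resident shows up as a timing difference. */
uint8_t sub_lookup(uint8_t secret) { return sbox[secret]; }

/* Constant-time variant: touch all 256 entries and select with a mask. */
uint8_t sub_scan(uint8_t secret) {
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++) {
        /* mask is 0xFF when i == secret and 0x00 otherwise, with no branch */
        uint8_t mask = (uint8_t)(((i ^ secret) - 1u) >> 8);
        out |= sbox[i] & mask;
    }
    return out;
}

int main(void) {
    sbox_init();
    printf("lookup(0x53)=%02x scan(0x53)=%02x\n", sub_lookup(0x53), sub_scan(0x53));
    return 0;
}
```

The scan removes the secret-dependent address at the cost of 256 loads per substituted byte, which is the software overhead a dedicated instruction would avoid.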
