Acting as a component part of the wider SCARV project, XCrypto is a general-purpose Instruction Set Extension (ISE) for RISC-V that supports software-based cryptographic workloads.
A given cryptographic workload is commonly expected to satisfy a challenging and diverse range of traditional design metrics, including some combination of high-throughput, low-latency, low-footprint, power-efficiency, and high-assurance, while executing in what is potentially an adversarial environment. A large design space of options can be drawn from when developing a concrete implementation: these options span a spectrum, between those entirely based on hardware (e.g., a dedicated IP core) and those entirely based on software. ISEs can be viewed as representing a hybrid option, in the sense they alter a general-purpose processor core with special-purpose hardware and associated instructions; such targeted alterations then help to improve a software-based implementation wrt. some design metric (e.g., latency).
As an ISE, we pitch XCrypto as a solution (vs. the solution) within the wider design space of options. For example, it offers as an alternative to the solution being proposed by the RISC-V cryptography extensions group (see, e.g., their presentation: the design extends the RISC-V vector ISE). The idea is to leverage extensive existing literature and hence experience wrt. cryptographic ISEs (see, e.g., published work at the CHES conference), translating and applying it to RISC-V. Although potentially less performant than alternatives, we expect implementations using XCrypto to be more lightweight and flexible; as a result, we view it as representing an attractive solution in the context of micro-controller class cores.
XCrypto is a non-standard RISC-V extension. Over time, it has evolved along various branches (each identified by an associated major version):
-
The (now abandoned)
0.x.y
branch represents an initial prototype. It can be characterised as deliberately disjoint from the RISC-V base ISA(s), and so, in concept, aligned with implementation as a separate co-processor. -
The (current)
1.x.y
branch represents a refinement of0.x.y
. It can be characterised as taking the functionality from0.x.y
, but integrating inline with vs. alongside the RISC-V base ISA(s), i.e., in the form of a conventional ISA vs. a co-processor.
The long-term goal is to develop the 1.x.y
branch, ultimately
using it as a basis for a standard (i.e., "official") RISC-V
extension proposal.
- Some slides presented at the RISC-V meetup in Bristol, April 2019.
- A poster presented at the RISC-V Workshop in Zurich, June 2019.
Originally this was a monorepo that housed all resources in one place, but, to make them easier to manage, it now acts as a container where each resource is housed in dedicated submodule. Specifically, these include:
scarv/xcrypto-spec
houses the XCrypto specification: this document captures the ISE itself, acting as both a) a design document, and b) a definition of additional architectural state (e.g., register file and CSRs) and instructions (i.e., their semantics and encoding).scarv/xcrypto-ref
houses the a formally verified, area-optimised reference implementation: as well as supporting validation of the ISE, it can be coupled to a RISC-V core such ascliffordwolf/picorv32
to form a functioning, useful instantiation.scarv/xcrypto-rtl
contains re-usable hardware implementations of XCrypto instructions.scarv/libscarv
is a library of cryptographic reference implementations, which includes support for XCrypto.
Various other resources support or relate to XCrypto, but are not submodules per se. Specifically, these include
-
scarv/riscv-tools
is a fork ofriscv/riscv-tools
, including a GCC-based toolchain and ISA simulator; support for XCrypto is added to various components, includingscarv/riscv-opcodes
(e.g., to capture the XCrypto instruction encodings),scarv/riscv-gnu-toolchain
(e.g., to support assembly of XCrypto instructions),scarv/riscv-binutils-gdb
(e.g., to support disassembly of XCrypto instructions),scarv/riscv-isa-sim
(e.g., to support simulation of XCrypto instructions).
Note that our fork updates submodules so they refer to
scarv/riscv-X
where XCrypto-specific changes are made toX
, or toriscv/riscv-X
otherwise.
-
The releases page of each submodule, i.e.,
houses pre-built content: acting as a detailed explanation and specification of XCrypto, the former is an ideal starting point.
-
${REPO_HOME}/src/docker
contains material related to a Docker-based, XCrypto container. It supports containerised use ofmake
, within an environment where the XCrypto toolchain (e.g., XCrypto-enabledriscv32-unknown-elf-gcc
andspike
) are pre-installed; doing so offers a way to quickly experiment with XCrypto in simulation without installing the toolchain, but clearly may not be suitable for use-cases beyond that.-
An example of this approach is supplied in
${REPO_HOME}/src/helloworld
, which relates to a simple "hello world" program; the associated build system is in${REPO_HOME}/src/helloworld/Makefile
. -
The idea is that for any target
X
in theMakefile
, one can also useX-docker
. For example, executingmake all-docker
will
- mount the current working directory, i.e.,
${REPO_HOME}/src/helloworld
as/mnt/scarv/xcrypto
within the container, then - execute
make all
in/mnt/scarv/xcrypto
within the container, as a user whose UID and GID match${USER}
,
and, as such, do the same as executing
make all
except using the containerised toolchain.
- mount the current working directory, i.e.,
-
This work has been supported in part by EPSRC via grant EP/R012288/1, under the RISE programme.