In this paper, we implement Ascon-p as an instruction extension for RISC-V that is tightly coupled to the processor's register file and thus does not require any dedicated registers. This single instruction allows us to realize, with high performance, all cryptographic computations that typically occur on embedded devices. More concretely, with ISAP and Ascon's family of modes for AEAD and hashing, we can perform cryptographic computations at about 2 cycles/byte, or about 4 cycles/byte if protection against fault attacks and power analysis is desired.
As we show, our instruction extension requires only 4.7 kGE, about half the area of dedicated Ascon co-processor designs, and is easy to integrate into low-end embedded devices such as 32-bit ARM Cortex-M or RISC-V microprocessors. Finally, we analyze the implementation security that ISAP provides when it is implemented using our instruction extension.
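The permutation that the instruction extension accelerates is Ascon-p (Ascon v1.2): a 320-bit state held in five 64-bit words, transformed by rounds of constant addition, a bitsliced 5-bit S-box, and a linear diffusion layer, with p^12, p^8 and p^6 differing only in how many of the twelve round constants they consume. The following plain-C reference is an added example, not code from the paper or from the Ascon project; it shows the computation that any Ascon-p instruction must reproduce bit-for-bit, which is also what a software baseline looks like when the paper's cycles/byte figures are compared against it. How many rounds one instruction executes and how the round constant is supplied are the paper's design decisions and are not modelled here. The self-check uses a published value: the Ascon-Hash initial state, which is p^12 applied to the IV word 0x00400c0000000100 with the other four words zero, as precomputed in the Ascon reference implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* Ascon-p state: 320 bits as five 64-bit words x0..x4. */
typedef struct { uint64_t x[5]; } ascon_state_t;

static inline uint64_t ror64(uint64_t v, unsigned n) {
    return (v >> n) | (v << (64 - n));
}

/* One Ascon-p round: p_C (constant addition), p_S (S-box layer), p_L (linear layer). */
static void ascon_round(ascon_state_t *s, uint8_t c) {
    uint64_t x0 = s->x[0], x1 = s->x[1], x2 = s->x[2], x3 = s->x[3], x4 = s->x[4];
    uint64_t t0, t1, t2, t3, t4;

    /* p_C: the 8-bit round constant is XORed into the low byte of x2 */
    x2 ^= c;

    /* p_S: 5-bit S-box evaluated bitsliced, i.e. on all 64 columns at once;
       this is why the S-box costs a handful of word operations, not 64 lookups */
    x0 ^= x4; x4 ^= x3; x2 ^= x1;
    t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3; t3 = ~x3 & x4; t4 = ~x4 & x0;
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0;
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2;

    /* p_L: each word is XORed with two rotated copies of itself */
    x0 ^= ror64(x0, 19) ^ ror64(x0, 28);
    x1 ^= ror64(x1, 61) ^ ror64(x1, 39);
    x2 ^= ror64(x2,  1) ^ ror64(x2,  6);
    x3 ^= ror64(x3, 10) ^ ror64(x3, 17);
    x4 ^= ror64(x4,  7) ^ ror64(x4, 41);

    s->x[0] = x0; s->x[1] = x1; s->x[2] = x2; s->x[3] = x3; s->x[4] = x4;
}

/* Ascon-p^rounds for rounds in {6, 8, 12}: the reduced-round variants use the
   LAST `rounds` constants of the 12-entry schedule, so p^6 starts at 0x96. */
void ascon_permute(ascon_state_t *s, unsigned rounds) {
    static const uint8_t rc[12] = { 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5,
                                    0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b };
    if (rounds > 12) rounds = 12;
    for (unsigned i = 12 - rounds; i < 12; i++)
        ascon_round(s, rc[i]);
}

/* Self-check: Ascon-Hash's initial state is p^12 of (IV, 0, 0, 0, 0) with
   IV = 0x00400c0000000100; the reference implementation ships the result as
   a precomputed constant, which we compare against here. Returns 1 on match. */
int ascon_selfcheck(void) {
    static const uint64_t expect[5] = {
        0xee9398aadb67f03dULL, 0x8bb21831c60f1002ULL, 0xb48a92db98d5da62ULL,
        0x43189921b8f8e3e8ULL, 0x348fa5c9d525e140ULL };
    ascon_state_t s = {{ 0x00400c0000000100ULL, 0, 0, 0, 0 }};
    ascon_permute(&s, 12);
    for (int i = 0; i < 5; i++)
        if (s.x[i] != expect[i]) return 0;
    return 1;
}

int main(void) {
    printf("Ascon-p^12 self-check: %s\n", ascon_selfcheck() ? "ok" : "MISMATCH");
    return ascon_selfcheck() ? 0 : 1;
}
```

Every operation in `ascon_round` is a 64-bit XOR, AND, NOT or rotate on five words, which is exactly the shape that lends itself to a register-file-coupled instruction: the whole state fits in a few general-purpose registers and no dedicated state registers are needed. A 32-bit core without such an instruction has to split each word into two halves, roughly doubling the instruction count per round.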
Category / Keywords: implementation / authenticated encryption, ascon, isap, hardware acceleration, risc-v, ri5cy, cv32e40p, side-channels, fault attacks, leakage resilience
Original Publication (with minor differences): CARDIS 2020
Date: received 8 Sep 2020, last revised 2 Oct 2020
Contact author: stefan steinegger at iaik tugraz at, robert primas at iaik tugraz at
Version: 20201002:090722
Short URL: ia.cr/2020/1083