# Symmetric Cryptography on RISC-V: Performance Evaluation of Standardized Algorithms

## Abstract

## 1. Introduction

#### 1.1. Previous and Related Work

#### 1.2. Objectives

## 2. Materials and Methods

## 3. Cryptographic Algorithms

## 4. Software Implementations

#### 4.1. Software Implementation of AES

#### 4.2. Software Implementation of Seed

#### 4.3. Software Implementation of CAMELLIA

#### 4.4. Software Implementation of CAST

#### 4.5. Software Implementation of SHA-256 and SHA-512

#### 4.6. Software Implementation of TDEA

#### 4.7. Software Implementation of MISTY1

**Algorithm 1.** MISTY1 key scheduling.

```
Data: 128-bit main key (K)
Result: Array of 16-bit round keys

for i = 0 to 7 {
    EK[i] = K[i×2]×256 XOR K[i×2 + 1];
}
for i = 0 to 7 {
    EK[i + 8]  = FI(EK[i], EK[(i + 1)%8]);
    EK[i + 16] = EK[i + 8] & 0x1ff;
    EK[i + 24] = EK[i + 8] >> 9;
}
```

#### 4.8. Software Implementation of HIGHT

**Algorithm 2.** HIGHT key scheduling (⊞ denotes addition modulo 2^8).

```
Data: s0 = 0, s1 = 1, s2 = 0, s3 = 1, s4 = 1, s5 = 0, s6 = 1
      d0 = s6 || s5 || s4 || s3 || s2 || s1 || s0
Result: Subkey array SK

for i = 1 to 127 {
    s(i + 6) = s(i + 2) ⊕ s(i − 1)
    di = s(i + 6) || s(i + 5) || s(i + 4) || s(i + 3) || s(i + 2) || s(i + 1) || si
}
for i = 0 to 7 {
    for j = 0 to 7 {
        SK(16×i + j) = K(j − i mod 8) ⊞ d(16×i + j)
    }
    for j = 0 to 7 {
        SK(16×i + j + 8) = K((j − i mod 8) + 8) ⊞ d(16×i + j + 8)
    }
}
```
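The key schedule of Algorithm 2 in C, as an added example that is not code from the paper: it generates the constants with the shift form of the recurrence and handles the (j − i) mod 8 index, which C's `%` would make negative for j < i. The function names and `SAMPLE_KEY` are assumptions made for this illustration, and the key is a constructed value, not a published test vector.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample key for illustration: K[i] = i. */
static const uint8_t SAMPLE_KEY[16] = {0, 1, 2, 3, 4, 5, 6, 7,
                                       8, 9, 10, 11, 12, 13, 14, 15};

/* Fill d[0..127] with the 7-bit constants of Algorithm 2.
 * d_i = s_{i+6} || ... || s_i, so d_i is d_{i-1} shifted right by one bit
 * with the new bit s_{i+6} = s_{i+2} XOR s_{i-1} (bits 3 and 0 of d_{i-1})
 * placed in bit 6. */
void hight_delta(uint8_t d[128])
{
    d[0] = 0x5A; /* s6..s0 = 1011010 */
    for (int i = 1; i < 128; i++) {
        uint8_t nb = (uint8_t)(((d[i - 1] >> 3) ^ d[i - 1]) & 1);
        d[i] = (uint8_t)((d[i - 1] >> 1) | (nb << 6));
    }
}

/* Expand the 128-bit key K into the 128 subkey bytes SK. */
void hight_key_schedule(const uint8_t K[16], uint8_t SK[128])
{
    uint8_t d[128];
    hight_delta(d);
    for (int i = 0; i < 8; i++) {
        for (int j = 0; j < 8; j++) {
            /* (j - i) % 8 is negative in C when j < i; adding 8 before
             * masking gives the mathematical (j - i) mod 8. */
            int k = (j - i + 8) & 7;
            /* The uint8_t casts make both additions wrap modulo 2^8. */
            SK[16 * i + j]     = (uint8_t)(K[k] + d[16 * i + j]);
            SK[16 * i + j + 8] = (uint8_t)(K[k + 8] + d[16 * i + j + 8]);
        }
    }
}

/* Accessors so single values can be checked without handling arrays. */
uint8_t hight_delta_at(int i)
{
    uint8_t d[128];
    hight_delta(d);
    return d[i];
}

uint8_t hight_subkey_at(const uint8_t K[16], int idx)
{
    uint8_t SK[128];
    hight_key_schedule(K, SK);
    return SK[idx];
}

int main(void)
{
    for (int i = 0; i < 16; i++)
        printf("SK[%2d] = 0x%02X\n", i, hight_subkey_at(SAMPLE_KEY, i));
    return 0;
}
```

Because the recurrence has period 127, the last constant d127 equals d0, which gives a quick self-check for a table-free implementation.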

#### 4.9. Software Implementation of PRESENT

## 5. Hardware Implementations

1. RISC-V Core
2. Bit Re-positioning Instructions
3. Carry-Less Multiply Instructions
4. Crossbar Permutation Instructions
5. Logic With Negate Instructions
6. Packing Instructions
7. Hash Instructions
8. AES and SM4 Instructions

#### 5.1. Hardware Architecture of Bit Re-Positioning Instructions

#### 5.2. Hardware Architecture of Carry-Less Multiply Instructions

## 6. Hardware Architecture of 32-bit Algorithm Specific Cryptography Instructions

#### 6.1. Hardware Architecture of Hash Instructions

#### 6.2. Hardware Implementation of AES and SM4 Instructions

- Multiplication in GF(${2}^{4}$):

- Square in GF(${2}^{4}$):

- Addition in GF(${2}^{4}$):

- Inverse in GF(${2}^{4}$):

## 7. Results

#### 7.1. Clock Cycle Count

#### 7.2. Program Memory

#### 7.3. Static Memory

#### 7.4. Analysis for Cryptography Instructions

#### 7.5. Proposed New Instruction for SBOX Address Calculation

#### 7.6. Conclusion

- Compared to implementations using only the base rv32i instruction set, implementations with the cryptography set extension provide 1.5× to 8.6× faster execution speed and 1.2× to 5.8× less program memory for five of the eleven algorithms. For the remaining six algorithms, the increase in execution speed and reduction in program memory requirement is less than 6%.
- The hardware crypto implementations have an additional hardware complexity of 0.3% to 7.7% over the software implementations using the rv32i ISA.
- The benefit-cost analysis in Figure 31 graphically shows the acceleration of execution time as a function of the relative hardware cost, summarizing the gains in execution time as a function of the costs in terms of hardware complexity for each algorithm. As one illustration of the benefit vs. cost, we see that for the SHA algorithms, we achieve an acceleration of approximately 1.7× at a hardware cost increase of less than 7.5%.
- Based on our analysis of execution times, we proposed a new instruction to accelerate the memory address calculation operations for the 8-bit input SBOX table, which is dominant in the execution time for four of the eleven algorithms. This new instruction provided a 1.2× to 1.6× faster execution time for the four algorithms with only a 1.1% additional hardware cost, as shown in Figure 35.

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Abbreviations

AES | Advanced Encryption Standard |

SHA | Secure Hash Algorithm |

FPGA | Field Programmable Gate Array |

ISE | Instruction Set Extension |

ISA | Instruction Set Architecture |

HDL | Hardware Description Language |

RTL | Register Transfer Level |

GF | Galois Field |

RISC | Reduced Instruction Set Computer |

PI | Proposed Instruction |

GE | Gate Equivalent |

NC | Not Calculated |

## References

1. History-RISC-V International. Available online: https://riscv.org/about/history/ (accessed on 26 March 2021).
2. Waterman, A.; Lee, Y.; Patterson, D.A.; Asanovic, K. UCB/EECS-2011-62; The RISC-V Instruction Set Manual, Volume I: Base User-Level ISA; EECS Department: Berkeley, CA, USA, 2011; Volume 116.
3. RISC-V INTERNATIONAL. Available online: https://riscv.org/ (accessed on 26 March 2021).
4. The RISC-V Instruction Set Manual Volume I: Unprivileged ISA 2019, volume 1. Available online: https://riscv.org/wp-content/uploads/2019/12/riscv-spec-20191213.pdf (accessed on 3 August 2022).
5. Zeh, A.; Glew, A.; Spinney, B.; Marshall, B.; Page, D.; Atkins, D.; Dockser, K.; Saarinen, M.-J.O.; Menhorn, N.; Deutsch, L.P.; et al. RISC-V Cryptographic Extension Proposals Volume I: Scalar & Entropy Source Instructions Version v1.0.0-rc6. 2021. Available online: https://github.com/riscv/riscv-crypto/releases/tag/v1.0.0-rc6-scalar (accessed on 20 July 2022).
6. Zeh, A.; Glew, A.; Spinney, B.; Marshall, B.; Page, D.; Atkins, D.; Dockser, K.; Saarinen, M.J.O.; Menhorn, N.; Newell, R.; et al. RISC-V Cryptographic Extension Proposals Volume II: Vector Instructions. 2020. Available online: https://github.com/riscv/riscv-crypto/releases/tag/v0.7.0 (accessed on 20 July 2022).
7. RISC-V Bitmanip Extension Document Version 0.94 Draft. Available online: https://github.com/riscv/riscv-bitmanip/blob/main-history/bitmanip-draft.pdf (accessed on 24 July 2022).
8. Pub, N.F. FIPS 197: Advanced Encryption Standard (AES), FIPS PUB 197, US Department of Commerce/NIST, November 2001. 2001. Available online: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf (accessed on 3 August 2022).
9. Dang, Q. Changes in Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard. Cryptologia **2013**, 37, 69–73.
10. Specification of SM3 Cryptographic Hash Function. 2010. Organization of State Commercial Administration of China. Available online: https://www.chinesestandard.net/PDF.aspx/GBT32905-2016 (accessed on 3 August 2022).
11. Diffie, W.; Translators, G.L. SMS4 Encryption Algorithm for Wireless Networks. Cryptology ePrint Archive. Paper 2008/329. 2008. Available online: https://eprint.iacr.org/2008/329 (accessed on 3 August 2022).
12. Zeh, A.; Glew, A.; Spinney, B.; Marshall, B.; Page, D.; Atkins, D.; Dockser, K.; Saarinen, M.J.O.; Menhorn, N.; Newell, R. RISC-V Cryptographic Extension Proposals Volume I: Scalar & Entropy Source Instructions Version 0.7.2. 2021. Available online: https://github.com/riscv/riscv-crypto/releases/tag/v0.7.2-scalar (accessed on 3 August 2022).
13. Saarinen, M.J.O. A Lightweight ISA Extension for AES and SM4. arXiv **2020**, arXiv:2002.07041.
14. Marshall, B.; Newell, G.R.; Page, D.; Saarinen, M.J.O.; Wolf, C. The Design of Scalar AES Instruction Set Extensions for RISC-V. Cryptology ePrint Archive. Paper 2020/930. 2020. Available online: https://eprint.iacr.org/2020/930 (accessed on 3 August 2022).
15. Marshall, B.; Page, D.; Hung Pham, T. A lightweight ISE for ChaCha on RISC-V. In Proceedings of the 2021 IEEE 32nd International Conference on Application-Specific Systems, Architectures and Processors (ASAP), Virtual, 7–9 July 2021; pp. 25–32.
16. Bernstein, D.J. ChaCha, a Variant of Salsa20. In Workshop Record of SASC; University of Illinois: Chicago, IL, USA, 2008; Volume 8, pp. 3–5. Available online: http://cr.yp.to/chacha/chacha-20080120.pdf (accessed on 3 August 2022).
17. Steinegger, S.; Primas, R. A Fast and Compact Accelerator for Ascon and Friends. IACR Cryptol. ePrint Arch. **2020**, 2020, 1083.
18. Fritzmann, T.; Sigl, G.; Sepúlveda, J. RISQ-V: Tightly Coupled RISC-V Accelerators for Post-Quantum Cryptography. IACR Trans. Cryptogr. Hardw. Embed. Syst. **2020**, 2020, 239–280.
19. Wang, W.; Han, J.; Cheng, X.; Zeng, X. An energy-efficient crypto-extension design for RISC-V. Microelectron. J. **2021**, 115, 105165.
20. Stoffelen, K. Efficient Cryptography on the RISC-V Architecture. In Progress in Cryptology–LATINCRYPT 2019; Schwabe, P., Thériault, N., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 323–340.
21. Kuo, Y.M.; Garcia-Herrero, F.; Ruano, O.; Maestro, J.A. RISC-V Galois Field ISA Extension for Non-Binary Error-Correction Codes and Classical and Post-Quantum Cryptography. IEEE Trans. Comput. **2022**.
22. Saraiva, D.A.F.; Leithardt, V.R.Q.; de Paula, D.; Sales Mendes, A.; González, G.V.; Crocker, P. PRISEC: Comparison of Symmetric Key Algorithms for IoT Devices. Sensors **2019**, 19, 4312.
23. Barker, E.; Mouha, N. Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher; NIST Special Publication 800-67 Revision 2; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2017.
24. Matsui, M. New block encryption algorithm MISTY. In Fast Software Encryption; Biham, E., Ed.; Springer: Berlin/Heidelberg, Germany, 1997; pp. 54–68.
25. Adams, C. The CAST-128 Encryption Algorithm. Available online: https://www.ietf.org/rfc/rfc2144.txt (accessed on 3 August 2022).
26. Hong, D.; Sung, J.; Hong, S.; Lim, J.; Lee, S.; Koo, B.S.; Lee, C.; Chang, D.; Lee, J.; Jeong, K.; et al. HIGHT: A New Block Cipher Suitable for Low-Resource Device. In Cryptographic Hardware and Embedded Systems-CHES 2006; Goubin, L., Matsui, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; pp. 46–59. (accessed on 3 August 2022).
27. Bogdanov, A.; Knudsen, L.R.; Leander, G.; Paar, C.; Poschmann, A.; Robshaw, M.J.B.; Seurin, Y.; Vikkelsoe, C. PRESENT: An Ultra-Lightweight Block Cipher. In Cryptographic Hardware and Embedded Systems-CHES 2007; Paillier, P., Verbauwhede, I., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 450–466. (accessed on 24 July 2022).
28. Aoki, K.; Ichikawa, T.; Kanda, M.; Matsui, M.; Moriai, S.; Nakajima, J.; Tokita, T. Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms—Design and Analysis. In Selected Areas in Cryptography; Stinson, D.R., Tavares, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 39–56. (accessed on 20 July 2022).
29. Lee, S.; Yoon, J.; Cheon, D.H.; Lee, J.; Lee, H. The SEED Encryption Algorithm. RFC 4269. 2005. Available online: https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.374.1600 (accessed on 24 July 2022).
30. Dworkin, M. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions; FIPS PUB 202. Federal Information Processing Standards Publication. Information Technology Laboratory National Institute of Standards and Technology: Gaithersburg, MD, USA, 2015. Available online: https://www.nist.gov/publications/sha-3-standard-permutation-based-hash-and-extendable-output-functions (accessed on 3 August 2022).
31. Wolf, C.; Glaser, J.; Kepler, J. Yosys-a free Verilog synthesis suite. In Proceedings of the 21st Austrian Workshop on Microelectronics (Austrochip), Linz, Austria, 10 October 2013.
32. ISO/IEC 18033-3:2010; Information Security—Lightweight Cryptography—Part 3: Block Ciphers. ISO: London, UK, 2010.
33. ISO/IEC 29192-2:2019; Information security—Lightweight Cryptography—Part 2: Block Ciphers. ISO: London, UK, 2019.
34. Daemen, J.; Rijmen, V. AES Proposal: Rijndael 1999. AES Submission Document on Rijndael. Available online: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf (accessed on 3 August 2022).
35. Paar, C. Efficient VLSI Architectures for Bit-Parallel Computation in Galois Fields. PhD Thesis, Institute for Experimental Mathematics, University of Duisburg-Essen, Essen, Germany, 1994.
36. Canright, D. A Very Compact S-Box for AES. In Cryptographic Hardware and Embedded Systems–CHES 2005; Rao, J.R., Sunar, B., Eds.; Springer: Berlin/Heidelberg, Germany, 2005; pp. 441–455.
37. Gueron, S.; Kounavis, M.E. Intel® Carry-Less Multiplication Instruction and Its Usage for Computing the GCM Mode. White Paper, April 2014. Revision 2.02. Available online: https://www.intel.com/content/dam/develop/external/us/en/documents/clmul-wp-rev-2-02-2014-04-20.pdf (accessed on 3 August 2022).
38. RISC-V Cryptography Extensions Standardisation Work. 2022. Available online: https://github.com/riscv/riscv-crypto (accessed on 24 July 2022).

**Figure 35.** Acceleration vs. hardware cost of crypto implementations with new address calculation instruction.

Cipher | Block Size (Bits) | Key Size (Bits) | Comment | Reference |
---|---|---|---|---|
AES | 128 | 128, 192, 256 | ISO/IEC 18033-3:2010, FIPS 197 | [8,32] |
SEED | 128 | 128 | ISO/IEC 18033-3:2010 | [29,32] |
CAMELLIA | 128 | 128, 192, 256 | ISO/IEC 18033-3:2010 | [28,32] |
MISTY1 | 64 | 128 | ISO/IEC 18033-3:2010 | [24,32] |
CAST-128 | 64 | 40 to 128 | ISO/IEC 18033-3:2010 | [25,32] |
HIGHT | 64 | 128 | ISO/IEC 18033-3:2010 | [26,32] |
TDEA | 64 | 112, 168 | ISO/IEC 18033-3:2010 | [23,32] |
PRESENT | 64 | 80, 128 | ISO/IEC 29192-2:2019 | [27,33] |

Function | Output Size (Bits) | State Size (Bits) | Round # | Comment | Reference |
---|---|---|---|---|---|
SHA-256 | 256 | 256 (8 × 32) | 64 | FIPS 180-3 | [9] |
SHA-512 | 512 | 512 (8 × 64) | 80 | FIPS 180-3 | [9] |
SHA3-256 | 256 | 1600 (5 × 5 × 64) | 24 | FIPS 202 | [30] |

Element | Inverse |
---|---|
$y^{0}$ = 1 | 1 |
$y^{1}$ = $y$ | $y^{3}+1$ |
$y^{2}$ = $y^{2}$ | $y^{3}+y^{2}+1$ |
$y^{3}$ = $y^{3}$ | $y^{3}+y^{2}+y+1$ |
$y^{4}$ = $y+1$ | $y^{3}+y^{2}+y$ |
$y^{5}$ = $y^{2}+y$ | $y^{2}+y+1$ |
$y^{6}$ = $y^{3}+y^{2}$ | $y^{3}+y$ |
$y^{7}$ = $y^{3}+y+1$ | $y^{2}+1$ |
$y^{8}$ = $y^{2}+1$ | $y^{3}+y+1$ |
$y^{9}$ = $y^{3}+y$ | $y^{3}+y^{2}$ |
$y^{10}$ = $y^{2}+y+1$ | $y^{2}+y$ |
$y^{11}$ = $y^{3}+y^{2}+y$ | $y+1$ |
$y^{12}$ = $y^{3}+y^{2}+y+1$ | $y^{3}$ |
$y^{13}$ = $y^{3}+y^{2}+1$ | $y^{2}$ |
$y^{14}$ = $y^{3}+1$ | $y$ |
$y^{15}$ = 1 | 1 |

Algorithm | TDEA | MISTY1 | CAST-128 | HIGHT | PRESENT |
---|---|---|---|---|---|
rv32i | 25,041 | 1013 | 2237 | 4528 | 14,102 |
rv32i+crypto | NC | 977 | 2139 | 4400 | 1641 |
Acceleration | NC | 1.037 | 1.046 | 1.029 | 8.607 |

Algorithm | AES | CAMELLIA V1 | CAMELLIA V2 | SEED V1 | SEED V2 |
---|---|---|---|---|---|
rv32i | 1606 | 1861 | 2258 | 2133 | 4533 |
rv32i+crypto | 438 | 1768 | NC | NC | 2854 |
Acceleration | 3.685 | 1.053 | NC | NC | 1.589 |

Algorithm | SHA-256 | SHA-512 | SHA3-256 |
---|---|---|---|
rv32i | 4755 | 13,975 | 25,976 |
rv32i+crypto | 2708 | 8471 | NC |
Acceleration | 1.756 | 1.650 | NC |

Algorithm | V1 (rv32i) | V2 (rv32i) | V2 (rv32i+crypto) |
---|---|---|---|
SBOX Address Calculation | 800 | 800 | 640 |

Operation | V1 (rv32i) | V2 (rv32i) | V1 (rv32i+crypto) |
---|---|---|---|
128-bit Rotate | 132 | 132 | 132 |
32-bit Rotate | 12 | 12 | 4 |
8-bit Rotate | 0 | 396 | 0 |
SBOX Address Calculation | 440 | 440 | 352 |

Operation | rv32i | rv32i+crypto |
---|---|---|
SBOX calculation | 1152 | 1152 |
32-bit Rotate | 64 | 16 |

Operation | rv32i | rv32i+crypto |
---|---|---|
8-bit Rotation | 1408 | 1280 |

Operation | rv32i |
---|---|
Initial Permutation | 152 |
Inverse Initial Permutation | 254 |
SBOX Table Read | 5424 |
E Permutation | 2016 |
P Permutation | 6144 |
Permuted Choice 1 | 399 |
Permuted Choice 2 | 9216 |

Operation | rv32i | rv32i+crypto |
---|---|---|
pLayer | 7936 | 558 |
sBoxLayer | 5766 | 248 |

Algorithm | TDEA | MISTY1 | CAST-128 | HIGHT | PRESENT |
---|---|---|---|---|---|
rv32i | 6680 | 3256 | 3760 | 3028 | 1552 |
rv32i+crypto | NC | 3132 | 3704 | 2996 | 352 |
Reduction | NC | 1.040 | 1.015 | 1.011 | 4.409 |

Algorithm | AES | CAMELLIA V1 | CAMELLIA V2 | SEED V1 | SEED V2 |
---|---|---|---|---|---|
rv32i | 2536 | 7448 | 9032 | 1048 | 2248 |
rv32i+crypto | 436 | 7076 | NC | NC | 1416 |
Reduction | 5.817 | 1.053 | NC | NC | 1.588 |

Algorithm | SHA-256 | SHA-512 | SHA3-256 |
---|---|---|---|
rv32i | 632 | 1392 | 3996 |
rv32i+crypto | 488 | 1088 | NC |
Reduction | 1.295 | 1.279 | NC |

Algorithm | TDEA | MISTY1 | CAST-128 | HIGHT | PRESENT |
---|---|---|---|---|---|
Memory | 256 | 642 | 8192 | 10 | 8 |

Algorithm | AES | CAMELLIA V1 | CAMELLIA V2 | SEED V1 | SEED V2 |
---|---|---|---|---|---|
Memory | 1288 | 1072 | 304 | 4176 | 576 |

Algorithm | SHA-256 | SHA-512 | SHA3-256 |
---|---|---|---|
Memory | 288 | 704 | 188 |

Hardware Module | Area (GE) |
---|---|
RISC-V Core | 19,706 |
Bit Re-positioning Instructions | 766 |
Carry-Less Multiply Instructions | 2248.5 |
Crossbar Permutation Instructions | 756.5 |
Logic With Negate Instructions | 177 |
Packing Instructions | 52 |
Hash Instructions | 2030.5 |
AES and SM4 Instructions | 1437 |

**Table 20.** Cryptography instruction and instruction module extension usage of crypto implementations.

Cryptographic Algorithm | Instruction Usage | Instruction Module Extension |
---|---|---|
AES | aes32esmi, aes32esi | AES and SM4 |
SEED V2 | xperm4, rori | Crossbar Permutation, Bit Re-positioning |
CAMELLIA V1 | xperm4, rol | Crossbar Permutation, Bit Re-positioning |
MISTY1 | pack | Packing |
CAST-128 | pack | Packing |
HIGHT | grev | Bit Re-positioning |
PRESENT | xperm4, unshfli, rori | Crossbar Permutation, Bit Re-positioning |
SHA-256 | SHA-256 Instructions | Hash |
SHA-512 | SHA-512 Instructions | Hash |

SHA-256 | SHA-256 Instructions | Hash |

SHA-512 | SHA-512 Instructions | Hash |

Hardware Module | Area (GE) |
---|---|
Address Calculation Instruction | 220 |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Nişancı, G.; Flikkema, P.G.; Yalçın, T.
Symmetric Cryptography on RISC-V: Performance Evaluation of Standardized Algorithms. *Cryptography* **2022**, *6*, 41.
https://doi.org/10.3390/cryptography6030041
