Releases: riscv/riscv-crypto
v0.7.0
Decisions Taken:
- #47 - The specification has now been split into two documents.
  - Volume I - Deals with the scalar and entropy source instructions.
  - Volume II - Deals with the vector instructions.
  - This was done to recognise that the scalar specification is much closer to meeting the definition of done, and has fewer dependencies, than the vector specification. Per the meeting on September 10th 2020, we are aiming to freeze the scalar specification by the end of October 2020.
- #44 - We have updated the xperm instruction borrowed from Bitmanip. We now include the xperm.n and xperm.b variants.
- Based on the September 10th 2020 meeting, we are including the gorc instruction due to its usefulness in implementing generic permutations.
Changes:
- #48 - All instruction name changes have now been implemented.
- #50 - Fixed a decode conflict involving the pollentropy temporary opcode assignment.
Additions:
- The gorc instruction is now included in the borrowed from Bitmanip specification.
- #44 - The xperm.b instruction is also now included in the borrowed from Bitmanip specification.
- Continued progress with SAIL code, not yet inlined into the vector specification document.
Removals:
- None
Open Issues:
See the status of the open issues in the project board.
- #16 - Final Instruction encodings are yet to be assigned.
- Various open issues around "feature groups"
- #49 - Vector extension ELEN requirements - some clarification needed.
  - riscvarchive/riscv-v-spec#566 - related issue raised under the vector spec.
- Sail code for vector SHA2 #23 and AES #24
- Compliance tests for Scalar #27 and Vector #29 instructions.
v0.6.2
- This is a dummy release reflecting that the Github repository location has changed.
  - Previously the repository lived at github.com/scarv/riscv-crypto.
  - Now it lives at github.com/riscv/riscv-crypto.
- All URLs and links in the repository and specification document have been updated to reflect the repository move.
- In all other respects, this release is identical to v0.6.1.
- Re-built versions of the specification can be downloaded below.
v0.6.1
Decisions Taken:
- Added vectorised grev and rotate instructions.
Changes:
- #13 - The lut4 instruction has been moved to the Bitmanip extension, and is now "borrowed" from it. It has been renamed xperm.*
- #20 - Replaced scalar cryptography instruction pseudo-code with SAIL formal model code snippets.
- Miscellaneous typo and code fixes.
  - Fix example RTL implementations of ssm3 and ssha512 instructions.
  - Fix Spike implementation of ssm3 instructions.
  - Spec typo fixes around vector sha2 instructions.
Additions:
- #18 - Added vector grev instruction, a vectorised version of the Bitmanip instruction with the same name.
- #19 - Added vector rotate instruction.
- #20 - Added experimental SAIL implementations of the scalar cryptography instructions.
- See issue #22 for a log of questions which have arisen as part of this process.
- SAIL implementations of borrowed bitmanip instructions expected to be implemented as part of the Bitmanip TG.
- SAIL implementations of vector cryptography instructions are blocked by lack of SAIL support for base vector extension.
Removals:
- None
Open Issues:
See the status of the open issues in the project board.
v0.6.0
Decisions Taken:
- Agreed on the Entropy Source Proposal. See #14.
- Agreed on set of vector carry-less multiply instructions. See #17.
Changes:
- None
Additions:
- Entropy Source Proposals.
  - Specification of instruction behavior appears in section 6.
  - Supplementary information and guidance for implementers appears in Appendix B.
- Vector carry-less multiply instruction variants.
  - Hi/Lo, Widening, Hi/Lo with accumulate.
  - Exact support for particular instructions and parameters (SEW) to be decided during profiles discussion.
Removals:
- Empty section on scalar micro-architectural recommendations. Will be better placed in supplementary materials section.
- Appendix section on benchmark results. Again, better placed in supplementary materials section later on.
Open Issues:
v0.5.0
Decisions Taken:
- None
Changes:
- Re-written the "Feature Discovery" section as "Implementation Profiles"
- Actual feature discovery mechanisms are for the tech-config task group.
- This section starts a discussion about implementation profiles for the cryptography extension.
- Renamed the "Random Bit Extension" section to "Entropy Source Extension"
Additions:
- The Vector instructions have been added to the spec, transcribed from Richard's 2019 RISC-V summit slideshow.
Removals:
- None
v0.4.0
Decisions Taken:
- Remove the indexed load+store instructions.
- Remove the old fused multiply add & accumulate instructions.
- Remove cmov from proposed shared Bitmanip instructions list.
  - Can be added back in the future if people believe a single ternary instruction is worth it.
Changes:
- Re-written the example Verilog implementations for all Cryptography extension instructions.
Additions:
- Supplementary information being gathered in doc/supp
Removals:
- Indexed load+store instructions.
- Old fused multiply add & accumulate instructions.
- cmov from proposed shared Bitmanip instructions list.
v0.3.1
Decisions Taken:
- Include the SHA512 RV32 instructions.
Changes:
- Optimised the AES RV64 instructions.
  - The hi/lo variant instructions were not needed, since we can just use the lo variants with flipped source operands.
  - Updated spec, spike, binutils, benchmarks and example RTL as appropriate.
- Toolchain: simplify the build flow for the experimental toolchain by using the riscv-gnu-toolchain repository as a base.
  - Point the gcc and binutils submodules at their respective riscv-bitmanip branches.
- Updated the AES and SHA benchmark code to be a bit nicer.
Additions:
- SHA512 RV32 Sigma/Sum instructions. See draft spec section 5.5.2.
Removals:
- All saes64.*.hi instructions were removed as unnecessary.
v0.3.0
Decisions Taken:
- Settled on the RV64 scalar AES acceleration instruction designs.
- Removed the scalar sha3 indexing instructions from the proposal, since they are not useful.
- Remove the funnel shift instructions from the "shared with Bitmanip" section.
- These were only tentatively proposed as a faster way of doing 64-bit rotations (for SHA3) on RV32, but ultimately proved unnecessary.
Changes:
- Modified the RV64 scalar AES instructions with Barry's enhanced KeySchedule proposal.
- Numerous miscellaneous typos/spelling/grammar fixes from Alexander Zeh.
Additions:
- Lightweight SM4 proposal based on lwaes_isa
- Lightweight SM3 proposal based on lwsha_isa
- Simple feature discovery mechanism.
Removals:
- All scalar SHA3 (ssha3) instructions.
  - Removed appendix section discussing the SHA3 instructions.
- Funnel Shift instructions.
v0.2.1
Decisions Taken:
- Select Markku's lwaes proposal going forward for RV32 based systems.
- Tentatively agree to have separate AES instructions for scalar RV32 and RV64 systems.
Changes:
- Swapped the order of rs1 and rs2 in the 32-bit AES proposal. Allows rd=rs1 for all usages of the instruction.
- Re-structured the draft specification document to clearly separate between RV32 and RV64 AES proposals.
- Moved old AES proposals to an appendix for posterity.
- Adopted the saes32.* and saes64.* naming conventions for the scalar AES instructions.
  - Updated the binutils and spike patches accordingly.
Additions:
- A dedicated RV64-only AES proposal. Appears as section 4.4.2 in the draft specification.
Removals:
- Old AES proposal variant code has been removed because of the amount of repository clutter it generated. They can be recovered easily via version control if need be.
v0.2.0
Decisions Taken:
- None
Changes:
- General improvements to consistency of pseudo-code and instruction behaviour specification.
- LUT4 instruction changed to have a very efficient RV64-only variant, and lo/hi versions for RV32.
Additions:
- SHA256/512 benchmark results.
- AES proposal variants 1,2,3.1,3.2 all ready for discussion.
- Benchmark results for RTL and software performance.
- Placeholder for scalar SM4 acceleration instructions.
- Codified design policies for the scalar instructions to make motivations / decisions consistent across the extension.
- Start keeping track of contributors.
Removals:
- None.
- SHA3 proposals marked as tenuous given how SHA3 is normally implemented as loop-unrolled in the wild, and the instructions only help loop-rolled-up implementations.