
Releases: riscv/riscv-crypto

v0.7.0

22 Sep 13:36
Pre-release

Decisions Taken:

  • #47 - The specification has now been split into two documents.
    • Volume I - Deals with the scalar and entropy source instructions.
    • Volume II - Deals with the vector instructions.
    • This was done to recognise that the scalar specification is much closer to meeting the definition of done, and has fewer dependencies, than the vector specification. Per the meeting on September 10th 2020, we are aiming to freeze the scalar specification by the end of October 2020.
  • #44 - We have updated the xperm instruction borrowed from Bitmanip. We now include the xperm.n and xperm.b variants.
  • Based on the September 10th 2020 meeting, we are including the gorc instruction due to its usefulness in implementing generic permutations.

Changes:

  • #48 - All instruction name changes have now been implemented.
  • #50 - Fixed a decode conflict involving the pollentropy temporary opcode assignment.

Additions:

  • The gorc instruction is now included in the specification as an instruction borrowed from Bitmanip.
  • #44 - The xperm.b instruction is also now included in the specification as an instruction borrowed from Bitmanip.
  • Continued progress with SAIL code, not yet inlined into the vector specification document.
    • #32 - Vector CLMUL Mock Sail Code.
    • #31 - Vector GREV Mock Sail Code.
    • #33 - Vector Rotate Mock Sail Code.

Removals:

  • None

Open Issues:

See the status of the open issues in the project board.

  • #16 - Final Instruction encodings are yet to be assigned.
  • Various open issues around "feature groups"
    • #40 - Work with BitManip TG to ensure they have groupings that work for Crypto
    • #35 - Overall Issue - what are the crypto feature groups and recommended subsets?
    • Some issues blocked by feature group discussions: #20,
  • #49 - Vector extension ELEN requirements - some clarification needed.
  • Sail code for vector SHA2 #23 and AES #24
  • Compliance tests for Scalar #27 and Vector #29 instructions.

v0.6.2

13 Aug 15:54
Pre-release

  • This is a dummy release reflecting that the GitHub repository location has changed.
    • Previously the repository lived at github.com/scarv/riscv-crypto.
    • Now it lives at github.com/riscv/riscv-crypto.
  • All URLs and links in the repository and specification document have been updated to reflect the repository move.
  • In all other respects, this release is identical to v0.6.1.
  • Re-built versions of the specification can be downloaded below.

v0.6.1

05 Aug 08:25
Pre-release

Decisions Taken:

  • Added vectorised grev and rotate instructions.

Changes:

  • #13 - The lut4 instruction has been moved to the Bitmanip extension, and is now "borrowed" from it. It has been re-named xperm.*
  • #20 - Replaced scalar cryptography instruction pseudo-code with SAIL formal model code snippets.
  • Miscellaneous typo and code fixes.
    • Fix example RTL implementations of ssm3 and ssha512 instructions.
    • Fix Spike implementation of ssm3 instructions.
    • Spec typo fixes around vector sha2 instructions.

Additions:

  • #18 - Added vector grev instruction, a vectorised version of the Bitmanip instruction with the same name.
  • #19 - Added vector rotate instruction.
  • #20 - Added experimental SAIL implementations of the scalar cryptography instructions.
    • See issue #22 for a log of questions which have arisen as part of this process.
    • SAIL implementations of borrowed Bitmanip instructions are expected to be implemented as part of the Bitmanip TG.
    • SAIL implementations of vector cryptography instructions are blocked by the lack of SAIL support for the base vector extension.

Removals:

  • None

Open Issues:

See the status of the open issues in the project board.

  • #24 - Vector AES pseudo-code.
  • #23 - Vector SHA2 pseudo-code.
  • #20 - Sail support is still a work in progress.
  • #16 - Instruction encodings still TBD.
  • #15 - SM3 example code.

v0.6.0

16 Jul 12:11
Pre-release

Decisions Taken:

  • Agreed on the Entropy Source Proposal. See #14.
  • Agreed on set of vector carry-less multiply instructions. See #17.

Changes:

  • None

Additions:

  • Entropy Source Proposals.
    • Specification of instruction behavior appears in section 6.
    • Supplementary information and guidance for implementers appears in Appendix B.
  • Vector carry-less multiply instruction variants.
    • Hi/Lo, Widening, Hi/Lo with accumulate.
    • Exact support for particular instructions and parameters (SEW) to be decided during profiles discussion.

Removals:

  • Empty section on scalar micro-architectural recommendations. Will be better placed in supplementary materials section.
  • Appendix section on benchmark results. Again, better placed in supplementary materials section later on.

Open Issues:

  • #20 SAIL Formal ISA Specification Support.
  • #19 Vector Rotation Support.
  • #18 Vector Bit Reversal Support.
  • #16 Instruction Encodings.
  • #15 SM3 Example code.
  • #13 lut4 instruction move to Bitmanip changes.

v0.5.0

25 Jun 10:35
Pre-release

Decisions Taken:

  • None

Changes:

  • Re-written the "Feature Discovery" section as "Implementation Profiles"
    • Actual feature discovery mechanisms are for the tech-config task group.
    • This section starts a discussion about implementation profiles for the cryptography extension.
  • Renamed the "Random Bit Extension" section to "Entropy Source Extension"

Additions:

  • The Vector instructions have been added to the spec, transcribed from Richard's 2019 RISC-V summit slideshow.

Removals:

  • None

v0.4.0

11 May 08:26
Pre-release

Decisions Taken:

  • Remove the indexed load+store instructions.
  • Remove the old fused multiply add & accumulate instructions.
  • Remove cmov from proposed shared Bitmanip instructions list.
    • Can be added back in the future if people believe a single ternary instruction is worth it.

Changes:

  • Re-written the example Verilog implementations for all Cryptography extension instructions.

Additions:

  • Supplementary information being gathered in doc/supp

Removals:

  • Indexed load+store instructions.
  • Old fused multiply add & accumulate instructions.
  • cmov from proposed shared Bitmanip instructions list.

v0.3.1

23 Apr 14:17
Pre-release

Decisions Taken:

  • Include the SHA512 RV32 instructions.

Changes:

  • Optimised the AES RV64 instructions.
    • The hi/lo variant instructions were not needed, since we can just use the lo variants with flipped source operands.
    • Updated spec, spike, binutils, benchmarks and example RTL as appropriate.
  • Toolchain: simplify the build flow for the experimental toolchain by using the riscv-gnu-toolchain repository as a base.
    • Point the gcc and binutils submodules at their respective riscv-bitmanip branches.
  • Updated the AES and SHA benchmark code to be a bit nicer.

Additions:

  • SHA512 RV32 Sigma/Sum instructions. See draft spec section 5.5.2.

Removals:

  • All saes64.*.hi instructions were removed as unnecessary.

v0.3.0

27 Mar 11:24
Pre-release

Decisions Taken:

  • Settled on the RV64 scalar AES acceleration instruction designs.
  • Removed the scalar sha3 indexing instructions from the proposal, since they are not useful.
  • Remove the funnel shift instructions from the "shared with Bitmanip" section.
    • These were only tentatively proposed as a faster way of doing 64-bit rotations (for SHA3) on RV32, but ultimately proved unnecessary.

Changes:

  • Modified the RV64 scalar AES instructions with Barry's enhanced KeySchedule proposal.
  • Numerous miscellaneous typos/spelling/grammar fixes from Alexander Zeh.

Additions:

  • Lightweight SM4 proposal based on lwaes_isa
  • Lightweight SM3 proposal based on lwsha_isa
  • Simple feature discovery mechanism.

Removals:

  • All scalar SHA3 (ssha3) instructions.
    • Removed the appendix section discussing the SHA3 instructions.
  • Funnel Shift instructions.

v0.2.1

09 Mar 10:46
Pre-release

Decisions Taken:

  • Select Markku's lwaes proposal going forward for RV32 based systems.
  • Tentatively agree to have separate AES instructions for scalar RV32 and RV64 systems.

Changes:

  • Swapped the order of rs1 and rs2 in the 32-bit AES proposal. Allows rd=rs1 for all usages of the instruction.
  • Re-structured the draft specification document to clearly separate between RV32 and RV64 AES proposals.
    • Moved old AES proposals to an appendix for posterity.
  • Adopted the saes32.* and saes64.* naming conventions for the scalar AES instructions.
    • Updated the binutils and spike patches accordingly.

Additions:

  • A dedicated RV64-only AES proposal. Appears as section 4.4.2 in the draft specification.

Removals:

  • Old AES proposal variant code has been removed because of the amount of repository clutter it generated. They can be recovered easily via version control if need be.

v0.2.0

19 Feb 13:51
Pre-release

Decisions Taken:

  • None

Changes:

  • General improvements to consistency of pseudo-code and instruction behaviour specification.
  • LUT4 instruction changed to have a very efficient RV64-only variant, and lo/hi versions for RV32.

Additions:

  • SHA256/512 benchmark results.
  • AES proposal variants 1,2,3.1,3.2 all ready for discussion.
    • Benchmark results for RTL and software performance.
  • Placeholder for scalar SM4 acceleration instructions.
  • Codified design policies for the scalar instructions to make motivations / decisions consistent across the extension.
  • Start keeping track of contributors.

Removals:

  • None.
  • SHA3 proposals marked as tenuous given how SHA3 is normally implemented as loop-unrolled in the wild, and the instructions only help loop-rolled-up implementations.