Overview
- The SCARV project was one of four core (aka. tranche 1) research projects funded by the National Cyber Security Centre (NCSC) and the Engineering and Physical Sciences Research Council (EPSRC) as grant EP/R012288/1 under the Research Institute in Secure Hardware and Embedded Systems (RISE) programme, and was hosted at the University of Bristol.
- The project was originally intended to run for a 5 year period from 01/02/18 until 31/01/23. Due to the impact of COVID-19, however, this period was extended by 1 year, meaning it eventually ran until 31/01/24.
- The project was supported throughout by two specific industrial partners:
Original proposal
As reflected by the record maintained by EPSRC, the original grant proposal (circa 2017) specified a program of work that can be (and was) summarised as follows:
RISC-V is an Instruction Set Architecture (ISA). An ISA is essentially a specification for the instructions any compatible processor implementation should be able to execute, plus the resources (e.g., registers and memory) those instructions can access; it acts as the interface between the processor implementation (hardware) and the programs that execute on it (software). In sharp contrast with proprietary alternatives, such as the x86 ISA from Intel, RISC-V is an open design. This means it can be used freely by anyone for any purpose, which, in part, has meant rapid development of a rich support infrastructure around the project: this includes a) vibrant developer and user communities, built around the associated, non-profit foundation, b) numerous implementations of the ISA, both in HDL (i.e., soft cores for use on FPGAs) and silicon (i.e., ASICs), and c) ports of programming tool-chains (e.g., GCC and LLVM), and operating systems (e.g., Linux).
Similar openness is a core principle in security-critical contexts, which contrasts with the alternative often colloquially termed "security by obscurity". This is particularly true in the field of cryptography, a technology which is routinely tasked with ensuring the secrecy, robustness, and provenance of our data (whether communicated or stored), and the authenticity of the parties we interact with: open development of cryptographic standards, designs, and implementations is the modern norm. As a result, RISC-V presents various opportunities when used to execute cryptographic workloads. The SCARV (pronounced "scarf") project aims to capitalise on these opportunities, in a way designed to address advanced, persistent threats to our digital security, and, by extension, society. More specifically, the research goals span three broad themes:
- Since RISC-V can be implemented by anyone, it is possible to develop a domain-specific processor implementation which is hardened against certain types of attack. We will focus on the threat of side-channel attacks, which is particularly relevant to embedded use-cases, e.g., IoT. In addition, we will also investigate how detailed information regarding a processor implementation can be harnessed to produce more effective security evaluations.
- Since RISC-V can be adapted by anyone, it is possible to develop various cryptography-specific extensions or variants of the ISA that offer, for example, higher efficiency. If cryptographic software is more efficient it can also be more secure, because, for example, larger keys or more robust attack countermeasures can be deployed without as significant an impact on latency.
- Evaluation of side-channel security can be prohibitively expensive, in the sense that it requires various specific items of equipment. Harnessing a platform based on RISC-V, the proposed research will address this problem by offering a "lab. free" (i.e., cloud-based) acquisition and analysis workflow available to anyone.
Notable outcomes
- After the project concluded, the staff involved have gone on to hold a wide range of technical and non-technical, typically cyber-security related roles spanning industry and academia; examples include Andrea Basso (now at IBM), Ben Marshall (now at PQShield), Thinh Pham (now at Arm), Daniel Page (still at University of Bristol), and James Webb (then and now at Ultra Horizon and Elliptic Systems). As part of various threads of collaboration with researchers at the University of Luxembourg, we are proud to have hosted a 6-month PhD internship by Hao Cheng (who successfully defended his thesis in 2023, for which he subsequently received the Excellent Thesis Award).
- We disseminated our research output via 20+ publications; significant examples include 8 at (T)CHES, 2 at EUROCRYPT, and 2 at ASIACRYPT. We are proud to have won the best paper award at (T)CHES'23 (see, e.g., the paper and presentation).
- We disseminated our research output via contributed and invited presentations at a range of academic- and industry-oriented venues; significant examples include CYBER'21, COSADE'22, CARDIS'22, and CYBER'23.
- We were involved in establishing the Topics in hArdware SEcurity and RISC-V (TASER) workshop, which ran in 2021, 2022, 2023, and 2024.
- Our internal XCrypto project, plus our work on RISC-V ISEs for AES, transformed into a contribution to the RISC-V scalar cryptography extensions (aka. Zk) which were ratified in late 2021: Ben Marshall acted as the editor while working on the SCARV project, and subsequently 1) served as an elected member of the RISC-V Technical Steering Committee (TSC) until late 2022, plus 2) received a Technical Contributors Award at RISC-V Summit'21 for this work.
- Our work on RISC-V ISEs for lightweight symmetric cryptography was cited in a NIST report summarising the final round of their Lightweight Cryptography (LWC) standardisation process.
Publications
Theses
The SCARV project is hosted within the Department of Computer Science at the University of Bristol and, as such, has supported a number of associated undergraduate (e.g., BSc and MEng), post-graduate taught (i.e., MSc), and post-graduate research (i.e., PhD) projects. Some such projects align with a core activity within SCARV, others explore something at the periphery; either way this repository is an archive of their output, namely the PDF-format thesis produced in each case.
Papers
- H. Cheng, J. Großschädl, B. Marshall, D. Page, and M.-J. O. Saarinen. SoK: Instruction Set Extensions for Cryptographers. In Cryptology ePrint Archive, Report 2024/1323, 2024.
- H. Cheng, G. Fotiadis, J. Großschädl, D. Page, T.H. Pham, and P.Y.A. Ryan. RISC-V Instruction Set Extensions for Multi-Precision Integer Arithmetic. In Design Automation Conference (DAC), 329:1--329:6, 2024.
- H. Cheng, D. Page, and W. Wang. eLIMInate: a Leakage-focused ISE for Masked Implementation. In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(2), 329--358, 2024 (see also Cryptology ePrint Archive, Report 2023/966).
- A. Basso and T.B. Fouotsa. New SIDH Countermeasures for a More Efficient Key Exchange. In Advances in Cryptology (ASIACRYPT), Springer-Verlag, LNCS 14445, 208--233, 2023 (see also Cryptology ePrint Archive, Report 2023/791).
- A. Basso, L. Maino, and G. Pope. FESTA: Fast Encryption from Supersingular Torsion Attacks. In Advances in Cryptology (ASIACRYPT), Springer-Verlag, LNCS 14444, 98--126, 2023 (see also Cryptology ePrint Archive, Report 2023/660).
- A. Basso. A Post-Quantum Round-Optimal Oblivious PRF from Isogenies. In Cryptology ePrint Archive, Report 2023/225, 2023.
- A. Aikata, A. Basso, G. Cassiers, A.C. Mert, and S.S. Roy. Kavach: Lightweight masking techniques for polynomial arithmetic in lattice-based cryptography. In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(3), 366--390, 2023 (see also Cryptology ePrint Archive, Report 2023/517).
- A. Basso, G. Codogni, D. Connolly, L. De Feo, T.B. Fouotsa, G.M. Lido, T. Morrison, L. Panny, S. Patranabis, and B. Wesolowski. Supersingular Curves You Can Trust. In Theory and Application of Cryptographic Techniques (EUROCRYPT), Springer-Verlag, LNCS 14005, 405--437, 2023 (see also Cryptology ePrint Archive, Report 2022/1469).
- H. Cheng, J. Großschädl, B. Marshall, D. Page, and T.H. Pham. RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography. In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(1), 193--237, 2023 (see also 5th Lightweight Cryptography Workshop).
- B. Marshall, D. Page, T.H. Pham, and M. Whale. HYDRA: a multi-core RISC-V with cryptographically useful modes of operation. In 6th Workshop on Computer Architecture Research with RISC-V (CARRV), 2022.
- S. Gao, E. Oswald, and D. Page. Towards Micro-Architectural Leakage Simulators: Reverse Engineering Micro-Architectural Leakage Features is Practical. In Theory and Application of Cryptographic Techniques (EUROCRYPT), Springer-Verlag, LNCS 13277, 284--311, 2022 (see also Cryptology ePrint Archive, Report 2021/794).
- M.-J. O. Saarinen, G.R. Newell, and B. Marshall. Development of the RISC-V entropy source interface. In Journal of Cryptographic Engineering, 2022 (see also Cryptology ePrint Archive, Report 2020/866, and ASHES'20).
- B. Marshall, D. Page, and J. Webb. MIRACLE: MIcRo-ArChitectural Leakage Evaluation. In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(1), 175--220, 2021 (see also Cryptology ePrint Archive, Report 2021/261).
- B. Marshall and D. Page. SME: Scalable Masking Extensions. In Cryptology ePrint Archive, Report 2021/1416, 2021.
- S. Gao, J. Großschädl, B. Marshall, D. Page, T.H. Pham, and F. Regazzoni. An Instruction Set Extension to Support Software-Based Masking. In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(4), 283--325, 2021 (see also Cryptology ePrint Archive, Report 2020/773).
- B. Marshall, D. Page, and T.H. Pham. A lightweight ISE for ChaCha on RISC-V. In Application-specific Systems, Architectures and Processors (ASAP), 25--32, 2021 (see also Cryptology ePrint Archive, Report 2021/1030).
- T.H. Pham, B. Marshall, A. Fell, S.-K. Lam, and D. Page. eXtended DIVersifying INStruction Agent to Mitigate Power Side-Channel Leakage. In Application-specific Systems, Architectures and Processors (ASAP), 179--186, 2021 (see also Cryptology ePrint Archive, Report 2021/1053).
- B. Marshall, G.R. Newell, D. Page, M.-J. O. Saarinen, and C. Wolf. The design of scalar AES Instruction Set Extensions for RISC-V. In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(1), 109--136, 2020 (see also Cryptology ePrint Archive, Report 2020/930).
- B. Marshall, D. Page, and T.H. Pham. Implementing the Draft RISC-V Scalar Cryptography Extensions. To appear in Hardware and Architectural Support for Security and Privacy (HASP), 2020.
- S. Gao, B. Marshall, D. Page, and T.H. Pham. FENL: an ISE to mitigate analogue micro-architectural leakage. In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(2), 73--98, 2020.
- S. Gao, B. Marshall, D. Page, and E. Oswald. Share-slicing: Friend or Foe? In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(1), 152--174, 2020.
- B. Marshall. On Hardware Verification In An Open Source Context. In Workshop on Open Source Design Automation (OSDA), 2019.
Projects
The RISC-V compatible SCARV micro-controller (comprising a processor core and SoC) is the eponymous, capstone output, e.g., representing a demonstrator for the XCrypto ISE.
XCrypto is a general-purpose Instruction Set Extension (ISE) for RISC-V that supports software-based cryptographic workloads.
The NIST lightweight cryptography process is an attempt to "solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments". From an initial 57 submissions, 10 final-round candidates were selected. The lwise project and repository capture an exploration of Instruction Set Extensions (ISEs) for (a subset of) these candidates, based on the use of RISC-V: the goal is to add understanding to, and so inform selection of, any resulting standard, with respect to implementation-related criteria such as execution latency.
libscarv is a library of cryptographic reference implementations for RISC-V in general, and the SCARV-related cryptographic ISE XCrypto specifically; the implementations are written in a mixture of C and/or assembly language. Note that libscarv definitely isn't a library you'd expect (or want) to see in production code: it's really only intended for internal use, e.g., as a) a guide for (e.g., ISE) design and implementation work, plus b) a resource for benchmarking and evaluation. One could therefore view it as a cryptography-specific analogue of more general-purpose alternatives, e.g., the Embench benchmark.
MIRACLE captures a range of components that relate to the study of micro-architectural side-channel leakage, i.e., leakage that stems from micro-architectural behaviour. Specifically, there are three main components, namely a suite of software kernels, specifically constructed to assess whether or not a given form of leakage is evident; a framework for executing such kernels and acquiring associated data sets, e.g., traces of power consumption; and a framework for analysing such data sets, and then presenting the results (via a web-based front-end).
SCA3S is a collection of resources that support the development and analysis of cryptographic implementations with respect to side-channel attack: SCA3S is, more specifically, pitched as offering "side-channel analysis as a service": it allows users to acquire and analyse side-channel data sets which stem from execution of their implementation, without (necessarily) owning or operating the associated infrastructure. Mirroring the goals of SCARV, it places particular emphasis on analogue side-channels (e.g., power and EM) stemming from RISC-V-based platforms.
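The MIRACLE and SCA3S descriptions above both revolve around the same workflow: acquire a data set of power traces from an implementation, then analyse it to decide whether a given form of leakage is evident. As an added illustration of what the analysis step of such a workflow does (this is example code written for this page, not code from MIRACLE, SCA3S or any other SCARV output), the block below runs a first-order fixed-vs-random Welch's t-test over a constructed set of traces. The choice of test, the conventional |t| > 4.5 threshold, the Hamming-weight power model used to construct the traces, and all function names are assumptions made here for the example, not a statement of what those projects implement.

```python
"""Added example: first-order fixed-vs-random leakage assessment.

Not code from MIRACLE, SCA3S or the SCARV project. Assumptions made here:
a Welch's t-test per sample point with the conventional |t| > 4.5 threshold,
and a constructed data set in which one sample point leaks the Hamming weight
of the byte being processed on top of Gaussian noise.
"""
import math
import random

T_THRESHOLD = 4.5  # conventional pass/fail threshold for a first-order t-test


def welch_t(a, b):
    """Welch's t-statistic for two independent samples (lists of floats)."""
    n_a, n_b = len(a), len(b)
    mean_a = sum(a) / n_a
    mean_b = sum(b) / n_b
    var_a = sum((x - mean_a) ** 2 for x in a) / (n_a - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (n_b - 1)
    denom = math.sqrt(var_a / n_a + var_b / n_b)
    if denom == 0.0:  # identical constant samples: no evidence either way
        return 0.0
    return (mean_a - mean_b) / denom


def leakage_points(fixed_traces, random_traces, threshold=T_THRESHOLD):
    """Return the indices of sample points whose |t| exceeds the threshold.

    Each trace is a list of floats of equal length; the two groups are the
    traces acquired with a fixed input and with uniformly random inputs.
    """
    n_points = len(fixed_traces[0])
    flagged = []
    for i in range(n_points):
        col_fixed = [trace[i] for trace in fixed_traces]
        col_random = [trace[i] for trace in random_traces]
        if abs(welch_t(col_fixed, col_random)) > threshold:
            flagged.append(i)
    return flagged


def hamming_weight(x):
    return bin(x).count("1")


def make_traces(n_traces, n_points, leak_point, fixed_input, rng):
    """Construct a synthetic data set (not acquired from real hardware).

    Every point is unit Gaussian noise; at `leak_point` a contribution
    proportional to the Hamming weight of the processed byte is added, which
    is the usual first-order power model for a data-dependent register write.
    """
    fixed, rnd = [], []
    for _ in range(n_traces):
        for group, value in ((fixed, fixed_input), (rnd, rng.randrange(256))):
            trace = [rng.gauss(0.0, 1.0) for _ in range(n_points)]
            trace[leak_point] += 0.5 * hamming_weight(value)
            group.append(trace)
    return fixed, rnd


def run_assessment(seed=1):
    """Build a constructed data set and report which points leak."""
    rng = random.Random(seed)
    fixed, rnd = make_traces(n_traces=500, n_points=32, leak_point=10,
                             fixed_input=0xFF, rng=rng)
    return leakage_points(fixed, rnd)


if __name__ == "__main__":
    print("sample points with first-order leakage:", run_assessment())
```

With the constructed data set only point 10 is flagged: the fixed group always processes a byte of Hamming weight 8, the random group averages 4, so their means separate by far more than the per-point noise permits, while the remaining points differ only by chance. A real analysis framework would add the other usual steps, such as trace alignment, higher-order pre-processing for masked implementations, and a front-end to plot the t-statistic against sample index.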