Overview

Original proposal

As reflected by the record maintained by EPSRC, the original grant proposal (circa 2017) specified a program of work that can be (and was) summarised as follows:

RISC-V is an Instruction Set Architecture (ISA). An ISA is essentially a specification for the instructions any compatible processor implementation should be able to execute, plus resources (e.g., registers and memory) those instructions can access; it acts as the interface between the processor implementation (hardware) and programs that execute on it (software). In sharp contrast with proprietary alternatives, such as the x86 ISA from Intel, RISC-V is an open design. This means it can be used freely by anyone for any purpose, which, in part, has meant rapid development of a rich support infrastructure around the project: this includes a) vibrant developer and user communities, built around the associated, non-profit foundation, b) numerous implementations of the ISA, both in HDL (i.e., soft cores for use on FPGAs) and silicon (i.e., ASICs), and c) ports of programming tool-chains (e.g., GCC and LLVM), and operating systems (e.g., Linux).

Similar openness is a core principle in security-critical contexts, which contrasts with the alternative often colloquially termed "security by obscurity". This is particularly true in the field of cryptography, a technology which is routinely tasked with ensuring secrecy, robustness, and provenience of our data (whether communicated or stored), and the authenticity of parties we interact with: open development of cryptographic standards, designs, and implementations is the modern norm. As a result, RISC-V presents various opportunities when used to execute cryptographic workloads. The SCARV (pronounced "scarf") project aims to capitalise on these opportunities, in a way designed to address advanced, persistent threats to our digital security, and, by extension, society. More specifically, the research goals span three broad themes:

  1. Since RISC-V can be implemented by anyone, it is possible to develop a domain-specific processor implementation which is hardened against certain types of attack. We will focus on the threat of side-channel attacks, which is particularly relevant to embedded use-cases, e.g., IoT. In addition, we will also investigate how detailed information regarding a processor implementation can be harnessed to produce more effective security evaluations.

  2. Since RISC-V can be adapted by anyone, it is possible to develop various cryptography-specific extensions or variants of the ISA that offer, for example, higher efficiency. If cryptographic software is more efficient it can also be more secure, because, for example, larger keys or more robust attack countermeasures can be deployed without as significant an impact on latency.

  3. Evaluation of side-channel security can be prohibitive in the sense it needs various specific items of equipment. Harnessing a platform based on RISC-V, the proposed research will address this problem by offering a "lab. free" (i.e., cloud-based) acquisition and analysis workflow available to anyone.

Notable outcomes


Publications

Theses

The SCARV project is hosted within the Department of Computer Science at the University of Bristol and, as such, has supported a number of associated undergraduate (e.g., BSc and MEng), post-graduate taught (i.e., MSc), and post-graduate research (i.e., PhD) projects. Some such projects align with a core activity within SCARV, others explore something at the periphery; either way this repository is an archive of their output, namely the PDF-format thesis produced in each case.

Papers

  1. H. Cheng, J. Großschädl, B. Marshall, D. Page, and M.-J. O. Saarinen.
    SoK: Instruction Set Extensions for Cryptographers.
    In Cryptology ePrint Archive, Report 2024/1323, 2024.
  2. H. Cheng, G. Fotiadis, J. Großschädl, D. Page, T.H. Pham, and P.Y.A. Ryan.
    RISC-V Instruction Set Extensions for Multi-Precision Integer Arithmetic.
    Design Automation Conference (DAC), 329:1--329:6, 2024.
  3. H. Cheng, D. Page, and W. Wang.
    eLIMInate: a Leakage-focused ISE for Masked Implementation.
    IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(2), 329--358, 2024 (see also Cryptology ePrint Archive, Report 2023/966).
  4. A. Basso and T.B. Fouotsa.
    New SIDH Countermeasures for a More Efficient Key Exchange.
    In Advances in Cryptology (ASIACRYPT), Springer-Verlag, LNCS 14445, 208--233, 2023 (see also Cryptology ePrint Archive, Report 2023/791).
  5. A. Basso, L. Maino, and G. Pope.
    FESTA: Fast Encryption from Supersingular Torsion Attacks.
    In Advances in Cryptology (ASIACRYPT), Springer-Verlag, LNCS 14444, 98--126, 2023 (see also Cryptology ePrint Archive, Report 2023/660).
  6. A. Basso.
    A Post-Quantum Round-Optimal Oblivious PRF from Isogenies.
    In Cryptology ePrint Archive, Report 2023/225, 2023.
  7. A. Aikata, A. Basso, G. Cassiers, A.C. Mert, and S.S. Roy.
    Kavach: Lightweight masking techniques for polynomial arithmetic in lattice-based cryptography.
    IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(3), 366--390, 2023 (see also Cryptology ePrint Archive, Report 2023/517).
  8. A. Basso, G. Codogni, D. Connolly, L. De Feo, T.B. Fouotsa, G.M. Lido, T. Morrison, L. Panny, S. Patranabis, and B. Wesolowski.
    Supersingular Curves You Can Trust.
    In Theory and Application of Cryptographic Techniques (EUROCRYPT), Springer-Verlag, LNCS 14005, 405--437, 2023 (see also Cryptology ePrint Archive, Report 2022/1469).
  9. H. Cheng, J. Großschädl, B. Marshall, D. Page, and T.H. Pham.
    RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography.
    In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(1), 193--237, 2023 (see also 5th Lightweight Cryptography Workshop).
  10. B. Marshall, D. Page, T.H. Pham, and M. Whale.
    HYDRA: a multi-core RISC-V with cryptographically useful modes of operation.
    In 6th Workshop on Computer Architecture Research with RISC-V (CARRV), 2022.
  11. S. Gao, E. Oswald, and D. Page.
    Towards Micro-Architectural Leakage Simulators: Reverse Engineering Micro-Architectural Leakage Features is Practical.
    In Theory and Application of Cryptographic Techniques (EUROCRYPT), Springer-Verlag, LNCS 13277, 284--311, 2022 (see also Cryptology ePrint Archive, Report 2021/794).
  12. M.-J. O. Saarinen, G.R. Newell, and B. Marshall.
    Development of the RISC-V entropy source interface.
    In Journal of Cryptographic Engineering, 2022 (see also Cryptology ePrint Archive, Report 2020/866, and ASHES'20).
  13. B. Marshall, D. Page, and J. Webb.
    MIRACLE: MIcRo-ArChitectural Leakage Evaluation.
    In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(1), 175--220, 2021 (see also Cryptology ePrint Archive, Report 2021/261).
  14. B. Marshall and D. Page.
    SME: Scalable Masking Extensions.
    In Cryptology ePrint Archive, Report 2021/1416, 2021.
  15. S. Gao, J. Großschädl, B. Marshall, D. Page, T.H. Pham, and F. Regazzoni.
    An Instruction Set Extension to Support Software-Based Masking.
    In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(4), 283--325, 2021 (see also Cryptology ePrint Archive, Report 2020/773).
  16. B. Marshall, D. Page, and T.H. Pham.
    A lightweight ISE for ChaCha on RISC-V.
    In Application-specific Systems, Architectures and Processors (ASAP), 25--32, 2021 (see also Cryptology ePrint Archive, Report 2021/1030).
  17. T.H. Pham, B. Marshall, A. Fell, S.-K. Lam, and D. Page.
    eXtended DIVersifying INStruction Agent to Mitigate Power Side-Channel Leakage.
    In Application-specific Systems, Architectures and Processors (ASAP), 179--186, 2021 (see also Cryptology ePrint Archive, Report 2021/1053).
  18. B. Marshall, G.R. Newell, D. Page, M.-J. O. Saarinen, and C. Wolf.
    The design of scalar AES Instruction Set Extensions for RISC-V.
    In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(1), 109--136, 2020 (see also Cryptology ePrint Archive, Report 2020/930).
  19. B. Marshall, D. Page, and T.H. Pham.
    Implementing the Draft RISC-V Scalar Cryptography Extensions.
    To appear in Hardware and Architectural Support for Security and Privacy (HASP), 2020.
  20. S. Gao, B. Marshall, D. Page, and T.H. Pham.
    FENL: an ISE to mitigate analogue micro-architectural leakage.
    In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(2), 73--98, 2020.
  21. S. Gao, B. Marshall, D. Page, and E. Oswald.
    Share-slicing: Friend or Foe?
    In IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(1), 152--174, 2020.
  22. B. Marshall.
    On Hardware Verification In An Open Source Context.
    In Workshop on Open Source Design Automation (OSDA), 2019.

Projects

The RISC-V compatible SCARV micro-controller (comprising a processor core and SoC) is the eponymous, capstone output, e.g., representing a demonstrator for the XCrypto ISE.
XCrypto is a general-purpose Instruction Set Extension (ISE) for RISC-V that supports software-based cryptographic workloads.
The NIST lightweight cryptography process is an attempt to "solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments". From an initial 57 submissions, 10 final-round candidates were selected. The lwise project and repository capture an exploration of Instruction Set Extensions (ISEs) for (a subset of) these candidates, based on the use of RISC-V: the goal is to improve understanding of, and so inform selection of, any resulting standard with respect to implementation-related criteria such as execution latency.
libscarv is a library of cryptographic reference implementations for RISC-V in general, and the SCARV-related cryptographic ISE XCrypto specifically; the implementations are written in a mixture of C and/or assembly language. Note that libscarv definitely isn't a library you'd expect (or want) to see in production code: it's really only intended for internal use, e.g., as a) a guide for (e.g., ISE) design and implementation work, plus b) a resource for benchmarking and evaluation. One could therefore view it as a cryptography-specific analogue of more general-purpose alternatives, e.g., the Embench benchmark.
MIRACLE captures a range of components that relate to the study of micro-architectural side-channel leakage, i.e., leakage that stems from micro-architectural behaviour. Specifically, there are three main components, namely a suite of software kernels, specifically constructed to assess whether or not a given form of leakage is evident; a framework for executing such kernels and acquiring associated data sets, e.g., traces of power consumption; and a framework for analysing such data sets, and then presenting the results (via a web-based front-end).
SCA3S is a collection of resources that support the development and analysis of cryptographic implementations with respect to side-channel attack. More specifically, SCA3S is pitched as offering "side-channel analysis as a service": it allows users to acquire and analyse side-channel data-sets which stem from execution of their implementation, without (necessarily) owning or operating the associated infrastructure. Mirroring the goals of SCARV, it places particular emphasis on analogue side-channels (e.g., power and EM) stemming from RISC-V-based platforms.