CRISP : A Cryptographic RISC Processor
Like many areas of computer science, research into ways of improving Complex
Instruction Set Computers (CISC) was initially undertaken by both industry
and academia. Early experiments by IBM into the removal of many
under-utilised and over-designed features eventually led to the POWER and
PowerPC architectures. At the same time, research in Berkeley and Stanford
heavily influenced the MIPS and SPARC designs. These processors command a
significant market share; in particular they dominate the games console and
embedded arenas. Since this initial research and subsequent
commercialisation in the late 1970s and early 1980s, Reduced Instruction Set
Computer (RISC) design has dominated the field of computer architecture and
is often taught as the default choice in most universities.
Although the RISC philosophy encompasses many concepts, the core architecture
typically has a minimalist load-store based micro-architecture executing very
simple instructions on every cycle. Coupled with the use
of pipelining techniques and more involved compiler technology, RISC based
processors often exceed the performance of their CISC counterparts at a
fraction of the cost. Even processors which were conventionally CISC based,
such as the Intel Pentium, have gradually migrated to using an internal RISC
core behind a translation layer for compatibility. However, like most
aspects of computer architecture, successful RISC designs rely heavily on
selecting an effective trade-off between many competing factors. Such
decisions are typically resolved by performing a workload characterisation
of the sorts of program that the processor will execute. By considering an
average program, the architecture is designed so that the average case is
optimised while non-typical cases are marginalised or omitted.
A quarter century after many design decisions and assumptions were made by
the pioneers of RISC, we are still using largely similar processor designs.
One expects that such decisions were initially made using a mix of research
and common sense based on prevailing technologies of the time. Despite the
success of these assumptions, the technology landscape has now changed
radically: the types of program we execute today are different and many of
the constraints which guided initial thinking have disappeared. Certainly
innovative research has met many of the challenges presented, but equally
as many legacy assumptions still exist behind the scenes. This is brought into
focus by the increasing domain-specific needs of certain application areas.
Although multimedia has been a driving factor behind many innovations in
processor design, cryptography is an equally demanding area which receives
far less attention. Most of the kernels involved are very computationally
demanding but since information security is far less visible and saleable
than multimedia, commodity RISC processor design has done little to
accommodate its needs.
Areas of Interest
- Reassessment of RISC principles for cryptography.
- Data-path width and instruction set design.
- Form and use of memory interface.
- Cryptography specific SWAR design.
- Implementation and use of Instruction Set Extensions (ISEs).
- Extensions for block ciphers and hash functions, focussing on general purpose extensions for a domain of ciphers, e.g. all AES finalists, instead of a single cipher.
- Specific extensions to support efficient implementation of block ciphers and hash functions using bit-slicing.
- (Micro-)architectural measures to mitigate side-channel attacks.
- Design, implementation and evaluation of methods for secure cache architecture [1][2].
- Design, implementation and evaluation of methods for non-deterministic processors [3][4][5][6].
- Design and use of secure logic styles.
- Hardware/Software interface with cryptography-aware compiler.
- Contribution to the CAO project.
- Code generation techniques for ISE enabled processors.
- Formal verification and verification-by-design.
- Architectural support for secure and trusted code execution.
- Techniques for (very large) design space exploration.
Bibliography
- [1]
Z. Wang and R.B. Lee.
New Cache Designs for Thwarting Software Cache-based Side Channel Attacks.
In International Symposium on Computer Architecture (ISCA), 494--505, 2007.
- [2]
D. Page.
Partitioned Cache Architecture as a Side-Channel Defence Mechanism.
In Cryptology ePrint Archive, Report 2005/280, 2005.
- [3]
J. Irwin and D. Page and N.P. Smart.
Instruction Stream Mutation for Non-Deterministic Processors.
In Application-specific Systems, Architectures and Processors (ASAP), 286--295, 2002.
- [4]
D. May, H.L. Muller and N.P. Smart.
Non-deterministic Processors.
In Information Security and Privacy (ACISP),
Springer-Verlag LNCS 2119, 115--129, 2001.
- [5]
D. May, H.L. Muller and N.P. Smart.
Random Register Renaming to Foil DPA.
In Cryptographic Hardware and Embedded Systems (CHES),
Springer-Verlag LNCS 2162, 28--38, 2001.
- [6]
J.A. Ambrose, R. Ragel and G. Parameswaran.
RIJID: Random Code Injection to Mask Power Analysis based Side Channel Attacks.
In Design Automation Conference (DAC), 489--492, 2007.
Publications
- P. Grabher, D. Page and J. Großschädl.
Cryptographic Side-Channels from Low Power Cache Memory.
To appear in Cryptography And Coding, 2007.
- M. Koschuch, J. Großschädl and D. Page.
Hardware/Software Co-Design of Public-Key Cryptography for SSL Protocol Execution in Embedded Systems.
To appear in 2nd Workshop on Embedded Systems Security (WESS), 2007.
- P. Leadbitter, D. Page and N.P. Smart.
Non-deterministic Multi-threading.
In IEEE Transactions on Computers, 56(7), 992--998, 2007.