RISC-V Summit 2023

The PQC Task Group aims to provide a ratifiable candidate ISA extension for Post-Quantum Cryptography (PQC). Since we target general-purpose processors rather than custom acceleration, these instructions are designed to align with RISC-V architectural principles, existing ISA extensions, and common processor design patterns in application-class CPUs. The main PQC algorithms intended to replace RSA and Elliptic Curve cryptography in mainstream applications (e.g., TLS/Web) are Kyber and Dilithium. Both are lattice-based schemes. While the older algorithms used mainly "big integer" arithmetic, the instruction mix of Kyber (key establishment) and Dilithium (digital signatures) contains a lot of vectorizable small-integer modular arithmetic operations and SHA3/SHAKE computation. There are also important use cases for hash-based signature schemes SPHINCS+, LMS/HSS, and XMSS, which benefit from SHA2 and SHA3 acceleration. We describe the PQC extensions under consideration and offer quantitative analysis to support them: Instruction count reduction (in end-to-end algorithm testing with and without the ISA extension), Implementation area/power, and vector unit critical path/speed.