Investigating the Potential of Custom Instruction Set Extensions for SHA-3 Candidates on a 16-bit Microcontroller Architecture

Jeremy Constantin¹, Andreas Burg¹, and Frank K. Gürkaynak²

¹ Telecommunications Circuits Laboratory, EPFL, Switzerland
{jeremy.constantin,andreas.burg}@epfl.ch
² Microelectronics Designs Center, ETH Zurich, Switzerland

Abstract. In this paper, we investigate the benefit of instruction set extensions for software implementations of all five SHA-3 candidates. To this end, we start from optimized assembly code for a common 16-bit microcontroller instruction set architecture. By themselves, these implementations provide a reference for the complexity of the algorithms on 16-bit architectures, which are commonly used in embedded systems. For each algorithm, we then propose suitable instruction set extensions and implement the modified processor core. We assess the gains in throughput and memory consumption, and the area overhead. Our results show that with less than 10% additional area, it is possible to increase the execution speed on average by almost 40%, while reducing memory requirements on average by more than 40%. In particular, the Grøstl algorithm, which was one of the slowest algorithms in previous reference implementations, ends up being the fastest implementation by some margin, once minor (but dedicated) instruction set extensions are taken into account.

Key words: SHA-3 Final Round Candidates, Software Implementation, Assembler, 16-bit Microcontroller, Instruction Set Extensions, ISA Exploration

1 Introduction

In 2007, the U.S. National Institute of Standards and Technology (NIST) started a public competition aiming at the selection of a new standard for cryptographic hashing [13]. The cryptographic community was asked to propose new hash functions and to evaluate the security level of other candidates.