{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:15:49Z","timestamp":1778040949379,"version":"3.51.4"},"reference-count":36,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T00:00:00Z","timestamp":1769990400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2026,4,15]]},"abstract":"\n Specified as part of the (standard, optional) M extension, the mul and mulhu instructions reflect support for unsigned integer multiplication in RISC-V base Instruction Set Architectures (ISA) such as RV32I and RV64I: given\n \n \n w<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n -bit integers\n \n \n x<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n and\n \n \n y<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n for a word size\n \n \n w<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n , they respectively produce the less- and more-significant\n \n \n w<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n bits of the\n \n \n (<\/mml:mo>\n 2<\/mml:mn>\n \u00b7<\/mml:mi>\n w<\/mml:mi>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math>\n -bit product\n \n \n r<\/mml:mi>\n =<\/mml:mo>\n x<\/mml:mi>\n \u00d7<\/mml:mi>\n y<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n . This typically minimal, and hence RISC-like form contrasts sharply with many alternative ISA. For example, ARMv7-M includes a rich set of multiply and multiply-accumulate instructions; these cater for a wide variety of important use-cases in cryptography, where multi-precision integer arithmetic is often a central requirement. In this paper, we explore the extension of RV32I and RV64I, i.e., an Instruction Set Extension (ISE), with richer support for unsigned integer multiplication. Our design has three central features: 1) it includes dedicated carry propagation and multiply-accumulate instructions, 2) those instructions allow flexible selection of the radix (thus catering for reduced- and full-radix representations), and 3) the design can be considered for any\n \n \n w<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n , and so uniformly across both RV32I and RV64I. A headline outcome of our evaluation is that, for X25519-based scalar multiplication, use of the ISE affords\n \n \n 1.5<\/mml:mn>\n \u00d7<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n and\n \n \n 1.6<\/mml:mn>\n \u00d7<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n improvement for full- and reduced-radix cases, respectively, on RV32I, and\n \n \n 1.3<\/mml:mn>\n \u00d7<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n and\n \n \n 1.7<\/mml:mn>\n \u00d7<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n improvement for full- and reduced-radix cases, respectively, on RV64I.\n <\/jats:p>","DOI":"10.62056\/absgvu7sf","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Extending RISC-V to Support Flexible-Radix Multiply-Accumulate Operations"],"prefix":"10.62056","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-3603-6925","authenticated-orcid":false,"given":"Isaar","family":"Ahmad","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0524sp257","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Bristol","place":["Bristol, UK"],"department":["School of Computer Science"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4539-3034","authenticated-orcid":false,"given":"Hao","family":"Cheng","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0207yh398","id-type":"ROR","asserted-by":"publisher"}],"name":"Shandong University","place":["Qingdao, China"],"department":["School of Cyber Science and Technology"]},{"id":[{"id":"https:\/\/ror.org\/0207yh398","id-type":"ROR","asserted-by":"publisher"}],"name":"Shandong University","place":["Qingdao, China"],"department":["State Key Laboratory of Cryptography and Digital Economy Security"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-3210-3102","authenticated-orcid":false,"given":"Johann","family":"Gro\u00dfsch\u00e4dl","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/036x5ad56","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Luxembourg","place":["Esch-sur-Alzette, Luxembourg"],"department":["DCS and SnT"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6366-7641","authenticated-orcid":false,"given":"Daniel","family":"Page","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0524sp257","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Bristol","place":["Bristol, UK"],"department":["School of Computer Science"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:Galbraith:2012:MPK","isbn-type":"print","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9781139012843","volume-title":"Mathematics of Public Key Cryptography","author":"S.D. Galbraith","year":"2012","ISBN":"https:\/\/id.crossref.org\/isbn\/9781107013926"},{"key":"ref2:HanMenVan:04","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/b97644","volume-title":"Guide to Elliptic Curve Cryptography","author":"D.R. Hankerson","year":"2004","ISBN":"https:\/\/id.crossref.org\/isbn\/038795273X"},{"key":"ref3:ElMrabet:2017:GPB","isbn-type":"print","doi-asserted-by":"crossref","DOI":"10.1201\/9781315370170","volume-title":"Guide to Pairing-Based Cryptography","author":"N. El Mrabet","year":"2017","ISBN":"https:\/\/id.crossref.org\/isbn\/9781498729505"},{"key":"ref4:CLMPR:18","series-title":"LNCS 11274","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1007\/978-3-030-03332-3_15","article-title":"CSIDH: An Efficient Post-Quantum Commutative Group\n Action","author":"W. Castryck","year":"2018"},{"key":"ref5:MenOorVan:96","volume-title":"Handbook of Applied Cryptography","author":"A.J. Menezes","year":"1996"},{"key":"ref6:Comba:90","doi-asserted-by":"publisher","first-page":"526","DOI":"10.1147\/sj.294.0526","article-title":"Exponentiation Cryptosystems on the IBM PC","volume":"29","author":"P.G. Comba","year":"1990","journal-title":"IBM Systems Journal"},{"key":"ref7:RVI:Unpriv:24","volume-title":"The RISC-V Instruction Set Manual Volume I:\n Unprivileged Architecture","author":"RISC-V","year":"2024"},{"key":"ref8:ARMv7_M:21","volume-title":"ARMv7-M Architecture Reference Manual","author":"ARM Ltd.","year":"2021"},{"key":"ref9:CFGPPR:24","doi-asserted-by":"publisher","DOI":"10.1145\/3649329.3657347","article-title":"RISC-V Instruction Set Extensions for Multi-Precision\n Integer Arithmetic","author":"H. Cheng","year":"2024"},{"key":"ref10:Stoffelen:19","series-title":"LNCS 11774","doi-asserted-by":"publisher","first-page":"323","DOI":"10.1007\/978-3-030-30530-7_16","article-title":"Efficient Cryptography on the RISC-V Architecture","author":"K. Stoffelen","year":"2019"},{"key":"ref11:Bernstein:06","series-title":"LNCS 3958","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/11745853_14","article-title":"Curve25519: New Diffie-Hellman Speed Records","author":"D.J. Bernstein","year":"2006"},{"key":"ref12:CSWP:39","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.CSWP.39.2pd","volume-title":"Considerations for Achieving Cryptographic Agility:\n Strategies and Practices","author":"National Institute of Standards","year":"2025"},{"key":"ref13:Hamburg:15","volume-title":"Ed448-Goldilocks, a new elliptic curve","author":"M. Hamburg","year":"2015"},{"key":"ref14:CasDec:23","series-title":"LNCS 14008","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-031-30589-4_15","article-title":"An Efficient Key Recovery Attack on SIDH","author":"W. Castryck","year":"2023"},{"key":"ref15:MMPPW:23","series-title":"LNCS 14008","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-031-30589-4_16","article-title":"A Direct Key Recovery Attack on SIDH","author":"L. Maino","year":"2023"},{"key":"ref16:Robert:23","series-title":"LNCS 14008","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-031-30589-4_17","article-title":"Breaking SIDH in Polynomial Time","author":"D. Robert","year":"2023"},{"key":"ref17:JACCFHHJKKLLNPRSU:20","volume-title":"Supersingular Isogeny Key Encapsulation","author":"D. Jao","year":"2020"},{"key":"ref18:ARMv6_M:18","volume-title":"ARMv6-M Architecture Reference Manual","author":"ARM Ltd.","year":"2018"},{"key":"ref19:ARMv8_M:21","volume-title":"Armv8-M Architecture Reference Manual","author":"Arm Ltd.","year":"2021"},{"key":"ref20:Waterman:16","volume-title":"Design of the RISC-V Instruction Set Architecture","author":"A. Waterman","year":"2016"},{"key":"ref21:AsaPat:14","volume-title":"Instruction Sets Should Be Free: The Case For RISC-V","author":"K. Asanovi\u0107","year":"2014"},{"key":"ref22:HCPYCS:16","doi-asserted-by":"publisher","first-page":"58","DOI":"10.1109\/MM.2016.61","article-title":"Proprietary versus Open Instruction Sets","volume":"36","author":"M.D. Hill","year":"2016","journal-title":"IEEE Micro"},{"key":"ref23:PatWat:17","volume-title":"The RISC-V Reader: An Open Architecture Atlas","author":"D. Patterson","year":"2017"},{"key":"ref24:Gura:2004:CEC","series-title":"LNCS 3156","doi-asserted-by":"publisher","first-page":"119","DOI":"10.1007\/978-3-540-28632-5_9","article-title":"Comparing Elliptic Curve Cryptography and RSA on 8-bit\n CPUs","author":"N. Gura","year":"2004"},{"key":"ref25:vdBerg:20","volume-title":"RISC-V implementation of the NaCl-library","author":"S.H.M. van den Berg","year":"2020"},{"key":"ref26:HutSch:15","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1007\/s13389-015-0093-2","article-title":"Multiprecision multiplication on AVR revisited","volume":"5","author":"M. Hutter","year":"2015","journal-title":"Journal of Cryptographic Engineering (JCEN)"},{"key":"ref27:EPJLGPC:24","doi-asserted-by":"publisher","first-page":"1704","DOI":"10.1145\/3656446","article-title":"Foundational Integration Verification of a Cryptographic\n Server","volume":"8","author":"A. Erbsen","year":"2024","journal-title":"Proceedings of the ACM on Programming Languages"},{"key":"ref28:EPGSC:19","doi-asserted-by":"publisher","first-page":"1202","DOI":"10.1109\/SP.2019.00005","article-title":"Simple High-Level Code for Cryptographic Arithmetic - With\n Proofs, Without Compromises","author":"A. Erbsen","year":"2019"},{"key":"ref29:PPJEC:22","doi-asserted-by":"publisher","first-page":"918","DOI":"10.1145\/3519939.3523706","article-title":"Relational compilation for performance-critical\n applications: extensible proof-producing translation of functional models\n into low-level code","author":"C. Pit-Claudel","year":"2022"},{"key":"ref30:GSDZLRL:24","series-title":"LNCS 14527","doi-asserted-by":"publisher","first-page":"130","DOI":"10.1007\/978-981-97-0945-8_8","article-title":"V-Curve25519: Efficient Implementation of Curve25519 on\n RISC-V Architecture","author":"Q. Gao","year":"2024"},{"key":"ref31:Scott:24","volume-title":"Elliptic Curve Cryptography for the masses: Simple and fast\n finite field arithmetic","author":"M. Scott","year":"2024"},{"key":"ref32:CGMPS:24","volume-title":"SoK: Instruction Set Extensions for Cryptographers","author":"H. Cheng","year":"2024"},{"key":"ref33:RVI:Priv:24","volume-title":"The RISC-V Instruction Set Manual Volume II:\n Privileged Architecture","author":"RISC-V","year":"2024"},{"key":"ref34:CDPA:16","volume-title":"The Renewed Case for the Reduced Instruction Set Computer:\n Avoiding ISA Bloat with Macro-Op Fusion for RISC-V","author":"C. Celio","year":"2016"},{"key":"ref35:SPJR:22","doi-asserted-by":"publisher","first-page":"199","DOI":"10.1109\/MICRO56248.2022.00026","article-title":"Exploring Instruction Fusion Opportunities in General\n Purpose Processors","author":"S. Singh","year":"2022"},{"key":"ref36:ZarBen:19","doi-asserted-by":"publisher","first-page":"2629","DOI":"10.1109\/TVLSI.2019.2926114","article-title":"The Cost of Application-Class Processing: Energy and\n Performance Analysis of a Linux-Ready 1.7-GHz 64-Bit RISC-V Core in\n 22-nm FDSOI Technology","volume":"27","author":"F. Zaruba","year":"2019","journal-title":"IEEE Transactions on Very Large Scale Integration (VLSI)\n Systems"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:04:10Z","timestamp":1778040250000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/30"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":36,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/absgvu7sf","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2026-02-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-15","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc3-1-89"}}