PQC / Keccak Instructions Ratification Plan
This document outlines the plan to ratify a RISC-V Specification, establishing a solid foundation and clear expectations for the entire specification development lifecycle. The timeline set here will serve as a reference to monitor progress and ensure milestones are met. Investing in a well-prepared plan promotes effective communication, enhances collaboration, and streamlines the process.
About
Specification Name: PQC / Keccak Instructions
Task Group: https://riscv.atlassian.net/browse/RVG-84
Task Group Charter: https://github.com/riscv-admin/post-quantum-cryptography
Spec Jira: https://riscv.atlassian.net/browse/RVS-2360
Background
With the ratification of the major Post-Quantum Cryptography standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA, SP 800-208) by U.S. NIST and the ongoing transition from Elliptic Curve and RSA Cryptography to the new algorithms, RISC-V International needs to consider the impact of PQC algorithms on the ISA level.
The implementation of these algorithms has a significant impact on connection establishment latency and power consumption in common networking protocols, such as TLS and IPSec, for both servers and clients. Hence, their performance is relevant for most networked devices. Both key establishment and digital signatures (authentication) are required. There are additional everyday use cases, such as the verification of system components and application integrity performed by operating systems.
NIST IR 8547 ( 
NIST Internal or Interagency Report (NISTIR) 8547 (Draft), Transition to Post-Quantum Cryptography Standards ) deprecates much of RSA and Elliptic Curve cryptography after 2030 and prohibits their use (in U.S. Federal Information Systems) after 2035. European Union ( 
Overview
The new instruction aims at measurable speedup of the execution of standard PQC algorithms on Application-class processors equipped with a vector unit. The main computational feature being considered is:
Keccak instruction or instructions for evaluating the 1600-bit keyless permutation that underpins SHA3 hashes and SHAKE (FIPS 202) and extensible-output functions (XOFs).
From a computational perspective, the older public key algorithms primarily employed large integer arithmetic. While PQC algorithms are more complex than older number-theoretic algorithms, quantitative analysis indicates that the main (lattice-based) PQC standards (FIPS 203, 204) use polynomial ring arithmetic over smaller finite fields and make significant computational use of the SHA3 standard (FIPS 202) internally. Analysis of FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) implementations has shown that their ring arithmetic can be accelerated significantly using standard Vector extension instructions, with Keccak (hash/XOF) becoming a performance bottleneck. FIPS 205 (SLH-DSA) is entirely built from short message hash computations.
Hence, the focus of the extension is on accelerating the Keccak/SHA-3 hash operation, as this provides the best overall performance across the main PQC algorithms. PQC TG may also propose other instructions during the course of the work.
Stakeholders Identification
Essential stakeholders are the Cryptography SIG, Security HC, and all task groups working on cryptographic extensions.
References: Active Groups and Specifications Under Development
Design Considerations
The Keccak permutation operates on a 1600-bit state (25 x 64-bit words) and has 24 rounds. There are two main implementation strategies: one that performs the entire operation in a single step, and a second that decomposes each round into several distinct operations.
Due to the mathematical structure of the Keccak permutation, the single-instruction, full-rounds approach can be expected to yield significantly better performance (for microprocessor architectures that support it). In contrast, the multiple-instruction approach may be more suitable for addition to existing microarchitectures but may be an order of magnitude slower.
For the full-rounds Keccak option, ceil(1600/VLEN) vector registers are required to hold the state. With VLEN=256 or larger, the single-instruction model can be realized by using register groups (LMUL=8), but realization for VLEN=128 requires special considerations.
While a circuit implementing the Keccak permutation can perform 1 or 2 rounds per cycle with common technology nodes and clock frequencies, the overall latency of a “full” Keccak permutation can still be in tens of cycles. Its external performance and operational characteristics resemble those of vrgather with a large VLEN.
Proof-of-Concept and Tests
Software support: ML-KEM, ML-DSA, and SLH-DSA implementations that utilize the RISC-V vector extension are being developed under the “PQ Code Package” (PQCA) project, which is organized by the PQC Alliance (a Linux Foundation project). Early versions of these implementations have been tested with a Keccak instruction simulated with SPIKE.
Implementation requires a suitable vector processor, TBD.
In addition architectural tests, the reference RISC-V implementations have NIST ACVP tests.
Software Ecosystem Impacts
Android - BoringSSL
Linux - OpenSSL
Browsers and web servers, some system tools
Freeze Checklists
Select one of the options below (ISA or NON-ISA) and complete the table with the required information.
Key Milestones
To define your plan milestone dates, please use the RISC-V Spec Plan Editor.
Milestone | Date |
|---|---|
Specification Development Completed (v0.6) by | May 5, 2026 |
Internal Review Start (v0.6) by | May 6, 2026 |
Specification Stabilized (v0.8) by | Jul 2, 2026 |
ARC Freeze Approval Request by | Jul 3, 2026 |
Specification Frozen (v0.9) by | Sep 3, 2026 |
Public Review Start (v0.9) by | Sep 22, 2026 |
TSC Approval (v0.99) by | Nov 20, 2026 |
Specification Ratified (v1.0) by | Dec 31, 2026 |
Additional Notes
