Zvk: Update AES instruction specs

- Make destructive in most cases - Add `rnum` immediate to key schedule instructions On branch master Your branch is up-to-date with 'origin/master'. Changes to be committed: modified: insns/vaes128e.adoc new file: insns/vaes192e.adoc new file: insns/vaes256e.adoc modified: insns/vaesds.adoc modified: insns/vaesdsm.adoc modified: insns/vaeses.adoc modified: insns/vaesesm.adoc modified: insns/vaeskf128.vv.adoc modified: insns/vaeskf192.vv.adoc modified: insns/vaeskf256.vv.adoc modified: riscv-crypto-spec-vector.adoc
riscv · Jan 7, 2022 · 73de909 · 73de909
1 parent 17c2c39
commit 73de909
Show file tree

Hide file tree

Showing 11 changed files with 273 additions and 78 deletions.
diff --git a/doc/vector/insns/vaes128e.adoc b/doc/vector/insns/vaes128e.adoc
@@ -2,7 +2,7 @@
 = vaes128e.[vv,vs]
 
 Synopsis::
-Vector AES all rounds encryption instruction.
+Vector AES-128 all rounds encryption instruction.
 
 Mnemonic::
 vaes128e.[vv,vs] vd, vs1, vs2
@@ -15,7 +15,7 @@ Encoding (Vector-Scalar)::
 {bits: 5, name: 'vd'},
 {bits: 3, name: '???'},
 {bits: 5, name: 'vs1'},
-{bits: 5, name: 'vs2'},
+{bits: 5, name: '?????'},
 {bits: 7, name: '???????'},
 ]}
 ....
@@ -28,21 +28,21 @@ Encoding (Vector-Vector)::
 {bits: 5, name: 'vd'},
 {bits: 3, name: '???'},
 {bits: 5, name: 'vs1'},
-{bits: 5, name: 'vs2'},
+{bits: 5, name: '?????'},
 {bits: 7, name: '???????'},
 ]}
 ....
 
 Description:: 
 This instruction implements the entire AES-128 block cipher encryption
 function.
-It treats each element of `vs1` as the current AES round state,
-and elements of `vs2` as the encryption key.
-The Vector-Vector (VV) variant encrypts elements of `vs1` under corresponding
-elements of `vs2`.
-The Vector-Scalar (VV) variant encrypts elements of `vs1` under the
-zeroth element of `vs2`.
-The result (i.e. the next round state) is written to elements of `vd`.
+It treats each element of `vd` as the plaintext
+and elements of `vs1` as the encryption key.
+The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding
+elements of `vs1`.
+The Vector-Scalar (VV) variant encrypts elements of `vd` under the
+zeroth element of `vs1`.
+The result (i.e. the ciphertext) is written to elements of `vd`.
 
 This instruction treats `EEW=128`, regardless of `vtype.vsew`
 and requires that `Zvl128b` be implemented (i.e `VLEN>=128`).
@@ -52,12 +52,12 @@ supported for any other instruction.
 Operation::
 [source,sail]
 --
-function clause execute (VAES128E(vs2, vs1, vd, vv)) = {
+function clause execute (VAES128E(vs1, vd, vv)) = {
   assert(VLEN>=128);
   foreach (i from vlstart to vl) {
     let keyelem = if vv then i else 0;
-    state : bits(128) = get_velem(vs1, EEW=128, i);
-    rkey  : bits(128) = get_velem(vs2, EEW=128, keyelem);
+    state : bits(128) = get_velem(vd, EEW=128, i);
+    rkey  : bits(128) = get_velem(vs1, EEW=128, keyelem);
     state = state ^ rkey;
     foreach(r from 0 to 10) {
       state = aes_fwd_sub_bytes(state);
@@ -87,5 +87,3 @@ Included in::
 | In Development
 |===
 
-
-
diff --git a/doc/vector/insns/vaes192e.adoc b/doc/vector/insns/vaes192e.adoc
@@ -0,0 +1,93 @@
+[[insns-vaes192e, Vector AES-192 all-rounds encrypt]]
+= vaes192e.[vv,vs]
+
+Synopsis::
+Vector AES-192 all rounds encryption instruction.
+
+Mnemonic::
+vaes192e.[vv,vs] vd, vs1, vs2
+
+Encoding (Vector-Scalar)::
+[wavedrom, , svg]
+....
+{reg:[
+{bits: 7, name: '???????'},
+{bits: 5, name: 'vd'},
+{bits: 3, name: '???'},
+{bits: 5, name: 'vs1'},
+{bits: 5, name: 'vs2'},
+{bits: 7, name: '???????'},
+]}
+....
+
+Encoding (Vector-Vector)::
+[wavedrom, , svg]
+....
+{reg:[
+{bits: 7, name: '???????'},
+{bits: 5, name: 'vd'},
+{bits: 3, name: '???'},
+{bits: 5, name: 'vs1'},
+{bits: 5, name: 'vs2'},
+{bits: 7, name: '???????'},
+]}
+....
+
+Description:: 
+This instruction implements the entire AES-192 block cipher encryption
+function.
+It treats each element of `vd` as the plaintext
+and concatenates elements of `vs1` and `vs2` to create the 192-bit key.
+The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding
+elements of `vs1` and `vs2`.
+The Vector-Scalar (VV) variant encrypts elements of `vd` under the
+zeroth element of `vs1` and `vs2`.
+The result (i.e. the ciphertext) is written to elements of `vd`.
+
+This instruction treats `EEW=128`, regardless of `vtype.vsew`
+and requires that `Zvl128b` be implemented (i.e `VLEN>=128`).
+It _does not_ require that `EEW=128` be
+supported for any other instruction.
+
+Operation::
+[source,sail]
+--
+function clause execute (VAES192E(vs1, vd, vv)) = {
+  assert(VLEN>=128);
+  foreach (i from vlstart to vl) {
+    let keyelem = if vv then i else 0;
+    state : bits(128) = get_velem(vd, EEW=128, i);
+    ekey  : bits(192) = get_velem(vs1, EEW=128, keyelem) @
+                        get_velem(vs2, EEW=128, keyelem) [128..64];
+    rkey  : bits(128) = ekey[127..0];
+    state = state ^ rkey;
+    foreach(r from 0 to 12) {
+      state = aes_fwd_sub_bytes(state);
+      state = aes_fwd_shift_rows(state);
+      state = aes_fwd_mix_columns(state);
+      state = state ^ rkey;
+      rkey  = aes_192_forward_key_schedule(ekey);
+      ekey  = rkey @ ekey[128..64];
+    }
+    state = aes_fwd_sub_bytes(state);
+    state = aes_fwd_shift_rows(state);
+    state = state ^ rkey;
+    set_velem(vd, EEW=128, i, state);
+  }
+  RETIRE_SUCCESS
+}
+--
+
+Included in::
+[%header,cols="4,2,2"]
+|===
+|Extension
+|Minimum version
+|Lifecycle state
+
+| <<zvknf>>
+| v0.1.0
+| In Development
+|===
+
+
diff --git a/doc/vector/insns/vaes256e.adoc b/doc/vector/insns/vaes256e.adoc
@@ -0,0 +1,94 @@
+[[insns-vaes256e, Vector AES-256 all-rounds encrypt]]
+= vaes256e.[vv,vs]
+
+Synopsis::
+Vector AES-256 all rounds encryption instruction.
+
+Mnemonic::
+vaes256e.[vv,vs] vd, vs1, vs2
+
+Encoding (Vector-Scalar)::
+[wavedrom, , svg]
+....
+{reg:[
+{bits: 7, name: '???????'},
+{bits: 5, name: 'vd'},
+{bits: 3, name: '???'},
+{bits: 5, name: 'vs1'},
+{bits: 5, name: 'vs2'},
+{bits: 7, name: '???????'},
+]}
+....
+
+Encoding (Vector-Vector)::
+[wavedrom, , svg]
+....
+{reg:[
+{bits: 7, name: '???????'},
+{bits: 5, name: 'vd'},
+{bits: 3, name: '???'},
+{bits: 5, name: 'vs1'},
+{bits: 5, name: 'vs2'},
+{bits: 7, name: '???????'},
+]}
+....
+
+Description:: 
+This instruction implements the entire AES-256 block cipher encryption
+function.
+It treats each element of `vd` as the plaintext
+and concatenates elements of `vs1` and `vs2` to create the 256-bit key.
+The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding
+elements of `vs1` and `vs2`.
+The Vector-Scalar (VV) variant encrypts elements of `vd` under the
+zeroth element of `vs1` and `vs2`.
+The result (i.e. the ciphertext) is written to elements of `vd`.
+
+This instruction treats `EEW=128`, regardless of `vtype.vsew`
+and requires that `Zvl128b` be implemented (i.e `VLEN>=128`).
+It _does not_ require that `EEW=128` be
+supported for any other instruction.
+
+Operation::
+[source,sail]
+--
+function clause execute (VAES256E(vs1, vd, vv)) = {
+  assert(VLEN>=128);
+  foreach (i from vlstart to vl) {
+    let keyelem = if vv then i else 0;
+    state : bits(128) = get_velem(vd, EEW=128, i);
+    ekey  : bits(256) = get_velem(vs1, EEW=128, keyelem) @
+                        get_velem(vs2, EEW=128, keyelem) ;
+    rkey  : bits(128) = ekey[127..0];
+    state = state ^ rkey;
+    foreach(r from 0 to 12) {
+      state = aes_fwd_sub_bytes(state);
+      state = aes_fwd_shift_rows(state);
+      state = aes_fwd_mix_columns(state);
+      state = state ^ rkey;
+      rkey  = aes_256_forward_key_schedule(ekey);
+      ekey  = rkey @ ekey[256..128];
+    }
+    state = aes_fwd_sub_bytes(state);
+    state = aes_fwd_shift_rows(state);
+    state = state ^ rkey;
+    set_velem(vd, EEW=128, i, state);
+  }
+  RETIRE_SUCCESS
+}
+--
+
+Included in::
+[%header,cols="4,2,2"]
+|===
+|Extension
+|Minimum version
+|Lifecycle state
+
+| <<zvknf>>
+| v0.1.0
+| In Development
+|===
+
+
+
diff --git a/doc/vector/insns/vaesds.adoc b/doc/vector/insns/vaesds.adoc
@@ -15,7 +15,7 @@ Encoding (Vector-Scalar)::
 {bits: 5, name: 'vd'},
 {bits: 3, name: '???'},
 {bits: 5, name: 'vs1'},
-{bits: 5, name: 'vs2'},
+{bits: 5, name: '?????'},
 {bits: 7, name: '???????'},
 ]}
 ....
@@ -28,20 +28,20 @@ Encoding (Vector-Vector)::
 {bits: 5, name: 'vd'},
 {bits: 3, name: '???'},
 {bits: 5, name: 'vs1'},
-{bits: 5, name: 'vs2'},
+{bits: 5, name: '?????'},
 {bits: 7, name: '???????'},
 ]}
 ....
 
 Description:: 
 This instruction implements the final-round decryption function of the AES
 block cipher for all parameterisations.
-It treats each element of `vs1` as the current AES round state,
-and elements of `vs2` as the round key.
-The Vector-Vector (VV) variant decrypts elements of `vs1` under corresponding
-elements of `vs2`.
-The Vector-Scalar (VV) variant dwcrypts elements of `vs1` under the
-zeroth element of `vs2`.
+It treats each element of `vd` as the current AES round state,
+and elements of `vs1` as the round key.
+The Vector-Vector (VV) variant decrypts elements of `vd` under corresponding
+elements of `vs1`.
+The Vector-Scalar (VV) variant decrypts elements of `vd` under the
+zeroth element of `vs1`.
 The result (i.e. the next round state) is written to elements of `vd`.
 
 This instruction treats `EEW=128`, regardless of `vtype.vsew`
@@ -52,12 +52,12 @@ supported for any other instruction.
 Operation::
 [source,sail]
 --
-function clause execute (VAESDS(vs2, vs1, vd, vv)) = {
+function clause execute (VAESDS(vs1, vd, vv)) = {
   assert(VLEN>=128);
   foreach (i from vlstart to vl) {
     let keyelem = if vv then i else 0;
-    let state : bits(128) = get_velem(vs1, EEW=128, i);
-    let rkey  : bits(128) = get_velem(vs2, EEW=128, keyelem);
+    let state : bits(128) = get_velem(vd, EEW=128, i);
+    let rkey  : bits(128) = get_velem(vs1, EEW=128, keyelem);
     let sr    : bits(128) = aes_inv_shift_rows(state);
     let sb    : bits(128) = aes_inv_sub_bytes(sr);
     let ark   : bits(128) = sb ^ rkey;

diff --git a/doc/vector/insns/vaesdsm.adoc b/doc/vector/insns/vaesdsm.adoc
@@ -15,7 +15,7 @@ Encoding (Vector-Scalar)::
 {bits: 5, name: 'vd'},
 {bits: 3, name: '???'},
 {bits: 5, name: 'vs1'},
-{bits: 5, name: 'vs2'},
+{bits: 5, name: '?????'},
 {bits: 7, name: '???????'},
 ]}
 ....
@@ -28,20 +28,20 @@ Encoding (Vector-Vector)::
 {bits: 5, name: 'vd'},
 {bits: 3, name: '???'},
 {bits: 5, name: 'vs1'},
-{bits: 5, name: 'vs2'},
+{bits: 5, name: '?????'},
 {bits: 7, name: '???????'},
 ]}
 ....
 
 Description:: 
 This instruction implements the middle-round decryption function of the AES
 block cipher for all parameterisations.
-It treats each element of `vs1` as the current AES round state,
-and elements of `vs2` as the round key.
-The Vector-Vector (VV) variant decrypts elements of `vs1` under corresponding
-elements of `vs2`.
-The Vector-Scalar (VV) variant decrypts elements of `vs1` under the
-zeroth element of `vs2`.
+It treats each element of `vd` as the current AES round state,
+and elements of `vs1` as the round key.
+The Vector-Vector (VV) variant decrypts elements of `vd` under corresponding
+elements of `vs1`.
+The Vector-Scalar (VV) variant decrypts elements of `vd` under the
+zeroth element of `vs1`.
 The result (i.e. the next round state) is written to elements of `vd`.
 
 This instruction treats `EEW=128`, regardless of `vtype.vsew`
@@ -52,7 +52,7 @@ supported for any other instruction.
 Operation::
 [source,sail]
 --
-function clause execute (VAESDSM(vs2, vs1, vd, vv)) = {
+function clause execute (VAESDSM(vs1, vd, vv)) = {
   assert(VLEN>=128);
   foreach (i from vlstart to vl) {
     let keyelem = if vv then i else 0;