From 73de90956932a8878a26b858a060aedef3ba6769 Mon Sep 17 00:00:00 2001 From: Ben Marshall Date: Fri, 7 Jan 2022 15:39:41 +0000 Subject: [PATCH] Zvk: Update AES instruction specs - Make destructive in most cases - Add `rnum` immediate to key schedule instructions On branch master Your branch is up-to-date with 'origin/master'. Changes to be committed: modified: insns/vaes128e.adoc new file: insns/vaes192e.adoc new file: insns/vaes256e.adoc modified: insns/vaesds.adoc modified: insns/vaesdsm.adoc modified: insns/vaeses.adoc modified: insns/vaesesm.adoc modified: insns/vaeskf128.vv.adoc modified: insns/vaeskf192.vv.adoc modified: insns/vaeskf256.vv.adoc modified: riscv-crypto-spec-vector.adoc --- doc/vector/insns/vaes128e.adoc | 28 ++++--- doc/vector/insns/vaes192e.adoc | 93 +++++++++++++++++++++++ doc/vector/insns/vaes256e.adoc | 94 ++++++++++++++++++++++++ doc/vector/insns/vaesds.adoc | 22 +++--- doc/vector/insns/vaesdsm.adoc | 18 ++--- doc/vector/insns/vaeses.adoc | 22 +++--- doc/vector/insns/vaesesm.adoc | 22 +++--- doc/vector/insns/vaeskf128.vv.adoc | 16 ++-- doc/vector/insns/vaeskf192.vv.adoc | 18 +++-- doc/vector/insns/vaeskf256.vv.adoc | 14 ++-- doc/vector/riscv-crypto-spec-vector.adoc | 4 + 11 files changed, 273 insertions(+), 78 deletions(-) create mode 100644 doc/vector/insns/vaes192e.adoc create mode 100644 doc/vector/insns/vaes256e.adoc diff --git a/doc/vector/insns/vaes128e.adoc b/doc/vector/insns/vaes128e.adoc index 3a99f3b7..fed1164a 100644 --- a/doc/vector/insns/vaes128e.adoc +++ b/doc/vector/insns/vaes128e.adoc @@ -2,7 +2,7 @@ = vaes128e.[vv,vs] Synopsis:: -Vector AES all rounds encryption instruction. +Vector AES-128 all rounds encryption instruction. Mnemonic:: vaes128e.[vv,vs] vd, vs1, vs2 @@ -15,7 +15,7 @@ Encoding (Vector-Scalar):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -28,7 +28,7 @@ Encoding (Vector-Vector):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -36,13 +36,13 @@ Encoding (Vector-Vector):: Description:: This instruction implements the entire AES-128 block cipher encryption function. -It treats each element of `vs1` as the current AES round state, -and elements of `vs2` as the encryption key. -The Vector-Vector (VV) variant encrypts elements of `vs1` under corresponding -elements of `vs2`. -The Vector-Scalar (VV) variant encrypts elements of `vs1` under the -zeroth element of `vs2`. -The result (i.e. the next round state) is written to elements of `vd`. +It treats each element of `vd` as the plaintext +and elements of `vs1` as the encryption key. +The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding +elements of `vs1`. +The Vector-Scalar (VV) variant encrypts elements of `vd` under the +zeroth element of `vs1`. +The result (i.e. the ciphertext) is written to elements of `vd`. This instruction treats `EEW=128`, regardless of `vtype.vsew` and requires that `Zvl128b` be implemented (i.e `VLEN>=128`). @@ -52,12 +52,12 @@ supported for any other instruction. Operation:: [source,sail] -- -function clause execute (VAES128E(vs2, vs1, vd, vv)) = { +function clause execute (VAES128E(vs1, vd, vv)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { let keyelem = if vv then i else 0; - state : bits(128) = get_velem(vs1, EEW=128, i); - rkey : bits(128) = get_velem(vs2, EEW=128, keyelem); + state : bits(128) = get_velem(vd, EEW=128, i); + rkey : bits(128) = get_velem(vs1, EEW=128, keyelem); state = state ^ rkey; foreach(r from 0 to 10) { state = aes_fwd_sub_bytes(state); @@ -87,5 +87,3 @@ Included in:: | In Development |=== - - diff --git a/doc/vector/insns/vaes192e.adoc b/doc/vector/insns/vaes192e.adoc new file mode 100644 index 00000000..15c6d002 --- /dev/null +++ b/doc/vector/insns/vaes192e.adoc @@ -0,0 +1,93 @@ +[[insns-vaes192e, Vector AES-192 all-rounds encrypt]] += vaes192e.[vv,vs] + +Synopsis:: +Vector AES-192 all rounds encryption instruction. + +Mnemonic:: +vaes192e.[vv,vs] vd, vs1, vs2 + +Encoding (Vector-Scalar):: +[wavedrom, , svg] +.... +{reg:[ +{bits: 7, name: '???????'}, +{bits: 5, name: 'vd'}, +{bits: 3, name: '???'}, +{bits: 5, name: 'vs1'}, +{bits: 5, name: 'vs2'}, +{bits: 7, name: '???????'}, +]} +.... + +Encoding (Vector-Vector):: +[wavedrom, , svg] +.... +{reg:[ +{bits: 7, name: '???????'}, +{bits: 5, name: 'vd'}, +{bits: 3, name: '???'}, +{bits: 5, name: 'vs1'}, +{bits: 5, name: 'vs2'}, +{bits: 7, name: '???????'}, +]} +.... + +Description:: +This instruction implements the entire AES-192 block cipher encryption +function. +It treats each element of `vd` as the plaintext +and concatenates elements of `vs1` and `vs2` to create the 192-bit key. +The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding +elements of `vs1` and `vs2`. +The Vector-Scalar (VV) variant encrypts elements of `vd` under the +zeroth element of `vs1` and `vs2`. +The result (i.e. the ciphertext) is written to elements of `vd`. + +This instruction treats `EEW=128`, regardless of `vtype.vsew` +and requires that `Zvl128b` be implemented (i.e `VLEN>=128`). +It _does not_ require that `EEW=128` be +supported for any other instruction. + +Operation:: +[source,sail] +-- +function clause execute (VAES192E(vs1, vd, vv)) = { + assert(VLEN>=128); + foreach (i from vlstart to vl) { + let keyelem = if vv then i else 0; + state : bits(128) = get_velem(vd, EEW=128, i); + ekey : bits(192) = get_velem(vs1, EEW=128, keyelem) @ + get_velem(vs2, EEW=128, keyelem) [128..64]; + rkey : bits(128) = ekey[127..0]; + state = state ^ rkey; + foreach(r from 0 to 12) { + state = aes_fwd_sub_bytes(state); + state = aes_fwd_shift_rows(state); + state = aes_fwd_mix_columns(state); + state = state ^ rkey; + rkey = aes_192_forward_key_schedule(ekey); + ekey = rkey @ ekey[128..64]; + } + state = aes_fwd_sub_bytes(state); + state = aes_fwd_shift_rows(state); + state = state ^ rkey; + set_velem(vd, EEW=128, i, state); + } + RETIRE_SUCCESS +} +-- + +Included in:: +[%header,cols="4,2,2"] +|=== +|Extension +|Minimum version +|Lifecycle state + +| <> +| v0.1.0 +| In Development +|=== + + diff --git a/doc/vector/insns/vaes256e.adoc b/doc/vector/insns/vaes256e.adoc new file mode 100644 index 00000000..e711fa2f --- /dev/null +++ b/doc/vector/insns/vaes256e.adoc @@ -0,0 +1,94 @@ +[[insns-vaes256e, Vector AES-256 all-rounds encrypt]] += vaes256e.[vv,vs] + +Synopsis:: +Vector AES-256 all rounds encryption instruction. + +Mnemonic:: +vaes256e.[vv,vs] vd, vs1, vs2 + +Encoding (Vector-Scalar):: +[wavedrom, , svg] +.... +{reg:[ +{bits: 7, name: '???????'}, +{bits: 5, name: 'vd'}, +{bits: 3, name: '???'}, +{bits: 5, name: 'vs1'}, +{bits: 5, name: 'vs2'}, +{bits: 7, name: '???????'}, +]} +.... + +Encoding (Vector-Vector):: +[wavedrom, , svg] +.... +{reg:[ +{bits: 7, name: '???????'}, +{bits: 5, name: 'vd'}, +{bits: 3, name: '???'}, +{bits: 5, name: 'vs1'}, +{bits: 5, name: 'vs2'}, +{bits: 7, name: '???????'}, +]} +.... + +Description:: +This instruction implements the entire AES-256 block cipher encryption +function. +It treats each element of `vd` as the plaintext +and concatenates elements of `vs1` and `vs2` to create the 256-bit key. +The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding +elements of `vs1` and `vs2`. +The Vector-Scalar (VV) variant encrypts elements of `vd` under the +zeroth element of `vs1` and `vs2`. +The result (i.e. the ciphertext) is written to elements of `vd`. + +This instruction treats `EEW=128`, regardless of `vtype.vsew` +and requires that `Zvl128b` be implemented (i.e `VLEN>=128`). +It _does not_ require that `EEW=128` be +supported for any other instruction. + +Operation:: +[source,sail] +-- +function clause execute (VAES256E(vs1, vd, vv)) = { + assert(VLEN>=128); + foreach (i from vlstart to vl) { + let keyelem = if vv then i else 0; + state : bits(128) = get_velem(vd, EEW=128, i); + ekey : bits(256) = get_velem(vs1, EEW=128, keyelem) @ + get_velem(vs2, EEW=128, keyelem) ; + rkey : bits(128) = ekey[127..0]; + state = state ^ rkey; + foreach(r from 0 to 12) { + state = aes_fwd_sub_bytes(state); + state = aes_fwd_shift_rows(state); + state = aes_fwd_mix_columns(state); + state = state ^ rkey; + rkey = aes_256_forward_key_schedule(ekey); + ekey = rkey @ ekey[256..128]; + } + state = aes_fwd_sub_bytes(state); + state = aes_fwd_shift_rows(state); + state = state ^ rkey; + set_velem(vd, EEW=128, i, state); + } + RETIRE_SUCCESS +} +-- + +Included in:: +[%header,cols="4,2,2"] +|=== +|Extension +|Minimum version +|Lifecycle state + +| <> +| v0.1.0 +| In Development +|=== + + + diff --git a/doc/vector/insns/vaesds.adoc b/doc/vector/insns/vaesds.adoc index d144671b..bf537fd5 100644 --- a/doc/vector/insns/vaesds.adoc +++ b/doc/vector/insns/vaesds.adoc @@ -15,7 +15,7 @@ Encoding (Vector-Scalar):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -28,7 +28,7 @@ Encoding (Vector-Vector):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -36,12 +36,12 @@ Encoding (Vector-Vector):: Description:: This instruction implements the final-round decryption function of the AES block cipher for all parameterisations. -It treats each element of `vs1` as the current AES round state, -and elements of `vs2` as the round key. -The Vector-Vector (VV) variant decrypts elements of `vs1` under corresponding -elements of `vs2`. -The Vector-Scalar (VV) variant dwcrypts elements of `vs1` under the -zeroth element of `vs2`. +It treats each element of `vd` as the current AES round state, +and elements of `vs1` as the round key. +The Vector-Vector (VV) variant decrypts elements of `vd` under corresponding +elements of `vs1`. +The Vector-Scalar (VV) variant decrypts elements of `vd` under the +zeroth element of `vs1`. The result (i.e. the next round state) is written to elements of `vd`. This instruction treats `EEW=128`, regardless of `vtype.vsew` @@ -52,12 +52,12 @@ supported for any other instruction. Operation:: [source,sail] -- -function clause execute (VAESDS(vs2, vs1, vd, vv)) = { +function clause execute (VAESDS(vs1, vd, vv)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { let keyelem = if vv then i else 0; - let state : bits(128) = get_velem(vs1, EEW=128, i); - let rkey : bits(128) = get_velem(vs2, EEW=128, keyelem); + let state : bits(128) = get_velem(vd, EEW=128, i); + let rkey : bits(128) = get_velem(vs1, EEW=128, keyelem); let sr : bits(128) = aes_inv_shift_rows(state); let sb : bits(128) = aes_inv_sub_bytes(sr); let ark : bits(128) = sb ^ rkey; diff --git a/doc/vector/insns/vaesdsm.adoc b/doc/vector/insns/vaesdsm.adoc index 127f8ee5..e829c865 100644 --- a/doc/vector/insns/vaesdsm.adoc +++ b/doc/vector/insns/vaesdsm.adoc @@ -15,7 +15,7 @@ Encoding (Vector-Scalar):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -28,7 +28,7 @@ Encoding (Vector-Vector):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -36,12 +36,12 @@ Encoding (Vector-Vector):: Description:: This instruction implements the middle-round decryption function of the AES block cipher for all parameterisations. -It treats each element of `vs1` as the current AES round state, -and elements of `vs2` as the round key. -The Vector-Vector (VV) variant decrypts elements of `vs1` under corresponding -elements of `vs2`. -The Vector-Scalar (VV) variant decrypts elements of `vs1` under the -zeroth element of `vs2`. +It treats each element of `vd` as the current AES round state, +and elements of `vs1` as the round key. +The Vector-Vector (VV) variant decrypts elements of `vd` under corresponding +elements of `vs1`. +The Vector-Scalar (VV) variant decrypts elements of `vd` under the +zeroth element of `vs1`. The result (i.e. the next round state) is written to elements of `vd`. This instruction treats `EEW=128`, regardless of `vtype.vsew` @@ -52,7 +52,7 @@ supported for any other instruction. Operation:: [source,sail] -- -function clause execute (VAESDSM(vs2, vs1, vd, vv)) = { +function clause execute (VAESDSM(vs1, vd, vv)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { let keyelem = if vv then i else 0; diff --git a/doc/vector/insns/vaeses.adoc b/doc/vector/insns/vaeses.adoc index f1516e0f..1b13e27f 100644 --- a/doc/vector/insns/vaeses.adoc +++ b/doc/vector/insns/vaeses.adoc @@ -15,7 +15,7 @@ Encoding (Vector-Scalar):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -28,7 +28,7 @@ Encoding (Vector-Vector):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -36,12 +36,12 @@ Encoding (Vector-Vector):: Description:: This instruction implements the final-round function of the AES block cipher for all parameterisations. -It treats each element of `vs1` as the current AES round state, -and elements of `vs2` as the round key. -The Vector-Vector (VV) variant encrypts elements of `vs1` under corresponding -elements of `vs2`. -The Vector-Scalar (VV) variant encrypts elements of `vs1` under the -zeroth element of `vs2`. +It treats each element of `vd` as the current AES round state, +and elements of `vs1` as the round key. +The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding +elements of `vs1`. +The Vector-Scalar (VV) variant encrypts elements of `vd` under the +zeroth element of `vs1`. The result (i.e. the next round state) is written to elements of `vd`. This instruction treats `EEW=128`, regardless of `vtype.vsew` @@ -52,12 +52,12 @@ supported for any other instruction. Operation:: [source,sail] -- -function clause execute (VAESES(vs2, vs1, vd, vv)) = { +function clause execute (VAESES(vs1, vd, vv)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { let keyelem = if vv then i else 0; - let state : bits(128) = get_velem(vs1, EEW=128, i); - let rkey : bits(128) = get_velem(vs2, EEW=128, keyelem); + let state : bits(128) = get_velem(vd, EEW=128, i); + let rkey : bits(128) = get_velem(vs1, EEW=128, keyelem); let sb : bits(128) = aes_fwd_sub_bytes(state); let sr : bits(128) = aes_fwd_shift_rows(sb); let ark : bits(128) = sr ^ rkey; diff --git a/doc/vector/insns/vaesesm.adoc b/doc/vector/insns/vaesesm.adoc index 9303f613..9e71e5da 100644 --- a/doc/vector/insns/vaesesm.adoc +++ b/doc/vector/insns/vaesesm.adoc @@ -15,7 +15,7 @@ Encoding (Vector-Scalar):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -28,7 +28,7 @@ Encoding (Vector-Vector):: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, +{bits: 5, name: '?????'}, {bits: 7, name: '???????'}, ]} .... @@ -36,12 +36,12 @@ Encoding (Vector-Vector):: Description:: This instruction implements the middle-round function of the AES block cipher for all parameterisations. -It treats each element of `vs1` as the current AES round state, -and elements of `vs2` as the round key. -The Vector-Vector (VV) variant encrypts elements of `vs1` under corresponding -elements of `vs2`. -The Vector-Scalar (VV) variant encrypts elements of `vs1` under the -zeroth element of `vs2`. +It treats each element of `vd` as the current AES round state, +and elements of `vs1` as the round key. +The Vector-Vector (VV) variant encrypts elements of `vd` under corresponding +elements of `vs1`. +The Vector-Scalar (VV) variant encrypts elements of `vd` under the +zeroth element of `vs1`. The result (i.e. the next round state) is written to elements of `vd`. This instruction treats `EEW=128`, regardless of `vtype.vsew` @@ -52,12 +52,12 @@ supported for any other instruction. Operation:: [source,sail] -- -function clause execute (VAESESM(vs2, vs1, vd, vv)) = { +function clause execute (VAESESM(vs1, vd, vv)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { let keyelem = if vv then i else 0; - let state : bits(128) = get_velem(vs1, EEW=128, i); - let rkey : bits(128) = get_velem(vs2, EEW=128, keyelem); + let state : bits(128) = get_velem(vd, EEW=128, i); + let rkey : bits(128) = get_velem(vs1, EEW=128, keyelem); let sb : bits(128) = aes_fwd_sub_bytes(state); let sr : bits(128) = aes_fwd_shift_rows(sb); let mix : bits(128) = aes_fwd_mix_columns(sr); diff --git a/doc/vector/insns/vaeskf128.vv.adoc b/doc/vector/insns/vaeskf128.vv.adoc index c973b094..9ddff5bc 100644 --- a/doc/vector/insns/vaeskf128.vv.adoc +++ b/doc/vector/insns/vaeskf128.vv.adoc @@ -14,15 +14,17 @@ Encoding:: {bits: 7, name: '???????'}, {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, -{bits: 5, name: 'vs1'}, -{bits: 5, name: 'rnum'}, -{bits: 7, name: '???????'}, +{bits: 5, name: '?????'}, +{bits: 4, name: 'rnum'}, +{bits: 8, name: '????????'}, ]} .... Description:: This instruction implements a single round of the forward AES-128 KeySchedule. -It treats each element of `vs1` as the current AES round key. +It treats each element of `vd` as the current AES round key. +The round number of the KeySchedule operation is stored in the 4-bit `rnum` +immediate. It applies a single AES-128 KeySchedule round to each element, and writes the 128-bit result to the corresponding element in `vd`. @@ -38,11 +40,11 @@ supported for any other instruction. Operation:: [source,sail] -- -function clause execute (VAESESM(vs1, vd)) = { +function clause execute (VAESESM(rnum, vd)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { - let current : bits(128) = get_velem(vs2, EEW=128, i); - let next : bits(128) = aes_128_forward_key_schedule(current); + let current : bits(128) = get_velem(vd, EEW=128, i); + let next : bits(128) = aes_128_forward_key_schedule(rnum, current); set_velem(vd, EEW=128, i, next); } RETIRE_SUCCESS diff --git a/doc/vector/insns/vaeskf192.vv.adoc b/doc/vector/insns/vaeskf192.vv.adoc index e83dab89..9290eea7 100644 --- a/doc/vector/insns/vaeskf192.vv.adoc +++ b/doc/vector/insns/vaeskf192.vv.adoc @@ -15,15 +15,17 @@ Encoding:: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, -{bits: 7, name: '???????'}, +{bits: 4, name: 'rnum'}, +{bits: 8, name: '????????'}, ]} .... Description:: This instruction implements a single round of the forward AES-192 KeySchedule. -It concatenates the top half of the element in `vs2` with the whole -element in `vs1` to create a 192-bit value. +It concatenates the top half of the element in `vs1` with the whole +element in `vd` to create a 192-bit value. +The round number of the KeySchedule operation is stored in the 4-bit `rnum` +immediate. From this, the next 128-bit round key is computed and written to `vd`. Only a Vector-Vector version of this instruction is provided. To use this @@ -45,12 +47,12 @@ in chunks of 128-bits. Operation:: [source,sail] -- -function clause execute (VAESESM(vs1, vd)) = { +function clause execute (VAESESM(rnum, vs1, vd)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { - let current : bits(192) = get_velem(vs1, EEW=128, i) @ - get_velem(vs2, EEW=128, i) [128..64] - let next : bits(128) = aes_192_forward_key_schedule(current); + let current : bits(192) = get_velem(vd, EEW=128, i) @ + get_velem(vs1, EEW=128, i) [128..64] + let next : bits(128) = aes_192_forward_key_schedule(rnum, current); set_velem(vd, EEW=128, i, next); } RETIRE_SUCCESS diff --git a/doc/vector/insns/vaeskf256.vv.adoc b/doc/vector/insns/vaeskf256.vv.adoc index f690cab8..cddba650 100644 --- a/doc/vector/insns/vaeskf256.vv.adoc +++ b/doc/vector/insns/vaeskf256.vv.adoc @@ -15,8 +15,8 @@ Encoding:: {bits: 5, name: 'vd'}, {bits: 3, name: '???'}, {bits: 5, name: 'vs1'}, -{bits: 5, name: 'vs2'}, -{bits: 7, name: '???????'}, +{bits: 4, name: 'rnum'}, +{bits: 8, name: '????????'}, ]} .... @@ -25,6 +25,8 @@ This instruction implements a single round of the forward AES-256 KeySchedule. It concatenates the 128-bit element in `vs2` with the 128-bit element in `vs1` to create a 256-bit value. From this, the next 128-bit round key is computed and written to `vd`. +The round number of the KeySchedule operation is stored in the 4-bit `rnum` +immediate. Only a Vector-Vector version of this instruction is provided. To use this instruction with the Vector-Scalar varients of the AES encrypt/decrypt @@ -45,12 +47,12 @@ in chunks of 128-bits. Operation:: [source,sail] -- -function clause execute (VAESESM(vs1, vd)) = { +function clause execute (VAESESM(rnum, vs1, vd)) = { assert(VLEN>=128); foreach (i from vlstart to vl) { - let current : bits(256) = get_velem(vs1, EEW=128, i) @ - get_velem(vs2, EEW=128, i) ; - let next : bits(128) = aes_256_forward_key_schedule(current); + let current : bits(256) = get_velem(vd, EEW=128, i) @ + get_velem(vs1, EEW=128, i) ; + let next : bits(128) = aes_256_forward_key_schedule(rnum, current); set_velem(vd, EEW=128, i, next); } RETIRE_SUCCESS diff --git a/doc/vector/riscv-crypto-spec-vector.adoc b/doc/vector/riscv-crypto-spec-vector.adoc index 73a43d43..f7312fdb 100644 --- a/doc/vector/riscv-crypto-spec-vector.adoc +++ b/doc/vector/riscv-crypto-spec-vector.adoc @@ -135,6 +135,10 @@ include::insns/vaeskf256.vv.adoc[leveloffset=+2] <<< include::insns/vaes128e.adoc[leveloffset=+2] <<< +include::insns/vaes192e.adoc[leveloffset=+2] +<<< +include::insns/vaes256e.adoc[leveloffset=+2] +<<< include::insns/vandn.adoc[leveloffset=+2] <<< include::insns/vclmul.adoc[leveloffset=+2]