Diffstat (limited to 'src/scalar-crypto.adoc')
-rw-r--r-- | src/scalar-crypto.adoc | 190 |
1 files changed, 95 insertions, 95 deletions
diff --git a/src/scalar-crypto.adoc b/src/scalar-crypto.adoc index 61d70e2..b879474 100644 --- a/src/scalar-crypto.adoc +++ b/src/scalar-crypto.adoc @@ -207,7 +207,7 @@ operate in. NIST ciphers are a part of most standardised internet protocols, while ShangMi ciphers are required for use in China. ==== -[[zbkb,Zbkb]] +[[zbkb-sc,Zbkb-sc]] ==== `Zbkb` - Bitmanip instructions for Cryptography These are a subset of the Bitmanipulation Extension `Zbb` which are @@ -215,13 +215,13 @@ particularly useful for Cryptography. NOTE: Some of these instructions are defined in the first Bitmanip ratification package, and some are not ( -<<insns-pack,pack>>, -<<insns-packh,packh>>, -<<insns-packw,packw>>, +<<insns-pack-sc,pack>>, +<<insns-packh-sc,packh>>, +<<insns-packw-sc,packw>>, <<insns-brev8,brev8>>, -<<insns-zip,zip>>, -<<insns-unzip,unzip>>). -All of the instructions in <<zbkb>> have their complete specification included +<<insns-zip-sc,zip>>, +<<insns-unzip-sc,unzip>>). +All of the instructions in <<zbkb-sc>> have their complete specification included in this document, including those _not_ present in the initial Bitmanip ratification package. This is to make the present specification complete as a standalone document. 
@@ -240,35 +240,35 @@ and Bitmanip are being rapidly iterated on prior to public review. |Mnemonic |Instruction -| ✓ | ✓ | ror | <<insns-ror>> -| ✓ | ✓ | rol | <<insns-rol>> -| ✓ | ✓ | rori | <<insns-rori>> -| | ✓ | rorw | <<insns-rorw>> -| | ✓ | rolw | <<insns-rolw>> -| | ✓ | roriw | <<insns-roriw>> -| ✓ | ✓ | andn | <<insns-andn>> -| ✓ | ✓ | orn | <<insns-orn>> -| ✓ | ✓ | xnor | <<insns-xnor>> -| ✓ | ✓ | pack | <<insns-pack>> -| ✓ | ✓ | packh | <<insns-packh>> -| | ✓ | packw | <<insns-packw>> +| ✓ | ✓ | ror | <<insns-ror-sc>> +| ✓ | ✓ | rol | <<insns-rol-sc>> +| ✓ | ✓ | rori | <<insns-rori-sc>> +| | ✓ | rorw | <<insns-rorw-sc>> +| | ✓ | rolw | <<insns-rolw-sc>> +| | ✓ | roriw | <<insns-roriw-sc>> +| ✓ | ✓ | andn | <<insns-andn-sc>> +| ✓ | ✓ | orn | <<insns-orn-sc>> +| ✓ | ✓ | xnor | <<insns-xnor-sc>> +| ✓ | ✓ | pack | <<insns-pack-sc>> +| ✓ | ✓ | packh | <<insns-packh-sc>> +| | ✓ | packw | <<insns-packw-sc>> | ✓ | ✓ | brev8 | <<insns-brev8>> -| ✓ | ✓ | rev8 | <<insns-rev8>> -| ✓ | | zip | <<insns-zip>> -| ✓ | | unzip | <<insns-unzip>> +| ✓ | ✓ | rev8 | <<insns-rev8-sc>> +| ✓ | | zip | <<insns-zip-sc>> +| ✓ | | unzip | <<insns-unzip-sc>> |=== -[[zbkc,Zbkc]] +[[zbkc-sc,Zbkc-sc]] ==== `Zbkc` - Carry-less multiply instructions Constant time carry-less multiply for Galois/Counter Mode. -These are separated from the <<zbkb>> because they +These are separated from the <<zbkb-sc>> because they have a considerable implementation overhead which cannot be amortised across other instructions. NOTE: These instructions are defined in the first Bitmanip ratification package for the `Zbc` extension. -All of the instructions in <<zbkc>> have their complete specification included +All of the instructions in <<zbkc-sc>> have their complete specification included in this document, including those _not_ present in the initial Bitmanip ratification package. This is to make the present specification complete as a standalone document. 
@@ -288,21 +288,21 @@ and Bitmanip are being rapidly iterated on prior to public review. |Instruction | ✓ | ✓ | clmul | <<insns-clmul>> -| ✓ | ✓ | clmulh | <<insns-clmulh>> +| ✓ | ✓ | clmulh | <<insns-clmulh-sc>> |=== -[[zbkx,Zbkx]] +[[zbkx-sc,Zbkx-sc]] ==== `Zbkx` - Crossbar permutation instructions These instructions are useful for implementing SBoxes in constant time, and potentially with DPA protections. -These are separated from the <<zbkb>> because they +These are separated from the <<zbkb-sc>> because they have an implementation overhead which cannot be amortised across other instructions. NOTE: All of these instructions are missing from the first Bitmanip ratification package. -Hence, all of the instructions in <<zbkx>> have their complete specification +Hence, all of the instructions in <<zbkx-sc>> have their complete specification included in this document. This is to make the present specification complete as a standalone document. Inevitably there might be small divergences between the Bitmanip and @@ -461,9 +461,9 @@ This extension is shorthand for the following set of other extensions: |Included Extension |Description -| <<zbkb>> | Bitmanipulation instructions for cryptography. -| <<zbkc>> | Carry-less multiply instructions. -| <<zbkx>> | Cross-bar Permutation instructions. +| <<zbkb-sc>> | Bitmanipulation instructions for cryptography. +| <<zbkc-sc>> | Carry-less multiply instructions. +| <<zbkx-sc>> | Cross-bar Permutation instructions. | <<zkne>> | AES encryption instructions. | <<zknd>> | AES decryption instructions. | <<zknh>> | SHA2 hash function instructions. 
@@ -481,9 +481,9 @@ This extension is shorthand for the following set of other extensions: |Included Extension |Description -| <<zbkb>> | Bitmanipulation instructions for cryptography. -| <<zbkc>> | Carry-less multiply instructions. -| <<zbkx>> | Cross-bar Permutation instructions. +| <<zbkb-sc>> | Bitmanipulation instructions for cryptography. +| <<zbkc-sc>> | Carry-less multiply instructions. +| <<zbkx-sc>> | Cross-bar Permutation instructions. | <<zksed>> | SM4 block cipher instructions. | <<zksh>> | SM3 hash function instructions. |=== @@ -1272,7 +1272,7 @@ Included in:: <<< -[#insns-andn,reftext="AND with inverted operand"] +[#insns-andn-sc,reftext="AND with inverted operand"] ==== andn Synopsis:: @@ -1314,7 +1314,7 @@ Included in:: |1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== @@ -1370,14 +1370,14 @@ Included in:: |Minimum version |Lifecycle state -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-clmul,reftext="Carry-less multiply (low-part)"] +[#insns-clmul-sc,reftext="Carry-less multiply (low-part)"] ==== clmul Synopsis:: @@ -1429,14 +1429,14 @@ Included in:: |1.0.0 |Ratified -|Zbkc (<<#zbkc>>) +|Zbkc (<<#zbkc-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-clmulh,reftext="Carry-less multiply (high-part)"] +[#insns-clmulh-sc,reftext="Carry-less multiply (high-part)"] ==== clmulh Synopsis:: @@ -1488,14 +1488,14 @@ Included in:: |1.0.0 |Ratified -|Zbkc (<<#zbkc>>) +|Zbkc (<<#zbkc-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-orn,reftext="OR with inverted operand"] +[#insns-orn-sc,reftext="OR with inverted operand"] ==== orn Synopsis:: @@ -1537,14 +1537,14 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-pack,reftext="Pack low halves of registers"] +[#insns-pack-sc,reftext="Pack low halves of registers"] ==== pack Synopsis:: 
@@ -1585,14 +1585,14 @@ Included in:: |Minimum version |Lifecycle state -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-packh,reftext="Pack low bytes of registers"] +[#insns-packh-sc,reftext="Pack low bytes of registers"] ==== packh Synopsis:: @@ -1634,14 +1634,14 @@ Included in:: |Minimum version |Lifecycle state -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-packw,reftext="Pack low 16-bits of registers (RV64)"] +[#insns-packw-sc,reftext="Pack low 16-bits of registers (RV64)"] ==== packw Synopsis:: @@ -1685,14 +1685,14 @@ Included in:: |Minimum version |Lifecycle state -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-rev8,reftext="Byte-reverse register"] +[#insns-rev8-sc,reftext="Byte-reverse register"] ==== rev8 Synopsis:: @@ -1769,14 +1769,14 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-rol,reftext="Rotate left (Register)"] +[#insns-rol-sc,reftext="Rotate left (Register)"] ==== rol Synopsis:: @@ -1823,14 +1823,14 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-rolw,reftext="Rotate Left Word (Register)"] +[#insns-rolw-sc,reftext="Rotate Left Word (Register)"] ==== rolw Synopsis:: @@ -1876,14 +1876,14 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-ror, reftext="Rotate right (Register)"] +[#insns-ror-sc, reftext="Rotate right (Register)"] ==== ror Synopsis:: @@ -1930,14 +1930,14 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-rori,reftext="Rotate right (Immediate)"] +[#insns-rori-sc,reftext="Rotate right (Immediate)"] ==== rori Synopsis:: 
@@ -1998,14 +1998,14 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-roriw,reftext="Rotate right Word (Immediate)"] +[#insns-roriw-sc,reftext="Rotate right Word (Immediate)"] ==== roriw Synopsis:: @@ -2054,14 +2054,14 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-rorw,reftext="Rotate right Word (Register)"] +[#insns-rorw-sc,reftext="Rotate right Word (Register)"] ==== rorw Synopsis:: @@ -2107,7 +2107,7 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== @@ -3327,7 +3327,7 @@ Included in:: <<< -[#insns-unzip,reftext="Bit deinterleave"] +[#insns-unzip-sc,reftext="Bit deinterleave"] ==== unzip Synopsis:: @@ -3353,7 +3353,7 @@ Encoding:: Description:: This instruction gathers bits from the high and low halves of the source word into odd/even bit positions in the destination word. -It is the inverse of the <<insns-zip,zip>> instruction. +It is the inverse of the <<insns-zip-sc,zip>> instruction. This instruction is available only on RV32. Operation:: @@ -3381,14 +3381,14 @@ Included in:: |Minimum version |Lifecycle state -|Zbkb (<<#zbkb>>) (RV32) +|Zbkb (<<#zbkb-sc>>) (RV32) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-xnor,reftext="Exclusive NOR"] +[#insns-xnor-sc,reftext="Exclusive NOR"] ==== xnor Synopsis:: @@ -3430,7 +3430,7 @@ Included in:: |v1.0.0 |Ratified -|Zbkb (<<#zbkb>>) +|Zbkb (<<#zbkb-sc>>) |v1.0.0-rc4 |Ratified |=== @@ -3488,7 +3488,7 @@ Included in:: |Minimum version |Lifecycle state -|Zbkx (<<#zbkx>>) +|Zbkx (<<#zbkx-sc>>) |v1.0.0-rc4 |Ratified |=== @@ -3547,14 +3547,14 @@ Included in:: |Minimum version |Lifecycle state -|Zbkx (<<#zbkx>>) +|Zbkx (<<#zbkx-sc>>) |v1.0.0-rc4 |Ratified |=== <<< -[#insns-zip,reftext="Bit interleave"] +[#insns-zip-sc,reftext="Bit interleave"] ==== zip Synopsis:: 
@@ -3581,7 +3581,7 @@ Encoding:: Description:: This instruction scatters all of the odd and even bits of a source word into the high and low halves of a destination word. -It is the inverse of the <<insns-unzip,unzip>> instruction. +It is the inverse of the <<insns-unzip-sc,unzip>> instruction. This instruction is available only on RV32. Operation:: @@ -3609,7 +3609,7 @@ Included in:: |Minimum version |Lifecycle state -|Zbkb (<<#zbkb>>) (RV32) +|Zbkb (<<#zbkb-sc>>) (RV32) |v1.0.0-rc4 |Ratified |=== @@ -4251,7 +4251,7 @@ See <<crypto_scalar_appx_es_access>>. ===== RVB (Bitmanip) -The <<zbkb>>, <<zbkc>> and <<zbkx>> extensions are included in their entirety. +The <<zbkb-sc>>, <<zbkc-sc>> and <<zbkx-sc>> extensions are included in their entirety. .Note to implementers [NOTE,caption="SH"] 
@@ -4267,26 +4267,26 @@ specific instances of `grevi`, `shfli` and `unshfli` respectively. |Mnemonic |Instruction -| ✓ | ✓ | clmul | <<insns-clmul>> -| ✓ | ✓ | clmulh | <<insns-clmulh>> +| ✓ | ✓ | clmul | <<insns-clmul-sc>> +| ✓ | ✓ | clmulh | <<insns-clmulh-sc>> | ✓ | ✓ | xperm4 | <<insns-xperm4>> | ✓ | ✓ | xperm8 | <<insns-xperm8>> -| ✓ | ✓ | ror | <<insns-ror>> -| ✓ | ✓ | rol | <<insns-rol>> -| ✓ | ✓ | rori | <<insns-rori>> -| | ✓ | rorw | <<insns-rorw>> -| | ✓ | rolw | <<insns-rolw>> -| | ✓ | roriw | <<insns-roriw>> -| ✓ | ✓ | andn | <<insns-andn>> -| ✓ | ✓ | orn | <<insns-orn>> -| ✓ | ✓ | xnor | <<insns-xnor>> -| ✓ | ✓ | pack | <<insns-pack>> -| ✓ | ✓ | packh | <<insns-packh>> -| | ✓ | packw | <<insns-packw>> +| ✓ | ✓ | ror | <<insns-ror-sc>> +| ✓ | ✓ | rol | <<insns-rol-sc>> +| ✓ | ✓ | rori | <<insns-rori-sc>> +| | ✓ | rorw | <<insns-rorw-sc>> +| | ✓ | rolw | <<insns-rolw-sc>> +| | ✓ | roriw | <<insns-roriw-sc>> +| ✓ | ✓ | andn | <<insns-andn-sc>> +| ✓ | ✓ | orn | <<insns-orn-sc>> +| ✓ | ✓ | xnor | <<insns-xnor-sc>> +| ✓ | ✓ | pack | <<insns-pack-sc>> +| ✓ | ✓ | packh | <<insns-packh-sc>> +| | ✓ | packw | <<insns-packw-sc>> | ✓ | ✓ | brev8 | <<insns-brev8>> -| ✓ | ✓ | rev8 | <<insns-rev8>> -| ✓ | | zip | <<insns-zip>> -| ✓ | | unzip | <<insns-unzip>> +| ✓ | ✓ | rev8 | <<insns-rev8-sc>> +| ✓ | | zip | <<insns-zip-sc>> +| ✓ | | unzip | <<insns-unzip-sc>> |=== [[crypto_scalar_appx_rationale]] @@ -4335,10 +4335,10 @@ and cryptographic hash functions are well supported by the RISC-V Bitmanip cite:[riscv:bitmanip:repo] extensions. NOTE: This section repeats much of the information in -<<zbkb>>, -<<zbkc>> +<<zbkb-sc>>, +<<zbkc-sc>> and -<<zbkx>>, +<<zbkx-sc>>, but includes more rationale. We proposed that the scalar cryptographic extension _reuse_ a |
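Review bot: In the `@@ -207,7` hunk the new anchor `[[zbkb-sc,Zbkb-sc]]` also changes the reftext, so every `<<zbkb-sc>>` in the running text and in the Zk/Zks extension tables will now render as "Zbkb-sc" rather than "Zbkb"; only the id needs the suffix to avoid the clash with the Bitmanip chapter. Suggest `[[zbkb-sc,Zbkb]]`, and likewise `[[zbkc-sc,Zbkc]]` and `[[zbkx-sc,Zbkx]]` in the `@@ -240,35` and `@@ -288,21` hunks.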
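Review bot: The `@@ -288,21` hunk leaves the Zbkc table row `| ✓ | ✓ | clmul | <<insns-clmul>>` untouched while the `@@ -1370,14` hunk renames that anchor to `#insns-clmul-sc`, so this row becomes a dangling cross-reference; the `@@ -4267,26` hunk updates both `clmul` and `clmulh`, so this row should become `| ✓ | ✓ | clmul | <<insns-clmul-sc>>` as well.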
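Review bot: In the `@@ -4267,26` hunk the `brev8`, `xperm4` and `xperm8` rows keep their unsuffixed anchors while every other row gets `-sc`, and nothing in the patch says why; if the rule is that only anchors which also exist in the Bitmanip specification are renamed, state that in the commit message or in a short comment next to the first renamed anchor so that later additions follow the same convention.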