Skip to content

Commit

Permalink
[v0.0.4] applying internal review feedback
Browse files Browse the repository at this point in the history
  • Loading branch information
nibrunie authored and nibrunieAtSi5 committed Feb 7, 2024
1 parent eff2e90 commit 4ce6a83
Show file tree
Hide file tree
Showing 4 changed files with 34 additions and 27 deletions.
33 changes: 18 additions & 15 deletions doc/vector-extra/riscv-crypto-spec-vector-extra.adoc
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
[[riscv-doc-template]]
= RISC-V Cryptography Extensions Volume III: Extra Vector Instructions
:description: The vector extra cryptography extensions for the RISC-V ISA.
= RISC-V Cryptography Extensions Volume III: Additional Vector Instructions
:description: The addtional vector cryptography extensions for the RISC-V ISA.
:company: RISC-V.org
:revdate: 1 February 2024
:revnumber: v0.0.3
:revdate: 6 February 2024
:revnumber: v0.0.4
:revremark:
:url-riscv: http://riscv.org
:doctype: book
Expand Down Expand Up @@ -46,7 +46,7 @@ endif::[]
[colophon]
= Colophon

This document describes the Vector Cryptography Extra extensions to the
This document describes additional Vector Cryptography extensions to the
RISC-V Instruction Set Architecture.

This document is _Discussion Document_.
Expand All @@ -73,6 +73,7 @@ for more information.

Contributors to this specification (in alphabetical order)
include: +
Eric Biggers,
Ken Dockser,
Markku-Juhani O. Saarinen,
Nicolas Brunie,
Expand All @@ -95,26 +96,28 @@ include::riscv-crypto-vector-extra-introduction.adoc[]
[[crypto_vector_extensions]]
== Extensions Overview

The section introduces all of the extensions in the Vector Cryptography Extra
The section introduces all of the extensions in the Additional Vector Cryptography
Instruction Set Extension Specification.


All the Vector Crypto Extra Extensions can be built
All the Additional Vector Crypto Extensions can be built
on _any_ embedded (Zve*) or application ("V") base Vector Extension.

// See <<crypto-vector-element-groups>> for more details on vector element groups and the drawbacks of
// small `VLEN` values.


All _cryptography-specific_ instructions defined in this Vector Crypto specification (i.e., those
in <<Zvkgs>>, but _not_ <<zvbc32e>>) shall
be executed with data-independent execution latency as defined in the
As the instructions defined in this specification might be used to implement cryptographic primitives
they may be implemented with data-independent execution latencies as
defined in the
link:https://github.com/riscv/riscv-crypto/releases/tag/v1.0.1-scalar[RISC-V Scalar Cryptography Extensions specification].
It is important to note that the Vector Crypto instructions are independent of the
implementation of the `Zkt` extension and do not require that `Zkt` is implemented.

//This specification includes a <<Zvkt>> extension that, when implemented, requires certain vector instructions
//(including <<zvbb>>, <<zvkb>>, and <<zvbc>>) to be executed with data-independent execution latency.
If `Zvkt` is implemented, all the instructions from `Zvbc32e` (`vclmul[h].[vv,vx]`)
shall be executed with data-independent execution latency as

Whether `Zvkt` is implemented or not, all instructions from `Zvkgs` (`vgmul.vs`, `vghsh.vs`)
shall be executed with data-independent execution latency.


Detection of individual cryptography extensions uses the
unified software-based RISC-V discovery method.
Expand All @@ -134,7 +137,7 @@ include::./riscv-crypto-vector-extra-zvkgs.adoc[]

// ------------------------------------------------------------

[[crypto_vector_extra_insns, reftext="Vector Cryptography Extra Instructions"]]
[[crypto_vector_extra_insns, reftext="Additional Vector Cryptography Instructions"]]
== Instructions


Expand Down
4 changes: 2 additions & 2 deletions doc/vector-extra/riscv-crypto-vector-extra-inst-table.adoc
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
[appendix]
[[crypto_vector_instructions]]
=== Crypto Vector Cryptographic Instructions
=== Additional Vector Cryptographic Instructions

OP-P (0x77)
Crypto Vector instructions, including Zvkgs, except Zvbb and Zvbc
Additional Vector Crypto instructions, including Zvkgs, except Zvbb and Zvbc
The new/modified encoding are in bold and underlined.

// [cols="4,1,1,1,8,4,1,1,8,4,1,1,8"]
Expand Down
6 changes: 3 additions & 3 deletions doc/vector-extra/riscv-crypto-vector-extra-introduction.adoc
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
[[crypto_vector_introduction]]
== Introduction

This document describes the proposed _vector_ _extra_ cryptography
This document describes the proposed _additional_ _vector_ cryptography
extensions for RISC-V.
Those extensions extend the _vector_ cryptography extensions for RISC-V,
providing extra features not mandatory for a high performace implementation but which
can help further improve the efficiency of the algorithms that use them.
providing additional features not mandatory for a high performace implementation but which
can help further improve the efficiency some algorithms (e.g. CRC, AES-GCM).
All instructions proposed here are based on the Vector registers.

18 changes: 11 additions & 7 deletions doc/vector-extra/riscv-crypto-vector-extra-zvkgs.adoc
Original file line number Diff line number Diff line change
@@ -1,16 +1,20 @@
[[zvkgs,Zvkgs]]
=== `Zvkgs` - Vector-Scalar GCM/GMAC

`Zvkgs` depends on `Zvkg`, it extends the existing `vghsh.vv` and `vgmul.vv` instructions with new vector-scalar variants: `vghsh.vs` and `vgmul.vs`.

Instructions to enable the efficient implementation of parallel versions of GHASH~H~ which is used in Galois/Counter Mode (GCM) and
Galois Message Authentication Code (GMAC).

The instructions inherit the same constraints as the ones mandated for `Zvkg` instructions: (element group size, data independent execution timing and `vl`/`vstart` multiple constraints).
`Zvkgs` depends on `Zvkg`. It extends the existing `vghsh.vv` and `vgmul.vv` instructions with new vector-scalar variants: `vghsh.vs` and `vgmul.vs`.

The instructions inherit the constraints defined in `Zvkg`:

- element group size (EGS) is 4
- data independent execution timing
- `vl`/`vstart` must be multiples of EGS=4multiple constraints

All of these instructions work on 128-bit element groups comprised of four 32-bit elements, in element group parlance `EGS=4`, `EGW=128` and the instructions are only defined for `SEW=32`.
All of these instructions work on 128-bit element groups comprised of four 32-bit elements.

To help avoid side-channel timing attacks, these instructions shall always be implemented with data-independent timing.
To help avoid side-channel timing attacks, these instructions shall be implemented with data-independent timing.

The number of element groups to be processed is `vl`/`EGS`.
`vl` must be set to the number of `SEW=32` elements to be processed and
Expand All @@ -25,8 +29,8 @@ Likewise, `vstart` must be a multiple of `EGS=4`.
|EGW
|Mnemonic
|Instruction
| 32 | 128 | `vghsh.vs` | <<insns-vghsh-vs>>
| 32 | 128 | `vgmul.vs` | <<insns-vgmul-vs>>
| 32 | 128 | vghsh.vs | <<insns-vghsh-vs>>
| 32 | 128 | vgmul.vs | <<insns-vgmul-vs>>

|===

0 comments on commit 4ce6a83

Please sign in to comment.