From 4ce6a83830f9241eb45d7258684310ec7e499f09 Mon Sep 17 00:00:00 2001 From: Nicolas Brunie Date: Tue, 6 Feb 2024 20:14:19 -0800 Subject: [PATCH] [v0.0.4] applying internal review feedback --- .../riscv-crypto-spec-vector-extra.adoc | 33 ++++++++++--------- .../riscv-crypto-vector-extra-inst-table.adoc | 4 +-- ...iscv-crypto-vector-extra-introduction.adoc | 6 ++-- .../riscv-crypto-vector-extra-zvkgs.adoc | 18 ++++++---- 4 files changed, 34 insertions(+), 27 deletions(-) diff --git a/doc/vector-extra/riscv-crypto-spec-vector-extra.adoc b/doc/vector-extra/riscv-crypto-spec-vector-extra.adoc index 040573e8..3dfd4ce5 100644 --- a/doc/vector-extra/riscv-crypto-spec-vector-extra.adoc +++ b/doc/vector-extra/riscv-crypto-spec-vector-extra.adoc @@ -1,9 +1,9 @@ [[riscv-doc-template]] -= RISC-V Cryptography Extensions Volume III: Extra Vector Instructions -:description: The vector extra cryptography extensions for the RISC-V ISA. += RISC-V Cryptography Extensions Volume III: Additional Vector Instructions +:description: The addtional vector cryptography extensions for the RISC-V ISA. :company: RISC-V.org -:revdate: 1 February 2024 -:revnumber: v0.0.3 +:revdate: 6 February 2024 +:revnumber: v0.0.4 :revremark: :url-riscv: http://riscv.org :doctype: book @@ -46,7 +46,7 @@ endif::[] [colophon] = Colophon -This document describes the Vector Cryptography Extra extensions to the +This document describes additional Vector Cryptography extensions to the RISC-V Instruction Set Architecture. This document is _Discussion Document_. @@ -73,6 +73,7 @@ for more information. Contributors to this specification (in alphabetical order) include: + +Eric Biggers, Ken Dockser, Markku-Juhani O. Saarinen, Nicolas Brunie, 
@@ -95,26 +96,28 @@ include::riscv-crypto-vector-extra-introduction.adoc[] [[crypto_vector_extensions]] == Extensions Overview -The section introduces all of the extensions in the Vector Cryptography Extra +The section introduces all of the extensions in the Additional Vector Cryptography Instruction Set Extension Specification. -All the Vector Crypto Extra Extensions can be built +All the Additional Vector Crypto Extensions can be built on _any_ embedded (Zve*) or application ("V") base Vector Extension. // See <> for more details on vector element groups and the drawbacks of // small `VLEN` values. -All _cryptography-specific_ instructions defined in this Vector Crypto specification (i.e., those -in <>, but _not_ <>) shall -be executed with data-independent execution latency as defined in the +As the instructions defined in this specification might be used to implement cryptographic primitives + they may be implemented with data-independent execution latencies as +defined in the link:https://github.com/riscv/riscv-crypto/releases/tag/v1.0.1-scalar[RISC-V Scalar Cryptography Extensions specification]. -It is important to note that the Vector Crypto instructions are independent of the -implementation of the `Zkt` extension and do not require that `Zkt` is implemented. -//This specification includes a <> extension that, when implemented, requires certain vector instructions -//(including <>, <>, and <>) to be executed with data-independent execution latency. +If `Zvkt` is implemented, all the instructions from `Zvbc32e` (`vclmul[h].[vv,vx]`) +shall be executed with data-independent execution latency as + +Whether `Zvkt` is implemented or not, all instructions from `Zvkgs` (`vgmul.vs`, `vghsh.vs`) +shall be executed with data-independent execution latency. + Detection of individual cryptography extensions uses the unified software-based RISC-V discovery method. 
@@ -134,7 +137,7 @@ include::./riscv-crypto-vector-extra-zvkgs.adoc[] // ------------------------------------------------------------ -[[crypto_vector_extra_insns, reftext="Vector Cryptography Extra Instructions"]] +[[crypto_vector_extra_insns, reftext="Additional Vector Cryptography Instructions"]] == Instructions diff --git a/doc/vector-extra/riscv-crypto-vector-extra-inst-table.adoc b/doc/vector-extra/riscv-crypto-vector-extra-inst-table.adoc index d52d3ff5..ee5a09c6 100644 --- a/doc/vector-extra/riscv-crypto-vector-extra-inst-table.adoc +++ b/doc/vector-extra/riscv-crypto-vector-extra-inst-table.adoc @@ -1,9 +1,9 @@ [appendix] [[crypto_vector_instructions]] -=== Crypto Vector Cryptographic Instructions +=== Additional Vector Cryptographic Instructions OP-P (0x77) -Crypto Vector instructions, including Zvkgs, except Zvbb and Zvbc +Additional Vector Crypto instructions, including Zvkgs, except Zvbb and Zvbc The new/modified encoding are in bold and underlined. // [cols="4,1,1,1,8,4,1,1,8,4,1,1,8"] diff --git a/doc/vector-extra/riscv-crypto-vector-extra-introduction.adoc b/doc/vector-extra/riscv-crypto-vector-extra-introduction.adoc index c01afa59..8d057e6a 100644 --- a/doc/vector-extra/riscv-crypto-vector-extra-introduction.adoc +++ b/doc/vector-extra/riscv-crypto-vector-extra-introduction.adoc 
@@ -1,10 +1,10 @@ [[crypto_vector_introduction]] == Introduction -This document describes the proposed _vector_ _extra_ cryptography +This document describes the proposed _additional_ _vector_ cryptography extensions for RISC-V. Those extensions extend the _vector_ cryptography extensions for RISC-V, -providing extra features not mandatory for a high performace implementation but which -can help further improve the efficiency of the algorithms that use them. +providing additional features not mandatory for a high performace implementation but which +can help further improve the efficiency some algorithms (e.g. CRC, AES-GCM). All instructions proposed here are based on the Vector registers. diff --git a/doc/vector-extra/riscv-crypto-vector-extra-zvkgs.adoc b/doc/vector-extra/riscv-crypto-vector-extra-zvkgs.adoc index f54683f4..c8d83965 100644 --- a/doc/vector-extra/riscv-crypto-vector-extra-zvkgs.adoc +++ b/doc/vector-extra/riscv-crypto-vector-extra-zvkgs.adoc 
@@ -1,16 +1,20 @@ [[zvkgs,Zvkgs]] === `Zvkgs` - Vector-Scalar GCM/GMAC -`Zvkgs` depends on `Zvkg`, it extends the existing `vghsh.vv` and `vgmul.vv` instructions with new vector-scalar variants: `vghsh.vs` and `vgmul.vs`. - Instructions to enable the efficient implementation of parallel versions of GHASH~H~ which is used in Galois/Counter Mode (GCM) and Galois Message Authentication Code (GMAC). -The instructions inherit the same constraints as the ones mandated for `Zvkg` instructions: (element group size, data independent execution timing and `vl`/`vstart` multiple constraints). +`Zvkgs` depends on `Zvkg`. It extends the existing `vghsh.vv` and `vgmul.vv` instructions with new vector-scalar variants: `vghsh.vs` and `vgmul.vs`. + +The instructions inherit the constraints defined in `Zvkg`: + +- element group size (EGS) is 4 +- data independent execution timing +- `vl`/`vstart` must be multiples of EGS=4multiple constraints -All of these instructions work on 128-bit element groups comprised of four 32-bit elements, in element group parlance `EGS=4`, `EGW=128` and the instructions are only defined for `SEW=32`. +All of these instructions work on 128-bit element groups comprised of four 32-bit elements. -To help avoid side-channel timing attacks, these instructions shall always be implemented with data-independent timing. +To help avoid side-channel timing attacks, these instructions shall be implemented with data-independent timing. The number of element groups to be processed is `vl`/`EGS`. `vl` must be set to the number of `SEW=32` elements to be processed and @@ -25,8 +29,8 @@ Likewise, `vstart` must be a multiple of `EGS=4`. |EGW |Mnemonic |Instruction -| 32 | 128 | `vghsh.vs` | <> -| 32 | 128 | `vgmul.vs` | <> +| 32 | 128 | vghsh.vs | <> +| 32 | 128 | vgmul.vs | <> |===
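Review bot: typo in the new `:description:` attribute in the first hunk of doc/vector-extra/riscv-crypto-spec-vector-extra.adoc (@@ -1,9 +1,9 @@): "addtional" should be "additional". This attribute ends up in the generated document metadata, so it is worth fixing before the v0.0.4 tag.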
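Review bot: the new `Zvbc32e` paragraph in the Extensions Overview hunk of riscv-crypto-spec-vector-extra.adoc (@@ -95,26 +96,28 @@) stops mid-sentence: "shall be executed with data-independent execution latency as" is followed by an empty line. Either complete the clause (the removed text continued "as defined in the" with the link to the scalar specification) or drop the trailing "as". In the same hunk the general statement moves from "shall be executed" to "may be implemented" with data-independent latency, while the `Zvkgs` paragraph keeps "shall". Since software relies on this as its constant-time guarantee, please state explicitly that the general sentence is informative and that the `Zvbc32e` (conditional on `Zvkt`) and `Zvkgs` paragraphs are the normative requirements. The general sentence also needs a comma after "cryptographic primitives".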
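Review bot: naming is inconsistent in the hunk for doc/vector-extra/riscv-crypto-vector-extra-inst-table.adoc (@@ -1,9 +1,9 @@). The heading now reads "Additional Vector Cryptographic Instructions" and the line under "OP-P (0x77)" reads "Additional Vector Crypto instructions", while the reftext introduced in riscv-crypto-spec-vector-extra.adoc is "Additional Vector Cryptography Instructions". Pick one form and use it in all three places so that cross-references and headings match.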
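Review bot: the rewritten sentence in the Introduction hunk (riscv-crypto-vector-extra-introduction.adoc, @@ -1,10 +1,10 @@) is missing a word: "can help further improve the efficiency some algorithms (e.g. CRC, AES-GCM)" should read "the efficiency of some algorithms". The added line above it still carries the "performace" typo from the old text. Since that line is being touched anyway, correct it to "performance".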
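Review bot: the third bullet in the first hunk of riscv-crypto-vector-extra-zvkgs.adoc (@@ -1,16 +1,20 @@) has leftover text fused onto it: "`vl`/`vstart` must be multiples of EGS=4multiple constraints". Drop the trailing "multiple constraints". The same hunk also removes the statement that the instructions are only defined for `SEW=32` (together with the `EGW=128` remark), yet the unchanged text below still refers to "`SEW=32` elements". If the restriction is now meant to be inherited from `Zvkg`, add it to the bullet list. Otherwise keep the explicit sentence so that the behaviour for other SEW values is not left unspecified.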
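Review bot: style point on the table rows in the second hunk of riscv-crypto-vector-extra-zvkgs.adoc (@@ -25,8 +29,8 @@): the Mnemonic cells lose their backticks (`vghsh.vs` becomes vghsh.vs), while the prose earlier in the same file still writes the mnemonics in monospace. If the change is needed for the table to render correctly, say so in the commit message. Otherwise keep the backticks for consistency.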