This section lists instructions that have been added to the x86 instruction set to assist efficient calculation of cryptographic primitives, such as AES encryption, SHA hash calculation and random number generation.
The AES instruction set extension (AES-NI) adds 6 new instructions:
Instruction | Encoding | Description |
---|---|---|
AESENC xmm1,xmm2/m128 | 66 0F 38 DC /r | Perform one round of an AES encryption flow |
AESENCLAST xmm1,xmm2/m128 | 66 0F 38 DD /r | Perform the last round of an AES encryption flow |
AESDEC xmm1,xmm2/m128 | 66 0F 38 DE /r | Perform one round of an AES decryption flow |
AESDECLAST xmm1,xmm2/m128 | 66 0F 38 DF /r | Perform the last round of an AES decryption flow |
AESKEYGENASSIST xmm1,xmm2/m128,imm8 | 66 0F 3A DF /r ib | Assist in AES round key generation |
AESIMC xmm1,xmm2/m128 | 66 0F 38 DB /r | Assist in AES Inverse Mix Columns |
The CLMUL extension adds one instruction, PCLMULQDQ; the four entries that follow it are aliases for particular imm8 values.
Instruction | Encoding | Description |
---|---|---|
PCLMULQDQ xmm1,xmm2/m128,imm8 | 66 0F 3A 44 /r ib | Perform a carry-less multiplication of two 64-bit polynomials over the finite field GF(2^k). |
PCLMULLQLQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 00 | Multiply the low halves of the two 128-bit operands. |
PCLMULHQLQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 01 | Multiply the high half of the destination register by the low half of the source operand. |
PCLMULLQHQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 10 | Multiply the low half of the destination register by the high half of the source operand. |
PCLMULHQHQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 11 | Multiply the high halves of the two 128-bit operands. |
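As an added example (not from the article or from Intel), the following C models PCLMULQDQ's semantics in software: the carry-less product, the imm8 selection of quadword halves that the four aliases name, and, one step beyond the table, a reduction that turns the 128-bit product into a multiply in GF(2^64). The reduction polynomial and all function names are this example's own choices.

```c
#include <stdint.h>

/* A 128-bit value as two quadwords, mirroring the lanes of an XMM register. */
typedef struct { uint64_t lo, hi; } u128_t;

/* Carry-less multiply of two 64-bit polynomials over GF(2): a shift-and-XOR
   schoolbook product, where XOR replaces the ADD of an ordinary multiply.
   The result has at most 127 significant bits. */
u128_t clmul64(uint64_t a, uint64_t b)
{
    u128_t r = {0, 0};
    for (int i = 0; i < 64; i++) {
        if ((b >> i) & 1) {
            r.lo ^= a << i;
            if (i) r.hi ^= a >> (64 - i);
        }
    }
    return r;
}

/* Software model of PCLMULQDQ dst, src, imm8: imm8 bit 0 picks the quadword
   of dst, bit 4 the quadword of src, so 0x00/0x01/0x10/0x11 correspond to the
   PCLMULLQLQDQ/PCLMULHQLQDQ/PCLMULLQHQDQ/PCLMULHQHQDQ aliases in the table. */
u128_t pclmulqdq(u128_t dst, u128_t src, uint8_t imm8)
{
    uint64_t a = (imm8 & 0x01) ? dst.hi : dst.lo;
    uint64_t b = (imm8 & 0x10) ? src.hi : src.lo;
    return clmul64(a, b);
}

/* Multiplication in GF(2^64): the 128-bit carry-less product is reduced modulo
   the pentanomial x^64 + x^4 + x^3 + x + 1 (assumption: chosen here as the
   field polynomial; GCM's GHASH uses a different, bit-reflected GF(2^128)).
   Since x^64 == 0x1B (mod P), the high half is folded back twice. */
uint64_t gf2_64_mul(uint64_t a, uint64_t b)
{
    u128_t p  = clmul64(a, b);
    u128_t t  = clmul64(p.hi, 0x1B);   /* up to 68 bits: t.hi holds bits 64..67 */
    u128_t t2 = clmul64(t.hi, 0x1B);   /* t.hi < 16, so t2.hi is always 0 */
    return p.lo ^ t.lo ^ t2.lo;
}
```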
Instruction | Encoding | Description | Added in |
---|---|---|---|
RDRAND r16, RDRAND r32 | NFx 0F C7 /6 | Return a random number that has been generated with a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) compliant with NIST SP 800-90A. | Ivy Bridge, Excavator, Puma, ZhangJiang, Knights Landing, Gracemont |
RDRAND r64 | NFx REX.W 0F C7 /6 | | |
RDSEED r16, RDSEED r32 | NFx 0F C7 /7 | Return a random number that has been generated with a HRNG/TRNG (Hardware/"True" Random Number Generator) compliant with NIST SP 800-90B and C. | Broadwell, ZhangJiang, Knights Landing, Zen 1, Gracemont |
RDSEED r64 | NFx REX.W 0F C7 /7 | | |
The RDRAND and RDSEED instructions may fail to obtain and return a random number if the CPU's random number generators cannot keep up with the issuing of these instructions. If this happens, software may retry the instructions (although the number of retries should be limited, in order to ensure forward progress [1]). The instructions set EFLAGS.CF to 1 if a random number was successfully obtained and 0 otherwise. Failure to obtain a random number will also set the instruction's destination register to 0.
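The retry discipline just described, as an added example in C (not from the article): a bounded RDRAND loop that keys off EFLAGS.CF, preceded by a CPUID feature check, plus a constructed flaky source so the retry path can be exercised on any machine. The limit of 10 retries is the one Intel's DRNG software implementation guide recommends; the function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
/* One RDRAND attempt, following the ISA contract: on success the CPU sets
   EFLAGS.CF=1 and writes the value; on failure it sets CF=0 and writes 0. */
typedef bool (*rng_step_fn)(uint64_t *out);

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
/* CPUID.01H:ECX bit 30 advertises RDRAND; executing it on a CPU without the
   feature raises #UD, so the check comes first. */
bool cpu_has_rdrand(void)
{
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && (c & (1u << 30)) != 0;
}
bool rdrand64_step(uint64_t *out)
{
    unsigned char cf;
    if (!cpu_has_rdrand()) { *out = 0; return false; }
    /* REX.W 0F C7 /6; SETC captures EFLAGS.CF right after the instruction */
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=q"(cf) : : "cc");
    return cf != 0;
}
#else
bool rdrand64_step(uint64_t *out) { *out = 0; return false; }  /* not x86-64 */
#endif

/* Constructed stand-in for the hardware source, used to exercise the retry
   logic deterministically: fails flaky_fail_budget times, then succeeds. */
unsigned flaky_fail_budget = 0, flaky_calls = 0;
bool flaky_step(uint64_t *out)
{
    flaky_calls++;
    if (flaky_fail_budget > 0) { flaky_fail_budget--; *out = 0; return false; }
    *out = 0x0123456789abcdefULL;   /* constructed "random" value */
    return true;
}

/* Bounded retry. Intel's DRNG software implementation guide recommends at most
   10 retries for RDRAND; an unbounded loop gives up forward progress if the
   DRNG is faulty, so callers treat 'false' as a hard error, never as "use 0". */
bool rng_get_u64(rng_step_fn step, unsigned max_tries, uint64_t *out)
{
    for (unsigned i = 0; i < max_tries; i++)
        if (step(out))
            return true;
    *out = 0;
    return false;
}
int main(void)
{
    uint64_t v;
    return rng_get_u64(rdrand64_step, 10, &v) ? 0 : 1;
}
```

RDSEED (encoded 0F C7 /7) follows the same CF contract and can be wired in as another rng_step_fn; since it is the slower seed-grade source, a retry loop for it should also back off rather than spin.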
The SHA extensions add 7 new instructions:
Instruction | Encoding | Description |
---|---|---|
SHA1RNDS4 xmm1,xmm2/m128,imm8 | NP 0F 3A CC /r ib | Perform Four Rounds of SHA1 Operation |
SHA1NEXTE xmm1,xmm2/m128 | NP 0F 38 C8 /r | Calculate SHA1 State Variable E after Four Rounds |
SHA1MSG1 xmm1,xmm2/m128 | NP 0F 38 C9 /r | Perform an Intermediate Calculation for the Next Four SHA1 Message Dwords |
SHA1MSG2 xmm1,xmm2/m128 | NP 0F 38 CA /r | Perform a Final Calculation for the Next Four SHA1 Message Dwords |
SHA256RNDS2 xmm1,xmm2/m128,<XMM0> | NP 0F 38 CB /r | Perform Two Rounds of SHA256 Operation |
SHA256MSG1 xmm1,xmm2/m128 | NP 0F 38 CC /r | Perform an Intermediate Calculation for the Next Four SHA256 Message Dwords |
SHA256MSG2 xmm1,xmm2/m128 | NP 0F 38 CD /r | Perform a Final Calculation for the Next Four SHA256 Message Dwords |
The Key Locker instructions, available in Tiger Lake and later Intel processors, are designed to enable encryption/decryption with an AES key without software having access to any unencrypted copy of the key during the actual encryption/decryption process.
Instruction | Encoding | Description | Notes |
---|---|---|---|
LOADIWKEY xmm1,xmm2 | F3 0F 38 DC /r | Load internal wrapping key ("IWKey") from xmm1, xmm2 and XMM0. | The two explicit operands (which must be register operands) specify a 256-bit encryption key. The implicit operand in XMM0 specifies a 128-bit integrity key. EAX contains flags controlling operation of the instruction. After being loaded, the IWKey cannot be directly read from software, but is used for the key wrapping done by |
ENCODEKEY128 r32,r32 | F3 0F 38 FA /r | Wrap a 128-bit AES key from XMM0 into a 384-bit key handle and output handle in XMM0-2. | Source operand specifies handle restrictions to build into the handle. Destination operand is initialized with information about the source and attributes of the key. These instructions may also modify XMM4-6 (zeroed out in existing implementations, but this should not be relied on). |
ENCODEKEY256 r32,r32 | F3 0F 38 FB /r | Wrap a 256-bit AES key from XMM1:XMM0 into a 512-bit key handle and output handle in XMM0-3. | |
AESENC128KL xmm,m384 | F3 0F 38 DC /r | Encrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. | All of the Key Locker encode/decode instructions will check whether the handle is valid for the current IWKey and encode/decode data only if the handle is valid. These instructions will set the ZF flag to indicate whether the provided handle was valid (ZF=0) or not (ZF=1). |
AESDEC128KL xmm,m384 | F3 0F 38 DD /r | Decrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. | |
AESENC256KL xmm,m512 | F3 0F 38 DE /r | Encrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. | |
AESDEC256KL xmm,m512 | F3 0F 38 DF /r | Decrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. | |
AESENCWIDE128KL m384 | F3 0F 38 D8 /0 | Encrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register. | |
AESDECWIDE128KL m384 | F3 0F 38 D8 /1 | Decrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register. | |
AESENCWIDE256KL m512 | F3 0F 38 D8 /2 | Encrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. | |
AESDECWIDE256KL m512 | F3 0F 38 D8 /3 | Decrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. |
The VIA/Zhaoxin PadLock instructions are designed to apply cryptographic primitives in bulk, similar to the 8086 repeated string instructions. As such, unless otherwise specified, they take, as applicable, pointers to source data in ES:rSI and destination data in ES:rDI, and a data-size or count in rCX. Like the old string instructions, they are all designed to be interruptible.
Instruction | Encoding | Description | Added in |
---|---|---|---|
XSTORE | NFx 0F A7 C0 | Store random bytes to ES:[rDI], and increment ES:rDI accordingly. XSTORE will store currently-available bytes, which may be from 0 to 8 bytes. REP XSTORE will write the number of random bytes specified by rCX, waiting for the random number generator when needed. EDX specifies a "quality factor". | Nehemiah (stepping 3) |
REP XSTORE | F3 0F A7 C0 | | |
REP XCRYPTECB | F3 0F A7 C8 | Encrypt/Decrypt data, using the AES cipher in various block modes (ECB, CBC, CFB, OFB and CTR, respectively). rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rAX a pointer to an initialization vector for block modes that need it, and rDX a pointer to a control word. | Nehemiah (stepping 8) |
REP XCRYPTCBC | F3 0F A7 D0 | | |
REP XCRYPTCFB | F3 0F A7 E0 | | |
REP XCRYPTOFB | F3 0F A7 E8 | | |
REP XCRYPTCTR | F3 0F A7 D8 | | C7 "Esther" [2] |
REP XSHA1 | F3 0F A6 C8 | Compute a cryptographic hash (using the SHA-1 and SHA-256 functions, respectively). ES:rSI points to data to compute a hash for, ES:rDI points to a message digest and rCX specifies the number of bytes. rAX should be set to 0 at the start of a calculation. | Esther |
REP XSHA256 | F3 0F A6 D0 | | |
REP MONTMUL | F3 0F A6 C0 | Perform Montgomery Multiplication. Takes an operand width in ECX (given as a number of bits – must be in range 256..32768 and divisible by 128) and a pointer to a data structure in ES:ESI. | Esther |
CCS_HASH | F3 0F A6 E8 | Compute SM3 hash, similar to the REP XSHA* instructions. The rBX register is used to specify the hash function (20h for SM3 being the only documented value). | ZhangJiang |
CCS_ENCRYPT | F3 0F A7 F0 | Encrypt/Decrypt data, using the SM4 cipher in various block modes. rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rDX a pointer to an initialization vector for block modes that need it, and rAX contains a control word. | |
The control word for the REP XCRYPT* instructions (pointed to by rDX) is a 128-bit data structure with the following layout:
Bits | Usage |
---|---|
3:0 | AES round count |
4 | Digest mode enable (ACE2 only) |
5 | 1=allow data that is not 16-byte aligned (ACE2 only) |
6 | Cipher: 0=AES, 1=undefined |
7 | Key schedule: 0=compute (128bit key only), 1=load from memory |
8 | 0=normal, 1=intermediate-result |
9 | 0=encrypt, 1=decrypt |
11:10 | Key size: 00=128bit, 01=192bit, 10=256bit, 11=reserved |
127:12 | Reserved, set to 0 |
ACE2 adds two extensions to the REP XCRYPT instructions: a digest mode for the CBC and CFB instructions, and the ability to use input/output data that are not 16-byte aligned for the non-ECB instructions.
Starting the REP XSHA* instructions with a special value in rAX (rather than 0) enables an alternate operation mode, where rCX specifies the number of 64-byte blocks and where the standard FIPS-180-2 length extension procedure at the end of the hash calculation is omitted. This makes for a variant more suitable for data streaming than the original EAX=0 variant. [3] This functionality also exists for CCS_HASH.
The data structure pointed to by ES:ESI for REP MONTMUL contains six 32-bit elements, where the first one is a negated modular inverse of the bottom 32 bits of the modulus and the remaining 5 are pointers to various memory buffers:
Offset | Data item |
---|---|
0 | Negated modular inverse |
4 | Pointer to first multiplicand |
8 | Pointer to second multiplicand |
12 | Pointer to result buffer |
16 | Pointer to modulus |
20 | Pointer to 32-byte scratchpad |
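An added example in C (not from the article or from VIA's documentation) of how the first element of this structure is derived and where it is used: computing -N^-1 mod 2^32 by Newton iteration, a single-word Montgomery product that consumes it, and helpers for the ECX width rule and for filling the six dwords. The function names and the 32-bit sample addresses in the test are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Operand width rule for ECX from the table: 256..32768 bits, divisible by 128. */
bool montmul_width_ok(unsigned bits)
{
    return bits >= 256 && bits <= 32768 && bits % 128 == 0;
}

/* The dword at offset 0: -(N^-1) mod 2^32, N being the bottom 32 bits of the
   modulus, which must be odd. Newton's iteration x <- x*(2 - N*x) doubles the
   number of correct low bits per step; x = N starts correct to 3 bits because
   N*N == 1 (mod 8) for odd N, so four steps give 48 >= 32 correct bits. */
uint32_t mont_neg_inv32(uint32_t n)
{
    uint32_t x = n;
    for (int i = 0; i < 4; i++)
        x *= 2u - n * x;
    return 0u - x;
}

/* Single-word Montgomery product a*b*R^-1 mod n with R = 2^32, spelled out to
   show where the negated inverse is consumed: m = t*(-n^-1) mod 2^32 makes
   t + m*n divisible by R, so the division by R is a shift. Assumption: n < 2^31
   keeps t + m*n within 64 bits; the hardware works on multi-word operands. */
uint32_t montmul32(uint32_t a, uint32_t b, uint32_t n, uint32_t neg_inv)
{
    uint64_t t = (uint64_t)a * b;
    uint32_t m = (uint32_t)t * neg_inv;
    uint64_t u = (t + (uint64_t)m * n) >> 32;   /* u < 2n */
    return (uint32_t)(u >= n ? u - n : u);
}

/* Fill the six dwords (offsets 0, 4, ..., 20) that ES:ESI points to. The
   pointers are 32-bit because the instruction is defined around ESI/ECX. */
bool montmul_fill_ctx(uint32_t ctx[6], uint32_t modulus_low_dword,
                      uint32_t a_addr, uint32_t b_addr, uint32_t result_addr,
                      uint32_t modulus_addr, uint32_t scratch_addr)
{
    if ((modulus_low_dword & 1) == 0)
        return false;                   /* even modulus: no inverse exists */
    ctx[0] = mont_neg_inv32(modulus_low_dword);
    ctx[1] = a_addr;       ctx[2] = b_addr;        ctx[3] = result_addr;
    ctx[4] = modulus_addr; ctx[5] = scratch_addr;  /* scratch is 32 bytes */
    return true;
}
```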
The CCS_ENCRYPT control word in rAX has the following format:
Bits | Usage |
---|---|
0 | 0=Encrypt, 1=Decrypt |
5:1 | Must be 10000b for SM4. |
6 | ECB block mode |
7 | CBC block mode |
8 | CFB block mode |
9 | OFB block mode |
10 | CTR block mode |
11 | Digest enable |
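An added example in C (not from the article or from VIA/Zhaoxin documentation) that assembles both control words described above, the 128-bit REP XCRYPT* control word and the CCS_ENCRYPT word in rAX, while rejecting the combinations the tables rule out. Function and constant names are this example's own, and the one-mode-bit-at-a-time rule for CCS_ENCRYPT is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit positions from the REP XCRYPT* control-word table. Only the low 32 bits
   carry information; bits 127:12 are reserved, so the caller places this value
   in the first dword of a zeroed 16-byte buffer that rDX points to. */
enum { XCRYPT_ACE2_DIGEST = 1u << 4, XCRYPT_ACE2_UNALIGNED = 1u << 5,
       XCRYPT_KEY_FROM_MEM = 1u << 7, XCRYPT_INTERMEDIATE = 1u << 8,
       XCRYPT_DECRYPT = 1u << 9, XCRYPT_KEY_SIZE_SHIFT = 10 };

/* Returns false for combinations the layout forbids: key size 11b is reserved,
   the round count must match the AES key size (10/12/14), and the CPU computes
   the key schedule itself only for 128-bit keys (bit 7 = 0). */
bool xcrypt_control_word(unsigned key_bits, bool decrypt, bool schedule_in_mem,
                         bool intermediate, bool ace2_digest,
                         bool ace2_unaligned, uint32_t *cw)
{
    uint32_t rounds, key_size;
    switch (key_bits) {
    case 128: rounds = 10; key_size = 0; break;
    case 192: rounds = 12; key_size = 1; break;
    case 256: rounds = 14; key_size = 2; break;
    default:  return false;
    }
    if (key_bits != 128 && !schedule_in_mem) return false;
    uint32_t w = rounds | (key_size << XCRYPT_KEY_SIZE_SHIFT);
    if (decrypt)         w |= XCRYPT_DECRYPT;
    if (schedule_in_mem) w |= XCRYPT_KEY_FROM_MEM;
    if (intermediate)    w |= XCRYPT_INTERMEDIATE;
    if (ace2_digest)     w |= XCRYPT_ACE2_DIGEST;
    if (ace2_unaligned)  w |= XCRYPT_ACE2_UNALIGNED;
    *cw = w;
    return true;
}

/* CCS_ENCRYPT control word in rAX. Bits 5:1 must be 10000b for SM4; the block
   mode is a flag bit rather than a separate opcode as with XCRYPT. Assumption:
   exactly one of the five mode bits may be set at a time. */
enum { CCS_ECB = 1u << 6, CCS_CBC = 1u << 7, CCS_CFB = 1u << 8,
       CCS_OFB = 1u << 9, CCS_CTR = 1u << 10, CCS_DIGEST = 1u << 11 };

bool ccs_control_word(uint32_t mode_bit, bool decrypt, bool digest, uint32_t *cw)
{
    const uint32_t modes = CCS_ECB | CCS_CBC | CCS_CFB | CCS_OFB | CCS_CTR;
    if (mode_bit == 0 || (mode_bit & ~modes) || (mode_bit & (mode_bit - 1)))
        return false;
    *cw = (decrypt ? 1u : 0u) | (0x10u << 1) | mode_bit | (digest ? CCS_DIGEST : 0u);
    return true;
}
```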