VIA PadLock

Last updated June 17, 2024

VIA PadLock is a central processing unit (CPU) instruction set extension to the x86 microprocessor instruction set architecture (ISA) found on processors produced by VIA Technologies and Zhaoxin. Introduced in 2003 with the VIA Centaur CPUs, the additional instructions provide hardware-accelerated random number generation (RNG), Advanced Encryption Standard (AES), SHA-1, SHA256, and Montgomery modular multiplication.^[1]^[2]

Instructions

The PadLock instruction set can be divided into four subsets:^[1]

Random number generation (RNG)
- XSTORE: Store Available Random Bytes (aka XSTORERNG)
- REP XSTORE: Store ECX Random Bytes
Advanced cryptography engine (ACE) - for AES crypto; two versions
- REP XCRYPTECB: Electronic code book
- REP XCRYPTCBC: Cipher Block Chaining
- REP XCRYPTCTR: Counter Mode (ACE2)
- REP XCRYPTCFB: Cipher Feedback Mode
- REP XCRYPTOFB: Output Feedback Mode
SHA hash engine (PHE)
- REP XSHA1: Hash Function SHA-1
- REP XSHA256: Hash Function SHA-256
Montgomery multiplier (PMM)
- REP MONTMUL

The padlock capability is indicated via a CPUID instruction with EAX = 0xC0000000. If the resultant EAX >= 0xC0000001, the CPU is aware of Centaur features. An additional request with EAX = 0xC0000001 then returns PadLock support in EDX. The padlock capability can be toggled on or off with MSR 0X1107.^[1]

VIA PadLock found on some Zhaoxin CPUs have SM3 hashing and SM4 block cipher added.^[3]

CPUs with PadLock

All VIA Nano CPUs support SHA, AES, and RNG.
All VIA Eden CPUs since 2003 (C3 Nehemiah) support AES and RNG. All these released since 2006 support AES, RNG, SHA, and PMM.
All VIA C7 CPUs support AES, RNG, SHA, and PMM.

Supporting software

Linux kernel since 2.6.11 has PadLock AES. PadLock SHA was introduced in 2.6.19. These are handled as "hardware crypto devices".^[4]
FreeBSD, NetBSD and OpenBSD support PadLock.^[5]
OpenSSL supports PadLock AES and SHA since 2004 (0.9.7f/0.9.8a).^[6]
GNU assembler supports PadLock since 2004.^[7]

Related Research Articles

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

In cryptography, padding is any of a number of distinct practices which all include adding data to the beginning, middle, or end of a message prior to encryption. In classical cryptography, padding may include adding nonsense phrases to a message to obscure the fact that many messages end in predictable ways, e.g. sincerely yours.

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

Fortuna is a cryptographically secure pseudorandom number generator (CS-PRNG) devised by Bruce Schneier and Niels Ferguson and published in 2003. It is named after Fortuna, the Roman goddess of chance. FreeBSD uses Fortuna for /dev/random and /dev/urandom is symbolically linked to it since FreeBSD 11. Apple OSes have switched to Fortuna since 2020 Q1.

Crypto API is a cryptography framework in the Linux kernel, for various parts of the kernel that deal with cryptography, such as IPsec and dm-crypt. It was introduced in kernel version 2.5.45 and has since expanded to include essentially all popular block ciphers and hash functions.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

Centaur Technology was an x86 CPU design company started in 1995 and subsequently a wholly owned subsidiary of VIA Technologies. In 2015, the documentary Rise of the Centaur covered the early history of the company. The company was broken up in 2021.

EAX mode (encrypt-then-authenticate-then-translate) is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data (AEAD) algorithm designed to simultaneously provide both authentication and privacy of the message with a two-pass scheme, one pass for achieving privacy and one for authenticity for each block.

In the x86 architecture, the CPUID instruction is a processor supplementary instruction allowing software to discover details of the processor. It was introduced by Intel in 1993 with the launch of the Pentium and SL-enhanced 486 processors.

CryptGenRandom is a deprecated cryptographically secure pseudorandom number generator function that is included in Microsoft CryptoAPI. In Win32 programs, Microsoft recommends its use anywhere random number generation is needed. A 2007 paper from Hebrew University suggested security problems in the Windows 2000 implementation of CryptGenRandom. Microsoft later acknowledged that the same problems exist in Windows XP, but not in Vista. Microsoft released a fix for the bug with Windows XP Service Pack 3 in mid-2008.

<span class="mw-page-title-main">Cryptographic accelerator</span> Co-processor optimized for cryptographic operations

In computing, a cryptographic accelerator is a co-processor designed specifically to perform computationally intensive cryptographic operations, doing so far more efficiently than the general-purpose CPU. Because many servers' system loads consist mostly of cryptographic operations, this can greatly increase performance.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

An AES instruction set is a set of instructions that are specifically designed to perform AES encryption and decryption operations efficiently. These instructions are typically found in modern processors and can greatly accelerate AES operations compared to software implementations. An AES instruction set includes instructions for key expansion, encryption, and decryption using various key sizes.

In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in the word size. ChaCha operates on a 4×4 array of words. BLAKE repeatedly combines an 8-word hash value with 16 message words, truncating the ChaCha result to obtain the next hash value. BLAKE-256 and BLAKE-224 use 32-bit words and produce digest sizes of 256 bits and 224 bits, respectively, while BLAKE-512 and BLAKE-384 use 64-bit words and produce digest sizes of 512 bits and 384 bits, respectively.

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. It is also known as Intel Secure Key Technology, codenamed Bull Mountain. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015.

ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

References

1 2 3 "VIA PadLock Programming Guide". August 4, 2005. Archived from the original on May 26, 2010.
↑ "VIA PadLock - Wicked Fast Encryption". www.logix.cz.
↑ "Kaixian ZX-C+ Series 4-core CPU". Shanghai Zhaoxin Semiconductor Co., Ltd.
↑ "VIA PadLock support for Linux". www.logix.cz.
↑ padlock(4) – FreeBSD Kernel Interfaces Manual
↑ "openssl/engines/e_padlock.c". GitHub. 26 November 2022.
↑ "Added new instructions for next version of VIA PadLock core. · bminor/binutils-gdb@30d1c83". GitHub.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[doc-1] 1 2 3 "VIA PadLock Programming Guide". August 4, 2005. Archived from the original on May 26, 2010.

[2] "VIA PadLock - Wicked Fast Encryption". www.logix.cz.

[3] "Kaixian ZX-C+ Series 4-core CPU". Shanghai Zhaoxin Semiconductor Co., Ltd.

[4] "VIA PadLock support for Linux". www.logix.cz.

[5] padlock(4) – FreeBSD Kernel Interfaces Manual

[6] "openssl/engines/e_padlock.c". GitHub. 26 November 2022.

[7] "Added new instructions for next version of VIA PadLock core. · bminor/binutils-gdb@30d1c83". GitHub.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

v t e VIA Technologies
Lists	Microprocessors Chipsets Nano Eden C7 C3
Products	VIA Nano VIA Eden VIA CoreFusion VIA C7 VIA C3 Cyrix III
See also	VIA PadLock Centaur Technology WonderMedia Zhaoxin JV

v t e Instruction set extensions
SIMD (RISC)	Alpha MVI ARM NEON SVE MIPS MDMX MIPS-3D MXU MIPS SIMD PA-RISC MAX Power ISA VMX SPARC VIS
SIMD (x86)	MMX (1996) 3DNow! (1998) SSE (1999) SSE2 (2001) SSE3 (2004) SSSE3 (2006) SSE4 (2006) SSE5 ~~(2007)~~ AVX (2008) F16C (2009) XOP (2009) FMA (FMA4: 2011, FMA3: 2012) AVX2 (2013) AVX-512 (2015) AMX (2022) AVX10 (2023)
Bit manipulation	BMI (ABM: 2007, BMI1: 2012, BMI2: 2013, TBM: 2012) ADX (2014)
Compressed instructions	Thumb MIPS16e ASE RVC
Security and cryptography	PadLock (2003) AES-NI (2008); ARMv8 also has AES instructions CLMUL (2010) RDRAND (2012) SHA (2013) MPX (2015) SGX (2015) TDX (2021)
Transactional memory	TSX (2013) ASF
Virtualization	VT-x (2005) AMD-V (2006) VT-d (AMD-Vi)
Suspended extensions' dates are ~~struck through~~.

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics, Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE
Utilization	Initialization vector Mode of operation Padding