32.1-2Scalar Crypto I: The Zk* Extension Map

Part III Linux boot: optional Vol. I (Unprivileged) pp. 382–389 · ~2 min read

Scalar cryptography brings AES, SHA-2, SM4/SM3, and an entropy source to cores without vector units — every instruction using x-registers under the standard 2-read-1-write constraint, from IoT microcontrollers to application cores. The family tree:

The Zk* extensions
Contents
Zbkb / Zbkc / ZbkxThe crypto bitmanip substrate — rotates/pack/brev8/zip, clmul/clmulh, xperm4/8 — defined with the bitmanip chapter (u30). Present in BOTH algorithm suites.
Zkne — AES encryptionRV32: aes32esi/aes32esmi (byte-per-op, bs immediate); RV64: aes64es/aes64esm + the shared key-schedule pair aes64ks1i/aes64ks2.
Zknd — AES decryptionRV32: aes32dsi/aes32dsmi; RV64: aes64ds/aes64dsm/aes64im + the same key-schedule pair.
Zknh — SHA-2sha256sig0/1, sha256sum0/1 everywhere; SHA-512 natively on RV64 (sha512sig0/1, sum0/1) and as high/low half-operations on RV32 (sig0h/l, sig1h/l, sum0r/sum1r).
Zksed / Zksh — ShangMiSM4 block cipher (sm4ed/sm4ks — one extension, since SM4 encrypts and decrypts with the same core op) and SM3 hash (sm3p0/sm3p1).
Zkr — entropy sourceThe seed CSR (0x015): 16 physical entropy bits per successful read.
Zkn / Zks / ZkSuites: Zkn = bitmanip trio + AES + SHA2 (NIST); Zks = trio + SM4 + SM3 (ShangMi); Zk = Zkn + Zkr + Zkt.
Zkt — constant-time contractA LIST of instructions whose execution latency must be independent of data operand values.
Dotted-underlined cells have explanations — click one.

The deeper motive everywhere: SBoxes in instructions are constant-time by construction. A memory S-box lookup indexed by secret data leaks through cache timing; an S-box inside the ALU cannot. Zkt later turns that into an architectural contract.

Hardware Designer Notes

The scalar crypto pages that follow: the instruction reference (six pages), the entropy source, Zkt’s contract, and the rationale appendices. Everything is small silicon — the full Zkn adds roughly an integer multiplier’s worth of gates.

Minimal Linux-boot hart MUST

  • Pick suites by market: Zkn for global internet devices, Zks for China deployment, both where needed — the bitmanip trio is shared silicon
  • Plan the AES SBox as shared combinational logic (encrypt and inverse share structure; the literature on compact AES SBoxes is the reference)

MAY simplify / trap-and-emulate

  • Skip all of this for a Linux-boot v1 — kernel crypto falls back to soft implementations; add Zkn when TLS throughput matters (RVA23 asks for vector crypto OR scalar as options)
  • Implement Zkne without Zknd for encrypt-only (GCM) devices

Check yourself — scalar crypto overview

1.Why are AES encryption (Zkne) and decryption (Zknd) separate extensions?

2.What do the umbrella extensions Zkn, Zks, and Zk bundle?

3.Why do scalar AES instructions exist at all when the SBox could be a lookup table in memory?

3 questions