32.3.43-49Scalar Crypto VII: SM4 & the Reference Tail

Part III Linux boot: optional Vol. I (Unprivileged) pp. 430–436 · ~2 min read

The ShangMi block cipher and the last crypto-bitmanip entries.

SM4 (Zksed) and the reference tail
OperationIn
sm4ed rd, rs1, rs2, bsSM4 round: extract a byte of rs2 (bs), apply the SM4 SBox + the linear layer L (x ^ x<<2 ^ x<<10 ^ x<<18 ^ x<<24), rotate by bs·8, XOR into rs1 — a T-table cast as constant-time logic. Four per round word.Zksed
sm4ks rd, rs1, rs2, bsKey schedule: same SBox but the L′ key-expansion linear layer (different rotate constants).Zksed
unzip / zip / xnorRV32 bit de/interleave (64-bit permutation emulation) and inverted XOR — Zbkb.Zbkb (u30)
xperm8 / xperm4Byte/nibble crossbar lookups — the constant-time, DPA-resistant way to build any cipher’s SBox in registers.Zbkx (u30)
Dotted-underlined cells have explanations — click one.

Both AES and SM4 share the byte-select + rotate + XOR-accumulate structure — a “T-table in hardware” that fuses substitution and diffusion into one constant-time instruction, replacing the memory tables that leak through cache timing. xperm4/xperm8 generalize the same idea for ciphers the ISA doesn’t accelerate directly.

Hardware Designer Notes

That completes the instruction reference. The remaining crypto pages cover the two features that make these instructions trustworthy: the entropy source that seeds keys, and Zkt’s architectural constant-time guarantee.

Minimal Linux-boot hart MUST

  • Build the SM4 SBox as its own combinational block (distinct from AES — different field, different affine), constant-time
  • Implement the two linear layers (L for sm4ed, L′ for sm4ks) as fixed rotate-XOR spreads on the SBox output
  • Reuse the byte-select/rotate/accumulate datapath shared with the AES32 instructions

MAY simplify / trap-and-emulate

  • Omit Zksed/Zksh outside Chinese-market designs; the xperm/bitmanip tail still serves generic constant-time crypto
  • Share the T-table datapath skeleton across AES and SM4, swapping only the SBox and linear-layer constants

Check yourself — SM4 & the reference tail

1.Why does SM4 need only ONE encrypt/decrypt instruction (sm4ed) plus one key-schedule (sm4ks), unlike AES's separate Zkne/Zknd?

2.sm4ed applies 'a T-table in hardware' approach. What does that mean structurally?

3.The reference tail (unzip, xnor, xperm8, xperm4, zip) closes the alphabetical listing. What are these to the crypto suites?

3 questions