The Galois/Counter Mode authentication instructions (Zvkg) — the partner to vector AES for the internet’s dominant AEAD cipher — plus vrev8 and vctz.
| Operation | In | |
|---|---|---|
| vghsh.vv | GHASH multiply-accumulate: state ← (state ⊕ input) · H over GF(2^128), per element group. The core authentication step. | Zvkg |
| vgmul.vv | GHASH multiply only: state ← state · H over GF(2^128). | Zvkg |
| vrev8.v | Reverse byte order per element — GHASH needs specific bit/byte reflection; pairs with vbrev8. | Zvbb / Zvkb |
| vctz.v | Per-element count trailing zeros (completes the Zvbb count trio). | Zvbb |
Hardware Designer Notes
The GF(2^128) multiplier-plus-reducer is the area cost of dedicated GCM — bigger than a plain clmul but eliminating the reduction instructions. For a kTLS/IPsec server it pays for itself in instruction count; for a general core, Zvbc’s clmul is the flexible choice. Either way, AES + GHASH interleaved is the AES-GCM throughput story.
Minimal Linux-boot hart MUST
- vghsh/vgmul: a full GF(2^128) carry-less multiplier + reduction network per 128-bit lane group, data-independent latency
- Get the GHASH bit/byte reflection convention exact (vbrev8/vrev8 feed it) — a reflection bug silently breaks authentication
MAY simplify / trap-and-emulate
- Share the carry-less multiplier between vghsh and vclmul if implementing both Zvkg and Zvbc
- Implement Zvknc (clmul + software reduction) instead of Zvkg for a smaller, more general core
Check yourself — GCM/GMAC instructions
1.vghsh.vv and vgmul.vv (Zvkg) operate on 128-bit element groups. What's the GCM operation they implement?
2.How do the dedicated vghsh/vgmul compare to building GHASH from vclmul/vclmulh?