33.3.15-18Vector Crypto VII: GCM/GMAC & Byte-Reverse

Part III Linux boot: optional Vol. I (Unprivileged) pp. 517–523 · ~2 min read

The Galois/Counter Mode authentication instructions (Zvkg) — the partner to vector AES for the internet’s dominant AEAD cipher — plus vrev8 and vctz.

GCM/GMAC (Zvkg, 128-bit element groups) and helpers
OperationIn
vghsh.vvGHASH multiply-accumulate: state ← (state ⊕ input) · H over GF(2^128), per element group. The core authentication step.Zvkg
vgmul.vvGHASH multiply only: state ← state · H over GF(2^128).Zvkg
vrev8.vReverse byte order per element — GHASH needs specific bit/byte reflection; pairs with vbrev8.Zvbb / Zvkb
vctz.vPer-element count trailing zeros (completes the Zvbb count trio).Zvbb
Dotted-underlined cells have explanations — click one.

Hardware Designer Notes

The GF(2^128) multiplier-plus-reducer is the area cost of dedicated GCM — bigger than a plain clmul but eliminating the reduction instructions. For a kTLS/IPsec server it pays for itself in instruction count; for a general core, Zvbc’s clmul is the flexible choice. Either way, AES + GHASH interleaved is the AES-GCM throughput story.

Minimal Linux-boot hart MUST

  • vghsh/vgmul: a full GF(2^128) carry-less multiplier + reduction network per 128-bit lane group, data-independent latency
  • Get the GHASH bit/byte reflection convention exact (vbrev8/vrev8 feed it) — a reflection bug silently breaks authentication

MAY simplify / trap-and-emulate

  • Share the carry-less multiplier between vghsh and vclmul if implementing both Zvkg and Zvbc
  • Implement Zvknc (clmul + software reduction) instead of Zvkg for a smaller, more general core

Check yourself — GCM/GMAC instructions

1.vghsh.vv and vgmul.vv (Zvkg) operate on 128-bit element groups. What's the GCM operation they implement?

2.How do the dedicated vghsh/vgmul compare to building GHASH from vclmul/vclmulh?

2 questions