Instructions that have been added to the x86 instruction set in order to assist efficient calculation of cryptographic primitives, such as e.g. AES encryption, SHA hash calculation and random number generation.
See main article: AES instruction set. 6 new instructions.
| Instruction | Encoding | Description | |
|---|---|---|---|
AESENC xmm1,xmm2/m128 | 66 0F 38 DC /r | Perform one round of an AES encryption flow | |
AESENCLAST xmm1,xmm2/m128 | 66 0F 38 DD /r | Perform the last round of an AES encryption flow | |
AESDEC xmm1,xmm2/m128 | 66 0F 38 DE /r | Perform one round of an AES decryption flow | |
AESDECLAST xmm1,xmm2/m128 | 66 0F 38 DF /r | Perform the last round of an AES decryption flow | |
| Assist in AES round key generation | |||
AESIMC xmm1,xmm2/m128 | 66 0F 38 DB /r | Assist in AES Inverse Mix Columns |
See main article: CLMUL instruction set.
| Instruction | Opcode | Description | |
|---|---|---|---|
| Perform a carry-less multiplication of two 64-bit polynomials over the finite field GF(2k). | |||
PCLMULLQLQDQ xmm1,xmm2/m128 | Multiply the low halves of the two 128-bit operands. | ||
PCLMULHQLQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 01 | Multiply the high half of the destination register by the low half of the source operand. | |
PCLMULLQHQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 10 | Multiply the low half of the destination register by the high half of the source operand. | |
PCLMULHQHQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 11 | Multiply the high halves of the two 128-bit operands. |
See main article: RDRAND.
| Instruction | Encoding | Description | Added in |
|---|---|---|---|
RDRAND r16RDRAND r32 | NFx 0F C7 /6 | Return a random number that has been generated with a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) compliant with | Ivy Bridge, Excavator, Puma, ZhangJiang, Gracemont |
RDSEED r16RDSEED r32 | NFx 0F C7 /7 | Return a random number that has been generated with a HRNG/TRNG (Hardware/"True" Random Number Generator) compliant with | Broadwell, ZhangJiang, Zen 1, Gracemont |
See main article: Intel SHA extensions. 7 new instructions.
| Instruction | Encoding | Description | |
|---|---|---|---|
| Perform Four Rounds of SHA1 Operation | |||
SHA1NEXTE xmm1,xmm2/m128 | NP 0F 38 C8 /r | Calculate SHA1 State Variable E after Four Rounds | |
SHA1MSG1 xmm1,xmm2/m128 | NP 0F 38 C9 /r | Perform an Intermediate Calculation for the Next Four SHA1 Message Dwords | |
SHA1MSG2 xmm1,xmm2/m128 | NP 0F 38 CA /r | Perform a Final Calculation for the Next Four SHA1 Message Dwords | |
SHA256RNDS2 xmm1,xmm2/m128,<XMM0> | NP 0F 38 CB /r | Perform Two Rounds of SHA256 Operation | |
SHA256MSG1 xmm1,xmm2/m128 | NP 0F 38 CC /r | Perform an Intermediate Calculation for the Next Four SHA256 Message Dwords | |
SHA256MSG2 xmm1,xmm2/m128 | NP 0F 38 CD /r | Perform a Final Calculation for the Next Four SHA256 Message Dwords |
These instructions, available in Tiger Lake and later Intel processors, are designed to enable encryption/decryption with an AES key without having access to any unencrypted copies of the key during the actual encryption/decryption process.
| Instruction | Encoding | Description | Notes |
|---|---|---|---|
LOADIWKEY xmm1,xmm2 | Load internal wrapping key ("IWKey") from xmm1, xmm2 and XMM0. | The two explicit operands (which must be register operands) specify a 256-bit encryption key. The implicit operand in XMM0 specifies a 128-bit integrity key. EAX contains flags controlling operation of instruction.After being loaded, the IWKey cannot be directly read from software, but is used for the key wrapping done by
| |
ENCODEKEY128 r32,r32 | F3 0F 38 FA /r | Wrap a 128-bit AES key from XMM0 into a 384-bit key handle and output handle in XMM0-2. | Source operand specifies handle restrictions to build into the handle. Destination operand is initialized with information about the source and attributes of the key. These instruction may also modify XMM4-6 (zeroed out in existing implementations, but this should not be relied on). |
ENCODEKEY256 r32,r32 | F3 0F 3A FB /r | Wrap a 256-bit AES key from XMM1:XMM0 into a 512-bit key handle and output handle in XMM0-3. | |
AESENC128KL xmm,m384 | F3 0F 38 DC /r | Encrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. | All of the Key Locker encode/decode instructions will check whether the handle is valid for the current IWKey and encode/decode data only if the handle is valid. These instructions will set the ZF flag to indicate whether the provided handle was valid (ZF=0) or not (ZF=1). |
F3 0F 38 DD /r | Decrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. | ||
AESENC256KL xmm,m512 | F3 0F 38 DE /r | Encrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. | |
AESDEC256KL xmm,m512 | F3 0F 38 DF /r | Decrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. | |
AESENCWIDE128KL m384 | F3 0F 38 D8 /0 | Encrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register. | |
F3 0F 38 D8 /1 | Decrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register. | ||
AESENCWIDE256KL m512 | F3 0F 38 D8 /2 | Encrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. | |
AESDECWIDE256KL m512 | F3 0F 38 D8 /3 | Decrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. |
See main article: VIA PadLock. The VIA/Zhaoxin PadLock instructions are instructions designed to apply cryptographic primitives in bulk, similar to the 8086 repeated string instructions. As such, unless otherwise specified, they take, as applicable, pointers to source data in ES:rSI and destination data in ES:rDI, and a data-size or count in rCX. Like the old string instructions, they are all designed to be interruptible.
| Padlock subset | Instruction | Encoding | Description | Added in |
|---|---|---|---|---|
XSTORE | Store random bytes to ES:[rDI], and increment ES:rDI accordingly. XSTORE will store currently-available bytes, which may be from 0 to 8 bytes. REP XSTORE will write the number of random bytes specified by rCX, waiting for the random number generator when needed. EDX specifies a "quality factor". | Nehemiah | ||
REP XSTORE | ||||
REP XCRYPTECB | F3 0F A7 C8 | Encrypt/Decrypt data, using the AES cipher in various block modes (ECB, CBC, CFB, OFB and CTR, respectively). rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rAX a pointer to an initialization vector for block modes that need it, and rDX a pointer to a control word. | Nehemiah | |
F3 0F A7 D0 | ||||
REP XCRYPTCFB | F3 0F A7 E0 | |||
REP XCRYPTOFB | F3 0F A7 E8 | |||
REP XCRYPTCTR | F3 0F A7 D8 | |||
REP XSHA1 | F3 0F A6 C8 | Compute a cryptographic hash (using the SHA-1 and SHA-256 functions, respectively). ES:rSI points to data to compute a hash for, ES:rDI points to a message digest and rCX specifies the number of bytes. rAX should be set to 0 at the start of a calculation. | Esther | |
REP XSHA256 | F3 0F A6 D0 | |||
REP MONTMUL | F3 0F A6 C0 | Perform Montgomery Multiplication. Takes an operand width in ECX (given as a number of bits – must be in range 256..32768 and divisble by 128) and pointer to a data structure in ES:ESI. | Esther | |
CCS_HASH | F3 0F A6 E8 | Compute SM3 hash, similar to the REP XSHA* instructions. The rBX register is used to specify hash function (20h for SM3 being the only documented value). | ZhangJiang | |
CCS_ENCRYPT | F3 0F A7 F0 | Encrypt/Decrypt data, using the SM4 cipher in various block modes. rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rDX a pointer to an initialization vector for block modes that need it, and rAX contains a control word. | ||