Fixing H value reset for vghsh/vgmul

Signed-off-by: Nicolas Brunie <[email protected]>
riscv · Sep 20, 2024 · c4f3549 · c4f3549
1 parent 320d64f
commit c4f3549
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/src/vector-crypto-additional.adoc b/src/vector-crypto-additional.adoc
@@ -425,11 +425,14 @@ function clause execute (VGHSHVS(vs2, vs1, vd)) = {
 
   // H is common to all element groups
   let helem = 0;
-  let H = brev8(get_velem(vs2, EGW=128, helem)); // Hash subkey
+  let Hinit = brev8(get_velem(vs2, EGW=128, helem)); // Hash subkey 
 
   foreach (i from eg_start to eg_len-1) {
     let Y = get_velem(vd,EGW=128,i);  // current partial-hash
     let X = get_velem(vs1,EGW=128,i);  // block cipher output
+    // Since H is destroyed by the inner loop it must be reset
+    // on every element-group iteration (even if loop independent)
+    let H = Hinit;
 
     let Z : bits(128) = 0;
 
@@ -559,11 +562,15 @@ function clause execute (VGMUL(vs2, vs1, vd, suffix)) = {
   eg_start = (vstart/EGS)
   // H multiplicand is common for all loop iterations
   let helem = 0;
-  let H = brev8(get_velem(vs2,EGW=128, helem)); // Multiplicand
+  let Hinit = brev8(get_velem(vs2,EGW=128, helem)); // Multiplicand
+
 
   foreach (i from eg_start to eg_len-1) {
     let Y = brev8(get_velem(vd,EGW=128,i));  // Multiplier
-    let Z : bits(128) = 0;
+    let Z : bits(128) = 0;  
+    // Since H is destroyed by the inner loop it must be reset
+    // on every element-group iteration (even if loop independent)
+    let H = Hinit;
 
     for (int bit = 0; bit < 128; bit++) {
       if bit_to_bool(Y[bit])