From c4f35491e3d38964bfe793796206886efc94e78a Mon Sep 17 00:00:00 2001
From: Nicolas Brunie
Date: Mon, 9 Sep 2024 21:51:36 -0600
Subject: [PATCH] Fixing H value reset for vghsh/vgmul
Signed-off-by: Nicolas Brunie
---
src/vector-crypto-additional.adoc | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/vector-crypto-additional.adoc b/src/vector-crypto-additional.adoc
index 827c9567..63b5054e 100644
--- a/src/vector-crypto-additional.adoc
+++ b/src/vector-crypto-additional.adoc
@@ -425,11 +425,14 @@ function clause execute (VGHSHVS(vs2, vs1, vd)) = {
 // H is common to all element groups
 let helem = 0;
- let H = brev8(get_velem(vs2, EGW=128, helem)); // Hash subkey
+ let Hinit = brev8(get_velem(vs2, EGW=128, helem)); // Hash subkey
 foreach (i from eg_start to eg_len-1) {
 let Y = get_velem(vd,EGW=128,i); // current partial-hash
 let X = get_velem(vs1,EGW=128,i); // block cipher output
+ // Since H is destroyed by the inner loop it must be reset
+ // on every element-group iteration (even if loop independent)
+ let H = Hinit;
 let Z : bits(128) = 0;
@@ -559,11 +562,15 @@ function clause execute (VGMUL(vs2, vs1, vd, suffix)) = {
 eg_start = (vstart/EGS)
 // H multiplicand is common for all loop iterations
 let helem = 0;
- let H = brev8(get_velem(vs2,EGW=128, helem)); // Multiplicand
+ let Hinit = brev8(get_velem(vs2,EGW=128, helem)); // Multiplicand
+
 foreach (i from eg_start to eg_len-1) {
 let Y = brev8(get_velem(vd,EGW=128,i)); // Multiplier
- let Z : bits(128) = 0;
+ let Z : bits(128) = 0;
+ // Since H is destroyed by the inner loop it must be reset
+ // on every element-group iteration (even if loop independent)
+ let H = Hinit;
 for (int bit = 0; bit < 128; bit++) {
 if bit_to_bool(Y[bit])
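Review bot: The reset `let H = Hinit;` lands at a different point in the two hunks — before `let Z : bits(128) = 0;` in VGHSHVS, after it in VGMUL — and the VGMUL hunk also deletes and re-adds the unchanged `let Z` line plus an empty `+` line, so the two element-group loops no longer read in parallel and the churn obscures what is really a one-line fix. Putting `let H = Hinit;` directly after the last operand load in both functions (`let X` in VGHSHVS, `let Y` in VGMUL) and leaving `let Z` untouched keeps the two bodies structurally identical, which is what a reader checking an implementation against the pseudocode will be comparing. The added comment is also imprecise: `(even if loop independent)` reads as an aside rather than the reason, whereas something like `// the bit loop below updates H in place, so each element group must restart from the original subkey Hinit` says what the reset guards against. Both hunks show only the head of their `execute` clauses — the bit loop that consumes H starts past the end of the first hunk and is cut off in the second — so the in-place update of H is taken from the commit message, not from visible lines. Since a vector covering a single element group never exercises the reset, a conformance vector with at least two element groups is what would actually catch a regression of this fix.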