RISC-V Scalar Cryptography Extension reaches public review

This extension is great. If anyone is interested, my roommate and I partially implemented the previous revision of it on a RISC-V GPU called Vortex: <a href="https:&#x2F;&#x2F;carrv.github.io&#x2F;2021&#x2F;papers&#x2F;CARRV2021_paper_87_Adams.pdf" rel="nofollow">https:&#x2F;&#x2F;carrv.github.io&#x2F;2021&#x2F;papers&#x2F;CARRV2021_paper_87_Adams...</a><p>I&#x27;m excited to see that the RV32 AES instructions now have separate rs1 and rd fields, because the previous version combined them into just rt, which was kind of annoying from an implementation perspective, since you had some register that was both input and output (iirc, unlike any other RV32 instruction previously implemented on that hardware)

A quick summary of what is included for those who don&#x27;t feel like reading the spec:<p><pre><code> - Some miscellaneous bit twiddling instructions (rotate, permute, pack, ...) useful in various crypto schemes. - AES. - SHA2 (-256 and -512). - SM3 and SM4. - Physical entropy source (with some variants to accommodate low profile variants) </code></pre> The SM3&#x2F;4 were unfamiliar to me - apparently it is a hash function &amp; block cipher used in Chinese WiFi variant. Should I just assume this is backdoored?

Pretty much every instruction that doesn&#x27;t start with the name of some known crypto algorithm (and maybe some that do) are useful for general-purpose stuff. I&#x27;ve had a good deal of success making Intel&#x27;s GFNI do &quot;weird off-label things&quot; (bit-matrix transpose and a lot of the missing byte shift&#x2F;rotate operations just scratches the surface). CLMUL is a good one for all sorts of things, as it can be used for XOR-parallel-prefix (we used it to detect quote pairs in simdjson).<p>I don&#x27;t know whether I resent crypto because it gets the cool instructions at low latency because it&#x27;s so important, or whether I love it due to the fact that even the &quot;leavings at the crypto table&quot; are computationally useful.

What is the &quot;2-read-1-write register access constraint&quot; mentioned in the introduction?