List of x86 cryptographic instructions

Instructions that have been added to the x86 instruction set in order to assist efficient calculation of cryptographic primitives, such as e.g. AES encryption, SHA hash calculation and random number generation.

Intel AES instructions

6 new instructions.

Instruction	Encoding	Description	Added in
`AESENC xmm1,xmm2/m128`	`66 0F 38 DC /r`	Perform one round of an AES encryption flow. Performs the,, and steps of an AES encryption round, in that order. The first source argument provides a 128-bit data-block to perform an encryption round on, the second source argument provides a round key for the stage.
`AESENCLAST xmm1,xmm2/m128`	`66 0F 38 DD /r`	Perform the last round of an AES encryption flow. Performs the, and steps of an AES encryption round, in that order.
`AESDEC xmm1,xmm2/m128`	`66 0F 38 DE /r`	Perform one round of an AES decryption flow. Performs the,, and steps of an AES decryption round, in that order.
`AESDECLAST xmm1,xmm2/m128`	`66 0F 38 DF /r`	Perform the last round of an AES decryption flow. Performs the, and steps of an AES decryption round, in that order.
		Assist in AES round key generation. The operation performed is: temp := SubBytes // AES SubBytes step dest := temp dest := rotate_left XOR RCON dest := temp dest := rotate_left XOR RCON where RCON is the instruction's imm8 argument zero-extended to 32 bits.
`AESIMC xmm1,xmm2/m128`	`66 0F 38 DB /r`	Perform the step of an AES decryption round on one 128-bit block. Mainly used to help prepare an AES key for use with the `AESDEC` instruction.

CLMUL instructions

Instruction	Opcode	Description
		Perform a carry-less multiplication of two 64-bit polynomials over the finite field GF.
`PCLMULLQLQDQ xmm1,xmm2/m128`		Multiply the low halves of the two 128-bit operands.
`PCLMULHQLQDQ xmm1,xmm2/m128`	`66 0F 3A 44 /r 01`	Multiply the high half of the destination register by the low half of the source operand.
`PCLMULLQHQDQ xmm1,xmm2/m128`	`66 0F 3A 44 /r 10`	Multiply the low half of the destination register by the high half of the source operand.
`PCLMULHQHQDQ xmm1,xmm2/m128`	`66 0F 3A 44 /r 11`	Multiply the high halves of the two 128-bit operands.

RDRAND and RDSEED

Instruction	Encoding	Description	Added in
`RDRAND r16` `RDRAND r32`	`NFx 0F C7 /6`	Return a random number that has been generated with a CSPRNG compliant with	Ivy Bridge, Silvermont, Excavator, Puma, ZhangJiang,
		Return a random number that has been generated with a CSPRNG compliant with	Ivy Bridge, Silvermont, Excavator, Puma, ZhangJiang,
`RDSEED r16` `RDSEED r32`	`NFx 0F C7 /7`	Return a random number that has been generated with a HRNG/TRNG compliant with	Broadwell, ZhangJiang, Zen 1, Gracemont
		Return a random number that has been generated with a HRNG/TRNG compliant with	Broadwell, ZhangJiang, Zen 1, Gracemont

Intel SHA and SM3 instructions

These instructions provide support for cryptographic hash functions such as SHA-1, SHA-256, SHA-512 and SM3. Each of these hash functions works on fixed-size data blocks, where the processing of each data-block mostly consists of two major phases:

First expand the data-block using a message schedule
Then perform a series of rounds of a compression function to combine the expanded data into a hash state.

For each of the supported hash functions, separate instructions are provided to help compute the message schedule and to help perform the compression function rounds.

Intel Key Locker instructions

These instructions, available in Tiger Lake and later Intel processors, are designed to enable encryption/decryption with an AES key without having access to any unencrypted copies of the key during the actual encryption/decryption process.

VIA/Zhaoxin PadLock instructions

The VIA/Zhaoxin PadLock instructions are instructions designed to apply cryptographic primitives in bulk, similar to the 8086 repeated string instructions. As such, unless otherwise specified, they take, as applicable, pointers to source data in ES:rSI and destination data in ES:rDI, and a data-size or count in rCX. Like the old string instructions, they are all designed to be interruptible.