KMAC HWIP Technical Specification

Overview

This document specifies the Keccak Message Authentication Code (KMAC) and Secure Hashing Algorithm 3 (SHA3) hardware IP functionality. This module conforms to the OpenTitan guideline for peripheral device functionality. See that document for integration overview within the broader OpenTitan top level system.

Features

  • Support for SHA3-224, 256, 384, 512, SHAKE[128, 256] and cSHAKE[128, 256]
  • Support byte-granularity on input message
  • Support 128b, 192b, 256b, 384b, 512b of the secret key length in KMAC mode
  • Support arbitrary output length for SHAKE, cSHAKE, KMAC
  • Support customization input string S, and function-name N up to 36 bytes total
  • 64b x 9 depth Message FIFO
  • 1600b of internal state (internally represented in two shares for 1st-order masking)
  • Performance goals of >= 72 Mb/s @ 100MHz (when entropy is available always)
    • SHA3-512: roughly 88 MB/s at most
    • SHA3-224: 160 MB/s at most
  • Implement 1st-order masked Keccak permutations for Side-Channel Analysis (SCA) protection

Description

The KMAC module is a Keccak based message authentication code generator to check the integrity of an incoming message and a signature signed with the same secret key. The secret key length can vary up to 512 bits.

The KMAC generates at most 1600 bits of the digest value at a time which can be read from the STATE memory region. There’s a way for the software to read more digest values by manually running the Keccak rounds. The details of the operation are described in the SHA3 specification, FIPS 202 known as sponge construction.

The KMAC HWIP also performs the SHA3 hash functions without the authentication, whose purpose is to check the correctness of the received message. The KMAC IP supports various SHA3 hashing functions including SHA3 Extended Output Function (XOF) known as SHAKE functions.

The KMAC HWIP implements a defense mechanism to deter SCA attacks. It is expected to protect against 1st order SCA attacks by implementing masked storage and Domain Oriented Masking (DOM) AND logic inside the Keccak function.

Theory of Operation

Block Diagram

The above figure shows the KMAC/SHA3 HWIP block diagram. The KMAC has register interfaces for SW to configure the module, initiate the hashing process, and acquire the result digest from the STATE memory region. It also has interfaces tot he KeyMgr to get the secret key (masked) and the message data. The interface to the KeyMgr is mainly for Key Derivative Functions (KDF).

As similar with HMAC, KMAC HWIP also has a message FIFO (MSG_FIFO) whose depth was determined based on a few criteria such as the register interface width, and its latency, the latency of hashing algorithm (Keccak). Based on the given criteria, the MSG_FIFO depth was determined to store the incoming message while the SHA3 core is in computation.

The MSG_FIFO has a packer in front. It packs any partial writes into the size of inernal datapath (64bit) and stores in MSG_FIFO. It gives some freedome to the software not requiring to align the messages. It also doesn’t need the message length information.

The fed messages go into the KMAC core regardless of KMAC enabled or not. But the KMAC core just forwards the messages to SHA3 core in case of KMAC disabled. KMAC core prepends the encoded secret key as described in the SHA3 Derived Functions specification. It is expected that the software writes the encoded output length at the end of the message. For KDF triggered by KeyMgr, the encoded output length is appended inside the KeyMgr interface module in KMAC HWIP.

The SHA3 core is the main Keccak processing module. It supports SHA3 hashing functions, SHAKE128, SHAKE256 extended output functions, and also cSHAKE128, cSHAKE256 functions in order to support KMAC operation. To support multiple hashing functions, it has the padding logic inside. The padding logic mainly pads the predefined bits at the end of the message and also performs pad10*1() function. If cSHAKE mode is set, the padding logic also prepends the encoded function name N and the customization string S prior to the incoming messages according to the spec requirements.

Both the internal state width and the masking of the Keccak core are configurable via compile-time Verilog parameters. By default, 1600 bits of internal state are used and stored in two shares (1st order masking). The masked Keccak core takes 3 clock cycles per round if sufficient entropy is available. If desired, the masking can be disabled and the internal state width can be reduced to 25, 50, or 100 bits at compile time.

Hardware Interface

Referring to the Comportable guideline for peripheral device functionality, the module kmac has the following hardware interfaces defined.

Primary Clock: clk_i

Other Clocks: none

Bus Device Interface: tlul

Bus Host Interface: none

Peripheral Pins for Chip IO: none

Interrupts:

Interrupt NameDescription
kmac_doneKMAC/SHA3 absorbing has been completed
fifo_emptyMessage FIFO empty condition
kmac_errKMAC/SHA3 error occurred. ERR_CODE register shows the details

Security Alerts:

Alert NameDescription

Design Details

Keccak Round

A Keccak round implements the Keccak_f function described in the SHA3 specification. Keccak round logic in KMAC/SHA3 HWIP not only supports 1600 bit internal states but also all possible values {25, 50, 100, 200, 400, 800, 1600} based on a parameter Width. Keccak permutations in the specification allow arbitrary number of rounds. This module, however, supports Keccak_f which always runs 12 + 2*L rounds, where $$ L = log_2 {( {Width \over 25} )} $$ . For instance, 200 bits of internal state run 18 rounds. KMAC/SHA3 instantiates the Keccak round module with 1600 bit.

Keccak round logic has two phases inside. Theta, Rho, Pi functions are executed at the 1st phase. Chi and Iota functions run at the 2nd phase. If the compile-time Verilog parameter EnMasking is not set, the first phase and the second phase run at the same cycle.

If the masking feature is enabled, Keccak round logic stores the intermediate state after processing the 1st phase. The stored value are fed into the Chi function at the next cycle. Chi function implements Domain-Oriented Masking (DOM) ANDlogic inside to protect against the 1st order SCA attacks. The DOM AND logic needs entropy to disperse the power peaks. Chi function moves forward only when there is valid entropy.

The 2nd phase takes a least two cycles due to the intrinsic behavior of DOM AND logic. If the entropy is not ready, it may not complete the DOM AND. Processing a Keccak_f (1600 bit state) takes a total of 72 cycles (24 rounds X 3 cycles/round) including the 1st and 2nd phases.

If the masking compile time option is enabled, Keccak round logic requires an additional 1600 bit to store the state value partially inside DOM AND logic. In addition to that Keccak round logic needs two sets of the same Theta, Rho, and Pi functions. As a result, the masked Keccak round logic takes more than twice as much as area than the unmasked version of it.

Padding for Keccak

Padding logic supports SHA3/SHAKE/cSHAKE algorithms. cSHAKE needs the extra inputs for the Function-name N and the Customization string S. Other than that, SHA3, SHAKE, and cSHAKE share similar datapath inside the padding module except the last part added next to the end of the message. SHA3 adds 2'b 10, SHAKE adds 4'b 1111, cSHAKE adds 2'b00 then pad10*1() follows. All are little-endian values.

Interface between this padding logic and the MSG_FIFO follows the conventional FIFO interface. So prim_fifo_* can talk to the padding logic directly. This module talks to Keccak round logic with a more memory-like interface. The interface has an additional address signal on top of the valid, ready, and data signals.

The hashing process begins when the software issues the start command to !!CMD . If cSHAKE is enabled, the padding logic expands the prefix value (N || S above) into a block size. The block size is determined by the !!CFG.kstrength . If the value is 128, the block size will be 168 bytes. If it is 256, the block size will be 136 bytes. The expanded prefix value is transmitted to the Keccak round logic. After sending the block size, the padding logic triggers the Keccak round logic to run a full 24 rounds.

If the mode is not cSHAKE, or cSHAKE mode and the prefix block has been processed, the padding logic accepts the incoming message bitstream and forward the data to the Keccak round logic in a block granularity. The padding logic controls the data flow and makes the Keccak logic to run after sending a block size.

After the software writes the message bitstream, it should issue the Process command into !!CMD register. The padding logic, after receiving the Process command, appends proper ending bits with respect to the !!CFG.mode value. The logic writes 0 up to the block size to the Keccak round logic then ends with 1 at the end of the block.

After the Keccak round completes the last block, the padding logic asserts an absorbed signal to notify the software. The signal generates the kmac_done interrupt. At this point, the software is able to read the digest in !!STATE memory region. If the output length is greater than the Keccak block rate in SHAKE and cSHAKE mode, the software may run the Keccak round manually by issuing Run command to !!CMD register.

The software completes the operation by issuing Done command after reading the digest. The padding logic clears internal variables and goes back to Idle state.

Padding for KMAC

KMAC core prepends and appends additional bitstream on top of Keccak padding logic in SHA3 core. The NIST SP 800-185 defines KMAC[128,256](K, X, L, S) as a cSHAKE function. See the section 4.3 in NIST SP 800-185 for details. If KMAC is enabled, the software should configure !!CFG.mode to cSHAKE and the first six bytes of !!PREFIX to 0x01204B4D4143 (bigendian). The first six bytes of !!PREFIX represents the value of encode_string("KMAC").

The KMAC padding logic prepends a block containing the encoded secret key to the output message. The KMAC first sends the block of secret key then accepts the incoming message bitstream. At the end of the message, the software writes right_encode(output_length) to MSG_FIFO prior to issue Process command.

Message FIFO

The KMAC HWIP has a compile-time configurable depth message FIFO inside. The message FIFO receives incoming message bitstream regardless of its byte position in a word. Then it packs the partial message bytes into the internal 64 bit data width. After packing the data, the logic stores the data into the FIFO until the internal KMAC/SHA3 engine consumes the data.

The depth of the message FIFO is chosen to cover the throughput of the software or other producers such as DMA engine. The size of the message FIFO is enough to hold the incoming data while the SHA3 engine is processing the previous block. Details are in kmac_pkg::MsgFifoDepth parameter. Default design parameters assume the system characteristics as below:

  • kmac_pkg::RegLatency: The register write takes 5 cycles.
  • kmac_pkg::Sha3Latency: Keccak round latency takes 72 cycles, which is the masked version of the Keccak round.

The message FIFO does not generate the masked message data. Incoming message bistream is not sensitive to the leakage. So if the EnMasking parameter is set, the second share of the message bistream is zero. The secret key, however, is stored as masked form always.

Keccak State Access

After the Keccak round completes the KMAC/SHA3 operation, the contents of the Keccak state contain the digest value. The software can access the 1600 bit of the Keccak state directly through the window of the KMAC/SHA3 register.

If the compile-time parameter masking feature is enabled, the upper 256B of the window is the second share of the Keccak state. If not, the upper address space is zero value. The software reads both of the Keccak state shares and XORed in the software to get the unmasked digest value if masking feature is set.

The Keccak state is valid after the sponge absorbing process is completed. While in an idle state or in the sponge absorbing stage, the value is zero. This ensures that the logic does not expose the secret key XORed with the keccak_f results of the prefix to the software. In addition to that, the KMAC/SHA3 blocks the software access to the Keccak state when it processes the request from KeyMgr for Key Derivation Function (KDF).

KeyMgr Interface

KMAC/SHA3 HWIP has an option to receive the secret key from KeyMgr via sideload key interface. The software should set !!CFG.sideload to use the KeyMgr sideloaded key in SW-initiated KMAC operation. keymgr_pkg::hw_key_t defines the structure of the sideloaded key. KeyMgr provides the sideloaded key in two-share masked form regardless of the compile-time parameter EnMasking. If EnMasking is not defined, the KMAC merges the shared key to the unmasked form before uses the key.

KeyMgr may initiate the KMAC operation via the KeyMgr data interface keymgr_pkg::kmac_data_{req|rsp}_t. KeyMgr sends 64-bit data (MsgWidth) in a beat with the message strobe signal. The state machine inside the KeyMgr interface logic starts when it receives the first valid data. Because this logic sees the first valid data as an initiator, KeyMgr cannot run KDF with an empty message. After the logic switches to accept the message bitstream from KeyMgr, it forces the KMAC to use the sideloaded key as a secret key. Also it ignores the command issued from the software. Instead it generates the commands and sends them to the KMAC core.

The last beat of the KeyMgr data moves the state machine to append the encoded output length. The output length is the digest width, which is 256 bit. It means that the logic appends 0x020100 (little-endian) to the end of the message. The output data from this logic goes to MSG_FIFO. Because the MSG_FIFO handles un-aligned data inside, KeyMgr interface logic sends the encoded output length value in a separate beat.

After the encoded output length is pushed to the KMAC core, the interface logic issues a Process command to run the hashing logic.

After hashing operation is completed, KMAC does not raise a kmac_done interrupt; rather it triggers the done status in the KeyMgr data response channel. The result digest always comes in two shares. If the EnMasking parameter is not set, the second share is always zero.

Entropy Generator

TBD

Error Report

TBD

Programmers Guide

Initialization

The software can update the KMAC/SHA3 configurations only when the IP is in the idle state. The software should check !!STATUS.sha3_idle before updating the configurations. The software must first program !!CFG.msg_endianness and !!CFG.state_endianness at the initialization stage. These determine the byte order of incoming messages (msg_endianness) and the Keccak state output (state_endianness).

Software Initiated KMAC/SHA3 process

This section describes the expected software process to run the KMAC/SHA3 HWIP. At first, the software configures !!CFG.kmac_en for KMAC operation. If KMAC is enabled, the software should configure !!CFG.mode to cSHAKE and !!CFG.kstrength to 128 or 256 bit security strength. The software also updates !!PREFIX registers if cSHAKE mode is used. Current design does not convert cSHAKE mode to SHAKE even if !!PREFIX is empty string. It is the software’s responsiblity to change the !!CFG.mode to SHAKE in case of empty !!PREFIX. The KMAC/SHA3 HWIP uses !!PREFIX registers as it is. It means that the software should update !!PREFIX with encoded values.

If !!CFG.kmac_en is set, the software should update the secret key. The software prepares two shares of the secret key and selects its length in !!KEY_LEN then writes the shares of the secret key to !!KEY_SHARE0 and !!KEY_SHARE1 . The two shares of the secret key are the values that represent the secret key value when they are XORed together. The software can XOR the unmasked secret key with entropy. The XORed value is a share and the entropy used is the other share.

After configuring, the software notifies the KMAC/SHA3 engine to accept incoming messages by issuing Start command into !!CMD . If Start command is not issued, the incoming message is discarded. If KMAC is enabled, the software pushes the right_encode(output_length) value at the end of the message. For example, if the desired output length is 256 bit, the software writes 0x00020100 to MSG_FIFO.

After the software pushes all messages, it issues Process command to !!CMD for SHA3 engine to complete the sponge absorbing process. SHA3 hashing engine pads the incoming message as defined in the SHA3 specification.

After the SHA3 engine completes the sponge absorbing step, it generates kmac_done interrupt. Or the software can poll the !!STATUS.squeeze bit until it becomes 1. In this stage, the software may run the Keccak round manually.

If the desired digest length is greater than the Keccak rate, the software issues Run command for the Keccak round logic to run one full round after the software reads the current available Keccak state. At this stage, KMAC/SHA3 does not raise an interrupt when the Keccak round completes the software initiated manual run. The software should check !!STATUS.squeeze register field for the readiness of !!STATE value.

After the software reads all the digest values, it issues Done command to !!CMD register to clear the internal states. Done command clears the Keccak state, FSM in SHA3 and KMAC, and a few internal variables. Secret key and other software programmed values won’t be reset.

KMAC/SHA3 context switching

This version of KMAC/SHA3 HWIP does not support the software context switching. A context switching scheme would allow software to save the current hashing engine state and initiate a new high priority hashing operation. It could restore the previous hashing state later and continue the operation.

Registers

kmac.INTR_STATE @ + 0x0
Interrupt State Register
Reset default = 0x0, mask 0x7
31302928272625242322212019181716
 
1514131211109876543210
  kmac_err fifo_empty kmac_done
BitsTypeResetNameDescription
0rw1c0x0kmac_doneKMAC/SHA3 absorbing has been completed
1rw1c0x0fifo_emptyMessage FIFO empty condition
2rw1c0x0kmac_errKMAC/SHA3 error occurred. ERR_CODE register shows the details


kmac.INTR_ENABLE @ + 0x4
Interrupt Enable Register
Reset default = 0x0, mask 0x7
31302928272625242322212019181716
 
1514131211109876543210
  kmac_err fifo_empty kmac_done
BitsTypeResetNameDescription
0rw0x0kmac_doneEnable interrupt when INTR_STATE.kmac_done is set
1rw0x0fifo_emptyEnable interrupt when INTR_STATE.fifo_empty is set
2rw0x0kmac_errEnable interrupt when INTR_STATE.kmac_err is set


kmac.INTR_TEST @ + 0x8
Interrupt Test Register
Reset default = 0x0, mask 0x7
31302928272625242322212019181716
 
1514131211109876543210
  kmac_err fifo_empty kmac_done
BitsTypeResetNameDescription
0wo0x0kmac_doneWrite 1 to force INTR_STATE.kmac_done to 1
1wo0x0fifo_emptyWrite 1 to force INTR_STATE.fifo_empty to 1
2wo0x0kmac_errWrite 1 to force INTR_STATE.kmac_err to 1


kmac.CFG_REGWEN @ + 0xc
Controls the configurability of CFG register. This register ensures the contents of CFG register cannot be changed by the software while the KMAC/SHA3 is in operation mode.
Reset default = 0x1, mask 0x1
31302928272625242322212019181716
 
1514131211109876543210
  en
BitsTypeResetNameDescription
0ro0x1enConfiguration enable.


kmac.CFG @ + 0x10
KMAC Configuration register. This register is updated when the hashing engine is in Idle. If the software updates the register while the engine computes, the updated value will be discarded.
Reset default = 0x100, mask 0x133f
Register enable = CFG_REGWEN
31302928272625242322212019181716
 
1514131211109876543210
  sideload   state_endianness msg_endianness   mode kstrength kmac_en
BitsTypeResetNameDescription
0rw0x0kmac_enKMAC datapath enable. If this bit is 1, the incoming message is processed in KMAC with the secret key.
3:1rw0x0kstrengthHashing Strength 3 bit field to select the security strength of SHA3 hashing engine. If mode field is set to SHAKE or cSHAKE, only 128 and 256 strength can be selected. Other value will result error when hashing starts.
0L128128 bit strength. Keccak rate is 1344 bit
1L224224 bit strength. Keccak rate is 1152 bit
2L256256 bit strength. Keccak rate is 1088 bit
3L384384 bit strength. Keccak rate is 832 bit
4L512512 bit strength. Keccak rate is 576 bit
Other values are reserved.
5:4rw0x0modeKeccak hashing mode. This module supports SHA3 main hashing algorithm and the part of its derived functions, SHAKE and cSHAKE with limitations. This field is to select the mode.
0SHA3SHA3 hashing mode. It appends `2'b 10` to the end of msg
2SHAKESHAKE hashing mode. It appends `1111` to the end of msg
3cSHAKEcSHAKE hashing mode. It appends `00` to the end of msg
Other values are reserved.
7:6Reserved
8rw0x1msg_endiannessMessage and Secret Key Endianness. Convert TL-UL write data[31:0] to big-endian style {d[7:0], d[15:8], ...} 0: Little-endian. Keep input value as it is 1: Big-endian. Convert incoming value
9rw0x0state_endiannessOutput state (Digest) Endianness. Convert read-out state register to big-endian style. If 0, keep the internal value as it is when SW reads. If 1, convert the internal state value.
11:10Reserved
12rw0x0sideloadSideloaded Key. If 1, KMAC uses KeyMgr sideloaded key for SW initiated KMAC operation. KMAC uses the sideloaded key regardless of this configuration when KeyMgr initiates the KMAC operation for Key Derivation Function (KDF).


kmac.CMD @ + 0x14
KMAC/ SHA3 command register. This register is to control the KMAC to start accepting message, to process the message, and to manually run additional keccak rounds at the end. Only at certain stage, the CMD affects to the control logic. It follows the sequence of `start` --> `process` --> {`run` if needed --> } `done`
Reset default = 0x0, mask 0xf
31302928272625242322212019181716
 
1514131211109876543210
  cmd
BitsTypeResetNameDescription
3:0r0w1c0x0cmdIssue a command to the KMAC/SHA3 IP. To prevent sw from writing multiple bits at once, the field is defined as enum.
1startIf writes 1 into this field when KMAC/SHA3 is in idle, KMAC/SHA3 begins its operation. If the mode is cSHAKE, before receiving the message, the hashing logic processes Function name string N and customization input string S first. If KMAC mode is enabled, additionally it processes secret key block.
2processIf writes 1 into this field when KMAC/SHA3 began its operation and received the entire message, it computes the digest or signing.
4runThe `run` field is used in the sponge squeezing stage. It triggers the keccak round logic to run full 24 rounds. This is optional and used when software needs more digest bits than the keccak rate. It only affects when the kmac/sha3 operation is completed.
8doneIf writes 1 into this field when KMAC/SHA3 squeezing is completed. KMAC/SHA3 hashing engine clears internal variables and goes back to Idle state for next command.
Other values are reserved.


kmac.STATUS @ + 0x18
KMAC/SHA3 Status register.
Reset default = 0x4001, mask 0xdf07
31302928272625242322212019181716
 
1514131211109876543210
fifo_full fifo_empty   fifo_depth   sha3_squeeze sha3_absorb sha3_idle
BitsTypeResetNameDescription
0ro0x1sha3_idleIf 1, SHA3 hashing engine is in idle state.
1ro0x0sha3_absorbIf 1, SHA3 is receiving message stream and processing it
2ro0x0sha3_squeezeIf 1, SHA3 completes sponge absorbing stage. In this stage, SW can manually run the hashing engine.
7:3Reserved
12:8ro0x0fifo_depthMessage FIFO entry count
13Reserved
14ro0x1fifo_emptyMessage FIFO Empty indicator
15ro0x0fifo_fullMessage FIFO Full indicator


kmac.KEY_SHARE0_0 @ + 0x1c
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_0...
1514131211109876543210
...key_0
BitsTypeResetNameDescription
31:0woxkey_032-bit chunk of up-to 512-bit Secret Key


kmac.KEY_SHARE0_1 @ + 0x20
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_1...
1514131211109876543210
...key_1
BitsTypeResetNameDescription
31:0woxkey_1For KMAC1


kmac.KEY_SHARE0_2 @ + 0x24
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_2...
1514131211109876543210
...key_2
BitsTypeResetNameDescription
31:0woxkey_2For KMAC2


kmac.KEY_SHARE0_3 @ + 0x28
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_3...
1514131211109876543210
...key_3
BitsTypeResetNameDescription
31:0woxkey_3For KMAC3


kmac.KEY_SHARE0_4 @ + 0x2c
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_4...
1514131211109876543210
...key_4
BitsTypeResetNameDescription
31:0woxkey_4For KMAC4


kmac.KEY_SHARE0_5 @ + 0x30
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_5...
1514131211109876543210
...key_5
BitsTypeResetNameDescription
31:0woxkey_5For KMAC5


kmac.KEY_SHARE0_6 @ + 0x34
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_6...
1514131211109876543210
...key_6
BitsTypeResetNameDescription
31:0woxkey_6For KMAC6


kmac.KEY_SHARE0_7 @ + 0x38
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_7...
1514131211109876543210
...key_7
BitsTypeResetNameDescription
31:0woxkey_7For KMAC7


kmac.KEY_SHARE0_8 @ + 0x3c
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_8...
1514131211109876543210
...key_8
BitsTypeResetNameDescription
31:0woxkey_8For KMAC8


kmac.KEY_SHARE0_9 @ + 0x40
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_9...
1514131211109876543210
...key_9
BitsTypeResetNameDescription
31:0woxkey_9For KMAC9


kmac.KEY_SHARE0_10 @ + 0x44
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_10...
1514131211109876543210
...key_10
BitsTypeResetNameDescription
31:0woxkey_10For KMAC10


kmac.KEY_SHARE0_11 @ + 0x48
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_11...
1514131211109876543210
...key_11
BitsTypeResetNameDescription
31:0woxkey_11For KMAC11


kmac.KEY_SHARE0_12 @ + 0x4c
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_12...
1514131211109876543210
...key_12
BitsTypeResetNameDescription
31:0woxkey_12For KMAC12


kmac.KEY_SHARE0_13 @ + 0x50
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_13...
1514131211109876543210
...key_13
BitsTypeResetNameDescription
31:0woxkey_13For KMAC13


kmac.KEY_SHARE0_14 @ + 0x54
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_14...
1514131211109876543210
...key_14
BitsTypeResetNameDescription
31:0woxkey_14For KMAC14


kmac.KEY_SHARE0_15 @ + 0x58
KMAC Secret Key KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_15...
1514131211109876543210
...key_15
BitsTypeResetNameDescription
31:0woxkey_15For KMAC15


kmac.KEY_SHARE1_0 @ + 0x5c
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_0...
1514131211109876543210
...key_0
BitsTypeResetNameDescription
31:0woxkey_032-bit chunk of up-to 512-bit Secret Key


kmac.KEY_SHARE1_1 @ + 0x60
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_1...
1514131211109876543210
...key_1
BitsTypeResetNameDescription
31:0woxkey_1For KMAC1


kmac.KEY_SHARE1_2 @ + 0x64
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_2...
1514131211109876543210
...key_2
BitsTypeResetNameDescription
31:0woxkey_2For KMAC2


kmac.KEY_SHARE1_3 @ + 0x68
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_3...
1514131211109876543210
...key_3
BitsTypeResetNameDescription
31:0woxkey_3For KMAC3


kmac.KEY_SHARE1_4 @ + 0x6c
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_4...
1514131211109876543210
...key_4
BitsTypeResetNameDescription
31:0woxkey_4For KMAC4


kmac.KEY_SHARE1_5 @ + 0x70
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_5...
1514131211109876543210
...key_5
BitsTypeResetNameDescription
31:0woxkey_5For KMAC5


kmac.KEY_SHARE1_6 @ + 0x74
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_6...
1514131211109876543210
...key_6
BitsTypeResetNameDescription
31:0woxkey_6For KMAC6


kmac.KEY_SHARE1_7 @ + 0x78
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_7...
1514131211109876543210
...key_7
BitsTypeResetNameDescription
31:0woxkey_7For KMAC7


kmac.KEY_SHARE1_8 @ + 0x7c
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_8...
1514131211109876543210
...key_8
BitsTypeResetNameDescription
31:0woxkey_8For KMAC8


kmac.KEY_SHARE1_9 @ + 0x80
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_9...
1514131211109876543210
...key_9
BitsTypeResetNameDescription
31:0woxkey_9For KMAC9


kmac.KEY_SHARE1_10 @ + 0x84
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_10...
1514131211109876543210
...key_10
BitsTypeResetNameDescription
31:0woxkey_10For KMAC10


kmac.KEY_SHARE1_11 @ + 0x88
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_11...
1514131211109876543210
...key_11
BitsTypeResetNameDescription
31:0woxkey_11For KMAC11


kmac.KEY_SHARE1_12 @ + 0x8c
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_12...
1514131211109876543210
...key_12
BitsTypeResetNameDescription
31:0woxkey_12For KMAC12


kmac.KEY_SHARE1_13 @ + 0x90
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_13...
1514131211109876543210
...key_13
BitsTypeResetNameDescription
31:0woxkey_13For KMAC13


kmac.KEY_SHARE1_14 @ + 0x94
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_14...
1514131211109876543210
...key_14
BitsTypeResetNameDescription
31:0woxkey_14For KMAC14


kmac.KEY_SHARE1_15 @ + 0x98
KMAC Secret Key, 2nd share. KMAC secret key can be up to 512 bit. Order of the secret key is: key[512:0] = {KEY15, KEY14, ... , KEY0}; The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error. Current KMAC supports up to 512 bit secret key. It is the sw responsibility to keep upper bits of the secret key to 0.
Reset default = 0x0, mask 0x0
31302928272625242322212019181716
key_15...
1514131211109876543210
...key_15
BitsTypeResetNameDescription
31:0woxkey_15For KMAC15


kmac.KEY_LEN @ + 0x9c
Secret Key length in bit. This value is used to make encoded secret key in KMAC. KMAC supports certain lengths of the secret key. Currently it supports 128b, 192b, 256b, 384b, and 512b secret keys.
Reset default = 0x0, mask 0x0
Register enable = CFG_REGWEN
31302928272625242322212019181716
 
1514131211109876543210
  len
BitsTypeResetNameDescription
2:0woxlenKey length choice
0Key128Key length is 128 bit.
1Key192Key length is 192 bit.
2Key256Key length is 256 bit.
3Key384Key length is 384 bit.
4Key512Key length is 512 bit.
Other values are reserved.


kmac.PREFIX_0 @ + 0xa0
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_0...
1514131211109876543210
...prefix_0
BitsTypeResetNameDescription
31:0rw0x0prefix_032-bit chunk of Encoded NS Prefix


kmac.PREFIX_1 @ + 0xa4
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_1...
1514131211109876543210
...prefix_1
BitsTypeResetNameDescription
31:0rw0x0prefix_1For KMAC1


kmac.PREFIX_2 @ + 0xa8
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_2...
1514131211109876543210
...prefix_2
BitsTypeResetNameDescription
31:0rw0x0prefix_2For KMAC2


kmac.PREFIX_3 @ + 0xac
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_3...
1514131211109876543210
...prefix_3
BitsTypeResetNameDescription
31:0rw0x0prefix_3For KMAC3


kmac.PREFIX_4 @ + 0xb0
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_4...
1514131211109876543210
...prefix_4
BitsTypeResetNameDescription
31:0rw0x0prefix_4For KMAC4


kmac.PREFIX_5 @ + 0xb4
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_5...
1514131211109876543210
...prefix_5
BitsTypeResetNameDescription
31:0rw0x0prefix_5For KMAC5


kmac.PREFIX_6 @ + 0xb8
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_6...
1514131211109876543210
...prefix_6
BitsTypeResetNameDescription
31:0rw0x0prefix_6For KMAC6


kmac.PREFIX_7 @ + 0xbc
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_7...
1514131211109876543210
...prefix_7
BitsTypeResetNameDescription
31:0rw0x0prefix_7For KMAC7


kmac.PREFIX_8 @ + 0xc0
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_8...
1514131211109876543210
...prefix_8
BitsTypeResetNameDescription
31:0rw0x0prefix_8For KMAC8


kmac.PREFIX_9 @ + 0xc4
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_9...
1514131211109876543210
...prefix_9
BitsTypeResetNameDescription
31:0rw0x0prefix_9For KMAC9


kmac.PREFIX_10 @ + 0xc8
cSHAKE Prefix register. Prefix including Function Name N and Customization String S. The SHA3 assumes this register value is encoded as: `encode_string(N) || encode_string(S) || 0`. It means that the software can freely decide the length of N or S based on the given Prefix register size 320bit. 320bit is determined to have 32-bit of N and up to 256-bit of S + encode of their length. It is SW responsibility to fill the register with encoded value that is described at Section 2.3.2 String Encoding in NIST SP 800-185 specification. Order of Prefix is: prefix[end:0] := {PREFIX0, PREFIX1, ... } The registers are allowed to be updated when the engine is in Idle state. If the engine computes the hash, it discards any attempts to update the secret keys and report an error.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
prefix_10...
1514131211109876543210
...prefix_10
BitsTypeResetNameDescription
31:0rw0x0prefix_10For KMAC10


kmac.ERR_CODE @ + 0xcc
KMAC/SHA3 Error Code
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
err_code...
1514131211109876543210
...err_code
BitsTypeResetNameDescription
31:0ro0x0err_codeIf error interrupt occurs, this register has information of error cause. Please take a look at `hw/ip/kmac/rtl/kmac_pkg.sv:err_code_e enum type.


kmac.STATE @ + 0x400
128 item ro window
Byte writes are not supported
310
+0x400 
+0x404 
 ...
+0x5f8 
+0x5fc 
Keccak State (1600 bit) memory. The software can get the processed digest by reading this memory region. Unlike MSG_FIFO, STATE memory space sees the addr[9:0]. If Masking feature is enabled, the software reads two shares from this memory space. 0x400 - 0x4C7: State share 0x500 - 0x5C7: Mask share of the state, 0 if EnMasking = 0


kmac.MSG_FIFO @ + 0x800
512 item wo window
Byte writes are supported
310
+0x800 
+0x804 
 ...
+0xff8 
+0xffc 
Message FIFO. Any write to this window will be appended to the FIFO. Only lower 2 bits `[1:0]` of the address matter to writes within the window in order to handle with sub-word writes.