= List of x86 cryptographic instructions =

Instructions that have been added to the x86 instruction set in order to assist efficient calculation of cryptographic primitives, such as e.g. AES encryption, SHA hash calculation and random number generation.

== Intel AES instructions ==

6 new instructions.
| Instruction | Encoding | Description |
| AESENC xmm1,xmm2/m128 | 66 0F 38 DC /r | Perform one round of an AES encryption flow. Performs the , , and steps of an AES encryption round, in that order. The first source argument provides a 128-bit data-block to perform an encryption round on, the second source argument provides a round key for the stage. |
| AESENCLAST xmm1,xmm2/m128 | 66 0F 38 DD /r | Perform the last round of an AES encryption flow. Performs the , and steps of an AES encryption round, in that order. |
| AESDEC xmm1,xmm2/m128 | 66 0F 38 DE /r | Perform one round of an AES decryption flow. Performs the , , and steps of an AES decryption round, in that order. |
| AESDECLAST xmm1,xmm2/m128 | 66 0F 38 DF /r | Perform the last round of an AES decryption flow. Performs the , and steps of an AES decryption round, in that order. |
| | | Assist in AES round key generation. The operation performed is: |
| AESIMC xmm1,xmm2/m128 | 66 0F 38 DB /r | Perform the step of an AES decryption round on one 128-bit block. Mainly used to help prepare an AES key for use with the AESDEC instruction. |

== CLMUL instructions ==

| Instruction | Opcode | Description |
| | | Perform a carry-less multiplication of two 64-bit polynomials over the finite field GF(2^{k}). |
| PCLMULLQLQDQ xmm1,xmm2/m128 | | Multiply the low halves of the two 128-bit operands. |
| PCLMULHQLQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 01 | Multiply the high half of the destination register by the low half of the source operand. |
| PCLMULLQHQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 10 | Multiply the low half of the destination register by the high half of the source operand. |
| PCLMULHQHQDQ xmm1,xmm2/m128 | 66 0F 3A 44 /r 11 | Multiply the high halves of the two 128-bit operands. |

== RDRAND and RDSEED ==

| Instruction | Encoding | Description | Added in |
| RDRAND r16 RDRAND r32 | NFx 0F C7 /6 | Return a random number that has been generated with a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) compliant with | Ivy Bridge, Silvermont, Excavator, Puma, ZhangJiang, |
| RDSEED r16 RDSEED r32 | NFx 0F C7 /7 | Return a random number that has been generated with a HRNG/TRNG (Hardware/"True" Random Number Generator) compliant with | Broadwell, ZhangJiang, Zen 1, Gracemont |

== Intel SHA and SM3 instructions ==

These instructions provide support for cryptographic hash functions such as SHA-1, SHA-256, SHA-512 and SM3. Each of these hash functions works on fixed-size data blocks, where the processing of each data-block mostly consists of two major phases:
- First expand the data-block using a message schedule (that is specific to each hash function)
- Then perform a series of rounds of a compression function to combine the expanded data into a hash state.
For each of the supported hash functions, separate instructions are provided to help compute the message schedule (instructions with "MSG" in their names) and to help perform the compression function rounds (instructions with "RND" in their names).
| Hash function extension | Instructions | Encoding |
| | | |
| SHA1NEXTE xmm1,xmm2/m128 | NP 0F 38 C8 /r | Calculate SHA-1 State Variable E after Four Rounds |
| SHA1MSG1 xmm1,xmm2/m128 | NP 0F 38 C9 /r | Perform an Intermediate Calculation for the Next Four SHA-1 Message Dwords |
| SHA1MSG2 xmm1,xmm2/m128 | NP 0F 38 CA /r | Perform a Final Calculation for the Next Four SHA-1 Message Dwords |
| SHA256RNDS2 xmm1,xmm2/m128 SHA256RNDS2 xmm1,xmm2/m128,XMM0 | NP 0F 38 CB /r | Perform Two Rounds of SHA256 Operation |
| SHA256MSG1 xmm1,xmm2/m128 | NP 0F 38 CC /r | Perform an Intermediate Calculation for the Next Four SHA-256 Message Dwords |
| SHA256MSG2 xmm1,xmm2/m128 | NP 0F 38 CD /r | Perform a Final Calculation for the Next Four SHA-256 Message Dwords |
| | VSHA512RNDS2 ymm1,ymm2,xmm3 | |
| VSHA512MSG1 ymm1,xmm2 | | Perform an Intermediate Calculation for the Next Four SHA-512 Message Qwords |
| VSHA512MSG2 ymm1,ymm2 | | Perform a Final Calculation for the Next Four SHA-512 Message Qwords |
| | | |
| VSM3MSG1 xmm1,xmm2,xmm3/m128 | | Perform Initial Calculation for the Next Four SM3 Message Words |
| VSM3MSG2 xmm1,xmm2,xmm3/m128 | | Perform Final Calculation for the Next Four SM3 Message Words |

== Intel Key Locker instructions ==
These instructions, available in Tiger Lake and later Intel processors, are designed to enable encryption/decryption with an AES key without having access to any unencrypted copies of the key during the actual encryption/decryption process.
| Key Locker subset | Instruction | Encoding |
| | LOADIWKEY xmm1,xmm2 | |
| | ENCODEKEY128 r32,r32 | F3 0F 38 FA /r |
| ENCODEKEY256 r32,r32 | F3 0F 3A FB /r | Wrap a 256-bit AES key from XMM1:XMM0 into a 512-bit key handle - and output this handle to XMM0-3. |
| AESENC128KL xmm,m384 | F3 0F 38 DC /r | Encrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. |
| | F3 0F 38 DD /r | Decrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. |
| AESENC256KL xmm,m512 | F3 0F 38 DE /r | Encrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. |
| AESDEC256KL xmm,m512 | F3 0F 38 DF /r | Decrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. |
| | AESENCWIDE128KL m384 | F3 0F 38 D8 /0 |
| | F3 0F 38 D8 /1 | Decrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register. |
| AESENCWIDE256KL m512 | F3 0F 38 D8 /2 | Encrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. |
| AESDECWIDE256KL m512 | F3 0F 38 D8 /3 | Decrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. |

== VIA/Zhaoxin PadLock instructions ==

The VIA/Zhaoxin PadLock instructions are instructions designed to apply cryptographic primitives in bulk, similar to the 8086 repeated string instructions. As such, unless otherwise specified, they take, as applicable, pointers to source data in ES:rSI and destination data in ES:rDI, and a data-size or count in rCX. Like the old string instructions, they are all designed to be interruptible.
| PadLock subset | Instruction mnemonics |
| | XSTORE, XSTORE-RNG |
| REP XSTORE, | |
| REP XRNG2 | F3 0F A7 F8 |
| | REP XCRYPT-ECB |
| | F3 0F A7 D0 |
| REP XCRYPT-CFB | F3 0F A7 E0 |
| REP XCRYPT-OFB | F3 0F A7 E8 |
| | REP XCRYPT-CTR |
| | REP XSHA1 |
| REP XSHA256 | F3 0F A6 D0 |
| REP XSHA384 | F3 0F A6 D8 |
| REP XSHA512 | F3 0F A6 E0 |
| | REP MONTMUL |
| REP MONTMUL2 | F3 0F A6 F0 |
| REP XMODEXP | F3 0F A6 F8 |
| | CCS_HASH, CCS_SM3 |
| CCS_ENCRYPT, CCS_SM4 | F3 0F A7 F0 |
| SM2 | F2 0F A6 C0 |
