danpage
commented
5 years ago I just checked through this, and I think you're right: it seems the mismatch might have stemmed from the fact the original paper used a big-endian, SPARC-based platform. So their left-rotate should be a right-rotate for a little-endian RISC-V?
It should be more useful if this xc.aessub.encrot performs SBOX and byte right rotation instead of left rotation. So that, it can be used effectively in key expansion function.