[kmac] Add param to keccak_round/2share to only use external randomness
Depending on the PRNG architecture and control, the externally provided
randomness can be guaranteed to be stable when the inputs to the DOM
multipliers don't change. Not using partial intermediate results to
cover these cases allows saving some silicon area (about 800 MUX2 cells fewer).

However, it seems that PROLEAD currently cannot successfully analyze
the design with this new option enabled. For this reason, we keep the
multiplexers in the design.

Signed-off-by: Pirmin Vogel <[email protected]>
vogelpi committed Feb 22, 2024
1 parent bdf8896 commit 9aaef6b
Showing 3 changed files with 47 additions and 15 deletions.
25 changes: 18 additions & 7 deletions hw/ip/kmac/rtl/keccak_2share.sv
Expand Up @@ -19,8 +19,11 @@ module keccak_2share
localparam int RndW = $clog2(MaxRound+1), // Representing up to MaxRound

// Control parameters
parameter bit EnMasking = 0, // Enable secure hardening
localparam int Share = EnMasking ? 2 : 1
parameter bit EnMasking = 1'b0, // Enable secure hardening
parameter bit ForceRandExt = 1'b0, // 1: Always forward externally provided randomness.
// 0: Switch between external randomness and internal
// intermediate state according to dom_in_rand_ext_i.
localparam int Share = EnMasking ? 2 : 1
) (
input clk_i,
input rst_ni,
Expand Down Expand Up @@ -221,11 +224,19 @@ module keccak_2share
assign b1 = dom_in_low_i ? b1_l : b1_h;

// Randomness muxing
// Intermediate results are rotated across rows. The new Row x depends on
// data from Rows x + 1 and x + 2. Hence we don't want to use intermediate
// results from Rows x, x + 1, and x + 2 for remasking.
assign in_prd[x] = dom_in_rand_ext_i ? rand_i[x * WSheetHalf +: WSheetHalf] :
out_prd[rot_int(x, 5)];
if (!ForceRandExt) begin : gen_in_prd_mux
// Intermediate results are rotated across rows. The new Row x depends on
// data from Rows x + 1 and x + 2. Hence we don't want to use intermediate
// results from Rows x, x + 1, and x + 2 for remasking.
assign in_prd[x] = dom_in_rand_ext_i ? rand_i[x * WSheetHalf +: WSheetHalf] :
out_prd[rot_int(x, 5)];
end else begin : gen_no_in_prd_mux
// Always use the externally provided randomness.
assign in_prd[x] = rand_i[x * WSheetHalf +: WSheetHalf];
// Tie off unused signals.
logic unused_out_prd;
assign unused_out_prd = ^{dom_in_rand_ext_i, out_prd[rot_int(x, 5)]};
end

prim_dom_and_2share #(
.DW (WSheetHalf), // a half sheet
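Review bot: The gen_no_in_prd_mux branch at the end of the second hunk forwards rand_i unconditionally but documents neither the precondition that makes this safe nor the fact that it is unverified: per the commit message the external randomness must be held stable while the DOM multiplier inputs are unchanged, and PROLEAD could not analyze the design with ForceRandExt set. Since keccak_2share cannot check either property itself, the parameter comment in the first hunk is the place to state them; I would extend the ForceRandExt comment with `// Requires the external randomness to stay stable whenever the DOM multiplier inputs do not change; not yet verified with PROLEAD.` The generate loop that contains the new if/else starts outside the hunk.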
32 changes: 25 additions & 7 deletions hw/ip/kmac/rtl/keccak_round.sv
Expand Up @@ -52,8 +52,11 @@ module keccak_round
localparam int DInAddr = $clog2(DInEntry),

// Control parameters
parameter bit EnMasking = 1'b0, // Enable SCA hardening, requires Width >= 50
localparam int Share = EnMasking ? 2 : 1
parameter bit EnMasking = 1'b0, // Enable SCA hardening, requires Width >= 50
parameter bit ForceRandExt = 1'b0, // 1: Always forward externally provided randomness.
// 0: Switch between external randomness and internal
// intermediate state according to schedule.
localparam int Share = EnMasking ? 2 : 1
) (
input clk_i,
input rst_ni,
Expand Down Expand Up @@ -409,14 +412,28 @@ module keccak_round
low_then_high_q <= 1'b 0;
dom_out_low_q <= 1'b 0;
dom_in_low_q <= 1'b 0;
dom_in_rand_ext_q <= 1'b 0;
end else begin
low_then_high_q <= low_then_high_d;
dom_out_low_q <= dom_out_low_d;
dom_in_low_q <= dom_in_low_d;
dom_in_rand_ext_q <= dom_in_rand_ext_d;
end
end

if (!ForceRandExt) begin : gen_reg_dom_in_rand_ext
always_ff @(posedge clk_i or negedge rst_ni) begin
if (!rst_ni) begin
dom_in_rand_ext_q <= 1'b 0;
end else begin
dom_in_rand_ext_q <= dom_in_rand_ext_d;
end
end
end else begin : gen_force_dom_in_rand_ext
// Always forward the externally provided randomness.
assign dom_in_rand_ext_q = 1'b 1;
// Tie off unused signals.
logic unused_dom_in_rand_ext;
assign unused_dom_in_rand_ext = dom_in_rand_ext_d;
end
end else begin : gen_no_regs_dom_ctrl
logic unused_dom_ctrl;
assign unused_dom_ctrl =
Expand Down Expand Up @@ -504,8 +521,9 @@ module keccak_round
// Datapath //
//////////////
keccak_2share #(
.Width (Width),
.EnMasking (EnMasking)
.Width(Width),
.EnMasking(EnMasking),
.ForceRandExt(ForceRandExt)
) u_keccak_p (
.clk_i,
.rst_ni,
Expand All @@ -520,7 +538,7 @@ module keccak_round
.dom_in_rand_ext_i(dom_in_rand_ext_q),
.dom_update_i (dom_update),

.rand_i (keccak_rand_data),
.rand_i(keccak_rand_data),

.s_i(storage),
.s_o(keccak_out)
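Review bot: With ForceRandExt set, gen_force_dom_in_rand_ext ties dom_in_rand_ext_q to 1'b1 so keccak_rand_data feeds the DOM multipliers every cycle, yet nothing in keccak_round checks the property the commit message relies on — that the externally provided randomness does not change while the multiplier inputs are stable — which is left entirely to kmac_entropy's FSM and a comment there. If `dom_update` is the signal marking a change of the multiplier inputs (it is what is passed as dom_update_i in the instantiation), an assertion along the lines of `ASSERT(RandStableWhenNoDomUpdate_A, ForceRandExt && !dom_update |=> $stable(keccak_rand_data))` would pin that contract in the RTL, though the exact condition should be confirmed against kmac_entropy before adding it. As a point of style, a constant driven by `assign` keeps the `_q` suffix that the neighbouring flops use; a short comment such as `// Kept as *_q so the instantiation below is parameter-independent.` would avoid a reader taking it for a register. The enclosing generate block that starts these two branches begins outside the hunk.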
5 changes: 4 additions & 1 deletion hw/ip/kmac/rtl/kmac_entropy.sv
Expand Up @@ -730,7 +730,10 @@ module kmac_entropy
end

StRandGenerate: begin
// The current buffer output is used as auxiliary randomness. We don't
// The current buffer output is used as auxiliary randomness and -
// depending on whether keccak_round is parametrized to always forward
// the buffer output and not use intermediate randomness - forwarded
// to the DOM multipliers without them updating in this cycle. We don't
// need to advance the PRNG as there is no risk of accidentally
// re-using the same randomness twice since after the current cycle:
// - We either load and re-mask the message/key which will use
