[crypto] Load variable addresses in functions (not in wrapper code)
This commit puts `la` instructions for variable address loading
inside of functions, so that address loading doesn't need to be
done in wrapper functions.

Signed-off-by: Moritz Wettermann <[email protected]>
wettermo authored and sameo committed Jun 10, 2024
1 parent 59f96ba commit ca83009
Showing 20 changed files with 294 additions and 151 deletions.
26 changes: 21 additions & 5 deletions sw/otbn/crypto/p384_base_mult.s
@@ -19,10 +19,8 @@
* Sets up context and calls the internal scalar multiplication routine.
* This routine runs in constant time.
*
* @param[in] x17: dptr_d0, pointer to location in dmem containing
* 1st private key share d0
* @param[in] x19: dptr_d1, pointer to location in dmem containing
* 2nd private key share d1
* @param[in] dmem[d0]: 1st private key share d0 in dmem
* @param[in] dmem[d1]: 2nd private key share d1 in dmem
* @param[out] dmem[x]: x-coordinate in dmem
* @param[out] dmem[y]: y-coordinate in dmem
*
@@ -32,7 +30,7 @@
* Flags: When leaving this subroutine, the M, L and Z flags of FG0 correspond
* to the computed affine y-coordinate.
*
* clobbered registers: x2, x3, x9 to x13, x18 to x21, x26 to x30
* clobbered registers: x2, x3, x9 to x13, x17 to x21, x26 to x30
* w0 to w30
* clobbered flag groups: FG0
*/
@@ -51,6 +49,12 @@ p384_base_mult:
/* set dmem pointer to scratchpad */
la x30, scratchpad

/* set dmem pointer to 1st private key share d0 */
la x17, d0

/* set dmem pointer to 1st private key share d0 */
la x19, d1

/* load domain parameter n (order of base point)
[w11, w10] = n = dmem[p384_n] */
li x2, 10
@@ -95,6 +99,18 @@ p384_base_mult:

.balign 32

/* 1st private key share d0 */
.globl d0
.weak d0
d0:
.zero 64

/* 2nd private key share d1 */
.globl d1
.weak d1
d1:
.zero 64

/* buffer for x-coordinate */
.globl x
.weak x
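Review bot: The comment above the added `la x19, d1` in p384_base_mult repeats the d0 comment word for word, so it names the wrong share; it should read `/* set dmem pointer to 2nd private key share d1 */`. The same copy-paste slip is in p384_keygen.s: the comments above `la x21, d1` and `la x21, k1` both say "1st", and the new data labels `k0` and `k1` are described as scalar shares "d0" and "d1". These buffers hold the private-key and signing-scalar shares, and the comments are what a reader uses to tell the two shares apart, so they should be exact. The body of p384_base_mult continues outside the hunk.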
4 changes: 0 additions & 4 deletions sw/otbn/crypto/p384_curve_point_valid.s
@@ -26,10 +26,6 @@ start:
unimp

validate_point:
/* Fill gpp registers with pointers to coordinates */
la x20, x
la x21, y

/* Call curve point validation function */
jal x1, p384_curve_point_valid

22 changes: 3 additions & 19 deletions sw/otbn/crypto/p384_ecdh.s
@@ -69,19 +69,11 @@ start:
* clobbered flag groups: FG0
*/
keypair_random:
/* Fill gpp registers with pointers to key shares */
la x20, d0
la x21, d1

/* Generate secret key d in shares.
dmem[d0] <= d0
dmem[d1] <= d1 */
jal x1, p384_generate_random_key

/* Fill gpp registers with pointers to key shares */
la x17, d0
la x19, d1

/* Generate public key d*G.
dmem[x] <= (d*G).x
dmem[y] <= (d*G).y */
@@ -113,17 +105,9 @@ keypair_random:
* clobbered flag groups: FG0
*/
shared_key:
/* Fill gpp registers with pointers to coordinates */
la x20, x
la x21, y

/* Fill gpp registers with pointers to scalar shares */
la x17, k0
la x19, k1

/* Generate arithmetically masked shared key d*Q.
dmem[x] <= (d*Q).x - m mod p
dmem[y] <= m */
/* Generate arithmetically masked shared key d*Q.
dmem[x] <= (d*Q).x - m mod p
dmem[y] <= m */
jal x1, p384_scalar_mult

/* Arithmetic-to-boolean conversion*/
8 changes: 0 additions & 8 deletions sw/otbn/crypto/p384_ecdsa_keygen.s
@@ -35,19 +35,11 @@ start:

*/
random_keygen:
/* Fill gpp registers with pointers to key shares */
la x20, d0
la x21, d1

/* Generate secret key d in shares.
dmem[d0] <= d0
dmem[d1] <= d1 */
jal x1, p384_generate_random_key

/* Fill gpp registers with pointers to key shares */
la x17, d0
la x19, d1

/* Generate public key d*G.
dmem[x] <= (d*G).x
dmem[y] <= (d*G).y */
17 changes: 2 additions & 15 deletions sw/otbn/crypto/p384_ecdsa_sca.s
@@ -26,19 +26,6 @@ start:

.text
p384_ecdsa_sign:
/* Fill gpp registers with pointers to variables required for p384_sign */
/* scalar shares */
la x17, k0
la x19, k1
/* message */
la x6, msg
/* signature values */
la x14, r
la x15, s
/* secret key shares */
la x4, d0
la x5, d1

jal x1, p384_sign
ecall

@@ -65,13 +52,13 @@ k0:
.zero 64

/* random scalar k1*/
.global k1
.globl k1
.balign 64
k1:
.zero 64

/* randomness for blinding */
.global rnd
.globl rnd
.balign 64
rnd:
.zero 64
12 changes: 4 additions & 8 deletions sw/otbn/crypto/p384_ecdsa_sign.s
@@ -34,26 +34,22 @@ start:
* @param[out] dmem[s]: s component of signature
*/
ecdsa_sign:
/* Fill gpp registers with pointers to scalar shares */
la x20, k0
la x21, k1

/* Generate a fresh random scalar for signing.
dmem[k0] <= first share of k
dmem[k1] <= second share of k */
jal x1, p384_generate_k

/* Fill gpp registers with pointers to variables required for p384_sign */
/* scalar shares */
la x17, k0
/*la x17, k0
la x19, k1
/* message */
la x6, msg
/*la x6, msg
/* signature values */
la x14, r
/*la x14, r
la x15, s
/* secret key shares */
la x4, d0
/*la x4, d0
la x5, d1

/* Generate the signature. */
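Review bot: The register setup in ecdsa_sign is disabled by opening a comment on four lines (`/*la x17, k0`, `/*la x6, msg`, `/*la x14, r`, `/*la x4, d0`) and relying on the `*/` of whichever comment comes next to close it. Assuming comments do not nest, that also hides `la x19, k1`, `la x15, s` and `la x5, d1`, and swallows the `/* Generate the signature. */` comment. Editing or removing any of those closing comments would silently comment out the next instruction with no assembler error, presumably the call into the signing routine, which lies outside the hunk. The other wrappers in this commit (p384_ecdsa_sca.s, p384_ecdsa_verify.s) delete the block outright; do the same here, including the now stale heading `/* Fill gpp registers with pointers to variables required for p384_sign */`.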
12 changes: 0 additions & 12 deletions sw/otbn/crypto/p384_ecdsa_verify.s
@@ -45,18 +45,6 @@ start:
*
*/
ecdsa_verify:
/* Fill gpp registers with pointers to variables required for p384_verify */
/* signature values */
la x6, r
la x7, s
/* reduced x1-coordinate */
la x8, rnd
/* message */
la x9, msg
/* public key coordinates*/
la x13, x
la x14, y

/* Verify the signature (compute x1). */
jal x1, p384_verify

26 changes: 22 additions & 4 deletions sw/otbn/crypto/p384_isoncurve.s
@@ -131,10 +131,8 @@ p384_isoncurve:
* This routine raises a software error and halts operation if the curve point
* is invalid.
*
* @param[in] x20: dptr_x, pointer to dmem location containing affine
* x-coordinate of input point
* @param[in] x21: dptr_y, pointer to dmem location containing affine
* y-coordinate of input point
* @param[in] dmem[x]: affine x-coordinate of input point in dmem
* @param[in] dmem[y]: affine y-coordinate of input point in dmem
*
* Flags: Flags have no meaning beyond the scope of this subroutine.
*
@@ -146,6 +144,12 @@ p384_curve_point_valid:
/* Init all-zero register. */
bn.xor w31, w31, w31

/* set dmem pointer to point x-coordinate */
la x20, x

/* set dmem pointer to point y-coordinate */
la x21, y

/* load domain parameter p (modulus)
[w13, w12] = p = dmem[p384_p] */
li x2, 12
@@ -245,6 +249,20 @@ p384_curve_point_valid:

.data

/* x-coordinate */
.globl x
.weak x
.balign 32
x:
.zero 64

/* y-coordinate */
.globl y
.weak y
.balign 32
y:
.zero 64

/* Right side of Weierstrass equation */
.globl rhs
.weak rhs
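Review bot: p384_curve_point_valid now overwrites x20 and x21 on entry (`la x20, x`, `la x21, y`), but its clobber list sits in the collapsed part of the header comment and this commit does not change it. p384_base_mult.s and p384_keygen.s both had their lists extended for the same reason. If x20 and x21 are not already listed, add them, because callers cannot assume values left in those registers survive the call. The header should also say that the routine validates only the fixed dmem[x]/dmem[y] buffers, for example `* Only the point stored at dmem[x], dmem[y] is checked; copy the point there before calling.`, so the check is not assumed to cover a point held elsewhere. The function body runs beyond the hunk.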
52 changes: 46 additions & 6 deletions sw/otbn/crypto/p384_keygen.s
@@ -151,17 +151,23 @@ p384_random_scalar:
*
* Flags: Flags have no meaning beyond the scope of this subroutine.
*
* @param[in] x20: dptr_d0, pointer to bufffer of 1st private key share d0
* @param[in] x21: dptr_d1, pointer to bufffer of 2nd private key share d1
* @param[out] dmem[d0]: 1st private key share d0
* @param[out] dmem[d1]: 2nd private key share d1
*
* clobbered registers: x2, x3, x20, w4 to w11, w14, w16 to w28
* clobbered registers: x2, x3, x20, x21, w4 to w11, w14, w16 to w28
* clobbered flag groups: FG0
*/
.globl p384_generate_random_key
p384_generate_random_key:
/* Init all-zero register. */
bn.xor w31, w31, w31

/* set dmem pointer to 1st private key share d0 */
la x20, d0

/* set dmem pointer to 1st private key share d1 */
la x21, d1

/* Generate a random scalar in two 448-bit shares.
[w7,w6] <= d0
[w9,w8] <= d1 */
@@ -185,17 +191,23 @@ p384_generate_random_key:
*
* Flags: Flags have no meaning beyond the scope of this subroutine.
*
* @param[in] x20: dptr_k0, pointer to bufffer of 1st scalar share k0
* @param[in] x21: dptr_k1, pointer to bufffer of 2nd scalar share k1
* @param[out] dmem[k0]: 1st scalar share k0
* @param[out] dmem[k1]: 2nd scalar share k1
*
* clobbered registers: x2, x3, x20, w4 to w11, w14, w16 to w28
* clobbered registers: x2, x3, x20, x21, w4 to w11, w14, w16 to w28
* clobbered flag groups: FG0
*/
.globl p384_generate_k
p384_generate_k:
/* Init all-zero register. */
bn.xor w31, w31, w31

/* set dmem pointer to 1st scalar share k0 */
la x20, k0

/* set dmem pointer to 1st scalar share k1 */
la x21, k1

/* Generate a random scalar in two 448-bit shares.
[w7,w6] <= k0
[w9,w8] <= k1 */
@@ -213,3 +225,31 @@ p384_generate_k:
bn.sid x2++, 32(x21)

ret

.section .data

.balign 32

/* 1st scalar share d0 */
.globl k0
.weak k0
k0:
.zero 64

/* 2nd scalar share d1 */
.globl k1
.weak k1
k1:
.zero 64

/* 1st private key share d0 */
.globl d0
.weak d0
d0:
.zero 64

/* 2nd private key share d1 */
.globl d1
.weak d1
d1:
.zero 64
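Review bot: The new `.data` block defines `d0` and `d1` as `.globl`/`.weak` 64-byte buffers, and this commit adds the same weak definitions to p384_base_mult.s, with no comment saying the duplication is intended or what must stay in sync. `x` is likewise defined weak in both p384_base_mult.s and p384_isoncurve.s. The routines now address these secret-share buffers by symbol name, so a one-line comment at each definition would help, e.g. `/* weak default, may be overridden by the application; keep size (64 bytes) and alignment in sync with p384_base_mult.s */`. Only the first label after `.balign 32` is explicitly aligned here; the later ones stay aligned only while every preceding buffer remains a multiple of 32 bytes, which p384_isoncurve.s avoids by repeating `.balign 32` per label.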