From 9aaef6bcf833d75584595315c726c56a4de4ee33 Mon Sep 17 00:00:00 2001
From: Pirmin Vogel
Date: Mon, 12 Feb 2024 13:50:41 +0100
Subject: [PATCH] [kmac] Add param to keccak_round/2share to only use external randomness

Depending on the PRNG architecture and control, the externally provided randomness can be guaranteed to be stable when the inputs to the DOM multipliers don't change. Not using partial intermediate results to cover these cases allows saving some silicon area (minus 800 MUX2). However, it seems that PROLEAD currently cannot successfully analyze the design with this new option enabled. For this reason, we keep the multiplexers in the design.

Signed-off-by: Pirmin Vogel
---
 hw/ip/kmac/rtl/keccak_2share.sv | 25 ++++++++++++++++++-------
 hw/ip/kmac/rtl/keccak_round.sv | 32 +++++++++++++++++++++++++-------
 hw/ip/kmac/rtl/kmac_entropy.sv | 5 ++++-
 3 files changed, 47 insertions(+), 15 deletions(-)

diff --git a/hw/ip/kmac/rtl/keccak_2share.sv b/hw/ip/kmac/rtl/keccak_2share.sv
index 1a01482c9d426..4823a0d2e7b88 100644
--- a/hw/ip/kmac/rtl/keccak_2share.sv
+++ b/hw/ip/kmac/rtl/keccak_2share.sv
@@ -19,8 +19,11 @@ module keccak_2share
 localparam int RndW = $clog2(MaxRound+1), // Representing up to MaxRound

 // Control parameters
- parameter bit EnMasking = 0, // Enable secure hardening
- localparam int Share = EnMasking ? 2 : 1
+ parameter bit EnMasking = 1'b0, // Enable secure hardening
+ parameter bit ForceRandExt = 1'b0, // 1: Always forward externally provided randomness. // 0: Switch between external randomness and internal // intermediate state according to dom_in_rand_ext_i.
+ localparam int Share = EnMasking ? 2 : 1
 ) (
 input clk_i,
 input rst_ni,
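Review bot: The comment on the new `ForceRandExt` parameter of keccak_2share describes what the `1` setting does but not when it is safe, and the precondition is the security-relevant part: according to the commit message the `1` setting is only sound if `rand_i` is held stable whenever the DOM multiplier inputs do not change, and the masked design has only been analyzed with PROLEAD in the default `0` setting. A later integrator cannot recover either fact from the parameter list, so I would state both next to it, e.g. `// 1: Always forward externally provided randomness. Only secure if rand_i is stable whenever the DOM multiplier inputs are unchanged; not yet covered by PROLEAD analysis.` The module header and port list continue outside the hunk.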
@@ -221,11 +224,19 @@ module keccak_2share
 assign b1 = dom_in_low_i ? b1_l : b1_h;

 // Randomness muxing
- // Intermediate results are rotated across rows. The new Row x depends on
- // data from Rows x + 1 and x + 2. Hence we don't want to use intermediate
- // results from Rows x, x + 1, and x + 2 for remasking.
- assign in_prd[x] = dom_in_rand_ext_i ? rand_i[x * WSheetHalf +: WSheetHalf] :
- out_prd[rot_int(x, 5)];
+ if (!ForceRandExt) begin : gen_in_prd_mux
+ // Intermediate results are rotated across rows. The new Row x depends on
+ // data from Rows x + 1 and x + 2. Hence we don't want to use intermediate
+ // results from Rows x, x + 1, and x + 2 for remasking.
+ assign in_prd[x] = dom_in_rand_ext_i ? rand_i[x * WSheetHalf +: WSheetHalf] :
+ out_prd[rot_int(x, 5)];
+ end else begin : gen_no_in_prd_mux
+ // Always use the externally provided randomness.
+ assign in_prd[x] = rand_i[x * WSheetHalf +: WSheetHalf];
+ // Tie off unused signals.
+ logic unused_out_prd;
+ assign unused_out_prd = ^{dom_in_rand_ext_i, out_prd[rot_int(x, 5)]};
+ end

 prim_dom_and_2share #(
 .DW (WSheetHalf), // a half sheet
diff --git a/hw/ip/kmac/rtl/keccak_round.sv b/hw/ip/kmac/rtl/keccak_round.sv
index c033c88b1c8f2..69e4c39c4cd52 100644
--- a/hw/ip/kmac/rtl/keccak_round.sv
+++ b/hw/ip/kmac/rtl/keccak_round.sv
@@ -52,8 +52,11 @@ module keccak_round
 localparam int DInAddr = $clog2(DInEntry),

 // Control parameters
- parameter bit EnMasking = 1'b0, // Enable SCA hardening, requires Width >= 50
- localparam int Share = EnMasking ? 2 : 1
+ parameter bit EnMasking = 1'b0, // Enable SCA hardening, requires Width >= 50
+ parameter bit ForceRandExt = 1'b0, // 1: Always forward externally provided randomness.
+ // 0: Switch between external randomness and internal
+ // intermediate state according to schedule.
+ localparam int Share = EnMasking ? 2 : 1
 ) (
 input clk_i,
 input rst_ni,
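Review bot: In `gen_no_in_prd_mux` the value of `dom_in_rand_ext_i` is silently ignored (it is only folded into the `unused_out_prd` tie-off), so an instantiation that sets `ForceRandExt` on keccak_2share while its parent still drives the remasking schedule on that port would bypass the intermediate-result remasking with no lint warning and no simulation signal. Because the commit keeps the schedule logic alive in keccak_round for the default configuration, such a parameter/port mismatch is a realistic integration error, and an assertion in this branch such as `ASSERT(DomInRandExtForced_A, dom_update_i |-> dom_in_rand_ext_i)` would make it visible (this assumes the prim_assert macros are available in this file, which I cannot confirm from the hunk). I would also add one sentence to the `// Always use the externally provided randomness.` comment saying that this branch relies on rand_i being stable whenever the multiplier inputs are unchanged, since the rows x, x + 1, x + 2 argument above no longer applies. The surrounding generate loop over `x` starts and ends outside the hunk.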
@@ -409,14 +412,28 @@ module keccak_round
 low_then_high_q <= 1'b 0;
 dom_out_low_q <= 1'b 0;
 dom_in_low_q <= 1'b 0;
- dom_in_rand_ext_q <= 1'b 0;
 end else begin
 low_then_high_q <= low_then_high_d;
 dom_out_low_q <= dom_out_low_d;
 dom_in_low_q <= dom_in_low_d;
- dom_in_rand_ext_q <= dom_in_rand_ext_d;
 end
 end
+
+ if (!ForceRandExt) begin : gen_reg_dom_in_rand_ext
+ always_ff @(posedge clk_i or negedge rst_ni) begin
+ if (!rst_ni) begin
+ dom_in_rand_ext_q <= 1'b 0;
+ end else begin
+ dom_in_rand_ext_q <= dom_in_rand_ext_d;
+ end
+ end
+ end else begin : gen_force_dom_in_rand_ext
+ // Always forward the externally provided randomness.
+ assign dom_in_rand_ext_q = 1'b 1;
+ // Tie off unused signals.
+ logic unused_dom_in_rand_ext;
+ assign unused_dom_in_rand_ext = dom_in_rand_ext_d;
+ end
 end else begin : gen_no_regs_dom_ctrl
 logic unused_dom_ctrl;
 assign unused_dom_ctrl =
@@ -504,8 +521,9 @@ module keccak_round
 // Datapath //
 //////////////
 keccak_2share #(
- .Width (Width),
- .EnMasking (EnMasking)
+ .Width(Width),
+ .EnMasking(EnMasking),
+ .ForceRandExt(ForceRandExt)
 ) u_keccak_p (
 .clk_i,
 .rst_ni,
@@ -520,7 +538,7 @@ module keccak_round
 .dom_in_rand_ext_i(dom_in_rand_ext_q),
 .dom_update_i (dom_update),

- .rand_i (keccak_rand_data),
+ .rand_i(keccak_rand_data),

 .s_i(storage),
 .s_o(keccak_out)
diff --git a/hw/ip/kmac/rtl/kmac_entropy.sv b/hw/ip/kmac/rtl/kmac_entropy.sv
index 6fc4240fed4b3..08c306ab9ff34 100644
--- a/hw/ip/kmac/rtl/kmac_entropy.sv
+++ b/hw/ip/kmac/rtl/kmac_entropy.sv
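Review bot: `gen_force_dom_in_rand_ext` discards the schedule's `dom_in_rand_ext_d` entirely, so with `ForceRandExt` set the DOM gadgets see `keccak_rand_data` on every `dom_update` and the no-reuse argument rests completely on kmac_entropy holding that data stable exactly while the multiplier inputs are unchanged and advancing it otherwise; nothing in keccak_round checks that precondition, which matters since the commit message says PROLEAD cannot analyze this configuration yet. If `dom_in_rand_ext_d` marks the cycles in which the schedule expects fresh external randomness (the parameter comment suggests so, but I cannot confirm it from this hunk), an assertion in the ForceRandExt branch along the lines of `ASSERT(FreshRandOnExtUpdate_A, dom_update && dom_in_rand_ext_d |-> !$stable(keccak_rand_data))` would turn the commit-message assumption into something simulation can catch; it would need to compare against the value consumed at the previous update rather than the previous clock to avoid false failures. Separately, `assign dom_in_rand_ext_q = 1'b 1;` presumes `dom_in_rand_ext_q` is declared as `logic` and not driven anywhere else; its declaration is outside the hunk. The enclosing generate block, whose else branch is `gen_no_regs_dom_ctrl`, starts outside the hunk.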
@@ -730,7 +730,10 @@ module kmac_entropy end StRandGenerate: begin - // The current buffer output is used as auxiliary randomness. We don't + // The current buffer output is used as auxiliary randomness and - + // depending on whether keccak_round is parametrized to always forward + // the buffer output and not use intermediate randomness - forwarded + // to the DOM multipliers without them updating in this cycle. We don't // need to advance the PRNG as there is no risk of accidentally // re-using the same randomness twice since after the current cycle: // - We either load and re-mask the message/key which will use