
[aes] Masked GHASH implementation #8

Merged (7 commits), Nov 19, 2024

Conversation

@vogelpi (Owner) commented Nov 18, 2024

This PR contains the initial RTL for the masked GHASH implementation.

The design is functionally correct and passes first masking verification experiments. This means we shouldn't consider the masking verification done yet but we can be reasonably confident that the design will not need to be radically changed.

Previously, we restored a previously saved GHASH state by first
overwriting the initialized state with the masked cipher core input and
second subtracting Share 1 of S from the GHASH state afterwards.

This commit changes the design to overwrite only Share 0 of the
initialized state with the unmasked saved state and leave Share 1
untouched. As Share 1 of the state is already initialized to Share 1 of
S, no further operations have to be done. This allows saving one 128-bit
multiplexer input (or 300 GE).

Signed-off-by: Pirmin Vogel <[email protected]>
This allows speeding up the masking verification.

Signed-off-by: Pirmin Vogel <[email protected]>
This is preferable from a side-channel perspective as it reduces SCA
leakage related to S.

Signed-off-by: Pirmin Vogel <[email protected]>
This commit aligns the unmasked and masked implementation of the GHASH
block regarding state saving and restoring. In both cases, the sum of
the GHASH state and S is saved. After restoring, S is again subtracted
also for the unmasked implementation. This allows saving one 128-bit
multiplexer input and it allows exchanging saved states between
unmasked and masked implementations, which simplifies DV.

Signed-off-by: Pirmin Vogel <[email protected]>
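The commit messages above describe two things a reader may want to see in working arithmetic: a GHASH state kept as Boolean shares, and a save format (GHASH state plus S) that an unmasked and a masked implementation can exchange. The following Python is an added illustration of that algebra; it is not the project's RTL or its DV setup. It assumes two shares, masks H as well as the state (an assumption, since H is key-derived), blinds the cross terms of the share-wise multiplication with fresh randomness in the DOM style, and folds the S correction into Share 0 explicitly on restore, whereas the RTL arranges its initialization so that no extra operation is needed. The check values are the constructed inputs of GCM specification test case 2 (all-zero key, zero IV, one zero plaintext block).

```python
"""Added illustration (not the project's RTL): GHASH over GF(2^128) with a
two-share Boolean-masked state and masked H, plus the 'state XOR S' save
format that lets an unmasked and a masked implementation resume each other."""
import secrets

R = 0xE1 << 120  # GHASH field reduction constant (x^128+x^7+x^2+x+1), GCM bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit elements of GF(2^128) in GCM bit order
    (Algorithm 1 of the GCM specification; spec bit 0 is the MSB here)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash_inputs(aad: bytes, ct: bytes):
    """Yield the GHASH input blocks: zero-padded A, zero-padded C, length block."""
    for data in (aad, ct):
        for i in range(0, len(data), 16):
            yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
    yield (len(aad) * 8) << 64 | (len(ct) * 8)


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """Reference, unmasked GHASH_H(A, C)."""
    y = 0
    for x in ghash_inputs(aad, ct):
        y = gf_mul(y ^ x, h)
    return y


def share(v: int) -> tuple:
    """Split v into two random Boolean shares (v = s0 ^ s1)."""
    m = secrets.randbits(128)
    return v ^ m, m


def unshare(s: tuple) -> int:
    return s[0] ^ s[1]


def masked_mul(a: tuple, b: tuple) -> tuple:
    """Share-wise product of two masked field elements. Cross terms are blinded
    with fresh randomness r before being folded into the outputs (DOM style).
    Glitch-resistant hardware also registers the partial products before
    recombining them; that timing aspect is not modelled here."""
    (a0, a1), (b0, b1) = a, b
    r = secrets.randbits(128)
    c0 = gf_mul(a0, b0) ^ (gf_mul(a0, b1) ^ r)
    c1 = gf_mul(a1, b1) ^ (gf_mul(a1, b0) ^ r)
    return c0, c1


class MaskedGhash:
    """GHASH with state and H both kept as two Boolean shares. Public input
    blocks are added to Share 0 only; only the caller recombines at the end."""

    def __init__(self, h_shares: tuple):
        self.h = h_shares
        self.y = share(0)

    def absorb(self, x: int) -> None:
        y0, y1 = self.y
        self.y = masked_mul((y0 ^ x, y1), self.h)

    def save(self, s_shares: tuple) -> int:
        """Emit state XOR S, the save format shared with the unmasked variant."""
        (y0, y1), (s0, s1) = self.y, s_shares
        return (y0 ^ s0) ^ (y1 ^ s1)

    def restore(self, saved: int, s_shares: tuple) -> None:
        """Load a saved 'state XOR S' value. Share 1 keeps an S share; the
        remaining S correction is folded into Share 0 explicitly (model only)."""
        s0, s1 = s_shares
        self.y = (saved ^ s0, s1)


def run_interop(h: int, s: int, aad: bytes, ct: bytes) -> dict:
    """Hash (A, C) four ways and return the results; all must agree."""
    blocks = list(ghash_inputs(aad, ct))
    out = {"reference": ghash(h, aad, ct)}

    mg = MaskedGhash(share(h))            # masked from start to finish
    for x in blocks:
        mg.absorb(x)
    out["masked_full"] = unshare(mg.y)

    y = gf_mul(blocks[0], h)              # unmasked does block 0 and saves Y XOR S
    mg = MaskedGhash(share(h))
    mg.restore(y ^ s, share(s))           # masked resumes from the saved value
    for x in blocks[1:]:
        mg.absorb(x)
    out["resumed_by_masked"] = unshare(mg.y)

    mg = MaskedGhash(share(h))            # masked does block 0 and saves
    mg.absorb(blocks[0])
    y = mg.save(share(s)) ^ s             # unmasked subtracts S again, then resumes
    for x in blocks[1:]:
        y = gf_mul(y ^ x, h)
    out["resumed_by_unmasked"] = y
    return out


if __name__ == "__main__":
    # Constructed check values: GCM spec test case 2 (K = 0, IV = 0^96, P = 0^128).
    H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E   # H = AES_K(0^128)
    S = 0x58E2FCCEFA7E3061367F1D57A4E7455A   # S = AES_K(J0)
    CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    for name, val in run_interop(H, S, b"", CT).items():
        print(f"{name:20s} {val:032x}")
```

Running the script prints the same GHASH value four times. The point a reviewer of the masked design cares about is in `masked_mul` and `save`: the shares of the state and of S are only ever combined at the one place where the design deliberately leaves the masked domain, and that place is the same value (state XOR S) the unmasked implementation emits, which is what makes the two implementations' saved states interchangeable.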
@nasahlpa (Collaborator) left a comment

Are you planning to add the documentation to this PR or will this be added later? It would help reviewing the PR, but from a first look it looks good to me.

@vogelpi (Owner, Author) commented Nov 18, 2024

I am currently writing the documentation for this but it will be in a separate doc for the time being.

@vogelpi (Owner, Author) commented Nov 18, 2024

CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_control_fsm.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_core.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_ctrl_gcm_reg_shadowed.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_ghash.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_pkg.sv

This PR touches AES RTL files but this is expected.

@nasahlpa (Collaborator) left a comment

I had a more thorough look into the masking and I think it looks good.

@nasahlpa (Collaborator) commented Nov 19, 2024

CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_control_fsm.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_core.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_ctrl_gcm_reg_shadowed.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_ghash.sv
CHANGE AUTHORIZED: hw/ip/aes/rtl/aes_pkg.sv

This PR touches AES RTL files but this is expected.

@vogelpi (Owner, Author) commented Nov 19, 2024

Thank you both for your reviews. I'll share the spec as soon as it's ready. I am merging this now.

@vogelpi vogelpi merged commit ad72638 into aes-gcm-review Nov 19, 2024
14 of 17 checks passed
3 participants