-------------------------------------------------------------------------------
-- Title : Ascon state with round transformation
-- Project :
-------------------------------------------------------------------------------
-- File : state.vhdl
-- Author : Hannes Gross
-- Company : Graz University of Technology
-- Created : 2016-11-18
-- Last update: 2016-12-21
-- Platform :
-- Standard : VHDL'93/02
-------------------------------------------------------------------------------
-- Description:
-------------------------------------------------------------------------------
-- Copyright (c) 2016
-------------------------------------------------------------------------------
-- Revisions :
-- Date Version Author Description
-- 2016-11-18 1.0 hgross Created
-------------------------------------------------------------------------------
library ieee;
use ieee.std_logic_1164.all;
use ieee.numeric_std.all;
use work.ascon_pkg.all;
-------------------------------------------------------------------------------
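entity state is
  -- Ascon state register bank with the masked round transformation.  The state
  -- words, the key and the data are handled as D+1 Boolean shares (D and the
  -- shared types come from work.ascon_pkg); the nonce and the round constant are
  -- public and unshared.  NOTE(review): DATA_BLOCK_SIZE only feeds the IV
  -- (CONST_RATE in the architecture); the actual rate handling is selected by
  -- VARIANT from ascon_pkg, so the two must be kept consistent by the integrator.
  generic (
    DATA_BLOCK_SIZE : integer := 64;    -- 64 for Ascon128, 128 for Ascon128a
    KEY_SIZE        : integer := 128;   -- only 128 supported so far
    ROUNDS_A        : integer := 12;    -- 12 is default
    ROUNDS_B        : integer := 6;     -- 6 for Ascon128, 8 for Ascon128a
    SBOX_INSTANCES  : integer := 64;    -- Parallel Sboxes = 1,2,4,8,16,32,64
    IMPLICIT_AFFINE : string  := "yes"; -- Sbox affine transform. shall be
                                        -- done during round const addition?
    PIPELINED       : string  := "yes"  -- "yes", or "no"
    );
  port (
    ClkxCI                     : in  std_logic;
    RstxBI                     : in  std_logic;
    -- State Inputs
    KeyxDI                     : in  t_shared_key_var(D downto 0);
    NoncexDI                   : in  std_logic_vector(127 downto 0);
    DataxDI                    : in  t_shared_data(D downto 0);
    RoundConstxDI              : in  std_logic_vector(3 downto 0);
    -- Fresh random Z masks (one set per S-box instance; consumed by work.sbox)
    Z0xDI                      : in  random_t(SBOX_INSTANCES-1 downto 0);
    Z1xDI                      : in  random_t(SBOX_INSTANCES-1 downto 0);
    Z2xDI                      : in  random_t(SBOX_INSTANCES-1 downto 0);
    Z3xDI                      : in  random_t(SBOX_INSTANCES-1 downto 0);
    Z4xDI                      : in  random_t(SBOX_INSTANCES-1 downto 0);
    -- Control the state
    DoInitializeStatexSI       : in  std_logic;
    DoRoundTransfromationxSI   : in  std_logic;
    isEncryptionxSI            : in  std_logic;
    addedKeyAtInitxSI          : in  std_logic;
    addedDomainSeparationxSI   : in  std_logic;
    isFirstRoundOfTransformxSI : in  std_logic;
    FSMxDI                     : in  ascon_fsm_t;
    -- State Outputs
    DataxDO                    : out t_shared_data(D downto 0);
    DataReadyxSO               : out std_logic;
    TagxDO                     : out t_shared_tag (D downto 0);
    doIncrementRoundCounterxSO : out std_logic;
    StateBusyxSO               : out std_logic
    );
  -----------------------------------------------------------------------------
  -- Helper functions
  -----------------------------------------------------------------------------
  -- Number of cycles the FSM stays in SBOX_LAYER before moving on (the counter
  -- starts at 0 and the exit test is ">=", so the layer takes this value + 1
  -- cycles).  One pass over the 64 columns needs 64/SBOX_INSTANCES steps; the
  -- LOW_RANDOMNESS S-box variant additionally has to drain its pipeline, and an
  -- explicit (non-implicit) affine transformation costs one more cycle.
  -- SBOX_VARIANT and NUM_PIPELINE_REGS are taken from ascon_pkg.
  function SBOX_COUNTER_MAX
    return integer is
    variable cycles : integer := 64/SBOX_INSTANCES;  -- one pass over all columns
  begin
    if SBOX_VARIANT /= "DOM" then
      -- LOW_RANDOMNESS Sbox variant: account for the pipeline depth
      cycles := cycles + NUM_PIPELINE_REGS(1) - 1;
    end if;
    if IMPLICIT_AFFINE /= "yes" then
      -- affine transformation is done by the S-box itself: one extra step
      cycles := cycles + 1;
    end if;
    return cycles;
  end function;
begin  -- entity state: passive elaboration-time checks on the generics
  -- The architecture slices KeyxDI(i)(127 downto 0) and shifts the 64-bit state
  -- words by SBOX_INSTANCES bits per step, so the generics must match that.
  assert KEY_SIZE = 128
    report "state: only KEY_SIZE = 128 is supported"
    severity failure;
  assert (SBOX_INSTANCES >= 1) and (SBOX_INSTANCES <= 64) and (64 mod SBOX_INSTANCES = 0)
    report "state: SBOX_INSTANCES must be one of 1,2,4,8,16,32,64"
    severity failure;
  -- Any other string is silently treated as "no" by the comparisons below;
  -- warn so that a typo in the configuration does not go unnoticed.
  assert (IMPLICIT_AFFINE = "yes") or (IMPLICIT_AFFINE = "no")
    report "state: IMPLICIT_AFFINE should be ""yes"" or ""no"""
    severity warning;
  assert (PIPELINED = "yes") or (PIPELINED = "no")
    report "state: PIPELINED should be ""yes"" or ""no"""
    severity warning;
end entity state;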
-------------------------------------------------------------------------------
architecture str of state is
  -----------------------------------------------------------------------------
  -- Internal signal declarations
  -----------------------------------------------------------------------------
  -- Overview: the five 64-bit Ascon state words are kept as D+1 Boolean shares
  -- each (D, the shared types and VARIANT are not declared in this file and
  -- are taken from work.ascon_pkg).  A permutation round is sequenced as
  -- ADD_ROUND_CONST -> SBOX_LAYER -> LINEAR_LAYER; the S-box layer is evaluated
  -- column-wise by SBOX_INSTANCES masked S-box instances while the state words
  -- are shifted.  Public values (IV constants, nonce, round constant,
  -- domain-separation bit) are only ever applied to share 0, so the XOR of all
  -- shares still carries them; key and data are shared and applied share-wise.
  -- State registers: *xDN is the combinational next value, *xDP the registered
  -- present value (see register_p)
  signal X0xDN, X1xDN, X2xDN, X3xDN, X4xDN : t_shared_state_var(D downto 0);
  signal X0xDP, X1xDP, X2xDP, X3xDP, X4xDP : t_shared_state_var(D downto 0);
  -- Internal FSM: one state per round phase, IDLE between rounds
  type state_fsm_t is (IDLE, ADD_ROUND_CONST, SBOX_LAYER, LINEAR_LAYER);
  signal StateFSMxDN, StateFSMxDP : state_fsm_t;
  -- Internal control signals
  signal ResetCounterxS : std_logic;  -- reset Sbox counter ('1' in every state but SBOX_LAYER)
  signal SboxCounterxD  : integer range 0 to 127;  -- cycles spent in SBOX_LAYER so far
  -- Signals for Sboxes: one entry per S-box instance, each carrying the D+1
  -- shares of a single state bit (sbox_data_t comes from ascon_pkg)
  signal X0SboxInxD  : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X1SboxInxD  : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X2SboxInxD  : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X3SboxInxD  : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X4SboxInxD  : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X0SboxOutxD : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X1SboxOutxD : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X2SboxOutxD : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X3SboxOutxD : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  signal X4SboxOutxD : sbox_data_t(SBOX_INSTANCES-1 downto 0);
  -- Use generics as logic vectors: these four bytes form the upper half of the
  -- Ascon IV that is loaded into X0 at initialization
  constant CONST_KEY_SIZE : std_logic_vector(7 downto 0) := std_logic_vector(to_unsigned(KEY_SIZE, 8));
  constant CONST_ROUNDS_A : std_logic_vector(7 downto 0) := std_logic_vector(to_unsigned(ROUNDS_A, 8));
  constant CONST_ROUNDS_B : std_logic_vector(7 downto 0) := std_logic_vector(to_unsigned(ROUNDS_B, 8));
  constant CONST_RATE     : std_logic_vector(7 downto 0) := std_logic_vector(to_unsigned(DATA_BLOCK_SIZE, 8));
begin  -- architecture str
  -----------------------------------------------------------------------------
  -- State FSM + control logic
  -----------------------------------------------------------------------------
  -- Combinational next-state logic and control outputs.  Defaults: stay in the
  -- current state, hold the S-box counter in reset, do not advance the round
  -- counter, report busy.  Each branch below only overrides what it needs.
  state_fsm_p : process (DoRoundTransfromationxSI, SboxCounterxD, StateFSMxDP) is
  begin  -- process state_fsm_p
    StateFSMxDN                <= StateFSMxDP;  -- default
    ResetCounterxS             <= '1';
    doIncrementRoundCounterxSO <= '0';
    StateBusyxSO               <= '1';
    -----------------------
    -- State transitions --
    -----------------------
    case StateFSMxDP is
      -- *** IDLE ***: wait for a round request; not busy
      when IDLE =>
        if (DoRoundTransfromationxSI = '1') then
          StateFSMxDN <= ADD_ROUND_CONST;
        end if;
        StateBusyxSO <= '0';  -- ready for next input
      -- *** ADD_ROUND_CONST ***: single cycle, always followed by the S-box layer
      when ADD_ROUND_CONST =>
        StateFSMxDN                <= SBOX_LAYER;
        doIncrementRoundCounterxSO <= '1';  -- RoundCounter + 1
      -- *** SBOX_LAYER ***: stay until all columns went through the S-boxes.
      -- The counter starts at 0 and the test is ">=", so this state lasts
      -- SBOX_COUNTER_MAX + 1 cycles.
      when SBOX_LAYER =>
        -- Implicite affine calculation saves one cycle
        if SboxCounterxD >= SBOX_COUNTER_MAX then
          StateFSMxDN  <= LINEAR_LAYER;
          StateBusyxSO <= '0';  -- ready for next input
        end if;
        ResetCounterxS <= '0';  -- Sbox steps counter + 1 (only counts in this state)
      -- *** LINEAR_LAYER ***
      when LINEAR_LAYER =>
        -- Directly perform state transfromation if already ready
        if (DoRoundTransfromationxSI = '1') then
          StateFSMxDN <= ADD_ROUND_CONST;
        else
          StateFSMxDN <= IDLE;
        end if;
        StateBusyxSO <= '0';  -- ready for next input
    end case;  -- State transitions
  end process state_fsm_p;
  -----------------------------------------------------------------------------
  -- State transformation and data output logic
  -----------------------------------------------------------------------------
  -- Combinational datapath, evaluated once per share i.  The *xDP registers are
  -- read, the *xDN next values, the S-box inputs and the data/tag outputs are
  -- driven.  The share loop goes D downto 0, so share 0 (the only share that
  -- receives public constants) is handled last.
  state_transfromations_p : process (DoInitializeStatexSI, KeyxDI, NoncexDI,
                                     RoundConstxDI, StateFSMxDP, X0SboxOutxD,
                                     X0xDP, X1SboxOutxD, X1xDP, X2SboxOutxD,
                                     X2xDP, X3SboxOutxD, X3xDP, X4SboxOutxD,
                                     X4xDP, FSMxDI, isFirstRoundOfTransformxSI,
                                     addedDomainSeparationxSI, DataxDI,
                                     addedKeyAtInitxSI,isEncryptionxSI) is
    -- For more complex state transfroamtion these variables are used.
    -- Only element i is (re)loaded from the registers in iteration i; the
    -- share-0 tweaks below are therefore only meaningful in the i = 0 pass,
    -- which is also the only pass that writes them back.
    variable X0, X1, X2, X3, X4 : t_shared_state_var(D downto 0);
  begin  -- process state_transfromations_p
    for i in D downto 0 loop
      --default: hold
      X0xDN(i) <= X0xDP(i);
      X1xDN(i) <= X1xDP(i);
      X2xDN(i) <= X2xDP(i);
      X3xDN(i) <= X3xDP(i);
      X4xDN(i) <= X4xDP(i);
      --------------------------
      -- State transformation --
      --------------------------
      case StateFSMxDP is
        -- *** IDLE ***
        when IDLE =>
          -- Initialize state: X0 = IV, X1||X2 = K, X3||X4 = N
          if DoInitializeStatexSI = '1' then
            -- only for first share: IV and nonce are public, so the other
            -- shares of X0, X3 and X4 are set to zero
            if i = 0 then
              X0xDN(0) <= CONST_KEY_SIZE & CONST_RATE & CONST_ROUNDS_A & CONST_ROUNDS_B & ZEROS(32);
              -- Nonce is unshared (public value)
              X3xDN(0) <= NoncexDI(127 downto 64);
              X4xDN(0) <= NoncexDI(63 downto 0);
            else
              X0xDN(i) <= (others => '0');
              X3xDN(i) <= (others => '0');
              X4xDN(i) <= (others => '0');
            end if;
            -- Key is shared: every share of the key goes into its own state share
            X1xDN(i) <= KeyxDI(i)(127 downto 64);
            X2xDN(i) <= KeyxDI(i)(63 downto 0);
          end if;
        -- *** ADD_ROUND_CONST ***: constant addition, data absorption, key and
        -- domain-separation additions, optionally the S-box input affine layer
        when ADD_ROUND_CONST =>
          -- default
          X0(i) := X0xDP(i);
          X1(i) := X1xDP(i);
          X2(i) := X2xDP(i);
          X3(i) := X3xDP(i);
          X4(i) := X4xDP(i);
          -- add round constant to X2: the 4-bit RoundConstxDI is expanded to
          -- the byte (not rc)||rc (e.g. "0000" -> x"F0"); share 0 only
          X2(0)(7 downto 0) := X2(0)(7 downto 0) xor (not RoundConstxDI & RoundConstxDI);
          -- add Associated data or PT or replace with CT
          if isFirstRoundOfTransformxSI = '1' then  -- first round?
            -- XOR when associated data or PT (absorb)
            if FSMxDI = ASSOCIATED_DATA or
              ((FSMxDI = PTCT_DATA or FSMxDI = FINALIZE) and isEncryptionxSI = '1') then
              if (VARIANT = Ascon128) then  -- Ascon128: 64-bit rate -> X0 only
                X0(i) := X0(i) xor DataxDI(i);
              else                          -- 128-bit rate -> X0||X1
                X0(i) := X0(i) xor DataxDI(i)(127 downto 64);
                X1(i) := X1(i) xor DataxDI(i)(63 downto 0);
              end if;
            -- Replace when CT (decryption overwrites the rate with the ciphertext)
            elsif (FSMxDI = PTCT_DATA or FSMxDI = FINALIZE) and isEncryptionxSI = '0' then
              if (VARIANT = Ascon128) then  -- Ascon128
                X0(i) := DataxDI(i);
              else
                X0(i) := DataxDI(i)(127 downto 64);
                X1(i) := DataxDI(i)(63 downto 0);
              end if;
            end if;
          end if;
          -- add 0*||K after init (once, signalled by addedKeyAtInitxSI = '0')
          if (addedKeyAtInitxSI = '0') and (isFirstRoundOfTransformxSI = '1') then
            X3(i) := X3(i) xor KeyxDI(i)(127 downto 64);
            X4(i) := X4(i) xor KeyxDI(i)(63 downto 0);
          end if;
          -- add 0*||1 when processing first plaintext/ciphertext (domain separation)
          if (FSMxDI = PTCT_DATA or FSMxDI = FINALIZE) and
            addedDomainSeparationxSI = '0' and isFirstRoundOfTransformxSI = '1' then
            -- invert only last bit of first share (public constant)
            X4(0)(0) := X4(0)(0) xor '1';
          end if;
          -- add K||0* when doing finalization; RoundConstxDI = "0000" (round
          -- constant x"F0") presumably marks the first round of the final
          -- permutation -- confirm against the round-counter logic
          if (FSMxDI = FINALIZE) and (RoundConstxDI = "0000") then
            if (VARIANT = Ascon128) then  -- Ascon128: key lands on X1||X2
              X1(i) := X1(i) xor KeyxDI(i)(127 downto 64);
              X2(i) := X2(i) xor KeyxDI(i)(63 downto 0);
            else                          -- Ascon128a: key lands on X2||X3
              X2(i) := X2(i) xor KeyxDI(i)(127 downto 64);
              X3(i) := X3(i) xor KeyxDI(i)(63 downto 0);
            end if;
          end if;
          -- do affine transformation from Sbox: the S-box's input XORs are
          -- linear, so they can be applied here share by share and skipped
          -- inside the S-box instances (SKIP_AFFINE generic below)
          if (IMPLICIT_AFFINE = "yes") then
            X0(i) := X0(i) xor X4(i);
            X2(i) := X2(i) xor X1(i);
            X4(i) := X4(i) xor X3(i);
          end if;
          -- Write back variables
          X0xDN(i) <= X0(i);
          X1xDN(i) <= X1(i);
          X2xDN(i) <= X2(i);
          X3xDN(i) <= X3(i);
          X4xDN(i) <= X4(i);
        -- *** SBOX_LAYER ***: every cycle the state words are shifted right by
        -- SBOX_INSTANCES bits and the S-box results for the columns fed in
        -- earlier (see "Sbox input" below) are inserted at the top.  After
        -- 64/SBOX_INSTANCES shifts every column has passed through; the extra
        -- cycles in SBOX_COUNTER_MAX presumably cover the S-box latency.
        when SBOX_LAYER =>
          -- Shift state right according to number of sboxes in parallel
          for bit_index in 63 downto 0 loop
            -- Shift in bits from state
            if bit_index < (64-SBOX_INSTANCES) then
              X0xDN(i)(bit_index) <= X0xDP(i)(bit_index + SBOX_INSTANCES);
              X1xDN(i)(bit_index) <= X1xDP(i)(bit_index + SBOX_INSTANCES);
              X2xDN(i)(bit_index) <= X2xDP(i)(bit_index + SBOX_INSTANCES);
              X3xDN(i)(bit_index) <= X3xDP(i)(bit_index + SBOX_INSTANCES);
              X4xDN(i)(bit_index) <= X4xDP(i)(bit_index + SBOX_INSTANCES);
            else
              -- Shift in bits from sboxes
              X0xDN(i)(bit_index) <= X0SboxOutxD(bit_index - 64 + SBOX_INSTANCES)(i);
              X1xDN(i)(bit_index) <= X1SboxOutxD(bit_index - 64 + SBOX_INSTANCES)(i);
              X2xDN(i)(bit_index) <= X2SboxOutxD(bit_index - 64 + SBOX_INSTANCES)(i);
              X3xDN(i)(bit_index) <= X3SboxOutxD(bit_index - 64 + SBOX_INSTANCES)(i);
              X4xDN(i)(bit_index) <= X4SboxOutxD(bit_index - 64 + SBOX_INSTANCES)(i);
            end if;
          end loop;
        -- *** LINEAR_LAYER ***: Ascon's word-wise linear diffusion
        -- x xor rot(x, a) xor rot(x, b); linear, hence applied per share
        when LINEAR_LAYER =>
          X0xDN(i) <= X0xDP(i) xor ROTATE_STATE_WORD(X0xDP(i), 19) xor ROTATE_STATE_WORD(X0xDP(i), 28);
          X1xDN(i) <= X1xDP(i) xor ROTATE_STATE_WORD(X1xDP(i), 61) xor ROTATE_STATE_WORD(X1xDP(i), 39);
          X2xDN(i) <= X2xDP(i) xor ROTATE_STATE_WORD(X2xDP(i), 1) xor ROTATE_STATE_WORD(X2xDP(i), 6);
          X3xDN(i) <= X3xDP(i) xor ROTATE_STATE_WORD(X3xDP(i), 10) xor ROTATE_STATE_WORD(X3xDP(i), 17);
          X4xDN(i) <= X4xDP(i) xor ROTATE_STATE_WORD(X4xDP(i), 7) xor ROTATE_STATE_WORD(X4xDP(i), 41);
      end case;  -- State transitions
      ----------------
      -- Sbox input --
      ----------------
      -- Input of Sboxes is always the LSB's of the state shares: S-box sbox_i
      -- always sees column sbox_i of the (shifted) state, in every FSM state
      for sbox_i in SBOX_INSTANCES-1 downto 0 loop
        X0SboxInxD(sbox_i)(i) <= X0xDP(i)(sbox_i);
        X1SboxInxD(sbox_i)(i) <= X1xDP(i)(sbox_i);
        X2SboxInxD(sbox_i)(i) <= X2xDP(i)(sbox_i);
        X3SboxInxD(sbox_i)(i) <= X3xDP(i)(sbox_i);
        X4SboxInxD(sbox_i)(i) <= X4xDP(i)(sbox_i);
      end loop;
      -------------------------------
      -- Data and Tag output logic --
      -------------------------------
      -- Data can be read in ADD_ROUND_CONST state
      -- or during READ_TAG state when last transfromation was done
      if ((isFirstRoundOfTransformxSI = '1') and (StateFSMxDP = ADD_ROUND_CONST)) or
        ((StateFSMxDP = IDLE) and (FSMxDI = READ_TAG)) then
        DataReadyxSO <= '1';
      else
        DataReadyxSO <= '0';
      end if;
      -- Data output: rate part of the state XOR the input block, share-wise.
      -- Driven in every cycle; only meaningful while DataReadyxSO = '1'.
      if (VARIANT = Ascon128) then
        DataxDO(i) <= X0xDP(i) xor DataxDI(i);
      else
        DataxDO(i) <= (X0xDP(i) & X1xDP(i)) xor DataxDI(i);
      end if;
      -- Tag output: shared tag = (X3||X4) xor K, per share; unmasking is left
      -- to the consumer of TagxDO
      TagxDO(i) <= (X3xDP(i) & X4xDP(i)) xor KeyxDI(i);
    end loop;  -- i
  end process state_transfromations_p;
  -----------------------------------------------------------------------------
  -- Generate S-boxes
  -----------------------------------------------------------------------------
  -- SBOX_INSTANCES masked S-box instances, each fed with its own slice of the
  -- fresh randomness Z0..Z4 and the D+1 shares of one state column.
  -- NOTE(review): the masking argument relies on Z*xDI being fresh whenever
  -- the S-boxes process sensitive data -- that must be guaranteed by the
  -- randomness source outside this file.
  generate_sboxes_g: for sbox_i in SBOX_INSTANCES-1 downto 0 generate
    generated_sbox: entity work.sbox
      generic map (
        SKIP_AFFINE => IMPLICIT_AFFINE,
        PIPELINED   => PIPELINED)
      port map (
        ClkxCI => ClkxCI,
        RstxBI => RstxBI,
        X0xDI  => X0SboxInxD(sbox_i),
        X1xDI  => X1SboxInxD(sbox_i),
        X2xDI  => X2SboxInxD(sbox_i),
        X3xDI  => X3SboxInxD(sbox_i),
        X4xDI  => X4SboxInxD(sbox_i),
        Z0xDI  => Z0xDI(sbox_i),
        Z1xDI  => Z1xDI(sbox_i),
        Z2xDI  => Z2xDI(sbox_i),
        Z3xDI  => Z3xDI(sbox_i),
        Z4xDI  => Z4xDI(sbox_i),
        X0xDO  => X0SboxOutxD(sbox_i),
        X1xDO  => X1SboxOutxD(sbox_i),
        X2xDO  => X2SboxOutxD(sbox_i),
        X3xDO  => X3SboxOutxD(sbox_i),
        X4xDO  => X4SboxOutxD(sbox_i));
  end generate generate_sboxes_g;
  -----------------------------------------------------------------------------
  -- Register processes
  -----------------------------------------------------------------------------
  -- State and FSM registers, asynchronous active-low reset.  The reset branch
  -- sits inside the share loop, so StateFSMxDP is assigned D+1 times per
  -- activation (same value each time; harmless).
  -- NOTE(review): the state shares (which hold key material after
  -- initialization) are only cleared by RstxBI, never at the end of an
  -- operation -- confirm whether the surrounding design handles this.
  register_p : process (ClkxCI, RstxBI) is
  begin  -- process register_p
    for i in D downto 0 loop
      if RstxBI = '0' then              -- asynchronous reset (active low)
        X0xDP(i)    <= (others => '0');
        X1xDP(i)    <= (others => '0');
        X2xDP(i)    <= (others => '0');
        X3xDP(i)    <= (others => '0');
        X4xDP(i)    <= (others => '0');
        StateFSMxDP <= IDLE;
      elsif ClkxCI'event and ClkxCI = '1' then  -- rising clock edge
        X0xDP(i)    <= X0xDN(i);
        X1xDP(i)    <= X1xDN(i);
        X2xDP(i)    <= X2xDN(i);
        X3xDP(i)    <= X3xDN(i);
        X4xDP(i)    <= X4xDN(i);
        StateFSMxDP <= StateFSMxDN;
      end if;
    end loop;  -- i
  end process register_p;
  -----------------------------------------------------------------------------
  -- S-box steps counter
  -----------------------------------------------------------------------------
  -- Counts the cycles spent in SBOX_LAYER; held at 0 by ResetCounterxS in all
  -- other FSM states.
  -- NOTE(review): ResetCounterxS is a combinational output of state_fsm_p and
  -- is used here as an asynchronous reset, so glitches on it can clear the
  -- counter; a synchronous clear would be the safer form -- confirm with the
  -- synthesis constraints.  Also confirm that SBOX_COUNTER_MAX stays below the
  -- declared range (0 to 127) for every configuration (SBOX_INSTANCES = 1 with
  -- the LOW_RANDOMNESS variant is the worst case).
  sbox_counter_p: process (ClkxCI, ResetCounterxS, RstxBI) is
  begin  -- process sbox_counter_p
    if RstxBI = '0' or ResetCounterxS = '1' then  -- asynchronous reset (active low)
      SboxCounterxD <= 0;
    elsif ClkxCI'event and ClkxCI = '1' then  -- rising clock edge
      SboxCounterxD <= SboxCounterxD + 1;
    end if;
  end process sbox_counter_p;
end architecture str;
-------------------------------------------------------------------------------