
[crypto/otbn/sca] ecc256 device software for SCA #17273

Closed
wants to merge 28 commits into from

Conversation

wettermo
Contributor

This PR is related to lowRISC/ot-sca#115 in the ot-sca repository.

I fetched previous work from @jadephilipoom on ecc256 keygen and sign, which contains device software for SCA.
On top of that I edited the ecc256 keygen serial file to split loading of OTBN IMEM and DMEM, as discussed in the SCA WG meeting. This speeds up trace capture by ca. 10%.
In the future, when capturing traces for ecc256 sign, this modification probably has to be repeated.

jadephilipoom and others added 28 commits February 10, 2023 10:57
This is part of a large-scale hardening of ECDSA scalars; all procedures
using k will be modified to accept the extra redundant bits.

Signed-off-by: Jade Philipoom <[email protected]>
Modify the test to randomize k so that handling of the new extra bits is
tested.

Signed-off-by: Jade Philipoom <[email protected]>
Change the way the modular inverse of k is computed; rather than simply
operate on k in plaintext, first multiply k with a random scalar alpha,
compute the inverse (k * alpha)^-1, and multiply by alpha again to get
k^-1.

Signed-off-by: Jade Philipoom <[email protected]>
Similarly to k, all routines handling d will be modified to handle extra
redundant bits.

Signed-off-by: Jade Philipoom <[email protected]>
Randomize first share of d so that the handling of new extra bits is tested.

Signed-off-by: Jade Philipoom <[email protected]>
Randomize both shares of scalars d and k in ECDSA sign test, not just
the first share, to increase test coverage.

Signed-off-by: Jade Philipoom <[email protected]>
Remove some instructions that turn out to be unnecessary due to
bn.mulqacc setting the M flag.

Signed-off-by: Jade Philipoom <[email protected]>
Update the cryptolib implementation and the SCA P-256 code to match new,
longer P-256 scalar inputs.

Also adjust all I/O buffers for scalars to have 512 bits so that reads
don't produce runtime errors (since a 320-bit load on OTBN must be a
512-bit load).

Signed-off-by: Jade Philipoom <[email protected]>
In preparation for changing scalar_mult_int to handle longer scalars,
reduce the register pressure in the inner loop.

Signed-off-by: Jade Philipoom <[email protected]>
Change the scalar_mult_int subroutine for ECDSA-P256 to support 320-bit
hardened scalars.

Signed-off-by: Jade Philipoom <[email protected]>
Modify the P-256 random scalar generation routine to produce extra-long
scalars.

Signed-off-by: Jade Philipoom <[email protected]>
Split loading of OTBN IMEM and DMEM from Ibex side. OTBN app is
loaded for every trace, but only DMEM is really needed.
This speeds up trace capture.

Signed-off-by: Moritz Wettermann <[email protected]>
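The blinded inversion and redundant-bit scalar handling described in the commit messages above, worked through in Python as an added example (this is not the OTBN assembly from the PR or from the OpenTitan project). `P256_ORDER` is the public order of the P-256 base point; the 64-bit redundancy width, the function names and the two-share representation are assumptions made for this example, chosen to match the 320-bit scalars and the share randomization the commits mention:

```python
import secrets

# Order n of the NIST P-256 base point: a public curve constant.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Extra bits carried by the hardened scalars (256 + 64 = 320 bits).
# The split of 64 redundant bits is an assumption for this example,
# chosen to match the 320-bit width named in the commit messages.
REDUNDANT_BITS = 64


def add_redundancy(k: int, n: int = P256_ORDER) -> int:
    """Re-encode k as k + m*n for a random 64-bit m.

    The result is congruent to k mod n but is up to 320 bits wide and is
    not a unique encoding of k, so every consumer must reduce mod n
    before using it (which is why all k- and d-handling routines change).
    """
    m = secrets.randbits(REDUNDANT_BITS)
    return k + m * n


def blinded_inverse(k: int, n: int = P256_ORDER) -> int:
    """Compute k^-1 mod n without running the inversion on k itself.

    Multiply k by a random alpha in [1, n-1], invert the product, then
    multiply by alpha again: (k*alpha)^-1 * alpha == k^-1 (mod n).
    The inversion routine therefore only ever sees the blinded value.
    A redundant (k + m*n) encoding is accepted, since we reduce first.
    """
    if k % n == 0:
        raise ValueError("k has no inverse mod n")
    alpha = 1 + secrets.randbelow(n - 1)      # alpha in [1, n-1]
    blinded = (k * alpha) % n                 # reduces a redundant k too
    inv_blinded = pow(blinded, -1, n)         # (k*alpha)^-1 mod n
    return (inv_blinded * alpha) % n          # unblind: k^-1 mod n


def split_shares(x: int, n: int = P256_ORDER) -> tuple:
    """Split x into two additive shares with x0 + x1 == x (mod n).

    Randomizing both shares (not just the first) is what the sign test
    commit above does to exercise every share-handling path.
    """
    x0 = secrets.randbelow(n)
    x1 = (x - x0) % n
    return x0, x1


def combine_shares(x0: int, x1: int, n: int = P256_ORDER) -> int:
    """Recombine two additive shares mod n."""
    return (x0 + x1) % n


def check_inverse(k: int, n: int = P256_ORDER) -> bool:
    """Cross-check: the blinded inverse of a redundant encoding of k must
    satisfy k * k^-1 == 1 (mod n) and equal the direct inverse."""
    k_red = add_redundancy(k, n)
    inv = blinded_inverse(k_red, n)
    return (k * inv) % n == 1 and inv == pow(k, -1, n)


if __name__ == "__main__":
    k = 1 + secrets.randbelow(P256_ORDER - 1)
    print("blinded inverse consistent:", check_inverse(k))
```

The check at the end is the property a test vector for this change should assert: whatever random `alpha` and redundancy multiplier `m` were drawn, the unblinded result must be the unique inverse of `k` mod `n`. Note that `pow(x, -1, n)` requires Python 3.8 or later.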
@wettermo wettermo requested a review from a team as a code owner February 13, 2023 10:06
@wettermo wettermo removed the request for review from a team February 13, 2023 10:06
@wettermo
Contributor Author

After consultation with @jadephilipoom, this PR doesn't make any sense, as #16953 already contains a lot of code which is also in this PR.
I'll merge my modifications into Jade's OT fork so that she can open another PR into the lowrisc repository.

@wettermo wettermo closed this Feb 13, 2023
@wettermo wettermo deleted the p256-key-from-seed-sca branch February 27, 2023 09:56