[Cryptech Tech] SHA-3 and Ed25519

Bernd Paysan bernd at net2o.de
Fri Mar 6 01:17:39 UTC 2015


On Thursday, 5 March 2015, 15:13:33, Bernd Paysan wrote:
> > Bernd:
> > Have you implemented SHA-3 in HW?
> 
> That's pretty easy, I'm going to submit something soon.

Ok, done.  The block has been tested using Quartus 13.1 on the DE1 board.  
Integration should be fairly easy, I prepared for the typical register access.

You can set the input of the sponge function, which will be xored with the 
state at the start of the diffusion.  Useful commands are

'h02: set state to zero (2 is "zero rounds of diffusion, set state to 0")
'hC3: set state to state ^ input and perform the standard 24 rounds.

and the command input should go away before ready goes high (otherwise, the 
next diffusion is triggered).

For debugging reasons, the number of rounds is selectable ("sponge" function 
input [7:3] is the round counter), so you can do just one or two rounds if you 
like.  The ready signal goes high when diffusion is over.

I've tested it using Keccak's standard small test bench, which is

"SX{9" at the start of 128 bytes, and $80 as last byte as input.

The actual and expected result of the first 64 bit of state after diffusion is 
0x466624B803BF072F.  Then, the input is cleared (all k_in=0), and three 
further diffusions (24 rounds) are performed.  The actual and expected results 
of the first 64 bits of state (little endian) are

0x993340D7F9153F02
0x6EAAAE36BE8E36D3
0x1B4AEC08DA6A8BA6

The synthesis report gives me 5161 LUTs and 1610 registers.  1600 of those 
LUTs are just to implement the input^state thing, which seems a bit obsessive 
to me.  If I didn't do input^state to facilitate hashing, but just state <= 
input, I would use only ~3500 LUTs.  Maybe using a direct bus input could 
remove that overhead; I'll try tomorrow (so you would have two register 
addresses writing to each 32 bit word of the state, one would give you a 
direct write, the other an xor).

The implementation is derived from "readable Keccak", in such a way that you 
can just take your readable keccak source and audit that I'm doing the same.

https://github.com/coruus/saarinen-keccak/blob/master/readable_keccak/keccak.c

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keccak.v
Type: text/x-verilog
Size: 4930 bytes
Desc: not available
URL: <https://lists.cryptech.is/archives/tech/attachments/20150306/26ea4577/attachment.bin>
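Added example (the editor's own Python, not the attached keccak.v or readable_keccak): a software model of the register-level operations the post describes, i.e. zero the state, xor an input block into the state and run the 24 (or fewer, for debugging) rounds, and run again with the input cleared to squeeze further lanes. The reduced-round case is assumed to run the last `rounds` of the 24, as Keccak-p does; the post does not say how the Verilog block indexes them. A pad-and-absorb wrapper on top lets the model be checked against the published Keccak-256 and SHA3-256 vectors.

```python
# Added example (editor's own code), not the Verilog block or readable_keccak.
MASK = (1 << 64) - 1
def _rol(v, n):  # rotate a 64-bit lane left by n bits
    return ((v << n) | (v >> (64 - n))) & MASK if n else v

def _rc_bits():  # Keccak's 8-bit LFSR (x^8+x^6+x^5+x^4+1); yields rc(t), t = 0, 1, ...
    r = 1
    while True:
        yield r & 1
        r = (r << 1) ^ (0x171 if r & 0x80 else 0)
_bits = [b for _, b in zip(range(7 * 24), _rc_bits())]
RC = [sum(_bits[j + 7 * i] << ((1 << j) - 1) for j in range(7)) for i in range(24)]
ROT, (x, y) = [[0] * 5 for _ in range(5)], (1, 0)
for t in range(24):  # rotation offsets from the (x, y) -> (y, 2x+3y) walk
    ROT[x][y], (x, y) = ((t + 1) * (t + 2) // 2) % 64, (y, (2 * x + 3 * y) % 5)

def keccak_f1600(s, rounds=24):
    # rounds < 24 mirrors the block's debug round counter; assumed here to be
    # the last `rounds` of the 24 (Keccak-p convention), the post does not say.
    for ir in range(24 - rounds, 24):
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                     # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                       # rho, pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], ROT[x][y])
        s = [b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]                   # chi
        s[0] ^= RC[ir]                                               # iota
    return s

def diffuse(state, block=b"", rounds=24):
    # command 'hC3: state ^= input (little-endian lanes), then the rounds;
    # block=b"" is the "input cleared, all k_in=0" case used to squeeze more output.
    block = block.ljust(200, b"\0")
    state = [l ^ int.from_bytes(block[8 * i:8 * i + 8], "little") for i, l in enumerate(state)]
    return keccak_f1600(state, rounds)

def keccak_hash(data, rate=136, pad=0x01, outlen=32):
    # pad=0x01 is original Keccak, pad=0x06 is SHA-3; outlen must be <= rate.
    state = [0] * 25                                                 # command 'h02
    for off in range(0, len(data) + 1, rate):
        blk = bytearray(data[off:off + rate])
        if len(blk) < rate:                                          # pad10*1, 0x80 last
            blk += bytes([pad]) + b"\0" * (rate - len(blk) - 1)
            blk[-1] |= 0x80
        state = diffuse(state, bytes(blk))
    return b"".join(l.to_bytes(8, "little") for l in state)[:outlen]
```

Feeding the post's 128-byte test block (with $80 as its last byte) into `diffuse([0] * 25, block)` and reading `state[0]` reproduces the register-level check the post describes; the wrapper's vectors below are the published empty-message digests.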

