[Cryptech Tech] NaCL in hardware
Joachim Strömbergson
joachim at secworks.se
Thu Oct 1 13:08:19 UTC 2015
Aloha!
Pavel Shatov wrote:
> I agree, that DSP slices in Spartan-6 are fairly complex, but they
> are not black boxes, Xilinx offers a user guide, that describes
> their internal structure and modes of operation:
>
> http://www.xilinx.com/support/documentation/user_guides/ug389.pdf
Well, depending on the amount of tinfoil you have on, having the user
guide available for the macro does not make its albedo much brighter.
To be fair, all macros inside the FPGA are to some extent black boxes -
slices, memories, I/Os, DSPs, hard CPU cores.
But the less generic and more complex, the more possibilities for
undocumented functions and side effects. So using slices is ok,
multipliers probably also (but adjusting for side channel leakage
becomes harder). A complete hard MCU, probably not.
This is similar to why we want to use as generic MCUs with as little
kitchen appliances as possible. And why we (imho) rather use a normal
RAM memory for MKM instead of those specially designed MKM chips no
matter how nifty and well documented they are. No source, then it is not
very white.
I totally agree that for reaching the performance needed we need to use
the multiplier macros. The modexp performance is a testament to why.
What I would prefer is that multipliers are inferred from fairly generic
code like what you wrote:
> always @(posedge clk) c[63:0] <= a[31:0] * b[31:0];
Not by instantiating a specific, technology dependent macro. Esp. if
explicit instantiation implies that we use one source file for building
the FPGA and a separate file (supplied by the vendor) for simulations.
This would also allow us to have our own code with our own license only.
Right now we have several files in our source tree that Xilinx owns.
Having to add attributes in the code (like (*
equivalent_register_removal = "no" *) in the rosc entropy source) or by
setting constraints in a constraints file in order to help a specific
tool do the correct mapping is also fine by me. UG687 seems to be a good
document for this:
http://www.xilinx.com/support/documentation/sw_manuals/xilinx13_3/xst_v6s6.pdf
> Fun fact is that depending on current phase of moon (or weather on
> Mars), ISE may eventually understand that your generic wrapper is a
> multiplier and still shove in DSP slice during synthesis without
> explicitly telling you. Default implementation strategy has "Use DSP
> Block" option set to "auto", and I think, very few people know for
> sure, how exactly this "auto" works.
According to UG687, you can use that flag to force it to use DSP
multipliers too. As long as the code is written in the correct way.
For some parts of the design, typically clocks and external interfaces,
it is really hard to avoid using vendor macros and code and that we have
to accept.
--
Med vänlig hälsning, Yours
Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
Joachim Strömbergson Secworks AB joachim at secworks.se
========================================================================
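
The approach argued for in the message above, as an added example that is not part of the original post or of the Cryptech source tree: a multiplier inferred from generic Verilog, with the tool-specific mapping hint kept as an attribute and a self-checking testbench that needs no vendor simulation model. The module, signal and test-vector names are hypothetical, and the `use_dsp48` attribute name is an assumption to be checked against UG687.

```verilog
// Added example, not Cryptech code; module and signal names are hypothetical.
// Generic 32x32 -> 64 bit multiplier with no vendor primitive instantiated,
// so the same file feeds the synthesis tool and any Verilog simulator.
module mult32x32 (
    input  wire        clk,
    input  wire [31:0] a,
    input  wire [31:0] b,
    output wire [63:0] c
);
  reg [31:0] a_reg, b_reg;
  // Tool-specific mapping hint kept as an attribute; the logic stays generic.
  // Attribute name assumed from the XST documentation; check it against UG687.
  (* use_dsp48 = "yes" *)
  reg [63:0] p_reg;

  always @(posedge clk) begin
    a_reg <= a;              // input registers
    b_reg <= b;
    p_reg <= a_reg * b_reg;  // inferred multiplier; result appears 2 cycles later
  end
  assign c = p_reg;
endmodule

// Self-checking testbench in standard Verilog only. Test vectors are constructed.
module tb_mult32x32;
  reg         clk = 1'b0;
  reg  [31:0] a, b;
  wire [63:0] c;
  integer     errors = 0;

  mult32x32 dut (.clk(clk), .a(a), .b(b), .c(c));
  always #5 clk = ~clk;

  task check(input [31:0] x, input [31:0] y);
    begin
      a = x; b = y;
      repeat (2) @(posedge clk);  // wait out the two register stages
      #1;
      if (c !== {32'h0, x} * {32'h0, y}) errors = errors + 1;
    end
  endtask

  initial begin
    check(32'h0000_0000, 32'hffff_ffff);
    check(32'hffff_ffff, 32'hffff_ffff);  // largest product, exercises all 64 bits
    check(32'hdead_beef, 32'h0000_0002);
    $display("mismatches: %0d", errors);
    $finish;
  end
endmodule
```

The synthesis report still has to be read to confirm which resource the multiplier was mapped to.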