[aes] Clarify that the use of both masked Canright S-Boxes is discouraged
It is widely known that both these S-Boxes suffer from SCA leakage; they
cannot be made to pass formal analysis in transient mode. This commit
corrects comments around this fact and makes clear that they are
included just for reference.
Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
diff --git a/hw/ip/aes/rtl/aes_sbox_canright_masked.sv b/hw/ip/aes/rtl/aes_sbox_canright_masked.sv
index c80d39c..db93d14 100644
--- a/hw/ip/aes/rtl/aes_sbox_canright_masked.sv
+++ b/hw/ip/aes/rtl/aes_sbox_canright_masked.sv
@@ -13,8 +13,8 @@
// vulnerable to higher-order differential side-channel analysis, but it remains secure against
// first-order attacks. This implementation is commonly referred to as THE Canright Masked SBox.
//
-// A formal analysis using REBECCA (static mode) shows that this implementation is not secure.
-// It is thus recommended to use the "noreuse" variant of the masked Canright S-Box.
+// A formal analysis using REBECCA (stable and transient mode) shows that this implementation is
+// not secure. It's usage is thus discouraged. It's included here mainly for reference.
//
// For details on the REBECCA tool, see the following paper:
// Bloem, "Formal verification of masked hardware implementations in the presence of glitches"
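Review bot: "It's usage" on the second added line should be "Its usage" (possessive, no apostrophe), and the same line could read "Its use is thus discouraged; it is included here mainly for reference." to avoid the double contraction. Separately, the unchanged context two lines above still states "it remains secure against first-order attacks", which now sits directly next to "this implementation is not secure"; consider qualifying the earlier sentence (e.g. "in the absence of glitches, according to the original paper") so the header does not contradict itself.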
diff --git a/hw/ip/aes/rtl/aes_sbox_canright_masked_noreuse.sv b/hw/ip/aes/rtl/aes_sbox_canright_masked_noreuse.sv
index 9ba08f9..20b2f02 100644
--- a/hw/ip/aes/rtl/aes_sbox_canright_masked_noreuse.sv
+++ b/hw/ip/aes/rtl/aes_sbox_canright_masked_noreuse.sv
@@ -9,9 +9,11 @@
// available at https://eprint.iacr.org/2009/011.pdf
//
// Note: This module implements the original masked inversion algorithm without re-using masks.
-// For details, see Section 2.2 of the paper. In addition, a formal analysis using REBECCA (static
+// For details, see Section 2.2 of the paper. In addition, a formal analysis using REBECCA (stable
// mode) shows that the intermediate masks cannot be created by re-using bits from the input and
-// output masks. Instead, fresh random bits need to be used for these intermediate masks.
+// output masks. Instead, fresh random bits need to be used for these intermediate masks. Still,
+// the implmentation cannot be made to pass formal analysis in transient mode. It's usage is thus
+// discouraged. It's included here mainly for reference.
//
// For details on the REBECCA tool, see the following paper:
// Bloem, "Formal verification of masked hardware implementations in the presence of glitches"
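Review bot: typo "implmentation" on the added line should be "implementation", and "It's usage" should be "Its usage" (same fix as in aes_sbox_canright_masked.sv). It would also help the reader if the sentence stated which mode the fresh-randomness result applies to, since the preceding sentence now says "(stable mode)" and the new one says "transient mode"; e.g. "Still, even with fresh intermediate masks, the implementation cannot be made to pass formal analysis in transient mode."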