hw/ip/prim/rtl/prim_subst_perm.sv - 3p/lowrisc/opentitan - Git at Google

 // Copyright lowRISC contributors.
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 //
 // This is a simple data diffusion primitive that is constructed in a similar fashion
 // as the PRESENT cipher (i.e. it uses a substitution/permutation network). Note however
 // that this is **not** cryptographically secure. The main purpose of this primitive is to
 // provide a cheap diffusion mechanism for arbitrarily sized vectors.
 //
 // See also: prim_prince, prim_present, prim_cipher_pkg

 module prim_subst_perm #(
   parameter int DataWidth = 64,
   parameter int NumRounds = 31,
   parameter bit Decrypt   = 0    // 0: encrypt, 1: decrypt
 ) (
   input        [DataWidth-1:0] data_i,
   input        [DataWidth-1:0] key_i,
   output logic [DataWidth-1:0] data_o
 );

   //////////////
   // datapath //
   //////////////

   // The "split_var" hint that we pass to verilator here tells it to schedule the different parts of
   // data_state separately. This avoids an UNOPTFLAT error where it would otherwise see a dependency
   // chain
   //
   //    data_state -> data_state_sbox -> data_state
   //
   logic [NumRounds:0][DataWidth-1:0] data_state /* verilator split_var */;

   // initialize
   assign data_state[0] = data_i;

   for (genvar r = 0; r < NumRounds; r++) begin : gen_round
     logic [DataWidth-1:0] data_state_sbox, data_state_flipped;
     ////////////////////////////////
     // decryption pass, performs inverse permutation and sbox
     if (Decrypt) begin : gen_dec
       always_comb begin : p_dec
         data_state_sbox = data_state[r] ^ key_i;
         // Reverse odd/even grouping
         data_state_flipped = data_state_sbox;
         for (int k = 0; k < DataWidth/2; k++) begin
           data_state_flipped[k * 2]     = data_state_sbox[k];
           data_state_flipped[k * 2 + 1] = data_state_sbox[k + DataWidth/2];
         end
         // Flip vector
         for (int k = 0; k < DataWidth; k++) begin
           data_state_sbox[DataWidth - 1 - k] = data_state_flipped[k];
         end
         // Inverse SBox layer
         for (int k = 0; k < DataWidth/4; k++) begin
           data_state_sbox[k*4 +: 4] = prim_cipher_pkg::PRESENT_SBOX4_INV[data_state_sbox[k*4 +: 4]];
         end
         data_state[r + 1] = data_state_sbox;
       end
     ////////////////////////////////
     // encryption pass
     end else begin : gen_enc
       always_comb begin : p_enc
         data_state_sbox = data_state[r] ^ key_i;
         // This SBox layer is aligned to nibbles, so the uppermost bits may not be affected by this.
         // However, the permutation below ensures that these bits get shuffled to a different
         // position when performing multiple rounds.
         for (int k = 0; k < DataWidth/4; k++) begin
           data_state_sbox[k*4 +: 4] = prim_cipher_pkg::PRESENT_SBOX4[data_state_sbox[k*4 +: 4]];
         end
         // Flip the vector to move the MSB positions into the LSB positions
         for (int k = 0; k < DataWidth; k++) begin
           data_state_flipped[DataWidth - 1 - k] = data_state_sbox[k];
         end
         // Regroup bits such that all even indices are stacked up first, followed by all odd
         // indices. Note that if the Width is odd, this is still ok, since
         // the uppermost bit just stays in place in that case.
         data_state_sbox = data_state_flipped;
         for (int k = 0; k < DataWidth/2; k++) begin
           data_state_sbox[k]               = data_state_flipped[k * 2];
           data_state_sbox[k + DataWidth/2] = data_state_flipped[k * 2 + 1];
         end
         data_state[r + 1] = data_state_sbox;
       end
     end // gen_enc
     ////////////////////////////////
   end // gen_round

   // finalize
   assign data_o = data_state[NumRounds] ^ key_i;

 endmodule : prim_subst_perm
	// Copyright lowRISC contributors.
	// Licensed under the Apache License, Version 2.0, see LICENSE for details.
	// SPDX-License-Identifier: Apache-2.0
	//
	// This is a simple data diffusion primitive that is constructed in a similar fashion
	// as the PRESENT cipher (i.e. it uses a substitution/permutation network). Note however
	// that this is not cryptographically secure. The main purpose of this primitive is to
	// provide a cheap diffusion mechanism for arbitrarily sized vectors.
	//
	// See also: prim_prince, prim_present, prim_cipher_pkg

	module prim_subst_perm #(
	parameter int DataWidth = 64,
	parameter int NumRounds = 31,
	parameter bit Decrypt = 0 // 0: encrypt, 1: decrypt
	) (
	input [DataWidth-1:0] data_i,
	input [DataWidth-1:0] key_i,
	output logic [DataWidth-1:0] data_o
	);

	//////////////
	// datapath //
	//////////////

	// The "split_var" hint that we pass to verilator here tells it to schedule the different parts of
	// data_state separately. This avoids an UNOPTFLAT error where it would otherwise see a dependency
	// chain
	//
	// data_state -> data_state_sbox -> data_state
	//
	logic [NumRounds:0][DataWidth-1:0] data_state /* verilator split_var */;

	// initialize
	assign data_state[0] = data_i;

	for (genvar r = 0; r < NumRounds; r++) begin : gen_round
	logic [DataWidth-1:0] data_state_sbox, data_state_flipped;
	////////////////////////////////
	// decryption pass, performs inverse permutation and sbox
	if (Decrypt) begin : gen_dec
	always_comb begin : p_dec
	data_state_sbox = data_state[r] ^ key_i;
	// Reverse odd/even grouping
	data_state_flipped = data_state_sbox;
	for (int k = 0; k < DataWidth/2; k++) begin
	data_state_flipped[k * 2] = data_state_sbox[k];
	data_state_flipped[k * 2 + 1] = data_state_sbox[k + DataWidth/2];
	end
	// Flip vector
	for (int k = 0; k < DataWidth; k++) begin
	data_state_sbox[DataWidth - 1 - k] = data_state_flipped[k];
	end
	// Inverse SBox layer
	for (int k = 0; k < DataWidth/4; k++) begin
	data_state_sbox[k4 +: 4] = prim_cipher_pkg::PRESENT_SBOX4_INV[data_state_sbox[k4 +: 4]];
	end
	data_state[r + 1] = data_state_sbox;
	end
	////////////////////////////////
	// encryption pass
	end else begin : gen_enc
	always_comb begin : p_enc
	data_state_sbox = data_state[r] ^ key_i;
	// This SBox layer is aligned to nibbles, so the uppermost bits may not be affected by this.
	// However, the permutation below ensures that these bits get shuffled to a different
	// position when performing multiple rounds.
	for (int k = 0; k < DataWidth/4; k++) begin
	data_state_sbox[k4 +: 4] = prim_cipher_pkg::PRESENT_SBOX4[data_state_sbox[k4 +: 4]];
	end
	// Flip the vector to move the MSB positions into the LSB positions
	for (int k = 0; k < DataWidth; k++) begin
	data_state_flipped[DataWidth - 1 - k] = data_state_sbox[k];
	end
	// Regroup bits such that all even indices are stacked up first, followed by all odd
	// indices. Note that if the Width is odd, this is still ok, since
	// the uppermost bit just stays in place in that case.
	data_state_sbox = data_state_flipped;
	for (int k = 0; k < DataWidth/2; k++) begin
	data_state_sbox[k] = data_state_flipped[k * 2];
	data_state_sbox[k + DataWidth/2] = data_state_flipped[k * 2 + 1];
	end
	data_state[r + 1] = data_state_sbox;
	end
	end // gen_enc
	////////////////////////////////
	end // gen_round

	// finalize
	assign data_o = data_state[NumRounds] ^ key_i;

	endmodule : prim_subst_perm