[Libre-soc-dev] AES and SHA instructions

Jacob Lifshay programmerjake at gmail.com
Wed Nov 11 02:28:20 GMT 2020

On Tue, Nov 10, 2020, 16:11 Luke Kenneth Casson Leighton <lkcl at lkcl.net>

> On 11/10/20, Jacob Lifshay <programmerjake at gmail.com> wrote:
> > We *don't need* special constant-power accelerator hardware,
> ohh no, definitely not.  waaay too much effort.
> > we just need
> > constant timing, which is much easier to do.
> somewhere there will be decent properly evaluated implementations.
> it is a maaajor timesink and very hard to get right.

It's waay easier than you think, please take a look at the SHA instructions
in the Power ISA spec.

All the instructions just run one step of the encryption/decryption/hash
process, you don't need any special control logic to send it through just
the right number of times or other complex control, that all happens in the
software loop over the hardware instructions.

The AES instructions aren't much more complicated: just some wires, a few
simple gates and the 256-byte lookup tables. All we need to achieve
data-independent timing is just not look at the data bits when implementing
logic to decide if the pipeline should stall or how many stages to use
(most likely just a fixed-length pipeline, like integer add or multiply),
not much else is needed.


More information about the Libre-soc-dev mailing list