From 59173d653e7886e5929a7b7846473d22952249d6 Mon Sep 17 00:00:00 2001 From: Hakim Filali Date: Thu, 30 Oct 2025 15:51:06 +0100 Subject: [PATCH] [sw,cryptolib] Change expected values for tests with result 0 This commit changes the expected values for the tests that have an expected result of 0. This makes sure we don't run into issues where the tests are not executing properly and we still get a correct result due to the expected value of 0. Furthermore, this commit moves the tests to the hjson framework. The input and output values don't change from before this change. This commit merely skips the unnecessary calculations. 
Signed-off-by: Hakim Filali --- sw/otbn/crypto/tests/BUILD | 14 +-- .../p256_arithmetic_to_boolean_mod_test.exp | 2 - .../p256_arithmetic_to_boolean_mod_test.hjson | 22 ++++ .../p256_arithmetic_to_boolean_mod_test.s | 47 +------- .../tests/p256_arithmetic_to_boolean_test.exp | 3 - .../p256_arithmetic_to_boolean_test.hjson | 25 +++++ .../tests/p256_arithmetic_to_boolean_test.s | 72 +----------- .../p384_arithmetic_to_boolean_mod_test.exp | 3 - .../p384_arithmetic_to_boolean_mod_test.hjson | 25 +++++ .../p384_arithmetic_to_boolean_mod_test.s | 103 +----------------- .../tests/p384_arithmetic_to_boolean_test.exp | 3 - .../p384_arithmetic_to_boolean_test.hjson | 25 +++++ .../tests/p384_arithmetic_to_boolean_test.s | 74 +------------ .../tests/p384_boolean_to_arithmetic_test.exp | 3 - .../p384_boolean_to_arithmetic_test.hjson | 25 +++++ .../tests/p384_boolean_to_arithmetic_test.s | 71 +----------- .../tests/p384_keygen_from_seed_test.exp | 3 - .../tests/p384_keygen_from_seed_test.hjson | 29 +++++ .../crypto/tests/p384_keygen_from_seed_test.s | 34 ------ sw/otbn/crypto/tests/p384_keygen_test.exp | 3 - sw/otbn/crypto/tests/p384_keygen_test.hjson | 21 ++++ sw/otbn/crypto/tests/p384_keygen_test.s | 35 +++--- 22 files changed, 202 insertions(+), 440 deletions(-) delete mode 100644 sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.exp create mode 100644 sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.hjson delete mode 100644 sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.exp create mode 100644 sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.hjson delete mode 100644 sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.exp create mode 100644 sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.hjson delete mode 100644 sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.exp create mode 100644 sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.hjson delete mode 100644 sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.exp create mode 100644 
sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.hjson delete mode 100644 sw/otbn/crypto/tests/p384_keygen_from_seed_test.exp create mode 100644 sw/otbn/crypto/tests/p384_keygen_from_seed_test.hjson delete mode 100644 sw/otbn/crypto/tests/p384_keygen_test.exp create mode 100644 sw/otbn/crypto/tests/p384_keygen_test.hjson diff --git a/sw/otbn/crypto/tests/BUILD b/sw/otbn/crypto/tests/BUILD index eb33684e4009e..4dadeeb78a121 100644 --- a/sw/otbn/crypto/tests/BUILD +++ b/sw/otbn/crypto/tests/BUILD @@ -409,7 +409,7 @@ otbn_sim_test( srcs = [ "p256_arithmetic_to_boolean_test.s", ], - exp = "p256_arithmetic_to_boolean_test.exp", + testcase = "p256_arithmetic_to_boolean_test.hjson", deps = [ "//sw/otbn/crypto:p256_base", "//sw/otbn/crypto:p256_isoncurve", @@ -423,7 +423,7 @@ otbn_sim_test( srcs = [ "p256_arithmetic_to_boolean_mod_test.s", ], - exp = "p256_arithmetic_to_boolean_mod_test.exp", + testcase = "p256_arithmetic_to_boolean_mod_test.hjson", deps = [ "//sw/otbn/crypto:p256_base", "//sw/otbn/crypto:p256_isoncurve", @@ -465,7 +465,7 @@ otbn_sim_test( srcs = [ "p384_boolean_to_arithmetic_test.s", ], - exp = "p384_boolean_to_arithmetic_test.exp", + testcase = "p384_boolean_to_arithmetic_test.hjson", deps = [ "//sw/otbn/crypto:p384_b2a", ], @@ -476,7 +476,7 @@ otbn_sim_test( srcs = [ "p384_arithmetic_to_boolean_test.s", ], - exp = "p384_arithmetic_to_boolean_test.exp", + testcase = "p384_arithmetic_to_boolean_test.hjson", deps = [ "//sw/otbn/crypto:p384_a2b", "//sw/otbn/crypto:p384_base", @@ -488,7 +488,7 @@ otbn_sim_test( srcs = [ "p384_arithmetic_to_boolean_mod_test.s", ], - exp = "p384_arithmetic_to_boolean_mod_test.exp", + testcase = "p384_arithmetic_to_boolean_mod_test.hjson", deps = [ "//sw/otbn/crypto:p384_a2b", "//sw/otbn/crypto:p384_base", @@ -601,7 +601,7 @@ otbn_sim_test( srcs = [ "p384_keygen_test.s", ], - exp = "p384_keygen_test.exp", + testcase = "p384_keygen_test.hjson", deps = [ "//sw/otbn/crypto:p384_base", "//sw/otbn/crypto:p384_keygen", 
@@ -614,7 +614,7 @@ otbn_sim_test( srcs = [ "p384_keygen_from_seed_test.s", ], - exp = "p384_keygen_from_seed_test.exp", + testcase = "p384_keygen_from_seed_test.hjson", deps = [ "//sw/otbn/crypto:p384_b2a", "//sw/otbn/crypto:p384_base", diff --git a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.exp b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.exp deleted file mode 100644 index 35dacd69b5f07..0000000000000 --- a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.exp +++ /dev/null @@ -1,2 +0,0 @@ -# Expected values: -w0 = 0x0000000000000000000000000000000000000000000000000000000000000000 diff --git a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.hjson b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.hjson new file mode 100644 index 0000000000000..96fb62bbc4609 --- /dev/null +++ b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.hjson @@ -0,0 +1,22 @@ +// Copyright lowRISC contributors (OpenTitan project). +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 +{ + "entrypoint": "p256_arithmetic_to_boolean_mod_test", + "input": { + "regs": { + # w31 is zero + "w31": "0x0000000000000000000000000000000000000000000000000000000000000000" + # First arithmetic share of x. + "w11": "0x2328ce20226e4542f38f1ca699ce6272592fbe18c2d1a4f0eefd3e816b35c5e6", + # Second arithmetic share of x. + "w19": "0x53038ee6d4a25811969abf6f892fa008dc0f09fc3c6c760991349036bf81b6ba" + } + } + "output": { + "regs": { + # Unmasked result x. + "w20": "0x762c5d06f7109d548a29dc1622fe027b353ec814ff3e1afa8031ceb82ab77ca0", + } + } +} diff --git a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.s b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.s index 82f37fe1afc34..514687fe0213a 100644 --- a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.s +++ b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_mod_test.s 
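Review bot: The separators in the new p256_arithmetic_to_boolean_mod_test.hjson are inconsistent: the `"w31"` entry and the brace that closes `"input"` have no comma, while `"w11"` and the final `"w20"` entry do. Hjson accepts both forms when entries sit on separate lines, so this should parse, but one convention makes the vectors easier to diff and to extend. I would end every entry except the last with a comma and write `},` before `"output"`. The same mix appears in the p384_arithmetic_to_boolean_mod_test, p384_arithmetic_to_boolean_test and p384_keygen_test hjson files.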
@@ -12,10 +12,7 @@ .section .text.start -p256_arithmetic_to_boolean_test: - - /* init all-zero register */ - bn.xor w31, w31, w31 +p256_arithmetic_to_boolean_mod_test: /* Load domain parameter. w29 = dmem[p256_p] */ @@ -26,58 +23,18 @@ p256_arithmetic_to_boolean_test: /* Set MOD to p */ bn.wsrw MOD, w29 - /* Load values into WDRs */ - - /* w11 <= dmem[x] mod p */ - li x3, 11 - la x4, x - bn.lid x3, 0(x4) - bn.addm w11, w11, w31 - - /* w19 <= URND mod p */ - bn.wsrr w19, URND - bn.addm w19, w19, w31 - - /* Arithmetic masking */ - - /* w11 = A <= w11 - w19 = x - r */ - bn.subm w11, w11, w19 - /* Arithmetic to boolean conversion */ jal x1, arithmetic_to_boolean_mod - /* Unmask and compare values - after conversion */ + /* Unmask after conversion */ /* w20 <= w20 ^ w19 = x' ^ r = x */ bn.xor w20, w20, w19 - /* w10 <= dmem[x] mod p */ - li x3, 10 - la x4, x - bn.lid x3, 0(x4) - bn.addm w10, w10, w31 - - /* w0 <= w10 - w20 */ - bn.sub w0, w20, w10 - ecall - .data -.globl x -.balign 32 -x: - .word 0x2ab77ca0 - .word 0x8031ceb8 - .word 0xff3e1afa - .word 0x353ec814 - .word 0x22fe027b - .word 0x8a29dc16 - .word 0xf7109d54 - .word 0x762c5d06 - /* Public key z-coordinate. */ .globl z .balign 32 diff --git a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.exp b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.exp deleted file mode 100644 index 879f5d55ea82c..0000000000000 --- a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.exp +++ /dev/null @@ -1,3 +0,0 @@ -# Expected values: -w0 = 0x0000000000000000000000000000000000000000000000000000000000000000 -w1 = 0x0000000000000000000000000000000000000000000000000000000000000000 diff --git a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.hjson b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.hjson new file mode 100644 index 0000000000000..8c39545959dfd --- /dev/null +++ b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.hjson 
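Review bot: With the `bn.xor w31, w31, w31` init and the share setup removed, p256_arithmetic_to_boolean_mod_test relies on w11, w19 and w31 being set before entry, and nothing in the file says that they come from the hjson testcase. A comment under the label would make the dependency explicit, for example `/* Inputs preloaded by the .hjson testcase: w11 = first arithmetic share, w19 = second arithmetic share (mask), w31 = 0. */`. The other converted tests (p256_arithmetic_to_boolean_test, the three p384 conversion tests and p384_keygen_from_seed_test) drop the same init and would benefit from the same comment with their own register lists. The function body continues outside this hunk.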
@@ -0,0 +1,25 @@ +// Copyright lowRISC contributors (OpenTitan project). +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 +{ + "entrypoint": "p256_arithmetic_to_boolean_test", + "input": { + "regs": { + # w31 is zero + "w31": "0x0000000000000000000000000000000000000000000000000000000000000000", + # First arithmetic share of x. + "w11": "0x58b8977117dfeb954edfca6e9a7a6dc50957e6bd913a34a2d986834026276da7", + "w12": "0x0000000000000000000000000000000000000000000000000000000000000000", + # Second arithmetic share of x. + "w18": "0x1d73c595df30b1bf3b4a11a7888394b62be6e1576e03e657a6ab4b7804900ef9", + "w19": "0x0000000000000000000000000000000000000000000000000000000000000001" + } + } + "output": { + "regs": { + # Unmasked result x. + "w20": "0x762c5d06f7109d548a29dc1622fe027b353ec814ff3e1afa8031ceb82ab77ca0", + "w21": "0x0000000000000000000000000000000000000000000000000000000000000001", + } + } +} diff --git a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.s b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.s index dc224f414cb7c..ba095fb07e417 100644 --- a/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.s +++ b/sw/otbn/crypto/tests/p256_arithmetic_to_boolean_test.s @@ -14,9 +14,6 @@ p256_arithmetic_to_boolean_test: - /* init all-zero register */ - bn.xor w31, w31, w31 - /* Load domain parameter. w29 = dmem[p256_p] */ li x2, 29 
@@ -26,87 +23,20 @@ p256_arithmetic_to_boolean_test: /* Set MOD to p */ bn.wsrw MOD, w29 - /* Load values into WDRs */ - - /* w11 <= dmem[x_l] */ - li x3, 11 - la x4, x_l - bn.lid x3, 0(x4) - - /* w12 <= dmem[x_u] */ - li x3, 12 - la x4, x_u - bn.lid x3, 0(x4) - - /* w18 <= URND - w19 <= URND (1 bit) */ - bn.wsrr w18, URND - bn.wsrr w19, URND - bn.rshi w19, w31, w19 >> 255 - - /* Arithmetic masking */ - - /* [w12,w11] = A <= [w12,w11] - [w19,w18] mod 2^257 = x - r mod 2^257 - This may result in bits above 2^257, but these will be stripped off. */ - bn.sub w11, w11, w18 - bn.subb w12, w12, w19 - bn.rshi w12, w12, w31 >> 1 - bn.rshi w12, w31, w12 >> 255 - /* Arithmetic to boolean conversion */ jal x1, arithmetic_to_boolean - /* Unmask and compare values - after conversion */ + /* Unmask after conversion */ /* w20 <= w20 ^ w18 = x' ^ r w21 <= w21 ^ w19 = x' ^ r */ bn.xor w20, w20, w18 bn.xor w21, w21, w19 - /* w11 <= dmem[x_l] */ - li x3, 11 - la x4, x_l - bn.lid x3, 0(x4) - - /* w12 <= dmem[x_u] */ - li x3, 12 - la x4, x_u - bn.lid x3, 0(x4) - - /* [w1,w0] <= [w12,w11] - [w21,w20] */ - bn.sub w0, w11, w20 - bn.subb w1, w12, w21 - ecall - .data -.globl x_u -.balign 32 -x_u: - .word 0x00000001 - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - -.globl x_l -.balign 32 -x_l: - .word 0x2ab77ca0 - .word 0x8031ceb8 - .word 0xff3e1afa - .word 0x353ec814 - .word 0x22fe027b - .word 0x8a29dc16 - .word 0xf7109d54 - .word 0x762c5d06 - /* Public key z-coordinate. */ .globl z .balign 32 diff --git a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.exp b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.exp deleted file mode 100644 index 879f5d55ea82c..0000000000000 --- a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.exp +++ /dev/null 
@@ -1,3 +0,0 @@ -# Expected values: -w0 = 0x0000000000000000000000000000000000000000000000000000000000000000 -w1 = 0x0000000000000000000000000000000000000000000000000000000000000000 diff --git a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.hjson b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.hjson new file mode 100644 index 0000000000000..89f611048f14b --- /dev/null +++ b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.hjson @@ -0,0 +1,25 @@ +// Copyright lowRISC contributors (OpenTitan project). +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 +{ + "entrypoint": "p384_arithmetic_to_boolean_mod_test", + "input": { + "regs": { + # w31 is zero + "w31": "0x0000000000000000000000000000000000000000000000000000000000000000" + # First arithmetic share of x. + "w11": "0x034084329b46f1f0d277b31ea21c79370defc8a41b42246d3f4aae8c76f51f07", + "w12": "0x000000000000000000000000000000007679a2adc67c5fc8dd94a7f9c7ebf0b3", + # Second arithmetic share of x. + "w18": "0xe6ed0dfd7175e4ce3b976dff369604fb339e0775ef413315f03ca38e57185a0b", + "w19": "0x00000000000000000000000000000000bec5256738c1bb31a29d26be62cb8bed" + } + } + "output": { + "regs": { + # Unmasked result x. + "w20": "0xea2d92300cbcd6bf0e0f211dd8b27e33418dd01b0a8357832f875219ce0d7913", + "w21": "0x00000000000000000000000000000000353ec814ff3e1afa8031ceb82ab77ca0" + } + } +} diff --git a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.s b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.s index 2c23e5cc547f2..2b3d56b67bd67 100644 --- a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.s +++ b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_mod_test.s 
@@ -12,67 +12,7 @@ .section .text.start -p256_arithmetic_to_boolean_test: - - /* init all-zero register */ - bn.xor w31, w31, w31 - - /* Load domain parameter. - [w13,w12] = dmem[p384_p] */ - li x2, 12 - la x4, p384_p - bn.lid x2++, 0(x4) - bn.lid x2++, 32(x4) - - /* Load values into WDRs */ - - /* [w20,w19,w18] <= dmem[x] */ - li x3, 18 - la x4, x - bn.lid x3++, 0(x4) - bn.lid x3++, 32(x4) - bn.mov w20, w31 - - /* Reduce x mod p - [w5,w4] <= [w20,w19,w18] mod [w13,w12] = x mod p - dmem[x] <= [w31,w5,w4] = x mod p */ - jal x1, p384_reduce_p - bn.mov w4, w16 - bn.mov w5, w17 - li x3, 4 - la x4, x - bn.sid x3++, 0(x4) - bn.sid x3++, 32(x4) - li x3, 31 - bn.sid x3, 64(x4) - - /* [w20,w19,w18] <= URND = r */ - bn.wsrr w18, URND - bn.wsrr w19, URND - bn.wsrr w20, URND - - /* Reduce r mod p - [w7,w6] <= [w20,w19,w18] mod [w13,w12] = r mod p */ - jal x1, p384_reduce_p - bn.mov w6, w16 - bn.mov w7, w17 - - /* Arithmetic masking. - [w12,w11] = A <= [w5,w4] - [w7,w6] mod [w13,w12] = x - r mod p */ - - /* [w19,w18] = A1 <= [w5,w4] - [w7,w6] = x - r */ - bn.sub w18, w4, w6 - bn.subb w19, w5, w7 - - /* [w17,w16] = A2 <= [w19,w18] + [w13,w12] = A1 + p = x - r + p */ - bn.add w16, w18, w12 - bn.addc w17, w19, w13 - - /* If x >= r: [w12,w11] <= A1, else: [w12,w11] <= A2 */ - bn.sub w0, w4, w6 - bn.subb w1, w5, w7 - bn.sel w11, w16, w18, FG0.C - bn.sel w12, w17, w19, FG0.C +p384_arithmetic_to_boolean_mod_test: /* Load domain parameter. [w14,w13] = dmem[p384_p] */ 
@@ -81,53 +21,14 @@ p256_arithmetic_to_boolean_test: bn.lid x2++, 0(x4) bn.lid x2++, 32(x4) - /* Move mask r to input registers. - [w19,18] <= [w7,w6] = r */ - bn.mov w18, w6 - bn.mov w19, w7 - /* Arithmetic to boolean conversion */ jal x1, p384_arithmetic_to_boolean_mod - /* Unmask and compare values - after conversion */ + /* Unmask after conversion */ /* w20 <= w20 ^ w18 = x' ^ r w21 <= w21 ^ w19 = x' ^ r */ bn.xor w20, w20, w18 bn.xor w21, w21, w19 - /* [w5,w4] <= dmem[x] = x mod p */ - li x3, 4 - la x4, x - bn.lid x3++, 0(x4) - bn.lid x3++, 32(x4) - - /* [w1,w0] <= [w12,w11] - [w21,w20] */ - bn.sub w0, w4, w20 - bn.subb w1, w5, w21 - ecall - - -.data - -.globl x -.balign 32 -x: - .word 0xab0f7698 - .word 0xc85b787e - .word 0x9d9c9644 - .word 0x9f740ded - .word 0xa1b6fca8 - .word 0x8cd4a7b3 - .word 0x9f7fdc63 - .word 0x74013528 - .word 0x2ab77ca0 - .word 0x8031ceb8 - .word 0xff3e1afa - .word 0x353ec814 - .word 0x22fe027b - .word 0x8a29dc16 - .word 0xf7109d54 - .word 0x762c5d06 diff --git a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.exp b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.exp deleted file mode 100644 index 879f5d55ea82c..0000000000000 --- a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.exp +++ /dev/null @@ -1,3 +0,0 @@ -# Expected values: -w0 = 0x0000000000000000000000000000000000000000000000000000000000000000 -w1 = 0x0000000000000000000000000000000000000000000000000000000000000000 diff --git a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.hjson b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.hjson new file mode 100644 index 0000000000000..26e0b2639a294 --- /dev/null +++ b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.hjson 
@@ -0,0 +1,25 @@ +// Copyright lowRISC contributors (OpenTitan project). +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 +{ + "entrypoint": "p384_arithmetic_to_boolean_test", + "input": { + "regs": { + # w31 is zero + "w31": "0x0000000000000000000000000000000000000000000000000000000000000000" + # First arithmetic share of x. + "w11": "0xaf15e78e65701c471ba20b4549f621cd2dab040f4d410b8c5e228f47b3628833", + "w12": "0x00000000000000000000000000000001442418596da5df191fcd41d7a75c8022", + # Second arithmetic share of x. + "w18": "0xc716757891a0810d6e87d0d0d907e0ae0793c405b1fd0f6e220f3f707754f46d", + "w19": "0x000000000000000000000000000000005b4ff5942ff6b72ba88e36a703b2f675" + } + } + "output": { + "regs": { + # Unmasked result x. + "w20": "0x762c5d06f7109d548a29dc1622fe027b353ec814ff3e1afa8031ceb82ab77ca0", + "w21": "0x000000000000000000000000000000019f740ded9d9c9644c85b787eab0f7698" + } + } +} diff --git a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.s b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.s index 2af2cc3946a0e..643f91ea2d0f9 100644 --- a/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.s +++ b/sw/otbn/crypto/tests/p384_arithmetic_to_boolean_test.s 
@@ -14,86 +14,14 @@ p384_arithmetic_to_boolean_test: - /* init all-zero register */ - bn.xor w31, w31, w31 - - /* Load values into WDRs */ - - /* w11 <= dmem[x_l] */ - li x3, 11 - la x4, x_l - bn.lid x3, 0(x4) - - /* w12 <= dmem[x_u] */ - li x3, 12 - la x4, x_u - bn.lid x3, 0(x4) - - /* w18 <= URND - w19 <= URND (129 bits) */ - bn.wsrr w18, URND - bn.wsrr w19, URND - bn.rshi w19, w31, w19 >> 127 - - /* Arithmetic masking */ - - /* [w12,w11] = A <= [w12,w11] - [w19,w18] mod 2^385 = x - r mod 2^385 - This may result in bits above 2^385, but these will be stripped off (-> mod 2^385). */ - bn.sub w11, w11, w18 - bn.subb w12, w12, w19 - bn.rshi w12, w12, w31 >> 129 - bn.rshi w12, w31, w12 >> 127 - /* Arithmetic to boolean conversion */ jal x1, p384_arithmetic_to_boolean - /* Unmask and compare values - after conversion */ + /* Unmask after conversion */ /* w20 <= w20 ^ w18 = x' ^ r w21 <= w21 ^ w19 = x' ^ r */ bn.xor w20, w20, w18 bn.xor w21, w21, w19 - /* w11 <= dmem[x_l] */ - li x3, 11 - la x4, x_l - bn.lid x3, 0(x4) - - /* w12 <= dmem[x_u] */ - li x3, 12 - la x4, x_u - bn.lid x3, 0(x4) - - /* [w1,w0] <= [w12,w11] - [w21,w20] */ - bn.sub w0, w11, w20 - bn.subb w1, w12, w21 - ecall - - -.data - -.globl x_u -.balign 32 -x_u: - .word 0xab0f7698 - .word 0xc85b787e - .word 0x9d9c9644 - .word 0x9f740ded - .word 0x00000001 - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - -.globl x_l -.balign 32 -x_l: - .word 0x2ab77ca0 - .word 0x8031ceb8 - .word 0xff3e1afa - .word 0x353ec814 - .word 0x22fe027b - .word 0x8a29dc16 - .word 0xf7109d54 - .word 0x762c5d06 diff --git a/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.exp b/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.exp deleted file mode 100644 index 879f5d55ea82c..0000000000000 --- a/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.exp +++ /dev/null 
@@ -1,3 +0,0 @@ -# Expected values: -w0 = 0x0000000000000000000000000000000000000000000000000000000000000000 -w1 = 0x0000000000000000000000000000000000000000000000000000000000000000 diff --git a/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.hjson b/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.hjson new file mode 100644 index 0000000000000..8a1747dd47ccf --- /dev/null +++ b/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.hjson @@ -0,0 +1,25 @@ +// Copyright lowRISC contributors (OpenTitan project). +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 +{ + "entrypoint": "p384_boolean_to_arithmetic_test", + "input": { + "regs": { + # w31 is zero + "w31": "0x0000000000000000000000000000000000000000000000000000000000000000", + # First boolean share of x. + "w10": "0xc716757891a0810d6e87d0d0d907e0ae0793c405b1fd0f6e220f3f707754f46d", + "w11": "0x000000000000000000000000000000002da7faca17fb5b95d4471b5381d97b3a", + # Second boolean share of x. + "w20": "0xb13a287e66b01c59e4ae0cc6fbf9e2d532ad0c114ec31594a23ef1c85de388cd", + "w21": "0x00000000000000000000000000000000b2d3f7278a67cdd11c1c632d2ad60da2" + } + } + "output": { + "regs": { + # Unmasked result x. + "w20": "0x762c5d06f7109d548a29dc1622fe027b353ec814ff3e1afa8031ceb82ab77ca0", + "w21": "0x000000000000000000000000000000009f740ded9d9c9644c85b787eab0f7698" + } + } +} diff --git a/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.s b/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.s index 6878ae8b1f23a..c13873d577ed6 100644 --- a/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.s +++ b/sw/otbn/crypto/tests/p384_boolean_to_arithmetic_test.s 
@@ -14,82 +14,13 @@ p384_boolean_to_arithmetic_test: - /* init all-zero register */ - bn.xor w31, w31, w31 - - /* Load values into WDRs */ - - /* w20 <= dmem[x_l] */ - li x3, 20 - la x4, x_l - bn.lid x3, 0(x4) - - /* w21 <= dmem[x_u] */ - li x3, 21 - la x4, x_u - bn.lid x3, 0(x4) - - /* w10 <= URND - w11 <= URND (128 bits) */ - bn.wsrr w10, URND - bn.wsrr w11, URND - bn.rshi w11, w31, w11 >> 128 - - /* Boolean masking */ - - /* [w21,w20] = x' <= [w11,w10] ^ [w21,w20] = x ^ r */ - bn.xor w20, w10, w20 - bn.xor w21, w11, w21 - /* Arithmetic to boolean conversion */ jal x1, p384_boolean_to_arithmetic - /* Unmask and compare values - after conversion */ + /* Unmask after conversion */ /* [w21,w20] <= [w21,w20] + [w11,w10] = A + r */ bn.add w20, w20, w10 bn.addc w21, w21, w11 - /* w11 <= dmem[x_l] */ - li x3, 11 - la x4, x_l - bn.lid x3, 0(x4) - - /* w12 <= dmem[x_u] */ - li x3, 12 - la x4, x_u - bn.lid x3, 0(x4) - - /* [w1,w0] <= [w12,w11] - [w21,w20] */ - bn.sub w0, w11, w20 - bn.subb w1, w12, w21 - ecall - - -.data - -.globl x_u -.balign 32 -x_u: - .word 0xab0f7698 - .word 0xc85b787e - .word 0x9d9c9644 - .word 0x9f740ded - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - .word 0x00000000 - -.globl x_l -.balign 32 -x_l: - .word 0x2ab77ca0 - .word 0x8031ceb8 - .word 0xff3e1afa - .word 0x353ec814 - .word 0x22fe027b - .word 0x8a29dc16 - .word 0xf7109d54 - .word 0x762c5d06 diff --git a/sw/otbn/crypto/tests/p384_keygen_from_seed_test.exp b/sw/otbn/crypto/tests/p384_keygen_from_seed_test.exp deleted file mode 100644 index 879f5d55ea82c..0000000000000 --- a/sw/otbn/crypto/tests/p384_keygen_from_seed_test.exp +++ /dev/null @@ -1,3 +0,0 @@ -# Expected values: -w0 = 0x0000000000000000000000000000000000000000000000000000000000000000 -w1 = 0x0000000000000000000000000000000000000000000000000000000000000000 
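Review bot: The comment directly above `jal x1, p384_boolean_to_arithmetic` still reads "Arithmetic to boolean conversion", which is the opposite direction from the routine being called. Since this hunk already rewrites the neighbouring comment, it is a good place to correct it to `/* Boolean to arithmetic conversion */`. The line is unchanged context, so the mismatch predates this commit.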
diff --git a/sw/otbn/crypto/tests/p384_keygen_from_seed_test.hjson b/sw/otbn/crypto/tests/p384_keygen_from_seed_test.hjson new file mode 100644 index 0000000000000..cba61f0b71aa3 --- /dev/null +++ b/sw/otbn/crypto/tests/p384_keygen_from_seed_test.hjson @@ -0,0 +1,29 @@ +// Copyright lowRISC contributors (OpenTitan project). +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +{ + "entrypoint": "p384_keygen_from_seed_test", + "input": { + "regs": { + # Lower part of seed s share 0. + "w10": "0xc716757891a0810d6e87d0d0d907e0ae0793c405b1fd0f6e220f3f707754f46d", + # Upper part of seed s share 0. + "w11": "0x00000000000000000000000000000000f8a869fba74b0714ba6aa4de328f9b8a", + # Lower part of seed s share 1. + "w20": "0x47d2bb8db0cba05e6002729b45f34e55d1833f6a080bfdc3459f8b9cc0ea5e89", + # Upper part of seed s share 1. + "w21": "0x00000000000000000000000000000000a3ca668d3ea216ce035a2dd60fe765ef", + # All zero reg w31. + "w31": "0x0000000000000000000000000000000000000000000000000000000000000000" + } + } + "output": { + "regs": { + # Key d share 0. + "w16": "0x80c4cef5216b21530e85a24b9cf4aefbd610fb6fb9f6f2ad6790b4ecb7beaae4", + # Key d share 1. + "w17": "0x000000000000000000000000000000005b620f7699e911dab93089083d68fe65", + } + } +} diff --git a/sw/otbn/crypto/tests/p384_keygen_from_seed_test.s b/sw/otbn/crypto/tests/p384_keygen_from_seed_test.s index 36ee71f8702b7..a992326f96b49 100644 --- a/sw/otbn/crypto/tests/p384_keygen_from_seed_test.s +++ b/sw/otbn/crypto/tests/p384_keygen_from_seed_test.s @@ -20,8 +20,6 @@ .section .text.start p384_keygen_from_seed_test: - /* Init all-zero register. */ - bn.xor w31, w31, w31 /* Load the curve order n. [w13,w12] <= dmem[p384_n] = n */ 
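Review bot: The output comments "Key d share 0" on `w16` and "Key d share 1" on `w17` do not appear to match what the test leaves in those registers. The last call before `ecall` in p384_keygen_from_seed_test.s is `jal x1, p384_reduce_n`, and the code removed by this commit read its result as the pair [w17,w16], so the two values look like the lower and upper limbs of the recombined key d rather than two shares. If that reading is right, `# Lower 256 bits of recombined key d.` and `# Upper 128 bits of recombined key d.` would describe them correctly.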
@@ -35,39 +33,11 @@ p384_keygen_from_seed_test: w14 <= 2^256 - n[255:0] = (2^384 - n) mod (2^256) = 2^384 - n */ bn.sub w14, w31, w12 - /* Obtain 1024 bits of randomness from URND. */ - bn.wsrr w20, URND - bn.wsrr w21, URND - bn.wsrr w10, URND - bn.wsrr w11, URND - - /* Reduce to 384 bits of randomness per share. - [w21, w20] <= s0 mod 2^384 - [w11, w10] <= s1 mod 2^384 */ - bn.rshi w21, w21, w31 >> 128 - bn.rshi w21, w31, w21 >> 128 - bn.rshi w11, w11, w31 >> 128 - bn.rshi w11, w31, w11 >> 128 - - /* Calculate seed = s0 ^ s1 - [w9,w8] <= [w21,w20] ^ [w11,w10] */ - bn.xor w8, w20, w10 - bn.xor w9, w21, w11 - /* Generate key shares dmem[d0] <= d0 dmem[di] <= d1 */ jal x1, p384_key_from_seed - /* Calculate d = seed mod n - [w1,w0] <= [w19,w18] mod [w13,w12] */ - bn.mov w18, w8 - bn.mov w19, w9 - bn.mov w20, w31 - jal x1, p384_reduce_n - bn.mov w0, w16 - bn.mov w1, w17 - /* Load secred key shares from DMEM */ /* [w5,w4] <= d0 */ la x4, d0 @@ -87,8 +57,4 @@ p384_keygen_from_seed_test: bn.mov w20, w31 jal x1, p384_reduce_n - /* Compare if d == d' */ - bn.sub w0, w0, w16 - bn.subb w1, w1, w17 - ecall diff --git a/sw/otbn/crypto/tests/p384_keygen_test.exp b/sw/otbn/crypto/tests/p384_keygen_test.exp deleted file mode 100644 index 879f5d55ea82c..0000000000000 --- a/sw/otbn/crypto/tests/p384_keygen_test.exp +++ /dev/null @@ -1,3 +0,0 @@ -# Expected values: -w0 = 0x0000000000000000000000000000000000000000000000000000000000000000 -w1 = 0x0000000000000000000000000000000000000000000000000000000000000000 diff --git a/sw/otbn/crypto/tests/p384_keygen_test.hjson b/sw/otbn/crypto/tests/p384_keygen_test.hjson new file mode 100644 index 0000000000000..7bec3293c75ac --- /dev/null +++ b/sw/otbn/crypto/tests/p384_keygen_test.hjson 
@@ -0,0 +1,21 @@ +// Copyright lowRISC contributors (OpenTitan project). +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +{ + "entrypoint": "p384_keygen_test", + "input": { + "regs": { + # All zero reg w31. + "w31": "0x0000000000000000000000000000000000000000000000000000000000000000" + } + } + "output": { + "regs": { + # Success counter w0. + "w0": "0x0000000000000000000000000000000000000000000000000000000000000002" + # Success counter w1. + "w1": "0x0000000000000000000000000000000000000000000000000000000000000006" + } + } +} diff --git a/sw/otbn/crypto/tests/p384_keygen_test.s b/sw/otbn/crypto/tests/p384_keygen_test.s index 805792b345e96..0d4fb4f339b95 100644 --- a/sw/otbn/crypto/tests/p384_keygen_test.s +++ b/sw/otbn/crypto/tests/p384_keygen_test.s @@ -21,9 +21,6 @@ p384_keygen_test: - /* Init all-zero register. */ - bn.xor w31, w31, w31 - /* generate 4 random 448-bit values and write them to d0, d1 */ jal x1, p384_generate_random_key @@ -98,9 +95,9 @@ p384_keygen_test: or x2, x2, x3 /* If x2 != 0: w0 <= w0 + 1, else: w0 <= w0 + 0 */ - beq x2, x0, keep_w0_1 + bne x2, x0, fail_w0_1 bn.addi w0, w0, 1 - keep_w0_1: + fail_w0_1: /* [w17,w16] <= k = [w9,w8] + [w11,w10] mod n = k0 + k1 mod n */ bn.add w18, w8, w10 @@ -129,9 +126,9 @@ p384_keygen_test: or x2, x2, x3 /* If x2 != 0: w0 <= w0 + 1, else: w0 <= w0 + 0 */ - beq x2, x0, keep_w0_2 + bne x2, x0, fail_w0_2 bn.addi w0, w0, 1 - keep_w0_2: + fail_w0_2: /* Compare the values and check if they are distinct to each other. If one value pair is equal, then the zero flag will be set. @@ -163,9 +160,9 @@ p384_keygen_test: and x2, x2, x3 /* If x2 != 0: w1 <= w1 + 1, else: w1 <= w1 + 0 */ - beq x2, x0, keep_w1_1 + bne x2, x0, fail_w1_1 bn.addi w1, w1, 1 - keep_w1_1: + fail_w1_1: /* [w21,w20] <= [w5,w4] - [w9,w8] = d0 - k0 if d0 - k0 == 0: w1 <= w1 + w3 = w1 + 1, else: w1 <= w1 + w31 = w1 + 0 */ 
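Review bot: The comment above each inverted branch now states the opposite of what the code does. In the hunk at -98,9 the line `/* If x2 != 0: w0 <= w0 + 1, else: w0 <= w0 + 0 */` is followed by `bne x2, x0, fail_w0_1`, which skips the `bn.addi` when x2 != 0 and increments only when x2 == 0. It should read `/* If x2 == 0: w0 <= w0 + 1, else: w0 <= w0 + 0 */`. The same stale comment sits above `fail_w0_2` and every `fail_w1_N` branch in the remaining hunks of this file, with w1 in place of w0. Because w0 and w1 are now success counters compared against 2 and 6, a reader who trusts the comments would misjudge which outcome passes.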
@@ -193,9 +190,9 @@ p384_keygen_test: and x2, x2, x3 /* If x2 != 0: w1 <= w1 + 1, else: w1 <= w1 + 0 */ - beq x2, x0, keep_w1_2 + bne x2, x0, fail_w1_2 bn.addi w1, w1, 1 - keep_w1_2: + fail_w1_2: /* [w21,w20] <= [w5,w4] - [w11,w10] = d0 - k1 if d0 - k1 == 0: w1 <= w1 + w3 = w1 + 1, else: w1 <= w1 + w31 = w1 + 0 */ @@ -223,9 +220,9 @@ p384_keygen_test: and x2, x2, x3 /* If x2 != 0: w1 <= w1 + 1, else: w1 <= w1 + 0 */ - beq x2, x0, keep_w1_3 + bne x2, x0, fail_w1_3 bn.addi w1, w1, 1 - keep_w1_3: + fail_w1_3: /* [w21,w20] <= [w7,w6] - [w9,w8] = d1 - k0 if d1 - k0 == 0: w1 <= w1 + w3 = w1 + 1, else: w1 <= w1 + w31 = w1 + 0 */ @@ -253,9 +250,9 @@ p384_keygen_test: and x2, x2, x3 /* If x2 != 0: w1 <= w1 + 1, else: w1 <= w1 + 0 */ - beq x2, x0, keep_w1_4 + bne x2, x0, fail_w1_4 bn.addi w1, w1, 1 - keep_w1_4: + fail_w1_4: /* [w21,w20] <= [w7,w6] - [w11,w10] = d1 - k1 if d1 - k1 == 0: w1 <= w1 + w3 = w1 + 1, else: w1 <= w1 + w31 = w1 + 0 */ @@ -283,9 +280,9 @@ p384_keygen_test: and x2, x2, x3 /* If x2 != 0: w1 <= w1 + 1, else: w1 <= w1 + 0 */ - beq x2, x0, keep_w1_5 + bne x2, x0, fail_w1_5 bn.addi w1, w1, 1 - keep_w1_5: + fail_w1_5: /* [w21,w20] <= [w9,w8] - [w11,w10] = k0 - k1 if k0 - k1 == 0: w1 <= w1 + w3 = w1 + 1, else: w1 <= w1 + w31 = w1 + 0 */ @@ -313,8 +310,8 @@ p384_keygen_test: and x2, x2, x3 /* If x2 != 0: w1 <= w1 + 1, else: w1 <= w1 + 0 */ - beq x2, x0, keep_w1_6 + bne x2, x0, fail_w1_6 bn.addi w1, w1, 1 - keep_w1_6: + fail_w1_6: ecall
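Review bot: The new labels `fail_w1_2` to `fail_w1_6` (and `fail_w0_1`, `fail_w0_2`, `fail_w1_1` in the earlier hunks) are also reached by fall-through after the `bn.addi` on the passing path, so the name suggests a failure handler that does not exist. A neutral name for the join point, such as `skip_inc_w1_2:` or the previous `keep_w1_2:`, would describe it better. This concerns naming only and does not change what the test checks.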