Line Coverage for Module :
prim_dom_and_2share
| Line No. | Total | Covered | Percent |
|---|
| TOTAL | | 7 | 7 | 100.00 |
| CONT_ASSIGN | 56 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 57 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 60 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 61 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 110 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 111 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 142 | 1 | 1 | 100.00 |
55 // Inner-domain terms
56 1/1 assign t_a0b0_d = a0_i & b0_i;
Tests: T1 T2 T3
57 1/1 assign t_a1b1_d = a1_i & b1_i;
Tests: T1 T2 T3
58
59 // Cross-domain terms
60 1/1 assign t_a0b1 = a0_i & b1_i;
Tests: T1 T2 T3
61 1/1 assign t_a1b0 = a1_i & b0_i;
Tests: T1 T2 T3
62
63 ///////////////
64 // Resharing //
65 ///////////////
66 // Resharing of cross-domain terms
67
68 // Preserve the logic sequence for XOR not to proceed cross-domain AND.
69 prim_xor2 #(
70 .Width ( DW*2 )
71 ) u_prim_xor_t01 (
72 .in0_i ( {t_a0b1, t_a1b0} ),
73 .in1_i ( {z_i, z_i} ),
74 .out_o ( {t0_d, t1_d} )
75 );
76
77 // Register stage
78 prim_flop_en #(
79 .Width ( DW*2 ),
80 .ResetValue ( '0 )
81 ) u_prim_flop_t01 (
82 .clk_i ( clk_i ),
83 .rst_ni ( rst_ni ),
84 .en_i ( z_valid_i ),
85 .d_i ( {t0_d, t1_d} ),
86 .q_o ( {t0_q, t1_q} )
87 );
88
89 /////////////////////////
90 // Optional Pipelining //
91 /////////////////////////
92
93 if (Pipeline == 1'b1) begin : gen_inner_domain_regs
94 // Add pipeline registers on inner-domain terms prior to integration. This allows accepting new
95 // input data every clock cycle and prevents SCA leakage occurring due to the integration of
96 // reshared cross-domain terms with inner-domain terms derived from different input data.
97
98 logic [DW-1:0] t_a0b0_q, t_a1b1_q;
99 prim_flop_en #(
100 .Width ( DW*2 ),
101 .ResetValue ( '0 )
102 ) u_prim_flop_tab01 (
103 .clk_i ( clk_i ),
104 .rst_ni ( rst_ni ),
105 .en_i ( z_valid_i ),
106 .d_i ( {t_a0b0_d, t_a1b1_d} ),
107 .q_o ( {t_a0b0_q, t_a1b1_q} )
108 );
109
110 1/1 assign t_a0b0 = t_a0b0_q;
Tests: T1 T2 T3
111 1/1 assign t_a1b1 = t_a1b1_q;
Tests: T1 T2 T3
112
113 end else begin : gen_no_inner_domain_regs
114 // Do not add the optional pipeline registers on the inner-domain terms. This allows to save
115 // some area in case the multiplier does not need to accept new data in every cycle. However,
116 // this can cause SCA leakage as during the clock cycle in which new data arrives, the new
117 // inner-domain terms are integrated with the previous, reshared cross-domain terms.
118
119 assign t_a0b0 = t_a0b0_d;
120 assign t_a1b1 = t_a1b1_d;
121 end
122
123 /////////////////
124 // Integration //
125 /////////////////
126
127 // Preserve the logic sequence for XOR not to proceed the inner-domain AND.
128 prim_xor2 #(
129 .Width ( DW*2 )
130 ) u_prim_xor_q01 (
131 .in0_i ( {t_a0b0, t_a1b1} ),
132 .in1_i ( {t0_q, t1_q} ),
133 .out_o ( {q0_o, q1_o} )
134 );
135
136 // Use intermediate results for remasking computations in another instance in the following
137 // clock cycle. Use one share only. Directly use output of flops updating with z_valid_i.
138 // t1_q is obtained by remasking t_a1b0 with z_i. Since z_i is uniformly distributed and
139 // independent of a1/b0_i, t1_q is also uniformly distributed and independent of a1/b0_i.
140 // For details, see Lemma 1 in Canright, "A very compact 'perfectly masked' S-box for AES
141 // (corrected)" available at https://eprint.iacr.org/2009/011.pdf
142 1/1 assign prd_o = t1_q;
Tests: T1 T2 T3
Assert Coverage for Module :
prim_dom_and_2share
Assertion Details
UnmaskedAndMatched_A
| Name | Attempts | Real Successes | Failures | Incomplete |
| Total |
2147483647 |
221137285 |
0 |
0 |
| T1 |
16475 |
2400 |
0 |
0 |
| T2 |
14760 |
2640 |
0 |
0 |
| T3 |
3905 |
0 |
0 |
0 |
| T7 |
32395 |
720 |
0 |
0 |
| T10 |
20140 |
185 |
0 |
0 |
| T12 |
47550 |
2640 |
0 |
0 |
| T22 |
258715 |
13200 |
0 |
0 |
| T27 |
201980 |
9840 |
0 |
0 |
| T38 |
535080 |
17760 |
0 |
0 |
| T39 |
28165 |
2640 |
0 |
0 |
| T40 |
0 |
20880 |
0 |
0 |
Line Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[0].u_dom
| Line No. | Total | Covered | Percent |
|---|
| TOTAL | | 7 | 7 | 100.00 |
| CONT_ASSIGN | 56 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 57 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 60 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 61 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 110 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 111 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 142 | 1 | 1 | 100.00 |
55 // Inner-domain terms
56 1/1 assign t_a0b0_d = a0_i & b0_i;
Tests: T1 T2 T3
57 1/1 assign t_a1b1_d = a1_i & b1_i;
Tests: T1 T2 T3
58
59 // Cross-domain terms
60 1/1 assign t_a0b1 = a0_i & b1_i;
Tests: T1 T2 T3
61 1/1 assign t_a1b0 = a1_i & b0_i;
Tests: T1 T2 T3
62
63 ///////////////
64 // Resharing //
65 ///////////////
66 // Resharing of cross-domain terms
67
68 // Preserve the logic sequence for XOR not to proceed cross-domain AND.
69 prim_xor2 #(
70 .Width ( DW*2 )
71 ) u_prim_xor_t01 (
72 .in0_i ( {t_a0b1, t_a1b0} ),
73 .in1_i ( {z_i, z_i} ),
74 .out_o ( {t0_d, t1_d} )
75 );
76
77 // Register stage
78 prim_flop_en #(
79 .Width ( DW*2 ),
80 .ResetValue ( '0 )
81 ) u_prim_flop_t01 (
82 .clk_i ( clk_i ),
83 .rst_ni ( rst_ni ),
84 .en_i ( z_valid_i ),
85 .d_i ( {t0_d, t1_d} ),
86 .q_o ( {t0_q, t1_q} )
87 );
88
89 /////////////////////////
90 // Optional Pipelining //
91 /////////////////////////
92
93 if (Pipeline == 1'b1) begin : gen_inner_domain_regs
94 // Add pipeline registers on inner-domain terms prior to integration. This allows accepting new
95 // input data every clock cycle and prevents SCA leakage occurring due to the integration of
96 // reshared cross-domain terms with inner-domain terms derived from different input data.
97
98 logic [DW-1:0] t_a0b0_q, t_a1b1_q;
99 prim_flop_en #(
100 .Width ( DW*2 ),
101 .ResetValue ( '0 )
102 ) u_prim_flop_tab01 (
103 .clk_i ( clk_i ),
104 .rst_ni ( rst_ni ),
105 .en_i ( z_valid_i ),
106 .d_i ( {t_a0b0_d, t_a1b1_d} ),
107 .q_o ( {t_a0b0_q, t_a1b1_q} )
108 );
109
110 1/1 assign t_a0b0 = t_a0b0_q;
Tests: T1 T2 T3
111 1/1 assign t_a1b1 = t_a1b1_q;
Tests: T1 T2 T3
112
113 end else begin : gen_no_inner_domain_regs
114 // Do not add the optional pipeline registers on the inner-domain terms. This allows to save
115 // some area in case the multiplier does not need to accept new data in every cycle. However,
116 // this can cause SCA leakage as during the clock cycle in which new data arrives, the new
117 // inner-domain terms are integrated with the previous, reshared cross-domain terms.
118
119 assign t_a0b0 = t_a0b0_d;
120 assign t_a1b1 = t_a1b1_d;
121 end
122
123 /////////////////
124 // Integration //
125 /////////////////
126
127 // Preserve the logic sequence for XOR not to proceed the inner-domain AND.
128 prim_xor2 #(
129 .Width ( DW*2 )
130 ) u_prim_xor_q01 (
131 .in0_i ( {t_a0b0, t_a1b1} ),
132 .in1_i ( {t0_q, t1_q} ),
133 .out_o ( {q0_o, q1_o} )
134 );
135
136 // Use intermediate results for remasking computations in another instance in the following
137 // clock cycle. Use one share only. Directly use output of flops updating with z_valid_i.
138 // t1_q is obtained by remasking t_a1b0 with z_i. Since z_i is uniformly distributed and
139 // independent of a1/b0_i, t1_q is also uniformly distributed and independent of a1/b0_i.
140 // For details, see Lemma 1 in Canright, "A very compact 'perfectly masked' S-box for AES
141 // (corrected)" available at https://eprint.iacr.org/2009/011.pdf
142 1/1 assign prd_o = t1_q;
Tests: T1 T2 T3
Assert Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[0].u_dom
Assertion Details
UnmaskedAndMatched_A
| Name | Attempts | Real Successes | Failures | Incomplete |
| Total |
621131667 |
44227457 |
0 |
0 |
| T1 |
3295 |
480 |
0 |
0 |
| T2 |
2952 |
528 |
0 |
0 |
| T3 |
781 |
0 |
0 |
0 |
| T7 |
6479 |
144 |
0 |
0 |
| T10 |
4028 |
37 |
0 |
0 |
| T12 |
9510 |
528 |
0 |
0 |
| T22 |
51743 |
2640 |
0 |
0 |
| T27 |
40396 |
1968 |
0 |
0 |
| T38 |
107016 |
3552 |
0 |
0 |
| T39 |
5633 |
528 |
0 |
0 |
| T40 |
0 |
4176 |
0 |
0 |
Line Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[1].u_dom
| Line No. | Total | Covered | Percent |
|---|
| TOTAL | | 7 | 7 | 100.00 |
| CONT_ASSIGN | 56 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 57 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 60 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 61 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 110 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 111 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 142 | 1 | 1 | 100.00 |
55 // Inner-domain terms
56 1/1 assign t_a0b0_d = a0_i & b0_i;
Tests: T1 T2 T3
57 1/1 assign t_a1b1_d = a1_i & b1_i;
Tests: T1 T2 T3
58
59 // Cross-domain terms
60 1/1 assign t_a0b1 = a0_i & b1_i;
Tests: T1 T2 T3
61 1/1 assign t_a1b0 = a1_i & b0_i;
Tests: T1 T2 T3
62
63 ///////////////
64 // Resharing //
65 ///////////////
66 // Resharing of cross-domain terms
67
68 // Preserve the logic sequence for XOR not to proceed cross-domain AND.
69 prim_xor2 #(
70 .Width ( DW*2 )
71 ) u_prim_xor_t01 (
72 .in0_i ( {t_a0b1, t_a1b0} ),
73 .in1_i ( {z_i, z_i} ),
74 .out_o ( {t0_d, t1_d} )
75 );
76
77 // Register stage
78 prim_flop_en #(
79 .Width ( DW*2 ),
80 .ResetValue ( '0 )
81 ) u_prim_flop_t01 (
82 .clk_i ( clk_i ),
83 .rst_ni ( rst_ni ),
84 .en_i ( z_valid_i ),
85 .d_i ( {t0_d, t1_d} ),
86 .q_o ( {t0_q, t1_q} )
87 );
88
89 /////////////////////////
90 // Optional Pipelining //
91 /////////////////////////
92
93 if (Pipeline == 1'b1) begin : gen_inner_domain_regs
94 // Add pipeline registers on inner-domain terms prior to integration. This allows accepting new
95 // input data every clock cycle and prevents SCA leakage occurring due to the integration of
96 // reshared cross-domain terms with inner-domain terms derived from different input data.
97
98 logic [DW-1:0] t_a0b0_q, t_a1b1_q;
99 prim_flop_en #(
100 .Width ( DW*2 ),
101 .ResetValue ( '0 )
102 ) u_prim_flop_tab01 (
103 .clk_i ( clk_i ),
104 .rst_ni ( rst_ni ),
105 .en_i ( z_valid_i ),
106 .d_i ( {t_a0b0_d, t_a1b1_d} ),
107 .q_o ( {t_a0b0_q, t_a1b1_q} )
108 );
109
110 1/1 assign t_a0b0 = t_a0b0_q;
Tests: T1 T2 T3
111 1/1 assign t_a1b1 = t_a1b1_q;
Tests: T1 T2 T3
112
113 end else begin : gen_no_inner_domain_regs
114 // Do not add the optional pipeline registers on the inner-domain terms. This allows to save
115 // some area in case the multiplier does not need to accept new data in every cycle. However,
116 // this can cause SCA leakage as during the clock cycle in which new data arrives, the new
117 // inner-domain terms are integrated with the previous, reshared cross-domain terms.
118
119 assign t_a0b0 = t_a0b0_d;
120 assign t_a1b1 = t_a1b1_d;
121 end
122
123 /////////////////
124 // Integration //
125 /////////////////
126
127 // Preserve the logic sequence for XOR not to proceed the inner-domain AND.
128 prim_xor2 #(
129 .Width ( DW*2 )
130 ) u_prim_xor_q01 (
131 .in0_i ( {t_a0b0, t_a1b1} ),
132 .in1_i ( {t0_q, t1_q} ),
133 .out_o ( {q0_o, q1_o} )
134 );
135
136 // Use intermediate results for remasking computations in another instance in the following
137 // clock cycle. Use one share only. Directly use output of flops updating with z_valid_i.
138 // t1_q is obtained by remasking t_a1b0 with z_i. Since z_i is uniformly distributed and
139 // independent of a1/b0_i, t1_q is also uniformly distributed and independent of a1/b0_i.
140 // For details, see Lemma 1 in Canright, "A very compact 'perfectly masked' S-box for AES
141 // (corrected)" available at https://eprint.iacr.org/2009/011.pdf
142 1/1 assign prd_o = t1_q;
Tests: T1 T2 T3
Assert Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[1].u_dom
Assertion Details
UnmaskedAndMatched_A
| Name | Attempts | Real Successes | Failures | Incomplete |
| Total |
621131667 |
44227457 |
0 |
0 |
| T1 |
3295 |
480 |
0 |
0 |
| T2 |
2952 |
528 |
0 |
0 |
| T3 |
781 |
0 |
0 |
0 |
| T7 |
6479 |
144 |
0 |
0 |
| T10 |
4028 |
37 |
0 |
0 |
| T12 |
9510 |
528 |
0 |
0 |
| T22 |
51743 |
2640 |
0 |
0 |
| T27 |
40396 |
1968 |
0 |
0 |
| T38 |
107016 |
3552 |
0 |
0 |
| T39 |
5633 |
528 |
0 |
0 |
| T40 |
0 |
4176 |
0 |
0 |
Line Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[2].u_dom
| Line No. | Total | Covered | Percent |
|---|
| TOTAL | | 7 | 7 | 100.00 |
| CONT_ASSIGN | 56 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 57 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 60 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 61 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 110 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 111 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 142 | 1 | 1 | 100.00 |
55 // Inner-domain terms
56 1/1 assign t_a0b0_d = a0_i & b0_i;
Tests: T1 T2 T3
57 1/1 assign t_a1b1_d = a1_i & b1_i;
Tests: T1 T2 T3
58
59 // Cross-domain terms
60 1/1 assign t_a0b1 = a0_i & b1_i;
Tests: T1 T2 T3
61 1/1 assign t_a1b0 = a1_i & b0_i;
Tests: T1 T2 T3
62
63 ///////////////
64 // Resharing //
65 ///////////////
66 // Resharing of cross-domain terms
67
68 // Preserve the logic sequence for XOR not to proceed cross-domain AND.
69 prim_xor2 #(
70 .Width ( DW*2 )
71 ) u_prim_xor_t01 (
72 .in0_i ( {t_a0b1, t_a1b0} ),
73 .in1_i ( {z_i, z_i} ),
74 .out_o ( {t0_d, t1_d} )
75 );
76
77 // Register stage
78 prim_flop_en #(
79 .Width ( DW*2 ),
80 .ResetValue ( '0 )
81 ) u_prim_flop_t01 (
82 .clk_i ( clk_i ),
83 .rst_ni ( rst_ni ),
84 .en_i ( z_valid_i ),
85 .d_i ( {t0_d, t1_d} ),
86 .q_o ( {t0_q, t1_q} )
87 );
88
89 /////////////////////////
90 // Optional Pipelining //
91 /////////////////////////
92
93 if (Pipeline == 1'b1) begin : gen_inner_domain_regs
94 // Add pipeline registers on inner-domain terms prior to integration. This allows accepting new
95 // input data every clock cycle and prevents SCA leakage occurring due to the integration of
96 // reshared cross-domain terms with inner-domain terms derived from different input data.
97
98 logic [DW-1:0] t_a0b0_q, t_a1b1_q;
99 prim_flop_en #(
100 .Width ( DW*2 ),
101 .ResetValue ( '0 )
102 ) u_prim_flop_tab01 (
103 .clk_i ( clk_i ),
104 .rst_ni ( rst_ni ),
105 .en_i ( z_valid_i ),
106 .d_i ( {t_a0b0_d, t_a1b1_d} ),
107 .q_o ( {t_a0b0_q, t_a1b1_q} )
108 );
109
110 1/1 assign t_a0b0 = t_a0b0_q;
Tests: T1 T2 T3
111 1/1 assign t_a1b1 = t_a1b1_q;
Tests: T1 T2 T3
112
113 end else begin : gen_no_inner_domain_regs
114 // Do not add the optional pipeline registers on the inner-domain terms. This allows to save
115 // some area in case the multiplier does not need to accept new data in every cycle. However,
116 // this can cause SCA leakage as during the clock cycle in which new data arrives, the new
117 // inner-domain terms are integrated with the previous, reshared cross-domain terms.
118
119 assign t_a0b0 = t_a0b0_d;
120 assign t_a1b1 = t_a1b1_d;
121 end
122
123 /////////////////
124 // Integration //
125 /////////////////
126
127 // Preserve the logic sequence for XOR not to proceed the inner-domain AND.
128 prim_xor2 #(
129 .Width ( DW*2 )
130 ) u_prim_xor_q01 (
131 .in0_i ( {t_a0b0, t_a1b1} ),
132 .in1_i ( {t0_q, t1_q} ),
133 .out_o ( {q0_o, q1_o} )
134 );
135
136 // Use intermediate results for remasking computations in another instance in the following
137 // clock cycle. Use one share only. Directly use output of flops updating with z_valid_i.
138 // t1_q is obtained by remasking t_a1b0 with z_i. Since z_i is uniformly distributed and
139 // independent of a1/b0_i, t1_q is also uniformly distributed and independent of a1/b0_i.
140 // For details, see Lemma 1 in Canright, "A very compact 'perfectly masked' S-box for AES
141 // (corrected)" available at https://eprint.iacr.org/2009/011.pdf
142 1/1 assign prd_o = t1_q;
Tests: T1 T2 T3
Assert Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[2].u_dom
Assertion Details
UnmaskedAndMatched_A
| Name | Attempts | Real Successes | Failures | Incomplete |
| Total |
621131667 |
44227457 |
0 |
0 |
| T1 |
3295 |
480 |
0 |
0 |
| T2 |
2952 |
528 |
0 |
0 |
| T3 |
781 |
0 |
0 |
0 |
| T7 |
6479 |
144 |
0 |
0 |
| T10 |
4028 |
37 |
0 |
0 |
| T12 |
9510 |
528 |
0 |
0 |
| T22 |
51743 |
2640 |
0 |
0 |
| T27 |
40396 |
1968 |
0 |
0 |
| T38 |
107016 |
3552 |
0 |
0 |
| T39 |
5633 |
528 |
0 |
0 |
| T40 |
0 |
4176 |
0 |
0 |
Line Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[3].u_dom
| Line No. | Total | Covered | Percent |
|---|
| TOTAL | | 7 | 7 | 100.00 |
| CONT_ASSIGN | 56 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 57 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 60 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 61 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 110 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 111 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 142 | 1 | 1 | 100.00 |
55 // Inner-domain terms
56 1/1 assign t_a0b0_d = a0_i & b0_i;
Tests: T1 T2 T3
57 1/1 assign t_a1b1_d = a1_i & b1_i;
Tests: T1 T2 T3
58
59 // Cross-domain terms
60 1/1 assign t_a0b1 = a0_i & b1_i;
Tests: T1 T2 T3
61 1/1 assign t_a1b0 = a1_i & b0_i;
Tests: T1 T2 T3
62
63 ///////////////
64 // Resharing //
65 ///////////////
66 // Resharing of cross-domain terms
67
68 // Preserve the logic sequence for XOR not to proceed cross-domain AND.
69 prim_xor2 #(
70 .Width ( DW*2 )
71 ) u_prim_xor_t01 (
72 .in0_i ( {t_a0b1, t_a1b0} ),
73 .in1_i ( {z_i, z_i} ),
74 .out_o ( {t0_d, t1_d} )
75 );
76
77 // Register stage
78 prim_flop_en #(
79 .Width ( DW*2 ),
80 .ResetValue ( '0 )
81 ) u_prim_flop_t01 (
82 .clk_i ( clk_i ),
83 .rst_ni ( rst_ni ),
84 .en_i ( z_valid_i ),
85 .d_i ( {t0_d, t1_d} ),
86 .q_o ( {t0_q, t1_q} )
87 );
88
89 /////////////////////////
90 // Optional Pipelining //
91 /////////////////////////
92
93 if (Pipeline == 1'b1) begin : gen_inner_domain_regs
94 // Add pipeline registers on inner-domain terms prior to integration. This allows accepting new
95 // input data every clock cycle and prevents SCA leakage occurring due to the integration of
96 // reshared cross-domain terms with inner-domain terms derived from different input data.
97
98 logic [DW-1:0] t_a0b0_q, t_a1b1_q;
99 prim_flop_en #(
100 .Width ( DW*2 ),
101 .ResetValue ( '0 )
102 ) u_prim_flop_tab01 (
103 .clk_i ( clk_i ),
104 .rst_ni ( rst_ni ),
105 .en_i ( z_valid_i ),
106 .d_i ( {t_a0b0_d, t_a1b1_d} ),
107 .q_o ( {t_a0b0_q, t_a1b1_q} )
108 );
109
110 1/1 assign t_a0b0 = t_a0b0_q;
Tests: T1 T2 T3
111 1/1 assign t_a1b1 = t_a1b1_q;
Tests: T1 T2 T3
112
113 end else begin : gen_no_inner_domain_regs
114 // Do not add the optional pipeline registers on the inner-domain terms. This allows to save
115 // some area in case the multiplier does not need to accept new data in every cycle. However,
116 // this can cause SCA leakage as during the clock cycle in which new data arrives, the new
117 // inner-domain terms are integrated with the previous, reshared cross-domain terms.
118
119 assign t_a0b0 = t_a0b0_d;
120 assign t_a1b1 = t_a1b1_d;
121 end
122
123 /////////////////
124 // Integration //
125 /////////////////
126
127 // Preserve the logic sequence for XOR not to proceed the inner-domain AND.
128 prim_xor2 #(
129 .Width ( DW*2 )
130 ) u_prim_xor_q01 (
131 .in0_i ( {t_a0b0, t_a1b1} ),
132 .in1_i ( {t0_q, t1_q} ),
133 .out_o ( {q0_o, q1_o} )
134 );
135
136 // Use intermediate results for remasking computations in another instance in the following
137 // clock cycle. Use one share only. Directly use output of flops updating with z_valid_i.
138 // t1_q is obtained by remasking t_a1b0 with z_i. Since z_i is uniformly distributed and
139 // independent of a1/b0_i, t1_q is also uniformly distributed and independent of a1/b0_i.
140 // For details, see Lemma 1 in Canright, "A very compact 'perfectly masked' S-box for AES
141 // (corrected)" available at https://eprint.iacr.org/2009/011.pdf
142 1/1 assign prd_o = t1_q;
Tests: T1 T2 T3
Assert Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[3].u_dom
Assertion Details
UnmaskedAndMatched_A
| Name | Attempts | Real Successes | Failures | Incomplete |
| Total |
621131667 |
44227457 |
0 |
0 |
| T1 |
3295 |
480 |
0 |
0 |
| T2 |
2952 |
528 |
0 |
0 |
| T3 |
781 |
0 |
0 |
0 |
| T7 |
6479 |
144 |
0 |
0 |
| T10 |
4028 |
37 |
0 |
0 |
| T12 |
9510 |
528 |
0 |
0 |
| T22 |
51743 |
2640 |
0 |
0 |
| T27 |
40396 |
1968 |
0 |
0 |
| T38 |
107016 |
3552 |
0 |
0 |
| T39 |
5633 |
528 |
0 |
0 |
| T40 |
0 |
4176 |
0 |
0 |
Line Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[4].u_dom
| Line No. | Total | Covered | Percent |
|---|
| TOTAL | | 7 | 7 | 100.00 |
| CONT_ASSIGN | 56 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 57 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 60 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 61 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 110 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 111 | 1 | 1 | 100.00 |
| CONT_ASSIGN | 142 | 1 | 1 | 100.00 |
55 // Inner-domain terms
56 1/1 assign t_a0b0_d = a0_i & b0_i;
Tests: T1 T2 T3
57 1/1 assign t_a1b1_d = a1_i & b1_i;
Tests: T1 T2 T3
58
59 // Cross-domain terms
60 1/1 assign t_a0b1 = a0_i & b1_i;
Tests: T1 T2 T3
61 1/1 assign t_a1b0 = a1_i & b0_i;
Tests: T1 T2 T3
62
63 ///////////////
64 // Resharing //
65 ///////////////
66 // Resharing of cross-domain terms
67
68 // Preserve the logic sequence for XOR not to proceed cross-domain AND.
69 prim_xor2 #(
70 .Width ( DW*2 )
71 ) u_prim_xor_t01 (
72 .in0_i ( {t_a0b1, t_a1b0} ),
73 .in1_i ( {z_i, z_i} ),
74 .out_o ( {t0_d, t1_d} )
75 );
76
77 // Register stage
78 prim_flop_en #(
79 .Width ( DW*2 ),
80 .ResetValue ( '0 )
81 ) u_prim_flop_t01 (
82 .clk_i ( clk_i ),
83 .rst_ni ( rst_ni ),
84 .en_i ( z_valid_i ),
85 .d_i ( {t0_d, t1_d} ),
86 .q_o ( {t0_q, t1_q} )
87 );
88
89 /////////////////////////
90 // Optional Pipelining //
91 /////////////////////////
92
93 if (Pipeline == 1'b1) begin : gen_inner_domain_regs
94 // Add pipeline registers on inner-domain terms prior to integration. This allows accepting new
95 // input data every clock cycle and prevents SCA leakage occurring due to the integration of
96 // reshared cross-domain terms with inner-domain terms derived from different input data.
97
98 logic [DW-1:0] t_a0b0_q, t_a1b1_q;
99 prim_flop_en #(
100 .Width ( DW*2 ),
101 .ResetValue ( '0 )
102 ) u_prim_flop_tab01 (
103 .clk_i ( clk_i ),
104 .rst_ni ( rst_ni ),
105 .en_i ( z_valid_i ),
106 .d_i ( {t_a0b0_d, t_a1b1_d} ),
107 .q_o ( {t_a0b0_q, t_a1b1_q} )
108 );
109
110 1/1 assign t_a0b0 = t_a0b0_q;
Tests: T1 T2 T3
111 1/1 assign t_a1b1 = t_a1b1_q;
Tests: T1 T2 T3
112
113 end else begin : gen_no_inner_domain_regs
114 // Do not add the optional pipeline registers on the inner-domain terms. This allows to save
115 // some area in case the multiplier does not need to accept new data in every cycle. However,
116 // this can cause SCA leakage as during the clock cycle in which new data arrives, the new
117 // inner-domain terms are integrated with the previous, reshared cross-domain terms.
118
119 assign t_a0b0 = t_a0b0_d;
120 assign t_a1b1 = t_a1b1_d;
121 end
122
123 /////////////////
124 // Integration //
125 /////////////////
126
127 // Preserve the logic sequence for XOR not to proceed the inner-domain AND.
128 prim_xor2 #(
129 .Width ( DW*2 )
130 ) u_prim_xor_q01 (
131 .in0_i ( {t_a0b0, t_a1b1} ),
132 .in1_i ( {t0_q, t1_q} ),
133 .out_o ( {q0_o, q1_o} )
134 );
135
136 // Use intermediate results for remasking computations in another instance in the following
137 // clock cycle. Use one share only. Directly use output of flops updating with z_valid_i.
138 // t1_q is obtained by remasking t_a1b0 with z_i. Since z_i is uniformly distributed and
139 // independent of a1/b0_i, t1_q is also uniformly distributed and independent of a1/b0_i.
140 // For details, see Lemma 1 in Canright, "A very compact 'perfectly masked' S-box for AES
141 // (corrected)" available at https://eprint.iacr.org/2009/011.pdf
142 1/1 assign prd_o = t1_q;
Tests: T1 T2 T3
Assert Coverage for Instance : tb.dut.u_sha3.u_keccak.u_keccak_p.g_2share_chi.g_chi_w[4].u_dom
Assertion Details
UnmaskedAndMatched_A
| Name | Attempts | Real Successes | Failures | Incomplete |
| Total |
621131667 |
44227457 |
0 |
0 |
| T1 |
3295 |
480 |
0 |
0 |
| T2 |
2952 |
528 |
0 |
0 |
| T3 |
781 |
0 |
0 |
0 |
| T7 |
6479 |
144 |
0 |
0 |
| T10 |
4028 |
37 |
0 |
0 |
| T12 |
9510 |
528 |
0 |
0 |
| T22 |
51743 |
2640 |
0 |
0 |
| T27 |
40396 |
1968 |
0 |
0 |
| T38 |
107016 |
3552 |
0 |
0 |
| T39 |
5633 |
528 |
0 |
0 |
| T40 |
0 |
4176 |
0 |
0 |