Xilinx/Vitis_Libraries

[Security] Additional ECDSA curves

uecasm opened this issue · 1 comments

uecasm commented

Would it be possible to include support for additional ECDSA curves in the library?

I'm mostly after secp224r1, but it would be nice if there were a general method documented for adding extra curves if you know their parameters.

I was hoping I could just take the existing secp256k1 implementation and swap 256 to 224 and update the parameters in init(), but then there's the whole precompute table that's unclear how it's generated.

uecasm commented

FWIW, I found an older implementation that didn't use the precomputed tables, and I was able to successfully modify that to work with secp224r1 in simulation (although it wasn't easy, since Vitis HLS 2021.2 appears to be allergic to include paths).

Unfortunately it fails to synthesize with a pipelining timing violation, which is entirely Greek to me.

But then I went back and tried the supplied secp256k1 example, and that also fails to synthesize with the same error:

WARNING: [HLS 200-880] The II Violation in module 'modularInv_256_Pipeline_MON_PRODUCT_MOD' (loop 'MON_PRODUCT_MOD'): Unable to enforce a carried dependence constraint (II = 1, distance = 1, offset = 0) between 'store' operation ('p_Val2_s_write_ln55', ./xf_security/modular.hpp:55) of variable 'trunc_ln7', ./xf_security/modular.hpp:55 on local variable '__Val2__' and 'load' operation ('p_Val2_load_1') on local variable '__Val2__'.
WARNING: [HLS 200-880] The II Violation in module 'productMod_256_s' (loop 'PRODUCT_MOD'): Unable to enforce a carried dependence constraint (II = 1, distance = 1, offset = 0) between 'store' operation ('tmp_V_write_ln819') of variable 'tmp.V' on local variable 'this.V' and 'load' operation ('tmp_V_load_1') on local variable 'this.V'.
WARNING: [HLS 200-880] The II Violation in module 'productMod_256_s' (loop 'PRODUCT_MOD'): Unable to enforce a carried dependence constraint (II = 2, distance = 1, offset = 0) between 'store' operation ('tmp_V_write_ln819') of variable 'tmp.V' on local variable 'this.V' and 'load' operation ('tmp_V_load_1') on local variable 'this.V'.
WARNING: [HLS 200-871] Estimated clock period (7.5975ns) exceeds the target (target clock period: 10ns, clock uncertainty: 2.7ns, effective delay budget: 7.3ns).
WARNING: [HLS 200-1016] The critical path in module 'verify' consists of the following:	'load' operation ('Z2_V_load') on local variable 'Z2.V' [280]  (0 ns)
	'icmp' operation ('icmp_ln1064_2') [281]  (3.89 ns)
	multiplexor before 'phi' operation ('t1x', ./xf_security/ecdsa_secp256k1.hpp:274) with incoming values : ('ref_tmp8_i_i', ./xf_security/ecdsa_secp256k1.hpp:274) [293]  (1.29 ns)
	blocking operation 2.42 ns on control path)

Update: I managed to get these to synthesize by lowering the clock to 25MHz, although they still reported negative slack, which makes me nervous. I've yet to try them in actual implementation.

Update2: Implementation fails because it wants to use 40k LUTs all by itself, in a device that only has 48k and is already 55% utilized. And I couldn't find any obvious ways to tell it to sacrifice performance to reduce the number of LUTs.