[crypto] ML-DSA-87 verify (1/24)

[andrea-caforio]

First PR of the series adding package documentation and Bazel build files.

---

This is a series of PRs that in their composition result in FIPS-204-compliant OTBN implementation of ML-DSA-87 verify.

Resources

• https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf
• https://tches.iacr.org/index.php/TCHES/article/view/11158/10597
• https://github.com/pq-crystals/dilithium

Preamble

1. doc

Number-theoretic transform

2. NTT
3. INTT

Polynomial arithmetic

4. poly_add, poly_sub, poly_mul
5. poly_mul_add

XOF

6. xof_init, xof_poll, xof_finish
7. xof_absorb
8. xof_squeeze

Rounding

9. shift_left
10. decompose

Reduction

11. reduce

Infinity norm

12. norm_check

Sampling

13. rej_ntt_poly, expand_a
14. sample_in-ball
15. challenge_hash

Encoding

16. decode_z
17. decode_t1
18. decode_hint
19. encode_w1

Vector operations

20. sig_decode
21. norm_check_z
22. A*z, c * t1, Az - ct1
23. use_hint

Epilogue

24. app

[etterli]

Looks good to me except that the memory increase should probably be an atomic commit which also touches the RTL and DV. The reason is that otherwise the DV and potentially IBEX SW breaks.

I think increasing the memories should touch the same files as in this commit: etterli/opentitan-otbn-pqc-isa@b0ce32d

[etterli]

Suggested change

	TODO: Document the .bss and .scratchpad split
	Note that DMEM is actually 32kiB in size, but only the first XkiB of
	the memory is visible through this register interface.

[andrea-caforio]

Looks good to me except that the memory increase should probably be an atomic commit which also touches the RTL and DV. The reason is that otherwise the DV and potentially IBEX SW breaks.

I think increasing the memories should touch the same files as in this commit: etterli/opentitan-otbn-pqc-isa@b0ce32d

Correct.

[nasahlpa]

Thanks Andi, this looks good to me.

Could you please:

• Increase the memory sizes in the documentation as well
• Fix the linting issue in otbn_reg_pkg.sv

[nasahlpa]

Can you please also update the memory sizes here:
https://opentitan.org/book/hw/ip/otbn/doc/theory_of_operation.html#memories

[etterli]

This is actually autogenerated. I am working on a proper PR which increases the memories. It takes more than just adding the changes I previously mentioned.

[vogelpi]

Please note that if you move the start address of DMEM (or IMEM), you introduce a backwards incompatible change with respect to Ibex software. If we do this, we have to not just do a minor version increase to 1.2.0 but a major one 2.0.0. IIRC, we should be able to increase DMEM to 32 KiB and IMEM to 16 KiB without changing start addresses.

[etterli]

Yes, we can increase both memories to 32KiB without changing the offsets. This is implemented in #29318 .

[vogelpi]

Thanks @andrea-caforio for the PR, it's great to see this! I've left some comments

[vogelpi]

Should this go into a README.md instead?

[andrea-caforio]

It's a README.md now.

[vogelpi]

Please note that if you move the start address of DMEM (or IMEM), you introduce a backwards incompatible change with respect to Ibex software. If we do this, we have to not just do a minor version increase to 1.2.0 but a major one 2.0.0. IIRC, we should be able to increase DMEM to 32 KiB and IMEM to 16 KiB without changing start addresses.

[vogelpi]

Ideally we can make a sensible choice for this right from the beginning. It may require some internal discussion first though.

[etterli]

#29318 goes with a 16\16 KiB split. This should be sufficient to transfer any PQC related data.

[andrea-caforio]

I removed the commit that adjusts the DMEM/IMEM sizes.
It is handled in #29318.

[etterli]

@vogelpi Thanks for explaining the address offset and version problematic. I created a separate PR which increases the IMEM and DMEM. See #29318.

@andrea-caforio

[h-filali]

Thanks @andrea-caforio. I mainly double checked the documentation part. Looks very clean, I like it!

[h-filali]

A bit nitpicky but is "occupying one 32-bit memory word" always true?

[andrea-caforio]

Yes, always.

[h-filali]

Only SCA hardened AFAIK.

[andrea-caforio]

I'm projecting here. :-)

[nasahlpa]

Thanks for addressing the comments. The IMEM and DMEM size increase will be done in #29318.