[prim] xoshiro primitive

[vrozic]

This PR has two commits.
The first commit adds xoshiro256++ primitive PRNG.
The second commit replaces LFSR in OTBN's URNG with xoshiro256++.

Signed-off-by: Vladimir Rozic vrozic@lowrisc.org

[imphil]

Thanks for your work on this primitive, Vladimir! As I said in the meeting, can you make sure that there is only a single module in the source file? You can either use functions, or just inline the code into the generate block (they only have a single call site).

Further comments:

• Please configure your editor to add a newline to the end of the file.
• Add a core file for the new primitive.
• Expand the description in the header to include a description of the algorithm, e.g. a link to a paper.

[tjaychen]

are the selections of mid2 here always supposed to be fixed? OR is it based on the output width? Just curious since it all seems to be around 64 at the moment.

[vrozic]

Yes, these intermediate signals are always supposed to be 64 bits, regardless the output width.
Xoshiro is originally designed as a 64b PRNG. This implementation unrolls the state-update loop to provide larger output width (always a multiple of 64).

[tjaychen]

o interesting, so is it fair to say this is meant to be more of a replacement from prim_lfsr than a tacked on post processing stage?

If that's the case, i think it would make sense to create a prim_prng.core, and maybe both these modules can be placed under that core file.

And lastly, do we have any general sense how big this module is compared to prim_lfsr? I think even if we just had some rough data from yosys it would be really helpful to guide people's selection of this, especially against the full prim_lfsr that has both permutation and a non-linear portion.

[vrozic]

I've done a preliminary yosys area analysis of the module otbn_rnd.sv which includes a PRNG and some additional logic for reseeding the generator and storing the output. The results are:
Version using LFSR + Sboxes: 6.39 kGE
Version using xoshiro256++: 11.64 kGE

So the change adds a little more than 5kGE.

[tjaychen]

this looks pretty good, but i do have a couple of questions.

[GregAC]

Some small comments but otherwise LGTM, thanks @vrozic

[GregAC]

Making the operation of seed_en_i and xoshiro_en_i more explicit would be nice, e.g. explain that when seed_en_i is set the PRNG is reseeded with seed_i and when xoshiro_en_i is set the PRNG advances. Also explain what both being set does.

You could also add a waveform to illustrate using wavedrom: https://wavedrom.com/. The wavedrom description can be inserted directly into the document (e.g. see the AES docs here:

opentitan/hw/ip/aes/doc/_index.md

Lines 282 to 303 in 3cb62ec

	{{< wavejson >}}
	{
	signal: [
	{ name: 'clk', wave: 'p........|.......'},
	['TL-UL IF',
	{ name: 'write', wave: '01...0...|.......'},
	{ name: 'addr', wave: 'x2345xxxx|xxxxxxx', data: 'K0 K1 K2 K3'},
	{ name: 'wdata', wave: 'x2345xxxx|xxxxxxx', data: 'K0 K1 K2 K3'},
	],
	{},
	['AES Unit',
	{ name: 'Config op', wave: 'x4...............', data: 'DECRYPT'},
	{ name: 'AES op', wave: '2........|.4.....', data: 'IDLE DECRYPT'},
	{ name: 'KEM op', wave: '2....3...|.4.....', data: 'IDLE ENCRYPT DECRYPT'},
	{ name: 'round', wave: 'xxxxx2.22|22.2222', data: '0 1 2 9 0 1 2 3 4'},
	{ name: 'key_init', wave: 'xxxx5....|.......', data: 'K0-3'},
	{ name: 'key_full', wave: 'xxxxx5222|4.22222', data: 'K0-3 f(K) f(K) f(K) K0-3\' f(K) f(K) f(K) f(K) f(K)'},
	{ name: 'key_dec', wave: 'xxxxxxxxx|4......', data: 'K0-3\''},
	]
	]
	}
	{{< /wavejson >}}

)

[vrozic]

Good idea. I've added the more explanation and the waveforms to the document.

[GregAC]

Does this need to be a priority mux?

[GregAC]

Is an all zero state a possibility under normal operation?

We should add an output that signals a lockup has occured. If its possible, but rare, it should probably be a recoverable error for OTBN. If it's only possible when an attack is occurring we should trigger a fatal error.

[vrozic]

All-zero state is possible (but still extremely unlikely) only when input entropy_i for additional entropy mixing is used.
However, in otbn_rnd.sv, this feature is not used (this input is always tied to zero), so reaching the all-zero state is impossible during the normal operation.
So I think that a fatal error would make sense.

[GregAC]

Ok for now let's just add an output that indicates a lockup has occurred and we'll add a fatal error based on it with another PR, I'll create an issue to track.

[vrozic]

OK, I've added the all_zero_o output to the primitive. Currently it is left unused in the otbn_rnd.sv.

[msfschaffner]

LGTM overall, just a few small comments.

[msfschaffner]

Does it make sense to extend this (in a follow up) with more SVAs so we can verify this primitive with FPV?

[msfschaffner]

LGTM from my side, thanks.