NL.net proposal 2021-02-052

top-level bugreport: https://bugs.libre-soc.org/show_bug.cgi?id=589

Project name

The Libre-SOC Gigabit Router

Website / wiki

https://libre-riscv.org/nlnet_2021_crypto_router

Please be short and to the point in your answers; focus primarily on the what and how, not so much on the why. Add longer descriptions as attachments (see below). If English isn't your first language, don't worry - our reviewers don't care about spelling errors, only about great ideas. We apologise for the inconvenience of having to submit in English. On the up side, you can be as technical as you need to be (but you don't have to). Do stay concrete. Use plain text in your reply only, if you need any HTML to make your point please include this as attachment.

Abstract: Can you explain the whole project and its expected outcome(s).

Blockchain and cryotographic primitives are extremely complex mathematics where performance and power consumption contend with understandability, correctness and auditability. Implementations of cryptographic alorithms in OpenSSL for example are hard-coded hand-optimised assembler, which makes review and trust extremely challenging, particularly when "best practices" (SSL Certificates) result in some algorithms being retired as obsolete with increasing frequency.

Even just the implementations of cryptographic and blockchain algorithms have to be so heavily optimised for a particular instruction set, in order to get high performance, that it is almost impossible to read the original whitepaper and see how it is relevant or correct (the lack of funding for review of OpenSSL rocked the internet back in 2012, with HeartBleed).

Simple-V Vectorisation has some extremely unusual data manipulation properties that negate the need for such heavy optimisation. We would like to explore this in-depth, for example examining Galois Field arithmetic, the basis of Elliptic Curve, AES, Error-correction algorithms and more, at the fundamental mathematical level and providing Vector Matrix Multiply and other abstractions, the combination of which lead to auditors to be able to see extremely clearly and quickly what the relationship is between the math and the actual implementation in hardware. The focus will be on investigation and implementation of cryptographic primitives for use in Blockchain, OpenSSL, on keeping the implementation simple and leveraging Formal Correctness Proofs to verify them.

The target worked example will be not to simply put this into an FPGA but to put together a 130nm ASIC under the Google Skywater Open PDK ASIC Programme, as a proof-of-concept Gigabit Router chip capable of securely handling network traffic and, having the underlying cryptographic primitives in place, being the basis of peer networking and blockchain applications which can be trusted with those tasks by its full HDL and source code being publicly available for independent review.

Ultimately we want a demonstration ASIC of an independently-auditable hardware implementation which can be trusted by end-users.

Have you been involved with projects or organisations relevant to this project before? And if so, can you tell us a bit about your contributions?

NLnet is backing the Libre-SOC project with a number of PET Grants (ending this year). So far we have, thanks to NLnet:

  • Implemented the integer OpenPOWER ISA in a libre-compatible Lattice FPGA (ECP5)
  • Provided Formal Correctness proofs for all OpenPOWER pipelines implemented so far
  • Implemented a parameteriseable IEEE754 HDL library including SQRT, RSQRT and CORDIC pipelines and run several hundred thousand unit tests.
  • Implemented a "data primitives" library called nmutil which provides the basis of reconfigurable pipelines suitable for Reservation Stations in OoO microarchitectures
  • Started a dynamically-reconfigureable SIMD arithmetic HDL class that transparently computes parallel results but has an API as if it were a single Signal, to nmigen

These are all spin-off resulting from the overall NLnet funding to complete the creation of a hybrid 3D GPU and VPU.

Requested Amount

EUR $50,000.

Explain what the requested budget will be used for?

  • Detailed review and documentation of the analysis of cryptographic hashing and encryption algorithms used in cryptonote and other blockchain technologies to ascertain the fundamental principles and mathematical primitives
    • So far the list includes Rijndael (AES), SHA2, Graestl, Blake256, Chacga8, Keccak and more
    • From Asymmetric Cryptography comes RSA, DSA, Diffie-Helmann and Elliptic Curve
    • From these it is clear that the primitives involve Matrix Multiply operations and Galois Field arithmetic, as well as ternary bitmanipulation and Carry-capable Vector "long arithmetic".
  • Hardware implementation of the underlying instruction primitives and Vector-Matrix concepts needed to support the crypto-primitives used in blockchain algorithms
  • Proof of Concept software implementation of the hashing algorithms identified, showing how Vectorised Matrix manipulation at the ISA level can greatly simplify the readability and clarity of cryptography, for audit purposes.
  • Formal Correctness proofs of the underlying hardware instruction primitives
  • Implementation of RGMII and USB-ULPI in nmigen
  • Implementation in nmigen of a DMA Engine suitable for Ethernet Frame packet transfer
  • Porting of FlexLib ASIC Cell Library to google Skywater 130nm PDK
  • Creation of an FPGA proof of concept Gigabit Router using a LibreSOC SimpleV core
  • Layout of Gigabit Router ASIC using coriolis2 using google Skywater 130nm PDK

Does the project have other funding sources, both past and present?

We had a Public Benefit Corporation as a sponsor in 2019 kindly donate to the project through NLnet for about 10 months. Other than that our developers have been 100% reliant on NLnet donations for some time.

Compare your own project with existing or historical efforts.

There exist many academic implementations of cryptographic primitives, as well as Open Source RTL blocks. There also exist many heavily-optimised algorithms targetted at proprietary processors.

  • Hardcoded HDL (typically verilog or VHDL) for specific algorithms defeats the purpose of the intended exercise (crpyto primitives)
  • Crypto-primitives are not entirely useful on their own unless made accessible through an ISA
  • Proprietary ISAs typically provide certain aspects (GF8MULB - a byte-wise GF8 multiply that is only suitable for Rijndael) but do not provide general-purpose operations. OpenPOWER provides hardcoded primitives for Rijndael MixColumns and SHA256 but not much else.
  • Proprietary ISAs also provide SIMD bitmanipulation, suitable for cryptographic algorithms, but the optimised algorithms have to be written just above assembler level and are extremely hard to understand.

The approach taken for this proposal is to go back to the underlying mathematical principles behind the crypto-primitives and target Cray-style Vector (not SIMD) ISA, with Matrix capability, directly at the mathematical operations. This has not been done before.

What are significant technical challenges you expect to solve during the project, if any?

Despite involving cryptography the project is relatively straightforward. One particular challenge that we are keenly aware of though is that power analysis mitigation is sufficiently hard to achieve that we have declared it firmly "out of scope".

Likewise: data-dependent time-analysis is also an active area of research that, if included, results in sufficient complexity that it could easily jeapordise the chances of completion of this proposal. Even if attempted partially, it would hamper the internal microarchitecture considerably. We therefore also declare data-dependent time-analysis "out of scope" for the purposes of this research, yet due to the nature of being a Libre Project welcome expert contribution in this complex challenging area.

Describe the ecosystem of the project, and how you will engage with relevant actors and promote the outcomes?

We operate entirely on Libre-licensed infrastructure that is independently managed by our team. We operate all technical development entirely transparently and release all source code and documentation under GNU licenses.

We attend conferences online (FOSDEM, XDC and others) which helps us to reach technically-aware individuals.

Extra info to be submitted

  • https://github.com/cryptonotefoundation/cryptonote/blob/master/src/crypto/