Integrate 1.1 features into main (#429)

* Add ECC Radix48 feature (#321) * updated mont multiplier to radix 64 * updated mont mult for radix 48 * distinguished radix from data_width --------- Co-authored-by: Mojtaba Bisheh Niasar <mojtabab@fe72.svceng.com> * Add SHA256 Winternitz core and test updates (#322) * Squash merge from user/dev/kupadhyayula/winternitz * Pull text/desc update to RDL file * fixed hmac leakage (#325) Co-authored-by: Mojtaba Bisheh Niasar <mojtabab@fe72.svceng.com> * documented LMS accelerator * updated docs * updated docs for fixing ECC leakage * updated docs for fixing ECC leakage * Merge latest sha256 RTL and test updates * Merge latest firmware test updates * Merge latest test_suite regression updates and scripts * Merge SVA and TB updates for caliptra_top * Merge removal of sha256_org * Fix typo and merge improved description for interrupt trigger reg * Merge KV UVM update and sha256 tb update missed in prev merges * Remove old unneeded LMS fw tests * removed ready_reg delay * removed delayed wntz starting and fixed FPV bug * covered all states for wntz_fsm_next * Block wntz fsm when ready is low, update prefix width, add init error condition, reset wntz_iter_reg * Add error handling for bit 1 (init/next error condition) * Restore LMS verification as a randomly enabled flow in ROM UVM test --------- Co-authored-by: Mojtaba Bisheh Niasar <mojtabab@fe72.svceng.com> Co-authored-by: Mojtaba Bisheh-Niasar <mojtaba.bisheh89@gmail.com> Co-authored-by: Mojtaba Bisheh Niasar <mojtabab@fe718.svceng.com> Co-authored-by: Kiran Upadhyayula <kupadhyayula@fe716.svceng.com>
chipsalliance · Feb 25, 2024 · e9b7e9e · e9b7e9e
1 parent 281c45f
commit e9b7e9e
Show file tree

Hide file tree

Showing 143 changed files with 3,091 additions and 532 deletions.
diff --git a/docs/CaliptraHardwareSpecification.md b/docs/CaliptraHardwareSpecification.md
@@ -845,11 +845,16 @@ The SHA256 architecture inputs and outputs are described as follows.
 | next            | input           | The core processes the rest of the message blocks using the result from the previous blocks. |
 | mode            | input           | Indicates the hash type of the function. This can be: <br> - SHA256/224 <br> - SHA256        |
 | zeroize         | input           | The core clears all internal registers to avoid any SCA information leakage.                 |
+| WNTZ_MODE*      | input           | SHA256 core is configured in Winternitz verification mode.                                   |
+| WNTZ_W\[3:0\]*  | input           | Winternitz W value.                                                                          |
+| WNTZ_N_MODE*    | input           | Winternitz n value(SHA192/SHA256 --> n = 24/32)                                              |
 | block\[511:0\]  | input           | The input padded block of message.                                                           |
 | ready           | output          | When HIGH, the signal indicates the core is ready.                                           |
 | digest\[255:0\] | output          | The hashed value of the given block.                                                         |
 | digest_valid    | output          | When HIGH, the signal indicates the result is ready.                                         |
 
+\* For more imformation about these inputs, please refer to LMS accelerator section.
+
 ### Address map
 
 The SHA256 address map is shown here: [sha256\_reg — clp Reference (chipsalliance.github.io)](https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.sha256_reg).
@@ -1301,13 +1306,12 @@ In practice, observing a t-value greater than a specific threshold (mainly 4.5)
 
 ##### KeyGen TVLA
 
-We detected a leakage using TVLA in the HMAC_DRBG algorithm during ECC key generation, based on 150,000 power traces. The leakage originated from a part of the SHA512 function (w_data) that was not fully protected by masking. The same leakage is expected for HMAC operations. 
+The TVLA results for performing seed/nonce-dependent leakage detection using 200,000 traces is shown in the following figure. Based on this figure, there is no leakage in ECC keygen by changing the seed/nonce after 200,000 operations.
 
-*Figure 40: seed/nonce-dependent leakage detection using TVLA for ECC keygen after 150,000 traces*
 
-![](./images/tvla_keygen.png)
+*Figure 40: seed/nonce-dependent leakage detection using TVLA for ECC keygen after 200,000 traces*
 
-This leakage is very unlikely to occur in practice, even though it exists in TVLA results. Therefore, we will address it in the next release.
+![](./images/tvla_keygen.png)
 
 ##### Signing TVLA
 
@@ -1350,6 +1354,73 @@ In this architecture, the ECC interface and controller are implemented in hardwa
 | Keygen    | 909,648             | 2.274                 | 439                 |
 | Signing   | 932,990             | 2.332                 | 428                 |
 | Verifying | 1,223,938           | 3.060                 | 326                 |
+
+
+## LMS Accelerator
+
+LMS cryptography is a type of hash-based digital signature scheme that was standardized by NIST in 2020. It is based on the Leighton-Micali Signature (LMS) system, which uses a Merkle tree structure to combine many one-time signature (OTS) keys into a single public key. LMS cryptography is resistant to quantum attacks and can achieve a high level of security without relying on large integer mathematics. 
+
+Caliptra supports only LMS verification using a software/hardware co-design approach. Hence, the LMS accelerator reuses the SHA256 engine to speedup the Winternitz chain by removing software-hardware interface overhead. The LMS-OTS verification algorithm is shown in follwoing figure:
+
+*Figure 43: LMS-OTS Verification algorithm*
+
+![](./images/LMS_verifying_alg.png)
+
+The high-level architecture of LMS is shown in the following figure.
+
+*Figure 44: LMS high-level architecture*
+
+![](./images/LMS_high_level.png)
+
+### LMS parameters
+
+LMS parameters are shown in the following table:
+
+| Parameter | Description                                                            | Value               |
+| :-------- | :--------------------------------------------------------------------- | :------------------ |
+| n         | The number of bytes of the output of the hash function.                | {24, 32}            |
+| w         | The width (in bits) of the Winternitz coefficients.                    | {1, 2, 4, 8}        |
+| p         | The number of n-byte string elements that make up the LM-OTS signature.| {265, 133, 67, 34}  |
+| H         | A cryptographic hash function.                                         | SHA256              |
+| h         | The height of the tree.	                                        	| {5, 10, 15, 20, 25} |
+
+- SHA256 is used for n=32 and SHA256/192 is used for n=24.
+- SHAKE256 is not supported in this architecture.
+- Value of p is determined based on w. If w=1, p is equal to 265, and so on.
+
+### Winternitz Chain Accelerator
+
+The Winternitz hash chain can be accelerated in hardware to enhance the performance of the design. For that, a configurable architecture is proposed that can reuse SHA256 engine. The LMS accelerator architecture is shown in the following figure, while H is SHA256 engine.
+
+*Figure 45: Winternitz chain architecture*
+
+![](./images/LMS_wntz_arch.png)
+
+
+### Signal descriptions
+
+The LMS accelerator integrated into SHA256 architecture inputs and outputs are described as follows.
+
+| Name            | Input or output | Description                                                                                  |
+| :-------------- | :-------------- | :------------------------------------------------------------------------------------------- |
+| clk             | input           | All signal timings are related to the rising edge of clk.                                    |
+| reset_n         | input           | The reset signal is active LOW and resets the core. This is the only active LOW signal.      |
+| init            | input           | The core is initialized and processes the first block of message.                            |
+| next            | input           | The core processes the rest of the message blocks using the result from the previous blocks. |
+| mode            | input           | Indicates the hash type of the function. This can be: <br> - SHA256/224 <br> - SHA256        |
+| zeroize         | input           | The core clears all internal registers to avoid any SCA information leakage.                 |
+| WNTZ_MODE       | input           | SHA256 core is configured in Winternitz verification mode.                                   |
+| WNTZ_W\[3:0\]   | input           | Winternitz W value.                                                                          |
+| WNTZ_N_MODE     | input           | Winternitz n value(SHA192/SHA256 --> n = 24/32)                                              |
+| block\[511:0\]  | input           | The input padded block of message.                                                           |
+| ready           | output          | When HIGH, the signal indicates the core is ready.                                           |
+| digest\[255:0\] | output          | The hashed value of the given block.                                                         |
+| digest_valid    | output          | When HIGH, the signal indicates the result is ready.                                         |
+
+### Address map
+
+The address map for LMS accelerator integrated into SHA256 is shown here: [sha256\_reg — clp Reference (chipsalliance.github.io)](https://chipsalliance.github.io/caliptra-rtl/main/internal-regs/?p=clp.sha256_reg).
+
 ## PCR vault
 
 * Platform Configuration Register (PCR) vault is a register file that stores measurements to be used by the microcontroller.

diff --git a/docs/images/LMS_high_level.png b/docs/images/LMS_high_level.png
diff --git a/docs/images/LMS_verifying_alg.png b/docs/images/LMS_verifying_alg.png
diff --git a/docs/images/LMS_wntz_arch.png b/docs/images/LMS_wntz_arch.png
diff --git a/docs/images/tvla_keygen.png b/docs/images/tvla_keygen.png
diff --git a/src/ecc/config/ecc_montgomerymultiplier_tb.vf b/src/ecc/config/ecc_montgomerymultiplier_tb.vf
@@ -47,15 +47,15 @@ ${CALIPTRA_ROOT}/src/sha512/rtl/sha512_w_mem.v
 ${CALIPTRA_ROOT}/src/sha512/rtl/sha512_reg.sv
 ${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_defines_pkg.sv
 ${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_core.sv
-${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_lfsr.sv
+${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_w_mem.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_param_pkg.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_reg_pkg.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_ctrl.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_core.v
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_reg.sv
+${CALIPTRA_ROOT}/src/hmac/rtl/hmac_lfsr.sv
 ${CALIPTRA_ROOT}/src/hmac_drbg/rtl/hmac_drbg.sv
-${CALIPTRA_ROOT}/src/hmac_drbg/rtl/hmac_drbg_lfsr.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_reg_pkg.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_defines_pkg.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_params_pkg.sv

diff --git a/src/ecc/config/ecc_top.vf b/src/ecc/config/ecc_top.vf
@@ -45,15 +45,15 @@ ${CALIPTRA_ROOT}/src/sha512/rtl/sha512_w_mem.v
 ${CALIPTRA_ROOT}/src/sha512/rtl/sha512_reg.sv
 ${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_defines_pkg.sv
 ${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_core.sv
-${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_lfsr.sv
+${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_w_mem.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_param_pkg.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_reg_pkg.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_ctrl.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_core.v
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_reg.sv
+${CALIPTRA_ROOT}/src/hmac/rtl/hmac_lfsr.sv
 ${CALIPTRA_ROOT}/src/hmac_drbg/rtl/hmac_drbg.sv
-${CALIPTRA_ROOT}/src/hmac_drbg/rtl/hmac_drbg_lfsr.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_reg_pkg.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_defines_pkg.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_params_pkg.sv

diff --git a/src/ecc/config/ecc_top_tb.vf b/src/ecc/config/ecc_top_tb.vf
@@ -50,15 +50,15 @@ ${CALIPTRA_ROOT}/src/sha512/rtl/sha512_w_mem.v
 ${CALIPTRA_ROOT}/src/sha512/rtl/sha512_reg.sv
 ${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_defines_pkg.sv
 ${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_core.sv
-${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_lfsr.sv
+${CALIPTRA_ROOT}/src/sha512_masked/rtl/sha512_masked_w_mem.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_param_pkg.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_reg_pkg.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_ctrl.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac.sv
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_core.v
 ${CALIPTRA_ROOT}/src/hmac/rtl/hmac_reg.sv
+${CALIPTRA_ROOT}/src/hmac/rtl/hmac_lfsr.sv
 ${CALIPTRA_ROOT}/src/hmac_drbg/rtl/hmac_drbg.sv
-${CALIPTRA_ROOT}/src/hmac_drbg/rtl/hmac_drbg_lfsr.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_reg_pkg.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_defines_pkg.sv
 ${CALIPTRA_ROOT}/src/ecc/rtl/ecc_params_pkg.sv

diff --git a/src/ecc/rtl/ecc_dsa_ctrl.sv b/src/ecc/rtl/ecc_dsa_ctrl.sv
@@ -90,15 +90,15 @@ module ecc_dsa_ctrl
     //----------------------------------------------------------------
 
     localparam [RND_SIZE-1 : 0]  zero_pad               = '0;
-    localparam REG_NUM_DWORDS = REG_SIZE / RADIX;
+    localparam REG_NUM_DWORDS = REG_SIZE / DATA_WIDTH;
     //----------------------------------------------------------------
     // Registers including update variables and write enable.
     //----------------------------------------------------------------
-    logic [DSA_PROG_ADDR_W-1 : 0]           prog_cntr;
+    logic [DSA_PROG_ADDR_W-1 : 0]                prog_cntr;
 
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0] read_reg;
-    logic [(REG_SIZE+RND_SIZE)-1 : 0]       write_reg;
-    logic [1 : 0]                           cycle_cnt;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0] read_reg;
+    logic [(REG_SIZE+RND_SIZE)-1 : 0]            write_reg;
+    logic [1 : 0]                                cycle_cnt;
 
     logic zeroize_reg;
 
@@ -128,17 +128,17 @@ module ecc_dsa_ctrl
 
     logic [1  : 0]          cmd_reg;
     logic [2  : 0]          pm_cmd_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  msg_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  msg_reduced_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  privkey_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  kv_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  pubkeyx_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  pubkeyy_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  seed_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  nonce_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  r_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  s_reg;
-    logic [REG_NUM_DWORDS-1 : 0][RADIX-1:0]  IV_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  msg_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  msg_reduced_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  privkey_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  kv_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  pubkeyx_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  pubkeyy_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  seed_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  nonce_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  r_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  s_reg;
+    logic [REG_NUM_DWORDS-1 : 0][DATA_WIDTH-1:0]  IV_reg;
     logic [REG_SIZE-1 : 0]  lambda;
     logic [REG_SIZE-1 : 0]  lambda_reg;
     logic [REG_SIZE-1 : 0]  masking_rnd;
@@ -228,7 +228,7 @@ module ecc_dsa_ctrl
     ecc_arith_unit #(
         .REG_SIZE(REG_SIZE),
         .RND_SIZE(RND_SIZE),
-        .RADIX(RADIX),
+        .RADIX(MULT_RADIX),
         .ADDR_WIDTH(DSA_OPR_ADDR_WIDTH),
         .p_prime(PRIME),
         .p_mu(PRIME_mu),
@@ -276,7 +276,7 @@ module ecc_dsa_ctrl
     ecc_scalar_blinding #(
         .REG_SIZE(REG_SIZE),
         .RND_SIZE(RND_SIZE),
-        .RADIX(RADIX),
+        .RADIX(SCALAR_BLIND_RADIX),
         .GROUP_ORDER(GROUP_ORDER)
         )
         ecc_scalar_blinding_i(

diff --git a/src/ecc/rtl/ecc_hmac_drbg_interface.sv b/src/ecc/rtl/ecc_hmac_drbg_interface.sv
@@ -39,7 +39,7 @@
 module ecc_hmac_drbg_interface#(
     parameter                  REG_SIZE       = 384,
     parameter [REG_SIZE-1 : 0] GROUP_ORDER    = 384'hffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973,
-    parameter [147 : 0]        LFSR_INIT_SEED = 148'h6_04E7_A407_54F1_4487_A021_11AC_D0DF_8C55_57A0   // a random value
+    parameter [REG_SIZE-1 : 0] LFSR_INIT_SEED = 384'hc48555929cd58779f4819c1e6570c2ef20bccd503284e2d366f3273a66e9719b07ac999c80740d6277af88ceb4c3029c   // a random value
     )
     (
     // Clock and reset.
@@ -66,8 +66,8 @@ module ecc_hmac_drbg_interface#(
     //----------------------------------------------------------------
     // Registers including update variables and write enable.
     //----------------------------------------------------------------
-    logic [147 : 0]         lfsr_seed_reg;
-    logic [147 : 0]         hmac_lfsr_seed;
+    logic [REG_SIZE-1 : 0]  lfsr_seed_reg;
+    logic [REG_SIZE-1 : 0]  hmac_lfsr_seed;
 
     logic                   hmac_mode;
     logic                   hmac_drbg_init;
@@ -210,7 +210,7 @@ module ecc_hmac_drbg_interface#(
         else
             if (hmac_done_edge) begin
                 unique case (state_reg) inside
-                    LFSR_ST:        lfsr_seed_reg   <= hmac_drbg_result[147 : 0];
+                    LFSR_ST:        lfsr_seed_reg   <= hmac_drbg_result;
                     LAMBDA_ST:      lambda_reg      <= hmac_drbg_result;
                     SCALAR_RND_ST:  scalar_rnd_reg  <= hmac_drbg_result;
                     MASKING_RND_ST: masking_rnd_reg <= hmac_drbg_result;
@@ -278,9 +278,8 @@ module ecc_hmac_drbg_interface#(
         end
     end // counter_nonce_update
 
-    always_comb counter_nonce[REG_SIZE-1 : 64] = '0;
-    always_comb counter_nonce[63 : 0] = counter_reg;
-    always_comb hmac_lfsr_seed = lfsr_seed_reg ^ counter_nonce[147 : 0];
+    always_comb counter_nonce = {counter_reg, counter_reg, counter_reg, counter_reg, counter_reg, counter_reg};
+    always_comb hmac_lfsr_seed = lfsr_seed_reg ^ counter_nonce;
 
     //----------------------------------------------------------------
     // FSM_flow

diff --git a/src/ecc/rtl/ecc_params_pkg.sv b/src/ecc/rtl/ecc_params_pkg.sv
@@ -39,9 +39,11 @@ package ecc_params_pkg;
   parameter [9 : 0] REG_SIZE     = 10'd384;
   parameter [9 : 0] RND_SIZE     = 10'd192;  // half of REG_SIZE based on Schindler W, Wiemers A (2015) Efficient side-channel attacks on
                                              // scalar blinding on elliptic curves with special structure. In: NIST Workshop on ECC standards
-  parameter REG_NUM_DWORDS       = REG_SIZE/32;
+  parameter DATA_WIDTH           = 32;
+  parameter REG_NUM_DWORDS       = REG_SIZE/DATA_WIDTH;
   parameter REG_OFFSET_W         = $clog2(REG_NUM_DWORDS);
-  parameter RADIX                = 32;
+  parameter MULT_RADIX           = 48;
+  parameter SCALAR_BLIND_RADIX   = 32;
   parameter ADD_NUM_ADDS         = 1;
   parameter ADD_BASE_SZ          = 384;
 
@@ -50,21 +52,21 @@ package ecc_params_pkg;
   parameter [REG_SIZE-1 : 0] GROUP_ORDER = 384'hffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973;
 
   // prime parameters in Montgomery domain
-  parameter [REG_SIZE-1 : 0] ZERO_CONST  = 384'h0;
-  parameter [REG_SIZE-1 : 0] ONE_CONST   = 384'h1;
-  parameter [REG_SIZE-1 : 0] E_a_MONT    = 384'hfffffffffffffffffffffffffffffffffffffffffffffffffffffffcfffffffbffffffff00000002fffffffdffffffff;
-  parameter [REG_SIZE-1 : 0] E_b_MONT    = 384'h604fbff9b62b21f41f022094e3374bee94938ae277f2209b1920022fc431bf244754443708118870d0391c81cd08114b;
-  parameter [REG_SIZE-1 : 0] E_3b_MONT   = 384'h20ef3fed228165dc5d0661bea9a5e3cbbdbaa0a767d661d14b60068f4c953d6dd5fccca61834995270ab5584671833e2;
-  parameter [REG_SIZE-1 : 0] ONE_p_MONT  = 384'h100000000ffffffffffffffff0000000100000000;
-  parameter [REG_SIZE-1 : 0] R2_p_MONT   = 384'h10000000200000000fffffffe000000000000000200000000fffffffe000000010000000000000000;
-  parameter [REG_SIZE-1 : 0] G_X_MONT    = 384'h299e1513812ff723614ede2b6454868459a30eff879c3afc541b4d6e6e1e26a4ee117bfa3dd07565fc8607664d3aadc2;
-  parameter [REG_SIZE-1 : 0] G_Y_MONT    = 384'h5a15c5e9dd8002263969a840c6c3521968f4ffd98bade7562e83b050cd385481a72d556e23043dad1f8af93c2b78abc2;
-  parameter [RADIX-1 : 0]    PRIME_mu    = 32'h00000001;
+  parameter [REG_SIZE-1   : 0] ZERO_CONST  = 384'h0;
+  parameter [REG_SIZE-1   : 0] ONE_CONST   = 384'h1;
+  parameter [REG_SIZE-1   : 0] E_a_MONT    = 384'hfffffffffffffffffffffffffffffffffffffffffffffffffffcfffffffcfffeffffffff0002fffffffd0000ffffffff;
+  parameter [REG_SIZE-1   : 0] E_b_MONT    = 384'hbff9b62b21f41f022094e3374bee94938ae277f2209b1920022fc431bf24a7a3443768608870d0391c816cb9114b604f;
+  parameter [REG_SIZE-1   : 0] E_3b_MONT   = 384'h3fed228165dc5d0661bea9a5e3cbbdbaa0a767d661d14b60068f4c953d6df6ebcca63923995270ab5584462933e220ef;
+  parameter [REG_SIZE-1   : 0] ONE_p_MONT  = 384'h100000000ffffffffffffffff00000001000000000000;
+  parameter [REG_SIZE-1   : 0] R2_p_MONT   = 384'h10000000200000000fffffffe000000000000000200000000fffffffe00000001000000000000000000000000;
+  parameter [REG_SIZE-1   : 0] G_X_MONT    = 384'h1513812ff723614ede2b6454868459a30eff879c3afc541b4d6e6e1e26a517af7bfa676e7565fc860766239cadc2299e;
+  parameter [REG_SIZE-1   : 0] G_Y_MONT    = 384'hc5e9dd8002263969a840c6c3521968f4ffd98bade7562e83b050cd3854820142556e7d193dad1f8af93bd163abc25a15;
+  parameter [MULT_RADIX-1 : 0] PRIME_mu    = 64'h100000001;
 
   // group order parameters in Montgomery domain
-  parameter [REG_SIZE-1 : 0] R2_q_MONT   = 384'h3fb05b7a28266895d40d49174aab1cc5bf030606de609f43be80721782118942bfd3ccc974971bd0d8d34124f50ddb2d;
-  parameter [REG_SIZE-1 : 0] ONE_q_MONT  = 384'h389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d00000000;
-  parameter [RADIX-1 : 0] GROUP_ORDER_mu = 32'he88fdc45;
+  parameter [REG_SIZE-1   : 0] R2_q_MONT      = 384'h28266895d40d49174aab1cc5bf030606de609f43cc9601f9ebbfed4b3ffe90bfead8c2590449c1c55daf7abd883e5e32;
+  parameter [REG_SIZE-1   : 0] ONE_q_MONT     = 384'h389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d000000000000;
+  parameter [MULT_RADIX-1 : 0] GROUP_ORDER_mu = 64'h6089e88fdc45;
 
 endpackage