[aes] Correct some comments regarding the masking PRNG implementation

Signed-off-by: Pirmin Vogel <[email protected]>

hw/ip/aes/data/aes.hjson

@@ -137,7 +137,7 @@
     { name:    "RndCnstMaskingLfsrPerm",
       type:    "aes_pkg::masking_lfsr_perm_t",
       desc:    '''
-        Permutation applied to the concatenated LFSRs of the PRNG used for masking.
+        Permutation applied to the output of the PRNG used for masking.
       '''
       randcount: "160",
       randtype:  "perm"

hw/ip/aes/rtl/aes_cipher_core.sv

@@ -345,12 +345,11 @@ module aes_cipher_core import aes_pkg::*;
   // The masking PRNG is used for generating both the PRD for the S-Boxes/SubBytes operation as
   // well as for the input data masks. When using any of the masked Canright S-Box implementations,
   // it is important that the SubBytes input masks (generated by the PRNG in Round X-1) and the
-  // SubBytes output masks (generated by the PRNG in Round X) are independent. Inside the PRNG,
-  // this is achieved by using multiple, separately re-seeded LFSR chunks and by selecting the
-  // separate LFSR chunks in alternating fashion. Since the input data masks become the SubBytes
-  // input masks in the first round, we select the same 8 bit lanes for the input data masks which
-  // are also used to form the SubBytes output mask for the masked Canright S-Box implementations,
-  // i.e., the 8 LSBs of the per S-Box PRD. In particular, we have:
+  // SubBytes output masks (generated by the PRNG in Round X) are independent. This can be achieved
+  // by using e.g. an unrolled Bivium stream cipher primitive inside the PRNG. Since the input data
+  // masks become the SubBytes input masks in the first round, we select the same 8 bit lanes for
+  // the input data masks which are also used to form the SubBytes output mask for the masked
+  // Canright S-Box implementations, i.e., the 8 LSBs of the per S-Box PRD. In particular, we have:
   //
   // prd_masking = { prd_key_expand, ... , sb_prd[4], sb_out_mask[4], sb_prd[0], sb_out_mask[0] }
   //
@@ -360,14 +359,14 @@ module aes_cipher_core import aes_pkg::*;
   //
   // When using a masked S-Box implementation other than Canright, we still select the 8 LSBs of
   // the per-S-Box PRD to form the input data mask of the corresponding byte. We do this to
-  // distribute the input data masks over all LFSR chunks of the masking PRNG. We do the extraction
-  // on a row basis.
+  // distribute the input data masks over all output bits the masking PRNG. We do the extraction on
+  // a row basis.
   localparam int unsigned WidthPRDRow = 4*WidthPRDSBox;
   for (genvar i = 0; i < 4; i++) begin : gen_in_mask
     assign data_in_mask[i] = aes_prd_get_lsbs(prd_masking[i * WidthPRDRow +: WidthPRDRow]);
   end
 
-  // Rotate the data input masks by two LFSR chunks to ensure the data input masks are independent
+  // Rotate the data input masks by 64 bits to ensure the data input masks are independent
   // from the PRD fed to the S-Boxes/SubBytes operation.
   assign data_in_mask_o = {data_in_mask[1], data_in_mask[0], data_in_mask[3], data_in_mask[2]};
 

hw/ip/aes/rtl/aes_pkg.sv

@@ -554,12 +554,11 @@ endfunction
 // The masking PRNG is used for generating both the PRD for the S-Boxes/SubBytes operation as
 // well as for the input data masks. When using any of the masked Canright S-Box implementations,
 // it is important that the SubBytes input masks (generated by the PRNG in Round X-1) and the
-// SubBytes output masks (generated by the PRNG in Round X) are independent. Inside the PRNG,
-// this is achieved by using multiple, separately re-seeded LFSR chunks and by selecting the
-// separate LFSR chunks in alternating fashion. Since the input data masks become the SubBytes
-// input masks in the first round, we select the same 8 bit lanes for the input data masks which
-// are also used to form the SubBytes output mask for the masked Canright S-Box implementations,
-// i.e., the 8 LSBs of the per S-Box PRD. In particular, we have:
+// SubBytes output masks (generated by the PRNG in Round X) are independent. This can be achieved
+// by using e.g. an unrolled Bivium stream cipher primitive inside the PRNG. Since the input data
+// masks become the SubBytes input masks in the first round, we select the same 8 bit lanes for the
+// input data masks which are also used to form the SubBytes output mask for the masked Canright
+// S-Box implementations, i.e., the 8 LSBs of the per S-Box PRD. In particular, we have:
 //
 // prng_output = { prd_key_expand, ... , sb_prd[4], sb_out_mask[4], sb_prd[0], sb_out_mask[0] }
 //
@@ -569,7 +568,7 @@ endfunction
 //
 // When using a masked S-Box implementation other than Canright, we still select the 8 LSBs of
 // the per-S-Box PRD to form the input data mask of the corresponding byte. We do this to
-// distribute the input data masks over all LFSR chunks of the masking PRNG.
+// distribute the input data masks over all output bits the masking PRNG.
 
 // For one row of the state matrix, extract the 8 LSBs of the per-S-Box PRD from the PRNG output.
 // These bits are used as:

hw/top_earlgrey/data/autogen/top_earlgrey.gen.hjson

@@ -5702,7 +5702,7 @@
         }
         {
           name: RndCnstMaskingLfsrPerm
-          desc: Permutation applied to the concatenated LFSRs of the PRNG used for masking.
+          desc: Permutation applied to the output of the PRNG used for masking.
           type: aes_pkg::masking_lfsr_perm_t
           randcount: 160
           randtype: perm

hw/top_earlgrey/rtl/autogen/top_earlgrey_rnd_cnst_pkg.sv

@@ -158,7 +158,7 @@ package top_earlgrey_rnd_cnst_pkg;
     256'hCCE64CEA_FD282C0E_33FD2C07_986C2A51_1755F072_EE7A8E2F_C45E111D_F07FA067
   };
 
-  // Permutation applied to the concatenated LFSRs of the PRNG used for masking.
+  // Permutation applied to the output of the PRNG used for masking.
   parameter aes_pkg::masking_lfsr_perm_t RndCnstAesMaskingLfsrPerm = {
     256'h5227992E_22693A16_3F8B5D8D_58914A1E_3283106A_866C4C2D_760E4978_31847C29,
     256'h67377924_0A710D95_81424147_06663948_8702639F_7A144F17_8009209D_0834447B,