Re: Not sure how "open sorce" the hardware is.
"Anything that ships out of the US above the VHDL level must be viewed as suspect."
I'm not clear on exactly what you are getting at here.
First, this is an Australian project. If you are referring to the sourcing of components themselves; it is possible they are designed in the U.S., yes, but most physical components ship from countries like China. Even for non-U.S. chip designers; who's to say the hardware hasn't been compromised at the manufacturing level? It's no secret that China is deeply into espionage, and that the government there has very close ties with corporations. And how can you say that any other country's government is not doing the same thing as the NSA, but just hasn't been outed? Perhaps other countries are simply better at keeping quiet than the US.
As for using open-source cores at the VHDL/Verilog level; if the secret to cracking encryption might involve something like making random numbers a little less random, who's to say that someone messing with the VHDL code might not introduce a subtle "bug"? Or that your FPGA manufacturer isn't going to inject something? I doubt there is a huge population of non-government VHDL experts (who are also encryption experts) with the time to pour over the code for open-source cores. Even if there were, a "bug" could still be subtle enough to elude even the most observant.
And when do we know for sure that a self-professed "good guy" is really on your side? Where do you think the most intelligent folks in the world are working?
In reality, complete computer security is *always* going to be an illusion, regardless of how "safe" you think you are. Security is all about probability. In the world economy, you've got to trust someone, somewhere. If not, you may as well go back to using smoke signals.