Efficient Curve25519 implementation for ARM microcontrollers

Fujii, Haruhisa

doi:10.47749/t/unicamp.2018.1062516

Cited by 3 publications

(3 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fast X25519 on the Cortex-M4. Multiple earlier papers describe optimized implementations of X25519 on the Arm Cortex-M4 [FA19,FA18]. One of the fastest implementations is by Haase and Labrique [HL19]; which needs only 625 358 cycles for one scalar multiplication on an STM32F407 running at 16 MHz.…”

Section: The Arm Cortex-m4 Microcontrollermentioning

confidence: 99%

SoK: SCA-secure ECC in software – mission impossible?

Batina

Chmielewski

Haase

et al. 2022

TCHES

View full text Add to dashboard Cite

This paper describes an ECC implementation computing the X25519 keyexchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To our best knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.

show abstract

Section: The Arm Cortex-m4 Microcontrollermentioning

confidence: 99%

SoK: SCA-secure ECC in software – mission impossible?

Batina

Chmielewski

Haase

et al. 2022

TCHES

View full text Add to dashboard Cite

show abstract

“…However, the previous works avoided undisclosed data-dependent branches as well as secretly indexed the memory access to safeguard against timing attacks but could not fully counter side channel and horizontal attacks. [56] also implemented curve25519 targeted for ARM Cortex-M4 microcontroller using ECC based a digital signature (qDSA). [27] proposed mutual authentication scheme between a user, device and a gateway.…”

Section: ) Elliptic Curve Based Lightweight Cryptography In Resource ...mentioning

confidence: 99%

Types of Lightweight Cryptographies in Current Developments for Resource Constrained Machine Type Communication Devices: Challenges and Opportunities

et al. 2022

View full text Add to dashboard Cite

Machine-type communication devices have become a vital part of the autonomous industrial internet of things and industry 4.0. These autonomous resource-constrained devices share sensitive data, and are primarily acquired for automation and to operate consistently in remote environments under severe conditions. The requirements to secure the sensitive data shared between these devices consist of a resilient encryption technique with affordable operational costs. Consequently, devices, data, and networks are made secure by adopting a lightweight cryptosystem that should achieve robust security with sufficient computational and communication costs and counter modern security threats. This paper offers in-depth studies on different types and techniques of hardware and software-based lightweight cryptographies for machine-type communication devices in machine-to-machine communication networks.

show abstract

“…One function we added was fe25519 mul u32 asm, used for multiplication with small constants. It was based on Fujii's code [25,Listing 3.2], which was in turn based on [43].…”

Section: Arm Cortex M4mentioning

confidence: 99%

The Complete Cost of Cofactor $$h=1$$

Schwabe

Sprenkels

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves using the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different microarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex-M4. We use a 255-bit elliptic curve over F 2 255 −19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an understanding of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor.

show abstract

Efficient Curve25519 implementation for ARM microcontrollers

Cited by 3 publications

References 32 publications

SoK: SCA-secure ECC in software – mission impossible?

SoK: SCA-secure ECC in software – mission impossible?

Types of Lightweight Cryptographies in Current Developments for Resource Constrained Machine Type Communication Devices: Challenges and Opportunities

The Complete Cost of Cofactor $$h=1$$

Contact Info

Product

Resources

About