Lines Matching +full:stm32 +full:- +full:rng
11 Copyright (C) 2017-2023
20 * Jean-Pierre FLORI (<mailto:jpflori@gmail.com>)
30 in the [ISO 14888-3:2018](https://www.iso.org/standard/76382.html)
34 * Core ISO 14888-3:2018 algorithms: ECDSA, ECKCDSA, ECGDSA, ECRDSA, EC{,O}SDSA, ECFSDSA, SM2.
36 …* BIGN (as standardized in [STB 34.101.45-2013](https://github.com/bcrypto/bign)). We allow a more…
38 … "Schnorr" Bitcoin proposal, as specified in [bip-0340](https://github.com/bitcoin/bips/blob/maste…
39 …tandard as we allow any curve and any hash function (the standard mandates SECP256K1 with SHA-256).
42 …-CDH (Elliptic Curve Cryptography Cofactor Diffie-Hellman) as described in [section 5.7.1.2 of the…
45 …STR3410-2001-CryptoPro{A,B,C,XchA,XchB,Test}-ParamSet, GOSTR3410-2012-{256,512}-ParamSet{A,B,C}, G…
47 * **Hash functions**: SHA-2 and SHA-3 hash functions (224, 256, 384, 512), SM3, RIPEMD-160,
48 GOST 34.11-2012 as described in [RFC 6986](https://datatracker.ietf.org/doc/html/rfc6986)
49 (also known as [Streebog](https://tc26.ru/en/events/research-projects-competition/streebog-competit…
50 SHAKE256 in its restricted version with 114 bytes output (mainly for Ed448), BELT-HASH (as standard…
51 [STB 34.101.31-2011](https://github.com/bcrypto/belt)), and BASH-{224,256,384,512} (as standardized…
52 [STB 34.101.77-2020](http://apmi.bsu.by/assets/files/std/bash-spec24.pdf)).
55 ECDSA comes in two variants: the classical non-deterministic one, and the **deterministic** ECDSA
57 generates nonces using a HMAC-DRBG process, and is suitable for situations where there is
58 no RNG or where entropy sources are considered weak (please note that any leak on these nonces
62 attack context (i.e. which of side-channel attacks or fault attacks are easier to perform).
63 The same applies to BIGN that comes in two flavours as standardized in [STB 34.101.45-2013](https:/…
64 non-deterministic and deterministic (following an iterative generation process using the BELT hash …
67 all their variants (with context, pre-hashed).
70 …genies** as described in the [lwig-curve-representations](https://datatracker.ietf.org/doc/html/dr…
77 and keep the defense-in-depth (regarding software security and side-channels) focused on
81 [fault attacks](https://eprint.iacr.org/2017/1014.pdf) without having a non-deterministic
86 …FRG thread](https://mailarchive.ietf.org/arch/browse/cfrg/?gbt=1&index=5l3XCLHLCVfOmnkcv4mo2-pEV94)
87 for more insight on why deterministic versus non-deterministic EC signature schemes is still an ope…
91 **Batch verification** is implemented for the signature algorithms that support it - the signature …
93 This is the case for some "Schnorr" based schemes, namely ECFSDSA ("full Schnorr" from ISO14888-3),…
94 Batch verification (thanks to the Bos-Coster algorithm) brings speedups of between 2 and 6.5 t…
97 the batch verification makes heavy use of square root residues and the Tonelli-Shanks algorithm com…
99 batch verification comes at an increased memory cost: the Bos-Coster algorithm requires a scratchpa…
104 …tf.org/doc/html/rfc7091) and [draft-deremin-rfc4491-bis](https://datatracker.ietf.org/doc/html/dra…
106 This version of the algorithm **differs** from the ISO/IEC 14888-3 description and test vectors,
109 representation is used. This seems (to be confirmed) to be a discrepancy of ISO/IEC 14888-3 algorit…
117 **ECDH (Elliptic Curve Diffie-Hellman)** variants are also implemented in the
119 of ECC-CDH (Elliptic Curve Cryptography Cofactor Diffie-Hellman) as described
120 in [section 5.7.1.2 of the NIST SP 800-56A Rev. 3](https://csrc.nist.gov/publications/detail/sp/800…
132 * Pollard-Rho, Miller-Rabin and square residues over finite fields.
135 functions such as MD2, MD4, MD5, SHA-0, SHA-1, MDC-2, GOSTR34-11-94 and so on in order to be compli…
139 …* The DSA cryptosystem as defined in [FIPS 186-4](https://csrc.nist.gov/publications/detail/fips/1…
140 * The SDSA (Schnorr DSA) as defined in ISO14888-3
141 * The KCDSA (Korean DSA) as defined in ISO14888-3
142 * The GOSTR34-10-94 function as defined in [RFC4491](https://www.rfc-editor.org/rfc/rfc4491)
152 and DSA and other El-Gamal based algorithms): these primitives are only included as
156 time using the `-DUSER_NN_BIT_LEN=4096` toggle in the `CFLAGS` or `EXTRA_CFLAGS` as explained
157 in [the dedicated section](https://github.com/ANSSI-FR/libecc#modifying-the-big-numbers-size).
164 with no dynamic allocation and includes pre/post-asserts in the code.
174 and fit "common" platforms, see the [dedicated section](#constrained-devices)).
177 [section about portability](#compatibility-and-portability) for more information.
204 * **libsign.a**: this library is based on libec.a and contains all our ISO 14888-3 signature
207 * **ec\_self\_tests**: the self tests for signature/verification algorithm of ISO 14888-3
216 [+] ECDSA-SHA224/secp224r1 selftests: known test vectors sig/verif ok
217 [+] ECDSA-SHA256/secp256r1 selftests: known test vectors sig/verif ok
218 [+] ECDSA-SHA512/secp256r1 selftests: known test vectors sig/verif ok
227 [+] ECDSA-SHA224/FRP256V1 randtests: random import/export with sig(0)/verif(0) ok
228 [+] ECDSA-SHA224/SECP224R1 randtests: random import/export with sig(0)/verif(0) ok
237 [+] ECDSA-SHA224/FRP256V1 perf: 462 sign/s and 243 verif/s
238 [+] ECDSA-SHA224/SECP224R1 perf: 533 sign/s and 276 verif/s
249 - **ec\_utils**: a tool for signing and verifying user defined files, with a user
288 this mode). The rationale behind these commands is to ease the production/verification of self-cont…
302 …[Miller-Rabin](https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test) composition (or …
310 …the [Tonelli-Shanks](https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm) algorithm for…
320 …how to implement an [Elliptic Curve Diffie-Hellman](https://en.wikipedia.org/wiki/Elliptic_curve_D…
333 …n to libecc core algorithms, in [src/examples/hash](src/examples/hash) (MD2, MD4, MD5, MDC2, SHA-0,
334 SHA-1, and TDES for supporting MDC2). Please **be careful** when using them; it is advised to use t…
337 * Pre-ECC Signature schemes (based on Fp finite fields discrete logarithm) in [src/examples/sig](sr…
338 GOSTR34-10-94). Beware that for these signatures, you will have to expand the NN size to bigger val…
341 side-channel attack and so on).
377 $ meson setup -Dwith_wordsize=32 -Dwith_debug=true builddir && cd builddir && meson dist
409 ECFSDA using SHA3-256 on BrainpoolP256R1, this can be done by keeping only the
430 Please refer to the [portability guide](#libecc-portability-guide) for details on this.
443 5300 bits for 64-bit words, around 2650 bits for 32-bit words, and around 1300 bits for 16-bit word…
447 with `-DUSER_NN_BIT_LEN=` (see [the dedicated section](#overloading-makefile-variables) for more on…
491 $ python scripts/expand_libecc.py -h
499 **test vectors** for the new curve with the `--add-test-vectors` toggle.
505 $ openssl ecparam -param_enc explicit -outform DER -name brainpoolP320r1 -out brainpoolP320r1.der
508 This creates a DER file 'brainpoolP320r1.der' embedding the parameters (beware of the `-param_enc e…
511 …$ python scripts/expand_libecc.py --name="mynewcurve" --ECfile=brainpoolP320r1.der --add-test-vect…
533 [+] ECDSA-SHA224/USER_DEFINED_MYNEWCURVE randtests: random import/export with sig/verif ok
537 [+] ECDSA-SHA224/USER_DEFINED_MYNEWCURVE perf: 269 sign/s and 141 verif/s
556 $ python scripts/expand_libecc.py --remove --name mynewcurve
563 $ python scripts/expand_libecc.py --remove-all
570 libecc, there is no real use in generating them - the script is only here to serve as a showcase fo…
593 example of how to do this with SHA-224.
628 This means for instance that curves using pseudo-Mersenne primes (such as NIST's SECP curves) won't…
629 curves using generic random primes (such as Brainpool curves), though pseudo-Mersenne primes can be…
631 [here](https://tls.mbed.org/kb/cryptography/elliptic-curve-performance-nist-vs-brainpool) for furth…
635 [fixed-base comb](https://link.springer.com/chapter/10.1007/3-540-45537-X_21) precomputations.
649 * **Core i7-5500U** (Broadwell family) is a typical x86 mid-range current laptop CPU.
650 * **Xeon E3-1535M** (Skylake family) is a typical x86 high-end CPU.
651 * **Power-7** is a typical server CPU of the previous generation (2010) with
654 For all the platforms in this subsection, the CPUs have been tested in 64-bit mode.
657 | **libecc** | Core i7-5500U @ 2.40GHz | Xeon E3-1535M v5 @ 2.90GHz | Power-7 …
658 |-----------------|:----------------------------|:------------------------------|:-----------------…
659 | BP256R1 | 583 sign/s - 300 verif/s | 700 sign/s - 355 verif/s | 213 sign/s - 110 …
660 | BP384R1 | 231 sign/s - 118 verif/s | 283 sign/s - 150 verif/s | 98 sign/s - 50 v…
661 | BP512R1 | 111 sign/s - 56 verif/s | 133 sign/s - 68 verif/s | 51 sign/s - 26 v…
663 | **mbedTLS** | Core i7-5500U @ 2.40GHz | Xeon E3-1535M v5 @ 2.90GHz | Power-7 …
664 |-----------------|:----------------------------|:------------------------------|:-----------------…
665 | BP256R1 | 426 sign/s - 106 verif/s | 552 sign/s - 141 verif/s | 178 sign/s - 45 v…
666 | BP384R1 | 239 sign/s - 56 verif/s | 322 sign/s - 77 verif/s | 44 sign/s - 23 v…
667 | BP512R1 | 101 sign/s - 26 verif/s | 155 sign/s - 34 verif/s | 38 sign/s - 12 v…
669 | **OpenSSL** | Core i7-5500U @ 2.40GHz | Xeon E3-1535M v5 @ 2.90GHz | Power-7 …
670 |-----------------|:----------------------------|:------------------------------|:-----------------…
671 | BP256R1 | 2463 sign/s - 1757 verif/s | 2873 sign/s - 2551 verif/s | 1879 sign/s - 165…
672 | BP384R1 | 1091 sign/s - 966 verif/s | 1481 sign/s - 1265 verif/s | 792 sign/s - 70…
673 | BP512R1 | 727 sign/s - 643 verif/s | 1029 sign/s - 892 verif/s | 574 sign/s - 52…
678 This SoC is built around a Cortex-A9 ARMv7-A 32-bit architecture.
679 * **BCM2837** is a Broadcom SoC built around the recent 64-bit ARMv8-A architecture, with a
680 Cortex-A53 core. This SoC can be found in the Raspberry Pi 3, and also represents what can
683 coloration, it uses a 64-bit mode that we have tested here.
686 |-----------------|:----------------------|----------------------------|:-----------------------|
687 | BP256R1 | 64 sign/s - 33 verif/s| 43 sign/s - 22 verif/s | 68 sign/s - 35 verif/s |
688 | BP384R1 | 24 sign/s - 12 verif/s| 17 sign/s - 9 verif/s | 25 sign/s - 13 verif/s |
689 | BP512R1 | 11 sign/s - 5 verif/s | 8 sign/s - 4 verif/s | 12 sign/s - 6 verif/s |
691 | **mbedTLS** | Marvell A388 @ 1.6GHz | BCM2837 (aarch64) @ 1.2GHz | Atom D2700 @ 2.13GHz -|
692 |-----------------|:----------------------|----------------------------|:------------------------|
693 | BP256R1 | 33 sign/s - 8 verif/s | 14 sign/s - 4 verif/s | 87 sign/s - 22 verif/s|
694 | BP384R1 | 20 sign/s - 4 verif/s | 8 sign/s - 2 verif/s | 50 sign/s - 11 verif/s|
695 | BP512R1 | 10 sign/s - 2 verif/s | 4 sign/s - 1 verif/s | 23 sign/s - 5 verif/s |
698 |-----------------|:------------------------|----------------------------|:------------------------|
699 | BP256R1 | 369 sign/s - 332 verif/s| 124 sign/s - 112 verif/s | 372 sign/s - 334 verif/s|
700 | BP384R1 | 102 sign/s - 94 verif/s | 54 sign/s - 49 verif/s | 163 sign/s - 149 verif/s|
701 | BP512R1 | 87 sign/s - 81 verif/s | 31 sign/s - 29 verif/s | 92 sign/s - 83 verif/s |
704 ### <a name="constrained-devices"></a> Very constrained embedded devices
705 The library, when configured for a 256-bit curve (SECP256R1, FRP256), SHA-256 and ECDSA signature f…
707 chosen WORDSIZE (16, 32, 64), the compilation options (optimization for space `-Os` or speed `-O3`)…
709 A 521-bit curve with SHA-256 hash function and ECDSA signature should fit in 38 kilobytes of flash…
718 can have big limitations when accessing so called "program memory" as data. The 8-bit
721 and/or provide [non-standard ways](http://www.atmel.com/webdoc/avrlibcreferencemanual/pgmspace_1pgm…
728 …tware stack containing a known test vector scenario has been compiled and tested on a **Cortex-M0**
730 It has also been compiled and tested on a **Cortex-M3** ([STM32F103C8T6](http://www.st.com/en/micro…
734 **Note**: The Cortex-M0 case is a bit special in the ARM family. Since this MCU lacks a 32-bit x 32…
740 | **libecc** | STM32F103C8T6 (Cortex-M3 @ 72MHz) | STM32F030R8T6 (Cortex-M0 @ 48MHz) |
741 |-----------------|:----------------------------------|:----------------------------------|
748 Cortex-M3 taken from a [recent study by ARM](http://csrc.nist.gov/groups/ST/lwc-workshop2015/presen…
752 | **mbedTLS** | LPC1768 (Cortex-M3 @ 92MHz)<sup>1</sup> |
753 |-----------------|:------------------------------|
765 ## <a name="compatibility-and-portability"></a> Compatibility and Portability
774 * A target **OS** (Linux, Windows, Mac OS, ...) or more low level firmware (including a **bare-meta…
775 programming model or exotic real-time OS for microcontrollers for instance).
776 * A proper compilation **(cross-)toolchain** producing binaries for the platform. This toolchain wi…
781 * libecc is in pure C-99 (no assembly), so it should compile on **any platform** with a decent C-99
784 * The Makefile has been tested with clang and gcc under Linux, as well as gcc cross-compilation var…
787 * The library supports 16-bit/32-bit/64-bit word sizes, which should ensure compatibility with most…
788 for 8-bit MCUs to 64-bit CPUs. If the toolchain does not have a [`stdint.h`](http://pubs.opengroup.…
806 ### <a name="compiling-libecc-for-arm-cortex-m-with-GNU-gcc-arm"></a> Compiling libecc for ARM Cort…
808 Compiling for Cortex-M targets should be straightforward using the arm-gcc none-eabi (for bare meta…
809 well as the specific Cortex-M target platform SDK. In order to compile the core libsign.a static li…
812 $ CROSS_COMPILE=arm-none-eabi- CC=gcc CFLAGS="$(TARGET_OPTS) -W -Wextra -Wall -Wunreachable-code \
813 -pedantic -fno-builtin -std=c99 -Os \
814 -ffreestanding -fno-builtin -nostdlib -DWORDSIZE=64" \
818 …_OPTS)` are the flags specific to the considered target: `-mcpu=cortex-m3 -mthumb` for Cortex-M3 f…
819 flag should be adapted to `-DWORDSIZE=32` for the specific case of Cortex-M0/M0+ as discussed in th…
820 (because the native 32-bit to 64-bit multiplication instruction is missing). The library can the…
823 a firmware suitable for the target (ST for STM32, NXP for LPC, Atmel for SAM, ...).
825 …ncies have been implemented by the user, it is also possible to build a self-tests binary by addin…
828 $ CROSS_COMPILE=arm-none-eabi- CFLAGS="$(TARGET_OPTS) -W -Wextra -Wall -Wunreachable-code \
829 -pedantic -fno-builtin -std=c99 -Os \
830 -ffreestanding -fno-builtin -nostdlib -DWORDSIZE=64" \
831 LDFLAGS="-T linker_script.ld" \
836 (sometimes necessary, specifically on devices with very constrained RAM, such as Cortex-M0 with 8KB…
846 **NOTE3**: libecc has also been successfully tested with other non-GNU compilation SDK and toolchai…
849 ### <a name="libecc-portability-guide"></a> libecc portability guide
851 This section is dedicated to giving some more details on how to compile libecc when non-GNU compile…
853 do not provide a **GNU make** compilation style (this is generally the case for all-in-one IDEs suc…
856 #### 1 - Compilers and C99 standard compliance
879 #### 2 - Compiling with environments without GNU make
909 …src/hash/sha384.o src/hash/sha3-512.o src/hash/sha512.o src/hash/sha3-256.o src/hash/sha3-224.o sr…
910 …src/hash/sha3-384.o src/hash/sha224.o src/hash/hash_algs.o src/sig/ecsdsa.o src/sig/ecdsa.o src/si…
917 #### 3 - Dealing with the standard library and stdint
938 #### <a name="overloading-makefile-variables"></a> 4 - Overloading Makefile variables
952 …mpile libecc with an old version of gcc that does not support the `-fstack-protector-strong` option
957 …$ CFLAGS="-W -Werror -Wextra -Wall -Wunreachable-code -pedantic -fno-builtin -std=c99 -D_FORTIFY_S…
958 -fstack-protector-all -O3 -DWITH_STDLIB -fPIC" make
961 …we keep the other `CFLAGS` from default compilation while replacing `-fstack-protector-strong` with
962 the **less efficient but more compatible** `-fstack-protector-all`.
970 …ce_arch32` and `make force_arch64` will force 32-bit and 64-bit architectures compilation (`-m32` …
971 flags under gcc). These targets allow cross-compilation for a 32-bit (respectively 64-bit) target u…
972 32-bit) host: a typical example is compiling for i386 under x86\_64.
975 a: `CFLAGS="-fstack-protector-all" make debug16`
976 …ile all the binaries for debug, with a word size of 16 bits and a `-fstack-protector-all` stack pr…
979 #### 5 - A concrete example with SDCC
986 other compilers (`-c` flag to generate object files, `-o` flag to define output file).
1002 * Overload `CFLAGS="-mgbz80 --std-sdcc99"` to specify the target, and ask for the C99 compatibility…
1007 $ CC=sdcc AR=sdar RANLIB=sdranlib CFLAGS="-mgbz80 --std-sdcc99" LDFLAGS=" " make
1014 do it by overloading `WORDSIZE=16`: the Z80 is an 8-bit CPU, so it seems reasonable to fit the word
1015 size to 16-bit (8-bit half words). The second attempt will go further but will fail at some point w…
1018 $ CC=sdcc AR=sdar RANLIB=sdranlib CFLAGS="-mgbz80 --std-sdcc99 -DWORDSIZE=16" LDFLAGS=" " make
1039 $ sdcc -mgbz80 -DWORDSIZE=16 --std-sdcc99 src/tests/ec_self_tests.c build/libsign.lib
1052 …r base as described in the [previous sections](#compiling-libecc-for-arm-cortex-m-with-GNU-gcc-arm…
1081 …(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2018/rohnp-return-of-the-hidd…
1091 …ding is as simple as using the ``BLINDING=1`` environment variable (or the ``-DUSE_SIG_BLINDING`` C…
1114 * ADPA (Address-bit DPA) is limited using Itoh et al. Double and Add Always
1116 Address-Bit Differential Power Analysis" by Itoh, Izu and Takenaka for more information.
1128 might depend on the low-level compilation process and are difficult to handle
1129 at high-level in pure C.
1185 >Hash functions (SHA-2 and SHA-3 based algorithms
1252 +-------------------------+
1254 |algorithms | <------------------+
1255 |(ISO 14888-3) [6] | |
1256 +-----------+-------------+ |
1259 +-----------+-------------+ +----------+------------+
1263 +-----------+-------------+ +-----------------------+
1266 +-----------+-------------+ @ +------------------------+@
1268 | core (scalar mul, ...) | @ +------------------------+@
1269 +-----------+-------------+ @ | Sig Self tests [9] |@
1272 | @ +------------------------+@
1274 +-----------+-------------+ @ +------------------------+@
1276 | arithmetic | @ +------------------------+@
1277 +-----------+-------------+ @ | Scripts [14] |@
1278 ^ @ +------------------------+@
1280 +-----------+-------------+ +------------------------+
1281 | NN natural [2] | <------+ Machine related |
1283 +-------------------------+ +------------------------+
1290 with the [IPECC](https://github.com/ANSSI-FR/IPECC) hardware accelerator
1299 $ git checkout -b IPECC
1302 Then fetch the dedicated driver on the [IPECC repository](https://github.com/ANSSI-FR/IPECC)
1312 …$ make clean && CC=arm-linux-gnueabihf-gcc EXTRA_CFLAGS="-Wall -Wextra -O3 -g3 -mcpu=cortex-a9 -mf…
1318 We also override the `CC` compiler to `arm-linux-gnueabihf-gcc` for the Zynq platform (adapt at you…
1319 target), and add some necessary extra CFLAGS for the platform (as well as a `-static` binary compil…
1320 … is used here for thread safety during hardware access: this flag is necessary for multi-threading.
1322 …tested on a [Zynq Arty Z7](https://digilent.com/reference/programmable-logic/arty-z7/start) board …
1326 az7-ecc-axi:/home/petalinux# ./ec_self_tests_sw perf
1328 [+] ECDSA-SHA224/FRP256V1 perf: 6 sign/s and 6 verif/s
1329 [+] ECDSA-SHA224/SECP192R1 perf: 9 sign/s and 9 verif/s
1330 [+] ECDSA-SHA224/SECP224R1 perf: 7 sign/s and 7 verif/s
1331 [+] ECDSA-SHA224/SECP256R1 perf: 6 sign/s and 6 verif/s
1334 az7-ecc-axi:/home/petalinux# ./ec_self_tests_hw perf
1336 [+] ECDSA-SHA224/FRP256V1 perf: 34 sign/s and 32 verif/s
1337 [+] ECDSA-SHA224/SECP192R1 perf: 57 sign/s and 52 verif/s
1338 [+] ECDSA-SHA224/SECP224R1 perf: 44 sign/s and 39 verif/s
1339 [+] ECDSA-SHA224/SECP256R1 perf: 34 sign/s and 32 verif/s
1340 [+] ECDSA-SHA224/SECP384R1 perf: 16 sign/s and 15 verif/s
1341 [+] ECDSA-SHA224/SECP521R1 perf: 8 sign/s and 8 verif/s
1342 [+] ECDSA-SHA224/BRAINPOOLP192R1 perf: 57 sign/s and 52 verif/s
1343 [+] ECDSA-SHA224/BRAINPOOLP224R1 perf: 44 sign/s and 40 verif/s