[Cryptech Tech] EC benchmarks on the STM32
Hannes Tschofenig
hannes.tschofenig at gmx.net
Fri Sep 11 14:52:06 UTC 2015
Hi Warren, Hi Joachim,

it would be great if someone could verify the performance data.

Regarding fault-injection attacks: the code I have used does not make
any attempts to prevent those types of attacks. It aims to prevent
remote timing side channel attacks though.

The typical approach for dealing with fault-injection attacks is to
replicate computations and verifications so that those faults get
detected. Needless to say, this increases code size.

Ciao
Hannes

On 09/11/2015 03:52 PM, Warren Kumari wrote:
>
>
> On Friday, September 11, 2015, Joachim Strömbergson <joachim at secworks.se> wrote:
>
> Aloha!
>
> FYI: I stumbled upon some interesting EC-benchmarks on different ARM MCU
> architectures (M0 -> M4). Some of them are basically the same as the one
> we are targeting on the Alpha board (albeit with lower clock freq).
>
> https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf
>
>
>
>> Huh, so I haven't thought this through fully, but if we have the same
>> performance in the CPU, perhaps it makes sense to do some of the
>> operations there *as well*, and compare the results? I'm thinking things
>> that don't touch secret keys, and we compare the outputs of the FPGA and
>> CPU, and this all sorts of alerts if they differ. This may help counter
>> fault injection attacks and help provide additional faith in our
>> implementation as well...
>
>> Or, the added complexity may make things much more fragile and this may
>> be a bad idea...
>> ?
>> W
>
>
> There is some weirdness in the preso. The performance from the same SW as
> measured on the same architecture (but chips from different chips)
> differs closer to 2x with the difference in clock speed. But there is
> quite a lot of good stuff in the preso.
>
> And yes, Curve25519 is waay faster. The Donna implementation is what
> I've used on a Cortex-M0.
> _______________________________________________
> Tech mailing list
> Tech at cryptech.is
> https://lists.cryptech.is/listinfo/tech
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
> ---maf
>
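
The countermeasure discussed in this thread (replicate the computation and compare the results before releasing anything), sketched as an added example that is not code from the thread or from the Cryptech project. It assumes modular exponentiation on small integers as a stand-in for the EC operation; `engine_a`, `engine_b`, `checked_pow` and the fault parameters are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the protected operation: g^e mod P on small integers.
 * P and all inputs below are constructed for this example. */
#define P 2147483647u /* 2^31 - 1, prime */

static uint32_t mulmod(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a * b) % P);
}

/* Engine A: left-to-right square-and-multiply. To simulate a glitch,
 * fault_mask is XORed into the accumulator after processing exponent bit
 * fault_bit (fault_bit = -1 means no fault). */
static uint32_t engine_a(uint32_t g, uint32_t e, int fault_bit, uint32_t fault_mask) {
    uint32_t r = 1;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r);
        if ((e >> i) & 1u) r = mulmod(r, g);
        if (i == fault_bit) r ^= fault_mask;
    }
    return r;
}

/* Engine B: independent right-to-left binary method, so a single fault
 * is unlikely to corrupt both results in the same way. */
static uint32_t engine_b(uint32_t g, uint32_t e) {
    uint32_t r = 1, base = g % P;
    for (; e; e >>= 1) {
        if (e & 1u) r = mulmod(r, base);
        base = mulmod(base, base);
    }
    return r;
}

/* Returns the result only if both engines agree; -1 signals a detected
 * fault, and the possibly corrupted value is never handed to the caller. */
static int64_t checked_pow(uint32_t g, uint32_t e, int fault_bit, uint32_t fault_mask) {
    uint32_t a = engine_a(g, e, fault_bit, fault_mask);
    uint32_t b = engine_b(g, e);
    return (a == b) ? (int64_t)a : -1;
}

int main(void) {
    printf("clean:   %lld\n", (long long)checked_pow(5, 65537, -1, 0));
    printf("faulted: %lld\n", (long long)checked_pow(5, 65537, 7, 1u << 3));
    return 0;
}
```

The second engine roughly doubles both the run time and the code for the protected operation, which is the code-size cost mentioned in the message.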