[Cryptech Tech] EC benchmarks on the STM32

[Павел Шатов]

On 11.09.2015 10:16, Joachim Strömbergson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Aloha!
>
> FYI: I stumbled upon some interesting EC-benchmarks on different ARM MCU
> architectures (M0 -> M4). Some of them are basically the same as the one
> we are targeting on the Alpha board (albeit with lower clock freq).
>
> https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf
>
> There some weirdness in the preso. The performance from the same SW as
> measuered on the same architecture (but chips from different chips)
> differs closer to 2x with the difference in clock speed. But there are
> quite a lot of good stuff in the preso.

As far as I understand, since our primary use case is DNSSEC, curves 
P-256 and P-384 are the most interesting ones for us. I think, this 
presentation gives a good reference for expected performance: ~120 ms to 
sign for P-256 and ~200 ms to sign for P-384. Of course this will vary 
depending on actual implementation, but we at least know expected order 
of magnitude.

Speaking of why the same core from different vendors shows different 
performance, I think, it is due to different "perks" vendors invent to 
beat each other. For example, our particular STM32 has a proprietary 
feature from STMicroelectronics called "Aptive Real-Time Memory 
Accelerator (ART Accelerator™)", that is claimed to boost CPU core 
performance.

> And yes, Curve25519 is waay faster. The Donna implementation is what
> I've used on a Cortex-M0.

Btw, I wonder, how fast Rob's software implementation is on Novena's CPU.

--
With best regards,
Pavel Shatov