Authors: Didier Donsez, Aymeric Brochier, Olivier Alphand.
Status : Draft
c25519 is the default RIOT package used for verifying SUIT manifests for FUOTS (Firmware Update Over The Space), for signing and verifying XBeacons in the Thingsat cubesat mission.
This benchmarks suite measures the performance of various implementations of ECC algorithms for signing and verifying on various MCU boards.
For FlashRAM and RAM footprints, have a glance on the SUIT paper in tables 6 and 7.
| Name | Private Key Size | Public Key Size | Signature Size | Security Level |
|---|---|---|---|---|
| secp112r1 | 14 bytes | 28 bytes | 28 bytes | |
| secp128r1 | 16 bytes | 32 bytes | 32 bytes | |
| secp160r1 | 20 bytes | 40 bytes | 40 bytes | 80 bits |
| secp192r1 | 24 bytes | 48 bytes | 48 bytes | |
| secp224r1 | 28 bytes | 56 bytes | 56 bytes | 112 bits |
| secp256r1 | 32 bytes | 64 bytes | 64 bytes | 128 bits |
| secp256k1 | 32 bytes | 64 bytes | 64 bytes | 128 bits |
| ed25519 | 32 bytes | 64 bytes | 64 bytes | 128 bits |
See https://neuromancer.sk/std/
Security equivalence can be found in Kerry Maletsky, RSA vs. ECC Comparison for Embedded Systems, Microchip, https://ww1.microchip.com/downloads/en/DeviceDoc/00003442A.pdf
| Board | MCU | Frequency and DMIPS | RAM | FlashRAM | Support |
|---|---|---|---|---|---|
| Thingsat | STM32F405RG (Cortex M4) | 180 MHz, 210 DMIPS | 192 Kbytes | 1024 Kbytes + M24C01-FDW 1Mbit external EEPROM | RIOT, FreeRTOS, STM32CubeMX |
| Nucleo L432KC | STM32L432KC (Cortex M4) | 80 MHz, 100 DMIPS | 64 Kbytes | 256 Kbytes | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX |
| Nucleo F466RE | STM32F446RE (Cortex M4) | 180 MHz, 225 DMIPS | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX | ||
| Nucleo F103RB | STM32F103RB (Cortex M3) | 72 MHz, 90 DMIPS | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX | ||
| ST Nucleo F446RE | STM32F446RE (Cortex M4) | 180 MHz, 225 DMIPS | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX | ||
| Nucleo F103RB | STM32F103RB (Cortex M3) | 72 MHz, 90 DMIPS | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX | ||
| Nucleo L073RZ | STM32L073RZ (Cortex M0+) | 32 MHz, 30.4 DMIPS | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX | ||
| Nucleo L053R8 | STM32L053R8 (Cortex M0+) | 32 MHz, 30.4 DMIPS | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX | ||
| STM32F746NG Discovery | STM32F746NG (Cortex M7) | 160 MHz, 240 DMIPS | 340 Kbytes of RAM, 128-Mbit SDRAM (64 Mbits accessible) | 1 Mbyte of Flash memory, 128-Mbit Quad-SPI Flash memory | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX |
| ST B-U585I-IOT02A | STM32U585AI (Cortex M33) | 216 MHz, 462 DMIPS | 786 Kbytes of SRAM | 2 Mbytes of Flash memory, 512-Mbit Quad-SPI Flash memory, 64-Mbit Octo-SPI PSRAM, 256-Kbit I2C EEPROM | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX |
| IMST iM880b | STM32L151CB-A (Cortex M3) | 32 MHz, 1.25 DMIPS/MHz | 32 Kbytes of RAM | 256 Kbytes of Flash memory with ECC, 8 Kbytes of true EEPROM with ECC | RIOT |
| Wyres Base | STM32L151CC (Cortex M3) | 32 MHz, 1.25 DMIPS/MHz | 32 Kbytes of RAM | 256 Kbytes of Flash memory with ECC, 8 Kbytes of true EEPROM with ECC | RIOT |
| ESP32-WROOM-32U | ESP32 WROOM 32U (dual-core Xtensa® 32-bit LX6 MCU) | 40 MHz, 100 DMIPS | Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX | ||
| SparkFun RP2040 mikroBUS Development Board | RP2040 | Dual Cortex M0+ processors, up to 133 MHz | 264kB | 16MB QSPI Flash Memory supporting execute in place (XIP) + µSD Card Slot | Arduino, RIOT, MicroPython/C/C++ |
| STM32N6 | STM32N6 (Cortex-M55) | Neural-Art Accelerator™ |
- DMIPS for Dhrystone 2.1 on STM32 MCU
Implementations are available as packages in RIOT/pkg directory.
- c25519 on RIOT OS https://www.dlbeer.co.nz/oss/c25519.html
- micro-ecc (uECC_secp160r1) on RIOT OS : https://github.com/kmackay/micro-ecc/blob/master/test/test_ecdsa.c
- monocypher https://monocypher.org/manual
- qdsa https://www.cs.ru.nl/~jrenes
- wolfcrypt https://github.com/wolfSSL/wolfssl
Hash functions in RIOT : https://api.riot-os.org/group__sys__hashes__unkeyed.html
Highly-optimized ECC implementations for 8-bit AVR processors : WM-ECC, Nano-ECC, MIRACL, RELIC
- Signing and verifying time in micro-seconds per call
- Curve25519 makes use of a special x-coordinate only form to achieve faster multiplication. Ed25519 uses Edwards curve for similar speedups, but includes a sign bit
| Board | Algo | Implementation | Message size | Signing | Verifying |
|---|---|---|---|---|---|
| ST Nucleo F446RE | ED25519 | c25519 | 16 | 298718 | 692123 |
| ST Nucleo F446RE | ED25519 | c25519 | 32 | 298720 | 692124 |
| ST Nucleo F446RE | ED25519 | c25519 | 128 | 298968 | 692248 |
| ST Nucleo F446RE | ED25519 | c25519 | 1024 | 300692 | 693110 |
| ThingSat STM32F405RG | ED25519 | c25519 | 16 | 320036 | 741542 |
| ThingSat STM32F405RG | ED25519 | c25519 | 32 | 320038 | 741543 |
| ThingSat STM32F405RG | ED25519 | c25519 | 128 | 320303 | 741675 |
| ThingSat STM32F405RG | ED25519 | c25519 | 1024 | 322147 | 742596 |
| Nucleo F103RB | ED25519 | c25519 | 16 | 1284209 | 2935644 |
| Nucleo F103RB | ED25519 | c25519 | 32 | 1284219 | 2935649 |
| Nucleo F103RB | ED25519 | c25519 | 128 | 1284905 | 2935990 |
| Nucleo F103RB | ED25519 | c25519 | 1024 | 1289673 | 2938374 |
| ST B-U585I-IOT02A | ED25519 | c25519 | 16 | 376222 | 878826 |
| ST B-U585I-IOT02A | ED25519 | c25519 | 32 | 376224 | 878827 |
| ST B-U585I-IOT02A | ED25519 | c25519 | 128 | 376455 | 878942 |
| ST B-U585I-IOT02A | ED25519 | c25519 | 1024 | 378066 | 879747 |
| Wyres Base | ED25519 | c25519 | 16 | 2322980 | 5446012 |
| Wyres Base | ED25519 | c25519 | 32 | 2322997 | 5446020 |
| Wyres Base | ED25519 | c25519 | 128 | 2324425 | 5446730 |
| Board | Algo | Implementation | Message size | Signing | Verifying |
|---|---|---|---|---|---|
| ST Nucleo F446RE | Curve25519 | libhydrogen | 16 | 32108 | 53686 |
| ST Nucleo F446RE | Curve25519 | libhydrogen | 32 | 32124 | 53701 |
| ST Nucleo F446RE | Curve25519 | libhydrogen | 128 | 32219 | 53796 |
| ST Nucleo F446RE | Curve25519 | libhydrogen | 1024 | 33106 | 54683 |
| STM32F746NG Discovery | Curve25519 | libhydrogen | 16 | 67123 | 111692 |
| STM32F746NG Discovery | Curve25519 | libhydrogen | 32 | 67153 | 111723 |
| STM32F746NG Discovery | Curve25519 | libhydrogen | 128 | 67339 | 111909 |
| STM32F746NG Discovery | Curve25519 | libhydrogen | 1024 | 69069 | 113639 |
| ST B-U585I-IOT02A | Curve25519 | libhydrogen | 16 | 31451 | 52602 |
| ST B-U585I-IOT02A | Curve25519 | libhydrogen | 32 | 31466 | 52617 |
| ST B-U585I-IOT02A | Curve25519 | libhydrogen | 128 | 31557 | 52708 |
| ST B-U585I-IOT02A | Curve25519 | libhydrogen | 1024 | 32402 | 53553 |
| Wyres Base | Curve25519 | libhydrogen | 16 | 222623 | 373435 |
| Wyres Base | Curve25519 | libhydrogen | 32 | 222722 | 373531 |
| Wyres Base | Curve25519 | libhydrogen | 128 | 223303 | 374135 |
| Wyres Base | Curve25519 | libhydrogen | 1024 | 228785 | 379620 |
| Board | Algo | Implementation | Public Key Size | Signing | Verifying |
|---|---|---|---|---|---|
| ST Nucleo F446RE | secp160r1 | Micro ECC | 40 | 19008 | 20003 |
| ST Nucleo F446RE | secp192r1 | Micro ECC | 48 | 17795 | 19080 |
| ST Nucleo F446RE | secp224r1 | Micro ECC | 56 | 24773 | 26335 |
| ST Nucleo F446RE | secp256r1 | Micro ECC | 64 | 47170 | 52012 |
| ST Nucleo F446RE | secp256k1 | Micro ECC | 64 | 39790 | 40286 |
| ThingSat STM32F405RG | secp160r1 | Micro ECC | 40 | 20285 | 21362 |
| ThingSat STM32F405RG | secp192r1 | Micro ECC | 48 | 18979 | 20320 |
| ThingSat STM32F405RG | secp224r1 | Micro ECC | 56 | 26081 | 27787 |
| ThingSat STM32F405RG | secp256r1 | Micro ECC | 64 | 49310 | 54364 |
| ThingSat STM32F405RG | secp256k1 | Micro ECC | 64 | 41691 | 42105 |
| Nucleo F103RB | secp160r1 | Micro ECC | 40 | 67316 | 72010 |
| Nucleo F103RB | secp192r1 | Micro ECC | 48 | 63340 | 69155 |
| Nucleo F103RB | secp224r1 | Micro ECC | 56 | 85427 | 93501 |
| Nucleo F103RB | secp256r1 | Micro ECC | 64 | 150669 | 167259 |
| Nucleo F103RB | secp256k1 | Micro ECC | 64 | 146573 | 150771 |
For wyres-base board
mkdir -p ~/github/campusiot
git clone git@github.com:CampusIoT/RIOT-wyres.git ~/github/campusiot/RIOT-wyrescd riot/pkg_c25519
gmake BOARD=thingsat-up4 -j 16 flash term
gmake BOARD=nucleo-f446re -j 16 flash term
gmake BOARD=nucleo-f401re -j 16 flash term
gmake BOARD=nucleo-f411re -j 16 flash term
gmake BOARD=nucleo-f103rb -j 16 flash term
gmake BOARD=nucleo-l073rz -j 16 flash term
gmake BOARD=nucleo-l152re -j 16 flash term
gmake BOARD=nucleo-l476rg -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=lora-e5-dev -j 16 flash term
gmake BOARD=esp32-wroom-32 -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=wyres-base -j 16 flash term
gmake BOARD=im880b -j 16 flash term
gmake BOARD=b-u585i-iot02a -j 16 flash termcd riot/pkg_micro-ecc
gmake BOARD=thingsat-up4 -j 16 flash term
gmake BOARD=nucleo-f446re -j 16 flash term
gmake BOARD=nucleo-f401re -j 16 flash term
gmake BOARD=nucleo-f411re -j 16 flash term
gmake BOARD=nucleo-f103rb -j 16 flash term
gmake BOARD=nucleo-l073rz -j 16 flash term
gmake BOARD=nucleo-l152re -j 16 flash term
gmake BOARD=nucleo-l476rg -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=lora-e5-dev -j 16 flash term
gmake BOARD=esp32-wroom-32 -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=wyres-base -j 16 flash term
gmake BOARD=im880b -j 16 flash term
gmake BOARD=b-u585i-iot02a -j 16 flash termcd riot/pkg_libhydrogen
gmake BOARD=thingsat-up4 -j 16 flash term
gmake BOARD=nucleo-f446re -j 16 flash term
gmake BOARD=nucleo-f401re -j 16 flash term
gmake BOARD=nucleo-f411re -j 16 flash term
gmake BOARD=nucleo-f103rb -j 16 flash term
gmake BOARD=nucleo-l073rz -j 16 flash term
gmake BOARD=nucleo-l152re -j 16 flash term
gmake BOARD=nucleo-l476rg -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=lora-e5-dev -j 16 flash term
gmake BOARD=esp32-wroom-32 -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=wyres-base -j 16 flash term
gmake BOARD=im880b -j 16 flash term
gmake BOARD=b-u585i-iot02a -j 16 flash termTBD
TBD
- NIST Special Publication 800-57 Part 1 Revision 4 Recommendation for Key Management Part 1: General
- Kerry Maletsky, RSA vs. ECC Comparison for Embedded Systems, Microchip, https://ww1.microchip.com/downloads/en/DeviceDoc/00003442A.pdf
- G Neven, N. P. Smart and B.Warinschi, Hash function requirements for Schnorr signatures, Jour- nal of Mathematical Cryptology, vol .3, issue 1, pp. 69-87, 2009.
- Thommas Pornin, Truncated EdDSA/ECDSA Signatures, https://eprint.iacr.org/2022/938.pdf
- Embench™: An Evolving Benchmark Suite for Embedded IoT Computers from an Academic-Industrial Cooperative: Towards the Long Overdue and Deserved Demise of Dhrystone : source code
- Add Lib Hydrogen in benchmark
- Add liblithium in benchmark
- Add monocypher in benchmark
- Investigate why f4 faster than f7 ! f7-is-slower-than-my-f4 perf
- PSA Crypto package