Elliptic Curve Cryptography (ECC) benchmarks for MCU

Authors: Didier Donsez, Aymeric Brochier, Olivier Alphand.

Status : Draft

Motivations

c25519 is the default RIOT package used for verifying SUIT manifests for FUOTS (Firmware Update Over The Space), for signing and verifying XBeacons in the Thingsat cubesat mission.

This benchmarks suite measures the performance of various implementations of ECC algorithms for signing and verifying on various MCU boards.

For FlashRAM and RAM footprints, have a glance on the SUIT paper in tables 6 and 7.

Usual ECC algorithms

Name	Private Key Size	Public Key Size	Signature Size	Security Level
secp112r1	14 bytes	28 bytes	28 bytes
secp128r1	16 bytes	32 bytes	32 bytes
secp160r1	20 bytes	40 bytes	40 bytes	80 bits
secp192r1	24 bytes	48 bytes	48 bytes
secp224r1	28 bytes	56 bytes	56 bytes	112 bits
secp256r1	32 bytes	64 bytes	64 bytes	128 bits
secp256k1	32 bytes	64 bytes	64 bytes	128 bits
ed25519	32 bytes	64 bytes	64 bytes	128 bits

See https://neuromancer.sk/std/

Security equivalence can be found in Kerry Maletsky, RSA vs. ECC Comparison for Embedded Systems, Microchip, https://ww1.microchip.com/downloads/en/DeviceDoc/00003442A.pdf

Common hash functions

Boards

Board	MCU	Frequency and DMIPS	RAM	FlashRAM	Support
Thingsat	STM32F405RG (Cortex M4)	180 MHz, 210 DMIPS	192 Kbytes	1024 Kbytes + M24C01-FDW 1Mbit external EEPROM	RIOT, FreeRTOS, STM32CubeMX
Nucleo L432KC	STM32L432KC (Cortex M4)	80 MHz, 100 DMIPS	64 Kbytes	256 Kbytes	Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
Nucleo F466RE	STM32F446RE (Cortex M4)	180 MHz, 225 DMIPS			Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
Nucleo F103RB	STM32F103RB (Cortex M3)	72 MHz, 90 DMIPS			Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
ST Nucleo F446RE	STM32F446RE (Cortex M4)	180 MHz, 225 DMIPS			Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
Nucleo F103RB	STM32F103RB (Cortex M3)	72 MHz, 90 DMIPS			Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
Nucleo L073RZ	STM32L073RZ (Cortex M0+)	32 MHz, 30.4 DMIPS			Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
Nucleo L053R8	STM32L053R8 (Cortex M0+)	32 MHz, 30.4 DMIPS			Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
STM32F746NG Discovery	STM32F746NG (Cortex M7)	160 MHz, 240 DMIPS	340 Kbytes of RAM, 128-Mbit SDRAM (64 Mbits accessible)	1 Mbyte of Flash memory, 128-Mbit Quad-SPI Flash memory	Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
ST B-U585I-IOT02A	STM32U585AI (Cortex M33)	216 MHz, 462 DMIPS	786 Kbytes of SRAM	2 Mbytes of Flash memory, 512-Mbit Quad-SPI Flash memory, 64-Mbit Octo-SPI PSRAM, 256-Kbit I2C EEPROM	Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
IMST iM880b	STM32L151CB-A (Cortex M3)	32 MHz, 1.25 DMIPS/MHz	32 Kbytes of RAM	256 Kbytes of Flash memory with ECC, 8 Kbytes of true EEPROM with ECC	RIOT
Wyres Base	STM32L151CC (Cortex M3)	32 MHz, 1.25 DMIPS/MHz	32 Kbytes of RAM	256 Kbytes of Flash memory with ECC, 8 Kbytes of true EEPROM with ECC	RIOT
ESP32-WROOM-32U	ESP32 WROOM 32U (dual-core Xtensa® 32-bit LX6 MCU)	40 MHz, 100 DMIPS			Arduino, RIOT, MBed, FreeRTOS, STM32CubeMX
SparkFun RP2040 mikroBUS Development Board	RP2040	Dual Cortex M0+ processors, up to 133 MHz	264kB	16MB QSPI Flash Memory supporting execute in place (XIP) + µSD Card Slot	Arduino, RIOT, MicroPython/C/C++
STM32N6	STM32N6 (Cortex-M55)	Neural-Art Accelerator™

DMIPS for Dhrystone 2.1 on STM32 MCU

Supported by MBed

Available implementations

Implementations available in RIOT OS

Implementations are available as packages in RIOT/pkg directory.

c25519 on RIOT OS https://www.dlbeer.co.nz/oss/c25519.html
micro-ecc (uECC_secp160r1) on RIOT OS : https://github.com/kmackay/micro-ecc/blob/master/test/test_ecdsa.c
monocypher https://monocypher.org/manual
qdsa https://www.cs.ru.nl/~jrenes
wolfcrypt https://github.com/wolfSSL/wolfssl

Hash functions in RIOT : https://api.riot-os.org/group__sys__hashes__unkeyed.html

MBed

Arduino

Highly-optimized ECC implementations for 8-bit AVR processors : WM-ECC, Nano-ECC, MIRACL, RELIC

Results

Signing and verifying time in micro-seconds per call
Curve25519 makes use of a special x-coordinate only form to achieve faster multiplication. Ed25519 uses Edwards curve for similar speedups, but includes a sign bit

`c25519`

Board	Algo	Implementation	Message size	Signing	Verifying
ST Nucleo F446RE	ED25519	c25519	16	298718	692123
ST Nucleo F446RE	ED25519	c25519	32	298720	692124
ST Nucleo F446RE	ED25519	c25519	128	298968	692248
ST Nucleo F446RE	ED25519	c25519	1024	300692	693110

ThingSat STM32F405RG	ED25519	c25519	16	320036	741542
ThingSat STM32F405RG	ED25519	c25519	32	320038	741543
ThingSat STM32F405RG	ED25519	c25519	128	320303	741675
ThingSat STM32F405RG	ED25519	c25519	1024	322147	742596

Nucleo F103RB	ED25519	c25519	16	1284209	2935644
Nucleo F103RB	ED25519	c25519	32	1284219	2935649
Nucleo F103RB	ED25519	c25519	128	1284905	2935990
Nucleo F103RB	ED25519	c25519	1024	1289673	2938374

ST B-U585I-IOT02A	ED25519	c25519	16	376222	878826
ST B-U585I-IOT02A	ED25519	c25519	32	376224	878827
ST B-U585I-IOT02A	ED25519	c25519	128	376455	878942
ST B-U585I-IOT02A	ED25519	c25519	1024	378066	879747

Wyres Base	ED25519	c25519	16	2322980	5446012
Wyres Base	ED25519	c25519	32	2322997	5446020
Wyres Base	ED25519	c25519	128	2324425	5446730

`libhydrogen`

Board	Algo	Implementation	Message size	Signing	Verifying
ST Nucleo F446RE	Curve25519	libhydrogen	16	32108	53686
ST Nucleo F446RE	Curve25519	libhydrogen	32	32124	53701
ST Nucleo F446RE	Curve25519	libhydrogen	128	32219	53796
ST Nucleo F446RE	Curve25519	libhydrogen	1024	33106	54683

STM32F746NG Discovery	Curve25519	libhydrogen	16	67123	111692
STM32F746NG Discovery	Curve25519	libhydrogen	32	67153	111723
STM32F746NG Discovery	Curve25519	libhydrogen	128	67339	111909
STM32F746NG Discovery	Curve25519	libhydrogen	1024	69069	113639

ST B-U585I-IOT02A	Curve25519	libhydrogen	16	31451	52602
ST B-U585I-IOT02A	Curve25519	libhydrogen	32	31466	52617
ST B-U585I-IOT02A	Curve25519	libhydrogen	128	31557	52708
ST B-U585I-IOT02A	Curve25519	libhydrogen	1024	32402	53553

Wyres Base	Curve25519	libhydrogen	16	222623	373435
Wyres Base	Curve25519	libhydrogen	32	222722	373531
Wyres Base	Curve25519	libhydrogen	128	223303	374135
Wyres Base	Curve25519	libhydrogen	1024	228785	379620

`micro-ecc`

Board	Algo	Implementation	Public Key Size	Signing	Verifying
ST Nucleo F446RE	secp160r1	Micro ECC	40	19008	20003
ST Nucleo F446RE	secp192r1	Micro ECC	48	17795	19080
ST Nucleo F446RE	secp224r1	Micro ECC	56	24773	26335
ST Nucleo F446RE	secp256r1	Micro ECC	64	47170	52012
ST Nucleo F446RE	secp256k1	Micro ECC	64	39790	40286

ThingSat STM32F405RG	secp160r1	Micro ECC	40	20285	21362
ThingSat STM32F405RG	secp192r1	Micro ECC	48	18979	20320
ThingSat STM32F405RG	secp224r1	Micro ECC	56	26081	27787
ThingSat STM32F405RG	secp256r1	Micro ECC	64	49310	54364
ThingSat STM32F405RG	secp256k1	Micro ECC	64	41691	42105

Nucleo F103RB	secp160r1	Micro ECC	40	67316	72010
Nucleo F103RB	secp192r1	Micro ECC	48	63340	69155
Nucleo F103RB	secp224r1	Micro ECC	56	85427	93501
Nucleo F103RB	secp256r1	Micro ECC	64	150669	167259
Nucleo F103RB	secp256k1	Micro ECC	64	146573	150771

Running the benchmarks suite

On RIOT

For wyres-base board

mkdir -p ~/github/campusiot
git clone git@github.com:CampusIoT/RIOT-wyres.git ~/github/campusiot/RIOT-wyres

cd riot/pkg_c25519
gmake BOARD=thingsat-up4 -j 16 flash term
gmake BOARD=nucleo-f446re -j 16 flash term
gmake BOARD=nucleo-f401re -j 16 flash term
gmake BOARD=nucleo-f411re -j 16 flash term
gmake BOARD=nucleo-f103rb -j 16 flash term
gmake BOARD=nucleo-l073rz -j 16 flash term
gmake BOARD=nucleo-l152re -j 16 flash term
gmake BOARD=nucleo-l476rg -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=lora-e5-dev -j 16 flash term
gmake BOARD=esp32-wroom-32 -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=wyres-base -j 16 flash term
gmake BOARD=im880b -j 16 flash term
gmake BOARD=b-u585i-iot02a -j 16 flash term

cd riot/pkg_micro-ecc
gmake BOARD=thingsat-up4 -j 16 flash term
gmake BOARD=nucleo-f446re -j 16 flash term
gmake BOARD=nucleo-f401re -j 16 flash term
gmake BOARD=nucleo-f411re -j 16 flash term
gmake BOARD=nucleo-f103rb -j 16 flash term
gmake BOARD=nucleo-l073rz -j 16 flash term
gmake BOARD=nucleo-l152re -j 16 flash term
gmake BOARD=nucleo-l476rg -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=lora-e5-dev -j 16 flash term
gmake BOARD=esp32-wroom-32 -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=wyres-base -j 16 flash term
gmake BOARD=im880b -j 16 flash term
gmake BOARD=b-u585i-iot02a -j 16 flash term

cd riot/pkg_libhydrogen
gmake BOARD=thingsat-up4 -j 16 flash term
gmake BOARD=nucleo-f446re -j 16 flash term
gmake BOARD=nucleo-f401re -j 16 flash term
gmake BOARD=nucleo-f411re -j 16 flash term
gmake BOARD=nucleo-f103rb -j 16 flash term
gmake BOARD=nucleo-l073rz -j 16 flash term
gmake BOARD=nucleo-l152re -j 16 flash term
gmake BOARD=nucleo-l476rg -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=lora-e5-dev -j 16 flash term
gmake BOARD=esp32-wroom-32 -j 16 flash term
gmake BOARD=stm32f746g-disco -j 16 flash term
gmake BOARD=wyres-base -j 16 flash term
gmake BOARD=im880b -j 16 flash term
gmake BOARD=b-u585i-iot02a -j 16 flash term

On MBed

TBD

On Arduino

TBD

Annexes

NIST Special Publication 800-57 Part 1 Revision 4 Recommendation for Key Management Part 1: General
Kerry Maletsky, RSA vs. ECC Comparison for Embedded Systems, Microchip, https://ww1.microchip.com/downloads/en/DeviceDoc/00003442A.pdf
G Neven, N. P. Smart and B.Warinschi, Hash function requirements for Schnorr signatures, Jour- nal of Mathematical Cryptology, vol .3, issue 1, pp. 69-87, 2009.
Thommas Pornin, Truncated EdDSA/ECDSA Signatures, https://eprint.iacr.org/2022/938.pdf
Embench™: An Evolving Benchmark Suite for Embedded IoT Computers from an Academic-Industrial Cooperative: Towards the Long Overdue and Deserved Demise of Dhrystone : source code

TODO

Add Lib Hydrogen in benchmark
Add liblithium in benchmark
Add monocypher in benchmark
Investigate why f4 faster than f7 ! f7-is-slower-than-my-f4 perf

thingsat / ecc_mcu_benchmarks