SEGGER - Jobs
emWin upgrade     Trade-In program     Web shop

 

Protects sensitive privacy data
A must-have on the internet

emCrypt for secure applications

emCrypt provides the building blocks for today's secure protocols. Security has never been so important with the explosion of devices that are now connected to the Internet. emCrypt has proven itself within SEGGER and is the foundation that emSSL, emSSH and emSecure-RSA, emSecure-ECDSA are built upon.

Features

  • Supports modern cryptography standards
  • NIST-validated implementations of many algorithms

  • Secure, fast, and cleanly-written code

  • Extensive 2,000 page manual covering all API features and functions

  • Decoupled implementation links only what you need

  • Public key cryptography (RSA, DSA, ECDSA, EdDSA)

  • Fast, tunable ciphers, hash algorithms, and message authentication codes (MACs)

  • Key derivation, key wrapping, key encapsulation

  • Random bit generation, cryptographically secure pseudo-random numbers

 

Notification Subscribe to emCrypt software notifications
Documentation download

 


Why should I use emCrypt?

  • emCrypt offers a wide range of cryptographic capabilities that are the basis of many security protocols.

  • emCrypt can be configured for minimal memory footprint for constrained devices but can also scale to faster performance on systems that have more resources.

  • emCrypt is a high-quality product designed to be used easily but without limitations.

  • emCrypt is not covered by an open-source or required-attribution license and can be integrated in any free, commercial, or proprietary product without the obligation to disclose the combined source.

  • emCrypt is provided as source code and offers transparency for all included modules, allowing inspection by auditors.

  • emCrypt is portable. The complete software is written in ANSI C and is compiler and target independent. It can be implemented in PC applications and in embedded designs.

  • emCrypt is configurable. It is created for high performance and a low memory footprint. The library can be configured for size or speed. Unused features can be excluded, additional features can easily be added.

  • emCrypt supports pluggable cryptographic algorithms and hardware acceleration. Hardware acceleration for popular microcontrollers is available as an option.


The emCrypt Package

emCrypt is a complete package and comes with everything needed to secure communication.

It includes all modules which implement the required functionality to use SSH. They are provided in source code, to allow complete control of the code that is used in the product and create transparency to avoid worries about possible back doors or weakness in code, which cannot be checked in precompiled libraries.

emCrypt comes with a simple, yet powerful API to make using emCrypt in your product as simple as possible.

It also includes sample applications in source form which demonstrate how to use the emCrypt API.


Supported Capabilities

Ciphers for bulk encryption

The following ciphers are supported by emCrypt, with optional hardware acceleration:

  • AES-128, AES-192, AES-256

  • DES and TripleDES (also known as 3DES or TDES) with all keying options

  • CAST

  • ARIA

  • SEED

  • Camellia

  • Twofish

  • Blowfish

All cipher algorithms support ECB, CBC, OFB, and CTR modes take advantage of the underlying cipher accelerator when available. In addition, 128-bit ciphers, such as AES, support CCM and GCM authenticated encryption modes with optional hardware acceleration.

 

Hash algorithms

Hash algorithms are also known as message digest algorithms or compression functions: they provide a means to produce a digital fingerprint of some data, such as a document, and make it infeasible to produce another document with an identical fingerprint.

  • MD5, RIPEMD-160, SHA-1

  • SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256

  • SHA3-224, SHA3-256, SHA3-384, SHA3-512

All hash algorithms take advantage of the underlying hash accelerator when available.

 

MAC algorithms

Message authentication codes (MACs) guard against transmission errors and malicious data tampering.

  • CMAC-AES, CMAC-TDES, CMAC-SEED, CMAC-ARIA, CMAC-Camellia, CMAC-Twofish

  • GMAC-AES, GMAC-SEED, GMAC-ARIA, GMAC-Camellia, GMAC-Twofish

  • HMAC-MD5, HMAC-RIPEMD-160, HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA-512/224, HMAC-SHA-512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512

  • KMAC

All MAC algorithms take advantage of the underlying cipher or hash accelerator when available.

 

Key derivation

Key derivation functions calculate symmetric keys to use from an agreed secret.

  • KDF1-SHA-1, KDF1-SHA-224, KDF1-SHA-255, KDF1-SHA-384, KDF1-SHA-512, KDF1-SHA-512/224, KDF1-SHA-512/256

  • KDF2-SHA-1, KDF2-SHA-224, KDF2-SHA-255, KDF2-SHA-384, KDF2-SHA-512, KDF2-SHA-512/224, KDF2-SHA-512/256

  • X9.63-KDF-SHA-1, X9.63-KDF-SHA-224, X9.63-KDF-SHA-256, X9.63-KDF-SHA-384, X9.63-KDF-SHA-512, X9.63-KDF-SHA-512/224, X9.63-KDF-SHA-512/256

  • HKDF-MD5, HKDF-RIPEMD-160, HKDF-SHA-1, HKDF-SHA-224, HKDF-SHA-255, HKDF-SHA-384, HKDF-SHA-512, HKDF-SHA-512/224, HKDF-SHA-512/256

  • PBKDF2-SHA-1, PBKDF2-SHA-224, PBKDF2-SHA-256, PBKDF2-SHA-384, PBKDF2-SHA-512, PBKDF2-SHA-512/224, PBKDF2-SHA-512/256

All key derivation algorithms take advantage of the underlying hash accelerator when available.

 

Random bit generators 

High-quality random data is essential for many crytpographic protocols and algorithms. emCrypt supports NIST random bit generators and the Fortuna cryptographically secure random number generator.

  • Fortuna

  • Hash-DRBG-SHA-1, Hash-DRBG-SHA-224, Hash-DRBG-SHA-256, Hash-DRBG-SHA-384, Hash-DRBG-SHA-512, Hash-DRBG-SHA-512/224, Hash-DRBG-SHA-512/256

  • HMAC-DRBG-SHA-1, HMAC-DRBG-SHA-224, HMAC-DRBG-SHA-256, HMAC-DRBG-SHA-384, HMAC-DRBG-SHA-512, HMAC-DRBG-SHA-512/224, HMAC-DRBG-SHA-512/256

  • CTR-DRBG-TDES, CTR-DRBG-AES-128, CTR-DRBG-AES-192, CTR-DRBG-AES-256

All DRBG algorithms take advantage of the underlying cipher or hash accelerator when available.

 

Digital signatures

Digital signatures provide an assurance that a document, or a collection of data, is authentic and unmodified.

  • RSASSA-PSS with approved and configurable hash algorithms

  • RSASSA-PKCS1 with approved and configurable hash algorithms

  • ECDSA using all NIST prime curves and Brainpool curves and with approved and configurable hash algorithms

  • Ed25519

 


Benchmarks

Modular exponentiation benchmark

(c) 2014-2017 SEGGER Microcontroller GmbH & Co. KG    www.segger.com
Modular Exponentiation Benchmark compiled Apr 21 2017 15:54:06

Compiler: clang 3.9.1 (tags/RELEASE_391/final)
System:   Processor speed          = 168.000 MHz
Config:   Static heap size         = 39600 bytes
Config:   CRYPTO_MPI_BITS_PER_LIMB = 32

Modular Arithmetic Performance
==============================

CRT private key, exponent length = modulus length, all times in ms

+---------------------------+---------------+---------------+---------------+
| Algorithm                 |           512 |          1024 |          2048 |
+---------------------------+---------------+---------------+---------------+
| Basic, ladder             |   67.87  1.0x |  287.25  1.0x | 1497.00  1.0x |
| Basic, fast               |   50.55  1.3x |  202.80  1.4x |  955.00  1.6x |
| Basic, 2b, FW             |   47.41  1.4x |  192.50  1.5x |  923.50  1.6x |
| Basic, 3b, FW             |   44.35  1.5x |  182.50  1.6x |  909.50  1.6x |
| Basic, 4b, FW             |   43.33  1.6x |  176.17  1.6x |  887.00  1.7x |
| Basic, 5b, FW             |   44.13  1.5x |  174.83  1.6x |  872.00  1.7x |
| Basic, 6b, FW             |   47.41  1.4x |  178.67  1.6x |  865.00  1.7x |
+---------------------------+---------------+---------------+---------------+
| Basic, 2b, RM             |   46.73  1.5x |  189.33  1.5x |  911.00  1.6x |
| Basic, 3b, RM             |   43.87  1.5x |  180.17  1.6x |  889.50  1.7x |
| Basic, 4b, RM             |   42.58  1.6x |  173.67  1.7x |  870.00  1.7x |
| Basic, 5b, RM             |   42.33  1.6x |  171.00  1.7x |  856.50  1.7x |
| Basic, 6b, RM             |   43.38  1.6x |  171.00  1.7x |  847.00  1.8x |
+---------------------------+---------------+---------------+---------------+
| Barrett, ladder           |   53.84  1.3x |  202.00  1.4x | 1021.00  1.5x |
| Barrett, fast             |   40.08  1.7x |  145.14  2.0x |  666.50  2.2x |
| Barrett, 2b, FW           |   38.73  1.8x |  139.12  2.1x |  645.50  2.3x |
| Barrett, 3b, FW           |   35.59  1.9x |  129.00  2.2x |  620.50  2.4x |
| Barrett, 4b, FW           |   34.48  2.0x |  123.78  2.3x |  599.50  2.5x |
| Barrett, 5b, FW           |   35.10  1.9x |  122.56  2.3x |  587.50  2.5x |
| Barrett, 6b, FW           |   37.78  1.8x |  125.50  2.3x |  583.00  2.6x |
+---------------------------+---------------+---------------+---------------+
| Barrett, 2b, RM           |   37.11  1.8x |  133.75  2.1x |  628.00  2.4x |
| Barrett, 3b, RM           |   34.79  2.0x |  126.50  2.3x |  606.00  2.5x |
| Barrett, 4b, RM           |   33.73  2.0x |  121.78  2.4x |  588.50  2.5x |
| Barrett, 5b, RM           |   33.57  2.0x |  119.56  2.4x |  577.50  2.6x |
| Barrett, 6b, RM           |   34.43  2.0x |  119.56  2.4x |  570.50  2.6x |
+---------------------------+---------------+---------------+---------------+
| Montgomery, fast          |   21.17  3.2x |   92.64  3.1x |  486.33  3.1x |
| Montgomery, 2b, FW        |   21.40  3.2x |   93.73  3.1x |  484.67  3.1x |
| Montgomery, 3b, FW        |   19.35  3.5x |   84.17  3.4x |  433.00  3.5x |
| Montgomery, 4b, FW        |   18.61  3.6x |   80.08  3.6x |  409.00  3.7x |
| Montgomery, 5b, FW        |   18.94  3.6x |   79.08  3.6x |  398.67  3.8x |
| Montgomery, 6b, FW        |   20.36  3.3x |   81.15  3.5x |  398.00  3.8x |
+---------------------------+---------------+---------------+---------------+
| Montgomery, 2b, RM        |   19.84  3.4x |   85.50  3.4x |  446.00  3.4x |
| Montgomery, 3b, RM        |   18.65  3.6x |   81.08  3.5x |  419.00  3.6x |
| Montgomery, 4b, RM        |   18.14  3.7x |   78.23  3.7x |  401.33  3.7x |
| Montgomery, 5b, RM        |   18.07  3.8x |   76.92  3.7x |  392.67  3.8x |
| Montgomery, 6b, RM        |   18.59  3.7x |   77.08  3.7x |  387.00  3.9x |
+---------------------------+---------------+---------------+---------------+

Public key, exponent length = 17 bits, all times in ms

+---------------------------+---------------+---------------+---------------+
| Algorithm                 |           512 |          1024 |          2048 |
+---------------------------+---------------+---------------+---------------+
| Basic, ladder             |    4.38  1.0x |    9.62  1.0x |   25.77  1.0x |
| Basic, fast               |    2.23  2.0x |    4.68  2.1x |   12.14  2.1x |
| Basic, 2b, FW             |    2.41  1.8x |    4.87  2.0x |   12.42  2.1x |
| Basic, 3b, FW             |    2.62  1.7x |    5.00  1.9x |   12.44  2.1x |
| Basic, 4b, FW             |    3.14  1.4x |    5.67  1.7x |   13.09  2.0x |
| Basic, 5b, FW             |    4.17  1.1x |    6.99  1.4x |   15.07  1.7x |
| Basic, 6b, FW             |    5.88  0.7x |    9.18  1.0x |   18.70  1.4x |
+---------------------------+---------------+---------------+---------------+
| Basic, 2b, RM             |    2.29  1.9x |    4.73  2.0x |   12.20  2.1x |
| Basic, 3b, RM             |    2.52  1.7x |    4.87  2.0x |   12.27  2.1x |
| Basic, 4b, RM             |    2.99  1.5x |    5.48  1.8x |   12.82  2.0x |
| Basic, 5b, RM             |    3.89  1.1x |    6.66  1.4x |   14.64  1.8x |
| Basic, 6b, RM             |    5.69  0.8x |    9.02  1.1x |   18.22  1.4x |
+---------------------------+---------------+---------------+---------------+
| Barrett, ladder           |    3.46  1.3x |    7.83  1.2x |   22.22  1.2x |
| Barrett, fast             |    1.78  2.5x |    3.82  2.5x |   10.42  2.5x |
| Barrett, 2b, FW           |    2.15  2.0x |    4.24  2.3x |   11.02  2.3x |
| Barrett, 3b, FW           |    2.32  1.9x |    4.38  2.2x |   11.00  2.3x |
| Barrett, 4b, FW           |    2.87  1.5x |    5.23  1.8x |   11.95  2.2x |
| Barrett, 5b, FW           |    3.96  1.1x |    6.91  1.4x |   14.85  1.7x |
| Barrett, 6b, FW           |    5.93  0.7x |    9.96  1.0x |   20.34  1.3x |
+---------------------------+---------------+---------------+---------------+
| Barrett, 2b, RM           |    1.88  2.3x |    3.89  2.5x |   10.50  2.5x |
| Barrett, 3b, RM           |    2.06  2.1x |    4.07  2.4x |   10.60  2.4x |
| Barrett, 4b, RM           |    2.45  1.8x |    4.69  2.0x |   11.31  2.3x |
| Barrett, 5b, RM           |    3.18  1.4x |    5.90  1.6x |   13.44  1.9x |
| Barrett, 6b, RM           |    4.63  0.9x |    8.30  1.2x |   17.70  1.5x |
+---------------------------+---------------+---------------+---------------+
| Montgomery, fast          |    1.41  3.1x |    3.37  2.9x |    9.98  2.6x |
| Montgomery, 2b, FW        |    2.06  2.1x |    5.12  1.9x |   15.38  1.7x |
| Montgomery, 3b, FW        |    2.13  2.1x |    5.29  1.8x |   15.89  1.6x |
| Montgomery, 4b, FW        |    2.69  1.6x |    6.77  1.4x |   20.34  1.3x |
| Montgomery, 5b, FW        |    3.61  1.2x |    9.20  1.0x |   27.73  0.9x |
| Montgomery, 6b, FW        |    5.41  0.8x |   13.97  0.7x |   42.13  0.6x |
+---------------------------+---------------+---------------+---------------+
| Montgomery, 2b, RM        |    1.60  2.7x |    3.87  2.5x |   11.47  2.2x |
| Montgomery, 3b, RM        |    1.72  2.5x |    4.19  2.3x |   12.46  2.1x |
| Montgomery, 4b, RM        |    2.09  2.1x |    5.14  1.9x |   15.43  1.7x |
| Montgomery, 5b, RM        |    2.58  1.7x |    6.41  1.5x |   19.40  1.3x |
| Montgomery, 6b, RM        |    3.48  1.3x |    8.66  1.1x |   26.37  1.0x |
+---------------------------+---------------+---------------+---------------+

Benchmark complete

 

AES benchmark

Benchmarked on a SEGGER emPower board

(c) 2014-2017 SEGGER Microcontroller GmbH & Co. KG    www.segger.com
AES Benchmark V1.16 compiled Apr 21 2017 16:00:55

Compiler: clang 3.9.1 (tags/RELEASE_391/final)
System:   Processor speed               = 168.000 MHz
Config:   CRYPTO_CONFIG_AES_OPTIMIZE    = 15
Config:   CRYPTO_CONFIG_AES_HW_OPTIMIZE = 1

+--------------+------+-----------------+-----------------+
|              |      | ECB        MB/s | CBC        MB/s |
| Cipher       | Bits |     Enc     Dec |     Enc     Dec |
+--------------+------+-----------------+-----------------+
| AES          |  128 |    2.03    2.18 |    1.64    1.61 |
| AES (HW)     |  128 |    8.14    7.70 |    7.52    6.72 |
| AES          |  192 |    1.74    1.88 |    1.44    1.44 |
| AES (HW)     |  192 |    6.83    6.52 |    6.30    5.66 |
| AES          |  256 |    1.53    1.64 |    1.29    1.30 |
| AES (HW)     |  256 |    6.05    5.89 |    5.63    5.00 |
+--------------+------+-----------------+-----------------+
|              |      | GCM        MB/s | CCM        MB/s |
| Cipher       | Bits |     Enc     Dec |     Enc     Dec |
+--------------+------+-----------------+-----------------+
| AES          |  128 |    0.05    0.05 |    0.83    0.83 |
| AES (HW)     |  128 |    0.05    0.05 |    1.23    1.24 |
| AES          |  192 |    0.05    0.05 |    0.73    0.73 |
| AES (HW)     |  192 |    0.05    0.05 |    1.16    1.16 |
| AES          |  256 |    0.06    0.06 |    0.65    0.65 |
| AES (HW)     |  256 |    0.06    0.06 |    1.10    1.11 |
+--------------+------+-----------------+-----------------+

Benchmark complete

 

ECDSA benchmark

Benchmarked on a SEGGER emPower board

(c) 2014-2017 SEGGER Microcontroller GmbH & Co. KG    www.segger.com
ECDSA Sign and Verify Benchmark compiled Apr 21 2017 16:03:45

Compiler: clang 3.9.1 (tags/RELEASE_391/final)
System:   Processor speed                   = 168.000 MHz
Config:   Static heap size                  = 4440 bytes
Config:   CRYPTO_MPI_BITS_PER_LIMB          = 32
Config:   CRYPTO_CONFIG_ECDSA_TWIN_MULTIPLY = 1

+------------------+-----------+-----------+-----------+-----------+
|                  |      Sign |     Sign  |    Verify |    Verify |
| Curve            |        ms |     bytes |        ms |     bytes |
+------------------+-----------+-----------+-----------+-----------+
| secp192r1        |     40.54 |      1152 |     37.64 |      1920 |
| secp224r1        |     50.85 |      1296 |     48.27 |      2160 |
| secp256r1        |     79.07 |      1440 |     75.86 |      2400 |
| secp384r1        |    129.00 |      2016 |    122.00 |      3360 |
| secp521r1        |    238.67 |      2664 |    218.50 |      4440 |
| brainpoolP160r1  |     68.87 |      1008 |     66.81 |      1680 |
| brainpoolP160t1  |     62.88 |      1008 |     60.50 |      1680 |
| brainpoolP192r1  |     98.67 |      1152 |     90.92 |      1920 |
| brainpoolP192t1  |     89.42 |      1152 |     80.86 |      1920 |
| brainpoolP224r1  |    130.87 |      1296 |    122.40 |      2160 |
| brainpoolP224t1  |    119.50 |      1296 |    111.20 |      2160 |
| brainpoolP256r1  |    171.33 |      1440 |    162.00 |      2400 |
| brainpoolP256t1  |    158.00 |      1440 |    145.62 |      2400 |
| brainpoolP320r1  |    260.75 |      1728 |    242.83 |      2880 |
| brainpoolP320t1  |    241.00 |      1728 |    216.00 |      2880 |
| brainpoolP384r1  |    399.00 |      2016 |    372.00 |      3360 |
| brainpoolP384t1  |    376.25 |      2016 |    327.75 |      3360 |
| brainpoolP512r1  |    754.50 |      2592 |    694.00 |      4320 |
| brainpoolP512t1  |    649.00 |      2592 |    613.50 |      4320 |
+------------------+-----------+-----------+-----------+-----------+

Benchmark complete 

Resource use

The following tables show required context size, lookup table (LUT) size, and code size in kilobytes for each configuration value. All values are approximate and for a Cortex-M3 processor.

 

MD5

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.16 KB  Flash  0.3 KB  0.4 KB  0.7 KB
 1  0.16 KB  -    2.0 KB  2.0 KB

 

RIPEMD-160

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.16 KB  Flash  0.3 KB  0.7 KB  1.0 KB
 1  0.16 KB  -    4.6 KB  4.6 KB

 

SHA-1

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.16 KB  Flash    0.6 KB  0.6 KB
 1  0.16 KB  -    3.6 KB  3.6 KB

 

SHA-256

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.17 KB  Flash  0.3 KB  0.5 KB  0.8 KB
 1  0.17 KB  -  -  7.7 KB  7.7 KB

 

SHA-512

 Setting

Context size

LUT

LUT size

Code size

Total size

 0

 0.20 KB  Flash  0.7 KB  1.1 KB  1.8 KB

 1

 0.20 KB

 Flash

 0.7 KB  10.3 KB  11.0 KB

 2

 0.20 KB  Flash  0.1 KB  41.5 KB  41.6 KB

 

DES

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.38 KB  Flash  2.1 KB  1.3 KB  3.4 KB
 1  0.38 KB  Flash  2.1 KB  2.1 KB  4.2 KB
 2  0.38 KB  Flash  2.1 KB  5.3 KB  7.4 KB
 3  0.38 KB  RAM  2.1 KB  1.3 KB  3.4 KB
 4  0.38 KB  RAM  2.1 KB  2.1 KB  4.2 KB
 5  0.38 KB  RAM  2.1 KB  5.3 KB  7.4 KB

 

AES

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.24 KB  Flash  2.0  3.2  5.2
 1  0.24 KB  Flash  2.0  2.7  4.7
 2  0.24 KB  Flash  8.5  2.4  10.9
 3  0.24 KB  Flash  1.9  12.5  14.4
 4  0.24 KB  RAM  2.0  3.2  5.2
 5  0.24 KB  RAM  2.0  2.7  4.7
 6  0.24 KB  RAM  8.5  2.4  10.9
 7  0.24 KB  RAM  1.9  12.5  14.4

 

SEED

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.14  Flash  0.5  0.5  1.0
 1  0.14  Flash  4.0  0.4  4.4
 2  0.14  RAM  0.5  0.5  1.0
 3  0.14  RAM  4.0  0.4  4.4

 

ARIA

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.28  Flash  1.0 KB  1.9 KB  2.9 KB
 1  0.28  RAM  1.0 KB  1.9 KB  2.9 KB

 

CAST

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.10  F lash  8.0 KB  3.5  11.5
 1  0.10  RAM  8.0 KB  3.7  11.7

 

Camelia

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.27 KB  Flash  1.0 KB  28.8 KB  29.8 KB
 1  0.27 KB  Flash  4.0 KB  20.7 KB  24.7 KB
 2  0.27 KB  RAM  1.0 KB  28.8 KB  29.8 KB
 3  0.27 KB  RAM  4.0 KB  20.7 KB  24.7 KB

 

Blowfish

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  4.0 KB  Flash 4.0 KB 0.7 KB  4.7 KB
 1  4.0 KB  RAM  4.0 KB  1.1 KB  5.1 KB

 

Twofish

 Setting

Context size

LUT

LUT size

Code size

Total size

 0  0.2  Flash  0.6 KB  3.4  4.0
 1  0.2  Flash  4.6  3.1  7.7
 2  0.2  Flash  8.5  3.2  11.7
 3  0.2  Flash  12.5  2.8  15.3
 4  4.2  Flash  0.6  3.4  4.0
 5  4.2  Flash  4.6  3.1  7.7
 6   4.2  Flash  8.5  3.2  11.7
 7   4.2  Flash  12.5  2.8  15.3
 8   0.2  RAM  0.6  3.4  4.0
 9   0.2  RAM  4.6  3.1  7.7
 10   0.2  RAM  8.5  3.2  11.7
 11   0.2  RAM  12.5  2.8  15.3
 12   4.2  RAM  0.6  3.4  4.0
 13   4.2  RAM  4.6  3.1  7.7
 14   4.2  RAM  8.5  3.2  11.7
 15   4.2  RAM  12.5  2.8  15.3

  


Example application

/*********************************************************************
*               (c) SEGGER Microcontroller GmbH & Co. KG             *
*                        The Embedded Experts                        *
*                           www.segger.com                           *
**********************************************************************

-------------------------- END-OF-HEADER -----------------------------

File        : CRYPTO_Bench_ECDSA.c
Purpose     : Benchmark ECDSA sign and verify.

*/

/*********************************************************************
*
*       #include section
*
**********************************************************************
*/

#include "CRYPTO_Int.h"
#include "SEGGER_MEM.h"
#include "SEGGER_SYS.h"

/*********************************************************************
*
*       Defines, configurable
*
**********************************************************************
*/

#define MAX_CHUNKS            30  // For twin multiplication

/*********************************************************************
*
*       Local types
*
**********************************************************************
*/

// Maximum prime size is 521 bits, but require additional 63 bits
// for underlying fast prime field reduction.
typedef CRYPTO_MPI_LIMB MPI_UNIT[CRYPTO_MPI_LIMBS_REQUIRED(2*521+63)+2];

/*********************************************************************
*
*       Static data
*
**********************************************************************
*/

static MPI_UNIT                 _aUnits[MAX_CHUNKS];
static SEGGER_MEM_CONTEXT       _MemContext;
static SEGGER_MEM_SELFTEST_HEAP _Heap;

/*********************************************************************
*
*       Static code
*
**********************************************************************
*/

/*********************************************************************
*
*       _ConvertTicksToSeconds()
*
*  Function description
*    Convert ticks to seconds.
*
*  Parameters
*    Ticks - Number of ticks reported by SEGGER_SYS_OS_GetTimer().
*
*  Return value
*    Number of seconds corresponding to tick.
*/
static float _ConvertTicksToSeconds(U64 Ticks) {
  return SEGGER_SYS_OS_ConvertTicksToMicros(Ticks) / 1000000.0f;
}

/*********************************************************************
*
*       _BenchmarkECDSASign()
*
*  Function description
*    Benchmark ECDSA sign.
*
*  Parameters
*    pCurve - Pointer to elliptic curve.
*/
static void _BenchmarkECDSASign(const CRYPTO_EC_CURVE *pCurve) {
  CRYPTO_ECDSA_PRIVATE_KEY Private;
  CRYPTO_ECDSA_PUBLIC_KEY  Public;
  CRYPTO_ECDSA_SIGNATURE   Signature;
  U8                       aDigest[32] = { " SEGGER  SEGGER  SEGGER  SEGGER " };
  U64                      OneSecond;
  U64                      T0;
  U64                      Elapsed;
  int                      Loops;
  int                      Status;
  unsigned                 PeakBytes;
  float                    Time;
  //
  // Make PC-lint quiet, it's dataflow analysis provides false positives.
  //
  Loops     = 0;
  Elapsed   = 0;
  PeakBytes = 0;
  //
  CRYPTO_ECDSA_InitPrivateKey(&Private,   &_MemContext);
  CRYPTO_ECDSA_InitPublicKey (&Public,    &_MemContext);
  CRYPTO_ECDSA_InitSignature (&Signature, &_MemContext);
  //
  CRYPTO_ECDSA_GenKeys       (pCurve, &Private, &Public, &_MemContext);
  //
  OneSecond = SEGGER_SYS_OS_ConvertMicrosToTicks(1000000);
  T0 = SEGGER_SYS_OS_GetTimer();
  do {
    //
    _Heap.Stats.NumInUseMax = _Heap.Stats.NumInUse;
    //
    CRYPTO_CHECK(CRYPTO_ECDSA_SignDigest(pCurve, &Private, &aDigest[0], sizeof(aDigest), &Signature, &_MemContext));
    if (Status == 0) {
      SEGGER_SYS_IO_Printf("ERROR - Did not sign digest\n");
      SEGGER_SYS_OS_Halt(100);
    }
    //
    PeakBytes = SEGGER_MAX(PeakBytes, _Heap.Stats.NumInUseMax * CRYPTO_MPI_LimbAllocUnit * CRYPTO_MPI_BYTES_PER_LIMB);
    //
    CRYPTO_ECDSA_KillSignature(&Signature);
    //
    Elapsed = SEGGER_SYS_OS_GetTimer() - T0;
    ++Loops;
  } while (Status >= 0 && Elapsed < OneSecond);
  //
cleanup:
  CRYPTO_ECDSA_KillPrivateKey(&Private);
  CRYPTO_ECDSA_KillPublicKey (&Public);
  CRYPTO_ECDSA_KillSignature (&Signature);
  //
  if (Status < 0 || Loops == 0) {
    SEGGER_SYS_IO_Printf("%10s |", "-Fail-");
  } else {
    Loops *= 2;  // Two agreements per loop
    Time = 1000.0f * _ConvertTicksToSeconds(Elapsed) / Loops;
    SEGGER_SYS_IO_Printf("%10.2f |", Time);
    SEGGER_SYS_IO_Printf("%10d |", PeakBytes);
  }
}

/*********************************************************************
*
*       _BenchmarkECDSAVerify()
*
*  Function description
*    Benchmark ECDSA verify.
*
*  Parameters
*    pCurve - Pointer to elliptic curve.
*/
static void _BenchmarkECDSAVerify(const CRYPTO_EC_CURVE *pCurve) {
  CRYPTO_ECDSA_PRIVATE_KEY Private;
  CRYPTO_ECDSA_PUBLIC_KEY  Public;
  CRYPTO_ECDSA_SIGNATURE   Signature;
  U8                       aDigest[32] = { " SEGGER  SEGGER  SEGGER  SEGGER " };
  U64                      OneSecond;
  U64                      T0;
  U64                      Elapsed;
  int                      Loops;
  int                      Status;
  unsigned                 PeakBytes;
  float                    Time;
  //
  // Make PC-lint quiet, it's dataflow analysis provides false positives.
  //
  Loops     = 0;
  Elapsed   = 0;
  PeakBytes = 0;
  //
  CRYPTO_ECDSA_InitPrivateKey(&Private,   &_MemContext);
  CRYPTO_ECDSA_InitPublicKey (&Public,    &_MemContext);
  CRYPTO_ECDSA_InitSignature (&Signature, &_MemContext);
  //
  CRYPTO_ECDSA_GenKeys       (pCurve, &Private, &Public, &_MemContext);
  //
  CRYPTO_CHECK(CRYPTO_ECDSA_SignDigest(pCurve, &Private, &aDigest[0], sizeof(aDigest), &Signature, &_MemContext));
  if (Status == 0) {
    SEGGER_SYS_IO_Printf("ERROR - Did not sign digest\n");
    SEGGER_SYS_OS_Halt(100);
  }
  //
  OneSecond = SEGGER_SYS_OS_ConvertMicrosToTicks(1000000);
  T0 = SEGGER_SYS_OS_GetTimer();
  do {
    //
    _Heap.Stats.NumInUseMax = _Heap.Stats.NumInUse;
    //
    CRYPTO_CHECK(CRYPTO_ECDSA_VerifyDigest(pCurve, &Public, &aDigest[0], sizeof(aDigest), &Signature, &_MemContext));
    if (Status == 0) {
      SEGGER_SYS_IO_Printf("ERROR - Did not verify digest\n");
      SEGGER_SYS_OS_Halt(100);
    }
    //
    PeakBytes = SEGGER_MAX(PeakBytes, _Heap.Stats.NumInUseMax * CRYPTO_MPI_LimbAllocUnit * CRYPTO_MPI_BYTES_PER_LIMB);
    //
    Elapsed = SEGGER_SYS_OS_GetTimer() - T0;
    ++Loops;
  } while (Status >= 0 && Elapsed < OneSecond);
  //
cleanup:
  CRYPTO_ECDSA_KillPrivateKey(&Private);
  CRYPTO_ECDSA_KillPublicKey (&Public);
  CRYPTO_ECDSA_KillSignature (&Signature);
  //
  if (Status < 0 || Loops == 0) {
    SEGGER_SYS_IO_Printf("%10s |", "-Fail-");
  } else {
    Loops *= 2;  // Two agreements per loop
    Time = 1000.0f * _ConvertTicksToSeconds(Elapsed) / Loops;
    SEGGER_SYS_IO_Printf("%10.2f |", Time);
    SEGGER_SYS_IO_Printf("%10d |", PeakBytes);
  }
}

/*********************************************************************
*
*       _BenchmarkECDSA()
*
*  Function description
*    Benchmark ECDSA sign and verify.
*
*  Parameters
*    pCurve - Pointer to elliptic curve.
*/
static void _BenchmarkECDSA(const CRYPTO_EC_CURVE *pCurve) {
  CRYPTO_MPI_SetChunkSize(CRYPTO_MPI_BYTES_REQUIRED(2*CRYPTO_MPI_BitCount(&pCurve->P)+63) + 2*CRYPTO_MPI_BYTES_PER_LIMB);
  SEGGER_SYS_IO_Printf("| %-16s |", pCurve->aCurveName);
  _BenchmarkECDSASign  (pCurve);
  _BenchmarkECDSAVerify(pCurve);
  SEGGER_SYS_IO_Printf("\n");
}

/*********************************************************************
*
*       Public code
*
**********************************************************************
*/

/*********************************************************************
*
*       MainTask()
*
*  Function description
*    Main entry point for application to run all the tests.
*/
void MainTask(void);
void MainTask(void) {
  CRYPTO_Init();
  CRYPTO_MPI_SetChunkSize(sizeof(MPI_UNIT));
  SEGGER_SYS_Init();
  SEGGER_MEM_SELFTEST_HEAP_Init(&_MemContext, &_Heap, _aUnits, MAX_CHUNKS, sizeof(MPI_UNIT));
  //
  SEGGER_SYS_IO_Printf("\n");
  SEGGER_SYS_IO_Printf("(c) 2014-2017 SEGGER Microcontroller GmbH & Co. KG    www.segger.com\n");
  SEGGER_SYS_IO_Printf("ECDSA Sign and Verify Benchmark compiled " __DATE__ " " __TIME__ "\n\n");
  //
  SEGGER_SYS_IO_Printf("Compiler: %s\n", SEGGER_SYS_GetCompiler());
  if (SEGGER_SYS_GetProcessorSpeed() > 0) {
    SEGGER_SYS_IO_Printf("System:   Processor speed                   = %.3f MHz\n", (double)SEGGER_SYS_GetProcessorSpeed() / 1000000.0f);
  }
  SEGGER_SYS_IO_Printf("Config:   Static heap size                  = %u bytes\n", sizeof(_aUnits));
  SEGGER_SYS_IO_Printf("Config:   CRYPTO_MPI_BITS_PER_LIMB          = %u\n", CRYPTO_MPI_BITS_PER_LIMB);
  SEGGER_SYS_IO_Printf("Config:   CRYPTO_CONFIG_ECDSA_TWIN_MULTIPLY = %u\n", CRYPTO_CONFIG_ECDSA_TWIN_MULTIPLY);
  SEGGER_SYS_IO_Printf("\n");
  //
  SEGGER_SYS_IO_Printf("+------------------+-----------+-----------+-----------+-----------+\n");
  SEGGER_SYS_IO_Printf("|                  |      Sign |     Sign  |    Verify |    Verify |\n");
  SEGGER_SYS_IO_Printf("| Curve            |        ms |     bytes |        ms |     bytes |\n");
  SEGGER_SYS_IO_Printf("+------------------+-----------+-----------+-----------+-----------+\n");
  //
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_P192);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_P224);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_P256);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_P384);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_P521);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP160r1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP160t1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP192r1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP192t1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP224r1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP224t1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP256r1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP256t1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP320r1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP320t1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP384r1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP384t1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP512r1);
  _BenchmarkECDSA(&CRYPTO_EC_CURVE_brainpoolP512t1);
  //
  SEGGER_SYS_IO_Printf("+------------------+-----------+-----------+-----------+-----------+\n");
  SEGGER_SYS_IO_Printf("\n");
  //
  SEGGER_SYS_IO_Printf("Benchmark complete\n");
  SEGGER_SYS_OS_PauseBeforeHalt();
  SEGGER_SYS_OS_Halt(0);
}

/*************************** End of file ****************************/