From c0470980ded9ba4e95b679fd0a670e1bbb452a21 Mon Sep 17 00:00:00 2001
From: Rhys Weatherley <rhys.weatherley@gmail.com>
Date: Sun, 19 Apr 2015 15:26:27 +1000
Subject: [PATCH] Crypto performance figures for Arduino Due

---
 doc/crypto.dox                   | 45 ++++++++++++++++++++++++++++++++
 libraries/Crypto/BigNumberUtil.h |  7 +++++
 2 files changed, 52 insertions(+)
diff --git a/doc/crypto.dox b/doc/crypto.dox
index 2aef5ed6..bd71e448 100644
--- a/doc/crypto.dox
+++ b/doc/crypto.dox
@@ -58,6 +58,8 @@ speed is critical but exact bit-compatibility of hash values is not.
 
 \section crypto_performance Performance
 
+\subsection crypto_performance_avr Performance on AVR
+
 All figures are for the Arduino Uno running at 16 MHz.  Figures for the
 Ardunino Mega 2560 running at 16 MHz are similar:
 
@@ -105,4 +107,47 @@ Where a cipher supports more than one key size (such as ChaCha), the values
 are typically almost identical for 128-bit and 256-bit keys so only the
 maximum is shown above.
 
+\subsection crypto_performance_arm Performance on ARM
+
+All figures are for the Arduino Due running at 84 MHz:
+
+<table>
+<tr><td>Encryption Algorithm</td><td align="right">Encryption (per byte)</td><td align="right">Decryption (per byte)</td><td>Key Setup</td><td>State Size (bytes)</td></tr>
+<tr><td>AES128 (ECB mode)</td><td align="right">6.65us</td><td align="right">11.00us</td><td align="right">35.15us</td><td align="right">220</td></tr>
+<tr><td>AES192 (ECB mode)</td><td align="right">8.02us</td><td align="right">13.31us</td><td align="right">36.59us</td><td align="right">252</td></tr>
+<tr><td>AES256 (ECB mode)</td><td align="right">9.39us</td><td align="right">15.63</td><td align="right">50.19us</td><td align="right">284</td></tr>
+<tr><td>ChaCha (20 rounds)</td><td align="right">0.87us</td><td align="right">0.88us</td><td align="right">4.96us</td><td align="right">136</td></tr>
+<tr><td>ChaCha (12 rounds)</td><td align="right">0.70us</td><td align="right">0.71us</td><td align="right">4.96us</td><td align="right">136</td></tr>
+<tr><td>ChaCha (8 rounds)</td><td align="right">0.62us</td><td align="right">0.62us</td><td align="right">4.96us</td><td align="right">136</td></tr>
+<tr><td colspan="5"> </td></tr>
+<tr><td>AEAD Algorithm</td><td align="right">Encryption (per byte)</td><td align="right">Decryption (per byte)</td><td>Key Setup</td><td>State Size (bytes)</td></tr>
+<tr><td>ChaChaPoly</td><td align="right">1.66us</td><td align="right">1.66us</td><td align="right">45.02us</td><td align="right">280</td></tr>
+<tr><td>GCM&lt;AES128&gt;</td><td align="right">11.01us</td><td align="right">10.92us</td><td align="right">247.90us</td><td align="right">344</td></tr>
+<tr><td>GCM&lt;AES192&gt;</td><td align="right">12.40us</td><td align="right">12.31us</td><td align="right">294.07us</td><td align="right">376</td></tr>
+<tr><td>GCM&lt;AES256&gt;</td><td align="right">13.73us</td><td align="right">13.64us</td><td align="right">347.40us</td><td align="right">408</td></tr>
+<tr><td colspan="5"> </td></tr>
+<tr><td>Hash Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Finalization</td><td> </td><td>State Size (bytes)</td></tr>
+<tr><td>SHA1</td><td align="right">0.94us</td><td align="right">62.55us</td><td align="right"> </td><td align="right">112</td></tr>
+<tr><td>SHA256</td><td align="right">1.15us</td><td align="right">76.60us</td><td align="right"> </td><td align="right">120</td></tr>
+<tr><td>SHA512</td><td align="right">2.87us</td><td align="right">370.37us</td><td align="right"> </td><td align="right">224</td></tr>
+<tr><td>SHA3_256</td><td align="right">5.36us</td><td align="right">697.65us</td><td align="right"> </td><td align="right">424</td></tr>
+<tr><td>SHA3_512</td><td align="right">9.89us</td><td align="right">697.81us</td><td align="right"> </td><td align="right">424</td></tr>
+<tr><td>BLAKE2s</td><td align="right">0.76us</td><td align="right">50.88us</td><td align="right"> </td><td align="right">184</td></tr>
+<tr><td>BLAKE2b</td><td align="right">1.33us</td><td align="right">170.93us</td><td align="right"> </td><td align="right">352</td></tr>
+<tr><td colspan="5"> </td></tr>
+<tr><td>Authentication Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Finalization</td><td>Key Setup</td><td>State Size (bytes)</td></tr>
+<tr><td>SHA1 (HMAC mode)</td><td align="right">0.94us</td><td align="right">193.92us</td><td align="right">65.09us</td><td align="right">112</td></tr>
+<tr><td>SHA256 (HMAC mode)</td><td align="right">1.15us</td><td align="right">238.98us</td><td align="right">80.44us</td><td align="right">120</td></tr>
+<tr><td>BLAKE2s (HMAC mode)</td><td align="right">0.76us</td><td align="right">165.64us</td><td align="right">59.92us</td><td align="right">184</td></tr>
+<tr><td>Poly1305</td><td align="right">0.85us</td><td align="right">19.25us</td><td align="right">2.35us</td><td align="right">96</td></tr>
+<tr><td>GHASH</td><td align="right">4.37us</td><td align="right">1.50us</td><td align="right">4.37us</td><td align="right">36</td></tr>
+<tr><td colspan="5"> </td></tr>
+<tr><td>Public Key Operation</td><td align="right">Time (per operation)</td><td colspan="3">Comment</td></tr>
+<tr><td>Curve25519::eval()</td><td align="right">103ms</td><td colspan="3">Raw curve evaluation</td></tr>
+<tr><td>Curve25519::dh1()</td><td align="right">103ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
+<tr><td>Curve25519::dh2()</td><td align="right">104ms</td><td colspan="3">Second half of Diffie-Hellman key agreement</td></tr>
+<tr><td>Ed25519::sign()</td><td align="right">195ms</td><td colspan="3">Digital signature generation</td></tr>
+<tr><td>Ed25519::verify()</td><td align="right">306ms</td><td colspan="3">Digital signature verification</td></tr>
+<tr><td>Ed25519::derivePublicKey()</td><td align="right">194ms</td><td colspan="3">Derive a public key from a private key</td></tr>
+</table>
 */
diff --git a/libraries/Crypto/BigNumberUtil.h b/libraries/Crypto/BigNumberUtil.h
index 286ebd81..83f6d63f 100644
--- a/libraries/Crypto/BigNumberUtil.h
+++ b/libraries/Crypto/BigNumberUtil.h
@@ -28,9 +28,16 @@
 
 // Define exactly one of these to 1 to set the size of the basic limb type.
 // 16-bit limbs seem to give the best performance on 8-bit AVR micros.
+#if defined(__AVR__)
 #define BIGNUMBER_LIMB_8BIT  0
 #define BIGNUMBER_LIMB_16BIT 1
 #define BIGNUMBER_LIMB_32BIT 0
+#else
+// On all other platforms, assume 32-bit is best (e.g. ARM).
+#define BIGNUMBER_LIMB_8BIT  0
+#define BIGNUMBER_LIMB_16BIT 0
+#define BIGNUMBER_LIMB_32BIT 1
+#endif
 
 // Define the limb types to use on this platform.
 #if BIGNUMBER_LIMB_8BIT

Encryption Algorithm	Encryption (per byte)	Decryption (per byte)	Key Setup	State Size (bytes)
AES128 (ECB mode)	6.65us	11.00us	35.15us	220
AES192 (ECB mode)	8.02us	13.31us	36.59us	252
AES256 (ECB mode)	9.39us	15.63	50.19us	284
ChaCha (20 rounds)	0.87us	0.88us	4.96us	136
ChaCha (12 rounds)	0.70us	0.71us	4.96us	136
ChaCha (8 rounds)	0.62us	0.62us	4.96us	136

AEAD Algorithm	Encryption (per byte)	Decryption (per byte)	Key Setup	State Size (bytes)
ChaChaPoly	1.66us	1.66us	45.02us	280
GCM<AES128>	11.01us	10.92us	247.90us	344
GCM<AES192>	12.40us	12.31us	294.07us	376
GCM<AES256>	13.73us	13.64us	347.40us	408

Hash Algorithm	Hashing (per byte)	Finalization		State Size (bytes)
SHA1	0.94us	62.55us		112
SHA256	1.15us	76.60us		120
SHA512	2.87us	370.37us		224
SHA3_256	5.36us	697.65us		424
SHA3_512	9.89us	697.81us		424
BLAKE2s	0.76us	50.88us		184
BLAKE2b	1.33us	170.93us		352

Authentication Algorithm	Hashing (per byte)	Finalization	Key Setup	State Size (bytes)
SHA1 (HMAC mode)	0.94us	193.92us	65.09us	112
SHA256 (HMAC mode)	1.15us	238.98us	80.44us	120
BLAKE2s (HMAC mode)	0.76us	165.64us	59.92us	184
Poly1305	0.85us	19.25us	2.35us	96
GHASH	4.37us	1.50us	4.37us	36

Public Key Operation	Time (per operation)	Comment
Curve25519::eval()	103ms	Raw curve evaluation
Curve25519::dh1()	103ms	First half of Diffie-Hellman key agreement
Curve25519::dh2()	104ms	Second half of Diffie-Hellman key agreement
Ed25519::sign()	195ms	Digital signature generation
Ed25519::verify()	306ms	Digital signature verification
Ed25519::derivePublicKey()	194ms	Derive a public key from a private key