mirror of
https://github.com/taigrr/arduinolibs
synced 2025-01-18 04:33:12 -08:00
305 lines
27 KiB
Plaintext
305 lines
27 KiB
Plaintext
/*
|
|
* Copyright (C) 2015 Southern Storm Software, Pty Ltd.
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the "Software"),
|
|
* to deal in the Software without restriction, including without limitation
|
|
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
* and/or sell copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included
|
|
* in all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
|
|
* DEALINGS IN THE SOFTWARE.
|
|
*/
|
|
|
|
/**
|
|
\file crypto.dox
|
|
\page crypto Arduino Cryptography Library
|
|
|
|
\section crypto_algorithms Supported algorithms
|
|
|
|
The library is split into four main sections: core, light-weight, legacy,
|
|
and other.
|
|
|
|
\subsection crypto_core_algorithms Core algorithms
|
|
|
|
Core algorithms are found within the "libraries/Crypto" directory
|
|
in the repository:
|
|
|
|
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
|
|
\li Block ciphers: AES128, AES192, AES256
|
|
\li Block cipher modes: CTR, EAX, GCM, XTS
|
|
\li Stream ciphers: ChaCha
|
|
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
|
|
\li Extendable output functions (XOF's): SHAKE128, SHAKE256
|
|
\li Message authenticators: Poly1305, GHASH, OMAC
|
|
\li Public key algorithms: Curve25519, Ed25519, P521
|
|
\li Random number generation: \link RNGClass RNG\endlink
|
|
|
|
Reduced memory versions of some algorithms (encryption is slower, but the
|
|
RAM required for the key schedule is less):
|
|
|
|
\li AESTiny128, AESSmall128, AESTiny256, AESSmall256
|
|
|
|
The "tiny" versions only support encryption which makes them suitable for
|
|
the CTR, CFB, OFB, EAX, and GCM block cipher modes but not CBC. The "small"
|
|
versions use a little more memory but support both encryption and decryption.
|
|
|
|
\subsection crpto_lw_algorithms Light-weight algorithms
|
|
|
|
The algorithms in the "libraries/CryptoLW" directory are new algorithms
|
|
that have been designed for "light-weight" environments where memory and
|
|
CPU resources are constrained:
|
|
|
|
\li Authenticated encryption with associated data (AEAD): Acorn128, Ascon128
|
|
\li Block ciphers: Speck, SpeckSmall, SpeckTiny
|
|
|
|
These algorithms are fairly new, but they are ideal for Arduino devices.
|
|
They don't appear in any internationally adopted standards yet but any
|
|
algorithms that are adopted into standards later will be moved to the
|
|
core library. Maybe you'll be the one to create that new standard!
|
|
|
|
\subsection crypto_legacy_algorithms Legacy algorithms
|
|
|
|
Legacy algorithms in the "libraries/CryptoLegacy" directory are those that
|
|
should probably not be used in new protocol designs, but may be required for
|
|
backwards-compatibility with older protocols:
|
|
|
|
\li Block cipher modes: CFB, CBC, OFB
|
|
\li Hash algorithms: SHA1
|
|
|
|
CBC is included in the legacy list because cryptography experts no longer
|
|
recommend it for use in newer designs. It was an important mode in the past
|
|
but newer designs should be using authenticated encryption with associated
|
|
data (AEAD) instead. If you were looking to use CBC in your project,
|
|
then please consider transitioning to one of the AEAD schemes listed above.
|
|
|
|
Over time, other algorithms may be moved from the core library to legacy.
|
|
|
|
\subsection crypto_other_algorithms Other algorithms
|
|
|
|
Other algorithms are provided in the remaining directories under "libraries",
|
|
and consist of algorithms that are either too big for the main library,
|
|
or are dedicated to a special purpose that only some applications will need:
|
|
|
|
\li Post-quantum algorithms: NewHope
|
|
\li Random number generation: TransistorNoiseSource, RingOscillatorNoiseSource
|
|
|
|
\section crypto_optimizations Optimizations
|
|
|
|
All cryptographic algorithms have been optimized for 8-bit Arduino platforms
|
|
like the Uno. Memory usage is also reduced, particularly for SHA256
|
|
and SHA512 which save 192 and 512 bytes respectively over traditional
|
|
implementations. For all algorithms, static sbox tables and the like are
|
|
placed into program memory to further reduce data memory usage.
|
|
|
|
ChaCha with 20 rounds and 256-bit keys is the recommended
|
|
symmetric encryption algorithm because it is twice as fast as AES128,
|
|
constant-time, and much more secure. AES128, AES192, and AES256 are
|
|
provided for use in applications where compatibility with other systems
|
|
is desirable.
|
|
|
|
If code size is an issue for your application (for example on very low end
|
|
Arduino variants), then Speck on AVR is less than half the code size of
|
|
ChaCha, at the cost of more data memory for the state and longer key
|
|
setup times. The SpeckTiny and SpeckSmall classes are even smaller at
|
|
the cost of some performance when encrypting.
|
|
|
|
BLAKE2s and BLAKE2b are variations on the ChaCha stream cipher, designed for
|
|
hashing, with 256-bit and 512-bit hash outputs respectively. They are
|
|
intended as high performance replacements for SHA256 and SHA512 for when
|
|
speed is critical but exact bit-compatibility of hash values is not.
|
|
BLAKE2s and BLAKE2b support regular hashing, BLAKE2 keyed hashing,
|
|
and HMAC modes.
|
|
|
|
\section crypto_other Examples and other topics
|
|
|
|
\li \ref crypto_rng "Generating random numbers"
|
|
\li \ref crypto_esp "Using the cryptography library with ESP8266"
|
|
|
|
\section crypto_performance Performance
|
|
|
|
\subsection crypto_performance_avr Performance on AVR
|
|
|
|
All figures are for the Arduino Uno running at 16 MHz. Figures for the
|
|
Ardunino Mega 2560 running at 16 MHz are similar:
|
|
|
|
<table>
|
|
<tr><td>Encryption Algorithm</td><td align="right">Encryption (per byte)</td><td align="right">Decryption (per byte)</td><td align="right">Key Setup</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>AES128 (ECB mode)</td><td align="right">33.28us</td><td align="right">63.18us</td><td align="right">158.68us</td><td align="right">181</td></tr>
|
|
<tr><td>AES192 (ECB mode)</td><td align="right">39.94us</td><td align="right">76.48us</td><td align="right">165.34us</td><td align="right">213</td></tr>
|
|
<tr><td>AES256 (ECB mode)</td><td align="right">46.61us</td><td align="right">89.78us</td><td align="right">217.79us</td><td align="right">245</td></tr>
|
|
<tr><td>AESTiny128 (ECB mode)</td><td align="right">40.37us</td><td align="right"> </td><td align="right">10.16us</td><td align="right">18</td></tr>
|
|
<tr><td>AESTiny256 (ECB mode)</td><td align="right">56.84us</td><td align="right"> </td><td align="right">17.20us</td><td align="right">34</td></tr>
|
|
<tr><td>AESSmall128 (ECB mode)</td><td align="right">40.37us</td><td align="right">71.36us</td><td align="right">134.22us</td><td align="right">34</td></tr>
|
|
<tr><td>AESSmall256 (ECB mode)</td><td align="right">56.84us</td><td align="right">100.55us</td><td align="right">177.73us</td><td align="right">66</td></tr>
|
|
<tr><td>ChaCha (20 rounds)</td><td align="right">14.87us</td><td align="right">14.88us</td><td align="right">43.74us</td><td align="right">132</td></tr>
|
|
<tr><td>ChaCha (12 rounds)</td><td align="right">10.38us</td><td align="right">10.38us</td><td align="right">43.74us</td><td align="right">132</td></tr>
|
|
<tr><td>ChaCha (8 rounds)</td><td align="right">8.13us</td><td align="right">8.14us</td><td align="right">43.74us</td><td align="right">132</td></tr>
|
|
<tr><td>Speck (128-bit key, ECB mode)</td><td align="right">9.74us</td><td align="right">10.12us</td><td align="right">253.94us</td><td align="right">275</td></tr>
|
|
<tr><td>Speck (192-bit key, ECB mode)</td><td align="right">10.03us</td><td align="right">10.41us</td><td align="right">264.63us</td><td align="right">275</td></tr>
|
|
<tr><td>Speck (256-bit key, ECB mode)</td><td align="right">10.31us</td><td align="right">10.71us</td><td align="right">275.26us</td><td align="right">275</td></tr>
|
|
<tr><td>SpeckSmall (128-bit key, ECB mode)</td><td align="right">33.93us</td><td align="right">34.82us</td><td align="right">207.66us</td><td align="right">67</td></tr>
|
|
<tr><td>SpeckSmall (192-bit key, ECB mode)</td><td align="right">35.20us</td><td align="right">35.88us</td><td align="right">220.55us</td><td align="right">67</td></tr>
|
|
<tr><td>SpeckSmall (256-bit key, ECB mode)</td><td align="right">36.46us</td><td align="right">36.93us</td><td align="right">233.32us</td><td align="right">67</td></tr>
|
|
<tr><td>SpeckTiny (128-bit key, ECB mode)</td><td align="right">33.93us</td><td align="right"> </td><td align="right">10.22us</td><td align="right">35</td></tr>
|
|
<tr><td>SpeckTiny (192-bit key, ECB mode)</td><td align="right">35.20us</td><td align="right"> </td><td align="right">13.62us</td><td align="right">35</td></tr>
|
|
<tr><td>SpeckTiny (256-bit key, ECB mode)</td><td align="right">36.46us</td><td align="right"> </td><td align="right">16.89us</td><td align="right">35</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>AEAD Algorithm</td><td align="right">Encryption (per byte)</td><td align="right">Decryption (per byte)</td><td align="right">Key Setup</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>ChaChaPoly</td><td align="right">41.20us</td><td align="right">41.19us</td><td align="right">902.36us</td><td align="right">221</td></tr>
|
|
<tr><td>GCM<AES128></td><td align="right">109.71us</td><td align="right">109.26us</td><td align="right">1265.69us</td><td align="right">284</td></tr>
|
|
<tr><td>GCM<AES192></td><td align="right">116.38us</td><td align="right">115.92us</td><td align="right">1485.56us</td><td align="right">316</td></tr>
|
|
<tr><td>GCM<AES256></td><td align="right">123.04us</td><td align="right">122.59us</td><td align="right">1760.28us</td><td align="right">348</td></tr>
|
|
<tr><td>GCM<Speck> (256-bit key)</td><td align="right">86.74us</td><td align="right">86.29us</td><td align="right">646.88us</td><td align="right">378</td></tr>
|
|
<tr><td>GCM<SpeckTiny> (256-bit key)</td><td align="right">112.90us</td><td align="right">112.44us</td><td align="right">1225.48us</td><td align="right">138</td></tr>
|
|
<tr><td>EAX<AES128></td><td align="right">71.14us</td><td align="right">71.14us</td><td align="right">1311.97us</td><td align="right">268</td></tr>
|
|
<tr><td>EAX<AES256></td><td align="right">97.80us</td><td align="right">97.80us</td><td align="right">1806.57us</td><td align="right">332</td></tr>
|
|
<tr><td>EAX<Speck> (256-bit key)</td><td align="right">25.89us</td><td align="right">25.88us</td><td align="right">690.63us</td><td align="right">362</td></tr>
|
|
<tr><td>EAX<SpeckTiny> (256-bit key)</td><td align="right">78.20us</td><td align="right">78.20us</td><td align="right">1269.19us</td><td align="right">122</td></tr>
|
|
<tr><td>Acorn128</td><td align="right">20.39us</td><td align="right">20.06us</td><td align="right">4817.82us</td><td align="right">60</td></tr>
|
|
<tr><td>Ascon128</td><td align="right">42.71us</td><td align="right">43.07us</td><td align="right">738.68us</td><td align="right">60</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>Hash Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Finalization</td><td> </td><td>State Size (bytes)</td></tr>
|
|
<tr><td>SHA1</td><td align="right">21.86us</td><td align="right">1421.86us</td><td align="right"> </td><td align="right">95</td></tr>
|
|
<tr><td>SHA256</td><td align="right">43.85us</td><td align="right">2841.04us</td><td align="right"> </td><td align="right">107</td></tr>
|
|
<tr><td>SHA512</td><td align="right">122.82us</td><td align="right">15953.42us</td><td align="right"> </td><td align="right">211</td></tr>
|
|
<tr><td>SHA3_256</td><td align="right">60.69us</td><td align="right">8180.24us</td><td align="right"> </td><td align="right">205</td></tr>
|
|
<tr><td>SHA3_512</td><td align="right">113.88us</td><td align="right">8196.34us</td><td align="right"> </td><td align="right">205</td></tr>
|
|
<tr><td>BLAKE2s</td><td align="right">20.65us</td><td align="right">1335.25us</td><td align="right"> </td><td align="right">107</td></tr>
|
|
<tr><td>BLAKE2b</td><td align="right">65.22us</td><td align="right">8375.34us</td><td align="right"> </td><td align="right">211</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>Authentication Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Finalization</td><td align="right">Key Setup</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>SHA1 (HMAC mode)</td><td align="right">21.86us</td><td align="right">4290.62us</td><td align="right">1418.49us</td><td align="right">95</td></tr>
|
|
<tr><td>SHA256 (HMAC mode)</td><td align="right">43.85us</td><td align="right">8552.61us</td><td align="right">2836.49us</td><td align="right">107</td></tr>
|
|
<tr><td>BLAKE2s (Keyed mode)</td><td align="right">20.65us</td><td align="right">1335.25us</td><td align="right">1339.51us</td><td align="right">107</td></tr>
|
|
<tr><td>BLAKE2s (HMAC mode)</td><td align="right">20.65us</td><td align="right">4055.56us</td><td align="right">1350.00us</td><td align="right">107</td></tr>
|
|
<tr><td>BLAKE2b (Keyed mode)</td><td align="right">65.22us</td><td align="right">8375.34us</td><td align="right">8357.25us</td><td align="right">211</td></tr>
|
|
<tr><td>Poly1305</td><td align="right">26.26us</td><td align="right">489.11us</td><td align="right">17.06us</td><td align="right">53</td></tr>
|
|
<tr><td>GHASH</td><td align="right">74.59us</td><td align="right">15.91us</td><td align="right">14.79us</td><td align="right">33</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>XOF Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Extending (per byte)</td><td>Encryption (per byte)</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>SHAKE128</td><td align="right">49.43us</td><td align="right">49.02us</td><td align="right">49.59us</td><td align="right">206</td></tr>
|
|
<tr><td>SHAKE256</td><td align="right">60.77us</td><td align="right">60.37us</td><td align="right">60.93us</td><td align="right">206</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>Public Key Operation</td><td align="right">Time (per operation)</td><td colspan="3">Comment</td></tr>
|
|
<tr><td>Curve25519::eval()</td><td align="right">2716ms</td><td colspan="3">Raw curve evaluation</td></tr>
|
|
<tr><td>Curve25519::dh1()</td><td align="right">2718ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>Curve25519::dh2()</td><td align="right">2717ms</td><td colspan="3">Second half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>Ed25519::sign()</td><td align="right">5148ms</td><td colspan="3">Digital signature generation</td></tr>
|
|
<tr><td>Ed25519::verify()</td><td align="right">8196ms</td><td colspan="3">Digital signature verification</td></tr>
|
|
<tr><td>Ed25519::derivePublicKey()</td><td align="right">5102ms</td><td colspan="3">Derive a public key from a private key</td></tr>
|
|
<tr><td>P521::eval()</td><td align="right">46290ms</td><td colspan="3">Raw curve evaluation</td></tr>
|
|
<tr><td>P521::dh1()</td><td align="right">46293ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>P521::dh2()</td><td align="right">46304ms</td><td colspan="3">Second half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>P521::sign()</td><td align="right">60514ms</td><td colspan="3">Digital signature generation</td></tr>
|
|
<tr><td>P521::verify()</td><td align="right">109078ms</td><td colspan="3">Digital signature verification</td></tr>
|
|
<tr><td>P521::derivePublicKey()</td><td align="right">46290ms</td><td colspan="3">Derive a public key from a private key</td></tr>
|
|
<tr><td>NewHope::keygen(), Ref</td><td align="right">639ms</td><td colspan="3">Generate key pair for Alice, Ref version</td></tr>
|
|
<tr><td>NewHope::sharedb(), Ref</td><td align="right">1237ms</td><td colspan="3">Generate shared secret and public key for Bob, Ref version</td></tr>
|
|
<tr><td>NewHope::shareda(), Ref</td><td align="right">496ms</td><td colspan="3">Generate shared secret for Alice, Ref version</td></tr>
|
|
<tr><td>NewHope::keygen(), Torref</td><td align="right">777ms</td><td colspan="3">Generate key pair for Alice, Torref version</td></tr>
|
|
<tr><td>NewHope::sharedb(), Torref</td><td align="right">1376ms</td><td colspan="3">Generate shared secret and public key for Bob, Torref version</td></tr>
|
|
<tr><td>NewHope::shareda(), Torref</td><td align="right">496ms</td><td colspan="3">Generate shared secret for Alice, Torref version</td></tr>
|
|
</table>
|
|
|
|
Where a cipher supports more than one key size (such as ChaCha), the values
|
|
are typically almost identical for 128-bit and 256-bit keys so only the
|
|
maximum is shown above.
|
|
|
|
Due to the memory requirements, P521 and NewHope performance was measured on
|
|
an Arduino Mega 2560 running at 16 MHz. They are too big to fit in the
|
|
RAM size of the Uno.
|
|
|
|
\subsection crypto_performance_arm Performance on ARM
|
|
|
|
All figures are for the Arduino Due running at 84 MHz:
|
|
|
|
<table>
|
|
<tr><td>Encryption Algorithm</td><td align="right">Encryption (per byte)</td><td align="right">Decryption (per byte)</td><td align="right">Key Setup</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>AES128 (ECB mode)</td><td align="right">6.58us</td><td align="right">11.40us</td><td align="right">38.15us</td><td align="right">188</td></tr>
|
|
<tr><td>AES192 (ECB mode)</td><td align="right">7.94us</td><td align="right">13.83us</td><td align="right">39.79us</td><td align="right">220</td></tr>
|
|
<tr><td>AES256 (ECB mode)</td><td align="right">9.30us</td><td align="right">16.25us</td><td align="right">49.68us</td><td align="right">252</td></tr>
|
|
<tr><td>AESTiny128 (ECB mode)</td><td align="right">7.23us</td><td align="right"> </td><td align="right">1.25us</td><td align="right">20</td></tr>
|
|
<tr><td>AESTiny256 (ECB mode)</td><td align="right">10.62us</td><td align="right"> </td><td align="right">1.43us</td><td align="right">36</td></tr>
|
|
<tr><td>AESSmall128 (ECB mode)</td><td align="right">7.23us</td><td align="right">12.33us</td><td align="right">23.44us</td><td align="right">36</td></tr>
|
|
<tr><td>AESSmall256 (ECB mode)</td><td align="right">10.62us</td><td align="right">16.92us</td><td align="right">31.88us</td><td align="right">68</td></tr>
|
|
<tr><td>ChaCha (20 rounds)</td><td align="right">0.87us</td><td align="right">0.88us</td><td align="right">4.96us</td><td align="right">136</td></tr>
|
|
<tr><td>ChaCha (12 rounds)</td><td align="right">0.70us</td><td align="right">0.71us</td><td align="right">4.96us</td><td align="right">136</td></tr>
|
|
<tr><td>ChaCha (8 rounds)</td><td align="right">0.62us</td><td align="right">0.62us</td><td align="right">4.96us</td><td align="right">136</td></tr>
|
|
<tr><td>Speck (128-bit key, ECB mode)</td><td align="right">0.97us</td><td align="right">0.96us</td><td align="right">36.80us</td><td align="right">288</td></tr>
|
|
<tr><td>Speck (192-bit key, ECB mode)</td><td align="right">1.00us</td><td align="right">0.98us</td><td align="right">38.14us</td><td align="right">288</td></tr>
|
|
<tr><td>Speck (256-bit key, ECB mode)</td><td align="right">1.03us</td><td align="right">1.01us</td><td align="right">39.31us</td><td align="right">288</td></tr>
|
|
<tr><td>SpeckSmall (128-bit key, ECB mode)</td><td align="right">2.72us</td><td align="right">2.30us</td><td align="right">26.89us</td><td align="right">80</td></tr>
|
|
<tr><td>SpeckSmall (192-bit key, ECB mode)</td><td align="right">2.80us</td><td align="right">2.39us</td><td align="right">27.80us</td><td align="right">80</td></tr>
|
|
<tr><td>SpeckSmall (256-bit key, ECB mode)</td><td align="right">2.90us</td><td align="right">2.48us</td><td align="right">29.08us</td><td align="right">80</td></tr>
|
|
<tr><td>SpeckTiny (128-bit key, ECB mode)</td><td align="right">2.72us</td><td align="right"> </td><td align="right">1.47us</td><td align="right">48</td></tr>
|
|
<tr><td>SpeckTiny (192-bit key, ECB mode)</td><td align="right">2.81us</td><td align="right"> </td><td align="right">1.54us</td><td align="right">48</td></tr>
|
|
<tr><td>SpeckTiny (256-bit key, ECB mode)</td><td align="right">2.90us</td><td align="right"> </td><td align="right">1.83us</td><td align="right">48</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>AEAD Algorithm</td><td align="right">Encryption (per byte)</td><td align="right">Decryption (per byte)</td><td align="right">Key Setup</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>ChaChaPoly</td><td align="right">1.71us</td><td align="right">1.71us</td><td align="right">45.08us</td><td align="right">240</td></tr>
|
|
<tr><td>GCM<AES128></td><td align="right">10.90us</td><td align="right">10.90us</td><td align="right">248.83us</td><td align="right">312</td></tr>
|
|
<tr><td>GCM<AES192></td><td align="right">12.30us</td><td align="right">12.31us</td><td align="right">296.83us</td><td align="right">344</td></tr>
|
|
<tr><td>GCM<AES256></td><td align="right">13.66us</td><td align="right">13.67us</td><td align="right">350.25us</td><td align="right">376</td></tr>
|
|
<tr><td>GCM<Speck> (256-bit key)</td><td align="right">5.27us</td><td align="right">5.28us</td><td align="right">75.31us</td><td align="right">408</td></tr>
|
|
<tr><td>GCM<SpeckTiny> (256-bit key)</td><td align="right">7.06us</td><td align="right">7.07us</td><td align="right">94.20us</td><td align="right">168</td></tr>
|
|
<tr><td>EAX<AES128></td><td align="right">12.33us</td><td align="right">12.33us</td><td align="right">234.91us</td><td align="right">280</td></tr>
|
|
<tr><td>EAX<AES256></td><td align="right">16.99us</td><td align="right">16.99us</td><td align="right">322.92us</td><td align="right">344</td></tr>
|
|
<tr><td>EAX<Speck> (256-bit key)</td><td align="right">2.80us</td><td align="right">2.80us</td><td align="right">81.63us</td><td align="right">384</td></tr>
|
|
<tr><td>EAX<SpeckTiny> (256-bit key)</td><td align="right">6.69us</td><td align="right">6.69us</td><td align="right">110.91us</td><td align="right">144</td></tr>
|
|
<tr><td>Acorn128</td><td align="right">0.75us</td><td align="right">0.75us</td><td align="right">175.70us</td><td align="right">64</td></tr>
|
|
<tr><td>Ascon128</td><td align="right">3.52us</td><td align="right">3.50us</td><td align="right">51.67us</td><td align="right">72</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>Hash Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Finalization</td><td> </td><td>State Size (bytes)</td></tr>
|
|
<tr><td>SHA1</td><td align="right">0.94us</td><td align="right">62.34us</td><td align="right"> </td><td align="right">112</td></tr>
|
|
<tr><td>SHA256</td><td align="right">1.15us</td><td align="right">76.60us</td><td align="right"> </td><td align="right">120</td></tr>
|
|
<tr><td>SHA512</td><td align="right">2.87us</td><td align="right">370.37us</td><td align="right"> </td><td align="right">224</td></tr>
|
|
<tr><td>SHA3_256</td><td align="right">5.64us</td><td align="right">735.29us</td><td align="right"> </td><td align="right">224</td></tr>
|
|
<tr><td>SHA3_512</td><td align="right">10.42us</td><td align="right">735.49us</td><td align="right"> </td><td align="right">224</td></tr>
|
|
<tr><td>BLAKE2s</td><td align="right">0.80us</td><td align="right">53.39us</td><td align="right"> </td><td align="right">120</td></tr>
|
|
<tr><td>BLAKE2b</td><td align="right">1.28us</td><td align="right">164.66us</td><td align="right"> </td><td align="right">224</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>Authentication Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Finalization</td><td align="right">Key Setup</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>SHA1 (HMAC mode)</td><td align="right">0.94us</td><td align="right">196.74us</td><td align="right">68.06us</td><td align="right">112</td></tr>
|
|
<tr><td>SHA256 (HMAC mode)</td><td align="right">1.15us</td><td align="right">238.98us</td><td align="right">80.44us</td><td align="right">120</td></tr>
|
|
<tr><td>BLAKE2s (Keyed mode)</td><td align="right">0.80us</td><td align="right">53.39us</td><td align="right">55.10us</td><td align="right">120</td></tr>
|
|
<tr><td>BLAKE2s (HMAC mode)</td><td align="right">0.80us</td><td align="right">168.20us</td><td align="right">57.60us</td><td align="right">120</td></tr>
|
|
<tr><td>BLAKE2b (Keyed mode)</td><td align="right">1.28us</td><td align="right">164.66us</td><td align="right">166.68us</td><td align="right">224</td></tr>
|
|
<tr><td>Poly1305</td><td align="right">0.81us</td><td align="right">19.01us</td><td align="right">2.57us</td><td align="right">60</td></tr>
|
|
<tr><td>GHASH</td><td align="right">4.47us</td><td align="right">1.52us</td><td align="right">2.60us</td><td align="right">36</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>XOF Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Extending (per byte)</td><td>Encryption (per byte)</td><td>State Size (bytes)</td></tr>
|
|
<tr><td>SHAKE128</td><td align="right">4.60us</td><td align="right">4.45us</td><td align="right">4.59us</td><td align="right">232</td></tr>
|
|
<tr><td>SHAKE256</td><td align="right">5.64us</td><td align="right">5.49us</td><td align="right">5.63us</td><td align="right">232</td></tr>
|
|
<tr><td colspan="5"> </td></tr>
|
|
<tr><td>Public Key Operation</td><td align="right">Time (per operation)</td><td colspan="3">Comment</td></tr>
|
|
<tr><td>Curve25519::eval()</td><td align="right">103ms</td><td colspan="3">Raw curve evaluation</td></tr>
|
|
<tr><td>Curve25519::dh1()</td><td align="right">103ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>Curve25519::dh2()</td><td align="right">104ms</td><td colspan="3">Second half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>Ed25519::sign()</td><td align="right">195ms</td><td colspan="3">Digital signature generation</td></tr>
|
|
<tr><td>Ed25519::verify()</td><td align="right">306ms</td><td colspan="3">Digital signature verification</td></tr>
|
|
<tr><td>Ed25519::derivePublicKey()</td><td align="right">194ms</td><td colspan="3">Derive a public key from a private key</td></tr>
|
|
<tr><td>P521::eval()</td><td align="right">1503ms</td><td colspan="3">Raw curve evaluation</td></tr>
|
|
<tr><td>P521::dh1()</td><td align="right">1503ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>P521::dh2()</td><td align="right">1503ms</td><td colspan="3">Second half of Diffie-Hellman key agreement</td></tr>
|
|
<tr><td>P521::sign()</td><td align="right">1860ms</td><td colspan="3">Digital signature generation</td></tr>
|
|
<tr><td>P521::verify()</td><td align="right">3423ms</td><td colspan="3">Digital signature verification</td></tr>
|
|
<tr><td>P521::derivePublicKey()</td><td align="right">1503ms</td><td colspan="3">Derive a public key from a private key</td></tr>
|
|
<tr><td>NewHope::keygen(), Ref</td><td align="right">29ms</td><td colspan="3">Generate key pair for Alice, Ref version</td></tr>
|
|
<tr><td>NewHope::sharedb(), Ref</td><td align="right">41ms</td><td colspan="3">Generate shared secret and public key for Bob, Ref version</td></tr>
|
|
<tr><td>NewHope::shareda(), Ref</td><td align="right">9ms</td><td colspan="3">Generate shared secret for Alice, Ref version</td></tr>
|
|
<tr><td>NewHope::keygen(), Torref</td><td align="right">42ms</td><td colspan="3">Generate key pair for Alice, Torref version</td></tr>
|
|
<tr><td>NewHope::sharedb(), Torref</td><td align="right">53ms</td><td colspan="3">Generate shared secret and public key for Bob, Torref version</td></tr>
|
|
<tr><td>NewHope::shareda(), Torref</td><td align="right">9ms</td><td colspan="3">Generate shared secret for Alice, Torref version</td></tr>
|
|
</table>
|
|
*/
|