arduinolibs/doc/crypto.dox

/*
 * Copyright (C) 2015 Southern Storm Software, Pty Ltd.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */

/**
\file crypto.dox
\page crypto Cryptographic Library

\section crypto_algorithms Supported Algorithms

\li Block ciphers: AES128, AES192, AES256
\li Block cipher modes: CTR, CFB, CBC, OFB
li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly
\li Hash algorithms: SHA1, SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
\li Message authenticators: Poly1305, GHASH
\li Public key algorithms: Curve25519
\li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource

All cryptographic algorithms have been optimized for 8-bit Arduino platforms
like the Uno.  Memory usage is also reduced, particularly for SHA1, SHA256,
and SHA512 which save 256, 192, and 512 bytes respectively over traditional
implementations.  For all algorithms, static sbox tables and the like are
placed into program memory to further reduce data memory usage.

ChaCha with 20 rounds and 256-bit keys is the recommended
symmetric encryption algorithm because it is twice as fast as AES128,
constant-time, and much more secure.  AES128, AES192, and AES256 are
provided for use in applications where compatibility with other systems
is desirable.

BLAKE2s and BLAKE2b are variations on the ChaCha stream cipher, designed for
hashing, with 256-bit and 512-bit hash outputs respectively.  They are
intended as high performance replacements for SHA256 and SHA512 for when
speed is critical but exact bit-compatibility of hash values is not.

\section crypto_other Examples and other topics

\li \ref crypto_rng "Generating random numbers"

\section crypto_performance Performance

All figures are for the Arduino Uno running at 16 MHz.  Figures for the
Ardunino Mega 2560 running at 16 MHz are similar:

<table>
<tr><td>Algorithm</td><td>Encryption / Hashing (per byte)</td><td>Decryption (per byte)</td><td>Key Setup</td><td>State Size (bytes)</td></tr>
<tr><td>AES128 (ECB mode)</td><td align="right">36.90us</td><td align="right">66.48us</td><td align="right">160.00us</td><td align="right">213</td></tr>
<tr><td>AES192 (ECB mode)</td><td align="right">44.20us</td><td align="right">80.35us</td><td align="right">166.54us</td><td align="right">245</td></tr>
<tr><td>AES256 (ECB mode)</td><td align="right">51.50us</td><td align="right">94.22us</td><td align="right">227.97us</td><td align="right">277</td></tr>
<tr><td>ChaCha (20 rounds)</td><td align="right">14.87us</td><td align="right">14.88us</td><td align="right">43.74us</td><td align="right">132</td></tr>
<tr><td>ChaCha (12 rounds)</td><td align="right">10.38us</td><td align="right">10.38us</td><td align="right">43.74us</td><td align="right">132</td></tr>
<tr><td>ChaCha (8 rounds)</td><td align="right">8.13us</td><td align="right">8.14us</td><td align="right">43.74us</td><td align="right">132</td></tr>
<tr><td>ChaChaPoly</td><td align="right">41.23us</td><td align="right">41.23us</td><td align="right">902.55us</td><td align="right">255</td></tr>
<tr><td>SHA1</td><td align="right">21.90us</td><td> </td><td align="right"> </td><td align="right">95</td></tr>
<tr><td>SHA256</td><td align="right">43.85us</td><td> </td><td align="right"> </td><td align="right">107</td></tr>
<tr><td>SHA512</td><td align="right">123.24us</td><td> </td><td align="right"> </td><td align="right">211</td></tr>
<tr><td>SHA3_256</td><td align="right">121.69us</td><td> </td><td align="right"> </td><td align="right">405</td></tr>
<tr><td>SHA3_512</td><td align="right">229.12us</td><td> </td><td align="right"> </td><td align="right">405</td></tr>
<tr><td>BLAKE2s</td><td align="right">18.54us</td><td> </td><td align="right"> </td><td align="right">171</td></tr>
<tr><td>BLAKE2b</td><td align="right">50.58us</td><td> </td><td align="right"> </td><td align="right">339</td></tr>
<tr><td>Poly1305</td><td align="right">26.29us</td><td> </td><td align="right"> </td><td align="right">87</td></tr>
<tr><td>GHASH</td><td align="right">148.14us</td><td> </td><td align="right"> </td><td align="right">33</td></tr>
</table>

Where a cipher supports more than one key size (such as ChaCha), the values
are typically almost identical for 128-bit and 256-bit keys so only the
maximum is shown above.

Public key algorithms have the following results on an Arduino Uno:

<table>
<tr><td>Algorithm</td><td>Operation</td><td>Time</td><td>Comment</td></tr>
<tr><td>Curve25519</td><td>\link Curve25519::eval() eval()\endlink</td><td>3738 ms</td><td>Raw curve evaluation</td></tr>
<tr><td>Curve25519</td><td>\link Curve25519::dh1() dh1()\endlink</td><td>3740 ms</td><td>First half of Diffie-Hellman key agreement</td></tr>
<tr><td>Curve25519</td><td>\link Curve25519::dh2() dh2()\endlink</td><td>3738 ms</td><td>Second half of Diffie-Hellman key agreement</td></tr>
</table>

*/