Speed means low cost and low-power operation

The speed of cryptographic code is important for maximizing throughput and for minimizing latencies in protocols that use the code. This can be relevant for meeting timing constraints or to obtain a good user experience. However, having faster code – i.e., code that performs the same work in fewer processor cycles – could also allow you to select slower microcontrollers and thereby reduce the BOM costs of your hardware. Moreover, as CMOS circuits mainly consume power when switching states, using fewer processor cycles means fewer state switches and therefore less power drain, which is particularly relevant for battery-powered devices.

See our benchmarks for performance and energy scores compared to other popular crypto libraries for resource-constrained hardware.

Algorithmic innovations

We have developed, analyzed and optimized the cryptographic code of ocrypto since 2013. During that time, we have introduced several unique algorithmic innovations, in order to achieve state-of-the-art performance while ensuring constant-time code execution:

  • A combination of known algorithms for multiplication in a prime field, including the modular reduction, that reduces the number of expensive instructions. For example, it brings down the number of multiplications for SRP from 64 to 8 million.
  • A new bitslice implementation of AES. A new field-theoretical approach to the S-box calculation allows an efficient, table-free implementation of AES without the overhead and complications of processing multiple blocks in parallel.
  • A new mathematical approach to the NIST P-256 curve. Our enhanced co-Z implementation of NIST P-256 is unique in that it is complete, correct, efficient, table-free, and executes in constant time even in all edge cases.

Assembly-language optimizations

Going beyond algorithmic innovations, we have carefully written the most critical parts of the code in assembly language for popular microcontroller cores. ocrypto thus makes advanced communication protocols and advanced firmware security features feasible even on low-power, low-cost 32-bit microcontrollers without hardware accelerators. It is also useful on processors that do have hardware acceleration: where the accelerator does not cover all relevant algorithms, where it is not available to all microcontroller cores, or where real-time threads compete for the accelerator hardware (e.g., where the application code competes with a BLE stack, or multiple encrypted connections run in parallel).