Cifra is a collection of cryptographic primitives targeted at embedded use.
In order of descending emphasis, cifra aims for:
- Clarity and simplicity.
- Countermeasures for side channel leaks inherent in some algorithms.
- Suitability for embedded use. Particularly: cifra uses an absolute minimum of the standard C library and is reasonably efficient with respect to code and data space.
- AES in the GCM, CCM and EAX authenticated encryption modes.
- SHA224, SHA256, SHA384 and SHA512 hash functions (including HMAC and PBKDF2).
- SHA3-224, SHA3-256, SHA3-384, SHA3-512 hash functions (FIPS 202 draft compatible).
- ChaCha20 and Salsa20 stream ciphers.
- Poly1305 one time MAC.
- 100% code coverage by line, zero static analysis defects, valgrind-clean.
Additionally cifra imports curve25519 from elsewhere (nacl, tweetnacl, Adam Langley's donna) for comparison between various implementations on embedded targets.
Available at Read the Docs.
There is quite a lot of testing available:
- Host builds: run
make testin thesrcdirectory. This builds and runs assorted test programs. - Emulated embedded builds: run
make testin thesrc/armdirectory. This expects to findqemu-system-gnuarmeclipseon the path. These tests assume a Cortex-M0 target. - Cortex-M0 on-target tests: run
make test.stm32f0in thesrc/armdirectory. This expects to findopenocdon the path, with an STM32F0xx attached via stlinkv2. It uses ARM semihosting to report results. - Cortex-M3/4 on-target tests: run
make test.stm32f1ormake test.stm32f3as above.
Additionally all embedded targets expect to find the arm-none-eabi toolchain
to be on the path.
All measurements performed at -Os (optimise for space), on the following MCUs:
| Core | Part number | Price (1s) | Max clock | Flash | SRAM |
|---|---|---|---|---|---|
| Cortex-M0 | STM32F030F4P6 | 1.17EUR | 48MHz | 16KB | 4KB |
| Cortex-M3 | STM32F103C8T6 | 2.87EUR | 72MHz | 64KB | 20KB |
| Cortex-M4F | STM32F303K6T6 | 4.53EUR | 72MHz | 32KB | 12KB |
This test does a key schedule, then encrypts one block.
| Core | Cycles (key schedule + block) | Cycles (key schedule) | Cycles (block) | Stack | Code size |
|---|---|---|---|---|---|
| Cortex-M0 | 7156 | 2147 | 5009 | 312B | 1020B |
| Cortex-M3 | 4692 | 1591 | 3101 | 300B | 960B |
| Cortex-M4F | 4591 | 1571 | 3020 | 300B | 960B |
| Core | Cycles (key schedule + block) | Cycles (key schedule) | Cycles (block) | Stack | Code size |
|---|---|---|---|---|---|
| Cortex-M0 | 10611 | 3650 | 6961 | 396B | 1100B |
| Cortex-M3 | 6735 | 2450 | 4285 | 380B | 1048B |
| Cortex-M4F | 6588 | 2416 | 4172 | 380B | 1048B |
This test encrypts and authenticates a 16 byte message, with 16 bytes additionally authenticated data. It includes the initial key schedule.
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 56959 | 828B | 2612B |
| Cortex-M3 | 43130 | 836B | 2672B |
| Cortex-M4F | 43239 | 836B | 2672B |
This test encrypts and authenticates a 16 byte message, with 16 bytes additionally authenticated data. It includes the initial key schedule.
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 50175 | 928B | 2572B |
| Cortex-M3 | 32738 | 924B | 2548B |
| Cortex-M4F | 32052 | 924B | 2548B |
This test encrypts and authenticates a 16 byte message, with 16 bytes additionally authenticated data. It includes the initial key schedule.
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 40364 | 808B | 2284B |
| Cortex-M3 | 26674 | 796B | 2236B |
| Cortex-M4F | 26120 | 796B | 2236B |
This test encrypts a 64 byte message.
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 5631 | 568B | 1328B |
| Cortex-M3 | 3449 | 568B | 1360B |
| Cortex-M4F | 3342 | 568B | 1360B |
(For comparison with AES, add an AES256 key schedule plus 4 blocks. That's about 33K cycles.)
This test encrypts a 64 byte message.
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 5780 | 568B | 1336B |
| Cortex-M3 | 3222 | 572B | 1272B |
| Cortex-M4F | 3137 | 572B | 1272B |
This test hashes the empty string (one compression function invocation).
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 21804 | 460B | 1476B |
| Cortex-M3 | 15591 | 456B | 1508B |
| Cortex-M4F | 15432 | 456B | 1508B |
This test hashes the empty string (one compression function invocation).
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 55709 | 780B | 2544B |
| Cortex-M3 | 43258 | 836B | 2676B |
| Cortex-M4F | 42884 | 836B | 2676B |
This test hashes the empty string (one sponge permutation).
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 86857 | 1024B | 1960B |
| Cortex-M3 | 77621 | 1008B | 1944B |
| Cortex-M4F | 73663 | 1008B | 1944B |
This test hashes the empty string (one sponge permutation).
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 86210 | 1056B | 1960B |
| Cortex-M3 | 77206 | 1040B | 1944B |
| Cortex-M4F | 73256 | 1040B | 1944B |
This test computes a MAC with a 32 byte key over the message "hello world".
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 60610 | 1364B | 1916B |
| Cortex-M3 | 40660 | 1360B | 1928B |
| Cortex-M4F | 40186 | 1360B | 1928B |
This test computes a MAC with a 32 byte key over the message "hello world". It includes the AES nonce processing.
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 16728 | 732B | 1944B |
| Cortex-M3 | 11523 | 712B | 1928B |
| Cortex-M4F | 11209 | 712B | 1900B |
This test is one point multiplicat 7002 ion.
| Core | Cycles | Stack | Code size |
|---|---|---|---|
| Cortex-M0 | 88696559 | 1720B | 1600B |
| Cortex-M3 | 30659678 | 1684B | 1556B |
| Cortex-M4F | 27143515 | 1684B | 1556B |
See curve25519-shootout for comparison between the included curve25519 implementations.
Cifra requires memcpy, memset, abort and assert.
Keccak hash function (aka SHA3).Poly1305 one-time MAC.- Constant time curve25519 for Cortex-M4F using the FPU.
- Constant time curve25519 for Cortex-M3 (avoiding the variable-time multiplier).
CC0.
Please attribute the author. This is a request only, and not a license term.
Joseph Birr-Pixton jpixton@gmail.com