Focusing on elliptic-curve cryptography (ECC), Oberon has developed a set of algorithms that take advantage of a single-cycle multiplier but which also use a set of what the company reckons are novel optimizations to reduce execution times. As well as speeding up execution on constrained microcontrollers, RAM requirements were brought down to just 2.5Kbyte.
Cuno Pfister, Oberon managing director, said: “Our target is to address Bluetooth LE-enabled devices that have very constrained memory. We knew it would be difficult to convince people of its correctness, so we developed a formal proof.”
OberonHAP implements these cryptographic algorithms for pairing, authentication and encryption: Secure Remote Password (SRP); Ed25519; Curve25519; HKDF-SHA-512; ChaCha20-Poly1305.
According to Oberon, cryptographic processing of the SRP algorithm – which is required once in the lifetime of a home automation device – takes less than five seconds. A typical implementation on an ARM Cortex-M0 processor can significantly longer, Pfister said, because of the structure of its multiplier. The algorithm, which performs modulo arithmetic to a depth of 300 bits, works Better if a 32 x 32bit fixed-point multiplier feeds into a 64bit register. The M0 provides a 32bit result, which means Oberon can only use it to handle 16bit chunks.
The code developed by Oberon takes advantage of a single-cycle multiply to improve resistance to a number of side-channel attack techniques, particularly those that monitor execution time.
Pfister said the ECC algorithms developed by Daniel Bernstein’s team such as Ed25519 “have been designed to make it easier to mitigate the risk of side-channel attacks. But you still have to be careful, especially when using assembly language to make sure every operation takes the same amount of time or you leak information.”
Together with the single-cycle multiplier, the Cortus APS3RP has a Harvard architecture with a comparatively simple three-stage pipeline to minimize gate count.