Cryptology ePrint Archive: Report 2015/343
High-speed Curve25519 on 8-bit, 16-bit, and 32-bit microcontrollers
Michael Düll and Björn Haase and Gesine Hinterwälder and Michael Hutter and Christof Paar and Ana Helena Sánchez and Peter Schwabe
Abstract: This paper presents new speed records for 128-bit secure elliptic-curve Diffie-Hellman key-exchange
software on three different popular microcontroller architectures. We consider a 255-bit curve proposed by Bernstein
known as Curve25519, which has also been adopted by the IETF. We optimize the X25519 key-exchange
protocol proposed by Bernstein in 2006 for AVR ATmega 8-bit microcontrollers, MSP430X 16-bit microcontrollers,
and for ARM Cortex-M0 32-bit microcontrollers. Our software for the AVR takes only 13 900 397 cycles
for the computation of a Diffie-Hellman shared secret, and is the first to perform this computation in less than
a second if clocked at 16 MHz for a security level of 128 bits. Our MSP430X software computes a shared secret
in 5 301 792 cycles on MSP430X microcontrollers that have a 32-bit hardware multiplier and in 7 933 296 cycles
on MSP430X microcontrollers that have a 16-bit multiplier. It thus outperforms previous constant-time ECDH
software at the 128-bit security level on the MSP430X by more than a factor of 1.2 and 1.15, respectively. Our
implementation on the Cortex-M0 runs in only 3 589 850 cycles and outperforms previous 128-bit secure ECDH
software by a factor of 3.
Category / Keywords: public-key cryptography / elliptic curve cryptography, Curve25519, ECDH key-exchange, microcontroller, AVR ATmega, MSP430, ARM Cortex-M0, implementation
Original Publication (in the same form): Designs, Codes and Cryptography
DOI: bd41e6b96370dea91c5858f1b809b581
Date: received 16 Apr 2015, last revised 17 Apr 2015
Contact author: bjoern m haase at web de
Note: Typo in the abstract.
Version: 20150420:015205
Short URL: ia.cr/2015/343