Cryptography on Cortex-M4: Rust + Assembly = 💕

Transcript

1. Cryptography on Cortex-M4: Rust + Assembly = love Nicolas Stalder

   GitHub @nickray, Twitter: @nickraystalder [email protected] Oxidize 1k March 20, 2020 (v1)

2. Background / Motivation • Nicolas Stalder (@nickray) is a mathematician

   (arithmetic geometry) • SoloKeys is an open source hardware
 key company (e.g. FIDO2) • Just like > 20 billion IoT devices, need: • establish secure communication • proof of device identity • O Cortex-M cryptography, where art thou?

3. Oh look, it's us! really bad SEO? lack of interest?

4. Two Types of Crypto (grossly simplified) Symmetric (+ Hashes) Asymmetric

   • secret key • combinatorics • manipulation of 32-bit words • RustCrypto! h/t @tarcieri • public/private keypair • arithmetic • very large integers • platform specific! ycrypto :)

5. Pyramid of Requirements correct, understandable, API constant time physical attacks

   ... table stakes to
 at least try hard! can't live without! https://www.bearssl.org/constanttime.html

6. Thesis • Rust is (mostly...) amazing at expressing the mathematical

   structure in terms of traits • With some effort, can trick the compiler into not being too smart (breaking constant time) at high and intermediate level (subtle, zeroize, ...) • At the lowest level (inner loop), need assembly to make optimal use of platform capabilities in constant time. Play a "game of lego".

7. Illustrative Example salty: a library for Ed25519 signatures on Cortex-M4

   • structure from TweetNaCl • API from ed25519-dalek • field implementation from
 Björn M. Haase #salty:matrix.org #solokeys:matrix.org

8. Rust Example #1 • Not every [u32; 8] array is

   a valid public key!
 The point represented needs to be on the curve • Attacks possible if not • Idiomatic Rust offers TryFrom trait for constructors
 that can fail • API offers only safe ways to construct PublicKey

9. The Maths (grossly simplified) • Coordinates of points are integers

   modulo • Can represent as array [u32; 8] of 32-bit words
 (like numbers are usually written as array of digits) • Addition/Multiplication is word-by-word, with carry,
 and reduction modulo prime q • For example, bit 31 of word 7 is replaced with 19

10. Rust Example #2 Express the mathematical expectations on a field

    implementation Implementation flexibility: • TweetNaCl uses [i64; 16] • Björn Haase uses [u32; 8]

11. Why Cortex-M4? (and above: M33, M35-P, M55, ...) Source: ARM®

    Cortex®-M{3,4} Technical Reference Manual M3 M4 M4 only (DSP)

12. The Instructions lo, hi, a, b are 32-bit words, all

    instructions take one cycle only • UMULL ( lo, hi, a, b ): Unsigned Long Multiply
 (hi, lo) = a * b • UMLAL ( lo, hi, c, d ): Unsigned Long Multiply, with Accumulate
 (hi, lo) += a * b • UMAAL ( lo, hi, a, b ): ..., with Accumulate Accumulate :)
 (hi, lo) = lo + hi + a * b it fits!

13. UMAAL maybe in Action? Could be implemented
 in many different

    ways,
 possibly branching on
 the (secret) data

14. UMAAL in Action! Use case:
 sum of three words

15. Next Steps • End-to-end timing and power consumption testing •

    WIP: crypto-service offering compile-time selection of cryptographic algorithms, with encrypted storage • RPC API over heapless queues, designed to run in secure Trustzone-M domain. Non-secure domain can only access handles and wrapped key material • default implementations (salty, nisty, RustCrypto) for Cortex-M4, configurable and pluggable use of hardware acceleration • SoloKeys "model Bee" firmware public soon!

16. Links • docs.rs/salty • github.com/ycrypto: community for Cortex-M4 • github.com/BjoernMHaase/fe25519

    • github.com/RustCrypto, docs.rs/ed25519-dalek • tweetnacl.cr.yp.to/papers.html • bearssl.org/constanttime.html Nicolas Stalder Github @nickray, Twitter @nickraystalder [email protected] #solokeys:matrix.org Thank you!