Cryptography on Cortex-M4: Rust + Assembly = 💕

Cryptography on Cortex-M4:
Rust + Assembly = love
Nicolas Stalder
GitHub @nickray, Twitter: @nickraystalder
[email protected]
Oxidize 1k
March 20, 2020 (v1)

View Slide

Background / Motivation
• Nicolas Stalder (@nickray) is a
mathematician (arithmetic geometry)
• SoloKeys is an open source hardware 
key company (e.g. FIDO2)
• Just like > 20 billion IoT devices, need:
• establish secure communication
• proof of device identity
• O Cortex-M cryptography, where art thou?

View Slide

Oh look, it's us!
really bad SEO?
lack of interest?

View Slide

Two Types of Crypto
(grossly simpliﬁed)
Symmetric (+ Hashes) Asymmetric
• secret key
• combinatorics
• manipulation of 32-bit words
• RustCrypto! h/t @tarcieri
• public/private keypair
• arithmetic
• very large integers
• platform speciﬁc! ycrypto :)

View Slide

Pyramid of Requirements
correct, understandable, API
constant time
physical attacks
...
table stakes to 
at least try hard!
can't live without!
https://www.bearssl.org/constanttime.html

View Slide

Thesis
• Rust is (mostly...)
amazing at expressing the
mathematical structure in terms of traits
• With some effort, can trick the compiler into not
being too smart (breaking constant time) at
high and intermediate level (subtle, zeroize, ...)
• At the lowest level (inner loop), need assembly
to make optimal use of platform capabilities in
constant time. Play a "game of lego".

View Slide

Illustrative Example
salty: a library for Ed25519
signatures on Cortex-M4
• structure from TweetNaCl
• API from ed25519-dalek
• ﬁeld implementation from 
Björn M. Haase
#salty:matrix.org
#solokeys:matrix.org

View Slide

Rust Example #1
• Not every [u32; 8] array is a valid public key! 
The point represented needs to be on the curve
• Attacks possible if not
• Idiomatic Rust offers TryFrom trait for constructors 
that can fail
• API offers only safe ways to construct PublicKey

View Slide

The Maths
(grossly simpliﬁed)
• Coordinates of points are integers modulo
• Can represent as array [u32; 8] of 32-bit words 
(like numbers are usually written as array of digits)
• Addition/Multiplication is word-by-word, with carry, 
and reduction modulo prime q
• For example, bit 31 of word 7 is replaced with 19

View Slide

Rust Example #2
Express the
mathematical
expectations on a
ﬁeld implementation
Implementation
ﬂexibility:
• TweetNaCl uses
[i64; 16]
• Björn Haase uses
[u32; 8]

View Slide

Why Cortex-M4?
(and above: M33, M35-P, M55, ...)
Source: ARM® Cortex®-M{3,4} Technical Reference Manual
M3 M4
M4 only (DSP)

View Slide

The Instructions
lo, hi, a, b are 32-bit words, all instructions take one cycle only
• UMULL ( lo, hi, a, b ): Unsigned Long Multiply 
(hi, lo) = a * b
• UMLAL ( lo, hi, c, d ): Unsigned Long Multiply, with Accumulate 
(hi, lo) += a * b
• UMAAL ( lo, hi, a, b ): ..., with Accumulate Accumulate :) 
(hi, lo) = lo + hi + a * b
it ﬁts!

View Slide

UMAAL maybe in Action?
Could be implemented 
in many different ways, 
possibly branching on 
the (secret) data

View Slide

UMAAL in Action!
Use case: 
sum of three words

View Slide

Next Steps
• End-to-end timing and power consumption testing
• WIP: crypto-service offering compile-time selection of
cryptographic algorithms, with encrypted storage
• RPC API over heapless queues, designed to run in secure
Trustzone-M domain. Non-secure domain can only access
handles and wrapped key material
• default implementations (salty, nisty, RustCrypto) for Cortex-M4,
conﬁgurable and pluggable use of hardware acceleration
• SoloKeys "model Bee" ﬁrmware public soon!

View Slide

Links
• docs.rs/salty
• github.com/ycrypto: community for Cortex-M4
• github.com/BjoernMHaase/fe25519
• github.com/RustCrypto, docs.rs/ed25519-dalek
• tweetnacl.cr.yp.to/papers.html
• bearssl.org/constanttime.html
Nicolas Stalder
Github @nickray, Twitter @nickraystalder
[email protected]
#solokeys:matrix.org
Thank you!

View Slide

Cryptography on Cortex-M4: Rust + Assembly = 💕

Cryptography on Cortex-M4: Rust + Assembly = 💕

Nicolas Stalder

Other Decks in Programming

Featured

Transcript