Setting the Benchmark for HomeKit Cryptography

Apple HomeKit relies on advanced cryptographic algorithms, better known for their use on high-performance servers than on the resource-constrained microcontrollers that are more typical for home automation. OberonHAP is a fast, tiny and trustworthy implementation of Apple’s HomeKit Accessory Protocol (HAP) – the most important software component of any HomeKit device. Thanks to its excellent implementation, Oberon microsystems has been featured as one of the key partners of Apple in the HomeKit ecosystem, along with accessory and semiconductor vendors:

Tim Cook shows key partners of Apple for HomeKit

The cryptography part of OberonHAP is now available separately from the HomeKit protocol implementation. This OberonCrypto library has been developed, and is continuously being further improved, by our seasoned Swiss engineering team. Our goal is to make it as easy as possible for you to create secure IoT products even when using low-cost hardware.

Speed

We have developed, analyzed and optimized the cryptographic code of OberonCrypto since 2013. We have leveraged advanced mathematical transformations, and have carefully written critical parts in assembly language for popular microcontroller cores. The result is typically more than three times as fast as a good implementation in C. OberonHAP thus makes HomeKit feasible even on low-power, low-cost 32-bit microcontrollers:

Core                              Cortex-M0   Cortex-M3   Cortus APS3RP   Cortex-M4F                        microAptiv UP
Instruction set architecture      ARMv6-M     ARMv7-M     Cortus V2       ARMv7E-M with FPv4-SP extension   MIPS32 with DSP enhancements
Clock frequency                   16 MHz      48 MHz      50 MHz          64 MHz                            200 MHz
Set up accessory, first phase     3.9 s       1.1 s       0.6 s           0.4 s                             0.1 s
  (static setup code; with a dynamic setup code this phase takes 3 times as long)
Set up accessory, second phase    15.0 s      4.3 s       2.2 s           1.4 s                             0.4 s
  (static or dynamic setup code)
Open session                      940 ms      260 ms      130 ms          60 ms                             20 ms

The above numbers only include the time for cryptographic processing. The communication protocol, accessory logic, and iOS at the other end will add to the experienced round-trip times. Note that accessory setup usually occurs only once in the lifetime of an accessory and happens in two phases (before the setup code is entered on the iOS device, and after the setup code has been entered).

Size

RAM is often the most critical resource of a microcontroller. A complete HomeKit proof-of-concept with a BLE chip, implementing the light bulb profile, works with less than 14 KB of RAM and about 72 KB of flash. The chip vendor’s transport protocol stack (BLE in this case) and its internal buffers are not included in these numbers.

Implementation

OberonCrypto is implemented in portable C code. Optimized assembly language variants of the time-critical cryptographic operations are available for several cores: ARM Cortex-M0/M0+/M23, ARM Cortex-M3, ARM Cortex-M4/M4F/M7/M33, MIPS32 microAptiv UP and Cortus APS3RP. For Linux hardware, a fully portable C implementation can be provided. For some of the mentioned platforms, we also provide optimized implementations of NIST P-256 (aka prime256v1 and secp256r1).

The performance of our cryptographic code is also due to a novel algorithmic approach to multiplication in a prime field including modular reduction. We have created formal correctness proofs and had them reviewed by independent experts (Prof. W. Meier & Prof. C. Nicola), who found our proofs “in all parts mathematically and formally correct” (proof and review documents are available to licensees).

The execution times of the security-relevant OberonCrypto operations do not depend on the secret data being processed (i.e. there are no secret-dependent branches or memory accesses). This mitigates timing side-channel attacks, and because the memory access pattern is also independent of the secret data, the property holds even on microcontrollers with data caches, e.g. products based on a Cortex-M7 core. It also holds for the NIST P-256 curve, which is difficult to implement in constant time. Note that constant-time execution addresses timing and cache channels only; power and electromagnetic side channels need separate countermeasures.
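The idioms such a constant-time implementation is built from, as an added example written for this page in plain C (it is not OberonCrypto code, and the inputs at the bottom are constructed): a comparison that leaks through early exit next to its constant-time form, a branch-free select, and the masked conditional swap that a Montgomery ladder performs on every secret key bit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not OberonCrypto code. Every secret-dependent branch is
 * replaced by arithmetic on masks, so the instruction sequence and the
 * memory accesses are the same for every input value. */

/* Variable-time comparison: returns at the first mismatch, so the elapsed
 * time reveals how many leading bytes of a MAC or tag were guessed right. */
int compare_leaky(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) return 0;          /* early exit: data-dependent timing */
    }
    return 1;
}

/* Constant-time comparison: always touches all n bytes and folds the
 * differences into one accumulator. Returns 1 if equal, 0 otherwise. */
int compare_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint32_t)(a[i] ^ b[i]);
    }
    /* diff - 1 has its top bit set only when diff == 0 */
    return (int)((diff - 1u) >> 31);
}

/* All-ones mask when bit == 1, all-zeros mask when bit == 0. */
static uint32_t ct_mask(uint32_t bit) {
    return (uint32_t)0 - (bit & 1u);
}

/* Branch-free select: returns cond ? a : b. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t m = ct_mask(cond);
    return (a & m) | (b & ~m);
}

/* Conditional swap of two n-limb field elements. A Montgomery ladder (as
 * used for Curve25519) calls this once per key bit; both elements are
 * read and written regardless of `swap`, so neither the timing nor the
 * cache state depends on the bit. */
void ct_cswap(uint32_t *x, uint32_t *y, size_t n, uint32_t swap) {
    uint32_t m = ct_mask(swap);
    for (size_t i = 0; i < n; i++) {
        uint32_t t = m & (x[i] ^ y[i]);
        x[i] ^= t;
        y[i] ^= t;
    }
}

/* Self-check of the swap on constructed limbs: returns 1 on success. */
int cswap_selftest(void) {
    uint32_t x[2] = {1, 2}, y[2] = {3, 4};
    ct_cswap(x, y, 2, 1);
    if (x[0] != 3 || x[1] != 4 || y[0] != 1 || y[1] != 2) return 0;
    ct_cswap(x, y, 2, 0);                    /* swap == 0 must leave both untouched */
    return x[0] == 3 && x[1] == 4 && y[0] == 1 && y[1] == 2;
}

int main(void) {
    const uint8_t tag[4]  = {0xde, 0xad, 0xbe, 0xef};   /* constructed MAC tag */
    const uint8_t good[4] = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t bad[4]  = {0xde, 0xad, 0xbe, 0x00};
    printf("compare_ct: good=%d bad=%d\n", compare_ct(tag, good, 4), compare_ct(tag, bad, 4));
    printf("ct_select(1,10,20)=%u ct_select(0,10,20)=%u\n", ct_select(1, 10, 20), ct_select(0, 10, 20));
    printf("cswap selftest: %s\n", cswap_selftest() ? "pass" : "FAIL");
    return 0;
}
```

The C source is only half of the story: an optimizing compiler may turn `ct_select` back into a branch or `compare_ct` into an early-out loop, which is one reason to hand-write the critical routines in assembly and to inspect the generated code (objdump) or measure it with a tool such as dudect before trusting the constant-time claim.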

An extensive test suite is used to validate OberonCrypto: standard test vectors, additional test vectors for border cases, negative tests and random tests.

OberonCrypto is used e.g. in Nordic Semiconductor’s HomeKit SDK for their Cortex-M0 and Cortex-M4F BLE chips – see also the Candy House demo video. Thanks to its extreme optimizations, OberonCrypto is the choice for such scenarios.

Supported Algorithms

The following algorithms are supported in OberonCrypto, not all of which are needed in HomeKit itself:

  • SRP-6/SHA512
  • Curve25519
  • Ed25519
  • ChaCha20
  • Poly1305
  • ChaCha20_Poly1305
  • HKDF_SHA512
  • NIST P-256 (aka prime256v1 and secp256r1)
  • SHA-1, SHA-256, SHA-512
  • AES (CTR, GCM, AEX)
  • RSA PKCS #1 v1.5 encrypt/decrypt, 1024-bit/2048-bit, with or without CRT keys
  • RSA PKCS #1 v1.5 with SHA-256 sign/verify, 1024-bit/2048-bit, with or without CRT keys (no RSA key generation)
  • PBKDF2-SHA1
  • SRTP AES-CTR with HMAC-SHA1, 128-256 bit

Supported Processor Cores and Instruction Sets

The following processor cores and instruction sets are supported in OberonCrypto:

  • Cortex-M0/M0+
  • Cortex-M3
  • Cortex-M4/M7
  • Cortex-M4F/M7F
  • MIPS microAptiv UP without DSP
  • MIPS microAptiv UP with DSP
  • Cortus APS3RP
  • ARMv6
  • ARMv7-A

Algorithm Innovations

  • New combination of known algorithms for multiplication in a prime field including modular reduction
    Reducing the number of expensive instructions; for example, bringing down the number of multiplications for SRP from 64 million to 8 million.
  • New mathematical approach for NIST P-256 curves
    Enhanced co-Z implementation of the NIST P-256 curve that is correct and executes in constant time even in all edge cases
  • New bitslice implementation for AES
    A new field-theoretical approach for the S-box calculation allows an efficient and table-free implementation of AES without the overhead and complications of handling multiple blocks in parallel
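To make concrete what "multiplication in a prime field including modular reduction" without a division per step means, here is an added example of the classic Montgomery reduction (REDC) on a single 64-bit limb, with a Montgomery-ladder exponentiation on top. This is the textbook technique, not Oberon's novel combination, and it is not OberonCrypto code; the multi-limb versions needed for SRP (thousands of bits), Curve25519 and P-256 have the same structure with more limbs. It assumes a compiler with `unsigned __int128` (GCC or Clang) and an odd modulus below 2^63; the modulus and operands at the bottom are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not OberonCrypto's algorithm: single-limb Montgomery
 * multiplication. R = 2^64. Values are kept in "Montgomery form" a*R mod n,
 * so each product a*b*R needs one REDC (multiplies and shifts) and no
 * division; the only divisions happen once, in mont_init. */

typedef unsigned __int128 u128;

typedef struct {
    uint64_t n;          /* odd modulus, n < 2^63 */
    uint64_t n_neg_inv;  /* -n^-1 mod 2^64 */
    uint64_t r2;         /* R^2 mod n, used to convert into Montgomery form */
} mont_ctx;

/* n^-1 mod 2^64 for odd n by Newton iteration; correct bits double per step. */
static uint64_t inv64(uint64_t n) {
    uint64_t x = n;                           /* n*n == 1 mod 8: 3 correct bits */
    for (int i = 0; i < 6; i++) x *= 2 - n * x;
    return x;
}

/* REDC: for t < n*R returns t * R^-1 mod n. */
static uint64_t redc(const mont_ctx *c, u128 t) {
    uint64_t m = (uint64_t)t * c->n_neg_inv;                  /* t + m*n == 0 mod R */
    uint64_t u = (uint64_t)((t + (u128)m * c->n) >> 64);      /* exact division by R, u < 2n */
    uint64_t s = u - c->n;                                    /* conditional subtraction */
    uint64_t keep = 0 - (uint64_t)(u < c->n);                 /* without a branch */
    return (u & keep) | (s & ~keep);
}

/* Precompute the per-modulus constants. Returns 0 if n is even or >= 2^63. */
int mont_init(mont_ctx *c, uint64_t n) {
    if ((n & 1) == 0 || (n >> 63) != 0) return 0;
    c->n = n;
    c->n_neg_inv = 0 - inv64(n);
    uint64_t r1 = (uint64_t)(((u128)1 << 64) % n);            /* R mod n   */
    c->r2 = (uint64_t)(((u128)r1 * r1) % n);                  /* R^2 mod n */
    return 1;
}

uint64_t mont_mul(const mont_ctx *c, uint64_t a, uint64_t b) { return redc(c, (u128)a * b); }
uint64_t to_mont(const mont_ctx *c, uint64_t a)    { return mont_mul(c, a % c->n, c->r2); }
uint64_t from_mont(const mont_ctx *c, uint64_t am) { return redc(c, (u128)am); }

/* base^exp mod n with a Montgomery ladder: one squaring and one multiplication
 * per exponent bit whatever its value, and the operand swap is masked, so the
 * exponent (e.g. SRP's private value) does not change the operation sequence. */
uint64_t mod_pow(const mont_ctx *c, uint64_t base, uint64_t exp) {
    uint64_t r0 = to_mont(c, 1), r1 = to_mont(c, base);
    for (int i = 63; i >= 0; i--) {
        uint64_t m = 0 - ((exp >> i) & 1);
        uint64_t t = m & (r0 ^ r1); r0 ^= t; r1 ^= t;         /* swap if bit set */
        r1 = mont_mul(c, r0, r1);
        r0 = mont_mul(c, r0, r0);
        t = m & (r0 ^ r1); r0 ^= t; r1 ^= t;                  /* swap back */
    }
    return from_mont(c, r0);
}

/* Reference with one division per product, used only to cross-check. */
uint64_t mod_mul_naive(uint64_t a, uint64_t b, uint64_t n) { return (uint64_t)(((u128)a * b) % n); }

/* Self-check on constructed values: returns 1 on success. */
int mont_selftest(void) {
    mont_ctx c;
    uint64_t n = 1000000007ull, a = 123456789ull, b = 987654321ull;   /* n is prime */
    if (!mont_init(&c, n)) return 0;
    if (from_mont(&c, to_mont(&c, a)) != a) return 0;                  /* round trip */
    if (from_mont(&c, mont_mul(&c, to_mont(&c, a), to_mont(&c, b))) != mod_mul_naive(a, b, n)) return 0;
    if (mod_pow(&c, 2, n - 1) != 1) return 0;                          /* Fermat: 2^(n-1) == 1 */
    if (mod_pow(&c, 3, 5) != 243 || mod_pow(&c, 5, 0) != 1) return 0;
    if (mont_init(&c, 10) != 0) return 0;                              /* even modulus rejected */
    return 1;
}

int main(void) {
    printf("Montgomery self-test: %s\n", mont_selftest() ? "pass" : "FAIL");
    return 0;
}
```

The multiplication count the text mentions follows directly from this structure: an l-limb REDC costs about 2l^2 single-limb multiplications and no division, and an exponentiation costs one REDC per squaring and per multiplication, so the limb multiplier (not a divider) is the operation an implementation must make fast, which is why the inner loop is the part worth writing in assembly.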

Contact

For more information, please contact Cuno Pfister at pfister@oberon.ch. Oberon microsystems, Inc. is a Swiss engineering firm located in Zurich. We have helped our customers develop unique, state-of-the-art connected products for more than 20 years: from huge Internet-connected hydro power plants to tiny Internet-connected hearing aids.

To receive news about OberonCrypto, please register on our OberonHAP mailing list.


HomeKit is a trademark of Apple Inc. Cortex is a trademark of ARM Limited. microAptiv is a trademark of Imagination Technologies. Cortus is a trademark of Cortus S.A.S. Bluetooth Low Energy is a trademark of the Bluetooth SIG and also known as BLE.