ocrypto – When Security Matters

To achieve the highest degree of security in home automation, Apple HomeKit relies on advanced cryptographic algorithms. The algorithms chosen by Apple are best known for their use on high-performance servers. On the low-cost, resource-constrained microcontrollers that are more typical for home automation, implementation of these algorithms is a major challenge. The ocrypto library is the best-in-class implementation of the cryptographic functions needed for HomeKit – and for many other kinds of IoT devices. Thanks to its outstanding software, Oberon microsystems has become one of the key partners of Apple in the HomeKit ecosystem, along with accessory and semiconductor manufacturers:

Tim Cook shows key partners of Apple for HomeKit

ocrypto has been developed over many years, and is continuously being further improved, by our seasoned Swiss engineering team. Our goal is to make your IoT products secure, even on low-cost hardware.

Security

For uncompromising security, the execution times of the relevant ocrypto operations do not depend on the secret data being processed. This mitigates the risk of common side-channel attacks such as timing attacks. This holds even for microcontrollers with data caches, e.g., products based on a Cortex-M7 core, and even for the NIST P-256 curve, which is particularly difficult to implement in constant time.

To achieve execution times independent of the processed data – while at the same time achieving state-of-the-art performance and sometimes even beating hardware accelerators – we have invented a novel algorithmic approach to multiplication in a prime field including modular reduction. We have created formal correctness proofs and had them reviewed by independent experts (Prof. W. Meier & Prof. C. Nicola), who found our proofs “in all parts mathematically and formally correct” (proof and review documents are available to licensees).
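As an added illustration of the constant-time principle described above (example code written for this page, not ocrypto's implementation and not its multiplication algorithm): addition modulo the NIST P-256 prime on 32-bit limbs, where the final reduction is always computed and then selected with a mask rather than an if/else, so the edge cases (sum >= p, or the sum overflowing 256 bits) take the same time as the common case. The limb layout and the function names are assumptions.

```c
#include <stdint.h>

/* Added example, not ocrypto code: constant-time addition modulo the NIST
 * P-256 prime with a branch-free final reduction covering the edge cases.
 * No branch or memory index depends on the operands, so timing leaks nothing. */
#define LIMBS 8
typedef uint32_t fe[LIMBS];   /* little-endian 32-bit limbs, value < p */

/* p = 2^256 - 2^224 + 2^192 + 2^96 - 1, least significant limb first */
static const fe P256 = { 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0u,
                         0u, 0u, 1u, 0xFFFFFFFFu };

/* r = (a + b) mod p.  The subtraction of p is always computed and then
 * selected with a mask, never with an if/else on secret data. */
void fe_add(fe r, const fe a, const fe b) {
    fe s, t;
    uint32_t carry = 0, borrow = 0;
    for (int i = 0; i < LIMBS; i++) {              /* s = a + b */
        uint64_t x = (uint64_t)a[i] + b[i] + carry;
        s[i] = (uint32_t)x;
        carry = (uint32_t)(x >> 32);
    }
    for (int i = 0; i < LIMBS; i++) {              /* t = s - p */
        uint64_t x = (uint64_t)s[i] - P256[i] - borrow;
        t[i] = (uint32_t)x;
        borrow = (uint32_t)(x >> 63);              /* 1 if this limb wrapped */
    }
    /* Keep t when the sum overflowed 256 bits or when s >= p (no borrow). */
    uint32_t mask = 0u - (carry | (borrow ^ 1u));  /* all ones or all zeros */
    for (int i = 0; i < LIMBS; i++)
        r[i] = (s[i] & ~mask) | (t[i] & mask);
}
/* Constant-time equality: 1 if a == b, else 0, with no early exit. */
int fe_equal(const fe a, const fe b) {
    uint32_t d = 0;
    for (int i = 0; i < LIMBS; i++) d |= a[i] ^ b[i];
    return (int)(((uint64_t)d - 1u) >> 63);
}
/* Self-check on the reduction edge cases; returns 1 when all pass. */
int fe_add_selftest(void) {
    const fe pm1 = { 0xFFFFFFFEu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0u, 0u, 0u, 1u, 0xFFFFFFFFu };
    const fe pm2 = { 0xFFFFFFFDu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0u, 0u, 0u, 1u, 0xFFFFFFFFu };
    const fe one = { 1u }, two = { 2u }, three = { 3u }, five = { 5u }, zero = { 0u };
    fe r;
    fe_add(r, pm1, one);   if (!fe_equal(r, zero)) return 0;  /* (p-1)+1 = 0 mod p */
    fe_add(r, pm1, pm1);   if (!fe_equal(r, pm2))  return 0;  /* sum exceeds 2^256 */
    fe_add(r, two, three); if (!fe_equal(r, five)) return 0;  /* no reduction needed */
    return 1;
}
```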

An extensive test suite validates ocrypto: standard test vectors, test vectors for edge cases, negative tests and random tests.

ocrypto is partially implemented in portable C code. Optimized assembly language variants of the most security- and time-critical cryptographic operations are available for several cores: ARM Cortex-M0/M0+/M23, ARM Cortex-M3, ARM Cortex-M4/M4F/M7/M33 and MIPS32 microAptiv UP. For Linux hardware, a fully portable C implementation can be provided. For some of the mentioned platforms, we also provide optimized implementations of NIST P-256 (aka prime256v1 and secp256r1).

ocrypto is used for example in Nordic Semiconductor’s HomeKit SDK for their Cortex-M4F BLE chips – see also this demo video. Thanks to its quality implementation and extreme optimizations, ocrypto is the choice for such scenarios.

Speed

We have developed, analyzed and optimized the cryptographic code of ocrypto since 2013. We have leveraged advanced mathematical transformations, and have carefully written critical parts in assembly language for popular microcontroller cores. The result is typically more than three times as fast as a good implementation in C. ocrypto thus makes advanced protocols such as HomeKit feasible even on low-power, low-cost 32-bit microcontrollers:

Core                                      Cortex-M0   Cortex-M3   Cortex-M4F                        microAptiv UP
Instruction set architecture              ARMv6-M     ARMv7-M     ARMv7E-M with FPv4-SP extension   MIPS32 with DSP enhancements
Clock frequency                           16 MHz      48 MHz      64 MHz                            200 MHz
Set up accessory – first phase with
  static setup code (with dynamic
  setup code: 3 times as long)            3.9 s       1.1 s       0.4 s                             0.1 s
Set up accessory – second phase with
  static or dynamic setup code            15.0 s      4.3 s       1.4 s                             0.4 s
Open session                              940 ms      260 ms      60 ms                             20 ms

The above HomeKit-related numbers only include the time for cryptographic processing. The communication protocol, accessory logic, and operating system at the other end will add to the experienced round-trip times. Note that accessory setup usually occurs only once in the lifetime of a HomeKit accessory and happens in two phases (before the setup code is entered on the iOS device, and after the setup code has been entered).

Size

RAM is often the most critical resource of a microcontroller. A complete HomeKit proof-of-concept with a BLE chip, implementing the light bulb profile, is feasible in less than 14 KB of RAM and 72 KB of flash. The chip vendor’s transport protocol stack (BLE in this case) and its internal buffers are not included in these numbers.

Supported Algorithms

The following algorithms are supported in ocrypto:

  • SRP-6/SHA512
  • Curve25519
  • Ed25519
  • ChaCha20
  • Poly1305
  • ChaCha20_Poly1305
  • HKDF_SHA512
  • NIST P-256 (aka prime256v1 and secp256r1)
  • SHA-1, SHA-256, SHA-512
  • AES (CTR, GCM, AEX)
  • RSA PKCS#1 v1.5, encrypt/decrypt, 1024-bit/2048-bit, with or without CRT keys
  • RSA PKCS#1 v1.5 SHA-256, sign/verify, 1024-bit/2048-bit, with or without CRT keys (no RSA key generation)
  • PBKDF2-SHA1
  • SRTP AES-CTR HMAC-SHA1, 128 to 256-bit

Supported Processor Cores and Instruction Sets

The following processor cores and instruction sets are supported by ocrypto:

  • Cortex-M0/M0+/M23
  • Cortex-M3
  • Cortex-M4/M7/M33
  • Cortex-M4F/M7F
  • MIPS microAptiv UP without DSP
  • MIPS microAptiv UP with DSP
  • ARMv6
  • ARMv7-A

Algorithm Innovations

  • New combination of known algorithms for multiplication in a prime field including modular reduction
    Reduces the number of expensive instructions. For example, it brings the number of multiplications for SRP down from 64 million to 8 million.
  • New mathematical approach for the NIST P-256 curve
    Enhanced co-Z implementation of the NIST P-256 curve that is correct and executes in constant time even in all edge cases.
  • New bitslice implementation for AES
    A new field-theoretical approach to the S-box calculation allows an efficient, table-free implementation of AES (and therefore no cache-timing leakage from table lookups) without the overhead and complications of handling multiple blocks in parallel.

Contact

For more information, please contact Cuno Pfister at pfister@oberon.ch. Oberon microsystems, Inc. is a Swiss software company located in Zurich. We have helped our customers develop unique, state-of-the-art connected products for more than 25 years: from huge Internet-connected hydro power plants to tiny Internet-connected hearing aids.

To receive news about ocrypto, please register on our OberonHAP mailing list.


HomeKit is a trademark of Apple Inc. Cortex is a trademark of ARM Limited. microAptiv is a trademark of Imagination Technologies. Bluetooth Low Energy is a trademark of the Bluetooth SIG and also known as BLE.