ECC Operations on nrf52840dongle

Help
#1

Hi All,

I am using the nrf52840dongle on RIOT OS. In my application, I need to do some cryptographic operations for eg. signing and verifying using elliptic curve cryptography. I am using the Micro-ECC for RIOT for this.

  1. Suppose I want to verify a signature using the verify function from uECC. The verifying function takes around 190 milliseconds in the nrf52840dongle. Is it possible to somehow reduce the time required for these operations ?

  2. I can see from Nordic Website that the nrf52840 series has ARM® TrustZone® Cryptocell. Is RIOT OS already using this Cryptocell when the dongle does cryptographic operations ? Or is it something different and has to be accessed separately? I meant something like specifying to use the Cryptocell in Makefile.

  3. If RIOT is not already using the Crypto cell, will the cryptographic operations be fast after using it?

Any leads are highly appreciated :slight_smile:

Regards,

Adarsh

#2

Hi Adarsh,

  1. Unfortunately, this is the time Micro-ECC takes. We measured this for a paper a while ago and got the same amount of time. As far as I know it can’t be faster. It is actually the fastest of the software implementations we measured, so I can’t really recommend and alternative.

  2. As of today, RIOT does not support the Cryptocell accelerator, but we are working on it (I am currently preparing a PR that will add Crypto funcionality to RIOT and allow for the integration of hardware drivers). If you need it quickly and don’t mind using the (quite complex) API directly, you can find an example application here: EWSN-2021/section-6/cryptocell_ecdsa at master · inetrg/EWSN-2021 · GitHub It uses a RIOT branch that integrates a Cryptocell driver for the Nordic nRF52840dk. The RIOT version is out of date, but if you put a little work into it, you might be able to reuse the code.

  3. It’s speed will increase by a factor of ten, so it’s definitely worth it (here are our measurements, if you’re interested: https://www.ewsn.org/file-repository/ewsn2021/Article8.pdf).

I hope this helps! If you have more questions, please ask =) Regards Lena

2 Likes
#3

Hi Lena,

Thanks for the reply. Its so cool that it will increase the speed by 10 times ! I will certainly have a look and get back to you.

Cheers, Adarsh

#4

Hi Lena,

I was able to build and flash your sample in the nrf52840dongle. But the Key gen,signing and verification always fails.

Screenshot from 2022-06-23 14-14-16
Screenshot from 2022-06-23 14-14-16867×210 49.5 KB

I can see in the source code that a extern CRYS_RND_State_t rndState_ptr;* is defined.Is it supposed to be like that ? Or is it declared in some other file ?

My plan is to create public and private keys separately(without using the key_gen function from crypto cell) and store the keys in CRYS_ECPKI_UserPrivKey_t and CRYS_ECPKI_UserPublKey_t for signing and verifying.Is it possible to do that or must the keys be generated using CRYS_ECPKI_GenKeyPair() function ?

/*! The EC private key's user structure prototype. This structure must be saved by the user, and is used as input to the ECC functions
(such as ::CRYS_ECDSA_Sign etc.). */
typedef struct   CRYS_ECPKI_UserPrivKey_t
{
    /*! Validation tag. */
    uint32_t    valid_tag;
    /*! Private key data. */
    uint32_t    PrivKeyDbBuff[(sizeof(CRYS_ECPKI_PrivKey_t)+3)/4];

}  CRYS_ECPKI_UserPrivKey_t;

Do I need to set the valid_tag in the structure ?

1 Like
#5

Hi Adarsh, The example uses the RIOT version that is included as a submodule in the repository.

The random state pointer is declared here: RIOT/armcc_setup.c at 4fa096530e4aeede87a4ea8315c006c422de73c5 · inetrg/RIOT · GitHub and initialized in the setup function further down. Before using the driver, this setup function must be called. If you’re using the RIOT version of the example, it should automatically called in the board_init function here: RIOT/board.c at 4fa096530e4aeede87a4ea8315c006c422de73c5 · inetrg/RIOT · GitHub

If you use your own RIOT version, you need to add those setup steps somewhere.

#6

You can use your own keys, but you need to turn them into User Key types first. There are functions for that. You can find the documentation in the Nordic Infocenter: nRF5 SDK v17.1.0: CryptoCell key build for ECC APIs

2 Likes
#7

Hi Lena ,

At present I am on the EWSN-2021 branch of RIOT in your repo.But I will use my own RIOT version later. Thanks for the info :+1:

#8

Hi Lena,

I was able to run the Application successfully for nrf52840dongle on your RIOT branch. I needed to make some changes in RIOT/boards/nrf52840dongle/board.c. I needed to add some headers and function to support crypto cell for the dongle.I made the board.c of the dongle similar to RIOT/boards/common/nrf52xxxdk/board.c.I believe you have tested the application for nrf52840dk, not for the nrf52840dongle.

I could also set the public key and private key using the ECC APIs,then sign and verify using the User Key types.

Later on I tried to adapt the crypto cell library for 2022.01 release of RIOT. I made 2 changes for that. First I checked the diff between 2022.01 RIOT/cpu/nrf52 and EWSN-2021 RIOT/cpu/nrf52 and updated the cpu for nrf52.

Then I changed board.c of nrf52840dongle and added the same lines that I have added in board.c in EWSN RIOT branch(same as explained in the first paragraph).

#include "cpu.h"
#include "board.h"
#include "kernel_defines.h"

#include "periph/gpio.h"

#if IS_ACTIVE(MODULE_LIB_CRYPTOCELL)
#include "armcc_setup.h"
#endif

void board_init(void)
{
    /* initialize the board's single LED */
    gpio_init(LED0_PIN, GPIO_OUT);
    gpio_set(LED0_PIN);

    /* initialize the board's RGB LED */
    gpio_init(LED1_PIN, GPIO_OUT);
    gpio_set(LED1_PIN);
    gpio_init(LED2_PIN, GPIO_OUT);
    gpio_set(LED2_PIN);
    gpio_init(LED3_PIN, GPIO_OUT);
    gpio_set(LED3_PIN);
    
    /* initialize the CPU */
    cpu_init();
    #if IS_ACTIVE(MODULE_LIB_CRYPTOCELL)
    cryptocell_setup();
    #endif  
}

I also noted that the cpu_int() function is not present in board.c in 2022.01 release. Then I tried to compile ecdsa_crypro cell sample for 2022.01 release.Then I got the following error

Screenshot from 2022-06-24 11-13-08
Screenshot from 2022-06-24 11-13-081366×307 63.5 KB

If I comment out the cpu_init() function from board.c,I get another set of errors.

Screenshot from 2022-06-24 11-16-29
Screenshot from 2022-06-24 11-16-291366×768 175 KB

I get undefined reference to the ECC functions.

Could you tell me if I need to make changes in any other files other than board.c and cpu/nrf52? For eg. specifying the crypto cell library in any other config or makefiles inside RIOT ?

Regards, Adarsh

#9

Hi Adarsh, I’m sorry that I’m answering so late, I didn’t get a notification. What are you using for the build-time configuration? Kconfig or make?

#10

Also, did you link the library archive file somewhere?

Should look like this:

ARCHIVES += /path/to/library/libnrf_cc310_0.9.12.a
1 Like
#11

Hi @Einhornhool ,

Now I am using Make file…later on I need to use kconfig.

I was able to port 2022.01 release of RIOT and everything works fine. I did not link the Archive library before,now I have added

ARCHIVES += /path/to/library/libnrf_cc310_0.9.12.a

in my makefile.I also needed to make some changes in armcc_setup.c.After adapting the CPU for nrf52,I was not able to build other applications which does not need crypto cell.

Screenshot from 2022-06-29 23-24-03
Screenshot from 2022-06-29 23-24-031678×182 46.6 KB

I got this error,even though I do not use crypto cell library. So I have made like this

#if IS_ACTIVE(MODULE_LIB_CRYPTOCELL)
void isr_cryptocell(void)
{
    CRYPTOCELL_IRQHandler();
}
#endif

The conditional compilation part was not there in armcc_setup.c

After these changes the signing and verification were successful with using using my own keys :slight_smile:
The signing and verification takes around 20 ms each.Waaaay better than 190 ms from µECC. :handshake:

Thank you so much :metal:

Regards, Adarsh

#12

Great! I’m glad I could help!

1 Like