SWRA667, January 2020. CC1312PSIP, CC1312R, CC1314R10, CC1352P, CC1352P7, CC1352R, CC2642R, CC2642R-Q1, CC2652P, CC2652R, CC2652R7, CC2652RB, CC2652RSIP

 

Cryptographic Performance and Energy Efficiency on SimpleLink™ CC13x2/CC26x2 Wireless MCUs

Benefits of Cryptographic Acceleration in Embedded Security Solutions

Cryptographic acceleration offers many benefits including:

  • Increased performance: On embedded systems with limited CPU performance, cryptographic accelerators can speed up the crypto operations. This improves throughput and eases latency requirements in the application.
  • Concurrency: It lets applications offload the processing of cryptographic operations from the CPU to the accelerator so the CPU can focus on other operational tasks. This can improve CPU availability for other tasks.
  • Reduced energy consumption: Hardware acceleration consumes less energy than a software implementation of the same cryptographic operations. That is, both the overall power and the time needed for the crypto operations are lower than with a software implementation. For battery-powered embedded applications, this can help extend battery life.

Here are some examples of security solutions in resource-constrained embedded systems that benefit from cryptographic acceleration:

  1. Reduce latency and optimize energy for implementing networking security
    1. Commissioning devices into a network with security credentials typically prescribes asymmetric cryptography operations (for example, Bluetooth® Low Energy Secure Connections pairing or Thread network commissioning) to mitigate the risks of eavesdropping and man-in-the-middle attacks during the commissioning process. The handshakes use key exchanges based on asymmetric cryptography and, as a result, are often computationally intensive. It is not uncommon for these asymmetric cryptography operations to take on the order of hundreds of milliseconds to seconds if implemented in software alone. By using hardware cryptographic accelerators, the overall handshake can be sped up by a factor of 10 or more. This enables a more responsive user experience for end users commissioning devices onto the network.
    2. The data communicated over the network is typically encrypted at different network protocol layers (for example, MAC or link layer, network layer, session layer, application layer), and messages must be encrypted and decrypted at the corresponding layers. Cryptographic accelerators not only help meet critical latency requirements (for example, packet ACK turnaround times within the MAC layer) but can also optimize the overall energy consumed by the cryptographic operations that implement networking security. This improves energy efficiency and can extend the battery life of applications, depending on the network data traffic to and from the device.
  2. Speed up secure boot operation to reduce overall device boot time
    1. Secure boot is a fundamental security task performed upon device boot to validate the firmware that the device is about to execute. This involves computing the hash of the firmware image and using this hash to verify the firmware image’s signature (stored along with the firmware image) with the root of trust secure boot authentication key stored on-chip.
    2. Using asymmetric cryptography for firmware image authentication only requires storing the public key for signature verification and is therefore a preferred method for secure boot operations. See Reference [1] for secure boot in SimpleLink CC13x2/CC26x2 Wireless MCUs. Symmetric key based firmware image authentication, on the other hand, requires storing on the device the same symmetric key that is used for signing the image. If the symmetric key is not properly secured, it can be used to sign arbitrary images, which the device then accepts and executes as if they were valid. If the same symmetric key is used in multiple devices, compromising one device may be leveraged into compromising all devices using this key.
    3. The time required to compute the hash depends on the size of the firmware image to be verified and the throughput of the hash algorithm implementation. Hardware acceleration of the hash algorithm can help shorten the duration, especially for larger image sizes. In MIPS-constrained microcontrollers, asymmetric signature verification typically takes on the order of hundreds of milliseconds to multiple seconds with software-based implementations. Cryptographic accelerators can speed up this operation in embedded microcontrollers. In applications where the boot-up time is critical, cryptographic accelerators are beneficial to reduce the overall boot time.
  3. Reduce application downtime during secure firmware updates
    1. During device firmware update, regular application operation is halted to perform image verification and programming of a new firmware image. This results in application downtime. Many applications have restrictions on application downtime; that is, the maximum acceptable period of time the application may be down during firmware updates. A device firmware update is comprised of new image verification, followed by programming the new image into the device’s non-volatile memory. This order may be reversed depending on whether the new firmware image received is stored on-chip or off-chip. Depending on the image size of the new firmware image to be updated and flash programming time (comprised of flash erase and write times – see the device-specific data sheet for flash timing), the image verification step could contribute significantly towards the overall application downtime. Cryptographic acceleration can help reduce the application downtime during firmware updates and also optimize overall energy consumed during firmware updates.
    2. Secure firmware updates require validating the new firmware image before programming and/or executing the new image on the device. Similar to secure boot, this involves computing the hash of the new firmware image to verify the firmware image signature (sent along with the new firmware image) using the root of trust firmware update authentication key stored on-chip. Asymmetric cryptography for firmware image authentication is preferred over combined asymmetric/symmetric cryptography schemes when only image integrity and authenticity are required as this only requires storing the public key on-chip for signature verification.
    3. As discussed in item 3 of point 2 above, cryptographic accelerators can speed up the image verification operation, which involves hash computation and signature verification. This reduces the overall application downtime during firmware updates.
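
The key-storage argument from the secure boot item above, as an added example that is not taken from the application note or the SimpleLink SDK: it compares a symmetric (HMAC) image check with an asymmetric one and reports what the material stored on a device can authenticate. Because the Python standard library has no ECDSA, a Lamport one-time signature stands in for the asymmetric scheme; all function names and image bytes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def sha256(data):
    return hashlib.sha256(data).digest()

def digest_bits(image):
    """Hash the image (the step a hash accelerator speeds up) and return its 256 bits."""
    d = sha256(image)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Symmetric scheme: the device must store the same key that signs images.
def mac_image(key, image):
    return hmac.new(key, image, hashlib.sha256).digest()

def mac_boot_check(device_key, image, tag):
    return hmac.compare_digest(mac_image(device_key, image), tag)

# Asymmetric stand-in (Lamport, one key pair per image): the device stores only `public`.
def sig_keygen():
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(sha256(a), sha256(b)) for a, b in private]
    return private, public

def sig_sign(private, image):
    return [private[i][bit] for i, bit in enumerate(digest_bits(image))]

def sig_boot_check(public, image, sig):
    bits = digest_bits(image)
    return len(sig) == 256 and all(
        hmac.compare_digest(sha256(s), public[i][bit])
        for i, (bit, s) in enumerate(zip(bits, sig)))

def compare_schemes():
    genuine, other = b"constructed firmware v1.0", b"constructed unauthorised image"
    key = secrets.token_bytes(32)       # present in every device using this scheme
    private, public = sig_keygen()      # `private` never leaves the signing host
    sig = sig_sign(private, genuine)
    public_as_sig = [public[i][bit] for i, bit in enumerate(digest_bits(other))]
    return {
        "mac_genuine_boots": mac_boot_check(key, genuine, mac_image(key, genuine)),
        # The device-held key produces a valid tag for any image, on any device sharing it.
        "mac_device_key_signs_other": mac_boot_check(key, other, mac_image(key, other)),
        "sig_genuine_boots": sig_boot_check(public, genuine, sig),
        "sig_replayed_on_other": sig_boot_check(public, other, sig),
        # The device-held public values verify signatures but cannot create one.
        "sig_public_key_signs_other": sig_boot_check(public, other, public_as_sig),
    }
```
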