RECENT BLOG NEWS
Partner Webinar: wolfBoot security on the STM32H5 with PQC
Learn about the advanced security features of the STM32H5 microcontroller and how wolfBoot enhances these capabilities, including support for Post Quantum Cryptography.
Check it out today for “wolfBoot security on the STM32H5 with PQC.”
wolfSSL is excited to announce that wolfBoot, our secure bootloader, now supports the STM32H5 microcontroller series. This integration brings robust secure boot features and efficient update mechanisms to the STM32H5, following RFC9019 guidelines for a reliable secure boot solution.
The STM32H5 series excels within the STM32 family with superior performance and security. Built around the Arm Cortex-M33 core, it provides a notable boost in computational power and efficiency. Featuring TrustZone-M technology, it offers hardware-assisted isolation between secure and non-secure domains, enhancing security and simplifying secure application development. The series includes up to 2 MB of flash memory and 640 KB of SRAM, ideal for complex applications. Its dual-bank flash architecture enables quick firmware updates. Equipped with advanced cryptographic accelerators and a cryptographic-grade TRNG, the STM32H5 series is perfect for secure, high-performance embedded applications.
wolfBoot extends its support within the STM32 family by including target-specific security features offered by the STM32H5 series. Explore these features and their role in a system secured using wolfBoot, wolfCrypt, and wolfPKCS11.
During this webinar, attendees will learn about:
- STM32H5 Security Features
- wolfBoot Secure Boot Solution
- TrustZone with PKCS11
- Post Quantum Cryptography
- Dual Bank Swap, OTP for RoT, HW TRNG
- Live Demonstration
As always, our webinar includes Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfSSL on RISC-V Benchmarks (HiFive Unleashed)
We are excited to share the latest benchmark results of wolfSSL v5.7.0 running on the HiFive Unleashed at 1.4GHz. We implemented AES for ECB, CBC, CTR, GCM, and CCM using assembly for RISC-V. This benchmark demonstrates the performance capabilities of wolfSSL on RISC-V architecture, highlighting our commitment to providing high-performance, lightweight, and secure SSL/TLS solutions across diverse platforms.
The benchmark results prove that the new assembly optimizations are much faster.
With RISC-V assembly optimizations:
./configure --enable-riscv-asm && make root@HiFiveU:~/wolfssl-riscv# ./wolfcrypt/benchmark/benchmark -aes-cbc -aes-gcm------------------------------------------------------------------------------ wolfSSL version 5.7.0 ------------------------------------------------------------------------------ Math: Multi-Precision: Wolf(SP) word-size=64 bits=3072 sp_int.c wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each) AES-128-CBC-enc 20 MiB took 1.076 seconds, 18.588 MiB/s AES-128-CBC-dec 20 MiB took 1.083 seconds, 18.473 MiB/s AES-192-CBC-enc 20 MiB took 1.245 seconds, 16.062 MiB/s AES-192-CBC-dec 20 MiB took 1.246 seconds, 16.047 MiB/s AES-256-CBC-enc 15 MiB took 1.057 seconds, 14.189 MiB/s AES-256-CBC-dec 15 MiB took 1.055 seconds, 14.212 MiB/s AES-128-GCM-enc 15 MiB took 1.300 seconds, 11.543 MiB/s AES-128-GCM-dec 15 MiB took 1.300 seconds, 11.535 MiB/s AES-192-GCM-enc 15 MiB took 1.425 seconds, 10.526 MiB/s AES-192-GCM-dec 15 MiB took 1.425 seconds, 10.523 MiB/s AES-256-GCM-enc 10 MiB took 1.032 seconds, 9.687 MiB/s AES-256-GCM-dec 10 MiB took 1.032 seconds, 9.691 MiB/s GMAC Table 4-bit 31 MiB took 1.025 seconds, 30.251 MiB/s Benchmark complete
Without RISC-V assembly optimizations:
./configure —enable-all && make root@HiFiveU:~/wolfssl# ./wolfcrypt/benchmark/benchmark -aes-cbc -aes-gcm ------------------------------------------------------------------------------ wolfSSL version 5.7.0 ------------------------------------------------------------------------------ Math: Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each) AES-128-CBC-enc 5 MiB took 12.798 seconds, 0.391 MiB/s AES-128-CBC-dec 5 MiB took 12.672 seconds, 0.395 MiB/s AES-192-CBC-enc 5 MiB took 15.301 seconds, 0.327 MiB/s AES-192-CBC-dec 5 MiB took 15.181 seconds, 0.329 MiB/s AES-256-CBC-enc 5 MiB took 17.820 seconds, 0.281 MiB/s AES-256-CBC-dec 5 MiB took 17.669 seconds, 0.283 MiB/s AES-128-GCM-enc 5 MiB took 12.870 seconds, 0.388 MiB/s AES-128-GCM-dec 5 MiB took 12.870 seconds, 0.388 MiB/s AES-192-GCM-enc 5 MiB took 15.375 seconds, 0.325 MiB/s AES-192-GCM-dec 5 MiB took 15.376 seconds, 0.325 MiB/s AES-256-GCM-enc 5 MiB took 17.878 seconds, 0.280 MiB/s AES-256-GCM-dec 5 MiB took 17.896 seconds, 0.279 MiB/s AES-128-GCM-STREAM-enc 5 MiB took 12.878 seconds, 0.388 MiB/s AES-128-GCM-STREAM-dec 5 MiB took 12.878 seconds, 0.388 MiB/s AES-192-GCM-STREAM-enc 5 MiB took 15.379 seconds, 0.325 MiB/s AES-192-GCM-STREAM-dec 5 MiB took 15.385 seconds, 0.325 MiB/s AES-256-GCM-STREAM-enc 5 MiB took 17.881 seconds, 0.280 MiB/s AES-256-GCM-STREAM-dec 5 MiB took 17.888 seconds, 0.280 MiB/s GMAC Table 4-bit 30 MiB took 1.006 seconds, 29.831 MiB/s Benchmark complete
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
The Top 5 Build Options for Security in wolfSSL
Here at wolfSSL, we love giving the community and our customers lots of choices and options. That said, for the vast majority of our user base, all the options we are discussing in this post should be enabled to maximize your security and minimize your adversary’s opportunities.
#define WOLFSSL_HARDEN_TLS 112 or –enable-harden-tls=112
enables the following algorithms at the following key lengths
DH: at least 2048 bit keys
RSA: at least 2048 bit keys
ECC: at least 224 bit keys
#define WOLFSSL_HARDEN_TLS 128 or –enable-harden-tls=128
Disables 3DES ciphersuites
DH: at least 3072 bit keys
RSA: at least 3072 bit keys
ECC: at least 256 bit keys
#define NO_OLD_TLS or –diable-oldtls
This disables older protocols that are inherently insecure. The only protocols that are built are (D)TLS 1.2 and 1.3.
#define HAVE_ALPN or –enable-alpn
This helps to ensure that the right application is processing the connection. Please see RFC document for more details about how to use this TLS extension.
#define WOLFSSL_CIPHER_TEXT_CHECK or –enable-maxstrength
Add in extra checks after the processing of ciphertext input in order to mitigate glitching attacks.
#define WC_RSA_BLINDING or –enable-harden
RSA blinding involves transforming the input just before the RSA private key operations using some random data. After the operation, the reverse of the transform is performed giving the desired output. This prevents an adversary from gaining knowledge about the private key as they don’t know the random data that was used to determine the transform and therefore do not know the true input into the RSA private key operation.
#define TFM_TIMING_RESISTANT #define ECC_TIMING_RESISTANT or –enable-harden
These allow for constant time implementations of the math used in private key operations to mitigate timing attacks.
Oops, looks like we went a bit over 5! Want even more? Thinking about turning some of these off to get performance gains or reduce memory usage? Send a message to support@wolfSSL.com to start a conversation about it!
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
wolfSSL Supports Nucleus Legacy Customers
wolfSSL has partnered with Siemens to provide cyber-security solutions in the Nucleus RTOS stack for over a decade. Now that Nucleus ReadyStart has been discontinued, wolfSSL will continue to provide support and software updates for the wolfSSL, wolfCrypt, wolfMQTT, and wolfSSH components. This will help ensure that Nucleus customers’ applications are safe and secure.
wolfSSL supports the latest versions of TLS and DTLS for newer and older versions of Nucleus. wolfCrypt also supports the latest cryptography standards, including post quantum cryptography.
Direct support plans are available for our security tools, so please contact us with any questions about keeping your Nucleus project secure!
Check out our Support and Maintenance
Lastly, if you are considering migrating to another RTOS solution, wolfSSL can continue to provide the optimized security you have been accustomed to when using Nucleus. The wolfSSL projects are highly portable, and we would be happy to assist you with the migration process.
If you have any questions about keeping your Nucleus ReadyStart up to date with the latest wolfSSL code, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
TLS and Secure Boot in the EU Cyber Resilience Act
As of June 2024, the EU Cyber Resilience Act (CRA) is a pending piece of legislation that has been approved by the European Parliament and is waiting on adoption by the Council of the European Union. Once the act comes into force, manufacturers will have 36 months to apply the rules. It aims to tackle the challenges of cyber security in the EU and “safeguard consumers and businesses buying or using products or software with a digital component”. The act will require that any product sold in the EU with a digital component will adhere to stricter cyber security regulations. Products will have to be secure by default, have a way to apply security updates, have a clear vulnerability process, and define a product life cycle among other requirements.
The CRA requires that all communications are secure. We recommend using secure protocols such as SSL/TLS and SSH instead of trying to develop your own solution. These protocols provide privacy, integrity, and authentication across unsecure networks. They protect against unauthorized access and protect the confidentiality of the transmitted information.
To provide security updates to devices in the field, we recommend using wolfBoot’s Over-The-Air (OTA) update feature. This allows you to provide security updates in compliance with the CRA. wolfBoot provides a highly reliable, transport-agnostic firmware update mechanism.
Over at wolfSSL we take vulnerabilities very seriously. We investigate them immediately and fixes are always developed within days of an initial report. We implement rigorous security testing and code review to ensure the best quality releases possible.
With wolfSSL you can be sure that your products will meet the CRA requirements. For more questions about how to comply with the CRA, or if you have questions about any of the above, please write to us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Live Webinar: Post-Quantum Algorithms in cURL
Watch our webinar, “Post-Quantum Algorithms in cURL.” The session will be led by wolfSSL Senior Software Developer Anthony Hu.
In this session, Anthony will cover a wide range of topics, from the fundamental concepts of post-quantum algorithms, including the CNSA 2.0 timelines and the concept of “Harvest Now, Decrypt Later,” to a demonstration on how to make cURL transfers quantum-safe.
Check it out: Post-Quantum Algorithms in cURL
During this webinar, we will cover:
- Motivation: CNSA 2.0
- Demo Architecture
- Getting and Building the Code
- Demo Time!
- Post-Quantum Connection Explained
Gain an understanding of the importance of investing in post-quantum algorithms and learn how to create a quantum-safe security environment for cURL transfers in the future.
Watch it now! Time is ticking until post-quantum algorithm requirements become mandatory, so start preparing to secure your data using cURL with quantum-safe methods.
As always, our webinars will include Q&A sessions throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
TLS Session ID vs Tickets
All versions of the Transport Layer Security (TLS) protocol support resuming previously established connections. The keying material previously negotiated is re-used in the new connection. The major benefits of resuming sessions are the much shorter handshake and not having to recompute session keys. In embedded systems, both of these advantages are critical to decrease the latency of a connection. TLS session resumption uses much less bandwidth and fewer clock cycles than a full handshake. There are two methods to resume a TLS session: using the session ID or a session ticket.
The TLS session ID can be used to resume TLS <= 1.2 sessions. It has been deprecated in TLS 1.3 in favor of only tickets. The session ID is sent to the client from the server in the ServerHello message when performing a full handshake. When a client wants to resume a session, it sends the session ID in the ClientHello. The server then needs to find the session matching the ID in its cache and restore the keying material. This requires both sides to store the keying material. This means that servers need to have a cache that grows linearly with the number of peers that it intends to resume with.
TLS session resumption tickets are available in all versions of TLS, although TLS version 1.3 has introduced a few changes. The general idea is that a server can issue an encrypted ticket to the client that contains all of the data necessary to resume a session. The client has to store the ticket and the keying material to be able to resume the session while the server does not have to store anything (apart from the encryption key used to encrypt the ticket). This removes the cache burden on the server entirely. In TLS <= 1.2 the session ticket is sent as part of the handshake while in 1.3 it is a post-handshake message. This means that the server can actually issue multiple tickets in one connection but the client needs to wait until after the handshake for the server to send the ticket before it can resume a session. TLS 1.3 servers usually send the ticket as the first message right after the handshake.
To perform session resumption in wolfSSL, please see the documentation about the wolfSSL_get1_session API.
For more information about session resumption in wolfSSL, or if you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Announcing wolfSSL TPM support for the Espressif ESP32
Infineon and wolfSSL recently announced their collaborative Commitment to Trusted Computing.
wolfTPM is designed for embedded use and leverages all features in the TPM 2.0 specification. wolfTPM is ideal for resource constrained devices and runs on Windows, Linux, RTOS, and bare metal environments.
The Infineon OPTIGA TPM SLB 9672 supports Microsoft Windows and Linux environments. Infineon also offers software and tools to facilitate firmware updates for the TPM.
Today we add the Espressif ESP32 to the long list of devices with wolfTPM support. With the merge of the open source PR #351, our TPM library can now be used in the ESP-IDF for the Infineon 9673 I²C TPM 2.0 module, taking up only about 5×5 mm footprint for a PG-UQFN-32-1,-2 package.
In recent years, TPM gained more attention due to the requirement of Windows 11 machines to have a TPM module present to meet Microsoft’s Security Recommendations. In fact, many other[*1] devices have long taken advantage[*2] of the security features available in a TPM module.
Key features[*3] include :
- Optimized TPM device for IoT and ICT applications
- PQC-protected firmware update mechanism
- Compliant to TPM Main Specification, Family “2.0”, Level 00, Revision 01.59
- Certifications:
- CC, Version 3.1 Rev.5, level EAL4+, AVA_VAN.4 (moderate) according to TCG PC Client TPM Protection Profile (targeted)
- FIPS 140-2 level 2 (physical security level 3) (targeted)
- I2C interface
- Random Number Generator (RNG) implemented according to NIST SP800-90A using entropy source according to NIST SP800-90B
- Full personalization with 4 Endorsement Keys (EK) and 4 EK certificates (RSA 2048, RSA3072, ECC NIST P256, ECC NIST P384)
- Standard temperature range (-40°C .. +85°C) or enhanced temperature range (-40°C .. +105°C)
- PG-UQFN-32-1,-2 package
- Optimized for battery operated devices: low standby power consumption (typ. 120 µA)
- 24 PCRs (SHA-1, SHA-256 or SHA384)
- 51 kByte NV memory [*4]
- Unlimited amount of NV counters (only depending on NV memory utilization)
- Up to 3 loaded sessions (TPM_PT_HR_LOADED_MIN)
- Up to 64 active sessions (TPM_PT_ACTIVE_SESSIONS_MAX)
- Up to 3 loaded transient Objects (TPM_PT_HR_TRANSIENT_MIN)
- Up to 7 loaded persistent Objects (TPM_PT_HR_PERSISTENT_MIN)
- Pre-generation of up to 7 RSA key pairs
- RSA (1024, 2048, 3072 and 4096 bit)
- ECC (NIST P256, BN P256, NIST P384)
- SHA-1, SHA-256, SHA-384
- AES-128, AES-192, AES-256
Why use wolfTPM?
The perfect companion to the Infineon Hardware is the wolfTPM software library, making it easier than ever to easily use the hardware features in your project. Of particular interest is our ability to update the SLB9672 and SLB9673 firmware! See the related blog: Infineon wolfSSL Modus Toolbox Support and wolfTPM Firmware upgrade support,
Security Enhancement: Adding wolfTPM to your Espressif ESP32 projects brings a crucial layer of hardware-based security. By using a Trusted Platform Module (TPM), wolfTPM ensures that all cryptographic operations are handled within a secure chip away from the prying eyes of software attackers. This setup is ideal for maintaining the confidentiality and integrity of your data.
Open Source and Community-Driven: As with all other open-source wolfSSL libraries, wolfTPM thrives on community input and collaboration. This transparency not only helps in enhancing its security capabilities but also keeps it at the forefront of technological and security advancements.
Broad Platform Support: The new support for Espressif ESP32 is another example of wolfTPM’s commitment to versatility across different platforms. This is especially valuable for those working on IoT devices or embedded systems that demand secure, flexible hardware integration options.
Ease of Integration: wolfTPM is designed with developers in mind, offering an intuitive API that makes it easy to add security features into your applications. Whether you’re highly experienced or just getting started in the world of hardware security, wolfTPM comes with all the documentation and support you’ll need to get up and running quickly.
Performance and Efficiency: wolfTPM is both economical and powerful in terms of resource use, making it ideal for the resource-limited environments that are typical of devices such as the ESP32. The library ensures your cryptographic operations are efficient and fast.
Real-World Use Cases: wolfTPM is built to secure a wide variety of applications – from smart home devices ensuring your privacy, to industrial machines that need to operate under stringent security and safety measures. The introduction of wolfTPM to the ESP32 allows for even more applications to benefit from trusted computing technologies.
Compliance and Certification: Using TPM technology with wolfTPM can ease the path to meeting rigorous security standards and compliance demands, critical for many businesses and industries.
Learn more about wolfTPM
Stay tuned for more announcements, as we’ll be also supplying wolfTPM support for the ESP32 as an Espressif Registry Managed Component, along with our existing wolfSSL, wolfSSH, and wolfMQTT components.
Do you want to take security to the next level on your ESP32 project? Let us help you take advantage of all the capabilities of TPM.
Find out more
If you have any feedback, questions, or require support, please don’t hesitate to reach out to us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.
[*1] – See https://github.com/wolfSSL/wolfTPM?tab=readme-ov-file#hardware
[*2] – Governments recognize the importance of TPM 2.0 through ISO adoption (June 29. 2015)
[*3] – Copied from the Infineon OPTIGA™ TPM SLB 9673 TPM2.0 Data Sheet
[*4] – Actual usable NV memory slightly less.
Download wolfSSL Now
Yocto vs Buildroot: Build Systems to Tailor an Embedded Linux Solution
Yocto and Buildroot are powerful solutions designed to manage the complexities of deploying embedded products. Unlike general-purpose distributions such as Ubuntu or Red Hat Enterprise Linux, these systems allow for highly targeted deployments tailored specifically for embedded devices.
General Functionality of Both:
- Compiling from Source: They both handle compiling the kernel, system libraries, bootloader, and user applications, doing everything that is needed for the target environment.
- Cross-Compilation: They allow builds on a host machine (often of a different architecture) to compile software for the target device’s architecture.
- Package Customization: They provide mechanisms to apply custom configuration files and patches, enabling modifications and optimizations of packages to suit specific needs more effectively
Yocto Specific Features:
- Meta-layers and Recipes: Yocto uses meta-layers and recipes (.bb files), which are maintained by the community and offer detailed configuration options, sourcing, and build specifications.
- Toolchain Building: Specializes in creating custom toolchains, enabling the development of environments specifically tailored for the hardware’s architecture and project requirements.
- Complexity and Flexibility: Yocto’s complexity allows for extensive flexibility, supporting multiple development streams and detailed configuration options, suitable for large-scale industrial applications.
- Community and Documentation: Yocto is supported by a vast network of developers and offers robust documentation for complex, industrial-scale deployments.
- Petalinux: Xilinx’s petalinux is based on a fork of Yocto, meaning that the recipes and layers can easily be reused.
- Security Features: Offers advanced security configurations ideal for high-security needs.
Buildroot Specific Features:
- Makefile-Based Build System: Utilizes .mk Makefiles and kconfig for a straightforward approach to managing the download, configuration, and compilation of packages.
- Simplicity by Design: Less resource-intensive and fewer dependencies make it ideal for smaller systems or projects where simplicity is a priority.
- Firmware Generator: Primarily focuses on generating a root filesystem image, streamlining the process to produce minimal and ready-to-deploy firmware.
- Performance Metrics: Known for quicker configuration and compilation, making it suitable for rapid prototyping and small-scale projects.
- Learning Curve and Ease of Use: Offers a simpler learning experience, making it accessible and straightforward for beginners.
- Long-term Maintenance and Updates: Its simplicity facilitates easier updates, while the straightforward nature allows for manual security updates.
By understanding the strengths and limitations of each system, developers can choose the most appropriate tool to create efficient and stable embedded systems. Whether your project demands the robust flexibility of Yocto or the streamlined simplicity of Buildroot, selecting the right tool is crucial for optimal performance and success.
Interested in building one of wolfSSL’s solutions like wolfCLU, wolfMQTT, wolfTPM, or wolfSSH with Yocto? Check out our Yocto layer meta-wolfssl!
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfCrypt implementations of LMS/HSS and XMSS/XMSS^MT signatures: build options and benchmarks (Intel x86)
At wolfSSL we’re excited about stateful hash-based signature schemes and the CNSA 2.0, and we just had a webinar on this subject. If you recall, previously we added initial support for LMS/HSS and XMSS/XMSS^MT, through external integration with the hash-sigs and xmss-reference implementations.
Recently however we have completed our own wolfCrypt implementations of these algorithms, and would like to share benchmarking results and some of the build options available. Generally the wolfCrypt implementations of these signature methods are faster, with more options available to tune build size and performance.
With that said, we’ll review some of the more relevant build options and benchmarking data for LMS/HSS, and XMSS/XMSS^MT. These benchmarks were obtained on a Fedora 38 workstation with an Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz. Only a single core was used. wolfSSL was built with –enable-intelasm to utilize assembly speedups for all tests. Note: LMS/HSS and XMSS/XMSS^MT support a very wide range of parameters. For the sake of conciseness only a targeted range is benchmarked here.
LMS build options and benchmarking
The five main defines that customize the wolfCrypt LMS/HSS build are the following:
- WOLFSSL_LMS_LARGE_CACHES
- WOLFSSL_WC_LMS_SMALL
- WOLFSSL_LMS_MAX_LEVELS=N
- WOLFSSL_LMS_MAX_HEIGHT=H
- WOLFSSL_LMS_VERIFY_ONLY
The define WOLFSSL_LMS_LARGE_CACHES will cache more of the authentication path into memory, speeding up signing operations for larger height trees.
The define WOLFSSL_WC_LMS_SMALL reduces code size and memory use overall, with the tradeoff of much slower signing operations. However the performance impact for verification is negligible.
The defines WOLFSSL_LMS_MAX_LEVELS, and WOLFSSL_LMS_MAX_HEIGHT set compile time limits on the size of the LMS/HSS hypertree, and mainly reduce code footprint without impacting performance. These can be used to slim the build size if you are only interested in a specific parameter set range. More specifically, WOLFSSL_LMS_MAX_LEVELS sets the max allowed levels in HSS (the number of trees in the hypertree), while WOLFSSL_LMS_MAX_HEIGHT sets the max allowed height per tree for both LMS and HSS.
The define WOLFSSL_LMS_VERIFY_ONLY restricts the build to a smaller verify-only subset (LMS API and data structures needed for keygen/signing are omitted). This does not impact verify performance, and is intended for embedded targets that need verify-only functionality (e.g. wolfBoot). WOLFSSL_LMS_VERIFY_ONLY can be combined with WOLFSSL_WC_LMS_SMALL, WOLFSSL_LMS_MAX_LEVELS, and WOLFSSL_LMS_MAX_HEIGHT for further footprint reduction.
In Table 1 we show benchmarking results (obtained with ./wolfcrypt/benchmark/benchmark -lms_hss) for these different build options, with the external LMS/HSS implementation provided for comparison.
In general we see the default wolfCrypt LMS/HSS performance (wc_lms) is much faster than the external integration (ext_lms) for all categories of operation (keygen, signing, verifying). The WOLFSSL_LMS_LARGE_CACHES (wc_lms large) option speeds up signing operations for larger height trees, but otherwise does not impact performance. The small variations in verify speed across wc_lms, wc_lms large, and wc_lms small are likely just system noise and do not represent a systematic trend. The WOLFSSL_WC_LMS_SMALL option (wc_lms small) significantly reduces signing speed, but leaves verification speed basically unchanged, making this option attractive for verify-only applications in embedded systems.
Table 1: Comparison of wolfCrypt LMS/HSS (wc_lms), wolfCrypt LMS/HSS with WOLFSSL_LMS_LARGE_CACHES (wc_lms large), wolfCrypt LMS/HSS with WOLFSSL_WC_LMS_SMALL (wc_lms small), and the external integration implementation (ext_lms). All values in units of ops/sec.
wc_lms | wc_lms large | wc_lms small | ext_lms | |
---|---|---|---|---|
L2_H10_W2 keygen | 6.482 | 6.494 | 12.828 | 1.330 |
L2_H10_W2 sign | 4437.469 | 5521.796 | 6.526 | 786.083 |
L2_H10_W2 verify | 13954.450 | 14087.794 | 13874.450 | 4789.383 |
L2_H10_W4 keygen | 3.567 | 3.592 | 6.954 | 0.764 |
L2_H10_W4 sign | 2452.361 | 3052.326 | 3.562 | 443.225 |
L2_H10_W4 verify | 6482.891 | 6707.271 | 6962.215 | 2281.440 |
L3_H5_W4 keygen | 70.926 | 73.673 | 227.376 | 17.467 |
L3_H5_W4 sign | 4660.370 | 4669.019 | 74.653 | 820.640 |
L3_H5_W4 verify | 4632.118 | 4670.963 | 4790.742 | 1756.355 |
L3_H5_W8 keygen | 9.395 | 9.413 | 29.041 | 2.265 |
L3_H5_W8 sign | 609.408 | 605.199 | 9.542 | 106.059 |
L3_H5_W8 verify | 561.759 | 554.635 | 573.341 | 214.093 |
L3_H10_W4 keygen | 2.384 | 2.368 | 7.128 | 0.569 |
L3_H10_W4 sign | 2459.698 | 3067.848 | 2.376 | 444.601 |
L3_H10_W4 verify | 4895.203 | 4345.130 | 4793.853 | 1618.676 |
L4_H5_W8 keygen | 7.045 | 7.017 | 29.258 | 1.770 |
L4_H5_W8 sign | 608.915 | 607.318 | 7.168 | 106.881 |
L4_H5_W8 verify | 446.384 | 443.804 | 438.542 | 145.672 |
Graph 1: Signing speeds for wolfCrypt LMS/HSS (wc_lms), wolfCrypt LMS/HSS with WOLFSSL_LMS_LARGE_CACHES (wc_lms large), and the external integration implementation (ext_lms). All values in units of ops/sec.
XMSS build options and benchmarking
Three important defines that customize the wc_xmss build are:
- WOLFSSL_WC_XMSS_SMALL
- WOLFSSL_XMSS_MAX_HEIGHT=N
- WOLFSSL_XMSS_VERIFY_ONLY
The define WOLFSSL_WC_XMSS_SMALL reduces code size and memory use overall, with the tradeoff of much slower signing operations, and 20-30% slower verification.
The define WOLFSSL_XMSS_MAX_HEIGHT=N sets compile time limits on the max height of the hypertree, and mainly reduces code size without impacting performance.
The define WOLFSSL_XMSS_VERIFY_ONLY restricts the build to a smaller verify-only subset, and can be combined with WOLFSSL_WC_XMSS_SMALL, and WOLFSSL_XMSS_MAX_HEIGHT for further size reduction. It does not impact verify performance.
In Table 2 we show benchmarking results for XMSS/XMSS^MT for these options (obtained with ./wolfcrypt/benchmark/benchmark -xmss_xmssmt_sha256), with the external XMSS/XMSS^MT implementation for comparison. The default wolfCrypt XMSS/XMSS^MT (wc_xmss) is in general better than the external integration (ext_xmss), for all operations. There is a smaller difference between wc_xmss and ext_xmss as compared to wc_lms and ext_lms though, because ext_xmss can benefit from assembly speedups whereas ext_lms cannot. Similar to LMS, the WOLFSSL_WC_XMSS_SMALL option (wc_xmss small) significantly reduces signing performance, but verify speeds remain fast, making this a good option for embedded verify-only targets.
Table 2: Comparison of wolfCrypt XMSS/XMSS^MT (wc_xmss), wolfCrypt XMSS/XMSS^MT with WOLFSSL_WC_XMSS_SMALL (wc_xmss small), and the external integration implementation (ext_xmss). All values in units of ops/sec.
wc_xmss | wc_xmss small | ext_xmss | |
---|---|---|---|
XMSS-SHA2_10_256 keygen | 1.587 | 1.079 | 0.943 |
XMSS-SHA2_10_256 sign | 363.693 | 1.106 | 226.782 |
XMSS-SHA2_10_256 verify | 3050.276 | 2044.995 | 1892.234 |
XMSSMT-SHA2_20/2_256 keygen | 0.808 | 1.100 | 0.472 |
XMSSMT-SHA2_20/2_256 sign | 298.138 | 0.551 | 191.214 |
XMSSMT-SHA2_20/2_256 verify | 1307.295 | 982.836 | 852.348 |
XMSSMT-SHA2_20/4_256 keygen | 9.880 | 35.274 | 7.309 |
XMSSMT-SHA2_20/4_256 sign | 390.942 | 8.681 | 290.516 |
XMSSMT-SHA2_20/4_256 verify | 729.433 | 517.298 | 443.444 |
XMSSMT-SHA2_40/4_256 keygen | 0.406 | 1.107 | 0.237 |
XMSSMT-SHA2_40/4_256 sign | 294.738 | 0.276 | 161.656 |
XMSSMT-SHA2_40/4_256 verify | 750.591 | 487.257 | 424.986 |
XMSSMT-SHA2_40/8_256 keygen | 5.604 | 35.318 | 3.755 |
XMSSMT-SHA2_40/8_256 sign | 469.764 | 4.374 | 293.184 |
XMSSMT-SHA2_40/8_256 verify | 361.289 | 262.160 | 225.254 |
XMSSMT-SHA2_60/6_256 keygen | 0.266 | 1.099 | 0.159 |
XMSSMT-SHA2_60/6_256 sign | 280.160 | 0.185 | 144.637 |
XMSSMT-SHA2_60/6_256 verify | 521.610 | 352.718 | 295.882 |
XMSSMT-SHA2_60/12_256 keygen | 4.143 | 35.280 | 2.505 |
XMSSMT-SHA2_60/12_256 sign | 514.658 | 2.910 | 292.371 |
XMSSMT-SHA2_60/12_256 verify | 247.682 | 170.459 | 152.471 |
Graph 2: Verify speeds for wolfCrypt XMSS/XMSS^MT (wc_xmss), wolfCrypt XMSS/XMSS^MT with WOLFSSL_WC_XMSS_SMALL (wc_xmss small), and the external integration implementation (ext_xmss). All values in units of ops/sec.
Conclusions
In general our wolfCrypt implementations for LMS/HSS and XMSS/XMSS^MT are significantly faster than the external reference implementations, with speedups of 20-30% to even 3x-4x possible depending on the combination of operation, algorithm, and parameters.
The small footprint build shows fast verification speeds for all parameters, making it an attractive choice for embedded verify-only applications (e.g. wolfBoot).
Overall our LMS/HSS implementation is faster than XMSS/XMSS^MT (at least on x86), which is consistent with what is known about these two methods. However which of the two is more appropriate for your use case will ultimately depend on other factors as well, such as signature size, target environment, and parameters used.
If you’re interested in learning more about our post-quantum work, or want to learn more about stateful hash-based signature schemes, contact us at wolfSSL by emailing facts@wolfSSL.com or calling us at +1 425 245 8247 to reach out to your regional wolfSSL business director.
Download wolfSSL Now
Weekly updates
Archives
- October 2024 (2)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)