We have had some reports of low-end embedded systems taking 10-20 seconds to establish a TLS connection when generating a shared secret using the ECDH algorithm.
We wanted to remind our users of the fixed-point caching mechanism provided by wolfSSL. Users can enable fixed point caching with the configure option --enable-fpecc or by defining FP_ECC in their settings. Users will also need to configure which look up table (FP_LUT) to use and the number of entries (FP_ENTRIES).
FP_LUT: General rule is the larger the table, the more memory is needed but the faster subsequent lookup operations will be.
FP_ENTRIES: The number of entries allowed in the cache.
By default if users are not using the autoconf system (IE ./configure --enable-fpecc) users can start by adding these to either wolfssl/wolfcrypt/settings.h or their own user_settings.h when defining WOLFSSL_USER_SETTINGS globally:
/* Fixed point cache (speeds repeated operations against same private key) */
#undef FP_ECC
#define FP_ECC
#ifdef FP_ECC
/* Bits / Entries */
#undef FP_ENTRIES
#define FP_ENTRIES 2
#undef FP_LUT
#define FP_LUT 4 /* NOTE: FP_LUT must be between 2 and 12 inclusively */
#endif
Users can pre-cache fixed points on a curve related to a specific private key prior to establishing a connection to speed up shared secret computation times. Below we have provided some sample code users might use to accomplish this “pre-caching”. Ideally this would be a function you would run on system start-up or initialization of your embedded device prior to establishing a connection:
#include <stdio.h>
#include <string.h>
/* NOTE: ALWAYS include options.h or settings.h before any other wolf headers */
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/asn.h>
/* Build wolfSSL using ./configure --enable-fpecc or by adding #define FP_ECC to your user_settings.h. */
/* Fixed client ECC key */
static const unsigned char ecc_clikey_der_256[] =
{
0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xF8, 0xCF, 0x92,
0x6B, 0xBD, 0x1E, 0x28, 0xF1, 0xA8, 0xAB, 0xA1, 0x23, 0x4F,
0x32, 0x74, 0x18, 0x88, 0x50, 0xAD, 0x7E, 0xC7, 0xEC, 0x92,
0xF8, 0x8F, 0x97, 0x4D, 0xAF, 0x56, 0x89, 0x65, 0xC7, 0xA0,
0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01,
0x07, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x55, 0xBF, 0xF4,
0x0F, 0x44, 0x50, 0x9A, 0x3D, 0xCE, 0x9B, 0xB7, 0xF0, 0xC5,
0x4D, 0xF5, 0x70, 0x7B, 0xD4, 0xEC, 0x24, 0x8E, 0x19, 0x80,
0xEC, 0x5A, 0x4C, 0xA2, 0x24, 0x03, 0x62, 0x2C, 0x9B, 0xDA,
0xEF, 0xA2, 0x35, 0x12, 0x43, 0x84, 0x76, 0x16, 0xC6, 0x56,
0x95, 0x06, 0xCC, 0x01, 0xA9, 0xBD, 0xF6, 0x75, 0x1A, 0x42,
0xF7, 0xBD, 0xA9, 0xB2, 0x36, 0x22, 0x5F, 0xC7, 0x5D, 0x7F,
0xB4
};
static const int sizeof_ecc_clikey_der_256 = sizeof(ecc_clikey_der_256);
int pre_cache_my_priv_key(void)
{
int ret;
/* If we plan on caching fixed points for ECC operations... */
#ifdef FP_ECC
word32 idx = 0;
WC_RNG rng;
ecc_key dummyPubKey;
ecc_key myPrivKey;
word32 x = 32; /* large enough for 256-bit */
unsigned char exportBuf[x];
wc_ecc_init(&dummyPubKey);
wc_InitRng(&rng);
ret = wc_ecc_make_key(&rng, 32, &dummyPubKey);
if (ret != 0) {
printf("Failed to make the public key\n");
return -1;
}
ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx,
&myPrivKey, sizeof_ecc_clikey_der_256);
if (ret != 0) {
printf("Failed to import private key, ret = %d\n", ret);
return -1;
}
ret = wc_ecc_shared_secret(&myPrivKey, &dummyPubKey, exportBuf, &x);
wc_ecc_free(&dummyPubKey);
if (ret != 0) {
printf("Failed to generate a shared secret\n");
return -1;
}
printf("Successfully pre-cached curve points!\n");
#else
ret = 0;
#endif
return ret;
}
int main(void)
{
int ret;
wolfSSL_Init();
ret = pre_cache_my_priv_key();
/* Do other interesting things, establish a TLS connection, etc. */
wolfSSL_Cleanup(); /* Calls the wc_ecc_fp_free() function to free cache resources */
return 0;
}
If you have any questions on the above solution please contact us anytime at support@wolfssl.com! If you have feedback or comments please send a note to facts@wolfssl.com we would love to hear from you!