Arduino Cryptography Library
Arduino Cryptography Library

Supported algorithms

The library is split into four main sections: core, light-weight, legacy, and other.

Core algorithms

Core algorithms are found within the "libraries/Crypto" directory in the repository:

Reduced memory versions of some algorithms (encryption is slower, but the RAM required for the key schedule is less):

The "tiny" versions only support encryption which makes them suitable for the CTR, CFB, OFB, EAX, and GCM block cipher modes but not CBC. The "small" versions use a little more memory but support both encryption and decryption.

Light-weight algorithms

The algorithms in the "libraries/CryptoLW" directory are new algorithms that have been designed for "light-weight" environments where memory and CPU resources are constrained:

These algorithms are fairly new, but they are ideal for Arduino devices. They don't appear in any internationally adopted standards yet but any algorithms that are adopted into standards later will be moved to the core library. Maybe you'll be the one to create that new standard!

Legacy algorithms

Legacy algorithms in the "libraries/CryptoLegacy" directory are those that should probably not be used in new protocol designs, but may be required for backwards-compatibility with older protocols:

CBC is included in the legacy list because cryptography experts no longer recommend it for use in newer designs. It was an important mode in the past but newer designs should be using authenticated encryption with associated data (AEAD) instead. If you were looking to use CBC in your project, then please consider transitioning to one of the AEAD schemes listed above.

Over time, other algorithms may be moved from the core library to legacy.

Other algorithms

Other algorithms are provided in the remaining directories under "libraries", and consist of algorithms that are either too big for the main library, or are dedicated to a special purpose that only some applications will need:

Optimizations

All cryptographic algorithms have been optimized for 8-bit Arduino platforms like the Uno. Memory usage is also reduced, particularly for SHA256 and SHA512 which save 192 and 512 bytes respectively over traditional implementations. For all algorithms, static sbox tables and the like are placed into program memory to further reduce data memory usage.

ChaCha with 20 rounds and 256-bit keys is the recommended symmetric encryption algorithm because it is twice as fast as AES128, constant-time, and much more secure. AES128, AES192, and AES256 are provided for use in applications where compatibility with other systems is desirable.

If code size is an issue for your application (for example on very low end Arduino variants), then Speck on AVR is less than half the code size of ChaCha, at the cost of more data memory for the state and longer key setup times. The SpeckTiny and SpeckSmall classes are even smaller at the cost of some performance when encrypting.

BLAKE2s and BLAKE2b are variations on the ChaCha stream cipher, designed for hashing, with 256-bit and 512-bit hash outputs respectively. They are intended as high performance replacements for SHA256 and SHA512 for when speed is critical but exact bit-compatibility of hash values is not. BLAKE2s and BLAKE2b support regular hashing, BLAKE2 keyed hashing, and HMAC modes.

Examples and other topics

Performance

Performance on AVR

All figures are for the Arduino Uno running at 16 MHz. Figures for the Ardunino Mega 2560 running at 16 MHz are similar:

Encryption AlgorithmEncryption (per byte)Decryption (per byte)Key SetupState Size (bytes)
AES128 (ECB mode)33.28us63.18us158.68us181
AES192 (ECB mode)39.94us76.48us165.34us213
AES256 (ECB mode)46.61us89.78us217.79us245
AESTiny128 (ECB mode)40.37us10.16us18
AESTiny256 (ECB mode)56.84us17.20us34
AESSmall128 (ECB mode)40.37us71.36us134.22us34
AESSmall256 (ECB mode)56.84us100.55us177.73us66
ChaCha (20 rounds)14.87us14.88us43.74us132
ChaCha (12 rounds)10.38us10.38us43.74us132
ChaCha (8 rounds)8.13us8.14us43.74us132
Speck (128-bit key, ECB mode)9.74us10.12us253.94us275
Speck (192-bit key, ECB mode)10.03us10.41us264.63us275
Speck (256-bit key, ECB mode)10.31us10.71us275.26us275
SpeckSmall (128-bit key, ECB mode)33.93us34.82us207.66us67
SpeckSmall (192-bit key, ECB mode)35.20us35.88us220.55us67
SpeckSmall (256-bit key, ECB mode)36.46us36.93us233.32us67
SpeckTiny (128-bit key, ECB mode)33.93us10.22us35
SpeckTiny (192-bit key, ECB mode)35.20us13.62us35
SpeckTiny (256-bit key, ECB mode)36.46us16.89us35
AEAD AlgorithmEncryption (per byte)Decryption (per byte)Key SetupState Size (bytes)
ChaChaPoly41.20us41.19us902.36us221
GCM<AES128>109.71us109.26us1265.69us284
GCM<AES192>116.38us115.92us1485.56us316
GCM<AES256>123.04us122.59us1760.28us348
GCM<Speck> (256-bit key)86.74us86.29us646.88us378
GCM<SpeckTiny> (256-bit key)112.90us112.44us1225.48us138
EAX<AES128>71.14us71.14us1311.97us268
EAX<AES256>97.80us97.80us1806.57us332
EAX<Speck> (256-bit key)25.89us25.88us690.63us362
EAX<SpeckTiny> (256-bit key)78.20us78.20us1269.19us122
Acorn12820.39us20.06us4817.82us60
Ascon12842.71us43.07us738.68us60
Hash AlgorithmHashing (per byte)FinalizationState Size (bytes)
SHA121.86us1421.86us95
SHA25643.85us2841.04us107
SHA512122.82us15953.42us211
SHA3_25660.69us8180.24us205
SHA3_512113.88us8196.34us205
BLAKE2s20.65us1335.25us107
BLAKE2b65.22us8375.34us211
Authentication AlgorithmHashing (per byte)FinalizationKey SetupState Size (bytes)
SHA1 (HMAC mode)21.86us4290.62us1418.49us95
SHA256 (HMAC mode)43.85us8552.61us2836.49us107
BLAKE2s (Keyed mode)20.65us1335.25us1339.51us107
BLAKE2s (HMAC mode)20.65us4055.56us1350.00us107
BLAKE2b (Keyed mode)65.22us8375.34us8357.25us211
Poly130526.26us489.11us17.06us53
GHASH74.59us15.91us14.79us33
XOF AlgorithmHashing (per byte)Extending (per byte)Encryption (per byte)State Size (bytes)
SHAKE12849.43us49.02us49.59us206
SHAKE25660.77us60.37us60.93us206
Public Key OperationTime (per operation)Comment
Curve25519::eval()2716msRaw curve evaluation
Curve25519::dh1()2718msFirst half of Diffie-Hellman key agreement
Curve25519::dh2()2717msSecond half of Diffie-Hellman key agreement
Ed25519::sign()5148msDigital signature generation
Ed25519::verify()8196msDigital signature verification
Ed25519::derivePublicKey()5102msDerive a public key from a private key
P521::eval()46290msRaw curve evaluation
P521::dh1()46293msFirst half of Diffie-Hellman key agreement
P521::dh2()46304msSecond half of Diffie-Hellman key agreement
P521::sign()60514msDigital signature generation
P521::verify()109078msDigital signature verification
P521::derivePublicKey()46290msDerive a public key from a private key
NewHope::keygen(), Ref639msGenerate key pair for Alice, Ref version
NewHope::sharedb(), Ref1237msGenerate shared secret and public key for Bob, Ref version
NewHope::shareda(), Ref496msGenerate shared secret for Alice, Ref version
NewHope::keygen(), Torref777msGenerate key pair for Alice, Torref version
NewHope::sharedb(), Torref1376msGenerate shared secret and public key for Bob, Torref version
NewHope::shareda(), Torref496msGenerate shared secret for Alice, Torref version

Where a cipher supports more than one key size (such as ChaCha), the values are typically almost identical for 128-bit and 256-bit keys so only the maximum is shown above.

Due to the memory requirements, P521 and NewHope performance was measured on an Arduino Mega 2560 running at 16 MHz. They are too big to fit in the RAM size of the Uno.

Performance on ARM

All figures are for the Arduino Due running at 84 MHz:

Encryption AlgorithmEncryption (per byte)Decryption (per byte)Key SetupState Size (bytes)
AES128 (ECB mode)6.58us11.40us38.15us188
AES192 (ECB mode)7.94us13.83us39.79us220
AES256 (ECB mode)9.30us16.25us49.68us252
AESTiny128 (ECB mode)7.23us1.25us20
AESTiny256 (ECB mode)10.62us1.43us36
AESSmall128 (ECB mode)7.23us12.33us23.44us36
AESSmall256 (ECB mode)10.62us16.92us31.88us68
ChaCha (20 rounds)0.87us0.88us4.96us136
ChaCha (12 rounds)0.70us0.71us4.96us136
ChaCha (8 rounds)0.62us0.62us4.96us136
Speck (128-bit key, ECB mode)0.97us0.96us36.80us288
Speck (192-bit key, ECB mode)1.00us0.98us38.14us288
Speck (256-bit key, ECB mode)1.03us1.01us39.31us288
SpeckSmall (128-bit key, ECB mode)2.72us2.30us26.89us80
SpeckSmall (192-bit key, ECB mode)2.80us2.39us27.80us80
SpeckSmall (256-bit key, ECB mode)2.90us2.48us29.08us80
SpeckTiny (128-bit key, ECB mode)2.72us1.47us48
SpeckTiny (192-bit key, ECB mode)2.81us1.54us48
SpeckTiny (256-bit key, ECB mode)2.90us1.83us48
AEAD AlgorithmEncryption (per byte)Decryption (per byte)Key SetupState Size (bytes)
ChaChaPoly1.71us1.71us45.08us240
GCM<AES128>10.90us10.90us248.83us312
GCM<AES192>12.30us12.31us296.83us344
GCM<AES256>13.66us13.67us350.25us376
GCM<Speck> (256-bit key)5.27us5.28us75.31us408
GCM<SpeckTiny> (256-bit key)7.06us7.07us94.20us168
EAX<AES128>12.33us12.33us234.91us280
EAX<AES256>16.99us16.99us322.92us344
EAX<Speck> (256-bit key)2.80us2.80us81.63us384
EAX<SpeckTiny> (256-bit key)6.69us6.69us110.91us144
Acorn1280.75us0.75us175.70us64
Ascon1283.52us3.50us51.67us72
Hash AlgorithmHashing (per byte)FinalizationState Size (bytes)
SHA10.94us62.34us112
SHA2561.15us76.60us120
SHA5122.87us370.37us224
SHA3_2565.64us735.29us224
SHA3_51210.42us735.49us224
BLAKE2s0.80us53.39us120
BLAKE2b1.28us164.66us224
Authentication AlgorithmHashing (per byte)FinalizationKey SetupState Size (bytes)
SHA1 (HMAC mode)0.94us196.74us68.06us112
SHA256 (HMAC mode)1.15us238.98us80.44us120
BLAKE2s (Keyed mode)0.80us53.39us55.10us120
BLAKE2s (HMAC mode)0.80us168.20us57.60us120
BLAKE2b (Keyed mode)1.28us164.66us166.68us224
Poly13050.81us19.01us2.57us60
GHASH4.47us1.52us2.60us36
XOF AlgorithmHashing (per byte)Extending (per byte)Encryption (per byte)State Size (bytes)
SHAKE1284.60us4.45us4.59us232
SHAKE2565.64us5.49us5.63us232
Public Key OperationTime (per operation)Comment
Curve25519::eval()103msRaw curve evaluation
Curve25519::dh1()103msFirst half of Diffie-Hellman key agreement
Curve25519::dh2()104msSecond half of Diffie-Hellman key agreement
Ed25519::sign()195msDigital signature generation
Ed25519::verify()306msDigital signature verification
Ed25519::derivePublicKey()194msDerive a public key from a private key
P521::eval()1503msRaw curve evaluation
P521::dh1()1503msFirst half of Diffie-Hellman key agreement
P521::dh2()1503msSecond half of Diffie-Hellman key agreement
P521::sign()1860msDigital signature generation
P521::verify()3423msDigital signature verification
P521::derivePublicKey()1503msDerive a public key from a private key
NewHope::keygen(), Ref29msGenerate key pair for Alice, Ref version
NewHope::sharedb(), Ref41msGenerate shared secret and public key for Bob, Ref version
NewHope::shareda(), Ref9msGenerate shared secret for Alice, Ref version
NewHope::keygen(), Torref42msGenerate key pair for Alice, Torref version
NewHope::sharedb(), Torref53msGenerate shared secret and public key for Bob, Torref version
NewHope::shareda(), Torref9msGenerate shared secret for Alice, Torref version