NaCl on 8-Bit AVR Microcontrollers

  • Michael Hutter
  • Peter Schwabe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7918)


This paper presents first results of the Networking and Cryptography library (NaCl) on the 8-bit AVR family of microcontrollers. We show that NaCl, which has so far been optimized mainly for different desktop and server platforms, is feasible on resource-constrained devices while being very fast and memory efficient. Our implementation shows that encryption using Salsa20 requires 268 cycles/byte, authentication using Poly1305 needs 195 cycles/byte, a Curve25519 scalar multiplication needs 22 791 579 cycles, signing of data using Ed25519 needs 23 216 241 cycles, and verification can be done within 32 634 713 cycles. All implemented primitives provide at least 128-bit security, run in constant time, do not use secret-data-dependent branch conditions, and are open to the public domain (no usage restrictions).


Elliptic-curve cryptography Edwards curves Curve25519 Ed25519 Salsa20 Poly1305 AVR ATmega 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Barrett, P.: Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 311–323. Springer, Heidelberg (1987)CrossRefGoogle Scholar
  2. 2.
    Bernstein, D.J.: Curve25519: New Diffie-Hellman Speed Records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  3. 3.
    Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  4. 4.
    Bernstein, D.J., Lange, T., Schwabe, P.: The Security Impact of a New Cryptographic Library. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 159–176. Springer, Heidelberg (2012), CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J.: The Poly1305-AES Message-Authentication Code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005), CrossRefGoogle Scholar
  6. 6.
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards Curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  7. 7.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011); see also full version [8]CrossRefGoogle Scholar
  8. 8.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. Journal of Cryptographic Engineering 2(2), 77–89 (2012) see also short version [7], CrossRefGoogle Scholar
  9. 9.
    Bernstein, D.J., Lange, T.: eBACS: ECRYPT benchmarking of cryptographic systems, (accessed January 31, 2013)
  10. 10.
    Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 320–339. Springer, Heidelberg (2012), CrossRefGoogle Scholar
  11. 11.
    Chu, D., Großschädl, J., Liu, Z.: Twisted Edwards-Form Elliptic Curve Cryptography for 8-bit AVR-based Sensor Nodes. Cryptology ePrint Archive: Report 2012/730 (2012)Google Scholar
  12. 12.
    European Network of Excellence in Cryptology II, (accessed January 18, 2013)
  13. 13.
    Efton. 8051 and AVR Cryptolibrary,
  14. 14.
    Eisenbarth, T., Kumar, S., Paar, C., Poschmann, A., Uhsadel, L.: A Survey of Lightweight-Cryptography Implementations. IEEE Design & Test of Computers - Design and Test of ICs for Secure Embedded Computing 24(6), 522–533 (2007) ISSN 0740-7475CrossRefGoogle Scholar
  15. 15.
    Das Labor e.V. AVR-Crypto-Lib,
  16. 16.
    Gura, N., Patel, A., Wander, A., Eberle, H., Shantz, S.C.: Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 119–132. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  18. 18.
    Hlaváč, J., Lórencz, R., Hadáček, M.: True random number generation on an Atmel AVR microcontroller. In: 2010 2nd International Conference on Computer Engineering and Technology (ICCET), vol. 2, pp. 493–495. IEEE (2010)Google Scholar
  19. 19.
    Hutter, M., Wenger, E.: Fast multi-precision multiplication for public-key cryptography on embedded microprocessors. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 459–474. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Karatsuba, A., Ofman, Y.: Multiplication of Multidigit Numbers on Automata. Soviet Physics-Doklady 7, 595–596 (1963); Translated from Doklady Akademii Nauk SSSR 145(2), 293–294 (July 1962)Google Scholar
  21. 21.
    Kargl, A., Pyka, S., Seuschek, H.: Fast Arithmetic on ATmega128 for Elliptic Curve Cryptography. IACR Cryptology ePrint Archive, report 2008/442 (October 2008),
  22. 22.
    Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  23. 23.
    Lange, T.: Vampire – virtual applications and implementations research lab (2007), (accessed January 28, 2013)
  24. 24.
    Liu, A., Ning, P.: TinyECC: A Configurable Library for Elliptic Curve Cryptography in Wireless Sensor Networks. In: Proceedings of International Conference on Information Processing in Sensor Networks, IPSN 2008, St. Louis, Missouri, USA, MO, April 22–24, pp. 245–256 (April 2008)Google Scholar
  25. 25.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks – Revealing the Secrets of Smart Cards. Springer (2007) ISBN 978-0-387-30857-9Google Scholar
  26. 26.
    Meiser, G., Eisenbarth, T., Lemke-Rust, K., Paar, C.: Efficient Implementation of eSTREAM Ciphers on 8-bit AVR Microcontrollers. In: International Symposium on Industrial Embedded Systems, SIES 2008, pp. 58–66 (June 2008)Google Scholar
  27. 27.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation 48(177), 243–264 (1987), MathSciNetzbMATHCrossRefGoogle Scholar
  28. 28.
    National Institute of Standards and Technology (NIST). FIPS-180-3: Secure Hash Standard (October 2008),
  29. 29.
    Center of Mathematical Modeling Sigma. CRS-AVR010X-ECC,
  30. 30.
    Scott, M.: MIRACLE – A Multiprecision Integer and Rational Arithmetic C/C++ Library (2003),
  31. 31.
    Straus, E.G.: Addition chains of vectors (problem 5125). American Mathematical Monthly 70, 806–808 (1964), MathSciNetGoogle Scholar
  32. 32.
    Szczechowiak, P., Oliveira, L.B., Scott, M., Collier, M., Dahab, R.: NanoECC: Testing the Limits of Elliptic Curve Cryptography in Sensor Networks. In: Verdone, R. (ed.) EWSN 2008. LNCS, vol. 4913, pp. 305–320. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  33. 33.
    Uhsadel, L., Poschmann, A., Paar, C.: Enabling Full-Size Public-Key Algorithms on 8-Bit Sensor Nodes. In: Stajano, F., Meadows, C., Capkun, S., Moore, T. (eds.) ESAS 2007. LNCS, vol. 4572, pp. 73–86. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  34. 34.
    Wang, H., Li, Q.: Efficient Implementation of Public Key Cryptosystems on Mote Sensors (Short Paper). In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 519–528. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  35. 35.
    Wenzel-Benner, C., Gräf, J.: XBX: eXternal Benchmarking eXtension, (accessed January 31, 2013)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Michael Hutter
    • 1
  • Peter Schwabe
    • 2
  1. 1.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria
  2. 2.Digital Security GroupRadboud University NijmegenNijmegenThe Netherlands

Personalised recommendations