- Considering next: ed25519/cv25519-only Gnuk and a new board design
  - Reasons
    - STM32F103 is getting older (since 2007)
    - Dependency on ARM would not be good
    - For the current implementation, the execution is not 100% constant-time, or it is difficult to keep it so, because:
      - Pipeline of Cortex-M3 is not that simple
        - e.g., a 32x32 multiply may execute in fewer cycles if the operand's higher bits are zero
      - Flash ROM access has a prefetch buffer (although some specific chips, like Fujitsu's Cortex-M3, have a no-wait feature)
  - Candidate
    - PIC32MM running at 25MHz
      - no wait for flash access
      - No branch predictor (as Cortex-M3 doesn't have one)
      - MADDU operation is supported
      - 5-stage pipeline, simpler
    - PIC32MM uses MIPS microAptiv core
      - In general, considering RSA, MIPS is a difficult architecture for bignum implementation (no carry flag)
      - But for the field 2^255-19 computation, we can adopt a 10-limb representation, which avoids carry propagation
    - Apparently, the chip is not intended to be used for a secure token (thus, risk would be lower)
  - 0.3 sec could be achievable? 0.5 sec can be done
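The carry-free multiplication the comment alludes to, as an added example that is neither Gnuk's code nor part of the comment above. It assumes the radix-2^25.5 limb layout popularised by the ref10 Ed25519 implementation (even limbs 26 bits, odd limbs 25 bits); the comment only says "10-limb", so that layout, the helper names and the constructed test values are my choices. The point it shows: each limb product fits comfortably in 64 bits, and so does the sum of ten such products plus the 19x fold of the upper half, so the inner loop is just 32x32->64 multiply-accumulates with plain 64-bit adds, exactly the shape a MADDU-style instruction provides, and no carry flag is consulted until a single carry pass at the end, whose control flow depends only on public loop indices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field element mod p = 2^255 - 19, radix 2^25.5: limb i sits at bit
 * ceil(25.5*i), so even limbs hold 26 bits and odd limbs 25 bits.
 * Limbs are kept non-negative in this example (assumption: mul only). */
typedef int32_t fe[10];

static int limb_bits(int i) { return (i & 1) ? 25 : 26; }

/* One carry pass, limb 0 -> 9; the carry out of limb 9 (2^255) wraps to limb 0 as 19x. */
static void carry_pass(int64_t t[10])
{
    for (int k = 0; k < 10; k++) {
        int64_t c = t[k] >> limb_bits(k);
        t[k] -= c << limb_bits(k);
        if (k == 9) t[0] += 19 * c;        /* 2^255 == 19 (mod p) */
        else        t[k + 1] += c;
    }
}

/* h = f * g mod p.  No carry flag: every product < 2^53, every column sum
 * after the 19x fold < 2^61, all inside int64.  Indices are public. */
static void fe_mul(fe h, const fe f, const fe g)
{
    int64_t t[19] = {0};
    for (int i = 0; i < 10; i++)
        for (int j = 0; j < 10; j++)
            /* two odd limbs multiply to 2^(s_i+s_j) = 2 * 2^s_(i+j): double it */
            t[i + j] += ((int64_t)f[i] * g[j]) << (i & j & 1);
    for (int k = 0; k < 9; k++)            /* fold columns 10..18 down by 19 */
        t[k] += 19 * t[k + 10];
    carry_pass(t);                          /* bring limbs back into range */
    carry_pass(t);
    for (int i = 0; i < 10; i++) h[i] = (int32_t)t[i];
}

/* Load 255 bits little-endian (bit 255 ignored), limb by limb. */
static void fe_frombytes(fe h, const uint8_t s[32])
{
    int bit = 0;
    for (int i = 0; i < 10; i++) {
        int64_t v = 0;
        for (int b = 0; b < limb_bits(i); b++, bit++)
            v |= (int64_t)((s[bit >> 3] >> (bit & 7)) & 1) << b;
        h[i] = (int32_t)v;
    }
}

/* Canonical encoding: reduce h (assumed < 2p) into [0, p), then pack 255 bits. */
static void fe_tobytes(uint8_t s[32], const fe h)
{
    int64_t t[10];
    for (int i = 0; i < 10; i++) t[i] = h[i];
    int64_t q = 19;                          /* q = floor((h + 19) / 2^255) = [h >= p] */
    for (int i = 0; i < 10; i++) q = (t[i] + q) >> limb_bits(i);
    t[0] += 19 * q;                          /* h - q*p = h + 19q - q*2^255 */
    for (int i = 0; i < 9; i++) {
        int64_t c = t[i] >> limb_bits(i);
        t[i] -= c << limb_bits(i);
        t[i + 1] += c;
    }
    t[9] &= (1 << 25) - 1;                   /* drop the 2^255 bit: that is the -q*2^255 */
    memset(s, 0, 32);
    int bit = 0;
    for (int i = 0; i < 10; i++)
        for (int b = 0; b < limb_bits(i); b++, bit++)
            s[bit >> 3] |= (uint8_t)(((t[i] >> b) & 1) << (bit & 7));
}

/* out = a * b mod p on canonical 32-byte little-endian encodings. */
static void mul_bytes(uint8_t out[32], const uint8_t a[32], const uint8_t b[32])
{
    fe fa, fb, fh;
    fe_frombytes(fa, a);
    fe_frombytes(fb, b);
    fe_mul(fh, fa, fb);
    fe_tobytes(out, fh);
}

/* Constructed check: 2^254 * 2 = 2^255 == 19 (mod p).  Returns 1 on success. */
static int check_two_pow_255(void)
{
    uint8_t a[32] = {0}, b[32] = {0}, out[32], expect[32] = {19};
    a[31] = 0x40;                            /* 2^254 */
    b[0] = 2;
    mul_bytes(out, a, b);
    return memcmp(out, expect, 32) == 0;
}

/* Constructed check: (p-1)^2 == 1 (mod p), exercising the q=1 reduction path. */
static int check_p_minus_1_squared(void)
{
    uint8_t a[32], out[32], expect[32] = {1};
    memset(a, 0xff, 32);
    a[0] = 0xec;                             /* p - 1 = 2^255 - 20 */
    a[31] = 0x7f;
    mul_bytes(out, a, a);
    return memcmp(out, expect, 32) == 0;
}

/* Constructed check: a * 1 == a for a canonical a < p. */
static int check_mul_by_one(void)
{
    uint8_t a[32], one[32] = {1}, out[32];
    for (int i = 0; i < 32; i++) a[i] = (uint8_t)i;
    mul_bytes(out, a, one);
    return memcmp(out, a, 32) == 0;
}

int main(void)
{
    printf("2^254*2 == 19: %s\n", check_two_pow_255() ? "ok" : "FAIL");
    printf("(p-1)^2 == 1:  %s\n", check_p_minus_1_squared() ? "ok" : "FAIL");
    printf("a*1 == a:      %s\n", check_mul_by_one() ? "ok" : "FAIL");
    return 0;
}
```

Compared with an 8x32-bit limb representation, where each 32x32 product needs add-with-carry chains across limbs, the only place this code touches carries is `carry_pass`, and that runs a fixed number of times with a fixed shift per limb, so on a core like the microAptiv the timing does not depend on the values being multiplied. What it does not fix is a multiplier whose latency depends on operand magnitude; the limb width and the shift trick here are about avoiding carry propagation, not about the hardware multiplier.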