Efficient Implementation of the SHA-512 Hash Function for 8-Bit AVR Microcontrollers

SHA-512 is a member of the SHA-2 family of cryptographic hash algorithms. It is built on a Davies-Meyer compression function that operates on eight 64-bit working variables and produces a 512-bit digest. It provides strong resistance to collision and preimage attacks, and is assumed to remain secure in the dawning era of quantum computers. However, the compression function of SHA-512 is challenging to implement on small 8- and 16-bit microcontrollers because of their limited register space and because 64-bit rotations are generally slow on such devices. In this paper, we present the first highly-optimized Assembler implementation of SHA-512 for the ATmega family of 8-bit AVR microcontrollers. We introduce a special optimization technique for the compression function based on a duplication of the eight working variables, so that they can be loaded from RAM more efficiently via the indirect addressing mode with displacement (using the ldd and std instructions). In this way, we achieve high performance without unrolling the main loop of the compression function, thereby keeping the code size small. When executed on an 8-bit AVR ATmega128 microcontroller, the compression function takes slightly less than 60k clock cycles, which corresponds to a compression rate of roughly 467 cycles per byte. The binary code size of the full SHA-512 implementation providing a standard Init-Update-Final (IUF) interface amounts to approximately 3.5 kB.
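The following C code is an added illustration and not the paper's AVR Assembler implementation: it shows one reading of the duplicated-working-variable idea, in which the eight variables a..h are kept twice in a 16-word buffer so that a round only writes the new a and e and slides a base index (the AVR ldd/std displacement trick) instead of moving six words, with a copy-back every eight rounds. The function names, the buffer layout and the constructed round inputs are my assumptions; the real SHA-512 K constants and message schedule are not included.

```c
#include <stdint.h>
#include <string.h>

typedef uint64_t u64;
#define ROTR(x, n) (((x) >> (n)) | ((x) << (64 - (n))))
#define CH(x, y, z)  (((x) & (y)) ^ (~(x) & (z)))
#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define SIGMA0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
#define SIGMA1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))

/* Textbook SHA-512 rounds: eight named variables, six word moves per round. */
static void rounds_textbook(u64 v[8], const u64 *kw, int n) {
    for (int i = 0; i < n; i++) {
        u64 t1 = v[7] + SIGMA1(v[4]) + CH(v[4], v[5], v[6]) + kw[i];
        u64 t2 = SIGMA0(v[0]) + MAJ(v[0], v[1], v[2]);
        v[7] = v[6]; v[6] = v[5]; v[5] = v[4]; v[4] = v[3] + t1;
        v[3] = v[2]; v[2] = v[1]; v[1] = v[0]; v[0] = t1 + t2;
    }
}

/* Sliding-window rounds (my reconstruction): a..h are buf[p..p+7] of a
 * 16-word buffer that holds the state twice. A round writes only the new
 * a and e and decrements p; on AVR this maps to constant ldd/std
 * displacements from a base register. When p reaches 0 the lower half is
 * copied back to the upper half, which is the price of the duplication. */
static void rounds_window(u64 v[8], const u64 *kw, int n) {
    u64 buf[16];
    int p = 8;
    memcpy(buf + 8, v, 8 * sizeof(u64));
    for (int i = 0; i < n; i++) {
        u64 *w = buf + p;                        /* w[0] = a ... w[7] = h */
        u64 t1 = w[7] + SIGMA1(w[4]) + CH(w[4], w[5], w[6]) + kw[i];
        u64 t2 = SIGMA0(w[0]) + MAJ(w[0], w[1], w[2]);
        p--;                                     /* old a..g become new b..h */
        buf[p] = t1 + t2;                        /* new a */
        buf[p + 4] += t1;                        /* new e = old d + t1 */
        if (p == 0) { memcpy(buf + 8, buf, 8 * sizeof(u64)); p = 8; }
    }
    memcpy(v, buf + p, 8 * sizeof(u64));
}

/* Self-check on constructed input (not real K constants or a real message
 * schedule): both variants must reach the same, non-trivial final state. */
int window_matches_textbook(void) {
    u64 iv[8], kw[80], a[8], b[8], x = 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < 8; i++) iv[i] = (x += 0x0123456789ABCDEFULL);
    for (int i = 0; i < 80; i++) kw[i] = (x = x * 6364136223846793005ULL + 1442695040888963407ULL);
    memcpy(a, iv, sizeof a); memcpy(b, iv, sizeof b);
    rounds_textbook(a, kw, 80);
    rounds_window(b, kw, 80);
    return memcmp(a, b, sizeof a) == 0 && memcmp(a, iv, sizeof a) != 0;
}
```

The copy-back in `rounds_window` happens once per eight rounds, so a compiled loop body of one round needs no unrolling to benefit from the fixed displacements.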
