1.9.5.2 Software ECDSA Verification

This MCC module only supports hardware accelerated ECDSA verification, either through secure elements or hardware cryptographic accelerators. Verifying an ECDSA signature in software is possible and is requested periodically; while technically feasible, it is an unrealistic solution for most systems. For this discussion we evaluate solutions on three example platforms:

  1. A device with a 250KB image to verify, running at 16 MIPS (250K_16MIPS)
  2. A device with a 250KB image to verify, running at 100 MIPS (250K_100MIPS)
  3. A device with a 100KB image to verify, running at 100 MIPS (100K_100MIPS)

There are two parts to every ECDSA verification: hashing the data being verified and verifying the signature over that hash. Some systems or hardware pair these into one operation, but many perform them as separate operations.

The time required for the hash calculation is proportional to the amount of data being verified. When the hash is computed by the host CPU, the hash time also depends on the CPU clock frequency (a faster clock gives a shorter hash time). Our implementation of the SHA256 hash, used with the p256 ECDSA verification, takes 195 cycles per byte hashed. Evaluating this for each of our example hardware platforms:

  1. 250K_16MIPS: 3047 ms hash time
  2. 250K_100MIPS: 488 ms hash time
  3. 100K_100MIPS: 195 ms hash time

The second part of the ECDSA verification is the signature verification itself. Because it operates on the fixed-size hash of the data rather than on the data, it does not scale with the amount of data being verified when viewed independently of the hash calculation. The time for the verification is determined by the speed of the device doing the verification and whatever hardware acceleration it has.

Signature Verification - External Secure Element

Current external secure elements are internally clocked, and a p256 signature verification typically takes between 40 and 100 ms. Because the verification is done by an external device, this time is independent of the host CPU speed as well:

  1. 250K_16MIPS: 40-100 ms signature verification time
  2. 250K_100MIPS: 40-100 ms signature verification time
  3. 100K_100MIPS: 40-100 ms signature verification time

So for a p256 ECDSA verification using an external secure element, the total image verification time for our example devices is approximately:

  1. 250K_16MIPS: 3117 ms image verification time
  2. 250K_100MIPS: 558 ms image verification time
  3. 100K_100MIPS: 265 ms image verification time

In this configuration, the total image verification time is dominated by the hash component and is thus largely determined by the amount of data hashed and the CPU speed of the host processor.

Signature Verification - Software

For evaluating a software ECDSA verification solution, we used a generic C p256 implementation: github.com/oreparaz/p256

As with the hash calculation, the time for a software ECDSA verification depends on the CPU speed. A p256 signature verification using the above implementation takes approximately 418M instruction cycles. For our example configurations, the verification time is:

  1. 250K_16MIPS: 26125 ms signature verification time
  2. 250K_100MIPS: 4180 ms signature verification time
  3. 100K_100MIPS: 4180 ms signature verification time

Adding in the time required to calculate the hash on the data gives the total image verification time:

  1. 250K_16MIPS: 29172 ms image verification time
  2. 250K_100MIPS: 4668 ms image verification time
  3. 100K_100MIPS: 4375 ms image verification time
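The cost model behind the figures above, as an added example that is not part of this module or its documentation: it takes the page's 195 cycles/byte hash cost and 418M-cycle software verify cost, reproduces the three platforms' totals for both backends, and adds a budget helper for sizing an image against a start-up deadline. The 70 ms secure-element figure is an assumption (the midpoint of the page's 40-100 ms range), and 250KB is treated as 250,000 bytes, which is what the page's hash times imply.

```python
from dataclasses import dataclass

SHA256_CYCLES_PER_BYTE = 195          # page: host SHA-256 cost per byte hashed
P256_SW_VERIFY_CYCLES = 418_000_000   # page: generic C p256 verify (oreparaz/p256)
SE_TYPICAL_MS = 70.0                  # assumption: midpoint of the page's 40-100 ms range

@dataclass(frozen=True)
class Platform:
    name: str
    image_bytes: int  # data to hash; the page treats 250KB as 250,000 bytes
    mips: float       # host instruction rate, millions per second

PLATFORMS = (
    Platform("250K_16MIPS", 250_000, 16),
    Platform("250K_100MIPS", 250_000, 100),
    Platform("100K_100MIPS", 100_000, 100),
)

def cycles_to_ms(cycles: float, mips: float) -> float:
    """Host cycles to milliseconds: mips*1000 cycles elapse per millisecond."""
    return cycles / (mips * 1000.0)

def hash_ms(p: Platform) -> float:
    """SHA-256 over the whole image: grows with size, shrinks with MIPS."""
    return cycles_to_ms(p.image_bytes * SHA256_CYCLES_PER_BYTE, p.mips)

def signature_ms(p: Platform, backend: str) -> float:
    """Signature step: fixed cost on a secure element, CPU-bound in software."""
    if backend == "se":
        return SE_TYPICAL_MS
    if backend == "sw":
        return cycles_to_ms(P256_SW_VERIFY_CYCLES, p.mips)
    raise ValueError(f"unknown backend {backend!r}")

def total_ms(p: Platform, backend: str) -> int:
    """Whole-image verification time, rounded to the millisecond as on the page."""
    return int(hash_ms(p) + signature_ms(p, backend) + 0.5)

def max_image_bytes(mips: float, budget_ms: float, backend: str) -> int:
    """Extension: largest image that still verifies inside a start-up budget."""
    sig = signature_ms(Platform("budget", 0, mips), backend)
    spare_cycles = (budget_ms - sig) * mips * 1000.0
    return max(0, int(spare_cycles // SHA256_CYCLES_PER_BYTE))

if __name__ == "__main__":
    for p in PLATFORMS:
        print(f"{p.name:13} SE {total_ms(p, 'se'):6d} ms  SW {total_ms(p, 'sw'):6d} ms")
```

Plugging in your own image size and MIPS into `Platform` gives the same two numbers for your device; `max_image_bytes` answers the inverse question of how much can be verified within a fixed boot budget.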

For the devices currently supported by this module, 16 MIPS and 100 MIPS represent the typical maximum frequencies. A 4-29 second start-up time is too long for most devices/systems. If these numbers are acceptable and you need assistance in migrating to use a software ECDSA implementation, please contact Microchip support (www.microchip.com/support).