Electronics Guide

Advanced Encryption Standard

The Advanced Encryption Standard (AES) has become the dominant symmetric cipher for embedded applications. Operating on 128-bit blocks with key sizes of 128, 192, or 256 bits, AES provides strong security with a structure amenable to efficient implementation on diverse hardware platforms.

Software implementations of AES typically use lookup tables to combine the SubBytes, ShiftRows, and MixColumns operations into a series of table lookups and XOR operations. A standard T-table implementation requires 4 kilobytes of ROM for the tables but achieves good performance on 32-bit processors. For more constrained systems, byte-oriented implementations reduce memory requirements at the cost of increased execution time.

Many modern microcontrollers include hardware AES accelerators that perform encryption and decryption operations in dedicated logic. These accelerators typically achieve throughputs of hundreds of megabits per second while consuming minimal power and freeing the CPU for other tasks. Hardware implementations also provide inherent resistance to certain side-channel attacks that plague software implementations.

Block cipher modes of operation determine how AES encrypts data larger than a single 128-bit block. Counter mode (CTR) and Galois/Counter Mode (GCM) are particularly suitable for embedded systems. CTR mode enables parallel encryption and decryption operations, while GCM provides authenticated encryption that simultaneously ensures confidentiality and integrity.

Lightweight Symmetric Ciphers

For severely constrained devices such as smart cards, RFID tags, and ultra-low-power sensors, even optimized AES implementations may exceed available resources. Lightweight cryptographic algorithms address this need by trading some security margin for reduced implementation cost.

PRESENT is a lightweight block cipher operating on 64-bit blocks with 80-bit or 128-bit keys. Its simple structure based on substitution and permutation layers requires minimal logic gates, making it suitable for hardware implementation in area-constrained designs.

SIMON and SPECK, developed by the NSA, offer flexible block and key sizes optimized for different implementation constraints. SIMON targets hardware efficiency with its Feistel structure and simple round function, while SPECK achieves excellent performance in software through addition, rotation, and XOR operations.

The NIST Lightweight Cryptography standardization process has produced ASCON as the selected algorithm for lightweight authenticated encryption. ASCON provides authenticated encryption with associated data using a permutation-based design that achieves compact hardware implementations and good software performance on small processors.

Stream Ciphers

Stream ciphers generate a pseudorandom keystream that is XORed with plaintext to produce ciphertext. This approach is particularly efficient when encrypting data of arbitrary length or when data arrives continuously rather than in fixed-size blocks.

ChaCha20 has emerged as a preferred stream cipher for embedded systems. Originally designed as a variant of Salsa20, ChaCha20 uses 32-bit addition, rotation, and XOR operations that map efficiently to general-purpose processors. The algorithm processes data in 64-byte blocks, generating keystream from a 256-bit key, a 96-bit nonce, and a 32-bit counter.

ChaCha20-Poly1305 combines the ChaCha20 stream cipher with the Poly1305 message authentication code to provide authenticated encryption. This combination has been standardized for use in TLS and is well-suited to embedded systems lacking AES hardware acceleration.

RSA Implementation

RSA remains widely deployed despite its computational intensity. Security depends on the difficulty of factoring the product of two large prime numbers, requiring key sizes of 2048 bits or larger for current security requirements.

Efficient RSA implementation on embedded systems requires optimized modular arithmetic for large integers. Montgomery multiplication eliminates expensive division operations by working in a transformed representation, while the Chinese Remainder Theorem accelerates private key operations by performing calculations modulo the individual prime factors rather than their product.

Modular exponentiation, the core operation in RSA, is typically implemented using the square-and-multiply algorithm. However, the data-dependent execution pattern of this algorithm leaks information through timing and power consumption. Constant-time implementations use techniques such as Montgomery ladder or fixed-window exponentiation to prevent these side-channel leaks.

RSA key generation requires high-quality random numbers and primality testing. The Miller-Rabin probabilistic primality test is commonly used, with sufficient iterations to achieve acceptable confidence that generated values are prime.

Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) provides security equivalent to RSA with dramatically smaller key sizes. A 256-bit elliptic curve key offers security comparable to a 3072-bit RSA key, making ECC particularly attractive for embedded systems where memory and computational resources are limited.

ECC operations are performed on points lying on an elliptic curve defined by an equation of the form y2 = x3 + ax + b over a finite field. The fundamental operation is scalar multiplication, computing the product of an integer scalar and a curve point through repeated point addition and doubling.

Several standardized curves are commonly used in embedded applications. The NIST P-256 curve operates over a 256-bit prime field and is widely supported in hardware accelerators and cryptographic libraries. Curve25519, designed by Daniel Bernstein, uses a carefully chosen prime that enables fast, constant-time implementations resistant to side-channel attacks.

The Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol enables two parties to establish a shared secret over an insecure channel. Each party generates an ephemeral key pair, exchanges public keys, and computes the shared secret through scalar multiplication. The shared secret can then seed symmetric key derivation for subsequent encrypted communication.

The Elliptic Curve Digital Signature Algorithm (ECDSA) provides digital signatures for authentication and non-repudiation. Signing requires generating a random nonce for each signature; reusing nonces or using predictable nonces enables key recovery attacks that have compromised numerous real-world systems.

Post-Quantum Cryptography

Quantum computers pose a future threat to currently deployed public-key cryptography. Shor's algorithm can efficiently factor large integers and compute discrete logarithms, breaking both RSA and elliptic curve cryptography. While large-scale quantum computers do not yet exist, the long deployment lifecycles of embedded systems motivate consideration of quantum-resistant alternatives.

NIST has standardized several post-quantum cryptographic algorithms. CRYSTALS-Kyber provides key encapsulation based on the hardness of lattice problems, while CRYSTALS-Dilithium offers digital signatures using similar mathematical foundations. These algorithms require larger keys and more computation than current elliptic curve methods but can be implemented on modern microcontrollers.

Hybrid approaches combining classical and post-quantum algorithms provide defense in depth during the transition period. A system might use both ECDH and Kyber for key agreement, ensuring security even if one algorithm is later found to be weak.

SHA-2 Family

The SHA-2 family includes SHA-224, SHA-256, SHA-384, and SHA-512, producing hash values of the indicated bit length. SHA-256 is the most commonly used variant, offering a good balance of security and performance for embedded applications.

SHA-256 processes data in 512-bit blocks through 64 rounds of compression. Each round combines message schedule values with working variables using addition, rotation, and logical operations. The algorithm requires maintaining eight 32-bit working variables and a 64-word message schedule, totaling 320 bytes of state.

Hardware acceleration for SHA-256 is available in many microcontrollers, particularly those targeting security applications. Hardware implementations achieve significantly higher throughput than software while potentially offering side-channel resistance through constant-time operation.

SHA-3 and SHAKE

SHA-3, standardized in 2015, uses an entirely different construction from SHA-2. Based on the Keccak sponge function, SHA-3 absorbs input data into a state array and squeezes output of the desired length. This sponge construction enables extendable-output functions (XOFs) that produce arbitrary-length output.

SHAKE128 and SHAKE256 are XOFs derived from the SHA-3 construction. These functions can generate output of any desired length, making them useful for key derivation, mask generation, and other applications requiring variable-length output.

The Keccak permutation at the heart of SHA-3 operates on a 1600-bit state organized as a three-dimensional array. While the state size exceeds that of SHA-2, the permutation structure maps well to hardware implementation and provides inherent parallelism that software implementations can exploit.

Lightweight Hash Functions

Constrained embedded devices may lack resources for standard SHA-256 implementation. Lightweight hash functions reduce state size and computational requirements while maintaining security appropriate for their intended applications.

PHOTON and SPONGENT are lightweight hash functions based on sponge constructions with reduced state sizes. These designs target hardware implementation efficiency, achieving small gate counts suitable for integration into smart cards and RFID tags.

The ASCON permutation, standardized by NIST for lightweight cryptography, can also be used as the basis for a hash function. ASCON-Hash provides a compact, efficient hash function suitable for the most constrained embedded devices.

HMAC Construction

HMAC (Hash-based Message Authentication Code) constructs a MAC from any cryptographic hash function. The construction applies the hash function twice with the key mixed into inner and outer padding values, providing security even if the underlying hash function has certain weaknesses.

HMAC-SHA256 is widely used in embedded systems for message authentication, key derivation, and pseudorandom number generation. The construction inherits the performance characteristics of the underlying hash function, benefiting from any available hardware acceleration.

Implementing HMAC requires careful key handling. Keys shorter than the hash block size should be padded, while longer keys should be hashed to the appropriate length. The secret key must be protected from disclosure through memory protection and secure storage.

CMAC and GMAC

Cipher-based Message Authentication Code (CMAC) constructs a MAC using a block cipher, typically AES. CMAC processes the message in cipher-block chaining mode with special handling for the final block, producing a MAC equal to the block cipher's block size.

GMAC is the authentication-only variant of Galois/Counter Mode, using the Galois field multiplication at the heart of GCM without the encryption component. GMAC achieves high throughput on systems with hardware acceleration for the GCM polynomial multiplication.

Both CMAC and GMAC benefit from AES hardware acceleration available in many microcontrollers. When hardware acceleration is available, these cipher-based MACs may outperform HMAC while providing equivalent security.

Poly1305

Poly1305 is a high-speed one-time authenticator that produces a 128-bit tag from a message and a single-use 256-bit key. The algorithm performs arithmetic in a prime field, with operations that map efficiently to 32-bit or 64-bit processors.

Poly1305 must be used with a unique key for each message; key reuse enables forgery attacks. In practice, Poly1305 is combined with a stream cipher like ChaCha20 that generates fresh authentication keys from a master key and message nonce.

The ChaCha20-Poly1305 authenticated encryption construction has become widely adopted as an alternative to AES-GCM. On processors lacking AES hardware acceleration, ChaCha20-Poly1305 typically achieves higher performance while providing equivalent security.

Side-Channel Attack Resistance

Side-channel attacks exploit information leakage through power consumption, electromagnetic emissions, timing variations, or other observable characteristics of cryptographic operations. Embedded systems are particularly vulnerable due to the physical accessibility of devices and the close correlation between simple processor operations and observable phenomena.

Timing attacks exploit variations in execution time that depend on secret values. Conditional branches based on key bits, early-exit optimizations, and table lookups with key-dependent indices all create timing variations that can be measured and analyzed to recover keys.

Power analysis attacks measure the power consumption of a device during cryptographic operations. Simple power analysis (SPA) directly observes power traces to identify operations, while differential power analysis (DPA) uses statistical analysis of many traces to extract key bits from small power variations correlated with intermediate values.

Constant-time implementation is the primary defense against timing and power analysis attacks. Code must execute the same sequence of operations regardless of secret values, avoiding conditional branches, variable-length loops, and memory accesses at secret-dependent addresses. This requirement significantly constrains implementation choices and typically reduces performance compared to unprotected implementations.

Masking techniques protect against power analysis by splitting secret values into random shares that are processed independently and recombined only at the end of computation. Boolean masking XORs secrets with random masks, while arithmetic masking adds random values. Higher-order masking uses multiple shares for increased protection against sophisticated attacks.

Fault Attack Countermeasures

Fault attacks deliberately induce errors in cryptographic computations through voltage glitches, clock manipulation, electromagnetic pulses, or laser illumination. By analyzing faulty outputs, attackers can recover secret keys with dramatically fewer operations than required for exhaustive search.

Differential fault analysis against AES can recover the complete key from a small number of faulty ciphertexts. The attack exploits the algebraic structure of AES to deduce key bytes from differences between correct and faulty outputs.

Countermeasures include redundant computation, where critical operations are performed multiple times and results compared before use. Integrity checking verifies that intermediate values remain consistent throughout computation. Hardware sensors can detect glitching attempts and trigger protective responses such as key erasure.

Algorithm-level countermeasures modify the computation to be inherently resistant to certain fault classes. Infection countermeasures propagate faults through subsequent computation in ways that prevent useful analysis of faulty outputs.

Random Number Generation

Cryptographic security depends fundamentally on high-quality random numbers for key generation, nonces, and protocol randomness. Predictable or biased random numbers enable attacks that bypass cryptographic protection entirely.

Hardware random number generators (HRNGs) extract entropy from physical phenomena such as thermal noise, ring oscillator jitter, or metastable circuits. Many microcontrollers include integrated HRNGs that provide raw entropy or conditioned random output suitable for cryptographic use.

Deterministic random bit generators (DRBGs) stretch limited entropy into larger quantities of pseudorandom output. Standards such as NIST SP 800-90A define approved DRBG constructions based on hash functions, block ciphers, or elliptic curves. DRBGs must be seeded with sufficient entropy and reseeded periodically to maintain security.

Testing random number generators presents unique challenges, as any finite output sequence could theoretically be produced by a deterministic process. Statistical test suites such as NIST SP 800-22 evaluate randomness properties, but passing these tests does not guarantee cryptographic quality. Entropy estimation and health monitoring provide ongoing assurance that generators operate correctly.

Software Libraries

Mbed TLS, formerly PolarSSL, provides a compact cryptographic library designed for embedded systems. The library offers a small footprint, modular design, and implementations of common algorithms including AES, SHA-256, RSA, and elliptic curve cryptography.

wolfSSL is another embedded-focused cryptographic library with support for TLS and a wide range of cryptographic algorithms. The library includes optimizations for ARM Cortex-M processors and integration with hardware accelerators on popular microcontroller families.

Libsodium provides a high-level cryptographic API designed for ease of use and resistance to implementation errors. The library emphasizes secure defaults and modern algorithms, making it suitable for developers without deep cryptographic expertise.

Micro-ECC provides a minimal implementation of elliptic curve cryptography optimized for embedded systems. The library focuses specifically on ECDH and ECDSA with commonly used curves, achieving small code size on resource-constrained devices.

Hardware Acceleration

Modern microcontrollers increasingly include dedicated cryptographic accelerators. These hardware engines perform encryption, hashing, and public-key operations with higher throughput and lower power consumption than software implementations.

AES accelerators are the most common cryptographic hardware, available even in low-cost microcontrollers. Hardware AES implementations typically support multiple modes of operation and key sizes, with DMA integration for processing large data volumes without CPU intervention.

Hash accelerators for SHA-256 and SHA-512 offload the computationally intensive compression function from the CPU. Some implementations support simultaneous processing of multiple hash contexts, enabling efficient hashing of multiple data streams.

Public-key accelerators for RSA and elliptic curve operations vary widely in capability. Basic accelerators provide modular arithmetic primitives, while more sophisticated engines perform complete key generation, signature, and key agreement operations with side-channel protection.

True random number generator (TRNG) hardware provides entropy for cryptographic applications. TRNGs should include health monitoring to detect failures and conditioning to improve statistical quality of raw entropy.

Secure Elements

Secure elements are dedicated security chips that store keys and perform cryptographic operations in tamper-resistant hardware. By isolating secret keys from the main processor, secure elements protect against software vulnerabilities and many physical attacks.

Common secure element interfaces include I2C and SPI for communication with the host processor. Command sets vary by vendor but typically include key generation, signature operations, encryption, and secure storage of certificates and configuration data.

Trusted Platform Module (TPM) chips implement standardized secure element functionality for computing platforms. While originally designed for PCs, TPM-like functionality is increasingly available for embedded applications.

Integrated secure elements within system-on-chip devices provide similar protection without requiring an external component. ARM TrustZone creates isolated secure and non-secure processor states, enabling secure code execution and key storage within a single chip.

Key Generation and Storage

Keys must be generated from high-quality random sources with sufficient entropy for the intended security level. Symmetric keys should be generated directly from random bytes, while asymmetric keys require additional processing to produce valid key pairs.

Secure key storage protects keys from extraction by unauthorized parties. Options include encrypted storage using device-unique keys, hardware-protected key stores in secure elements, and one-time programmable memory for permanent keys.

Key derivation functions generate multiple keys from a single master secret. HKDF (HMAC-based Key Derivation Function) is widely used for deriving symmetric keys from shared secrets established through key agreement protocols.

Key Distribution

Symmetric keys must be distributed to communicating parties through secure channels. In manufacturing, keys may be injected during production in controlled facilities. In the field, asymmetric key agreement protocols establish shared secrets without pre-shared keys.

Public-key infrastructure (PKI) distributes public keys through signed certificates that bind keys to identities. Certificate chains enable verification back to trusted root authorities, though embedded systems must carefully manage certificate storage and revocation checking.

Key wrapping protects keys during storage and transport by encrypting them with other keys. The wrapped key can be safely stored or transmitted, with decryption possible only by parties possessing the wrapping key.

Key Lifecycle Management

Keys have finite lifetimes based on cryptographic strength, usage volume, and policy requirements. Session keys may last only for a single communication session, while device identity keys may remain valid for the device's entire operational life.

Key rotation replaces keys before they become vulnerable due to excessive use or advancing cryptanalysis. Rotation procedures must maintain service continuity while transitioning to new keys.

Key revocation invalidates compromised or no-longer-trusted keys. Embedded systems face challenges in revocation because devices may lack continuous network connectivity to receive revocation information. Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) provide mechanisms for checking certificate validity when connectivity is available.

Secure key destruction ensures that keys cannot be recovered after they are no longer needed. Memory containing keys should be overwritten before deallocation, and devices should provide mechanisms for key erasure upon detecting tampering or reaching end of life.

TLS for Embedded Systems

Transport Layer Security (TLS) protects network communications between embedded devices and servers. Embedded TLS implementations balance security, code size, and memory requirements, often supporting only essential cipher suites and features.

TLS 1.3, the current version, simplifies the protocol and removes legacy algorithms while improving security and reducing handshake latency. The simplified structure makes TLS 1.3 more suitable for embedded implementation than earlier versions.

Cipher suite selection affects both security and resource requirements. Modern cipher suites based on AES-GCM or ChaCha20-Poly1305 with ECDHE key exchange provide strong security with reasonable embedded overhead.

Secure Boot

Secure boot verifies firmware integrity and authenticity before execution, preventing unauthorized code from running on the device. The boot process forms a chain of trust from hardware root to application code.

The first stage of secure boot typically runs from immutable ROM, establishing the root of trust. This code verifies the next boot stage using public-key signatures or symmetric authentication before transferring control.

Each subsequent boot stage verifies the next, extending the chain of trust through bootloader, operating system, and application layers. Failure at any stage prevents booting, ensuring only authorized code executes.

Firmware Updates

Secure firmware update mechanisms protect against installation of malicious or corrupted firmware. Updates must be authenticated to verify origin and encrypted if confidentiality is required.

Digital signatures provide strong authentication of firmware origin. The device stores the update authority's public key and verifies signatures before accepting updates. Multiple signatures can require approval from multiple parties.

Rollback protection prevents reinstallation of older, potentially vulnerable firmware versions. Monotonic counters or version numbers stored in secure memory ensure that only firmware newer than currently installed can be applied.