
Optimizing Crypto on Embedded Microcontrollers

Trainer: Peter Schwabe & Matthias Kannwischer

Date: 5th - 7th July 2021 (5 hrs for 3 days)

Time: 9:00am to 2:00pm PDT

Platform: Zoom + Discord


Day 1: The first day will start with an introductory lecture about programming embedded microcontrollers and optimizing software on the assembly level. This lecture will also highlight how optimizing cryptographic software requires special care not to leak secret information through timing, and it will introduce the so-called "constant-time" programming paradigm. We will then move to the first of two exercises, namely optimizing the stream cipher ChaCha20 on an ARM Cortex-M4. In this exercise we start from an unoptimized C reference implementation and re-implement the core of ChaCha20 in assembly to obtain better performance.

Day 2: We will first continue working on the first exercise and then move to a lecture on big-integer arithmetic, a core sub-routine of current asymmetric cryptography like RSA or elliptic-curve cryptography. As a small example of a cryptographic algorithm that requires big-integer arithmetic, we will consider the Poly1305 authenticator in the second exercise. Again, we will start from an unoptimized C reference implementation; but for this exercise, optimization does not require the use of assembly.

Day 3: Through most of day three, we will continue working on the second exercise and then combine the results of both exercises to obtain an implementation of ChaCha20-Poly1305 as described in RFC 7539 and widely deployed in TLS.

Topics covered during the course:

  • Programming embedded microcontrollers, using the STM32F407 as an example
  • Optimizing software on the assembly level
  • Optimizing cryptographic software and the "constant-time" programming paradigm
  • Algorithms for multiprecision arithmetic


After this training you will be able to

  • program embedded microcontrollers using nothing but simple open-source command-line tools;
  • optimize simple but performance-critical sub-routines on the assembly level;
  • recognize and eliminate timing leaks from (cryptographic) software;
  • implement big-integer arithmetic, a core building block for today's asymmetric cryptography.


  • Professionals who use cryptographic libraries for (embedded) applications and would like to understand more about how such software is written.
  • Anybody who is interested in programming embedded microcontrollers at the C and assembly level.


  • Participants should be familiar with the C programming language.
  • Prior experience with programming in assembly is not required, neither is experience with programming embedded microcontrollers.


Peter Schwabe is research group leader at MPI-SP and professor at Radboud University. He graduated from RWTH Aachen University in computer science in 2006 and received a Ph.D. from the Faculty of Mathematics and Computer Science of Eindhoven University of Technology in 2011. He then worked as a postdoctoral researcher at the Institute for Information Science and the Research Center for Information Technology Innovation of Academia Sinica, Taiwan and at National Taiwan University. His research area is cryptographic engineering; in particular the security and performance of cryptographic software. He published more than 50 articles in journals and at international conferences presenting, for example, fast software for a variety of cryptographic primitives including AES, hash functions, elliptic-curve cryptography, and cryptographic pairings. He has also published articles on fast cryptanalysis, in particular attacks on the discrete-logarithm problem. In recent years he has focused in particular on post-quantum cryptography. He co-authored the "NewHope" and "NTRU-HRSS" lattice-based key-encapsulation schemes which were used in post-quantum TLS experiments by Google and is co-submitter of seven proposals to the NIST post-quantum crypto project, all of which made it to the second round and five of which made it to the third round.