[loup-vaillant]

Use Monocypher, TweetNaCl, or Libsodium.

Monocypher is portable (C99/C++), pretty fast, and has low memory footprint (generated binary between 30kB and 60kB). Problem: it isn't trusted yet. (I'd like to run a bug bounty, but I'm not sure how I should go about it.)

TweetNaCl is portable (C89), has low memory footprint, and is made by trustworthy professional cryptographers. Problem: it is slow.

Libsodium is blazing fast on modern processors, has portable implementations, and is trusted. Problem: it is pretty big, and I hate the auto tools.

Edit: of course, those recommendations only hold if you have a trustworthy RNG.

[vardump]

What could be used with a small/medium sized microcontroller, something like 64 kB total flash budget and 4-20 kB RAM?

IOW, Cortex M0 territory.

Small IoT is about this size, so I think many will be interested in some answers... any answers.

Say, for securely transmitting sensor data to an x86 server (or similar) without hardcoding symmetric keys on the devices.

[loup-vaillant]

Take Monocypher or TweetNaCL, and rip off any primitive you don't need. This may be enough. Even when you take the whole thing, Monocypher only needs 30kb of x86-64 machine code when compiled with -Os. If you only keep authenticated encryption and x25519, which are enough for many uses, I think you should be able to halve that down to 15kb or less.

If speed doesn't matter, TweetNaCl is even smaller.

If those aren't enough still, you may want to dive in, learn a ton about crypto (starting with https://www.crypto101.io/), and investigate the sponge construction, whose versatility may allow you to shrink the code even more. Perhaps. I'm in over my head at this point.

[posterboy]

avr has aes extensions, surely arm cortex-m has similar. are those any good, are they used by the libs you mention?

[tptacek]

Neither of those libraries uses any extensions. TweetNaCl is a famously minimal implementation of NaCl in portable C by the NaCl authors. Monocypher is a library 'loup-vaillant wrote as a sort of side project. TweetNaCl does see some use, but libsodium is the most popular NaCl implementation, and libsodium's author provides his own low-footprint misuse-resistant crypto API separately.

Neither TweetNaCl nor 'loup-vaillant's library really addresses the low-footprint concern.

[loup-vaillant]

If they have hardware AES support, forget everything I said. Monocypher and TweetNacl are portable C, they don't use extensions of any kind.

[asd2r23dasd]

When you're that small it really requires more context. What are you trying to do?

I've deployed TLS in 50 KiB flash and 6 Kb RAM. But I could rely on hardware support for some public key operations and could pick a single ciphersuite, and controlled the server end as well.

The boring answer is that you'll need to identify the set of primitives you need and then find a library that matches. I can't think of any single primitive that would break that budget, so it'll depend on how many you need!

[JoachimS]

You need to provide more info.

  1. How much of your flash budget is eaten up by the application?

  2. What performance do you need for different use cases and operations?

Generally, RAM is often the least of your problems. And if you are into Cortex M0 or even M0+ territory, your MCU will quite probably sport an AES-128 core. Even if it is slow you should try and use that.

[blattimwind]

libhydrogen might be an option.

[MrBuddyCasino]

Got an opinion on BearSSL?

[tptacek]

I can't be sure, but I think he thinks you should use his thing.

[loup-vaillant]

I'm not yet to the point where I can recommend my thing without even mentioning the other two competitors. I did get bloody thorough, though, and I do think it is good enough for me to bet my job. (Meaning, I'd be willing to lose my job if my employer uses Monocypher on my watch, and data gets leaked because of that choice.)

(As for the original question, I don't know BearSSL enough to have an opinion. It does seem however to get even further than Monocypher on the constant time thing. Monocypher needs the platform to provide constant time 64-bit multiplication. Most do, but not all.)

[dsacco]

> (Meaning, I'd be willing to lose my job if my employer uses Monocypher on my watch, and data gets leaked because of that choice.)

Would you be willing to be personally liable for that data leak?

(Put aside the philosophical question of whether or not it's reasonably for developers to be personally liable for their software failures - I'm interested in how far your confidence in your cryptography goes).