Topic: Reducing binary size ECIES

I'm implementing ECIES (https://en.wikipedia.org/wiki/Integrate … ion_Scheme) using Wolfcrypt to evaluate whether we can use it in a product that runs an embedded Linux environment with very limited code space available. So the goal is to make the binary as small as possible. I read that wolfSSL can often be built using between 30k and 100k of code space, and since we are only using a subset of the functionality I was hoping that I could get it down to somewhere in that range, but so far with a small test app the smallest binary I have been able to produce is 255K (after running "strip" to remove the symbols).

I used this command to configure before building WolfSSL:
./configure --enable-static --disable-rsa --disable-errorstrings --disable-oldtls --disable-oaep --disable-md5 --disable-sha3 --disable-sha224 --disable-asyncthreads --disable-examples --disable-crypttests --disable-chacha --disable-eccshamir --disable-aescbc --disable-sha512 --disable-poly1305

The libwolfssl.a static library that this produces is 426K; when I link this to my small test application, the total binary size is 255K. When I link my application dynamically (to the .so) the size is only 20K, so I think the wolfcrypt library code is making up the bulk of the binary size. Is there anything else I can try to make this binary smaller?

The Wolfcrypt/WolfSSL functions I am using are:
wc_ecc_import_point_der
wc_ecc_shared_secret_ex
wc_ecc_get_curve_size_from_id
wc_ecc_make_key_ex
wc_ecc_init
wc_EccPrivateKeyDecode
wc_ecc_export_private_only
wc_ecc_export_public_raw
wolfSSL_Init


Re: Reducing binary size ECIES

Hi @sryan,

One of our engineers is going over your build and settings and will post some suggestions here soon. While they are looking into that, can you just tell us if you plan on using the SSL/TLS at all? If you are only using the ECC APIs, then we can also suggest how to entirely disable the TLS parts of the library, leaving you with just the crypto, and you can replace wolfSSL_Init with wolfCrypt_Init.

Cheers,

KH

Re: Reducing binary size ECIES

Thanks Kaleb, that is correct that we are just using the ECC API. I built it again with the "enable-cryptonly" flag set and the binary size is down to 139k so that's a major improvement already.


Re: Reducing binary size ECIES

Hi @sryan,

There are several additional configuration options that can be disabled to help reduce footprint size. If you plan on using only SHA-256, we suggest disabling SHA-1 and SHA-384 in addition to SHA-512 and SHA-3.

Combined with your current configure options, I’ve listed some configure suggestions below that may be useful:
--disable-sha
--disable-sha384
--disable-sha512
--disable-aes
--disable-aesgcm
--disable-dh
--disable-asm

Is footprint size the main concern for your application? A couple of tradeoffs to consider: decreasing footprint size will generally slow down performance and stronger security typically involves a larger footprint and reduced performance. If performance isn’t an issue, then another suggestion is to define USE_SLOW_SHA256 and NO_INLINE in your CFLAGS.

Best,

Carie

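An added example, not from any poster in this thread: one way to see which members of the static library still cost code space after each configure change is to rank the Berkeley-format output of binutils `size` by text + data. The object names and byte counts in the sample are constructed for illustration; on a real build, pipe `size libwolfssl.a` into `rank_objects` instead.

```shell
#!/bin/sh
# Rank static-library members by flash footprint (text + data) so each
# --disable-* change can be judged by what it actually removed.
# Input: Berkeley-format output of `size <archive>.a` on stdin.

# Print "<bytes> <member>" per object, largest first.
rank_objects() {
    awk '
        $1 == "text" { next }                 # header row printed by size
        NF >= 6 && $1 ~ /^[0-9]+$/ {          # text data bss dec hex filename
            printf "%d %s\n", $1 + $2, $6     # bss is RAM only, so excluded
        }
    ' | sort -k1,1nr
}

# Sum the footprint column produced by rank_objects.
total_flash() {
    rank_objects | awk '{ s += $1 } END { print s + 0 }'
}

# Constructed sample (hypothetical member names and sizes), shaped like
# the output of `size libwolfssl.a`.
sample_size_output() {
    cat <<'EOF'
   text    data     bss     dec     hex filename
   6000       0       0    6000    1770 sha256.o (ex libwolfssl.a)
  40000      96       0   40096    9ca0 ecc.o (ex libwolfssl.a)
   3000       8      16    3024     bd0 random.o (ex libwolfssl.a)
  20000    4096       0   24096    5e20 aes.o (ex libwolfssl.a)
EOF
}

# Demo run on the constructed sample.
sample_size_output | rank_objects
echo "total flash bytes: $(sample_size_output | total_flash)"
```

A member that still ranks high after a rebuild shows where the remaining footprint sits. The linker only pulls in the archive members the application references, so the archive total is an upper bound on what ends up in the final binary.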