SE050: AES-128 Performance Issues

Those times correspond to the pure processing time of the TPM. We monitored (without introducing timing alterations) the exchange of commands and data over I2C between the microcontroller and the TPM. In this way, we can observe the time elapsed between the sending of the last MCU->TPM command that initiates the encryption and the moment the TPM has the result ready (while the TPM is busy computing, it responds with NACK to the I2C polling performed by the library: Plug & Trust Middleware).

If you only measure the execution time of the sss_cipher_one_go function, you will be adding the time required for data transfer, IV, the interval between pollings, and the result retrieval.

If you have been able to draw any additional conclusions, please let us know, it might be helpful to us as well.

Ok. We measured our timings in a very similar way as well (Using a logic analyser on the I2C bus rather than timing the sss command). We used from when the payload to be encrypted is finished being submitted to the SE050 to when the encrypted data is starting to be read back to the MCU. We also ignored the NACK polls in our timing calculations, and only computed the time that the SE050 should be processing.

Our I2C bus is running at 400Kbps, but since we are excluding all I2C polls/commands in our timings, then this should not matter. Our AES-128 key is a transient key, so I wonder if this has anything to do with our differences in performance. You would think a transient key would be the same or more performant than a persistent key, but who knows.

Understood, a few questions regarding that:

1. What is the polling strategy when NACKs are received? Is it a fixed interval (e.g., every 1–2 ms), or does it follow an incremental backoff approach? We’ve observed that one NXP implementation appears to apply an incremental delay upon receiving NACKs—for instance, delaying 1 ms after the first NACK, 2 ms after the second, 3 ms after the third, and so on.

2. Are you using kSSS_AuthType_None and kSSS_ConnectionType_Plain? I suspect enabling authentication and encryption might slow things down even more on the SE050’s end. In our case, we’re using an SE050C with no authentication or channel encryption.

3. fsl_sss_ftr.h config file:

/*
 *
 * Copyright 2018-2022,2024-2025 NXP
 * SPDX-License-Identifier: Apache-2.0
 */

#ifndef SSS_APIS_INC_FSL_SSS_FTR_H_
#define SSS_APIS_INC_FSL_SSS_FTR_H_

/* ************************************************************************** */
/* Defines                                                                    */
/* ************************************************************************** */

/* clang-format off */


/* # CMake Features : Start */


/** PTMW_Applet : The Secure Element Applet
 *
 * You can compile host library for different Applets listed below.
 * Please note, some of these Applets may be for NXP Internal use only.
 */

/** Compiling without any Applet Support */
#define SSS_HAVE_APPLET_NONE 0

/** SE050 Type A (ECC) */
#define SSS_HAVE_APPLET_SE05X_A 0

/** SE050 Type B (RSA) */
#define SSS_HAVE_APPLET_SE05X_B 0

/** SE050 (Super set of A + B), SE051, SE052 */
#define SSS_HAVE_APPLET_SE05X_C 1

/** SE051UWB (Similar to SE05x) */
#define SSS_HAVE_APPLET_SE051_UWB 0

/** SE051 with SPAKE Support */
#define SSS_HAVE_APPLET_SE051_H 0

/** AUTH */
#define SSS_HAVE_APPLET_AUTH 0

/** SE050E */
#define SSS_HAVE_APPLET_SE050_E 0

/** NXP Internal testing Applet */
#define SSS_HAVE_APPLET_LOOPBACK 0

#if (( 0                             \
    + SSS_HAVE_APPLET_NONE           \
    + SSS_HAVE_APPLET_SE05X_A        \
    + SSS_HAVE_APPLET_SE05X_B        \
    + SSS_HAVE_APPLET_SE05X_C        \
    + SSS_HAVE_APPLET_SE051_UWB      \
    + SSS_HAVE_APPLET_SE051_H        \
    + SSS_HAVE_APPLET_AUTH           \
    + SSS_HAVE_APPLET_SE050_E        \
    + SSS_HAVE_APPLET_LOOPBACK       \
    ) > 1)
#        error "Enable only one of 'PTMW_Applet'"
#endif


#if (( 0                             \
    + SSS_HAVE_APPLET_NONE           \
    + SSS_HAVE_APPLET_SE05X_A        \
    + SSS_HAVE_APPLET_SE05X_B        \
    + SSS_HAVE_APPLET_SE05X_C        \
    + SSS_HAVE_APPLET_SE051_UWB      \
    + SSS_HAVE_APPLET_SE051_H        \
    + SSS_HAVE_APPLET_AUTH           \
    + SSS_HAVE_APPLET_SE050_E        \
    + SSS_HAVE_APPLET_LOOPBACK       \
    ) == 0)
#        error "Enable at-least one of 'PTMW_Applet'"
#endif



/** PTMW_SE05X_Ver : Configures supported applet version.
 * Set it to match the version used on the SE.
 * Examples: for SE050A/B/C/F set 03_XX, for SE050E/51/A5000/SE052 set 07_02.
 *
 *
 */

/** SE050A/B/C/F */
#define SSS_HAVE_SE05X_VER_03_XX 1

/** SE050E/51/A5000/SE052 */
#define SSS_HAVE_SE05X_VER_07_02 0

#if (( 0                             \
    + SSS_HAVE_SE05X_VER_03_XX       \
    + SSS_HAVE_SE05X_VER_07_02       \
    ) > 1)
#        error "Enable only one of 'PTMW_SE05X_Ver'"
#endif


#if (( 0                             \
    + SSS_HAVE_SE05X_VER_03_XX       \
    + SSS_HAVE_SE05X_VER_07_02       \
    ) == 0)
#        error "Enable at-least one of 'PTMW_SE05X_Ver'"
#endif



/** PTMW_HostCrypto : Counterpart Crypto on Host
 *
 * What is being used as a cryptographic library on the host.
 * As of now only OpenSSL / mbedTLS is supported
 */

/** Use mbedTLS as host crypto */
#define SSS_HAVE_HOSTCRYPTO_MBEDTLS 0

/** Use OpenSSL as host crypto */
#define SSS_HAVE_HOSTCRYPTO_OPENSSL 0

/** User Implementation of Host Crypto
 * e.g. Files at ``sss/src/user/crypto`` have low level AES/CMAC primitives.
 * The files at ``sss/src/user`` use those primitives.
 * This becomes an example for users with their own AES Implementation
 * This then becomes integration without mbedTLS/OpenSSL for SCP03 / AESKey.
 *
 * .. note:: ECKey abstraction is not implemented/available yet. */
#define SSS_HAVE_HOSTCRYPTO_USER 0

/** NO Host Crypto
 * Note, this is unsecure and only provided for experimentation
 * on platforms that do not have an mbedTLS PORT
 * Many :ref:`sssftr-control` have to be disabled to have a valid build. */
#define SSS_HAVE_HOSTCRYPTO_NONE 1

#if (( 0                             \
    + SSS_HAVE_HOSTCRYPTO_MBEDTLS    \
    + SSS_HAVE_HOSTCRYPTO_OPENSSL    \
    + SSS_HAVE_HOSTCRYPTO_USER       \
    + SSS_HAVE_HOSTCRYPTO_NONE       \
    ) > 1)
#        error "Enable only one of 'PTMW_HostCrypto'"
#endif


#if (( 0                             \
    + SSS_HAVE_HOSTCRYPTO_MBEDTLS    \
    + SSS_HAVE_HOSTCRYPTO_OPENSSL    \
    + SSS_HAVE_HOSTCRYPTO_USER       \
    + SSS_HAVE_HOSTCRYPTO_NONE       \
    ) == 0)
#        error "Enable at-least one of 'PTMW_HostCrypto'"
#endif



/** PTMW_mbedTLS_ALT : ALT Engine implementation for mbedTLS
 *
 * When set to None, mbedTLS would not use ALT Implementation to connect to / use Secure Element.
 * This needs to be set to SSS for Cloud Demos over SSS APIs
 */

/** Use SSS Layer ALT implementation */
#define SSS_HAVE_MBEDTLS_ALT_SSS 0

/** Enable TF-M based on PSA as ALT */
#define SSS_HAVE_MBEDTLS_ALT_PSA 0

/** Not using any mbedTLS_ALT
 *
 * When this is selected, cloud demos can not work with mbedTLS */
#define SSS_HAVE_MBEDTLS_ALT_NONE 1

#if (( 0                             \
    + SSS_HAVE_MBEDTLS_ALT_SSS       \
    + SSS_HAVE_MBEDTLS_ALT_PSA       \
    + SSS_HAVE_MBEDTLS_ALT_NONE      \
    ) > 1)
#        error "Enable only one of 'PTMW_mbedTLS_ALT'"
#endif


#if (( 0                             \
    + SSS_HAVE_MBEDTLS_ALT_SSS       \
    + SSS_HAVE_MBEDTLS_ALT_PSA       \
    + SSS_HAVE_MBEDTLS_ALT_NONE      \
    ) == 0)
#        error "Enable at-least one of 'PTMW_mbedTLS_ALT'"
#endif



/** PTMW_SCP : Secure Channel Protocol
 *
 * In case we enable secure channel to Secure Element, which interface to be used.
 */

/**  */
#define SSS_HAVE_SCP_NONE 1

/** Use SSS Layer for SCP.  Used for SE050 family. */
#define SSS_HAVE_SCP_SCP03_SSS 0

#if (( 0                             \
    + SSS_HAVE_SCP_NONE              \
    + SSS_HAVE_SCP_SCP03_SSS         \
    ) > 1)
#        error "Enable only one of 'PTMW_SCP'"
#endif


#if (( 0                             \
    + SSS_HAVE_SCP_NONE              \
    + SSS_HAVE_SCP_SCP03_SSS         \
    ) == 0)
#        error "Enable at-least one of 'PTMW_SCP'"
#endif



/** PTMW_FIPS : Enable or disable FIPS
 *
 * This selection mostly impacts tests, and generally not the actual Middleware
 */

/** NO FIPS */
#define SSS_HAVE_FIPS_NONE 1

/** SE050 IC FIPS */
#define SSS_HAVE_FIPS_SE050 0

/** FIPS 140-2 */
#define SSS_HAVE_FIPS_140_2 0

/** FIPS 140-3 */
#define SSS_HAVE_FIPS_140_3 0

#if (( 0                             \
    + SSS_HAVE_FIPS_NONE             \
    + SSS_HAVE_FIPS_SE050            \
    + SSS_HAVE_FIPS_140_2            \
    + SSS_HAVE_FIPS_140_3            \
    ) > 1)
#        error "Enable only one of 'PTMW_FIPS'"
#endif


#if (( 0                             \
    + SSS_HAVE_FIPS_NONE             \
    + SSS_HAVE_FIPS_SE050            \
    + SSS_HAVE_FIPS_140_2            \
    + SSS_HAVE_FIPS_140_3            \
    ) == 0)
#        error "Enable at-least one of 'PTMW_FIPS'"
#endif



/** PTMW_SBL : Enable/Disable SBL Bootable support
 *
 * This option is to enable/disable boot from SBL by switching linker address
 */

/** Not SBL bootable */
#define SSS_HAVE_SBL_NONE 1

/** SE050 based LPC55S SBL bootable */
#define SSS_HAVE_SBL_SBL_LPC55S 0

#if (( 0                             \
    + SSS_HAVE_SBL_NONE              \
    + SSS_HAVE_SBL_SBL_LPC55S        \
    ) > 1)
#        error "Enable only one of 'PTMW_SBL'"
#endif


#if (( 0                             \
    + SSS_HAVE_SBL_NONE              \
    + SSS_HAVE_SBL_SBL_LPC55S        \
    ) == 0)
#        error "Enable at-least one of 'PTMW_SBL'"
#endif



/** PTMW_SE05X_Auth : SE050 Authentication
 *
 * This settings is used by examples to connect using various options
 * to authenticate with the Applet.
 * The SE05X_Auth options can be changed for MCU-SDK Demos and Examples.
 * To change SE05X_Auth option follow below steps.
 * Set flag ``SSS_HAVE_SCP_SCP03_SSS`` to 1 and Reset flag ``SSS_HAVE_SCP_NONE`` to 0.
 * To change SE05X_Auth option other than ``None`` and  ``PlatfSCP03``,
 * execute se05x_Delete_and_test_provision.exe in order to provision the Authentication Key.
 * To change SE05X_Auth option to ``ECKey`` or ``ECKey_PlatfSCP03``,
 * Set additional flag ``SSS_HAVE_HOSTCRYPTO_ANY`` to 1.
 */

/** Use the default session (i.e. session less) login */
#define SSS_HAVE_SE05X_AUTH_NONE 1

/** Do User Authentication with UserID */
#define SSS_HAVE_SE05X_AUTH_USERID 0

/** Use Platform SCP for connection to SE */
#define SSS_HAVE_SE05X_AUTH_PLATFSCP03 0

/** Do User Authentication with AES Key
 * Earlier this was called AppletSCP03 */
#define SSS_HAVE_SE05X_AUTH_AESKEY 0

/** Do User Authentication with EC Key
 * Earlier this was called FastSCP */
#define SSS_HAVE_SE05X_AUTH_ECKEY 0

/** UserID and PlatfSCP03 */
#define SSS_HAVE_SE05X_AUTH_USERID_PLATFSCP03 0

/** AESKey and PlatfSCP03 */
#define SSS_HAVE_SE05X_AUTH_AESKEY_PLATFSCP03 0

/** ECKey and PlatfSCP03 */
#define SSS_HAVE_SE05X_AUTH_ECKEY_PLATFSCP03 0

#if (( 0                             \
    + SSS_HAVE_SE05X_AUTH_NONE       \
    + SSS_HAVE_SE05X_AUTH_USERID     \
    + SSS_HAVE_SE05X_AUTH_PLATFSCP03 \
    + SSS_HAVE_SE05X_AUTH_AESKEY     \
    + SSS_HAVE_SE05X_AUTH_ECKEY      \
    + SSS_HAVE_SE05X_AUTH_USERID_PLATFSCP03 \
    + SSS_HAVE_SE05X_AUTH_AESKEY_PLATFSCP03 \
    + SSS_HAVE_SE05X_AUTH_ECKEY_PLATFSCP03 \
    ) > 1)
#        error "Enable only one of 'PTMW_SE05X_Auth'"
#endif


#if (( 0                             \
    + SSS_HAVE_SE05X_AUTH_NONE       \
    + SSS_HAVE_SE05X_AUTH_USERID     \
    + SSS_HAVE_SE05X_AUTH_PLATFSCP03 \
    + SSS_HAVE_SE05X_AUTH_AESKEY     \
    + SSS_HAVE_SE05X_AUTH_ECKEY      \
    + SSS_HAVE_SE05X_AUTH_USERID_PLATFSCP03 \
    + SSS_HAVE_SE05X_AUTH_AESKEY_PLATFSCP03 \
    + SSS_HAVE_SE05X_AUTH_ECKEY_PLATFSCP03 \
    ) == 0)
#        error "Enable at-least one of 'PTMW_SE05X_Auth'"
#endif



/** PTMW_OpenSSL : For PC, which OpenSSL to pick up
 *
 * On Linux based builds, this option has no impact, because the build system
 * picks up the default available/installed OpenSSL from the system directly.
 */

/** Use 1.1.1 version (Only applicable on PC) */
#define SSS_HAVE_OPENSSL_1_1_1 0

/** Use 3.0 version (Only applicable on PC) */
#define SSS_HAVE_OPENSSL_3_0 1

#if (( 0                             \
    + SSS_HAVE_OPENSSL_1_1_1         \
    + SSS_HAVE_OPENSSL_3_0           \
    ) > 1)
#        error "Enable only one of 'PTMW_OpenSSL'"
#endif


#if (( 0                             \
    + SSS_HAVE_OPENSSL_1_1_1         \
    + SSS_HAVE_OPENSSL_3_0           \
    ) == 0)
#        error "Enable at-least one of 'PTMW_OpenSSL'"
#endif



/** PTMW_MBedTLS : Which MBedTLS version to choose
 */

/** Use 2.X version */
#define SSS_HAVE_MBEDTLS_2_X 1

/** Use 3.X version */
#define SSS_HAVE_MBEDTLS_3_X 0

#if (( 0                             \
    + SSS_HAVE_MBEDTLS_2_X           \
    + SSS_HAVE_MBEDTLS_3_X           \
    ) > 1)
#        error "Enable only one of 'PTMW_MBedTLS'"
#endif


#if (( 0                             \
    + SSS_HAVE_MBEDTLS_2_X           \
    + SSS_HAVE_MBEDTLS_3_X           \
    ) == 0)
#        error "Enable at-least one of 'PTMW_MBedTLS'"
#endif



/** PTMW_SE_RESET_LOGIC : Reset logic of Secure Element.
 * The value of this will be used for 'SE_RESET_LOGIC' define in 'se05x_ic_reset' function.
 * Select 1 (Active High) for SE050 and 51.
 * Select 0 (Active low) for SE052.
 */

/** reset logic is set to 1 */
#define SSS_HAVE_SE_RESET_LOGIC_1 1

/** reset logic is set to 0 */
#define SSS_HAVE_SE_RESET_LOGIC_0 0

#if (( 0                             \
    + SSS_HAVE_SE_RESET_LOGIC_1      \
    + SSS_HAVE_SE_RESET_LOGIC_0      \
    ) > 1)
#        error "Enable only one of 'PTMW_SE_RESET_LOGIC'"
#endif


#if (( 0                             \
    + SSS_HAVE_SE_RESET_LOGIC_1      \
    + SSS_HAVE_SE_RESET_LOGIC_0      \
    ) == 0)
#        error "Enable at-least one of 'PTMW_SE_RESET_LOGIC'"
#endif


/* ====================================================================== *
 * == Feature selection/values ========================================== *
 * ====================================================================== */


/** SE05X Secure Element : Symmetric AES */
#define SSSFTR_SE05X_AES 1

/** SE05X Secure Element : Elliptic Curve Cryptography */
#define SSSFTR_SE05X_ECC 1

/** SE05X Secure Element : RSA */
#define SSSFTR_SE05X_RSA 1

/** SE05X Secure Element : KEY operations : SET Key */
#define SSSFTR_SE05X_KEY_SET 1

/** SE05X Secure Element : KEY operations : GET Key */
#define SSSFTR_SE05X_KEY_GET 1

/** SE05X Secure Element : Authenticate via ECKey */
#define SSSFTR_SE05X_AuthECKey 1

/** SE05X Secure Element : Allow creation of user/authenticated session.
 *
 * If the intended deployment only uses Platform SCP
 * Or it is a pure session less integration, this can
 * save some code size. */
#define SSSFTR_SE05X_AuthSession 1

/** SE05X Secure Element : Allow creation/deletion of Crypto Objects
 *
 * If disabled, new Crytpo Objects are neither created and
 * old/existing Crypto Objects are not deleted.
 * It is assumed that during provisioning phase, the required
 * Crypto Objects are pre-created or they are never going to
 * be needed. */
#define SSSFTR_SE05X_CREATE_DELETE_CRYPTOOBJ 1

/** Software : Symmetric AES */
#define SSSFTR_SW_AES 0

/** Software : Elliptic Curve Cryptography */
#define SSSFTR_SW_ECC 0

/** Software : RSA */
#define SSSFTR_SW_RSA 0

/** Software : KEY operations : SET Key */
#define SSSFTR_SW_KEY_SET 0

/** Software : KEY operations : GET Key */
#define SSSFTR_SW_KEY_GET 0

/** Software : Used as a test counterpart
 *
 * e.g. Major part of the mebdTLS SSS layer is purely used for
 * testing of Secure Element implementation, and can be avoided
 * fully during many production scenarios. */
#define SSSFTR_SW_TESTCOUNTERPART 0

/* ====================================================================== *
 * == Computed Options ================================================== *
 * ====================================================================== */

/** Symmetric AES */
#define SSSFTR_AES               (SSSFTR_SE05X_AES + SSSFTR_SW_AES)
/** Elliptic Curve Cryptography */
#define SSSFTR_ECC               (SSSFTR_SE05X_ECC + SSSFTR_SW_ECC)
/** RSA */
#define SSSFTR_RSA               (SSSFTR_SE05X_RSA + SSSFTR_SW_RSA)
/** KEY operations : SET Key */
#define SSSFTR_KEY_SET           (SSSFTR_SE05X_KEY_SET + SSSFTR_SW_KEY_SET)
/** KEY operations : GET Key */
#define SSSFTR_KEY_GET           (SSSFTR_SE05X_KEY_GET + SSSFTR_SW_KEY_GET)
/** KEY operations */
#define SSSFTR_KEY               (SSSFTR_KEY_SET + SSSFTR_KEY_GET)
/** KEY operations */
#define SSSFTR_SE05X_KEY         (SSSFTR_SE05X_KEY_SET + SSSFTR_SE05X_KEY_GET)
/** KEY operations */
#define SSSFTR_SW_KEY            (SSSFTR_SW_KEY_SET + SSSFTR_SW_KEY_GET)


#define SSS_HAVE_APPLET \
 (SSS_HAVE_APPLET_SE05X_A | SSS_HAVE_APPLET_SE05X_B | SSS_HAVE_APPLET_SE05X_C | SSS_HAVE_APPLET_SE051_UWB | SSS_HAVE_APPLET_SE051_H | SSS_HAVE_APPLET_AUTH | SSS_HAVE_APPLET_SE050_E | SSS_HAVE_APPLET_LOOPBACK)

#define SSS_HAVE_APPLET_SE05X_IOT \
 (SSS_HAVE_APPLET_SE05X_A | SSS_HAVE_APPLET_SE05X_B | SSS_HAVE_APPLET_SE05X_C | SSS_HAVE_APPLET_SE051_UWB | SSS_HAVE_APPLET_SE051_H | SSS_HAVE_APPLET_AUTH | SSS_HAVE_APPLET_SE050_E)

#define SSS_HAVE_MBEDTLS_ALT \
 (SSS_HAVE_MBEDTLS_ALT_SSS | SSS_HAVE_MBEDTLS_ALT_PSA)

#define SSS_HAVE_HOSTCRYPTO_ANY \
 (SSS_HAVE_HOSTCRYPTO_MBEDTLS | SSS_HAVE_HOSTCRYPTO_OPENSSL | SSS_HAVE_HOSTCRYPTO_USER)

#define SSS_HAVE_FIPS \
 (SSS_HAVE_FIPS_SE050 | SSS_HAVE_FIPS_140_2 | SSS_HAVE_FIPS_140_3)


/* Version checks GTE - Greater Than Or Equal To */
#if SSS_HAVE_APPLET_SE05X_IOT
#    if SSS_HAVE_SE05X_VER_07_02
#        define SSS_HAVE_SE05X_VER_GTE_07_02 1
#        define SSS_HAVE_SE05X_VER_GTE_03_XX 1
#    endif /* SSS_HAVE_SE05X_VER_07_02 */
#    if SSS_HAVE_SE05X_VER_03_XX
#        define SSS_HAVE_SE05X_VER_GTE_07_02 0
#        define SSS_HAVE_SE05X_VER_GTE_03_XX 1
#    endif /* SSS_HAVE_SE05X_VER_03_XX */
#else //SSS_HAVE_APPLET_SE05X_IOT
#   define SSS_HAVE_SE05X_VER_GTE_03_XX 0
#   define SSS_HAVE_SE05X_VER_GTE_07_02 0
#endif // SSS_HAVE_APPLET_SE05X_IOT
/** Deprecated items. Used here for backwards compatibility. */


/* # CMake Features : END */

/* ========= Miscellaneous values : START =================== */

/* ECC Mode is available */
#define SSS_HAVE_ECC 1

/* RSA is available */
#define SSS_HAVE_RSA 1

/* Edwards Curve is enabled */
#define SSS_HAVE_EC_ED 1

/* Montgomery Curve is enabled */
#define SSS_HAVE_EC_MONT 1

/* MIFARE DESFire is enabled */
#define SSS_HAVE_MIFARE_DESFIRE 1

/* PBKDF2 is enabled */
#define SSS_HAVE_PBKDF2 1

/* TLS handshake support on SE is enabled */
#define SSS_HAVE_TLS_HANDSHAKE 1

/* Import Export Key is enabled */
#define SSS_HAVE_IMPORT 1

/* With NXP NFC Reader Library */
#define SSS_HAVE_NXPNFCRDLIB 0

/* For backwards compatibility */
#define SSS_HAVE_TESTCOUNTERPART (SSSFTR_SW_TESTCOUNTERPART)

/* ========= Miscellaneous values : END ===================== */

/* Enable one of these
 * If none is selected, default config would be used
 */
#define SSS_PFSCP_ENABLE_SE050A1 0
#define SSS_PFSCP_ENABLE_SE050A2 0
#define SSS_PFSCP_ENABLE_SE050B1 0
#define SSS_PFSCP_ENABLE_SE050B2 0
#define SSS_PFSCP_ENABLE_SE050C1 0
#define SSS_PFSCP_ENABLE_SE050C2 0
#define SSS_PFSCP_ENABLE_SE050_DEVKIT 0
#define SSS_PFSCP_ENABLE_SE051A2 0
#define SSS_PFSCP_ENABLE_SE051C2 0
#define SSS_PFSCP_ENABLE_SE050F2 0
#define SSS_PFSCP_ENABLE_SE051C_0005A8FA 0
#define SSS_PFSCP_ENABLE_SE051A_0001A920 0
#define SSS_PFSCP_ENABLE_SE050E_0001A921 0
#define SSS_PFSCP_ENABLE_SE051W_0005A739 0
#define SSS_PFSCP_ENABLE_A5000_0004A736 0
#define SSS_PFSCP_ENABLE_SE050F2_0001A92A 0
#define SSS_PFSCP_ENABLE_SE052_B501 0
#define SSS_PFSCP_ENABLE_OTHER 0

/* ========= Calculated values : START ====================== */

/* Should we expose, SSS APIs */
#define SSS_HAVE_SSS ( 0             \
    + SSS_HAVE_APPLET_SE05X_IOT      \
    + SSS_HAVE_HOSTCRYPTO_OPENSSL    \
    + SSS_HAVE_HOSTCRYPTO_MBEDTLS    \
    + SSS_HAVE_HOSTCRYPTO_USER       \
    )

#if SSS_HAVE_HOSTCRYPTO_NONE
#   undef  SSSFTR_SE05X_AuthSession
#   define SSSFTR_SE05X_AuthSession 0
#endif

/* Montgomery curves is not supported in SE05X_A */
#if SSS_HAVE_APPLET_SE05X_A
#       undef SSS_HAVE_EC_MONT
#       define SSS_HAVE_EC_MONT 0
    /* ED is not supported in SE050_A */
#    if SSS_HAVE_SE05X_VER_03_XX
#       undef SSS_HAVE_EC_ED
#       define SSS_HAVE_EC_ED 0
#    endif // SSS_HAVE_SE05X_VER_03_XX
#endif // SSS_HAVE_APPLET_SE05X_A

#if SSS_HAVE_RSA
#    if SSS_HAVE_APPLET_SE051_UWB
#       define SSS_HAVE_RSA_4K 0
#    else
#       define SSS_HAVE_RSA_4K 1
#    endif // SSS_HAVE_APPLET_SE051_UWB
#endif // SSS_HAVE_RSA


#if SSS_HAVE_ECC
#   define SSS_HAVE_EC_NIST_192 1
#   define SSS_HAVE_EC_NIST_224 1
#   define SSS_HAVE_EC_NIST_256 1
#   define SSS_HAVE_EC_NIST_384 1
#   define SSS_HAVE_EC_NIST_521 1
#   define SSS_HAVE_EC_BP 1
#   define SSS_HAVE_EC_NIST_K 1
#   define SSS_HAVE_EDDSA 1
#   if SSS_HAVE_APPLET_SE05X_A
#      undef SSS_HAVE_EDDSA
#      define SSS_HAVE_EDDSA 0
#   endif // SSS_HAVE_APPLET_SE05X_A
#   if SSS_HAVE_APPLET_AUTH
#      undef SSS_HAVE_EC_NIST_192
#      undef SSS_HAVE_EC_NIST_224
#      undef SSS_HAVE_EC_NIST_521
#      undef SSS_HAVE_EC_BP
#      undef SSS_HAVE_EC_NIST_K
#      undef SSS_HAVE_EDDSA
#      define SSS_HAVE_EC_NIST_192 0
#      define SSS_HAVE_EC_NIST_224 0
#      define SSS_HAVE_EC_NIST_521 0
#      define SSS_HAVE_EC_BP 0
#      define SSS_HAVE_EC_NIST_K 0
#      define SSS_HAVE_EDDSA 0
#   endif // SSS_HAVE_APPLET_AUTH
#endif // SSS_HAVE_ECC

#if SSS_HAVE_APPLET
#    if SSS_HAVE_APPLET_AUTH
#       define SSS_HAVE_HASH_1 0
#       define SSS_HAVE_HASH_224 0
#       define SSS_HAVE_HASH_512 0
#    else
#       define SSS_HAVE_HASH_1 1
#       define SSS_HAVE_HASH_224 1
#       define SSS_HAVE_HASH_512 1
#    endif // SSS_HAVE_APPLET_AUTH
#    if SSS_HAVE_APPLET_SE050_E
#       undef SSS_HAVE_RSA
#       define SSS_HAVE_RSA 0
#    endif //SSS_HAVE_APPLET_SE050_E
#    if SSS_HAVE_RSA
#        if SSS_HAVE_APPLET_SE051_H
#           undef SSS_HAVE_RSA_4K
#           define SSS_HAVE_RSA_4K 0
#           define SSS_HAVE_RSA_3K 0
#        else
#        define SSS_HAVE_RSA_3K 1
#        endif //SSS_HAVE_APPLET_SE051_H
#    endif //SSS_HAVE_RSA
#endif



/* ========= Calculated values : END ======================== */

/* clang-format on */

#endif /* SSS_APIS_INC_FSL_SSS_FTR_H_ */

 

On the polling backoff approach, we did obverse a bit of this behavior, but it would only ramp up to 2ms max (so have a single 1ms poll to start and then it moves to 2ms for the rest).

We are using encrypted comms over SCP03 (kSSS_ConnectionType_Encrypted), so yes I would suspect this might be the main cause of our quite different observations on timing.

We are using quite a old version of the Plug and Trust library as well (v03.03) so this may also be why we have some differences.

We don't see any difference in encryption time whether the key is in RAM (kKeyObject_Mode_Transient) or persisted (kKeyObject_Mode_Persistent).

Thank you for your quick response.
So, it's normal for the SE050 to take 15 ms to process the AES-128 CBC encryption of 16 bytes, right?
Is the SE052F faster in this regard?

We couldn't find any processing time values in the datasheet/application notes to evaluate whether this behavior is expected or not.

Hi @mpistarelli ,

 

Yes, you are right, and SE052F behaves the same.

 

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------