IoTDisco: Strong yet Lightweight End-to-End Security for the Internet of Constrained Things

  • Conference paper
  • Mobile, Secure, and Programmable Networking (MSPN 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14482)

Abstract

Most widely-used protocols for end-to-end security, such as TLS and its datagram variant DTLS, are highly computation-intensive and introduce significant communication overheads, which makes them impractical for resource-restricted IoT devices. The recently-introduced Disco protocol framework provides a clean and well-documented basis for the design of strong end-to-end security with lower complexity than the (D)TLS protocol and no legacy baggage. Disco consists of two sub-protocols, namely Noise (known from e.g., WhatsApp) and Strobe, and is rather minimalist in terms of cryptography since it requires only an elliptic curve in Montgomery form and a cryptographic permutation as basic building blocks. In this paper, we present IoTDisco, an optimized implementation of the Disco protocol for 16-bit TI MSP430 microcontrollers. IoTDisco is based on David Wong’s EmbeddedDisco software and contains hand-written Assembly code for the prime-field arithmetic of Curve25519. However, we decided to replace the Keccak permutation of EmbeddedDisco by Xoodoo to reduce both the binary code size and RAM footprint. The experiments we conducted on a Zolertia Z1 device (equipped with a MSP430F2617 microcontroller) show that IoTDisco is able to perform the computational part of a full Noise NK handshake in 26.2 million clock cycles, i.e., 1.64 s when the MSP430 is clocked at 16 MHz. IoTDisco’s RAM footprint amounts to 1.4 kB, which is less than 17% of the overall RAM capacity (8 kB) of the Zolertia Z1.

Notes

  1. Depending on the application, signatures (e.g., in the form of certificates) may still be necessary to confirm a cryptographically-secure binding between a static public key and the identity of an entity. However, in such a case, a Noise-based protocol has to support only signature verification, but not the signing operation. Note that the provision of evidence for the binding of an identity to a static public key is outside the scope of the Noise specification. More concretely, [25, Sect. 14] states that “it is up to the application to determine whether the remote party’s static public key is acceptable.” Sect. 14 of [25] also outlines some methods to ensure a static public key is genuine and trustworthy: certificates (which may be passed in a handshake payload), pre-configured lists of public keys, or pinning/key-continuity approaches where parties remember the public keys they encounter.
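The footnote leaves the "is this static public key acceptable?" decision to the application. The following C code is an added example (not from the paper and not part of EmbeddedDisco) of what that application-level check can look like on a constrained node: it combines two of the methods named above, a pre-configured allowlist of public keys and a key-continuity (pin-on-first-contact) table, and fails closed whenever neither applies. The allowlist entry, the peer identifiers, the fixed table size and the `make_test_key` helper are constructed for illustration; none of the byte strings are real Curve25519 keys.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN     32   /* a Curve25519 public key is 32 bytes */
#define MAX_PINS     4   /* fixed-size table: no heap, fits a constrained node (assumed size) */
#define PEER_ID_LEN 16   /* application-level peer identifier, e.g. a node name (assumed) */

enum key_verdict {
    KEY_ACCEPT_ALLOWLIST,    /* key is in the pre-configured list */
    KEY_ACCEPT_PINNED_NEW,   /* first contact: key pinned for this peer */
    KEY_ACCEPT_PINNED_MATCH, /* key equals the one pinned earlier for this peer */
    KEY_REJECT_MISMATCH,     /* peer presented a different key than the pinned one */
    KEY_REJECT_UNKNOWN       /* unknown key and pinning not permitted, or table full */
};

struct pin_entry {
    int     used;
    char    peer[PEER_ID_LEN];
    uint8_t key[KEY_LEN];
};

struct pin_store {
    struct pin_entry entries[MAX_PINS];
};

/* Constructed placeholder allowlist (NOT a real key). In a deployment the keys
 * provisioned at commissioning time would live here, in non-volatile memory. */
static const uint8_t ALLOWLIST[1][KEY_LEN] = {
    { 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3,
      0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3, 0xC3 }
};

/* Compare two keys without an early exit, so the decision does not reveal
 * through timing which byte differed. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

int key_in_allowlist(const uint8_t key[KEY_LEN])
{
    int found = 0;
    for (size_t i = 0; i < sizeof ALLOWLIST / sizeof ALLOWLIST[0]; i++)
        found |= ct_equal(ALLOWLIST[i], key, KEY_LEN);
    return found;
}

void pin_store_init(struct pin_store *s) { memset(s, 0, sizeof *s); }

enum key_verdict check_static_key(struct pin_store *s, const char *peer,
                                  const uint8_t key[KEY_LEN], int allow_tofu)
{
    /* 1. Pre-configured list: strongest evidence, needs no per-peer state. */
    if (key_in_allowlist(key))
        return KEY_ACCEPT_ALLOWLIST;

    /* 2. Key continuity: a key already pinned for this peer must match exactly. */
    for (int i = 0; i < MAX_PINS; i++) {
        struct pin_entry *e = &s->entries[i];
        if (e->used && strncmp(e->peer, peer, PEER_ID_LEN) == 0)
            return ct_equal(e->key, key, KEY_LEN) ? KEY_ACCEPT_PINNED_MATCH
                                                 : KEY_REJECT_MISMATCH;
    }

    /* 3. Unknown peer: pin on first use only when the application permits it
     *    (e.g. inside a commissioning window); otherwise refuse. */
    if (!allow_tofu)
        return KEY_REJECT_UNKNOWN;
    for (int i = 0; i < MAX_PINS; i++) {
        struct pin_entry *e = &s->entries[i];
        if (!e->used) {
            e->used = 1;
            strncpy(e->peer, peer, PEER_ID_LEN - 1);
            e->peer[PEER_ID_LEN - 1] = '\0';
            memcpy(e->key, key, KEY_LEN);
            return KEY_ACCEPT_PINNED_NEW;
        }
    }
    return KEY_REJECT_UNKNOWN; /* table full: fail closed rather than accept */
}

/* Constructed test key (not a real Curve25519 point); seed only varies the bytes. */
void make_test_key(uint8_t key[KEY_LEN], uint8_t seed)
{
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(seed + 7 * i);
}

int main(void)
{
    struct pin_store s;
    uint8_t k1[KEY_LEN], k2[KEY_LEN];
    pin_store_init(&s);
    make_test_key(k1, 0xA5);
    make_test_key(k2, 0x5A);
    printf("first contact   : %d\n", check_static_key(&s, "sensor-7", k1, 1));
    printf("same key again  : %d\n", check_static_key(&s, "sensor-7", k1, 1));
    printf("changed key     : %d\n", check_static_key(&s, "sensor-7", k2, 1));
    printf("unknown, no TOFU: %d\n", check_static_key(&s, "sensor-8", k2, 0));
    printf("allowlisted key : %d\n", check_static_key(&s, "gateway", ALLOWLIST[0], 0));
    return 0;
}
```

The ordering matters for the security argument: the allowlist is consulted first because it needs no trust-on-first-use assumption, a pinned key is then compared in constant time, and a changed key for a known peer is rejected rather than silently re-pinned. Whether `allow_tofu` is ever set outside a commissioning window is the policy decision the Noise specification leaves to the application.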

References

  1. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.: On the security of RC4 in TLS. In: King, S.T. (ed.) Proceedings of the 22nd USENIX Security Symposium (USS 2013), pp. 305–320. USENIX Association (2013)

  2. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14

  3. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_26

  4. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)

  5. Bernstein, D.J., van Gastel, B., Janssen, W., Lange, T., Schwabe, P., Smetsers, S.: TweetNaCl: a crypto library in 100 tweets. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 64–83. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_4

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, version 3.0 (2011). http://keccak.team/files/Keccak-reference-3.0.pdf

  7. Bormann, C., Ersue, M., Keranen, A.: Terminology for constrained-node networks. IETF, Light-Weight Implementation Guidance Working Group, RFC 7228 (2014)

  8. Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8(3), 227–240 (2018)

  9. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodyak, a lightweight cryptographic scheme. IACR Trans. Symmetric Cryptol. 2020(S1), 60–87 (2020)

  10. Düll, M., et al.: High-speed Curve25519 on 8-bit, 16-bit and 32-bit microcontrollers. Des. Codes Crypt. 77(2–3), 493–514 (2015)

  11. Durumeric, Z., et al.: The matter of Heartbleed. In: Williamson, C., Akella, A., Taft, N. (eds.) Proceedings of the 14th Internet Measurement Conference (IMC 2014), pp. 475–488. ACM (2014)

  12. Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013), pp. 387–398. ACM (2013)

  13. Guha Sarkar, P., Fitzgerald, S.: Attacks on SSL: a comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky 13 & RC4 biases. Technical report, iSEC Partners Inc. (Part of NCC Group) (2013). http://www.nccgroup.com/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf

  14. Hamburg, M.: The STROBE protocol framework. Cryptology ePrint Archive, Report 2017/003 (2017). http://eprint.iacr.org

  15. Hankerson, D.R., Menezes, A.J., Vanstone, S.A.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004). https://doi.org/10.1007/b97644

  16. Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_20

  17. Hristozov, S., Huber, M., Xu, L., Fietz, J., Liess, M., Sigl, G.: The cost of OSCORE and EDHOC for constrained devices. In: Joshi, A., Carminati, B., Verma, R.M. (eds.) Proceedings of the 11th ACM Conference on Data and Application Security and Privacy (CODASPY 2021), pp. 245–250. ACM (2021)

  18. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24

  19. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1

  20. Law, L., Menezes, A., Qu, M., Solinas, J.A., Vanstone, S.A.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)

  21. Liu, Z., Großschädl, J., Li, L., Xu, Q.: Energy-efficient elliptic curve cryptography for MSP430-based wireless sensor nodes. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9722, pp. 94–112. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40253-6_6

  22. Menezes, A.J., Stebila, D.: End-to-end security: when do we have it? IEEE Secur. Priv. 19(4), 60–64 (2021)

  23. Moskowitz, R., Hummen, R., Komu, M.: HIP Diet EXchange (DEX). IETF, Internet draft draft-ietf-hip-dex-24 (2021)

  24. Nie, P., Vähä-Herttua, J., Aura, T., Gurtov, A.V.: Performance analysis of HIP diet exchange for WSN security establishment. In: Chen, H., Ben-Othman, J., Cesana, M. (eds.) Proceedings of the 7th ACM Symposium on QoS and Security for Wireless and Mobile Networks (Q2SWinet 2011), pp. 51–56. ACM (2011)

  25. Perrin, T.: The Noise protocol framework (revision 34). Specification (2018). http://noiseprotocol.org/noise.pdf

  26. Rescorla, E.K.: The transport layer security (TLS) protocol version 1.3. IETF, Network Working Group, RFC 8446 (2018)

  27. Restuccia, G., Tschofenig, H., Baccelli, E.: Low-power IoT communication security: on the performance of DTLS and TLS 1.3. In: Proceedings of the 9th IFIP International Conference on Performance Evaluation and Modeling in Wireless Networks (PEMWN 2020), pp. 1–6. IEEE (2020)

  28. Selander, G., Preuß Mattsson, J., Palombini, F.: Ephemeral Diffie-Hellman over COSE (EDHOC). IETF, Internet draft draft-ietf-lake-edhoc-22 (2023)

  29. Stallings, W.: Cryptography and Network Security: Principles and Practice, 7th edn. Pearson (2016)

  30. Texas Instruments Inc: MSP430x2xx Family User’s Guide (Rev. J). Manual (2013). http://www.ti.com/lit/ug/slau144j/slau144j.pdf

  31. The OpenSSL Project: OpenSSL: Cryptography and SSL/TLS Toolkit (2021). http://www.openssl.org

  32. WhatsApp LLC: WhatsApp encryption overview. Technical white paper (2020). http://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

  33. Wong, D.: Noise extension: disco (revision 6). Specification (2018). http://www.discocrypto.com/disco.pdf

  34. Wong, D.: Disco: modern session encryption. Cryptology ePrint Archive, Report 2019/180 (2019). http://eprint.iacr.org

  35. Wong, D.: EmbeddedDisco (2020). http://embeddeddisco.com

Corresponding author: Hao Cheng

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Cheng, H., Fotiadis, G., Großschädl, J., Ryan, P.Y.A. (2024). IoTDisco: Strong yet Lightweight End-to-End Security for the Internet of Constrained Things. In: Bouzefrane, S., Banerjee, S., Mourlin, F., Boumerdassi, S., Renault, É. (eds) Mobile, Secure, and Programmable Networking. MSPN 2023. Lecture Notes in Computer Science, vol 14482. Springer, Cham. https://doi.org/10.1007/978-3-031-52426-4_1

  • DOI: https://doi.org/10.1007/978-3-031-52426-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-52425-7

  • Online ISBN: 978-3-031-52426-4
