Triathlon of lightweight block ciphers for the Internet of things

  • Daniel Dinu
  • Yann Le Corre
  • Dmitry Khovratovich
  • Léo Perrin
  • Johann Großschädl
  • Alex Biryukov
Regular Paper

Abstract

In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well as binary code size, and allows one to define a custom “figure of merit” according to which all evaluated candidates can be ranked. We used the framework to benchmark implementations of 19 lightweight ciphers, namely AES, Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, on three microcontroller platforms: 8-bit AVR, 16-bit MSP430, and 32-bit ARM. Our results bring some new insights into the question of how well these lightweight ciphers are suited to secure the Internet of things. The benchmarking framework provides cipher designers with an easy-to-use tool to compare new algorithms with the state of the art and allows standardization organizations to conduct a fair and consistent evaluation of a large number of candidates.

Keywords

IoT, Lightweight cryptography, Block ciphers, Evaluation framework, Benchmarking

Notes

Acknowledgements

We thank all contributors listed at http://www.cryptolux.org/index.php/FELICS_Contributors for the submitted implementations and their support for a fair evaluation of lightweight block ciphers. Daniel Dinu and Léo Perrin were supported by the CORE project ACRYPT (ID C12-15-4009992), funded by the Fonds National de la Recherche (FNR) Luxembourg.

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  • Daniel Dinu (1)
  • Yann Le Corre (1)
  • Dmitry Khovratovich (1)
  • Léo Perrin (1)
  • Johann Großschädl (1)
  • Alex Biryukov (1)

  1. SnT and CSC, University of Luxembourg, Maison du Nombre, Esch-sur-Alzette, Luxembourg
