In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well as binary code size, and allows one to define a custom “figure of merit” according to which all evaluated candidates can be ranked. We used the framework to benchmark implementations of 19 lightweight ciphers, namely AES, Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, on three microcontroller platforms: 8-bit AVR, 16-bit MSP430, and 32-bit ARM. Our results bring some new insights into the question of how well these lightweight ciphers are suited to secure the Internet of things. The benchmarking framework provides cipher designers with an easy-to-use tool to compare new algorithms with the state of the art and allows standardization organizations to conduct a fair and consistent evaluation of a large number of candidates.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
The main reason for evaluating the execution time for ARM on a development board is that we could not find a cycle-accurate Cortex-M instruction set simulator of good quality that is freely available.
The maintainers of the BLOC project merged our pull request on GitHub that fixed the mentioned issues, see http://github.com/kmarquet/bloc/pull/2.
All results reported in this paper are based on version 1.1.20 of the FELICS framework, which can be downloaded from http://www.cryptolux.org/index.php/File:FELICS.zip.
One can get a rough estimate of the energy consumption by simply forming the product of execution time, average power consumption of the target processor, and supply voltage. More accurate energy figures could be obtained by extending the framework to support power measurements on microprocessor development boards.
Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçin, T.: Block ciphers–focus on the linear layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) Advances in Cryptology–CRYPTO 2014, Volume 8616 of Lecture Notes in Computer Science, pp. 57–76. Springer, Berlin (2014)
Arduino Due, Arduino.: Specification. http://store.arduino.cc/arduino-due (2015). Accessed 4 Apr 2017
ARM Limited. An Introduction to the ARM Cortex-M3 Processor. White paper, http://www.arm.com/ja/files/pdf/IntroToCortex-M3.pdf (2006). Accessed 4 Apr 2017
Atmel Corporation. 8-bit AVR Microcontroller with 128K Bytes In-System Programmable Flash: ATmega128, ATmega128L. Datasheet, http://www.atmel.com/images/doc2467.pdf (2008). Accessed 4 Apr 2017
Atzori, L., Iera, A., Morabito, G.: The internet of things: a survey. Comput. Netw. 54(15), 2787–2805 (2010)
Baysal, A., Sahin, S.: RoadRunneR: a small and fast bitslice block cipher for low cost 8-bit processors. In: Güneysu, T., Leander, G., Moradi, A. (eds.) Lightweight Cryptography for Security and Privacy—LightSec 2015, Volume 9542 of Lecture Notes in Computer Science, pp. 58–76. Springer, Berlin (2016)
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013)
Beer, D.: MSPDebug: Debugging Tool for MSP430 MCUs. http://dlbeer.co.nz/mspdebug (2015). Accessed 4 Apr 2017
Bernstein, D.J., Lange, T.: eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to (2015). Accessed 4 Apr 2017
Biryukov, A., Kushilevitz, E.: Improved cryptanalysis of RC5. In: Nyberg, K. (ed.) Advances in Cryptology—EUROCRYPT ’98, Volume 1403 of Lecture Notes in Computer Science, pp. 85–99. Springer, Berlin (1998)
Blondeau, C., Nyberg, K.: Links between truncated differential and multidimensional linear properties of block ciphers and underlying attack complexities. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptologypages—EUROCRYPT 2014, Volume 8441 of Lecture Notes in Computer Science, pp. 165–182. Springer, Berlin (2014)
Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J., Seurin, Y., Vikkelsoe, C.H.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2007, Volume 4727 of Lecture Notes in Computer Science, pp. 450–466. Springer, Berlin (2007)
Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçin, T.: PRINCE—A low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) Advances in Cryptology—ASIACRYPT 2012, Volume 7658 of Lecture Notes in Computer Science, pp. 208–225. Springer, Berlin (2012)
Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology—ASIACRYPT 2014, Volume 8873 of Lecture Notes in Computer Science, pp. 179–199. Springer, Berlin (2014)
Canteaut, A., Fuhr, T., Gilbert, H., Naya-Plasencia, M., Reinhard, J.-R.: Multiple differential cryptanalysis of round-reduced PRINCE. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption—FSE 2014, Volume 8540 of Lecture Notes in Computer Science, pp. 591–610. Springer, Berlin (2015)
Cazorla, M., Gourgeon, S., Marquet, K., Minier, M.: Implementations of lightweight block ciphers on a WSN430 sensor. http://bloc.project.citi-lab.fr/library.html (2015). Accessed 4 Apr 2017
Cazorla, M., Marquet, K., Minier, M.: Survey and benchmark of lightweight block ciphers for wireless sensor networks. In: Samarati, P. (ed.) Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), pp. 543–548. SciTePress, Setúbal (2013)
Chen, H., Wang, X.: Improved linear hull attack on round-reduced Simon with dynamic key-guessing techniques. Cryptology ePrint Archive, Report 2015/666 (2015)
CryptoLUX Team. FELICS: Fair Evaluation of Lightweight Cryptographic Systems. http://www.cryptolux.org/index.php/FELICS (2016). Accessed 4 Apr 2017
Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie proposal: NOEKEON. Specification, http://gro.noekeon.org/Noekeon-spec.pdf (2000). Accessed 4 Apr 2017
Daemen, J., Rijmen, V.: The Design of Rijndael: AES—the Advanced Encryption Standard. Springer, Berlin (2002)
Derbez, P., Fouque, P.-A.: Exhausting Demirci–Selçuk meet-in-the-middle attacks against reduced-round AES. In: Moriai, S. (ed.) Fast Software Encryption—FSE 2013, Volume 8424 of Lecture Notes in Computer Science, pp. 541–560. Springer, Berlin (2013)
Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: Cheon, J.H., Takagi, T. (eds.) Advances in Cryptology—ASIACRYPT 2016, Volume 10031 of Lecture Notes in Computer Science, pp. 484–513. Springer, Berlin (2016)
Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full AES2. In: Sako, K., Sarkar, P. (eds.) Advances in Cryptology—ASIACRYPT 2013, Volume 8269 of Lecture Notes in Computer Science, pp. 337–356. Springer, Berlin (2013)
Eisenbarth, T., Gong, Z., Güneysu, T., Heyse, S., Indesteege, S., Kerckhof, S., Koeune, F., Nad, T., Plos, T., Regazzoni, F., Standaert, F.-X., van Oldeneel tot Oldenzeel, L.: Compact implementation and performance evaluation of block ciphers in ATtiny devices. In: Mitrokotsa, A., Vaudenay, S. (eds.) Progress in Cryptology—AFRICACRYPT 2012, Volume 7374 of Lecture Notes in Computer Science, pp. 172–187. Springer, Berlin (2012)
Eisenbarth, T., Kumar, S.S., Paar, C., Poschmann, A., Uhsadel, L.: A survey of lightweight-cryptography implementations. IEEE Des. Test Comput. 24(6), 522–533 (2007)
European Network of Excellence in Cryptology (ECRYPT II). Implementations of Low Cost Block Ciphers in Atmel AVR Devices. http://perso.uclouvain.be/fstandae/source_codes/lightweight_ciphers (2015). Accessed 4 Apr 2017
Evans, D.: The Internet of Things: How the Next Evolution of the Internet is Changing Everything. Cisco IBSG white paper, http://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf (2011). Accessed 4 Apr 2017
Feldhofer, M., Dominikus, S., Wolkerstorfer, J.: Strong authentication for RFID systems using the AES algorithm. In: Joye, M., Quisquater, J.-J. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2004, Volume 3156 of Lecture Notes in Computer Science, pp. 357–370. Springer, Berlin (2004)
Gligor, V.D.: Light-weight cryptography—How light is light? Keynote presentation at the Information Security Summer School, Florida State University. Slide deck, http://www.sait.fsu.edu/conferences/2005/is3/resources/slides/gligorv-cryptolite.ppt (2005). Accessed 4 Apr 2017
Grosso, V., Leurent, G., Standaert, F.-X., Varici, K.: LS-designs: Bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption—FSE 2014, Volume 8540 of Lecture Notes in Computer Science, pp. 18–37. Springer, Berlin (2015)
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems–CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 326–341. Springer, Berlin (2011)
Han, B., Lee, H., Jeong, H., Won, Y.: The HIGHT Encryption Algorithm. Internet Engineering Task Force, Network Working Group, Internet draft draft-kisa-hight-00 (work in progress) (2011)
Hong, D., Lee, J.-K., Kim, D.-C., Kwon, D., Ryu, K.H., Lee, D.: LEA: a 128-bit block cipher for fast encryption on common processors. In: Kim, Y., Lee, H., Perrig, A. (eds.) Information Security Applications—WISA 2013, Volume 8267 of Lecture Notes in Computer Science, pp. 3–27. Springer, Berlin (2013)
Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B., Lee, C., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J., Chee, S.: HIGHT: a new block cipher suitable for low-resource device. In: Goubin, L., Matsui, M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2006, Volume 4249 of Lecture Notes in Computer Science, pp. 46–59. Springer, Berlin (2006)
IEEE Standards Association. IEEE 802.15.4-2015–IEEE Standard for Low-Rate Wireless Networks. http://standards.ieee.org/findstds/standard/802.15.4-2015.html (2015). Accessed 4 Apr 2017
Journault, A., Standaert, F.-X., Varici, K.: Improving the security and efficiency of block ciphers based on LS-designs. Des. Codes Cryptogr. 82(1–2), 495–509 (2017)
Khoo, K., Peyrin, T., Poschmann, A.Y., Yap, H.: FOAM: Searching for hardware-optimal SPN structures and components with a fair comparison. In: Batina, L., Robshaw, M.J. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2014, Volume 8731 of Lecture Notes in Computer Science, pp. 433–450. Springer, Berlin (2014)
Leander, G., Minaud, B., Rønjom, S.: A generic approach to invariant subspace attacks: Cryptanalysis of Robin, iSCREAM and Zorro. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology—EUROCRYPT 2015, Volume 9056 of Lecture Notes in Computer Science, pp. 254–283. Springer, Berlin (2015)
Leurent, G.: Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning. In: Fischlin, M., Coron, J.-S. (eds.) Advances in Cryptology—EUROCRYPT 2016, Volume 9665 of Lecture Notes in Computer Science, pp. 344–371. Springer, Berlin (2016)
Mendel, F., Rijmen, V., Toz, D., Varici, K.: Differential analysis of the LED block cipher. In: Wang, X., Sako, K. (eds.) Advances in Cryptology—ASIACRYPT 2012, Volume 7658 of Lecture Notes in Computer Science, pp. 190–207. Springer, Berlin (2012)
Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A.M. (eds.) Selected Areas in Cryptography—SAC 2014, Volume 8781 of Lecture Notes in Computer Science, pp. 306–323. Springer, Berlin (2014)
National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES). FIPS Publication 197, http://nvlpubs.nist.gov/nistpubs/fips/nist.fips.197.pdf (2001). Accessed 4 Apr 2017
National Institute of Standards and Technology (NIST). Lightweight Cryptography Project. http://csrc.nist.gov/projects/lightweight-cryptography (2016). Accessed 4 Apr 2017
National Institute of Standards and Technology (NIST). SHA-3 Project. http://csrc.nist.gov/projects/hash-functions/sha-3-project (2016). Accessed 4 Apr 2017
Özen, O., Varici, K., Tezcan, C., Kocair, Ç.: Lightweight block ciphers revisited: cryptanalysis of reduced round PRESENT and HIGHT. In: Boyd, C., Nieto, J.G. (eds.) Information Security and Privacy—ACISP 2009, Volume 5594 of Lecture Notes in Computer Science, pp. 90–107. Springer, Berlin (2009)
Perrig, A., Szewczyk, R., Tygar, J.D., Wen, V., Culler, D.E.: SPINS: security protocols for sensor networks. Wirel. Netw. 8(5), 521–534 (2002)
Rivest, R.L.: The RC5 encryption algorithm. In: Preneel, B. (ed.) Fast Software Encryption—FSE ’94, Volume 1008 of Lecture Notes in Computer Science, pp. 86–96. Springer, Berlin (1995)
Schwabe, P., Stoffelen, K.: All the AES you need on Cortex-M3 and M4. In: Avanzi, R.M., Heys, H.M. (eds.) Selected Areas in Cryptography—SAC 2016, Volume 10532 of Lecture Notes in Computer Science, pp. 180–194. Springer, Berlin (2017)
Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2011, Volume 6917 of Lecture Notes in Computer Science, pp. 342–357. Springer, Berlin (2011)
Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. Cryptology ePrint Archive, Report 2016/209 (2016)
Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A lightweight, versatile block cipher. In Leander, G., Standaert, F.-X. (eds.) Proceedings of the 1st ECRYPT Workshop on Lightweight Cryptography, pp. 146–169 (2011)
Texas Instruments. MSP430x1xxx Family User’s Guide. http://www.ti.com/lit/ug/slau049f/slau049f.pdf (2006). Accessed 4 Apr 2017
Titzer, B.L., Lee, D.K., Palsberg, J.: Avrora: scalable sensor network simulation with precise timing. In: Vetterli, M., Yao, K. (eds.) Proceedings of the 4th International Symposium on Information Processing in Sensor Networks (IPSN 2005), pp. 477–482. IEEE (2005)
Titzer, B.L., Lee, D.K., Palsberg, J.: Avrora: the AVR simulation and analysis framework. http://compilers.cs.ucla.edu/avrora (2005). Accessed 4 Apr 2017
Wang, Y., Wu, W.: Improved multidimensional zero-correlation linear cryptanalysis and applications to LBlock and TWINE. In: Susilo, W., Mu, Y. (eds.) Information Security and Privacy—ACISP 2014, Volume 8544 of Lecture Notes in Computer Science. Springer, Berlin (2014)
Wenzel-Benner, C., Gräf, J.: XBX: eXternal Benchmarking eXtension for the SUPERCOP crypto benchmarking framework. In: Mangard, S., Standaert, F.-X. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2010, Volume 6225 of Lecture Notes in Computer Science, pp. 294–305. Springer, Berlin (2010)
Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: López, J., Tsudik, G. (eds.) Applied Cryptography and Network Security—ACNS 2011, Volume 6715 of Lecture Notes in Computer Science, pp. 327–344. Springer, Berlin (2011)
Yang, Q., Hu, L., Sun, S., Qiao, K., Song, L., Shan, J., Ma, X.: Improved differential analysis of block cipher PRIDE. In: López, J., Wu, Y. (eds.) Information Security Practice and Experience—ISPEC 2015, Volume 9065 of Lecture Notes in Computer Science, pp. 209–219. Springer, Berlin (2015)
Yang, Q., Hu, L., Sun, S., Song, L.: Extension of meet-in-the-middle technique for truncated differential and its application to RoadRunneR. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds.) Network and System Security—NSS 2016, Volume 9955 of Lecture Notes in Computer Science, pp. 398–411. Springer, Berlin (2016)
Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015)
ZigBee Alliance. ZigBee Wireless Standard. http://www.zigbee.org (2015). Accessed 4 Apr 2017
We thank all contributors listed at http://www.cryptolux.org/index.php/FELICS_Contributors for the submitted implementations and their support for a fair evaluation of lightweight block ciphers. Daniel Dinu and Léo Perrin were supported by the CORE project ACRYPT (ID C12-15-4009992), funded by the Fonds National de la Recherche (FNR) Luxembourg.
8-bit AVR ATmega128 microcontroller
The ATmega128  microcontroller developed by Atmel is based on an 8-bit RISC architecture and provides 133 instructions, which are encoded to be either 16 or 32 bits wide. Most of the instructions are executed in only one or two clock cycles. The ATmega128 features a two-stage pipeline, making it possible to execute an instruction while the next instruction is fetched from program memory. In addition, it comes with a relatively large register file consisting of 32 general-purpose registers (R0 to R31) of 8-bit width. Six registers can be used as three 16-bit pointers (X, Y, and Z) to access the data space. All 32 registers are directly connected to the arithmetic logic unit (ALU). The standard ALU instructions have a two-address format, which allows them to read two 8-bit operand words from two independent registers and write the result of the operation back to one of them. Like other members of the 8-bit AVR family, the ATmega128 uses a Harvard architecture (i.e., separate memories, buses, and address spaces for program and data) to maximize performance and parallelism. The memory sub-system includes 128 kB of flash (for storing program code), 4 kB of SRAM, and 4 kB of EEPROM.
16-bit MSP430F1611 microcontroller
The MSP430F1611  is a 16-bit microcontroller from Texas Instruments that contains a RISC CPU optimized for ultra-low power consumption and various peripheral modules. A distinguishing feature of the MSP430 architecture is its minimalist instruction set comprising only 27 core instructions and 24 emulated instructions. The length of an instruction can vary between one and three 16-bit words, i.e., between two and six bytes. Depending on the instruction format, the 27 core instructions fall into three categories: double-operand instructions (which overwrite one of the two operands with the result), single-operand instructions, and jumps. The MSP430 instruction set is highly orthogonal and supports seven addressing modes for the source operand and four addressing modes for the destination operand. Depending on the used addressing modes, double-operand instructions have a latency of between one clock cycle (when source and destination operands are held in registers) and six clock cycles (operands are in RAM or flash). There are 16 registers, of which four, namely R0 to R3, serve a special purpose. The von Neumann memory system of the MSP430F1611 consists of 10 kB RAM and 48 kB flash.
32-bit ARM Cortex-M3 microcontroller
The Cortex-M3 is a member of the ARM Cortex-M series of 32-bit microcontrollers that was specifically designed to achieve high system performance in power- and cost-sensitive embedded applications . It is based on the ARMv7-M architecture and supports Thumb-2 technology, which extends the 16-bit fixed-width Thumb instruction set with some additional 32-bit ARM instructions, whereby 16-bit and 32-bit instructions can be freely intermixed. Data processing instructions have a conventional three-address format that allows the target register to be distinct from the two source operands. The first operand must always be one of the 13 general-purpose 32-bit registers, while the second operand can be a register, an immediate value, or a register with an optional shift. Many instructions can be executed conditionally, based on condition flags set by another instruction. Cortex-M3 microcontrollers incorporate a Harvard architecture (enabling simultaneous instruction fetch with data load/store) and have a three-stage pipeline with branch speculation. The specific Cortex-M3 device we use for benchmarking is an Arduino Due board equipped with an Atmel SAM3X8 that features 512 kB flash and 96 kB RAM.
API and implementation requirements
To unify evaluation conditions, our framework imposes some requirements on the implementation of a block cipher. Firstly, basic operations must be performed by functions having the following C prototypes.
void RunEncryptionKeySchedule(uint8_t *key, uint8_t *roundKeys);
void Encrypt(uint8_t *block, uint8_t
void RunDecryptionKeySchedule(uint8_t *key, uint8_t *roundKeys);
void Decrypt(uint8_t *block, uint8_t *roundKeys);
Each of the above functions should be implemented in its own C file. If the cipher key schedule is the same for encryption and decryption then only the encryption key schedule function has to be implemented. The framework takes a common key schedule into account when computing the different metrics. Secondly, all other common code sections should be placed in separate functions to reduce the overall code size. The implementer needs to add the names of the common files to the implementation info file, which gets parsed by the framework when extracting the three metrics for the implementation. Thirdly, the implementer has to choose whether the constants used by the cipher should be stored in flash/ROM or RAM. However, this flexibility comes at the expense that the implementer has to define and use a dedicated macro to read the constant value(s). Fourthly, the block size used by the implementation must be a multiple of 64 bits.
While these requirements guarantee the same evaluation conditions for an accurate assessment of the performance of a block cipher in various different evaluation scenarios, they limit the applicability of some optimization techniques like bit-slicing. Even though bit-sliced implementations can be very fast, they have the disadvantage of high memory consumption and can only be used in non-feedback modes of operation (e.g., CTR mode). However, the performance of a cipher implementation in such (highly) specific settings does not say anything about the cipher’s performance in more general usage scenarios, which is what we are mainly interested in and our framework was designed for. The benchmarking toolsuite is able to verify the compliance with the formulated requirements and to check the correctness of an implementation with the help of test vectors. Since the metrics extraction process is completely automated, the toolsuite is easy to use, even for beginners with little experience.
About this article
Cite this article
Dinu, D., Corre, Y.L., Khovratovich, D. et al. Triathlon of lightweight block ciphers for the Internet of things. J Cryptogr Eng 9, 283–302 (2019). https://doi.org/10.1007/s13389-018-0193-x
- Lightweight cryptography
- Block ciphers
- Evaluation framework