Skip to main content
SpringerLink
Log in

Triathlon of lightweight block ciphers for the Internet of things

  • Regular Paper
  • Published:
Journal of Cryptographic Engineering Aims and scope Submit manuscript

Abstract

In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well as binary code size, and allows one to define a custom “figure of merit” according to which all evaluated candidates can be ranked. We used the framework to benchmark implementations of 19 lightweight ciphers, namely AES, Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, on three microcontroller platforms: 8-bit AVR, 16-bit MSP430, and 32-bit ARM. Our results bring some new insights into the question of how well these lightweight ciphers are suited to secure the Internet of things. The benchmarking framework provides cipher designers with an easy-to-use tool to compare new algorithms with the state of the art and allows standardization organizations to conduct a fair and consistent evaluation of a large number of candidates.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. The main reason for evaluating the execution time for ARM on a development board is that we could not find a cycle-accurate Cortex-M instruction set simulator of good quality that is freely available.

  2. The maintainers of the BLOC project merged our pull request on GitHub that fixed the mentioned issues, see http://github.com/kmarquet/bloc/pull/2.

  3. All results reported in this paper are based on version 1.1.20 of the FELICS framework, which can be downloaded from http://www.cryptolux.org/index.php/File:FELICS.zip.

  4. One can get a rough estimate of the energy consumption by simply forming the product of execution time, average power consumption of the target processor, and supply voltage. More accurate energy figures could be obtained by extending the framework to support power measurements on microprocessor development boards.

References

  1. Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçin, T.: Block ciphers–focus on the linear layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) Advances in Cryptology–CRYPTO 2014, Volume 8616 of Lecture Notes in Computer Science, pp. 57–76. Springer, Berlin (2014)

    Google Scholar 

  2. Arduino Due, Arduino.: Specification. http://store.arduino.cc/arduino-due (2015). Accessed 4 Apr 2017

  3. ARM Limited. An Introduction to the ARM Cortex-M3 Processor. White paper, http://www.arm.com/ja/files/pdf/IntroToCortex-M3.pdf (2006). Accessed 4 Apr 2017

  4. Atmel Corporation. 8-bit AVR Microcontroller with 128K Bytes In-System Programmable Flash: ATmega128, ATmega128L. Datasheet, http://www.atmel.com/images/doc2467.pdf (2008). Accessed 4 Apr 2017

  5. Atzori, L., Iera, A., Morabito, G.: The internet of things: a survey. Comput. Netw. 54(15), 2787–2805 (2010)

    Article  MATH  Google Scholar 

  6. Baysal, A., Sahin, S.: RoadRunneR: a small and fast bitslice block cipher for low cost 8-bit processors. In: Güneysu, T., Leander, G., Moradi, A. (eds.) Lightweight Cryptography for Security and Privacy—LightSec 2015, Volume 9542 of Lecture Notes in Computer Science, pp. 58–76. Springer, Berlin (2016)

    Google Scholar 

  7. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013)

  8. Beer, D.: MSPDebug: Debugging Tool for MSP430 MCUs. http://dlbeer.co.nz/mspdebug (2015). Accessed 4 Apr 2017

  9. Bernstein, D.J., Lange, T.: eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to (2015). Accessed 4 Apr 2017

  10. Biryukov, A., Kushilevitz, E.: Improved cryptanalysis of RC5. In: Nyberg, K. (ed.) Advances in Cryptology—EUROCRYPT ’98, Volume 1403 of Lecture Notes in Computer Science, pp. 85–99. Springer, Berlin (1998)

    Google Scholar 

  11. Blondeau, C., Nyberg, K.: Links between truncated differential and multidimensional linear properties of block ciphers and underlying attack complexities. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptologypages—EUROCRYPT 2014, Volume 8441 of Lecture Notes in Computer Science, pp. 165–182. Springer, Berlin (2014)

    Google Scholar 

  12. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J., Seurin, Y., Vikkelsoe, C.H.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2007, Volume 4727 of Lecture Notes in Computer Science, pp. 450–466. Springer, Berlin (2007)

    Google Scholar 

  13. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçin, T.: PRINCE—A low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) Advances in Cryptology—ASIACRYPT 2012, Volume 7658 of Lecture Notes in Computer Science, pp. 208–225. Springer, Berlin (2012)

    Google Scholar 

  14. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology—ASIACRYPT 2014, Volume 8873 of Lecture Notes in Computer Science, pp. 179–199. Springer, Berlin (2014)

    Google Scholar 

  15. Canteaut, A., Fuhr, T., Gilbert, H., Naya-Plasencia, M., Reinhard, J.-R.: Multiple differential cryptanalysis of round-reduced PRINCE. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption—FSE 2014, Volume 8540 of Lecture Notes in Computer Science, pp. 591–610. Springer, Berlin (2015)

    Google Scholar 

  16. Cazorla, M., Gourgeon, S., Marquet, K., Minier, M.: Implementations of lightweight block ciphers on a WSN430 sensor. http://bloc.project.citi-lab.fr/library.html (2015). Accessed 4 Apr 2017

  17. Cazorla, M., Marquet, K., Minier, M.: Survey and benchmark of lightweight block ciphers for wireless sensor networks. In: Samarati, P. (ed.) Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), pp. 543–548. SciTePress, Setúbal (2013)

  18. Chen, H., Wang, X.: Improved linear hull attack on round-reduced Simon with dynamic key-guessing techniques. Cryptology ePrint Archive, Report 2015/666 (2015)

  19. CryptoLUX Team. FELICS: Fair Evaluation of Lightweight Cryptographic Systems. http://www.cryptolux.org/index.php/FELICS (2016). Accessed 4 Apr 2017

  20. Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie proposal: NOEKEON. Specification, http://gro.noekeon.org/Noekeon-spec.pdf (2000). Accessed 4 Apr 2017

  21. Daemen, J., Rijmen, V.: The Design of Rijndael: AES—the Advanced Encryption Standard. Springer, Berlin (2002)

    Book  MATH  Google Scholar 

  22. Derbez, P., Fouque, P.-A.: Exhausting Demirci–Selçuk meet-in-the-middle attacks against reduced-round AES. In: Moriai, S. (ed.) Fast Software Encryption—FSE 2013, Volume 8424 of Lecture Notes in Computer Science, pp. 541–560. Springer, Berlin (2013)

    Google Scholar 

  23. Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: Cheon, J.H., Takagi, T. (eds.) Advances in Cryptology—ASIACRYPT 2016, Volume 10031 of Lecture Notes in Computer Science, pp. 484–513. Springer, Berlin (2016)

    Google Scholar 

  24. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full AES2. In: Sako, K., Sarkar, P. (eds.) Advances in Cryptology—ASIACRYPT 2013, Volume 8269 of Lecture Notes in Computer Science, pp. 337–356. Springer, Berlin (2013)

    Google Scholar 

  25. Eisenbarth, T., Gong, Z., Güneysu, T., Heyse, S., Indesteege, S., Kerckhof, S., Koeune, F., Nad, T., Plos, T., Regazzoni, F., Standaert, F.-X., van Oldeneel tot Oldenzeel, L.: Compact implementation and performance evaluation of block ciphers in ATtiny devices. In: Mitrokotsa, A., Vaudenay, S. (eds.) Progress in Cryptology—AFRICACRYPT 2012, Volume 7374 of Lecture Notes in Computer Science, pp. 172–187. Springer, Berlin (2012)

    Google Scholar 

  26. Eisenbarth, T., Kumar, S.S., Paar, C., Poschmann, A., Uhsadel, L.: A survey of lightweight-cryptography implementations. IEEE Des. Test Comput. 24(6), 522–533 (2007)

    Article  Google Scholar 

  27. European Network of Excellence in Cryptology (ECRYPT II). Implementations of Low Cost Block Ciphers in Atmel AVR Devices. http://perso.uclouvain.be/fstandae/source_codes/lightweight_ciphers (2015). Accessed 4 Apr 2017

  28. Evans, D.: The Internet of Things: How the Next Evolution of the Internet is Changing Everything. Cisco IBSG white paper, http://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf (2011). Accessed 4 Apr 2017

  29. Feldhofer, M., Dominikus, S., Wolkerstorfer, J.: Strong authentication for RFID systems using the AES algorithm. In: Joye, M., Quisquater, J.-J. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2004, Volume 3156 of Lecture Notes in Computer Science, pp. 357–370. Springer, Berlin (2004)

    Google Scholar 

  30. Gligor, V.D.: Light-weight cryptography—How light is light? Keynote presentation at the Information Security Summer School, Florida State University. Slide deck, http://www.sait.fsu.edu/conferences/2005/is3/resources/slides/gligorv-cryptolite.ppt (2005). Accessed 4 Apr 2017

  31. Grosso, V., Leurent, G., Standaert, F.-X., Varici, K.: LS-designs: Bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption—FSE 2014, Volume 8540 of Lecture Notes in Computer Science, pp. 18–37. Springer, Berlin (2015)

    Google Scholar 

  32. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems–CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 326–341. Springer, Berlin (2011)

    Chapter  Google Scholar 

  33. Han, B., Lee, H., Jeong, H., Won, Y.: The HIGHT Encryption Algorithm. Internet Engineering Task Force, Network Working Group, Internet draft draft-kisa-hight-00 (work in progress) (2011)

  34. Hong, D., Lee, J.-K., Kim, D.-C., Kwon, D., Ryu, K.H., Lee, D.: LEA: a 128-bit block cipher for fast encryption on common processors. In: Kim, Y., Lee, H., Perrig, A. (eds.) Information Security Applications—WISA 2013, Volume 8267 of Lecture Notes in Computer Science, pp. 3–27. Springer, Berlin (2013)

    Google Scholar 

  35. Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B., Lee, C., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J., Chee, S.: HIGHT: a new block cipher suitable for low-resource device. In: Goubin, L., Matsui, M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2006, Volume 4249 of Lecture Notes in Computer Science, pp. 46–59. Springer, Berlin (2006)

    Google Scholar 

  36. IEEE Standards Association. IEEE 802.15.4-2015–IEEE Standard for Low-Rate Wireless Networks. http://standards.ieee.org/findstds/standard/802.15.4-2015.html (2015). Accessed 4 Apr 2017

  37. Journault, A., Standaert, F.-X., Varici, K.: Improving the security and efficiency of block ciphers based on LS-designs. Des. Codes Cryptogr. 82(1–2), 495–509 (2017)

    Article  MathSciNet  MATH  Google Scholar 

  38. Khoo, K., Peyrin, T., Poschmann, A.Y., Yap, H.: FOAM: Searching for hardware-optimal SPN structures and components with a fair comparison. In: Batina, L., Robshaw, M.J. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2014, Volume 8731 of Lecture Notes in Computer Science, pp. 433–450. Springer, Berlin (2014)

    Google Scholar 

  39. Leander, G., Minaud, B., Rønjom, S.: A generic approach to invariant subspace attacks: Cryptanalysis of Robin, iSCREAM and Zorro. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology—EUROCRYPT 2015, Volume 9056 of Lecture Notes in Computer Science, pp. 254–283. Springer, Berlin (2015)

    Google Scholar 

  40. Leurent, G.: Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning. In: Fischlin, M., Coron, J.-S. (eds.) Advances in Cryptology—EUROCRYPT 2016, Volume 9665 of Lecture Notes in Computer Science, pp. 344–371. Springer, Berlin (2016)

    Google Scholar 

  41. Mendel, F., Rijmen, V., Toz, D., Varici, K.: Differential analysis of the LED block cipher. In: Wang, X., Sako, K. (eds.) Advances in Cryptology—ASIACRYPT 2012, Volume 7658 of Lecture Notes in Computer Science, pp. 190–207. Springer, Berlin (2012)

    Google Scholar 

  42. Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A.M. (eds.) Selected Areas in Cryptography—SAC 2014, Volume 8781 of Lecture Notes in Computer Science, pp. 306–323. Springer, Berlin (2014)

    Google Scholar 

  43. National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES). FIPS Publication 197, http://nvlpubs.nist.gov/nistpubs/fips/nist.fips.197.pdf (2001). Accessed 4 Apr 2017

  44. National Institute of Standards and Technology (NIST). Lightweight Cryptography Project. http://csrc.nist.gov/projects/lightweight-cryptography (2016). Accessed 4 Apr 2017

  45. National Institute of Standards and Technology (NIST). SHA-3 Project. http://csrc.nist.gov/projects/hash-functions/sha-3-project (2016). Accessed 4 Apr 2017

  46. Özen, O., Varici, K., Tezcan, C., Kocair, Ç.: Lightweight block ciphers revisited: cryptanalysis of reduced round PRESENT and HIGHT. In: Boyd, C., Nieto, J.G. (eds.) Information Security and Privacy—ACISP 2009, Volume 5594 of Lecture Notes in Computer Science, pp. 90–107. Springer, Berlin (2009)

    Google Scholar 

  47. Perrig, A., Szewczyk, R., Tygar, J.D., Wen, V., Culler, D.E.: SPINS: security protocols for sensor networks. Wirel. Netw. 8(5), 521–534 (2002)

    Article  MATH  Google Scholar 

  48. Rivest, R.L.: The RC5 encryption algorithm. In: Preneel, B. (ed.) Fast Software Encryption—FSE ’94, Volume 1008 of Lecture Notes in Computer Science, pp. 86–96. Springer, Berlin (1995)

    Google Scholar 

  49. Schwabe, P., Stoffelen, K.: All the AES you need on Cortex-M3 and M4. In: Avanzi, R.M., Heys, H.M. (eds.) Selected Areas in Cryptography—SAC 2016, Volume 10532 of Lecture Notes in Computer Science, pp. 180–194. Springer, Berlin (2017)

    Chapter  Google Scholar 

  50. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2011, Volume 6917 of Lecture Notes in Computer Science, pp. 342–357. Springer, Berlin (2011)

    Google Scholar 

  51. Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. Cryptology ePrint Archive, Report 2016/209 (2016)

  52. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A lightweight, versatile block cipher. In Leander, G., Standaert, F.-X. (eds.) Proceedings of the 1st ECRYPT Workshop on Lightweight Cryptography, pp. 146–169 (2011)

  53. Texas Instruments. MSP430x1xxx Family User’s Guide. http://www.ti.com/lit/ug/slau049f/slau049f.pdf (2006). Accessed 4 Apr 2017

  54. Titzer, B.L., Lee, D.K., Palsberg, J.: Avrora: scalable sensor network simulation with precise timing. In: Vetterli, M., Yao, K. (eds.) Proceedings of the 4th International Symposium on Information Processing in Sensor Networks (IPSN 2005), pp. 477–482. IEEE (2005)

  55. Titzer, B.L., Lee, D.K., Palsberg, J.: Avrora: the AVR simulation and analysis framework. http://compilers.cs.ucla.edu/avrora (2005). Accessed 4 Apr 2017

  56. Wang, Y., Wu, W.: Improved multidimensional zero-correlation linear cryptanalysis and applications to LBlock and TWINE. In: Susilo, W., Mu, Y. (eds.) Information Security and Privacy—ACISP 2014, Volume 8544 of Lecture Notes in Computer Science. Springer, Berlin (2014)

    Google Scholar 

  57. Wenzel-Benner, C., Gräf, J.: XBX: eXternal Benchmarking eXtension for the SUPERCOP crypto benchmarking framework. In: Mangard, S., Standaert, F.-X. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2010, Volume 6225 of Lecture Notes in Computer Science, pp. 294–305. Springer, Berlin (2010)

    Google Scholar 

  58. Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: López, J., Tsudik, G. (eds.) Applied Cryptography and Network Security—ACNS 2011, Volume 6715 of Lecture Notes in Computer Science, pp. 327–344. Springer, Berlin (2011)

    Google Scholar 

  59. Yang, Q., Hu, L., Sun, S., Qiao, K., Song, L., Shan, J., Ma, X.: Improved differential analysis of block cipher PRIDE. In: López, J., Wu, Y. (eds.) Information Security Practice and Experience—ISPEC 2015, Volume 9065 of Lecture Notes in Computer Science, pp. 209–219. Springer, Berlin (2015)

    Google Scholar 

  60. Yang, Q., Hu, L., Sun, S., Song, L.: Extension of meet-in-the-middle technique for truncated differential and its application to RoadRunneR. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds.) Network and System Security—NSS 2016, Volume 9955 of Lecture Notes in Computer Science, pp. 398–411. Springer, Berlin (2016)

    Google Scholar 

  61. Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015)

    Google Scholar 

  62. ZigBee Alliance. ZigBee Wireless Standard. http://www.zigbee.org (2015). Accessed 4 Apr 2017

Download references

Acknowledgements

We thank all contributors listed at http://www.cryptolux.org/index.php/FELICS_Contributors for the submitted implementations and their support for a fair evaluation of lightweight block ciphers. Daniel Dinu and Léo Perrin were supported by the CORE project ACRYPT (ID C12-15-4009992), funded by the Fonds National de la Recherche (FNR) Luxembourg.

Author information

Authors and Affiliations

  1. SnT and CSC, University of Luxembourg, Maison du Nombre, 6, Avenue de la Fonte, 4364, Esch-sur-Alzette, Luxembourg

    Daniel Dinu, Yann Le Corre, Dmitry Khovratovich, Léo Perrin, Johann Großschädl & Alex Biryukov

Authors
  1. Daniel Dinu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yann Le Corre
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Dmitry Khovratovich
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Léo Perrin
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Johann Großschädl
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Alex Biryukov
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Johann Großschädl.

Appendices

Target devices

1.1 8-bit AVR ATmega128 microcontroller

The ATmega128 [4] microcontroller developed by Atmel is based on an 8-bit RISC architecture and provides 133 instructions, which are encoded to be either 16 or 32 bits wide. Most of the instructions are executed in only one or two clock cycles. The ATmega128 features a two-stage pipeline, making it possible to execute an instruction while the next instruction is fetched from program memory. In addition, it comes with a relatively large register file consisting of 32 general-purpose registers (R0 to R31) of 8-bit width. Six registers can be used as three 16-bit pointers (X, Y, and Z) to access the data space. All 32 registers are directly connected to the arithmetic logic unit (ALU). The standard ALU instructions have a two-address format, which allows them to read two 8-bit operand words from two independent registers and write the result of the operation back to one of them. Like other members of the 8-bit AVR family, the ATmega128 uses a Harvard architecture (i.e., separate memories, buses, and address spaces for program and data) to maximize performance and parallelism. The memory sub-system includes 128 kB of flash (for storing program code), 4 kB of SRAM, and 4 kB of EEPROM.

1.2 16-bit MSP430F1611 microcontroller

The MSP430F1611 [53] is a 16-bit microcontroller from Texas Instruments that contains a RISC CPU optimized for ultra-low power consumption and various peripheral modules. A distinguishing feature of the MSP430 architecture is its minimalist instruction set comprising only 27 core instructions and 24 emulated instructions. The length of an instruction can vary between one and three 16-bit words, i.e., between two and six bytes. Depending on the instruction format, the 27 core instructions fall into three categories: double-operand instructions (which overwrite one of the two operands with the result), single-operand instructions, and jumps. The MSP430 instruction set is highly orthogonal and supports seven addressing modes for the source operand and four addressing modes for the destination operand. Depending on the used addressing modes, double-operand instructions have a latency of between one clock cycle (when source and destination operands are held in registers) and six clock cycles (operands are in RAM or flash). There are 16 registers, of which four, namely R0 to R3, serve a special purpose. The von Neumann memory system of the MSP430F1611 consists of 10 kB RAM and 48 kB flash.

1.3 32-bit ARM Cortex-M3 microcontroller

The Cortex-M3 is a member of the ARM Cortex-M series of 32-bit microcontrollers that was specifically designed to achieve high system performance in power- and cost-sensitive embedded applications [3]. It is based on the ARMv7-M architecture and supports Thumb-2 technology, which extends the 16-bit fixed-width Thumb instruction set with some additional 32-bit ARM instructions, whereby 16-bit and 32-bit instructions can be freely intermixed. Data processing instructions have a conventional three-address format that allows the target register to be distinct from the two source operands. The first operand must always be one of the 13 general-purpose 32-bit registers, while the second operand can be a register, an immediate value, or a register with an optional shift. Many instructions can be executed conditionally, based on condition flags set by another instruction. Cortex-M3 microcontrollers incorporate a Harvard architecture (enabling simultaneous instruction fetch with data load/store) and have a three-stage pipeline with branch speculation. The specific Cortex-M3 device we use for benchmarking is an Arduino Due board equipped with an Atmel SAM3X8 that features 512 kB flash and 96 kB RAM.

API and implementation requirements

To unify evaluation conditions, our framework imposes some requirements on the implementation of a block cipher. Firstly, basic operations must be performed by functions having the following C prototypes.

void RunEncryptionKeySchedule(uint8_t *key, uint8_t *roundKeys);

void Encrypt(uint8_t *block, uint8_t

*roundKeys);

void RunDecryptionKeySchedule(uint8_t *key, uint8_t *roundKeys);

void Decrypt(uint8_t *block, uint8_t *roundKeys);

Each of the above functions should be implemented in its own C file. If the cipher key schedule is the same for encryption and decryption then only the encryption key schedule function has to be implemented. The framework takes a common key schedule into account when computing the different metrics. Secondly, all other common code sections should be placed in separate functions to reduce the overall code size. The implementer needs to add the names of the common files to the implementation info file, which gets parsed by the framework when extracting the three metrics for the implementation. Thirdly, the implementer has to choose whether the constants used by the cipher should be stored in flash/ROM or RAM. However, this flexibility comes at the expense that the implementer has to define and use a dedicated macro to read the constant value(s). Fourthly, the block size used by the implementation must be a multiple of 64 bits.

While these requirements guarantee the same evaluation conditions for an accurate assessment of the performance of a block cipher in various different evaluation scenarios, they limit the applicability of some optimization techniques like bit-slicing. Even though bit-sliced implementations can be very fast, they have the disadvantage of high memory consumption and can only be used in non-feedback modes of operation (e.g., CTR mode). However, the performance of a cipher implementation in such (highly) specific settings does not say anything about the cipher’s performance in more general usage scenarios, which is what we are mainly interested in and our framework was designed for. The benchmarking toolsuite is able to verify the compliance with the formulated requirements and to check the correctness of an implementation with the help of test vectors. Since the metrics extraction process is completely automated, the toolsuite is easy to use, even for beginners with little experience.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Dinu, D., Corre, Y.L., Khovratovich, D. et al. Triathlon of lightweight block ciphers for the Internet of things. J Cryptogr Eng 9, 283–302 (2019). https://doi.org/10.1007/s13389-018-0193-x

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s13389-018-0193-x

Keywords

Search

Navigation