Abstract
This paper explores state-of-the-art software implementations of “size-minimum” AES on low-end microcontrollers. In embedded environments, reducing memory size often has priority over achieving faster speed. Some recent lightweight block ciphers can be implemented in 200 to 300 ROM bytes, while the smallest software implementation of AES including key scheduling, encryption and decryption is, as far as we know, around 1 K ROM bytes.
The first purpose of this study is to see how small AES could be. To do this, we aggressively minimize the code and data size of AES by introducing a ring multiplication for computing the S-box without any lookup table, a compact algorithm for embedding MixColumns into InvMixColumns, and a tiny loop that processes AddRoundKey, ShiftRows and SubBytes at the same time. As a result, we achieve a 192-byte AES encryption-only code and a 326-byte AES encryption-decryption code on the RL78 microcontroller. We also show that an AES-GCM core can be implemented in 429 bytes on the same microcontroller. These codes include on-the-fly key scheduling to minimize RAM size, and their running time is independent of secret information, i.e. they are timing-attack resistant.
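Two of the size-saving ideas named above, a table-free S-box and InvMixColumns expressed through MixColumns, are illustrated in the added C example below; it is not the authors' RL78 code, and it computes the field inverse by plain square-and-multiply over a constant-time GF(2^8) multiply rather than by the paper's ring-multiplication trick. The factorization circ(14,11,13,9) = circ(2,3,1,1) x circ(5,0,4,0) is the standard InvMixColumn decomposition (Fischer et al.), and the check values are from FIPS-197.

```c
#include <stdint.h>
#include <string.h>
/* GF(2^8) multiply modulo the AES polynomial x^8+x^4+x^3+x+1. The loop always runs
   8 times and uses masks instead of branches, so timing does not depend on the operands. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        p ^= a & (uint8_t)-(b & 1);                              /* add a if low bit of b set */
        a = (uint8_t)((a << 1) ^ (0x1b & (uint8_t)-(a >> 7)));   /* a *= x, then reduce */
        b >>= 1;
    }
    return p;
}

/* S-box with no 256-byte table: x^-1 = x^254 by square-and-multiply (254 = 11111110b:
   seven square-then-multiply steps plus a final square), then the FIPS-197 affine map. */
uint8_t aes_sbox(uint8_t x)
{
    uint8_t r = 1;
    for (int i = 0; i < 7; i++) r = gf_mul(gf_mul(r, r), x);
    r = gf_mul(r, r);                                /* r = x^254; 0 maps to 0 as required */
    return r ^ (uint8_t)((r << 1) | (r >> 7)) ^ (uint8_t)((r << 2) | (r >> 6))
             ^ (uint8_t)((r << 3) | (r >> 5)) ^ (uint8_t)((r << 4) | (r >> 4)) ^ 0x63;
}

/* MixColumns on one column: circulant matrix with first row (2,3,1,1). */
void mix_column(const uint8_t in[4], uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = gf_mul(2, in[i]) ^ gf_mul(3, in[(i + 1) & 3]) ^ in[(i + 2) & 3] ^ in[(i + 3) & 3];
}

/* InvMixColumns through MixColumns: circ(14,11,13,9) = circ(2,3,1,1) * circ(5,0,4,0),
   so a cheap pre-multiplication lets decryption reuse the encryption routine. */
void inv_mix_column(const uint8_t in[4], uint8_t out[4])
{
    uint8_t t[4];
    for (int i = 0; i < 4; i++) t[i] = gf_mul(5, in[i]) ^ gf_mul(4, in[(i + 2) & 3]);
    mix_column(t, out);
}

/* Self-check against FIPS-197 values: S(0x53)=0xed; column (db,13,53,45) -> (8e,4d,a1,bc). */
int self_check(void)
{
    static const uint8_t col[4] = {0xdb, 0x13, 0x53, 0x45}, want[4] = {0x8e, 0x4d, 0xa1, 0xbc};
    uint8_t mixed[4], back[4];
    mix_column(col, mixed);
    inv_mix_column(mixed, back);
    return aes_sbox(0x53) == 0xed && memcmp(mixed, want, 4) == 0 && memcmp(back, col, 4) == 0;
}
```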
The second purpose of this research is to see what processor hardware architecture is suitable for implementing lightweight ciphers from a minimalist point of view. A simple-looking algorithm often results in very different size and speed figures on different low-end microcontrollers in practice, even if their instruction sets consist of similar primitive operations. We show concrete code examples implemented on four low-end microcontrollers, RL78, ATtiny, Cortex-M0 and MSP430, to demonstrate that slight differences in processor hardware, such as carry flag treatment and branch timing, significantly affect the size and speed of AES.
Appendix: Low End Microcontrollers Comparison Chart
This table is not intended to be exhaustive, but to illustrate typical cases in implementing lightweight symmetric ciphers for readers’ convenience.
| | RL78 | ATtiny | Cortex-M0 | MSP430 |
|---|---|---|---|---|
| **Hardware Registers** | | | | |
| Register Size (bits) | 8, 16 | 8 | 32 | 8, 16 |
| Number of General Registers | 8 | 32 | 13 | 12 |
| **Addressing Modes** | | | | |
| Number of Operands | 2 | 2 | 2, 3 | 2 |
| Read-Modify(-Write) Instructions | R-M | No | No | R-M-W |
| Post-Increment Addressing | No | Yes | No | Yes |
| **Code Length (bytes)** | | | | |
| Operation equivalent to `xor reg,[mem]` | 1-3 | 4 | 4 | 2, 4 |
| Conditional Short Jump | 2 | 2 | 2 | 2 |
| Subroutine Call | 3 | 2 | 4 | 4 |
| **Instruction Latency (cycles)** | | | | |
| Read from Memory (RAM/ROM) | 1/4 | 2/3 | 2 | 2 |
| Operation equivalent to `xor reg,[mem]` | 1 | 2 | 2 | 2-3 |
| Conditional Short Jump (taken/not-taken) | 4/2 | 2/1 | 3/1 | 2/2 |
| Call + Return | 9 | 7 | 7 | 7 |
| **Supported Instructions** | | | | |
| Shift with multiple counts | Yes | No | Yes | No |
| Rotate shift without carry | Yes | No | Yes | No |
| Rotate shift with carry | Yes | Yes | No | Yes |
| Carry-preserving increment/decrement | Yes | Yes | No | No |
| Conditional Skip | Yes | Yes | No | No |
Matsui, M., Murakami, Y. (2015). AES Smaller Than S-Box. In: Eisenbarth, T., Öztürk, E. (eds.) Lightweight Cryptography for Security and Privacy. LightSec 2014. Lecture Notes in Computer Science, vol. 8898. Springer, Cham. https://doi.org/10.1007/978-3-319-16363-5_4
DOI: https://doi.org/10.1007/978-3-319-16363-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16362-8
Online ISBN: 978-3-319-16363-5