Chapter

The Final Round: Benchmarking NIST LWC Ciphers on Microcontrollers


Abstract

In this work, we present our benchmarking results for the ten finalist ciphers of the Lightweight Cryptography (LWC) project initiated by the National Institute of Standards and Technology (NIST). We evaluate the speed and code size of various software implementations on five different platforms featuring four different architectures. Moreover, we benchmark the dynamic memory utilization of the remaining NIST LWC algorithms on one 32-bit ARM controller. We describe our test cases and methodology and provide some information regarding the design and properties of the finalists before showing and discussing our results. Altogether, we evaluated almost 300 implementations of the 3rd round candidates and pick the most appropriate and best (primary) implementation of each cipher for our comparisons. We include a variant of AES-GCM in our benchmarking in order to be able to compare the state of the art to the novel LWC ciphers. Our research gives an overview of the performance of the latest software implementations of the NIST LWC finalists and shows which candidate performs best under which circumstances in our individual test cases. Additionally, we make all benchmarking results, the code for our test framework and every tested implementation available to the public to ensure a transparent testing process.

Keywords: Lightweight cryptography, Benchmarking, Embedded systems, Evaluation framework

Article
We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers full leakage-resistance, that is, it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. Moreover, the leakage integrity bound is asymptotically optimal in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It can be implemented with a remarkably low energy cost when strong resistance to side-channel attacks is needed, supports online encryption and handles static and incremental associated data efficiently. Concretely, TEDT encourages so-called leveled implementations, in which two TBCs are implemented: the first one needs strong and energy-demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy-efficient protections and performs the bulk of the computation. As a result, TEDT leads to more energy-efficient implementations compared to traditional AEAD schemes, whose side-channel security requires uniformly protecting every (T)BC execution.
Article
In this paper, we present Xoodyak, a cryptographic primitive that can be used for hashing, encryption, MAC computation and authenticated encryption. Essentially, it is a duplex object extended with an interface that allows absorbing strings of arbitrary length, their encryption and squeezing output of arbitrary length. It inherently hashes the history of all operations in its state, allowing one to derive its resistance against generic attacks from that of the full-state keyed duplex. Internally, it uses the Xoodoo[12] permutation that, with its width of 48 bytes, allows for very compact implementations. The choice of 12 rounds justifies a security claim in the hermetic philosophy: it implies that there are no shortcut attacks with higher success probability than generic attacks. The claimed security strength is 128 bits. We illustrate the versatility of Xoodyak by describing a number of use cases, including the ones requested by NIST in the lightweight competition. For those use cases, we translate the relatively detailed security claim that we make for Xoodyak into simple ones.
Preprint
The software performance of cryptographic schemes is an important factor in the decision to include such a scheme in real-world protocols like TLS, SSH or IPsec. In this paper, we develop a benchmarking framework to perform software performance measurements on authenticated encryption schemes. In particular, we apply our framework to independently benchmark the 29 remaining 2nd round candidates of the CAESAR competition. Many of these candidates have multiple parameter choices, or deploy software-optimised versions, raising our total number of benchmarked implementations to 232. We illustrate our results in various diagrams and hope that our contribution helps developers to find an appropriate cipher in their selection choice.
Article
In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well as binary code size, and allows one to define a custom “figure of merit” according to which all evaluated candidates can be ranked. We used the framework to benchmark implementations of 19 lightweight ciphers, namely AES, Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, on three microcontroller platforms: 8-bit AVR, 16-bit MSP430, and 32-bit ARM. Our results bring some new insights into the question of how well these lightweight ciphers are suited to secure the Internet of things. The benchmarking framework provides cipher designers with an easy-to-use tool to compare new algorithms with the state of the art and allows standardization organizations to conduct a fair and consistent evaluation of a large number of candidates.
Article
For security applications in wireless sensor networks (WSNs), choosing the best algorithms in terms of energy efficiency and small memory requirements is a real challenge because the sensor networks are composed of low-power entities. In some previous works, 12 block ciphers have been benchmarked on an ATMEL AVR ATtiny45 8-bit microcontroller and the best candidates to use in the context of small embedded platforms have been deduced. This article proposes to study on the TI 16-bit microcontroller MSP430 most of the recent lightweight block cipher proposals as well as some conventional block ciphers. First, we describe the design of the chosen block ciphers with a security and an implementation summary, and we then present some implementation tests performed on our dedicated platform. Copyright © 2015 John Wiley & Sons, Ltd.
Conference Paper
RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that, unlike previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active S-boxes. This kind of AES-like primitive is usually not well suited for ultra-constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use case in hardware.

Keywords: lightweight, hash function, sponge function, AES
Conference Paper
This paper proposes spongent, a family of lightweight hash functions with hash sizes of 88 (for preimage resistance only), 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy. Its smallest implementations in ASIC require 738, 1060, 1329, 1728, and 1950 GE, respectively. To the best of our knowledge, at all security levels attained, it is the hash function with the smallest footprint in hardware published so far, the parameter being highly technology dependent. spongent offers a lot of flexibility in terms of serialization degree and speed. We explore some of its numerous implementation trade-offs. We furthermore present a security analysis of spongent. Basing the design on a present-type primitive provides confidence in its security with respect to the most important attacks. Several dedicated attack approaches are also investigated.
Chapter
A major challenge when applying cryptography on constrained environments is the trade-off between performance and security. In this work, we analyzed different strategies for the optimization of several candidates of NIST’s lightweight cryptography standardization project on a RISC-V architecture. In particular, we studied the general impact of optimizing symmetric-key algorithms in assembly and in plain C. Furthermore, we present optimized implementations, achieving a speed-up of up to 81% over available implementations, and discuss general implementation strategies.
Chapter
The National Institute of Standards and Technology (NIST) started the standardization process for lightweight cryptography algorithms in 2018. By the end of the first round, 32 submissions had been selected as 2nd round candidates. NIST allowed designers of 2nd round submissions to provide small updates on both their specifications and implementation packages. In this work, we introduce a benchmarking framework for evaluating the performance of NIST Lightweight Cryptography (LWC) candidates on embedded platforms. We show the features and application of the framework and explain its design rationale. Moreover, we provide information on how we aim to present up-to-date performance figures throughout the NIST LWC competition. In this paper, we present an excerpt of our software benchmarking results regarding speed and memory requirements of selected ciphers. All up-to-date results, including benchmarking different test cases for multiple variants of each 2nd round algorithm on five different microcontrollers, are periodically published to a public website. While initially only the reference implementations were available, the ability to automatically test the performance of the candidate algorithms on multiple platforms becomes especially relevant as more optimized implementations are developed. Finally, we show how the framework can be extended in different directions: support for more target platforms can be easily added, different kinds of algorithms can be tested, and other test metrics can be acquired. The focus of this paper should rather lie on the framework design and testing methodology than on the current results, especially for reference code.
Chapter
S-boxes are the only source of non-linearity in many symmetric primitives. While they are often defined as being functions operating on a small space, some recent designs propose the use of much larger ones (e.g., 32 bits). In this context, an S-box is then defined as a subfunction whose cryptographic properties can be estimated precisely.
Chapter
Cryptographic algorithms that can simultaneously provide both encryption and authentication play an increasingly important role in modern security architectures and protocols (e.g. TLS v1.3). Dozens of authenticated encryption systems have been designed in the past five years, which has initiated a large body of research in cryptanalysis. The interest in authenticated encryption has further risen after the National Institute of Standards and Technology (NIST) announced an initiative to standardize “lightweight” authenticated ciphers and hash functions that are suitable for resource-constrained devices. However, while there already exist some cryptanalytic results on these recent designs, little is known about their performance, especially when they are executed on small 8, 16, and 32-bit microcontrollers. In this paper, we introduce an open-source benchmarking tool suite for a fair and consistent evaluation of Authenticated Encryption with Associated Data (AEAD) algorithms written in C or assembly language for 8-bit AVR, 16-bit MSP430, and 32-bit ARM Cortex-M3 platforms. The tool suite is an extension of the FELICS benchmarking framework and provides a new AEAD-specific low-level API that allows users to collect very fine-grained and detailed results for execution time, RAM consumption, and binary code size in a highly automated fashion. FELICS-AEAD comes with two pre-defined evaluation scenarios, which were developed to resemble security-critical operations commonly carried out by real IoT applications to ensure the benchmarks are meaningful in practice. We tested the AEAD tool suite using five authenticated encryption algorithms, namely AES-GCM and the CAESAR candidates ACORN, ASCON, Ketje-Jr, and NORX, and present some preliminary results.
Conference Paper
We present a new tweakable block cipher family SKINNY, whose goal is to compete with the NSA's recent design SIMON in terms of hardware/software performance, while providing in addition much stronger security guarantees with regard to differential/linear attacks. In particular, unlike SIMON, we are able to provide strong bounds for all versions, and not only in the single-key model, but also in the related-key or related-tweak model. SKINNY has flexible block/key/tweak sizes and can also benefit from very efficient threshold implementations for side-channel protection. Regarding performance, it outperforms all known ciphers for ASIC round-based implementations, while still reaching an extremely small area for serial implementations and a very good efficiency for software and microcontroller implementations (SKINNY has the smallest total number of AND/OR/XOR gates used for the encryption process). Secondly, we present MANTIS, a dedicated variant of SKINNY for low-latency implementations, that constitutes a very efficient solution to the problem of designing a tweakable block cipher for memory encryption. MANTIS basically reuses well-understood, previously studied, known components. Yet, by putting those components together in a new fashion, we obtain a cipher competitive with PRINCE in latency and area, while being enhanced with a tweak input.
Conference Paper
In October 2012, the American National Institute of Standards and Technology (NIST) announced the selection of Keccak as the winner of the SHA-3 Cryptographic Hash Algorithm Competition [10,11]. This concluded an open competition that was remarkable both for its magnitude and the involvement of the cryptographic community. Public review is of paramount importance to increase the confidence in the new standard and to favor its quick adoption. The SHA-3 competition explicitly took this into account by giving open access to the candidate algorithms and everyone in the cryptographic community could try to break them, compare their performance, or simply give comments.
Chapter
The origins of eSTREAM can be traced back to the 2004 RSA Data Security Conference. There, as part of the Cryptographer’s Panel, Adi Shamir made some insightful comments on the state of stream ciphers. In particular, with AES [8] deployment being so wide-spread, Shamir wondered whether there remained a need for a stream cipher of dedicated design. As arguments against, one might observe that for most applications, the use of the AES in an appropriate stream cipher mode [9] frequently offers a perfectly adequate solution. Some also doubt our understanding of how best to design a dedicated stream cipher, a view somewhat supported by the lack of surviving stream ciphers in the NESSIE project [1]. However, as counter-arguments Shamir went on to identify two areas where a dedicated stream cipher might conceivably offer some advantage over block ciphers: (1) where exceptionally high throughput is required in software and (2) where exceptionally low resource consumption is required in hardware.
Conference Paper
We consider the problem of implementing security algorithms in embedded systems deployed in automation applications. Such systems are typically built on embedded microcontrollers with limited resources, and as hardware changes may not be possible or convenient, software-based cryptography is a suitable solution. In this paper we present results of performance benchmarks of different software-implemented symmetric cryptography algorithms on 8- and 16-bit microcontroller platforms. The contribution of the work is in comparing the performance of different algorithms, embedded microcontroller platforms, effects of optimizations and different implementations.