Energy Evaluation of Software Implementations of Block Ciphers under Memory Constraints
Johann Großschädl, Stefan Tillich, Christian Rechberger, Michael Hofmann, and Marcel Medwed
Graz University of Technology Institute for Applied Information Processing and Communications Outline • Motivation • Block ciphers • Evaluation approach • Practical results • Conclusions
Stefan Tillich Graz University of Technology 2 Motivation • Moving towards "ubiquitous computing" • Wireless sensor networks • Important aspects • Security • Energy efficiency • Use of limited computational resources • Cryptographic primitives concern all these issues
Stefan Tillich Graz University of Technology 3 Our Work • Study of symmetric block cipher algorithms and implementations to provide • High security • Good performance • Low memory consumption • Low energy consumption
Stefan Tillich Graz University of Technology 4 Block Ciphers • Symmetric cryptographic primitive • Encrypts/decrypts fixed-size block (e.g. 64/128 bits) • Key size typically between 128 and 256 bits • Each key defines mapping from plaintext to ciphertext blocks • Building block for providing confidentiality, data integrity, authentication (modes of operation) • U.S. NIST contest to select Advanced Encryption Standard
Stefan Tillich Graz University of Technology 5 Importance of Memory Efficiency
Performance of AES-128 encryption implementations in dependence on cache size
5000 T-box lookup (1 KB) T-box lookup (4 KB) 4000 T-box lookup (8 KB) S-box lookup (256 Byte) 3000
2000 Clock cycles Clock
1000
0 1 kB 2 kB 4 kB 8 kB 16 kB Cache size (I + D cache of same size)
Stefan Tillich Graz University of Technology 6 Examined Block Ciphers
• Rijndael (AES): 10 rounds • RC6: 20 rounds • Serpent: 32 rounds • Twofish: 16 rounds • XTEA: 64 rounds, 64-bit blocks, no key expansion
Stefan Tillich Graz University of Technology 7 Evaluation Preconditions • 32-bit embedded processor (StrongARM) • Aim for small code size • Runtime memory footprint < 1 KB • No lookup tables > 1 KB • Key size of 128 bits • 128-bit data blocks
Stefan Tillich Graz University of Technology 8 Evaluation Methodology • ANSI C implementations • Simulation with Sim-Panalyzer • Based on SimpleScalar • Models StrongARM SA-1100 • Cycle-accurate ISS • Energy consumption
Stefan Tillich Graz University of Technology 9 Evaluation Criteria • Code size • Performance • Encryption • Decryption • Modes of operation • Average power consumption • Energy / block
Stefan Tillich Graz University of Technology 10 Memory Optimizations
• Prefer use of program memory over RAM • Use subroutines to reduce code size • No loop unrolling • Immediate values (11 bit) for constants • Assembly for critical operations • Use ARM built-in "free" shift/rotate
Stefan Tillich Graz University of Technology 11 Code Size & RAM
5000 Encryption 4500 Decryption 4000 Both 3500
3000
2500 Bytes 2000
1500 1000
500
0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours) • Rijndael (Gladman): unrolled, 256-byte tables in RAM • Rijndael (ours): not unrolled, 256-byte tables in program mem. • RAM: In all cases (except Rijndael - Gladman) << 1 KB
Stefan Tillich Graz University of Technology 12 Encryption Performance
18000 Encryption 16000 Key expansion 14000
12000
10000
8000
6000 Clock cycles / block 4000
2000
0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours)
• RC6 fastest, but costly key expansion • Performance of Rijndael and XTEA similar • Serpent and Twofish rather slow • Decryption performance similar
Stefan Tillich Graz University of Technology 13 Modes of Operation
• Evaluated encryption of 1,000 blocks in ECB, CBC, CTR, CFB, and OFB mode • RC6: 4.3 –5.2 MB/s • Rijndael: 1.3 –1.4 MB/s • Serpent: 0.6 MB/s • Twofish: 0.4 MB/s • XTEA: 1.5 –1.7 MB/s
Stefan Tillich Graz University of Technology 14 Average Power Consumption
2.0 Encryption Decryption Key expansion 1.8
1.6
1.4
1.2
1.0 Watt 0.8
0.6
0.4
0.2
0.0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours) • Relatively uniform power consumption • Energy consumption therefore approximately proportional to execution time
Stefan Tillich Graz University of Technology 15 Energy for Encryption
120 Encryption Key expansion 100
80
60 µJoule
40
20
0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours) • RC6 encryption by far the most energy efficient • Rijndael and XTEA similar • Serpent and Twofish worst
Stefan Tillich Graz University of Technology 16 Conclusion
• Evaluation of block cipher implementations under memory constraints • RC6 • Small and fast (except key expansion) • (U.S patents by RSA Security) • XTEA • Very small and good performance • Rijndael (AES) • Medium size and good performance • Standardized
Stefan Tillich Graz University of Technology 17