
Energy Evaluation of Software Implementations of Block Ciphers under Memory Constraints

Johann Großschädl, Stefan Tillich, Christian Rechberger, Michael Hofmann, and Marcel Medwed

Graz University of Technology
Institute for Applied Information Processing and Communications

Outline
• Motivation
• Block ciphers
• Evaluation approach
• Practical results
• Conclusions

Stefan Tillich, Graz University of Technology

Motivation
• Moving towards "ubiquitous computing"
• Wireless sensor networks
• Important aspects
  • Security
  • Energy efficiency
  • Use of limited computational resources
• Cryptographic primitives concern all these issues

Our Work
• Study of symmetric block algorithms and implementations to provide
  • High security
  • Good performance
  • Low memory consumption
  • Low energy consumption

Block Ciphers
• Symmetric
• Encrypts/decrypts fixed-size block (e.g. 64/128 bits)
• Key size typically between 128 and 256 bits
• Each key defines mapping from plaintext to ciphertext blocks
• Building block for providing confidentiality, data integrity, authentication (modes of operation)
• U.S. NIST contest to select Advanced Encryption Standard

Importance of Memory Efficiency

[Figure: Performance of AES-128 encryption implementations in dependence on cache size. Y-axis: clock cycles; x-axis: cache size (I + D cache of same size), 1 kB to 16 kB. Series: T-box lookup (1 KB), T-box lookup (4 KB), T-box lookup (8 KB), S-box lookup (256 Byte).]

Stefan Tillich Graz University of Technology 6 Examined Block Ciphers

• Rijndael (AES): 10 rounds • RC6: 20 rounds • Serpent: 32 rounds • : 16 rounds • XTEA: 64 rounds, 64-bit blocks, no key expansion

Stefan Tillich Graz University of Technology 7 Evaluation Preconditions • 32-bit embedded processor (StrongARM) • Aim for small code size • Runtime memory footprint < 1 KB • No lookup tables > 1 KB • of 128 bits • 128-bit data blocks

Stefan Tillich Graz University of Technology 8 Evaluation Methodology • ANSI C implementations • Simulation with Sim-Panalyzer • Based on SimpleScalar • Models StrongARM SA-1100 • Cycle-accurate ISS • Energy consumption

Stefan Tillich Graz University of Technology 9 Evaluation Criteria • Code size • Performance • Encryption • Decryption • Modes of operation • Average power consumption • Energy / block

Stefan Tillich Graz University of Technology 10 Memory Optimizations

• Prefer use of program memory over RAM • Use subroutines to reduce code size • No loop unrolling • Immediate values (11 bit) for constants • Assembly for critical operations • Use ARM built-in "free" shift/rotate
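XTEA from the list of examined ciphers (64 rounds, 64-bit blocks, no key expansion), written along the lines of the optimizations above: rolled loop, no lookup tables, one constant, shifts only. This is an added example that follows the published XTEA algorithm and is not the authors' evaluated implementation; the function names and the sample key and block are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define XTEA_DELTA  0x9E3779B9u  /* the only constant; no S-box or T-box */
#define XTEA_CYCLES 32u          /* 32 loop iterations = 64 Feistel rounds */

/* Encrypt one 64-bit block in place. The 128-bit key is indexed directly
 * in every round, so no expanded key has to be computed or kept in RAM. */
void xtea_encrypt(uint32_t v[2], const uint32_t key[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < XTEA_CYCLES; i++) {   /* rolled, not unrolled */
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Decryption runs the same rounds backwards, starting from the final sum. */
void xtea_decrypt(uint32_t v[2], const uint32_t key[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_CYCLES;
    for (unsigned i = 0; i < XTEA_CYCLES; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Round-trip check on a constructed key and block; returns 1 on success. */
int xtea_selftest(void)
{
    static const uint32_t key[4] = { 0x00010203u, 0x04050607u, 0x08090A0Bu, 0x0C0D0E0Fu };
    uint32_t block[2] = { 0x41424344u, 0x45464748u };
    xtea_encrypt(block, key);
    int changed = (block[0] != 0x41424344u) || (block[1] != 0x45464748u);
    xtea_decrypt(block, key);
    return changed && block[0] == 0x41424344u && block[1] == 0x45464748u;
}

int main(void)
{
    printf("XTEA round trip: %s\n", xtea_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Working state is three 32-bit words plus the caller's key and block, which is why the cipher fits the sub-1 KB RAM budget with room to spare.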

Stefan Tillich Graz University of Technology 11 Code Size & RAM

5000 Encryption 4500 Decryption 4000 Both 3500

3000

2500 Bytes 2000

1500 1000

500

0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours) • Rijndael (Gladman): unrolled, 256-byte tables in RAM • Rijndael (ours): not unrolled, 256-byte tables in program mem. • RAM: In all cases (except Rijndael - Gladman) << 1 KB

Stefan Tillich Graz University of Technology 12 Encryption Performance

18000 Encryption 16000 Key expansion 14000

12000

10000

8000

6000 Clock cycles / block 4000

2000

0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours)

• RC6 fastest, but costly key expansion • Performance of Rijndael and XTEA similar • Serpent and Twofish rather slow • Decryption performance similar

Stefan Tillich Graz University of Technology 13 Modes of Operation

• Evaluated encryption of 1,000 blocks in ECB, CBC, CTR, CFB, and OFB mode • RC6: 4.3 –5.2 MB/s • Rijndael: 1.3 –1.4 MB/s • Serpent: 0.6 MB/s • Twofish: 0.4 MB/s • XTEA: 1.5 –1.7 MB/s

Stefan Tillich Graz University of Technology 14 Average Power Consumption

2.0 Encryption Decryption Key expansion 1.8

1.6

1.4

1.2

1.0 Watt 0.8

0.6

0.4

0.2

0.0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours) • Relatively uniform power consumption • Energy consumption therefore approximately proportional to execution time

Stefan Tillich Graz University of Technology 15 Energy for Encryption

120 Encryption Key expansion 100

80

60 µJoule

40

20

0 RC6 Rijndael Rijndael Serpent Twofish XTEA (Gladman) (ours) • RC6 encryption by far the most energy efficient • Rijndael and XTEA similar • Serpent and Twofish worst

Stefan Tillich Graz University of Technology 16 Conclusion

• Evaluation of implementations under memory constraints • RC6 • Small and fast (except key expansion) • (U.S patents by RSA Security) • XTEA • Very small and good performance • Rijndael (AES) • Medium size and good performance • Standardized
