On the Energy Consumption of Quantum-Resistant Cryptographic Software Implementations Suitable for Wireless Sensor Networks
Total Page:16
File Type:pdf, Size:1020Kb
On the Energy Consumption of Quantum-resistant Cryptographic Software Implementations Suitable for Wireless Sensor Networks Michael Heigl1;2, Laurin Doerr1;2, Martin Schramm2 and Dalibor Fiala1 1Department of Computer Science and Engineering, University of West Bohemia, Pilsen 301 00, Czech Republic 2Institute ProtectIT, Deggendorf Institute of Technology, 94469 Deggendorf, Germany Keywords: Wireless Sensor Networks, Post-quantum Cryptography, Energy Consumption. Abstract: For an effective protection of the communication in Wireless Sensor Networks (WSN) facing e.g. threats by quantum computers in the near future, it is necessary to examine the applicability of quantum-resistant mechanisms in this field. It is the aim of this article to survey possible candidate schemes utilizable on sensor nodes and to compare the energy consumption of a selection of freely-available software implementations using a WSN-ready Texas Instruments CC1350 LaunchPad ARM® Cortex®-M3 microcontroller board. 1 INTRODUCTION itary area, cryptographic schemes are inevitable to preserve the protection goals confidentiality, integrity The set consisting of base stations and multiple tiny and authenticity. The application of these schemes on autonomous devices interconnected via an ad-hoc the other side still imposes several limitations since communication is called WSN. Nowadays, they have the known resource issues and other constraints pre- permeated many technological areas mainly driven by sented in (Sen, 2013) inhibit the deployment in WSN. the Internet of Things (IoT). The sensor nodes are Furthermore, with the advent of quantum comput- composed of a microcontroller, a radio transceiver, ers, quantum computation will have a tremendous im- a power supply (typically battery-powered), memory pact on a major field of cryptography not only erupt- and one or more sensors to collect data from the im- ing WSN-security. It has the potential to break or mediate environment and transmit it wirelessly. Ap- weaken asymmetric schemes including the Elliptic- plication areas are boosted by the IoT ranging from Curve Diffie-Hellman (ECDH) key exchange often simple measurements of environmental data such as applied in the embedded domain. temperature or smoke towards IoT-enabled Smart Thus, in this work possible state-of-the-art cryp- Cars (Bartolomeu et al., 2018). tographic schemes are proposed which are resistant The ever-increasing and more advanced attack to the power of quantum computers. A selection of capabilities and strategies pose an enormous chal- freely-available software implementation candidates lenge and demand IT-security for WSN in the near are integrated on a WSN-ready microcontroller board future. The sophistication of attacks utilizing dis- and evaluated in terms of their applicability in WSN. tributed, cloud or even quantum computation (Sen, The remainder of this paper is structured as follows: 2013) forces classical IT-security to change into sus- Section 2 discusses the threats from quantum comput- tainable cyber resilience. However, the application of ers towards cryptographic schemes. A state-of-the-art viable cryptographic schemes vital for holistic secu- review on cryptographic mechanisms with regard to rity solutions are often seen as an undesirable over- quantum-resistance for WSN is provided in Section 3. head cost and therefore neglected in the design of Details on the measurement setup and integration of a WSN. Due to the inherent resource limitations in selection of freely-available software implementation terms of memory size, processing speed as well as candidates on the Texas Instruments CC1350 Launch- energy consumption, attacks towards WSN are man- Pad microcontroller board are presented in Section 4. ifold (Costa et al., 2017). Because of the open com- The evaluation in Section 5 deals with energy con- munication nature of the wireless radio channel, at- sumption measurements with respect to fundamental tackers can easily eavesdrop on, intercept, inject and cryptographic components and discusses their com- forge the exchanged information. Especially when putational and communication cost. A short conclu- it comes to the transmission of confidential informa- sion and a glance at the future work of the ongoing tion, for instance measurements in the medical or mil- research work finalizes the article in Section 6. 72 Heigl, M., Doerr, L., Schramm, M. and Fiala, D. On the Energy Consumption of Quantum-resistant Cryptographic Software Implementations Suitable for Wireless Sensor Networks. DOI: 10.5220/0007835600720083 In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019), pages 72-83 ISBN: 978-989-758-378-0 Copyright c 2019 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved On the Energy Consumption of Quantum-resistant Cryptographic Software Implementations Suitable for Wireless Sensor Networks 2 QUANTUM NERVOUSNESS 3 CRYPTOGRAPHY FOR WSN Quantum computing is founded on the microscopic The protection of communicated data in WSN to physical phenomena of quantum mechanics. Instead achieve the stated security goals is mainly founded on of using bits with observed states 0 and 1 on contem- hash functions, symmetric-key and asymmetric-key porary computers, quantum computers are based on algorithms composed of the following crucial com- quantum bits (qubits). Qubits are particles that can ponents: message authentication, message encryption exist in both states simultaneously, by the effect of / decryption, key exchange, digital signature. Es- superposition, and are able to exploit true parallelism pecially with the threat of quantum computers to- due to quantum entanglement (Jozsa, 1997). In the wards asymmetric cryptography, practical alternatives era of having first viable quantum computers, the so- for contemporary schemes in WSN such as ECDH or called quantum nervousness begins and represents a DSA must be researched. new type of threat for cryptography in general. Post-quantum cryptography (PQC) refers to cryp- Shor’s algorithm (Shor, 1997) makes use of the tographic schemes that can function on classical quantum Fourier transform to extract the required in- non-quantum machines but promise to withstand formation from the superposition of quantum states the impact of Shor’s or Grover’s algorithm run- which allows to break all contemporary asymmet- ning on quantum-accelerated computers. Several ric cryptography such as RSA, DSA or Elliptic- different families of PQC are presented in (Bern- Curve Cryptography (ECC) based schemes. Espe- stein et al., 2009) including hash-based, code- cially ECC is widely deployed in IoT-environments based, lattice-based, multivariate-quadratic-equations due to the more efficient arithmetic, low memory and secret-key cryptography. Supersingular elliptic- usage, shorter key sizes and lower CPU consump- curve isogeny cryptography is much closer to classi- tion compared to RSA or DSA (Mani and Nishamol, cal ECDH-schemes, but it is very young and not well 2013). Even if asymmetric cryptography with ade- researched (Bogomolec and Gerhard, 2018). quate key sizes (BSI, 2018) is considered very safe Recommendations for cryptographic schemes to today, the underlying mathematical problems such as be used in the quantum-era, not intended for embed- efficient integer factorization e.g. in RSA or the cal- ded domains, are provided by (PQCRYPTO, 2015). culation of the discrete logarithm e.g. in ECC can be Even if some PQC software implementations aimed solved with Shor’s algorithm in a reasonable amount for low-cost devices exist (Xu et al., 2018), a major of time if a powerful quantum computer can be uti- demerit is the poor resource-efficiency especially in lized. Even if such efficient machines are currently terms of communication overhead of most of the post- far from being practically feasible, the NIST states quantum schemes compared to contemporary cryp- that a quantum computer capable of breaking RSA- tography which makes them hardly applicable on 2048 or ECC-256 in a matter of hours could be built resource-constrained devices. Another uncertainty by 2030 (NIST, 2016). with PQC is that there could be a currently unknown A breakthrough has recently been announced by algorithm that breaks even such schemes in the near Google regarding its 72-qubit capable Bristlecone future. Thus, a combination with contemporarily used paving the way for large scale quantum comput- mechanisms could be a possible tradeoff. An exam- ers (Kelly, 2018). Those will also affect symmet- ple is Google’s CECPQ1 which is a key exchange that ric cryptography such as AES. Even if Grover’s al- concatenates the results of an X25519 and NewHope gorithm (Grover, 1996) has been initially intended to key exchange. X25519 is a Diffie-Hellman-based key search unsorted databases, it can be applied to crack exchange applying Curve25519. symmetric ciphers. However, the impact is far less The following sections discuss the cryptographic than with Shor’s algorithm since currently it is as- key components with respect to the application in sumed that doubling the key length mitigates its harm. WSN by stating contemporary applied schemes and According to the authors of (Amy et al., 2016), cryp- possible PQC-alternatives. With respect to the secu- tographic hash functions are not affected by quan- rity level, schemes providing 128-bit will be consid- tum computers. They state that both SHA-256 and ered, since the 112-bit security level should be phased SHA3-256 need around 2166 logical