compared algorithm

8/6/2019 Compared Algorithm

1/13

International Journal of Network Security, Vol.9, No.1, PP.8294, July 2009 82

Analytical Comparison of Cryptographic

Techniques for Resource-Constrained Wireless

SecurityM. Razvi Doomun and KMS Soyjaudah

(Corresponding author: M. Razvi Doomun)

Faculty of Engineering, University of Mauritius

Reduit Campus, Mauritius

(Email: [email protected])

(Received May 29, 2007; revised and accepted Feb. 2 & Mar. 3, 2008)

Abstract

With the widespread growth in applications for resource-limited Wireless Sensor Networks (WSN), the need forreliable and efficient security mechanisms for them has in-creased manifold but its implementation is a non-trivialtask. Limitations in processing speed, battery power,bandwidth and memory constrain the applicability of ex-isting cryptography Algorithms for WSNs. In this paper,two potential block ciphers, namely the RC5 and AES-Rijndael, are analyzed and their suitability for resource-limited wireless network security are compared based on

performance criteria such as computational complexityoverhead and energy consumption. Using simulation testsand analytical models, we provide important analysisand considerations on practical feasibility of these crypto-graphic Algorithms in sensor networks to help designerspredict security performance under a set of constraints forWSNs.

Keywords: Block cipher analysis, computational over-head, energy-efficient encryption, wireless sensor net-work, wireless security

1 Introduction

Resource-efficient cryptographic Algorithms are becom-ing a pre-requisite for security services in various networkenvironments, such as Wireless Sensor Networks (WSN),in which low computational cost and low power consump-tions are key performance requirements. Though, securityin WSNs share many characteristics with traditional wire-less ad-hoc networks, there are fundamental differencesbetween the make-up and aims of the two types of net-works. Although WSNs are economically viable, but atthe same time their operational requirements prevent the

direct application of existing highly reliable traditionalwireless security techniques [11]. Traditional wireless net-

work security standards are not well-suited for sensor net-works as they are more demanding in memory, energy andare computationally intensive. An important aspect isthat the sensor nodes in WSNs are unattended, deployedin hostile environment, have unreplenishing energy andnetwork topology is unknown making them prone to dif-ferent types of malicious attacks like eavesdropping, mas-querading, traffic-analysis, etc. These devices are verylimited in their energy (Typically 20-30 Joules of initialenergy), computation processor, bandwidth and commu-nication capabilities that impose strong restrictions on theprocessing capabilities and available memory for security

mechanism executions. Thus, providing high degree ofsecurity in terms of data privacy and authentication is achallenging task and is at the same time of high priority.A number of security techniques have been proposed inrecent years to cope with battery characteristics for de-signing better energy-efficient security protocol [8, 11, 17].It has been argued that, using asymmetric cryptographyon highly resource-constrained devices is often not feasibledue to delay, energy and memory constraints. For com-parison, an implementation of symmetric cryptographyon an 8-bit micro-controller uses 7150 bytes of programmemory [8], in contrast to 30 KBytes of program memory

for the smallest available implementation of asymmetriccryptography [5]. As a result, symmetric cryptographyis the choice for applications that cannot afford compu-tational complexity. Efficient cryptographic Algorithmswith optimized implementations, in terms of energy con-sumption and computational overhead, are imperative tomaximize the battery lifetime of sensor nodes.

The aim of this paper is to present a methodology forthe evaluation of the complexity or computational costand energy efficiency of two block ciphers, Advance En-cryption Standard (AES)- Rijndael and RC5, that havebeen published as potentially suitable for WSN security.

Generally, the energy consumption by cryptographic Al-gorithms executed on a given microprocessor is expected


2/13


to be proportional to the number of clock cycles neededby the processor for their execution. The main contri-butions of this work can be summarized as follows: (1)Compare the number of basic processing operations re-quired by each encryption Algorithm and, analyze theircapabilities with other similar well-established results andperformance models. (2) Provide a simulation frame-

work and mathematical model to assess the processingoverhead and energy consumption of the cryptographicalgorithms. (3) Evaluate analytically simulation resultsto understand requirements of optimized cryptosystemsfor resource-limited wireless device and the design adap-tive encryption for future energy-efficient WSN securityThe rest of the paper is structured as follows: Section 2presents the related work. Section 3 describes the RC5and AES-Rijndael block cipher algorithms. Section 4introduces our analytical models of cryptographic algo-rithms complexity in terms of primitive operations. InSection 5, the experimental methodology is discussed and,

performance results and evaluation of cryptographic algo-rithms are presented in Section 6. Finally, Section 7 endsup with final considerations and future works.

2 Related Work

Security designers are facing the critical task of guaran-tying the security of increasingly more complex wirelessnetwork systems while dealing with very tight constraints.The ingredients of a security protocol are cryptographicalgorithms, which are selected based on the security ob- jectives that are to be achieved by the protocol. Manybattery-powered wireless systems are constrained by theenvironments they operate in and the resources they pos-sess, hence security designers should not address securityconsiderations from a functional perspective only. One ofthe current foremost challenges is the mismatch betweenthe energy and performance requirements of security pro-cessing, and the available battery and processor process-ing. These challenges have to be addressed to provide anefficient and reliable wireless security solution and theyhave been emphasized by Ravi et al. in [13] as proposedbelow. The processing gap highlights that current wire-less network security system architectures are not capable

of keeping up with the computational demands of secu-rity processing. The battery gap emphasizes that thecurrent energy consumption overheads of supporting se-curity on battery constrained wireless systems are veryhigh. The flexibility imposes that a mobile wireless sys-tem is often required to execute multiple heterogeneoussecurity protocols and standards. The tamper resis-tance emphasizes that secure mobile wireless systems arefacing an increasing number of attacks from physical tosoftware attacks. Side-channel attacks also represent animportant threat for these systems. The assurance gapis related to reliability and stresses the fact that secure

systems must continue to operate reliably despite attacksfrom intelligent adversaries who intentionally seek out un-

desirable failure modes.

However, security should not be overdone and efficientencryption algorithm refers to one which requires littlestorage, makes optimal use of hardware resources andconsumes less energy. The cost of encryption and de-cryption depend on a number of parameters: the sizeof the plaintext and ciphertext, respectively; the imple-

mentation complexity of the algorithm; the cipher modeadopted; and the key scheduling. Specifically, key lengthis important and the longer the key the higher the en-cryption time. Also, the cost for decryption depends onthe cost of the checks needed to accept the decryption.In particular there are two main concerns about the im-plementation of AES-Rijndael on sensor nodes claimed inthe literature [7, 15, 19]: (1) It is often considered tooslow and (2) It requires more space in memory. In fact,the baseline version of AES-Rijndael uses over 800 bytesmemory space for lookup tables, which is a high over-head on constrained WSN environment. However some

researchers do believe that Rinjdael can be efficiently im-plemented on WSN platform and Vitaletti and Palom-bizio [19] presented an improved implementation of AES-Rijndael for wireless sensor networks running on Eyessensor nodes. Their implementation of AES-Rijndael issmaller, from about 1/3 to 1/5 of the size of previous im-plementations and shows reasonable speed performance(slower than RC5 by a factor 2). Xiao et al. [9] analyzedthe security overhead of AES-CCMP in IEEE 802.15.4specification. The authors observed that processing cy-cles per block increases as key length increases, payloadincreases or MIPS decreases. AES-CCMP Decryptionhas much higher processing cycles than encryption andthe increase of processing cycles over the key length andthe payload size tends to be linear. Karlof et al. alsodesigned a chain-block-cipher (CBC) security mechanismcalled TinySec [8], and argued why CBC is the most ap-propriate encryption scheme for sensor networks. Initiallythey found AES-Rijndael to be slow for sensor networksand their work established that RC5 is one of the mostappropriate encryption methods for software implemen-tation on embedded micro-controllers. The use of CBCmode with blocks of size 8-byte results in ciphertexts hatare multiples of 8 bytes causing message expansion henceincreasing power consumption. Karlofet al. proposed the

use of ciphertext stealing technique [8] to ensure that theciphertext and plaintext are of same length. Encryptingdata payloads of less than 8 bytes generates ciphertextof 8 bytes since it requires as a minimum one block ofciphertext. Nonetheless, the ciphertext stealing processinvolves additional computation, which degrades the sen-sors power life span. In [9], Law et al. evaluated theperformance and energy characteristics of symmetric keyalgorithms on sensor node. Using the benchmark param-eters, code, data memory and CPU cycles, the simulationresults showed that AES-Rijndael is suitable for high secu-rity and energy-efficiency. However, the evaluation results

in [10] which provide a comparative study on performanceof symmetric key cryptography in sensor networks, dis-


3/13


agreed with the work in [18] in which RC5 was selectedas the encryption/decryption scheme. In the paper [2],the authors assess the feasibility of different encryptionschemes for a range of embedded architectures, i.e. fromlow-end 8-bit width to high-end 32-bit width processors,and its impact on the performance of encryption. For asequence initialization-encryption-decryption of plaintext

size 16 bytes using RC5, 75% of execution time accountsfor initialization step, 13% of execution time for encryp-tion and 13% of execution time for decryption. The ini-tialization overhead is significant for most encryption al-gorithms, in particular for small plaintext size. The AESencryption of a single 128-bit block of data using a 128-bit key requires approximately 2109 clock cycles on theStrong ARM platform, whereas the decryption of a singleblock can take 2367 cycles, and the key scheduling wouldrequire some 670 clock cycles [4]. Given a clock frequencyof 133 MHz, the corresponding energy values are typi-cally 5.7 J (for encryption), 6.4 J (decryption), and

1.8 J (key scheduling). An analysis of various ciphers ispresented in [10, 20] and a summary of RC5 and AES-Rijndael qualitative performance comparison is shown inTable 1.

By examining the CPU cycles, authors in [10] concludethat AES-Rijndael is the most energy efficient cipher asits fewer CPU cycles is equivalent in less energy used.Conversely, RC5 has a noticeable advantage in both datamemory and code memory at the expense of speed. Theauthors in [9] have developed some well-known crypto-graphic algorithm, including two implementations of RC5,in search for the best compromise in security and energyefficiency, on a typical sensor node. The reference RC5

implementation [14] and Schneiers RC5 implementation[15] with different coding style were compared to assesscode size and speed optimization impact on energy usedper byte.

Generally, it is agreed that AES-Rijndael has strongcryptographic properties, but at the cost of more mem-ory and processing requirements compared to RC5. Fur-thermore, AES has higher mean values for energy-latencyproduct, which means that it consumes the most energyper byte during encryption and decryption [6]. Mostprior work in the literature has focused on efficient AEScipher implementations with throughput as main crite-

rion. However, AES-Rijndael implementations in smalland constrained environments require additional factorsto be accounted for, such as complexity, memory and en-ergy supply. In Potlapally et al. [12], the result for 128-bitAES encryption claimed is 151 nJ/bit for encryption en-ergy usage. Execution time and energy consumption ofkey set up and encryption can differ in a factor of 1000.Hodjat et al. state in [7] that the AES encryption it-self takes only 11 cycles, but the complete program withloading the data and key, AES encryption, and returningthe result back to the software routine takes a total of704 cycles. Thus, AES-Rijndael decryption was found to

consume approximately up to 20-30% more energy thanencryption [7]. Nevertheless, its performance is very good

and seems likely to remain so on many 8-bit or 32-bit pro-cessors since it uses only efficient and commonly availableinstructions. Consequently, the performance of any sym-metric key cryptography is essentially dependent on twofactors, namely embedded data bus width and instruc-tion set [21]. Some encryption algorithms are adapted to32-bit word arithmetic, while most embedded processors

generally use 8 or 16 bit data bus width.In this section we have presented a detail literature

review of the overhead computational costs to guaran-tee the cryptographic flexibility of secure wireless system.The need for studying AES-Rijndael and RC5 are alsodiscussed. Based on all the related research, security per-formance and energy are closely related and have to beconsidered for the design of efficient and optimized wire-less security mechanisms. Several questions are tackledin this research work: What are the performance andthe potential cryptographic mechanisms? What are theoverhead and computational costs to provide flexible and

reliable wireless security? What are the relationships be-tween the cryptographic primitive operations and the per-formance of the wireless security system? The complex-ity analysis of AES-Rijndael and RC5 in this study ex-plores the impact of various parameters on the computa-tional/processing cost, hence energy consumption, for se-cure communication in resource-constrained environment.Based on our analysis, we also discuss optimization oppor-tunities for efficient implementation of the cryptographicalgorithms.

3 Description of Block Ciphers

In this section, we provide an overview of RC5 andAES-Rijndael cryptographic algorithms.

3.1 Overview of RC5

RC5 is a fast symmetric block cipher with a two-wordinput block size plaintext and output block ciphertext.RC5 implementation with a 64-bit data block and 64-bitkey uses the XOR, addition and rotation (circular shift)operations. Larger number of encryption rounds Nr pre-

sumably provides an increased level of security but at theexpense of speed and more memory. RC5 uses an ex-pandable key table, S, that is derived from the secretkey K and the size t of Table S also depends on Nr, withS has t = 2 (Nr + 1). The strength of RC5 dependsheavily on the cryptographic properties of data-dependentrotations. The description of the encryption algorithm isgiven in the pseudo-code that follows. We assume thatthe input block is given in two w-bit registers A and B,and that the output is also placed in the registers A andB. During encryption, the plaintext is split into two 32-bit words and a series of XOR (), rotation (


4/13


5/13


Likewise, a circular shift (rotate) operation of an 8-bitword by n positions is taken as a bytewise-OR and 8shifts.

4.2 AES-Rijndael computational analysis

AddRoundKey() Transformation: In the AddRound-

Key() transformation, a Round Key is added to the Stateby a simple bitwise XOR operation. This is implementedwith 8Nb bytewise-ANDs and 4Nb bytewise-ORs, whereisNb = block length/32.

SubBytes() Transformation: The SubBytes() transfor-mation is a non-linear substitution that operates indepen-dently on each byte of the State using a substitution table(S-box). The transformations are: multiplicative inversein GF(28) and an affine mapping/inverse affine mappingover GF(28) for the encryption/decryption process. TheByteSub transformation can be realised using 16 look-up tables with 8bit-input/8bit-output. In this case, it is

excluded in the complexity evaluation, but will have animpact on memory cost. But the S-box can also be imple-mented by mathematical calculations, then each SubByteoperation incurs 3Nb bytewise-ANDs and 2Nb bytewise-ORs.

ShiftRows() Transformation: In the ShiftRows() trans-formation, the bytes in the last three rows of the Stateare cyclically shifted over different numbers of bytes (off-sets). The first row, Row 0, is not shifted. The Shiftrowtransformation can be implemented using cyclic left shiftoperation. Each ShiftRows consists of 3Nb shifts of bytesand 3Nb bytewise-ORs.

MixColumns() Transformation: The MixColumns()transformation operates on the State column-by-column,treating each column as a four-term polynomial. Thecolumns are considered as polynomials over GF(28)and multiplied modulo x4 + 1 with a fixed polynomial{03}x3 + {01}x2 + {01}x1+ {02} to given elements ofa new 4Nb array. MixColumns transformation costsfor every element 4 bytewise-XORs, 6-bitwise-XORs, 2byteswise-ORs and 16 shifts, i.e. it can be implementedfor each round operation with 19Nb bytewise-XORs,8Nb bytewise-ORs and 64Nb shifts; or 38Nb bytewise-ANDs, 27Nb bytewise-ORs and 64Nb shifts. Hence, thenumber of operations required to execute one normal

round (i.e. SubBytes (negligible), ShiftRows, Mix-Columns and AddRoundKey) are 46Nb bytewise-ANDs,31Nb + 12 bytewise-ORs and 64Nb + 96 binary shifts.The last Nr round transformation does not have theMix-Columns step. Its equivalent implementation is with8Nb bytewise-ANDs, 7Nb bytewise-ORs and 3Nb shiftsof bytes.

(I) SubBytes look-up table neglecting SubBytesoperation cost

Neglecting SubBytes in complexity model, the com-putational effort required for AES-Rijndael encryption of

one block of data is a function of the block size, the keysize, and the number of processing cycles required for per-

forming basic operations bytewise-AND (Ta), bytewise-OR (To), and bytewise shift (Ts) and expressed in generalterms as:

TAESENCRY PT

= (46NbNr 30Nb)Ta + [31NbNr + 12(Nr 1)

20Nb]To + [64NbNr + 96(Nr 1)

61Nb]Ts.

A critical limitation of AES-Rijndael is related to itsdecryption because the cipher and its inverse make use ofpartially different code. The decryption code has InvMix-Columns operation, which uses a transformation with an-other polynomial, 0Bx3 + 0Dx2 + 09x + 0E. This leadsto an additional complexity for decryption as multipli-cation by bigger coefficients costs much more. Overall,InvMixColumns transformation needs 134Nb bytewise-ANDs, 99Nb bytewise-ORs and 32Nb shifts of bytes tobe implemented. Hence, the difference in computationbetween one InvMixColumn and MixColumn operationis [96NbTa + 72NbTo 32NbTs]. Therefore, the to-tal number of processing cycles in computational effortrequired for AES-Rijndael decryption of one block ofdata is given by:

TAESDECRYPT

= TAESENCRY PT + {[96NbTa + 72NbTo

32NbTs] (Nr 1)}.

Table 2 shows the number basic operations AND, ORand SHIFT calculated for Encryption, Decryption andkey Expansion in AES-Rinjdael with SubBytes look-up

table.If Sd is the size of an unencrypted user data packet inbits, i.e. plaintext, the number of operations required todo the encryption, OPAES(Sd):

OPAES(Sd) = TAESENCRYPT Sd/blocksize,

where denotes ceil function.Assuming, a processor executes Cp Millions Instruc-

tions Per Second (MIPS), and TIMEAES(Sd,Cp) referto time required by the processor for encrypting one userpacket of length Sd bits with AES-Rijndael. Then,

TIMEAES(Sd,Cp) = TAESENCRYPT

Sd/blocksize/Cp.

(II) For SubBytes with mathematical operation

TmAESENCRYPT

= (46NbNr 30NbTa) + [31NbNr + 12(Nr 1)

20Nb]To + [64NbNr + 96(Nr 1)

61Nb]Ts + [3NbTa + 2NbTo](Nr 1).

And

TmAESDECRYPT

= TmAESENCRYPT + [96NbTa + 72NbTo

32NbTs] (Nr 1).


6/13


7/13


8/13


and current drawn by the operating device are measuredand the power consumed for each algorithm are deter-mined by subtracting the idle power consumption. Theprocessing times of different encryption stages are deter-mined by including different timers in the source codes.Using the Oprofile tool [1], the number of processor cy-cles used by each algorithm are determined since it is well

know that processor cycles is linearly correlated to en-ergy usage. Each functional block of the cryptographicalgorithm, such as initialization, encryption and decryp-tion, is executed many times with the same input, andthe modal value of results are taken over these runs. Theabove measurements will be repeated by varying the blocksize to be encrypted, key size and number of rounds. Thenthe correlation to energy consumption and processor cy-cle usage can be determined. The methodology adoptedin the analysis of cryptographic computational complex-ity and energy-efficiency for wireless sensor network se-curity is shown in Figure 1. The main components are

the analytic computational load and energy cost models.Two components are included; a model for computationalcomplexity that derives the computational overhead of aparticular encryption algorithm in terms of IPS (instruc-tions per second) or processor cycles per second and anenergy cost model that estimates energy consumption interms of Joules/bit. In order to derive results from thesemodels (either in the form of one optimal design for agiven set of parameters or more general design tradeoffs),a number of input parameters are specified: computa-tional complexity parameters (e.g., key length, number ofencryption rounds, processor speed etc.) and energy costparameters (e.g., memory requirements, CPU utilization,

throughput etc.). The cryptographic algorithm simula-tion environment is also used to verify the accuracy ofthe analytical model.

6 Execution Time Measurement

ANSI C implementations of the AES and RC5 block ci-phers are used to evaluate their computational perfor-mance and energy cost characteristics. For encryptionthe libraries Crypto++ and OpenSSL providing imple-mentation of RC5 and AES in C Language have beenadapted. Sim-Panalyzer [16], a cycle accurate instructionset simulator, Oprofile and Wattch [1] are used to mea-sure both the execution time and the energy consumptionof software running on processor. In order to evaluate theperformance of the cryptographic algorithms, the follow-ing simulation tests are carried out:

1) Encrypting data arrays of different size up to 8192byte with RC5/AES. For each size, the test was exe-cuted multiple times and the median execution timewas calculated.

2) Encrypting different size data up to 8192 byte with

RC5/AES while periodically measuring the batteryvoltage/power consumption for different rounds.

Figure 1: Cryptographic analysis model and optimizationmethodology


9/13


Figures 2 and 3 illustrates the execution time measure-ment in the cipher simulation procedure. In Figure 2,Initialization of data array, and different bit pattern (filessuch as image, audio etc) are considered for the AES-Rijndael encryption. Time measurement is a complex op-eration on real sensor nodes, and timestamp T1 describesstart time of encryption in the simulation operation. Dif-

ferent block sizes up to 1024 bytes are considered duringexecution of AES-Rinjdael (and RC5). Intermediate exe-cution times of encryption (decryption) modules are cap-tured after each rounds to determine the execution timeof each encryption (decryption) stage and timestamp T2represents finishing time of process. The battery volt-age was also periodically measured. For each block size,the test was executed multiple times to achieve an ad-equate confidence interval and the mean execution timewas taken. Tb[i], Ts[i], Tm[i], Tk[i] are the time recordedfor the ith round, Byte substitution, Shift row, Mix col-umn and Key addition steps.

7 Performance Analysis

7.1 Simulation results and Costs analysis

The simulation performance of AES-Rijndael and RC5cryptographic techniques are assessed in terms of com-putational overhead, complexity, execution time and en-ergy cost. The computation times are linearly dependentto the amount of data being processed. The amount ofcomputational energy consumed by a security functionon a given microprocessor is primarily determined by thenumber of clocks needed by the processor to computethe security function, which in turn depends largely onthe code efficiency of the cryptographic algorithm.

RC5 requires that a pre-computed key schedule to bestored in memory taking up significant bytes memory foreach key. While, Rijndael needs another code for decryp-tion because of the asymmetry of encryption and decryp-tion and it takes almost twice memory for code since mostpart of it cannot be shared. The execution time and thebattery consumed are proportional to the complexity ofoperations per round as proved by complexity equationsderived and the number of data moves required makingit difficult to affirm how much effect each type of low-

level operation has in the performance of the schemes. Itis mainly because data transfers are difficult to analyzewith different register allocations that can be done by thecompiler and state of the operation system. From abovemetrics and results, although it seems that an increasein power consumption is directly proportional to the in-creased operations, the increase is less amplified. Thiscan be attributed to the fact that the data access fromthe file over which the operations are performed. How-ever, the increased power consumption of larger key sizerepresents a compromise that should be considered beforechoosing the size of the key. For normal applications, 128

bits key is considered very secure hence going for higherkey sizes would mean unnecessary wastage of resources

Figure 2: Timing of different stages in AES-Rijndael


10/13


11/13


Table 8: Percentage of operations with encrypt() computation modelAES 128/10 Encrypt() Bytewise-AND Bytewise-OR Shift (bytes)

SubBytes 120Ta (6.6%) 80To (6.0%) 0 (0.0%)ShiftRows 0 (0.0%) 120To (9.0%) 120Ts (5.0%)

MixColumns 1368Ta (75.7%) 972To73.0% 2304Ts (95.0%)AddRoundKey 320Ta (17.7%) 160To (12.0%) 0 (0.0%)

modules combined in encrypt() function. The main rea-son is due to the multiplication operation in the Mix-Columns() function, which is used to perform the GF(28)field multiplication on the data operands. Comparingthe simulation values and computation model values, inTables 7 and 8 reveal that cyclic shift (rotation) opera-tions are more costly than bytewise-AND or bytewise-OR,hence adding extra computational load on microproces-sor. Results in Table 6 confirms that decrypt () has morecomputational overhead than encrypt(), approximately

20-35% more clock cycles, because of the additional com-plexity of the GF multiplication in InvMixColumns() ofdecrypt (). The InvMixColumns() needs to perform fourmultiplications while MixColumns() performs only twomultiplications per each byte of the State. This com-plies with the mathematical model analysis where the dif-ference in computation between one InvMixColumn andMixColumn operation is [96NbTa + 72NbTo 32NbTs].

As expected, the energy values are almost proportionalto the corresponding execution times. Going from AES-128 bits key to AES-192 bits causes increase in power andtime consumption by about 10% - 15% and to 256 bit key

causes an increase of 16% - 25%. AES-128 has 3396, AES-192 has 6186, and AES-256 has 9704 different byte oper-ations, which implies 35% and 45% more operations forAES-192 and AES-256 when compared to AES-128. Al-though RC5 algorithm seems well suitable algorithm forsensor networks, there are two considerations about whythis choice may not be optimal for all resource-limited ar-chitecture. First, the key expansion step of the algorithmmay not be integrated in the encryption process. This re-sults in the need to have round keys stored for the wholeencryption process which leads to a slightly higher mem-ory requirement than desired (at least 112 bytes for RC5-32/12/8 when the original key needs to be kept). Second,

the RC5 algorithm extensively uses circular shifts. Thisoperation is often not supported by low cost processorsand must be emulated by single step shifts, which leadsto bad runtime behaviour. The AES-Rijndael algorithmcan thereby offer the best performance, but requires largelookup-tables. Also this algorithm is not constructed fora key length shorter than 128-bit, which are often used insensor networks

7.2 Optimisation Scope

The cipher algorithms need to perform highly complex

sets of arithmetic functions, which can be simplified us-ing look-up tables, caching and bit-manipulation. The

SubBytes() in AES-Rijndael can be implemented usingmathematical formula but consumes higher processor cy-cles and more energy. Hence, it is more efficient to imple-ment it using a look-up table. But, look-up tables con-sume a lot of memory and efficient algorithms should gen-erate it before encryption or decryption starts. Although,the code size will increase, it certainly improves overallcryptographic performance by minimising the dormantmemory occupation. The basic operations of each blockcipher can be implemented in different ways; however, im-

plementations that are suitable for resource-constrainednodes are favoured. The programming codes are mademore flexible for module reusability in the application.The Mulitplication () function is made common to bothMixColumns() and InvMixColumns(). Finally, the Mix-Columns() and InvMixColumns() functions are the high-cost critical paths in the encryption and decryption pro-gram, respectively. It is more important to optimisethe critical paths to a higher extent than the less criti-cal paths. If the finite field inversion, InvMixColumns(),were implemented using Boolean functions only, then therequired execution time and the energy cost would be

very high. A moderate sized look-up table would be moreefficient even on memory-restricted devices. To providevariable security strengths with limited amount of compo-nents, code efficiency, reusability and flexibility are impor-tant factors when choosing the components. In addition,the communication overhead of the algorithm, e.g., addi-tional bytes we need to add to each data packet, shouldalso be taken into consideration. RC5 is a highly efficientand flexible cryptographic algorithm, for which many pa-rameters (key size, block size, number of rounds) can beadjusted to tradeoff security strength with power con-sumption. The comparison of RC5 implementations isprovided in Table 9.

Table 9: Comparison of RC5 implementation gainRC5 Operation Execution

Implementation cycles TimeC version 5750 1.70 ms

SPINS (C+ ASM) 2775 0.75 msTinySec (C+ ASM) 1775 0.50 ms

Table 10 gives the average speed performance gainfrom AES optimization. Encrypt() and Decrypt() achieve

up to 21% and 11% execution time gain, respectively.ShiftRows() are optimized better than all other sub-


12/13


Figure 4: Energy consumption for AES-Rijndael and RC5 for different rounds

Table 10: Speed performance gain with optimizationAES Percentage Speed Performance (%)

Main () 12Encrypt() 21Decrypt() 11

SubBytes() 26ShiftRows() 50

MixColumns() 1.4AddRoundKey() 29

functions, whereas MixColumns() are the least improveddue to the implementation of look-up table.

Optimizing block cipher implementations towards lowenergy consumption and low computational overhead is ofparamount importance for virtually any battery-poweredwireless device, especially sensor nodes. Memory utiliza-tion is also a critical concern since RAM and cache sizeis a precious resource in sensor nodes. Hence, code sizeoptimization and lightweight block cipher software imple-mentations that meet operational requirements of WSNs

are important.

8 Conclusions and Future Re-

search

The performance evaluation of cryptographic algorithmsis vital for the safe and efficient development of cryp-tosystem in devices with low computational power. Inthis paper, we presented a systematic model of crypto-graphic algorithms complexity and in particular analyzedthe suitability of RC5 and AES-Rijndael encryption tech-

niques to provide efficient link layer security. The ap-proach presented in this paper and its respective tools

allow efficiency estimation of the algorithms in resource-constrained devices. The results evaluations bring thepossibility of verifying the viability of the algorithm ap-plication in resource-limited device. The simulation re-sults presented quantify the differences in computationalcomplexity overhead and energy cost of AES-Rijndael andRC5 algorithm with varying operational parameters. Be-sides, a simple and low overhead analytic model has beenpresented to compare the execution time and number ofprocessing required for RC5 and AES-Rijndael. These

outcomes can be helpful for security designers in adoptinga specific cryptographic scheme for resource constrainedwireless environment. AES-Rijndael is suitable on all as-pects and future research in optimization techniques willdefinitely make it the de facto encryption for resource-constrained wireless networks. RC5 is good on the codepoint of view, but the key schedule consumes more time.Resource and cost constraints remain a challenge in de-signing efficient security mechanisms for WSNs. Severaldirections for future research arise from work. One futureresearch is to explore adaptive cryptographic mechanismsto optimize energy consumption by varying cipher param-eters with timely acquisition of resource-context in WSN

environment. The adaptability of the security system willimprove sensor nodes batterys lifetime.

References

[1] D. Brooks, and et. al, Wattch: A frameworkfor architectural-level power analysis and optimiza-tions, ISCA, pp. 83-94, 2000.

[2] P. Ganesan, R. Venugopalan, and P. Peddabacha-gari, Analyzing and modelling encryption overhead

for sensor network nodes, ACM in Proceedings ofWSNA03, pp. 151-159, Sep. 2003.


13/13


[3] F. Granelli and G. Boato, A novel methodology foranalysis of the computational complexity of block ci-phers: Rijndael, Camellia and Shacal-2 compared,Third Conference on Security and Network Architec-tures (SAR04), pp. 1-7, June 2004.

[4] J. Grobschadl, S. Tillich, C. Rechberger, M. Hof-mann, and Marcel Medwed, Energy evaluation of

software implementations of block ciphers undermemory constraints, Proceedings of the 10th Con- ference on Design, Automation and Test in Europe,pp. 1110-1115, 2007.

[5] V. Gupta, M. Millard, S. Fung, Y.Zhu, N. Gura, andS. Shantz. Sizzle: a standards-based end to end se-curity architecture for the embedded internet, Pro-ceedings of third IEEE International Conference onPervasive Computing and Communications, PerCom2005, pp. 247-256, Kaua, Huwaii: IEEE, Mar. 8-12,2005.

[6] C. T. R. Hager, S. F. Midkiff, J. M. Park, and T.

L. Martin, Performance and energy efficiency ofblock ciphers in personal digital assistants, ThirdIEEE International Conference on Pervasive Com-puting and Communications, pp. 127-136, Mar. 8-12,2005.

[7] A. Hodjat and I. Verbauwhede, Interfacing a highspeed crypto accelerator to an embedded CPU, Pro-ceedings of the 38th Asilomar Conference on Signals,Systems, and Computers, vol. 1, pp. 488-492, IEEEPress, 2004.

[8] C. Karlof, N. Sastry, and D. Wagner. TinySec:a link layer security architecture for wireless sen-

sor networks, ACM SenSys 2004 in Proceedings ofthe 2nd International Conference on Embedded Net-worked Sensor Systems, pp. 162-175, Nov. 2004.

[9] Y. W. Law, S. Dulman, S. Etalle, and P. J. M.Havinga. Assessing security-critical energy-efficientsensor networks, Proceedings 18th IFIP TC11 In-ternational Conference in Information Security, Se-curity and Privacy in the Age of Uncertainty (SEC),pp. 459-463, Athens, Greece, May 2003.

[10] Y. Law, J. Doumen, and P. Hartel. Benchmarkingblock ciphers for wireless sensor networks (extendedabstract), 1st IEEE International Conference Mo-

bile Ad-hoc and Sensor Systems, IEEE Computer So-ciety Press, pp. 447-456, Oct. 2004.

[11] A. Perrig, J. Stankovic, and D. Wagner, Securityin wireless sensor networks, Communication ACM,vol. 47, no. 6, pp. 53-57, 2004.

[12] N. R. Potlapally, S. Ravi, A. Raghunathin, and N. K.Jha, Analyzing the energy consumption of securityprotocols, Proceedings. 2003 International Sympo-sium on Low Power Electronics and Design, pp. 25-27, Aug. 2003.

[13] S. Ravi, A. Raghunathan, P. Kocher, and S. Hattan-gady, Security in embedded systems: Design chal-

lenges, ACM Transactions on Embedded ComputingSystems, vol. 3, no. 3, pp. 461-491, Aug. 2004.

[14] R. L. Rivest, The RC5 encryption algorithm, Pro-ceedings of the 1994 Leuven Workshop on Fast soft-ware Encryption, pp. 86-96, Springer-verlag, 1995.

[15] B. Schneier, Applied Cryptography:Protocols, Algo-rithms and Source Code in C, John Wiley & SonsInc. 2nd Edition, 1996.

[16] Sim-Panalyzer Project, Last Accessed, May 2007.

http://www.eecs.umich.edu/panalyzer/.[17] H. S. Soliman, and M. Omari, Application of syn-

chronous dynamic encryption system (DES) in wire-less sensor networks, International Journal of Net-work Security, vol. 3, no. 2, pp. 160-171, Sep. 2006.

[18] A. P. R. Szewczyk, V. Wen, D. Culler, and J. D.Tygar, SPINS : security protocols for sensor net-works, Wireless Networks, vol. 8, no. 5, pp. 521-534,Sep. 2002.

[19] A. Vitaletti, Gianni palombizio: Rijndael for sen-sor networks: is speed the main issue?, ElectronicNotes Theorem Computer Science, vol. 171, pp. 71-81, 2007.

[20] J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary,Wireless sensor network security: Survey, Securityin Distributed, Grid, and Pervasive Computing, pp.367-403, CRC Press, Yang Xiao, Editor, Auerbachpublications, 2006.

[21] Y. Wang, G. Atterbury, and B. Ramamurthy, Asurvey of security issues in wireless sensor networks,IEEE Communications Surveys & Tutorials, vol. 8,no. 2, pp. 2-23, 2006.

[22] C. Xenakis, N. L. Merakos, and I. Stavrakakis, Ageneric characterization of the overheads imposed byIPsec and associated cryptographic algorithms, El-

sevier Journal of Computer Networks, pp. 3225-3241,2006.[23] Y. Xiao, H. Chen, B. Sun, R. Wang, and S. Sethi.

MAC security and security overhead analysis inIEEE 802.15.4 wireless sensor networks, EURASIPJournal on Wireless Communication and Network-ing, pp. 1-12, 2006.

M. Razvi Doomun holds a B.Eng (Hons) in Electronicand Communication Engineering from University ofMauritius and an MSc in Multimedia Communicationsfrom University of Surrey, UK. He is at present lecturerin the Department of Computer Science and Engineering

at University of Mauritius and currently doing his PhD inWireless Security. He has published articles on Wirelesssecurity and multimedia communication.

KM Sunjiv Soyjaudah received his BSc. (Hons.) de-gree in Physics from Queen Mary College, University ofLondon in 1982, his M.Sc. degree in digital electronicsfrom Kings College, University of London in 1991 andhis PhD degree from University of Mauritius in 1998.He is a chartered engineer and a member of the IEEE.He is presently Professor in the department of electricaland electronic engineering of the University of Mauritius.His interests are communication theory, cryptography andwireless network security.

compared algorithm

Documents