Cryptography Overhead Evaluation and Analysis for Wireless Sensor Networks

Wei Liu Department of Electronics

Engineering, Tsinghua University

wliu03@mails.thu.edu.cn

Rong Luo Department of Electronics

Engineering, Tsinghua University

luorong@tsinghua.edu.cn

Huazhong Yang Department of Electronics

Engineering, Tsinghua University

yanghz@tsinghua.edu.cn

Abstract

Security is a critical factor to deploy large scale wireless sensor networks. Limited resource constraints, such as computation power, program memory, SRAM, and energy budget, present a big challenge to implement existing cryptography algorithms. In this paper, we evaluate the overhead of comprehensive cryptography algorithms suitable for wireless sensor networks. All the factors that may affect algorithm choice, including SRAM which is critical for network operations and always ignored by previous works, are analyzed. According to our experimental results, SkipJack, RC4, and HIGHT are the best candidates for time critical or energy efficient applications. However, if SRAM is more stringent than time and energy, TEA, SEA, and SkipJack are better than other candidates because their SRAM requirements are non-key-related. 1. Introduction

Wireless sensor network (WSN) is becoming more and more important as a physical world information acquisition and processing platform. As these networks are usually deployed in open fields where adversaries can easily approach, and data packets are transmitted through non-secure wireless channels, security issues are more important and more challenging than traditional networks. In order to prevent adversaries from eavesdropping, injecting and tampering with data packets, security services are necessary. The security level is application related. In most applications data confidentiality and integrity are basic requirements. To satisfy these requirements, cryptography algorithms have to be implemented on sensor nodes.

Although cryptography algorithms are already well established and used in traditional networks, security

concerns in WSN are attracting attention recently [1]. Because of the very limited resources, traditional algorithms can not be directly used in WSN. Generally, the processing units used by sensor nodes are resource constrained 8-bit or 16-bit microcontrollers. At the same time, these sensor nodes are always battery powered, which provides very limited energy budget. Providing these considerations, it is critical to implement cryptography algorithms in a resource and computation efficient manner.

In this work, comprehensive cryptography algorithms suitable for WSN are implemented efficiently, including latest algorithms specially proposed for low cost embedded applications. Based on these implementations, all the factors that may affect algorithm choice, such as clock cycles, code size, SRAM usage, and energy consumption, are evaluated and analyzed. According to our analysis, internal data size approximating to microcontroller word size and arithmetic operations being supported directly by instruction set are the most important factors for implementing cryptography algorithms on sensor nodes efficiently. Among the algorithms we studied, SkipJack, RC4, and HIGHT are the best candidates for time critical or energy efficient applications. However, if SRAM is more stringent than time and energy, TEA, SEA, and SkipJack are better than other candidates because their SRAM requirements are non-key-related.

The paper is organized as follows. In Section 2, related work of cryptography algorithms in WSN are discussed. In Section 3, the candidate cryptography algorithms are briefly described and compared. In Section 4, the implementation considerations of this work are explained and experimental results are given accompanied with detailed analysis and suggestions. We conclude this paper in Section 5.

2009 International Conference on Communications and Mobile Computing

978-0-7695-3501-2/09 $25.00 © 2009 IEEE

DOI 10.1109/CMC.2009.31

496

2009 International Conference on Communications and Mobile Computing

978-0-7695-3501-2/09 $25.00 © 2009 IEEE

DOI 10.1109/CMC.2009.31

496

2. Related Works 2.1. Symmetric cryptography

Although AES [2] is an excellent choice for many security applications due to its software oriented architecture, it is not ideal for low end embedded applications such as RFID tags and WSN. Other algorithms, such as TEA [3] and IDEA [4], also optimized for software architecture, are designed for general purpose applications, not especially for low end embedded applications.

With respect to security in WSN, SPINS [1] makes a key contribution. SPINS provided a security framework utilizing RC5 [4] to provide basic security services. Their work is mainly focused on security protocol, not for efficient implementation. TinySec [5] is a link layer security architecture with efficient implementation. TinySec thoroughly considered the characteristics of WSN and addressed the extreme resource constraints through careful design. Two cryptography algorithms, RC5 and SkipJack [4], were evaluated, and their computational overhead was compared in terms of execution time. 2.2. Asymmetric cryptography

Asymmetric cryptography, also referred as public key cryptography, is considered as unsuitable for WSN due to considerable computational overhead. N. Gura et al [6] compared performance of ECC and RSA on 8-bit MCU. Their work showed that a single 160 bit prime field point multiplication of ECC needed 6.48×106 clock cycles. As far as we know, it’s the best published result of ECC software implementation for 8-bit MCU. There is an obvious conclusion that public key cryptography is 3 to 4 orders of magnitude slower than symmetric cryptography.

TinyPK [7] utilized RSA algorithm to secure WSN. The basic idea is to divide computation into high overhead part and low overhead part, then distribute the low overhead part to sensor nodes and the high overhead part to more powerful devices, such as base stations. Although it mitigates the overhead on sensor nodes, the requirements are still larger than symmetric cryptography. TinyECC [8] and NanoECC [9] studied the feasibility of ECC in WSN. Although these works show better performance than RSA based schemes, they are still not satisfactory enough. 2.3. Embedded computing oriented algorithms

Recently, Researchers from cryptography area have proposed several embedded computing oriented algorithms, such as HIGHT [10], SEA [11], and PRESENT [12]. These algorithms considered resource constraints during design phase, so they have potential efficiency in WSN. As they are new proposals, strong cryptanalysis is needed to prove their security. 2.4. Overhead evaluation and analysis

The overhead of cryptography algorithms have been

well studied on general purpose platforms [13] [14]. However, their efficiency on embedded platforms emerges recently. Among these works, hardware implementation and optimization is majority. From the viewpoint of WSN, cost is a critical factor for large scale deployment. It is a little expensive to design hardware especially for cryptography. We believe that efficient software implementation of appreciate cryptography algorithms is more suitable.

P. Ganesan et al [15] studied the encryption overhead of several cryptography algorithms on different platforms ranging from 8-bit embedded platforms to 64-bit general purpose platforms. It also gave an approximate model for predicting overhead. However, this work only covers a few cryptography algorithms, and merely takes clock cycles and code size into account. For WSN, SRAM is more critical than program memory, especially for network operations such as packet buffer, route table and so on. There are very limited SRAM resources in embedded processors used by typical sensor nodes. As a result, SRAM is a more important criterion for choosing appreciate cryptography algorithm.

In order to provide better guidelines for designers of security schemes in WSN, we considered several kinds of cryptography algorithms suitable for WSN in our paper. At the same time, we used more comprehensive measures to evaluate these algorithms, including SRAM that is critical for network operations and always ignored by previous works.

3. Algorithm Description

The candidate cryptography algorithms we chose satisfy one of the following criteria: (1) It is comprehensively used in some security standards, such as AES, or it is adopted by some security protocols for WSN, such as RC5; (2) It is an embedded computing oriented cryptography algorithm, such as SEA. Table 1 lists these candidate algorithms with corresponding parameters.

497497

Table 1. Candidate cryptography algorithms Algorithm Type Block Size Key Size Conventional Algorithms

AES block 128 128 RC5 block 64 128

SkipJack block 64 80 RC4 stream 8 128 IDEA block 64 128 TEA block 64 128

Embedded Computing Oriented Algorithms HIGHT block 64 128

SEA block 96 96 PRESENT block 64 128

3.1. Conventional algorithms

AES can process keys with length of 128, 192, and

256 bits. Basic operations include byte substitution, byte rotation, finite field multiplication, and XOR.

RC5 has selectable block size, key size, and round number to be adaptable to processors with different word sizes. Basic operations include addition, XOR, and bitwise rotation. RC5 has some properties suitable for low resource embedded applications.

Basic operations of SkipJack include word shift, XOR and byte substitution. As there is no key schedule or initialization phase, and encryption/decryption has no relation to key size, it is not unfair for SkipJack to use 80 bit key size comparing with 128 bit key size of other algorithms.

RC4 [4] has variable length of keys. The algorithm is quite simple and includes addition, XOR and byte substitution.

IDEA includes modified modular multiplication, XOR, and modular addition. TEA includes addition, XOR, and word shift. It is very simple to be easily implemented in many languages on many platforms. 3.2. Embedded computing oriented algorithms

Although the objective of HIGHT is to provide low

resource hardware implementation, it is also efficient in software for its very simple architecture. Basic operations include byte addition, byte subtraction, XOR, and bitwise rotation.

SEA is targeted for processors with limited instruction set. Basic operations include XOR, word rotation, bitwise rotation, and addition. Although the algorithm is flexible and simple, the round number required to provide adequate security is relatively large.

PRESENT has an ultra lightweight hardware implementation. Basic operations include XOR, byte nibble substitution, and bitwise permutation. Although byte nibble substitution and bitwise permutation have

very efficient hardware implementation, they are complicated in software implementation. 4. Experiments and Analysis 4.1. Implementation considerations

Due to comprehensive usage of Micaz [16] platform,

ATmega128L becomes one of the most popular microcontrollers in WSN. We implemented the candidate algorithms on ATmega128L in C and Assembly with the criteria described in the next paragraph. The target file was built using avr-gcc 4.3.0 and simulated using avr studio 4.14. The test vectors were 128 bit long to cover all block sizes. Each algorithm was executed 1000 times with different test vectors. The test vectors were chosen to cover all bit patterns with different number of 0 and 1. Results were averaged over these executions to eliminate possible discrepancy caused by different bit pattern.

Our purpose is to compare relative resource usage of these cryptography algorithms, in terms of clock cycles, code size, SRAM usage, and energy consumption. Therefore, we used a straightforward approach for all our algorithm implementations. The arithmetic operations directly supported by C, such as bitwise shift, are implemented in C without any assembly optimization. The arithmetic operations which are not directly supported by C, such as bitwise rotation, are implemented using assembly optimization. 4.2. Performance evaluation and analysis

Figure 1 illustrates the clock cycles overhead for

each algorithm on ATmega128L platform. The detailed numbers are also listed in Table 2. From this figure, it is obvious that RC4 is the best in terms of encryption/decryption, which is consistent with the opinion of P. Ganesan et al [15]. However, taken initialization into account, RC4 is no longer the best. Generally, initialization is required before each encryption/decryption process of RC4, which corresponds to larger encryption/decryption overhead. To avoid frequent initializations, internal counters of R C 4 h a v e t o b e m a i n t a i n e d b e t w e e n e a c h communication pair, which will result in large communication overhead that is more unacceptable than large computation overhead. Based on this consideration, SkipJack seems to be a better choice. The encryption/decryption overhead is a little higher than RC4, but there is no initialization overhead. The only drawback is its relatively large code size, which is illustrated in Figure 2. The reason of large code size

498498

Figure 1. Overhead in terms of clock cycles

but perfect performance comes from SkipJack’s special structure. The whole encryption/decryption process of SkipJack can be expressed as a complicated expression, that is, the ciphertext can be directly expressed in terms of plaintext, not immediate results.

AES behaves better than it is expected to be. Although with a more complicated algorithm, the encryption/decryption overhead is comparable with RC5, and the encryption overhead is even a little better. This is because all internal operations of AES are 8-bit data type oriented, which can be efficiently implemented by ATmega128L. However, the complicated algorithm structure leads to the highest program memory overhead among the candidates. RC5, which is used by SPINS and considered by TinySec, has moderate overhead among the candidates. Although the initialization overhead is high, it is not a big problem as it only needs to be executed once for every key. The reason why SPINS and TinySec chose RC5 to provide basic security services is its security. However, some other candidates have been proven to possess the same security level, which makes RC5 no longer so attractive.

IDEA behaves well during encryption and decryption, although it has the highest initialization overhead. The initialization overhead of IDEA mainly comes from computing modular multiplicative inverse, which is very expensive for 8-bit ATmega128L. Compared with AES and RC5, the encryption/decryption overhead of IDEA is much better. It owes to its simple and regular structure, as well as its 16-bit internal data type. Although optimized for software architecture, TEA behaves not very well on 8-bit platform. The 32-bit internal data type limits its performance. Despite the algorithm is simple and only includes simple operations, these operations need many assembly instructions to be

executed. Simultaneously, TEA is hard to be adjusted to fit 8-bit operations due to its too simple structure.

Table 2. Clock cycles of each algorithm

Clock cycles AlgorithmInit Encryption Decryption

AES 2310 10720 23780 RC5 44590 13000 13090

SkipJack N/A 3130 3100 RC4 10260 770 770 IDEA 84460 6800 6800 TEA N/A 14350 13840

HIGHT 6360 7730 7860 SEA N/A 31330 31330

PRESENT 17340 29870 31510

Among the embedded computing oriented algorithms, HIGHT performs better than SEA and PRESENT. It contributes to simple structure and 8-bit oriented internal data type. Taken clock cycles and memory overhead together, HIGHT may be the optimal candidate because it achieves better performance with less memory overhead. SEA and PRESENT are even worse than conventional algorithms, although they are embedded computing oriented. SEA requires a relatively large round number to provide adequate security, which is 2~7 times than other block ciphers. PRESENT has a basic operation of bitwise permutation. Although it has no performance overhead in hardware implementation as it only needs wiring, for software implementation it is very expensive because there is not direct assembly instruction support. 4.2. Program memory and SRAM overhead

Figure 2. Code size and SRAM usage

Figure 2 depicts program memory and SRAM

overhead for each algorithm and corresponding data

499499

are listed in table 3. For each algorithm, the SRAM is used according to the following criteria: (1) If the algorithm needs S-box, this S-box is preloaded to SRAM before it is needed to improve performance; (2) If there is key schedule or expanded key table, it is stored in SRAM until all encryption/decryption operations finish; (3) SRAM overhead of key itself is not considered to only reflect the SRAM requirement of the algorithm.

RC4 behaves perfect in terms of code size due to its simple structure and serialized 8-bit data processing. RC5, TEA, HIGHT, and SEA have moderate code size because of their simple structure. IDEA has a little larger code size as it needs complicated modular multiplicative inverse computation that also brings high burden for initialization. The code size of PRESENT mainly comes from bitwise permutation. AES’s complicated algorithm structure results in its largest code size and SkipJack’s overhead is due to its structure optimization for performance.

TEA and SEA almost need no SRAM as there are no storage requirements for S-box and key schedule. The SRAM overhead of SkipJack and RC4 mainly comes from S-box and that of RC5, IDEA, HIGHT and PRESENT mainly comes from key schedule. AES has more than two times of overhead compared with other candidates as it needs two S-boxes respectively for encryption and decryption. The SRAM overhead represents the worst case as performance and memory tradeoff can be considered. If performance degradation is allowed, the S-box can be stored in other place, such as program memory and EEPROM, and the key schedule can be generated only when it is to be used. Then, the SRAM can be shared with other function modules.

Table 3. Code size and SRAM usage Algorithm Code Prop SRAM Prop

AES 6120 4.78% 698 17.5%RC5 1136 0.89% 104 2.60%

SkipJack 5660 4.42% 256 6.40%RC4 180 0.14% 258 6.45%IDEA 1992 1.56% 208 5.20%TEA 1050 0.82% 4 0.10%

HIGHT 888 0.69% 136 3.40%SEA 732 0.57% 0 0

PRESENT 3048 2.38% 288 7.20%

It is obvious in table 3 that even the largest code size is still less than 5% of the whole program memory while the highest SRAM usage approaches 18% of the whole size. The situation will deteriorate if there are more than one key used by security protocol. It is common that there are several keys for unicast, several

keys for broadcast, and several keys for communicating with base stations. We can divide the SRAM overhead into key-related and non-key-related overhead. For example, the S-box is non-key-related as it doesn’t vary with the number of keys. With this consideration, TEA, SEA, SkipJack, and even AES are more suitable for security protocols with more than one key. This case is not satisfied by RC4 because its S-box will be changed with key in the initialization phase. 4.3. Energy consumption overhead

The energy consumption of each algorithm is listed

in table 4. This is evaluated using power consumption data we measured on Micaz nodes. The average current of ATmega128L when it works in busy mode at 7.37MHz is about 8.7mA. To eliminate the effect of voltage change, we use mAh as unit. These data are proportional to corresponding clock cycles and can be useful in determining the energy budget for security applications.

Table 4. Energy consumption overhead

Energy consumption (10-6 mAh) AlgorithmInit Encryption Decryption

AES 0.76 3.52 7.80 RC5 14.62 4.26 4.29

SkipJack N/A 1.03 1.02 RC4 3.36 0.25 0.25 IDEA 27.69 2.23 2.23 TEA N/A 4.71 4.54

HIGHT 2.09 2.53 2.58 SEA N/A 10.27 10.27

PRESENT 5.69 9.79 10.33 5. Conclusion

Limited resource constraints, such as computation power, program memory, SRAM and energy budget, present a big challenge to implement existing cryptography algorithms in WSN. In this paper, we evaluate the clock cycles, code size, SRAM usage, and energy consumption of comprehensive cryptography algorithms that are potentially suitable for WSN. Based on the experimental results, we analyze the reasons generating these overheads and suggestions to choose appreciate algorithms according application requirements are given.

According to our analysis, internal data size approximating to microcontroller word size and arithmetic operations supporting directly by instruction set are the most important factors for implementing cryptography algorithms on sensor nodes efficiently.

500500

Among the algorithms we studied, SkipJack, RC4, and HIGHT are the best candidates for time critical or energy efficient applications. However, if SRAM is more stringent than time and energy, TEA, SEA, and SkipJack are better than other candidates because their SRAM requirements are non-key-related. Acknowledgments

This work is partly supported by 863 project of

China (Grant 2006AA01Z224). We would like to thank Yongpan Liu and Yinan Sun for their helpful discussions. References [1] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J.D. Tygar, “SPINS: Security protocols for sensor networks”, In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom 01), ACM Press, 2001, pp. 189-199. [2] National Institute of Standards and Technology (NIST), Advanced Encryption Standard (AES), 2001. [3] D. Wheeler and R. Needham, “TEA, a Tiny Encryption Algorithm”, In Proceedings of the 2nd International Workshop on Fast Software Encryption, LNCS 1008, Springer-Verlag, 1994, pp. 363–366. [4] B. Schneier, Applied Cryptography (Second Edition), John Wiley & Sons, 1996. [5] C. Karlof, N. Sastry, and D. Wagner, “Tinysec: a link layer security architecture for wireless sensor networks”, In Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, ACM Press, 2004, pp. 162-175. [6] N. Gura, A. Patel, A. Wander, H. Eberle, and S. Chang-Shantz, “Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs”, In Proceedings of 6th International Workshop on Cryptographic Hardware and Embedded Systems, LNCS 3156, Springer-Verlag, 2004, pp. 119-132. [7] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, P. Kruus, “TinyPK: Securing Sensor Networks with Public Key Technology”, In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, ACM Press, 2004, pp. 59-64. [8] A. Liu, P. Ning, “TinyECC: A Configurable Library for Elliptic Curve Cryptography in Wireless Sensor Networks”, In Proceedings of the 7th International Conference on Information Processing in Sensor Networks, SPOTS Track, 2008, pp. 245-256. [9] P. Szczechowiak, L. B. Oliveira, M. Scott, M. Collier, and R. Dahab, “NanoECC: Testing the Limits of Elliptic Curve Cryptography in Sensor Networks”, In Proceeding of the 5th European Workshop on Wireless Sensor Networks, LNCS 4913, Springer-Verlag, 2008, pp. 305-320. [10] D. Hong, J. Sung, S. Hong, J. Lim, S. Lee, B.-S. Koo, C. Lee, D. Chang, J. Lee, K. Jeong, H. Kim, J. Kim, and S. Chee, “HIGHT: A New Block Cipher Suitable for Low-

Resource Device”, In Proceedings of the 8th International Workshop on Cryptographic Hardware and Embedded Systems, LNCS 4249, Springer-Verlag, 2006, pp. 46–59. [11] F.-X. Standaert, G. Piret, N. Gershenfeld, and J.-J. Quisquater, “SEA: A Scalable Encryption Algorithm for Small Embedded Applications”, In Proceedings of the 7th Smart Card Research and Advanced Application Conference, LNCS 3928, Springer-Verlag, 2006, pp. 222–236. [12] A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe, “PRESENT: An Ultra-Lightweight Block Cipher”, In Proceedings of the 9th International Workshop on Cryptographic Hardware and Embedded Systems, LNCS 4727, Springer-Verlag, 2007, pp. 450-466. [13] W. Freeman and E. Miller, “Experimental analysis of cryptographic overhead in performance-critical systems”, In Proceedings of the 7th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, ACM Press, 1999, pp. 348-357. [14] J. Burke, J. McDonald, and T. Austin, “Architectural support for fast symmetric-key cryptography”, In Proceedings of the International Conference on Architectural Support for Programming Languages and. Operating Systems, ACM Press, 2000, pp. 178-189. [15] P. Ganesan, R. Venugopalan, P. Peddabachagari, A. Dean, F. Mueller, M. Sichitiu, “Analyzing and Modeling Encryption Overhead for Sensor Network Nodes”, In Proceeding of the 2nd International Workshop on Wireless Sensor Networks and Applications, ACM Press, 2003, pp. 151-159. [16] Crossbow technology inc. http://www.xbow.com.

501501