Survey and benchmark of block ciphers for wireless sensor networks

Cryptographic algorithms play an important role in the security architecture of wireless sensor networks (WSNs). Choosing the most storage- and energy-efficient block cipher is essential, because these networks are meant to operate without human intervention for long periods on a small energy supply, and because storage is scarce on sensor nodes. However, to our knowledge, no systematic work has been done in this area so far. We construct an evaluation framework in which we first identify candidate block ciphers suitable for WSNs, based on existing literature and authoritative recommendations. In evaluating these candidates, we consider not only their security properties but also their storage and energy efficiency. Finally, based on the evaluation results, we select the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit). In terms of operation mode, we recommend Output Feedback Mode for pairwise links but Cipher Block Chaining for group communications.
