PAGE—Practical AES-GCM Encryption for Low-End Microcontrollers

Kyungho Kim,Seungju Choi,Hyunjun Kim,Hyeokdong Kwon,Zhe Liu,Hwajeong Seo

doi:10.3390/app10093131

Kyungho Kim, Seungju Choi + Show 4 more

Open Access

https://doi.org/10.3390/app10093131

Copy DOI

Abstract

An optimized AES (Advanced Encryption Standard) implementation of Galois Counter Mode of operation (GCM) on low-end microcontrollers is presented in this paper. Two optimization methods are applied to proposed implementations. First, the AES counter (CTR) mode of operation is speed-optimized and ensures constant timing. The main idea is replacing expensive AES operations, including AddRound Key, SubBytes, ShiftRows, and MixColumns, into simple look-up table access. Unlike previous works, the look-up table does not require look-up table updates during the entire encryption life-cycle. Second, the core operation of Galois Counter Mode (GCM) is optimized further by using Karatsuba algorithm, compact register utilization, and pre-computed operands. With above optimization techniques, proposed AES-GCM on 8-bit AVR (Alf and Vegard’s RISC processor) architecture from short-term, middle-term to long-term security levels achieved 415, 466, and 477 clock cycles per byte, respectively.

Highlights

Resource constrained devices for Internet of Things (IoT) applications only equip limited RAM, ROM, computation capability and battery power
We proposed optimized implementations of AES–CTR and AES–Galois Counter Mode (GCM) on low-end
The implementation of AES–CTR is accelerated with the re-designed look-up table

Summary

Introduction

Resource constrained devices for Internet of Things (IoT) applications only equip limited RAM, ROM, computation capability and battery power. Under these hard conditions, the secure and robust network connection is a fundamental building block for IoT services. The secure and robust network connection is a fundamental building block for IoT services General cryptography solutions, such as encryption and authentication, for high-end desktop can be straightforwardly adopted to low-end microcontrollers. These approaches require heavy computation overheads since it is targeting for high-end processors.

Methods

Results

Conclusion