25th Biennial Symposium on Communications

Energy Efficiency of Symmetric Key Cryptographic

Algorithms in Wireless Sensor Networks

Xueying Zhang, Howard M. Heys, and Cheng Li

Faculty of Engineering and Applied Science
Memorial University of Newfoundland
St. John’s, NL, A1B 3X5, Canada
Email: {xueying.zhang, hheys, licheng}@mun.ca

Abstract— In this paper, we examine the energy efficiency of spoofed (authentication), and replayed (freshness). Encryption
symmetric key cryptographic algorithms applied in wireless is used to ensure the confidentiality. A message authentication
sensor networks (WSNs) and in our study we consider both code (MAC), functioning as a secure checksum, provides the
stream ciphers and block ciphers. We derive the computational data integrity and authentication in the network.
energy cost of the ciphers under consideration by comparing the Symmetric key ciphers and asymmetric key ciphers are the
number of CPU cycles required to perform encryption. After
evaluating a number of symmetric key ciphers, we compare the two fundamental categories of ciphers. The security of
energy performance of stream ciphers and block ciphers applied asymmetric cryptography depends on the difficulty of a
to a noisy channel in a WSN. In conclusion, we recommend using mathematical problem and the resulting algorithm consumes
a lightweight block cipher referred to as byte-oriented considerably more energy than symmetric key ciphers, which
substitution-permutation network (BSPN), to achieve energy are constructed by iteratively applying simple cryptographic
efficiency with a level of security suitable for wireless sensor operations. Hence in WSNs, the symmetric key cipher is
networks.
typically utilized to encrypt data during the transmission of
Keywords - wireless sensor networks; security; cryptographic sensor data, conforming to the limited energy source in the
algorithm; stream cipher; block cipher sensor device.

I. SYMMETRIC KEY CRYPTOGRAPHY IN WSNS B. Symmetric Cryptography in WSNs

In WSNs, energy limitations make the security schemes
S election of a suitable security scheme is critical in wireless
sensor networks (WSNs) because of the open media
broadcast communication and the limited energy supply of the
focus on ciphers with efficient computational energy
consumption. The two types of symmetric key ciphers, block
ciphers and stream ciphers, have different features.
sensor device [1]. To achieve the security requirements,
several researchers have focused on evaluating cryptographic 1) Size of Encryption Operands
algorithms in WSNs [2][3] and proposing energy efficient The size of encryption operands is different for stream
ciphers [4][5]. Although the transmission of data is the most ciphers and block ciphers. Stream ciphers typically operate on
energy consuming activity in a wireless sensor node, it is also one bit of plaintext data to produce one ciphertext bit. This is
important to select an energy efficient cipher that will typically achieved by XORing plaintext bits with a
minimize the energy consumption of the energy constrained pseudorandom sequence of bits called the keystream to
sensor node. produce the ciphertext bits. In contrast, block ciphers operate
In this paper, we evaluate the energy performance of both on a block of plaintext bits (typically, 64 bits or 128 bits) at
stream ciphers and block ciphers. After comparing the number one time to produce a block of ciphertext bits. When
of CPU cycles of each cipher, we further analyze the ciphers encrypting a large sequence of plaintext bits, stream ciphers
when they are applied in a WSN with a poor channel quality. can efficiently operate on variable lengths, while block ciphers
Our analysis results show that the lightweight block cipher, may need to pad plaintext out to have a length that is a
referred to as byte-oriented substitution-permutation network multiple of the block size. In WSNs, the resulting extra
(BSPN), is the most energy efficient cipher among all the ciphertext bits result in increased transmission energy cost of
candidate symmetric key ciphers. the sensor node.
A. Security Requirements and Cryptography in WSNs 2) Security Considerations
Although the Advanced Encryption Standard (AES) [7] is
In WSNs, four major security requirements are integrity, the most widespread block cipher and is considered secure,
confidentiality, authentication, and freshness [6]. To prevent
other block ciphers with a suitable level of security can be also
the network from being attacked, a security scheme should be
used considering the specific application environment.
capable of protecting each data packet within the network
Compared to block ciphers, stream ciphers have not gained
from being eavesdropped (confidentiality), altered (integrity),
widespread confidence in their security strengths. However,
This work is supported in part by the Natural Sciences and Engineering stream ciphers are still being used in wireless communications
Research Council (NSERC) of Canada and funds from the Wireless
Communications and Mobile Computing Research Center (WCMCRC) of
Memorial University

978-1-4244-5711-3/10/$26.00 ©2010 IEEE 168

 25th Biennial Symposium on Communications

due to their fast operation and flexible implementation. ATmega128 CPU, a popular 8-bit microcontroller, which has
3) Operation Modes been chosen in wireless sensor devices such as MICA2 [9].
A mode of operation is used when encrypting a bulk of II. BLOCK CIPHERS IN WSNS
data by a block cipher. Five basic modes of operation for A. Block Cipher Overview
block ciphers include electronic codebook (ECB) mode,
In WSNs, a sensor node is an energy limited device, which
cipher block chaining (CBC) mode, cipher feedback (CFB)
transmits low entropy information with limited life period for
mode, output feedback (OFB) and counter mode [8]. Some
many applications. A lightweight block cipher, with small
modes are block oriented, such as ECB and CBC, which block size and key size, is appropriate for this purpose, as it is
operate on plaintext of multiple block size. In contrast, some energy efficient and provides sufficient security in WSNs. We
modes make the block cipher function as a stream cipher, such choose four block ciphers as candidates and consider the
as CFB mode, OFB mode and counter mode, which can different energy performance when applied in WSNs. The
encrypt the plaintext bit by bit. Note that the mode of selected block ciphers are AES [7], Skipjack [10], Puffin [11]
operation determines the size of ciphertext unit, which relates and BSPN1 [12]. Characteristics of these ciphers are shown in
to the communication energy cost in a WSN. Table I.
4) Key Setup TABLE I. CHARACTERISTICS OF BLOCK CIPHERS
Usually there is a key setup period included in the Block cipher Block size Key size # Rounds
AES 128 bits 128 bits 10
operation of symmetric key ciphers. For example, AES has a Skipjack 64 bits 80 bits 32
key expansion phase to generate round keys from the cipher Puffin 64 bits 128 bits 32
key. Although the detailed operation of key setup is different BSPN 64 bits ≥ 64 bits2 8
for different ciphers, it can be complicated and take a 1) Advanced Encryption Standard
relatively long time to finish. In WSNs, key setup is very AES [7] is the most popularly deployed symmetric key
infrequent since it will only follow the establishment of a new cipher. Although, as we shall see, the energy cost per byte of
cipher key. AES is high, it is generally regarded as a secure choice when
5) Keystream Setup selecting ciphers for security schemes.
Keystream setup or setup of initialization vector (IV) takes 2) Skipjack
place in symmetric key ciphers whenever a new IV is Skipjack [10] is designed to take the place of the Data
established. Stream ciphers periodically must re-initialize the Encryption Standards (DES). It is utilized for WSNs in the
keystream based on an updated IV to ensure that the TinySec scheme [13] due to its energy efficiency. However,
transmitter and receiver are synchronized in their encryption some research has shown that Skipjack has security weakness
and decryption processes, respectively. For block ciphers, all under certain cryptanalyses [14][15].
modes of operation, except ECB mode, use IVs, which are 3) Puffin
periodically updated to establish synchronization between Puffin [11] is a recently proposed compact block cipher
encryption and decryption. When a block cipher is used in a designed for hardware implementations. Puffin can resist
stream cipher mode such as counter mode, the setup of the IV differential and linear cryptanalysis and it is also resistant to
is equivalent to keystream setup. The energy cost of keystream related-key attacks and weak keys, which are two main
setup for stream ciphers is much higher than that of block insecurities of the key schedule.
ciphers, which will be specifically discussed later in this paper. 4) Byte-wise SPN
In a WSN, the energy cost of keystream setup is especially Byte-wise SPN (BSPN) is a compact block cipher we
critical in the selection of stream ciphers and block ciphers. suggest to use in WSNs [12], which provides moderate
security to the energy limited environment. It has no apparent
C. Energy Efficiency of the Symmetric Key Cipher weaknesses and is resistant to both the differential and linear
The encryption computational energy cost of symmetric cryptanalysis attacks [12]. In the next section, we will show
key ciphers ( ) for NPL bits of plaintext can be calculated that it provides good energy performance applied in WSNs
by compared to other candidate block ciphers.
/ / , (1) BSPN is a block cipher with an 8 byte block size and 64-
where and are the power and frequency of the CPU, bit (or larger) key size. It has 8 rounds of operation and each
respectively, and is the number of CPU cycles required to round of operation includes add round key, substitution and
perform an encryption of a block of size u. For a block cipher, linear transformation as shown in Fig. 1. It uses an 8×8 S-box,
u is the block size, while for stream ciphers u represents the which functions as a nonlinear transformation between 8 bits
keystream block size which is the amount of keystream of input and 8 bits of output. The result of the linear
produced at one time. The symbol . denotes the ceiling transformation, U, is achieved by bitwise XORing the output
operator. We can see that and determine the bytes, Vi, of the other seven S-boxes after adding the round
computational energy cost of the cipher in the same CPU key, i.e., for byte i
environment. For convenience, we use the number of CPU , ,1 8. (2)
cycles per byte to evaluate the energy efficiency of the In the figure, the connection between each component
symmetric key ciphers. The number of cycles is obtained from represents one byte of data and S represents an 8×8 S-box.
an implementation of the cipher in assembly language on the 1
The cipher proposed in [12] is not named. In this paper we label the
cipher as BSPN.
2
The key size of BSPN could be easily extended to 80 or 128 bits.

169
 25th Biennial Symposium on Communications

The “Add Key” operation is achieved through bitwise XOR of C. Discussion

the 64-bit data and the 64-bit round key. A description of the Since the cipher is implemented by software (i.e., by
method to generate the round keys is given in [12]. assembly language), the number of CPU cycles is directly
related to the architecture of the block cipher and instruction
set of the CPU. The characteristics of the block cipher’s
substitution and linear transformation are two critical factors
affecting the number of CPU cycles. These characteristics are
summarized in Table III. The “Linear Trans. Unit” refers to
the basic unit manipulated by the linear transformation. BSPN
achieves the best energy performance among the four ciphers
because of its efficiency of substitution and linear
transformation for an 8 bit CPU. Note that for an 8 bit CPU,
the number of cycles to change a value of one byte compared
to changing one bit of the byte is the same, because they both
include loading the byte value from the memory and writing it
back.
TABLE III. CHARACTERISTICS OF SUBSTITUTION AND PERMUTATION.
Block cipher Structure S-box Linear Trans. Unit
BSPN SPN 8×8 8 bits
Skipjack Feistel 8×8 8 bits
AES SPN 8×8 8 bits
Fig. 1 Structure of cipher BSPN.
Puffin SPN 4×4 1 bit
B. Implementation Comparison
We have implemented the four block ciphers in assembly Puffin, as block cipher aimed for compactness, was
language on the ATmega128 processor and the results are designed for hardware purposes making it not appropriate for
shown in Table II. We can see that BSPN requires the fewest the software implementation. BSPN’s use of the 8×8 S-box
number of CPU cycles per byte among the four block ciphers makes the substitution value look-up convenient in an 8 bit
and thus has the lowest computational energy cost. The CPU. In contrast, a 4×4 S-box used in Puffin requires 2
relationship between the CPU cycles and the size of plaintext memory accesses to update one byte of data during the
is illustrated in Fig. 2. The total number of cycles to encrypt is substitution. Although in Puffin we can reconstruct the S-box
based on operating the cipher in ECB mode. However, results to make it appropriate for the byte operation, extra memory
for other modes, such as CBC mode or counter mode would needs to be allocated. BSPN performs a linear transformation
be very similar. In this figure, BSPN achieves the best energy on the data by XORing the output bytes of other S-boxes
efficiency for all plaintext sizes. The number of CPU cycles of directly, which greatly reduces the complexity on an 8 bit
Puffin is noticeably higher than others because of its hardware CPU compared to the cipher Puffin, whose linear
design purpose. AES achieves a better result than Puffin, transformation is structured on a bitwise basis. Although part
while slightly worse than the other two ciphers. Note that of the linear transformation can be optimized, it cannot change
although the performance of Skipjack is slightly better than the result of taking a large number of cycles to execute.
AES, it is vulnerable to cryptanalysis. The implementation of AES is an efficient 8-bit
implementation based on using the “xtime” operation for
TABLE II. IMPLEMENTATION RESULT OF DIFFERENT BLOCK CIPHERS.
MixColumns [16]. As shown in the table, both AES and
Block cipher Block size (bits) Cycles per block Cycles per byte BSPN have the 8×8 S-box and byte oriented linear
BSPN 64 796 99 transformation. The reason that AES costs 105 cycles more
Skipjack 64 1482 186
AES 128 3266 204
than BSPN per byte is because of the algorithm complexity of
Puffin 64 43418 5427 AES. It should be noted, however, that AES is designed for a
6 128-bit level of security for both key and block size, while
10
BSPN is designed for a 64-bit level of security both in key and
block size.
III. STREAM CIPHERS IN WSNS
Total No. of CPU Cycles

5 BSPN
10
SKIPJACK We have selected three stream ciphers to compare: RC4,
AES Sosemanuk and Salsa. RC4 is a popular stream cipher
PUFFIN
4
generating a small size (8 bit) keystream block to XOR with 8
10 bits of plaintext, and Sosemanuk and Salsa are from the
eSTREAM project (Profile I), which are considered secure
and designed for software purposes. Although there are also
10
3 two other stream ciphers in the Profile I, Rabbit and HC-128,
we do not consider them for the same reasons explained in
0 64 128 192 256 320 384 448 512 [17]: Rabbit is patented and HC-128 is too complicated to be
Plaintext Size (bits)
implemented efficiently on an 8 bit CPU.
Fig. 2 Computational costs of block ciphers.

170
 25th Biennial Symposium on Communications

Like the block ciphers, we have implemented RC4 in 1) Block Cipher Synchronization
assembly language on ATmega128 and the cycles of the other When using block ciphers, the computational cost can be
two ciphers are taken from [17], which uses the same platform calculated directly by the number of data blocks times the
to compare stream ciphers. Table IV shows the characteristics energy cost per block. That is, fixed computational energy is
and implementation results of the three stream ciphers. If not consumed for the given data block. The computational energy
considering the keystream setup period, RC4 uses the fewest cost of IV synchronization for a block cipher only includes a
number of cycles to generate the keystream bytes for few CPU cycles, such as loading and storing the new IV. The
encryption. computational cost of key setup for block ciphers can be more
TABLE IV. IMPLEMENTATION RESULT OF DIFFERENT STREAM CIPHERS. substantial. However, we assume that key setup is very
Stream Keystream CPU cycles Cycles per byte infrequent and base our analysis on the assumption that the
cipher block size Setup Encrypt (encrypt) round keys are already generated and stored.
RC4 8 bits 18787 31 31
Sosemanuk 640 bits 8739 8559 107
2) Stream Cipher Synchronization
Salsa 512 bits 60 17812 279 For stream ciphers, two stages are included in the operation
of the cipher: (1) keystream setup based on an updated IV and
The relation between the number of CPU cycles and the
(2) the keystream generation and encryption of plaintext. For
size of the plaintext is illustrated in Fig. 3, which is obtained
most stream ciphers, the computational energy cost of IV
on the assumption that the keystream setup period only
synchronization (causing keystream setup) may take a
happens once at the beginning of communication and then the
considerable proportion of the total computational energy cost.
keystream is generated continuously. In this figure, it can be
This is particularly notable for RC4.
seen that when the size of plaintext is smaller than 81 bytes,
RC4 has the worst performance because the number of setup B. Comparison of Steam Cipher and Block Cipher
cycles is greatly larger than others. However, after that point, In this section, we compare the energy performance of the
RC4 achieves the best energy performance since dramatically stream ciphers and block ciphers using the analysis model
fewer cycles are needed to generate the keystream bytes for from our previous research [18]. Both the physical parameters
encryption. and the packet formats for the data packet and IV packet are
x 10
4
the same as shown in [18]. In the analysis, we apply the
14
counter mode of operation to the block cipher, ensuring that it
12 RC4 functions similarly to a stream cipher. This results in a fair
Total No. of CPU Cycles

Sosemanuk
10 Salsa
comparison between stream ciphers and block ciphers and it is
a suitable mode for WSN applications [6]. A separate IV
8
packet is assumed to be sent periodically for the IV
6 synchronization, where K is used to denote the
4 synchronization period, that is, the number of data packets
sent between IV packets. The data packet is accepted and
2
considered valid only when the MAC recalculation is correct.
0
0 50 100 150 200 250 300 350 400
In our analysis, we assume that for each block cipher case, the
Plaintext Size (bytes) block cipher is used in CBC mode to generate the MAC. For
Fig. 3 Computational costs of stream ciphers. stream cipher cases, the MAC is generated by AES used in
CBC mode.
IV. SELECTION BETWEEN STREAM CIPHER AND BLOCK CIPHER x 10
4

14
In previous sections, we evaluated the symmetric key BSPN
ciphers’ energy performance without considering the 12 AES
application of the cipher to a protocol used in a noisy wireless RC4
Total Valid Data (bytes)

channel resulting in a non-zero probability of bit errors. In this 10 Sosemanuk

section, we further analyze the energy performance of the 8
stream ciphers and block ciphers when they are applied in
WSNs with poor channel quality. 6

A. Channel Quality Consideration 4

In a noisy communication channel, bit errors may result in
2
packets being lost or corrupted and the resulting decryption
may lose synchronization with encryption. This can be 0
0 5 10 15 20 25 30
resolved by periodic resynchronization involving the transfer Payload Size (bytes)
of an initialization vector (IV). The IV can be sent in each
Fig. 5 Energy performance of different ciphers (BER = 10-4).
packet as in TinySec [13] or sent in a separate IV packet
occasionally as implied by SPINS [6], in order to re-establish We analyze the amount of total valid data transferred from
cryptographic synchronization. The resynchronization a sensor to an aggregator node or base station in a WSN given
computational energy cost is different for different ciphers, a fixed energy supply. The resulting total valid data for
which directly impacts the lifetime of the sensor device. different ciphers is shown in Fig. 5, where K = 5 and the bit

171
 25th Biennial Symposium on Communications

error rate (BER) is 10-4. Bit errors are randomly and applied to the link layer of wireless sensor networks. We
independently generated. Fig. 5 represents a meaningful evaluate the energy efficiency by comparing the number of
relative comparison of ciphers. We can see that the BSPN CPU cycles per byte for different symmetric key ciphers,
cipher achieves the best energy performance. Although RC4 including both stream ciphers and block ciphers. We further
takes the fewest number of cycles per byte, it shows the worst analyze the ciphers according to their characteristics and the
energy performance under a noisy channel due to its large effect of the channel quality when applied in WSNs. Finally,
number of keystream setup cycles. we conclude from the analysis results that the lightweight
The value of K impacts the amount of valid transferred block cipher, BSPN, achieves good performance, providing
information together with the size of payload. One packet energy efficiency as well as suitable security for sensor nodes
transmitted with an error will lead to the packet being in a WSN.
discarded and, hence, the following packets cannot be
decrypted correctly until the next IV packet comes. This REFERENCES
encourages the value of K to be small. On the other hand, [1] Y. Wang, G. Attebury, B. Ramamurthy, "A Survey of Security Issues in
small K consumes significant communication energy cost to Wireless Sensor Networks," IEEE Communications Surveys & Tutorials,
transfer the IV packet, which will also decrease the energy vol.8, no.2, pp. 2-23, 2006
[2] W. K. Koo, H. Lee, Y. H. Kim and D. H. Lee, "Implementation and
performance. An optimal value of K exists to balance these
Analysis of New Lightweight Cryptographic Algorithm Suitable for
two factors. The effect of period K and payload size on the Wireless Sensor Networks," in Proc of 2008 Information Security and
amount of valid data is shown as Fig. 6, where the cipher Assurance (ISA 2008), pp.73-76, Korea, April 2008.
BSPN is applied and BER is 10-4. It can be seen that as the [3] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy
Analysis of Public-key Cryptography for Wireless Sensor Networks," in
payload size increases, the amount of total valid data can Proc of 2005 Pervasive Computing and Communications (PerCom
obtain a maximum value with an optimal selection of period K. 2005), pp. 324-328, Germany, March 2005.
5
x 10 [4] M. Henricksen, "Tiny Dragon - An Encryption Algorithm for Wireless
1.8 Sensor Networks," in Proc of 10th High Performance Computing and
payload = 5 bytes
1.6 Communications, (HPCC '08), p.p. 795-800, 25-27 Sept. 2008.
payload = 10 bytes
[5] R. Tahir, M. Y. Javed, M. Tahir and F. Imam, "LRSA: Lightweight
Total Valid Data (bytes)

payload = 15 bytes
1.4 Rabbit Based Security Architecture for Wireless Sensor Networks," in
payload = 20 bytes
Proc of 2008 Intelligent Information Technology Application (IITA '08),
1.2 payload = 30 bytes
vol.3, pp. 679-683, China, Dec. 2008.
1 [6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS:
Security Protocols for Sensor Networks,” ACM Wireless Networks, vol.
0.8 8, no. 5, pp. 521-534, Sept. 2002.
[7] National Institute of Standards and Technology (NIST), “Advanced
0.6
Encryption Standard (AES),” Federal Information Processing Standard
0.4 (FIPS) 197, Nov. 2001.
[8] A.J. Menezes, P. van Oorschot, and S.A. Vanstone, Handbook of
0.2 Applied Cryptography. CRC Press, 1997.
0 5 10 15 20 25 30 35 40
[9] J. Hill, R. Szewczyk, A. Woo, S. Hollar, D. Culler, and K. Pister,
Synchronization Period K
"System Architecture Directions for Networked Sensors," in Proc. of
Fig. 6 Effects of period and payload size on throughput (BSPN, BER = 10-4). ACM ASPLOS IX, pp. 93-104, Nov. 2000.
[10] “SkipJack and KEA Algorithm Specifications,” National Institute of
The optimal value of K varies a little for different ciphers Standards and Technology, Mai.1998.
given other parameters fixed. Fig. 7 shows the effect of [11] H. Cheng, H.M. Heys, and C. Wang, "PUFFIN: A Novel Compact
different ciphers, which is obtained under the condition of Block Cipher Targeted to Embedded Digital Systems", in Proc of
Euromicro Conference on Digital System Design (DSD 2008), Parma,
payload size of 25 bytes and BER equal to 10-4. We can see Italy, Sep. 2008.
that the optimal value changes according to different ciphers [12] A. Youssef, S.E. Tavares, and H.M. Heys, "A New Class of
being used, but in all cases it is in the range of 5 – 8. Substitution-Permutation Networks", in Proc of Workshop on Selected
x 10
4 Areas in Cryptography(SAC '96), Queen's University, Kingston, Ontario,
13 Aug. 1996.
BSPN [13] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a Link Layer Security
12 AES Architecture for Wireless Sensor Networks,” in Proc of the 2nd
international Conference on Embedded Networked Sensor Systems
Total Valid Data (bytes)

RC4
11 Sosemanuk (SenSys '04), pp. 162-175, New York, November 2004.
[14] L. Granboulan, “Flaws in Differential Cryptanalysis of Skipjack,”
10
Lecture Notes in Computer Science 2355: Fast Software Encryption,
9 Springer-Verlag, pp. 81-98, 2002.
[15] L. R. Knudsen, M. J. B. Robshaw and D. Wagner, “Truncated
8 Differentials and Skipjack,” Lecture Notes in Computer Science 1666:
Advances in Cryptology – CRYPTO’99, Springer-Verlag, pp. 790, 1999.
7 [16] J. Daemen, V. Rijmen, The Design of Rijndael: AES - the Advanced
Encryption Standard, Springer-Verlag New York, 2002.
6 [17] G. Meiser, T. Eisenbarth, K. Lemke-Rust, and C. Paar, "Efficient
0 5 10 15 20 25 30 35 40
Synchronization Period K Implementation of eSTREAM Ciphers on 8-bit AVR Microcontrollers,"
in Proc of 2008 Industrial Embedded Systems (SIES 2008), pp. 58-66,
Fig. 7 Optimal K for different ciphers (payload size = 25 bytes, BER=10-4). June 2008.
[18] X. Zhang, H.M. Heys, and C. Li, "An Analysis of Link Layer
V. CONCLUSION Encryption Schemes in Wireless Sensor Networks," in Proc of IEEE
In this paper, we have investigated the energy performance International Conference on Communications (ICC 2010), Cape Town,
May 2010.
of symmetric key cryptographic algorithms when security is

172