Traditional computing systems are designed to operate in steady-state. They run algorithms continuously using an apparently infinite energy source: the wall plug. In that case, one would optimize algorithm implementations towards minimal power dissipation and maximal throughput. Cryptographic engineers have long focused on this case, and cryptographic algorithms are designed assuming this plentiful-energy assumption.
In the world of lightweight cryptography, computers may also operate from batteries or energy harvesters. Batteries have a finite energy storage capacity, but energy harvesters can, in principle, deliver as much energy as you want. You only have to be patient.
While energy usage and power consumption are frequently mentioned together (and sometimes even mixed up), they reflect two very different properties of an implementation. Energy usage reflects a resource requirement, while power consumption reflects a performance characteristic. For example, each encryption performed by a cipher requires some energy. A battery can only support a limited number of encryption operations. If one knows the energy per encryption, it’s possible to predict the number of encryptions on a battery charge. Based on the power consumption of the cipher alone however, one cannot tell how long the battery will last.
Is the energy consumption of a cryptographic implementation important? Should we insist that new cryptographic designs not specify their power dissipation, but also their energy usage? We argue that, indeed, energy usage is an important metric, for battery operation as well as for energy-harvester driven operation.
Cryptographic computations can be formulated as iterations of a cryptographic kernel, using a mode of operation. Let’s call the energy needed by a cryptographic device to complete a single iteration, the energy quantum. Energy quanta are application dependent, and they can measure the energy needed to complete the computations for signatures, ciphertext blocks, message digests for a fixed message length, and so on. Quanta are discrete - it’s not helpful to compute only half a signature or only half of the number of rounds in a block cipher. A high energy quantum does not imply a high power dissipation or vice versa. For example, complex algorithms may need a longer time to complete on a simple cryptographic device, so a very low power dissipation can still result in a high energy quantum.
If we know the energy quantum, we can predict the operation of a battery-powered system as wel as an energy-harvested system. In a battery-operated design, the energy in a battery decreases stepwise as the cryptographic device completes quanta, and eventually the battery is exhausted. In an energy-harvester based system, the harvester will continuously recharge an energy store such as a supercap. Hence, the energy store will be recharged even as energy quanta are taken out. As long as the energy influx in the energy harvester is larger than the amount of energy quanta consumed, the lifetime of the energy-harvester cryptosystem is effectively unlimited.
A critical factor in determining this balance is the system duty-cycle, which is the relative on-time of the cryptosystem. The energy capacity of both the battery and the energy store of an energy harvester are limited. A higher energy store capacity increases the autonomy of the cryptosystem, but also its cost.
At the upcoming 2nd NIST Workshop on Lightweight Cryptography, we propose to quantify the energy needs of a lightweight cryptographic implementation as a normalized factor in Joules/byte, where byte represents the useful payload computed per energy quantum . It’s a metric that captures the suitability of an implementation for an energy-starved environment. In contrast to power dissipation (which is a performance metric that can be scaled), energy usage is a resource requirement that cannot be scaled so easily.
With 50 billion devices expected in the Internet of Things, it’s worth thinking for a moment about how many Joules each of them will need to keep us safe.
 C. Patrick, P. Schaumont, “The role of Energy in the Lightweight Cryptographic Profile,” 2nd NIST Workshop on Lightweight Cryptography, Gaithersburg, MD, October 2016.