Assessing Latency of Lightweight AEAD Algorithms in CAN †
Leonie Simpson, Joshua Dean Copeland, Geoffery Walker

The CAN protocol does not include cryptographic security mechanisms. While older vehicles had physically isolated CAN networks, modern vehicles' external connectivity can result in remote attack vectors, as demonstrated by Miller and Valasek's Jeep hacking in 2015. Some proposals for cryptographically securing CAN transmissions use specialised hardware and/or non-lightweight cryptographic algorithms. In this paper we consider the suitability of lightweight Authenticated Encryption with Associated Data (AEAD) algorithms for providing security to the CAN protocol. NIST held a lightweight cryptography standardisation process, announcing ten finalists in 2021 and selecting ASCON from the finalists in 2023. This work aims to evaluate software implementations of these algorithms for securing the very short payload lengths of standard CAN frames, without requiring specific CAN variants and/or specialised hardware for longer payloads or cryptographic acceleration. This would enable implementation of CAN bus security on low-end existing vehicle MCUs via firmware, without hardware modification, by using such algorithms with any existing CAN protocols that use encryption and/or MACs. We tested by re-purposing Weatherly's benchmarking software, modifying the test procedure to test shorter 4-byte payloads with authentication data in existing CAN frames. Low-end 8-bit 16 MHz and 20 MHz AVR processors are used for benchmarking, and the results are used to rank the finalists with respect to their time-efficiency advantage over AES-GCM. We also compare against encrypting the payload without including the ID and control bits as associated data, to assess the performance impact of the associated data, and against authentication-only use of the AEAD cipher, where both the ID and the payload are processed as associated data to authenticate without encrypting.
We find that several NIST finalists outperform AES-GCM in our testing of AEAD in the CAN data field. ASCON and TinyJAMBU are particularly time-efficient among the nonce-misuse resilient finalists. If nonce-misuse resilience is not required, Schwaemm-128-128 has the best time-efficiency, even against the ASCON and TinyJAMBU variants, and this advantage is even greater in the AD-based authentication-only results. The finalists' varying results against AES-GCM are presented, along with some discussion of other aspects such as nonce-misuse resilience and code size. We also found that the relative overhead of processing the ID as associated data ranges from 50% to less than 1% across the tested cipher variants. Finally, we found that while most cipher variants are more efficient when processing the payload as associated data, and some show negligible difference, there are cipher variants that are less efficient in that mode.
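As an added illustration, not code from the paper or from Weatherly's benchmarking suite, the following pure-Python Ascon-128 (v1.2, the LWC submission parameters) applies the cipher the way the abstract describes: a 4-byte payload is encrypted, the CAN ID and DLC are authenticated as associated data, and the 16-byte tag is truncated to fill the remaining 4 bytes of a classical 8-byte CAN data field. The AD layout (`can_ad`), the 4+4 framing and the constructed key/nonce are this example's assumptions; nonce management on the bus is outside its scope.

```python
import hmac
MASK, IV = (1 << 64) - 1, 0x80400C0600000000  # Ascon-128 v1.2: k=128, r=64, a=12, b=6
rotr = lambda x, n: ((x >> n) | (x << (64 - n))) & MASK
pad = lambda d: d + b"\x80" + b"\x00" * (7 - len(d) % 8)  # 10* padding to an 8-byte block
b2i = lambda b: int.from_bytes(b, "big")

def permute(S, rounds):  # Ascon permutation p^rounds over the five 64-bit state words, in place
    for r in range(12 - rounds, 12):
        S[2] ^= 0xF0 - r * 0x10 + r                   # round constant
        S[0] ^= S[4]; S[4] ^= S[3]; S[2] ^= S[1]      # substitution layer (5-bit S-box)
        T = [(~S[i] & MASK) & S[(i + 1) % 5] for i in range(5)]
        for i in range(5): S[i] ^= T[(i + 1) % 5]
        S[1] ^= S[0]; S[0] ^= S[4]; S[3] ^= S[2]; S[2] ^= MASK
        for i, (a, b) in enumerate(((19, 28), (61, 39), (1, 6), (10, 17), (7, 41))):
            S[i] ^= rotr(S[i], a) ^ rotr(S[i], b)     # linear diffusion layer

def _absorb(key, nonce, ad):  # initialise the state, then absorb the associated data
    k0, k1 = b2i(key[:8]), b2i(key[8:])
    S = [IV, k0, k1, b2i(nonce[:8]), b2i(nonce[8:])]
    permute(S, 12); S[3] ^= k0; S[4] ^= k1
    p = pad(ad) if ad else b""                        # empty AD absorbs nothing
    for i in range(0, len(p), 8):
        S[0] ^= b2i(p[i:i + 8]); permute(S, 6)
    S[4] ^= 1                                         # domain separation
    return S, k0, k1
def _finalize(S, k0, k1):  # 16-byte tag
    S[1] ^= k0; S[2] ^= k1; permute(S, 12)
    return ((S[3] ^ k0) << 64 | (S[4] ^ k1)).to_bytes(16, "big")

def ascon128_encrypt(key, nonce, ad, pt):  # -> (ciphertext, 16-byte tag)
    S, k0, k1 = _absorb(key, nonce, ad)
    p, ct = pad(pt), b""
    for i in range(0, len(p), 8):
        S[0] ^= b2i(p[i:i + 8]); ct += S[0].to_bytes(8, "big")
        if i + 8 < len(p): permute(S, 6)              # no permutation after the final block
    return ct[:len(pt)], _finalize(S, k0, k1)
def ascon128_decrypt(key, nonce, ad, ct, tag):  # -> plaintext, or None if the tag fails
    S, k0, k1 = _absorb(key, nonce, ad)
    full, pt = len(ct) - len(ct) % 8, b""
    for i in range(0, full, 8):                       # full 8-byte blocks
        c = b2i(ct[i:i + 8]); pt += (S[0] ^ c).to_bytes(8, "big"); S[0] = c; permute(S, 6)
    pt += bytes(x ^ y for x, y in zip(S[0].to_bytes(8, "big"), ct[full:]))
    S[0] ^= b2i(pad(pt[full:]))                       # re-absorb the padded last block
    return pt if hmac.compare_digest(_finalize(S, k0, k1)[:len(tag)], tag) else None

can_ad = lambda can_id, dlc=8: can_id.to_bytes(2, "big") + bytes([dlc])  # AD layout: assumption
def protect_can_frame(key, nonce, can_id, payload):  # 8-byte data field = 4 B ct || 4 B tag
    ct, tag = ascon128_encrypt(key, nonce, can_ad(can_id), payload)
    return ct + tag[:4]
def open_can_frame(key, nonce, can_id, data):  # payload, or None on ID/payload tampering
    return ascon128_decrypt(key, nonce, can_ad(can_id), data[:4], data[4:])
```

Truncating the tag to 32 bits is what makes a 4-byte payload fit in a classical frame; the forgery bound shrinks accordingly, which is part of the trade-off the paper's payload-length choice implies.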