Recently, we have witnessed the emergence of intermittently powered computational devices, an early example is the Intel WISP (Wireless Identification and Sensing Platform). How we engineer basic security services to realize mutual authentication, confidentiality and preserve privacy of information collected, stored and transmitted by, and establish the veracity of measurements taken from, such devices remain an open challenge; especially for batteryless and intermittently powered devices. While the cryptographic community has significantly progressed lightweight (in terms of area overhead) security primitives for low cost and power efficient hardware implementations, lightweight software implementations of security primitives for resource constrained devices are less investigated. Especially, the problem of providing security for intermittently powered computational devices is unexplored. In this paper, we illustrate the unique challenges posed by an emerging class of intermittently powered and energy constrained computational IoT devices for engineering security solutions. We focus on the construction and evaluation of a basic hash primitive-both existing cryptographic hash functions and non-cryptographic hash functions built upon lightweight block ciphers. We provide software implementation benchmarks for eight primitives on a low power and resource limited computational device, and outline an execution model for these primitives under intermittent powering.
I. INTRODUCTION
The realization of new applications from studying the behaviors of bees [1] to healthy aging of our species [2] with tiny computing and sensing devices are providing the impetus for new growth areas in the field of Internet of Things (IoT). However, provisioning of fundamental security services such as authentication, confidentiality and message integrity remains a challenge for resource limited environments such as with IoT devices.
Computational batteryless or passive technologies, exemplified the Intel WISP and the Farsens Spider illustrated in Fig. 1 , are a class of emerging low power embedded systems and communication technologies attracting increasing attention from both academia and industry sectors driven by their ability to operate, potentially, indefinitely and often in deeply embedded applications [3] where battery replacements (a) (b) Fig. 1 . Examples of intermittently powered computations and energy constrained devices operating on harvested power. (a) Intel CRFID device: WISP4.1DL [4] , [5] ; and (b) Farsens Spider CRFID device [6] .
are not practicable. The challenge of providing basic security services to this emerging class of devices employing ultra low power computing platforms is significantly more difficult as a result of intermittent powering, and severe computation and energy limitations.
To date, mostly hardware cost minimization-implementing security primitives with, for example, less transistors for application specific integrated circuits (ASICs)-is considered for realization of lightweight security primitives. However, the problem of supporting security services for tiny computational platforms exemplified by low power and reduced instruction set microcontrollers increasingly being used to realize Internet of Things (IoT) devices has received less attention; while, the problem of providing security for intermittently powered computational devices is unexplored.
In this paper, we investigate the unique challenges posed by an emerging class of intermittently powered computations and energy constrained computational devices for engineering security solutions. While encryption and decryption primitives for ultra low power microcontrollers have received some attention [7] , [8] , we focus on the unexplored software implementation and evaluation of hash primitives-both existing hash functions and non-cryptographic hash functions built upon lightweight block ciphers-on ultra low power microcontrollers suitable for energy constrained devices. For the first time and to the best of our knowledge, we provide benchmarks of hash functions expected to yield a lightweight implementation in a reduced instruction set architecture (RISC) microcontroller. It is hoped that such benchmarks will provide a useful guide to engineering crytographic solutions for resource constrained devices. We also briefly discuss an execution model for hash primitives based on [9] for operating under intermittent powering. We begin with an illustration of the unique challenges posed by intermittently powered and resource limited devices.
II. INTERMITTENTLY POWERED PERVASIVE DEVICES
In contrast to depleting chemical energy in a battery, energy harvesting and battery free devices scavenge power from ambient sources, such as radio waves, vibrations, and solar radiation or are remotely energized through wireless powering. A generic architecture of a device operating on harvested energy is shown in Fig. 2 (a) . An input oscillating voltage is rectified-and often boosted through a charge pump-to V cap and regulated to voltage V reg used to operate a load, e.g., an ultra low power microcontroller.
A. Intermittent Powering
A typical battery free device operation can be described by the intermittent power cycle (IPC) illustrated in Fig. 2 (b). The voltage V cap across the reservoir capacitor gradually ramps up until V on , the startup voltage of the booster circuit. As the regulator delivers the necessary power to the load, the charge on the reservoir capacitor and hence V cap is rapidly drawn down, subsequently, the booster cuts off when V cap drops below V off ; that is when the rectifier circuit cannot replenish the reservoir capacitor faster than its draw down. When V cap falls below V off , a brownout event occurs resulting in complete state loss and restarting of the microcontroller-Load in Fig. 2 . Hence, only within the period highlighted in light blue, can the Load be actually powered. Such a period is called the intermittent power cycle (IPC), which is short and fragmented over time in practice [9] . Fig. 3 demonstrates an example of intermittent powering affects on the operation of a batteryless device running on harvested power. In this example from [10] , a WISP4.1DL CRFID device is wirelessly powered and executing firmware to sample two on-board sensors-an accelerometer and a barometer-and backscattering data to an RFID reader to support sensor data retrieval; the sudden power loss event during the sensor sampling process is highlighted by green arrows. All operations must be completed prior to a brownout event or within an IPC; otherwise the device will loose its state immediately. This problem becomes more severe in the engineering of a security layer given the computational complexity and power consumption of security primitives. Given a power loss event, the device will be rebooted once the reservoir capacitor is charged and the control flow restarts from the entry point of the application instead of the moment before power failure. In the worst case, the application program always encounters power failures, and may never completely execute a task.
B. Available Clock Cycles
Given intermittent powering, devices are also limited by the computations-measured by clock cycles-that can be executed before a brownout event. Theoretically, available energy to the load E laod within one single IPC can be expressed by (1) , with E RF the energy available from the energy harvester during an IPC, and C the reservoir capacitor's capacitance. This capacitor starts discharging when its terminal voltage reaches V on , and stops discharging below V off . Since C, V on and V off are all constant, when E RF
the energy available to the load is dominated by the size of the reservoir capacitor. Otherwise, the reservoir capacitor is replenished before getting discharged and the device could operate continuously.
Total available clock cycles N ck that the CPU could execute before power loss can be expressed by:
with P load the average power of the load including the computational elements and sensors, and f CP U the selected operating frequency of the CPU. To quantify the available clock cycles within one IPC, we follow the method and setup described in [11] . In our measurement, a hash function is executed without any RFID communications to reduce the influence from uncontrolled variables-such as energy loss during backscattering, clock frequency change when executing RFID protocol commands and random inactive times due to the random time slot selected for communicating with an RFID reader-on the measurements. We can see the typical distribution of clock cycles under intermittent operating conditions in Fig. 4 . We can see that due to reasons such as variable energy available from the energy harvester E RF and the ability of power harvesting circuits to replenish the reservoir capacitor, the available number of clock cycles vary in practice.
III. RELATED WORK
Research studies have benchmarked block ciphers [7] with clearly defined testing frameworks and publicly available source code aimed at embedded systems including AVR8051 [12] and ATinny45 [13] . However, we observe that the method of logging clock cycles is not explicitly mentioned; for example, we can see differences in reported results between [8] and [7] .
Although, benchmarks such as the recent work in [14] which consists of 22 password hashing functions, are reported for desktop platforms, to our knowledge, there are no software implementation benchmarks of hash functions on resource limited microcontrollers. For resource constrained devices, hash function evaluations have focused on hardware implementations such as on ASIC (application specific integrated circuits) such as RFID ICs (integrated circuits) or FPGA (fieldprogrammable gate arrays) platforms as in [15] , [16] . In our study, we focus on recent ultra low power computing platforms such as the the MSP430 series from Texas Instruments where the need is to build lightweight-both in terms of computations and energy-security primitives such as hash functions in software as opposed to hardware.
IV. EVALUATED HASH FUNCTIONS
We refer to existing hash functions as cryptographic hash functions since their security has generally been well assessed. In general, one-way compression functions built from block ciphers can also be used to construct hash functions-for a brief introduction see [29] . Among the methods used for building one-way compression functions are the well known Therefore, we selected the SPECK block cipher since it showed the least overhead-see evaluations in Table II . We refer to hash functions we have derived based on compression functions built from lightweight block ciphers using the popular Merkle-Damgård construction method as noncryptographic hash functions. The full list of all hash functions evaluated in this work is summarized in Table I . Here, BLAKE2s, MD5, and DM-PRESENT are cryptographic hash functions. In the following, we describe the construction of non-cryptographic hash functions: DM-SPECK, MMO-SPECK, and MP-SPECK. DM-SPECK: The configuration of Davies-Meyer (DM) compression function based construction is depicted in Fig. 5 (a) . The input message m is first sliced into n blocks with k-bits each-k is the key size of the cipher E. In case the message is not an integer multiple of k, zero-padding is appended to the end of the message m. At each DM compression stage, 1 Although there are other methods as in [15] , in this preliminary study, we are interested in comparing the representative implementation overhead from constructed hash functions from lightweight block ciphers with cryptographic hash functions on a resource limited device. Therefore we will not discuss details of hash function designs and limit ourselves to DM, MMO and MP.
SPT-IoT'19 -The Third Workshop on Security, Privacy and Trust in the Internet of Things the output hash value of the previous stage H i−1 is fed into E to obtain the intermediate value V im . Subsequently, V im is XORed with H i−1 to obtain H i . A fixed initialization vector (IV) is input at the initial stage. MMO-SPECK: The Matyas-Meyer-Oseas (MMO) based hash function configuration is depicted in Fig. 5 (b) . Unlike the DM construction, the message fragment m i is fed to the plaintext port of the cipher E instead of the key port. The output from the previous stage is first re-arranged through the g function to match the size of key port of cipher E. The output of E is XORed with message m i to produce the next value H i . MP-SPECK: The Miyaguchi-Preneel (MP) is a variant of the MMO configuration, where the next hash value H i is obtained by XORing the previous hash value H i−1 with V im and m i .
Notably, when dealing with necessary a-size-to-b-size bit length conversions in the implementation of the g function, we can follow two types of implementations: i) padding zeros; and ii) duplicating inputs to perform a n-to-2n mapping.
V. BENCHMARKING A. Hash Function Implementations
We selected the MSP430FR5969 microcontroller (MCU) for evaluating the performance of software based hash function implementations. We selected this 16-bit ultra low power MCU due to the following attributes: 
B. Benchmark Metrics
The clock cycles required to complete a hash function operation is the most significant measure. The clock cycles are read out with the Profile Clock tool supported in the CCS environment. For a fair comparison, the clock cycles are normalized as clock cycles per byte. Two different input message sizes are considered: a short message (Short) of 10 Bytes (notably, MD5 has 64 byte block size, and hash functions constructed from SPECK has a 16 byte block size), and a long message (Long) of 1,280 Bytes. The short message can be digested within one single hash iteration. The dominant factors in Short message performance is the initialization string padding and data input/output. In the Long message test, the message size is much larger than the block size and the dominant factor influencing performance is the multiple compression processes.
Memory footprint comprising of ROM usage and RAM usage is the other performance metric. ROM usage is indicative of the code size, and the RAM usage represents the size of the internal state necessary for the algorithm. The code size was read from the .text block in FRAM using the Memory Allocation tool in CCS, while the internal state was manually counted for any local variables declared within the algorithm routine.
C. Block Cipher Performance
The performance results of tested block ciphers are detailed in Table II . Overall, we can observe that SPECK demonstrates the best performance. This is the main reason that it is chosen for constructing the non-cryptographic hash functions. 
D. Non-cryptographic Hash Functions: Security Performance
Unlike the cryptographic hash functions, the hash functions built upon block ciphers might not necessarily pertain the desirable security properties of a hash function. In this context, we first assess their security related properties using statistical tests, where the test suite SMHasher 2 designed to evaluate security performance of non-cryptographic functions is adopted. The security performance is, in general, assessed through evaluating the distribution and the collision properties of the non-cryptographic hash functions. We briefly describe these tests below. Avalanche Tests: The avalanche test evaluates the degree to which a hash value is affected by a single bit flipped in the message. Differential Tests: For all possible small n-bit subsets of a k-bit key, generate 1,000 random key pairs that differ in only those n bits and assess if any hashes to the same value; if so, the hash function is prone to far more collisions than expected. Table III ), measures the degree to which more than one message shares the same hash value. Ideally, a hash function should be free of collisions, regardless of the format of the input message. In practice, the probability of finding a collision is given by P col in (3) 3 where k is the the number of hashed values, and N is the total number of possible hash values (for example, N = 2 128 for a hash with a 128-bit binary output).
Ideally, if one bit in the message vector is flipped, each bit in the hash output should have an equal probability (50%) of flipping its value. In the distribution measure (abbreviated as Dist. in Table III ), 0% implies that message bit information is perfectly distributed across all hash value bits, and 100% implies that at least one hash value bit ether has a direct correlation with one specific message bit; or the hash value is not affected by any message bit. A high distribution value implies information leakage through the hash function.
E. Results
The tested results in terms of clock cycles per byte and memory footprint are summarized in Table III . In terms of clock cycle performance, we can observe that standard cryptographic hash functions always outperformed the noncryptographic counterparts constructed from the lightweight 3 https://preshing.com/20110504/hash-collision-probabilities/ SPECK block cipher, while the MD5 exhibits the best performance among all tested hash functions. In terms of memory footprint, the non-cryptographic hash functions appears to have better performance than standard cryptographic counterparts.
However, SPECK non-cryptographic hash functions display notable collisions in the TwoBytes, Permutation and Zeros keyset tests. Meanwhile, non-cryptographic hashes tends to present large undesirable bias in TwoBytes and Zeros keyset tests. Although these results are not unexpected, we have found that the construction of a hash from the lightweight block ciphers we have evaluated have not delivered a lightweight hash function in a soft implementation.
Therefore, based on the set of evaluation measures we have employed, we can see that MD5 designed for software implementation provided the best overall suitability (performance and security) for resource limited computational platforms.
VI. INTERMITTENT EXECUTION MODEL
Commodity MCUs generally support multiple operational modes, including low-power (sleep) and power-down modes. The intermittent powering leads to limited clock cycles within an IPC, therefore, completion of e.g., hash, might not be possible within one IPC. In this context, a low-power sleep state [31] can be used to intermit execution to allow the reservoir capacitor restore its energy. This intermittent execution model (IEM) can realize task execution in an energy limited setting [9] . First, it stretches the time frame to complete the task and hence allows the energy harvester to collect more energy. Second, memory state is preserved during the lowpower sleep mode. IEM is illustrated in Fig. 6 (a-b) while the success rate for performing BLAKE2s hash over a 1,280 byte long message is shown in Fig. 6(c) . We can see that the success rate at the 40 cm operating distance is nearly tripled, and the device could be used at a 60 cm range from an RFID reader antenna; which otherwise would be unfeasible without IEM.
VII. CONCLUSION AND FUTURE WORK
In this work we have presented benchmarks for eight software based hash function implementations aimed at resource constrained devices. Our benchmarks are evaluated on a batteryless CRFID device. MD5 hash demonstrated the best overall performance, in particular, clock cycle overhead; thus, it is recommended 4 . In an energy constrained environment, we advocate employing IEM to overcome the problems posed by limited energy (clock cycles). Future work should consider a more detailed investigation of non-crytographic hash functions-including analyzing their security, optimizing code to reduce the implementation overhead, further investigating IEM settings along with their applicability and performance improvements. Moreover, we have not considered side-channel attacks, e.g., power-and timing-based, resilience when implementing codes and we leave this for future work.
