A Systematic Technical Survey of Lightweight Cryptography on IoT Environment
Abdulrazzaq H. A. Al-Ahdal, Nilesh K. Deshmukh
Abstract: The world has become a small village through the connection of heterogeneous devices such as RFID tags, smart devices, and sensors. Systems such as those of large industrial companies, private spaces, and public utilities are connected via the Internet of Things (IoT), forming embedded systems that link the world. In general, this process requires transferring data and storing them in different devices. Therefore, data cryptography is considered the main concern during transmission. The number of interconnected systems will grow very large, requiring strong cryptography among different devices. Yet these devices have limited resources in size and cost. Traditional cryptography does not take these restrictions into account, but there is a new trend in cryptography called lightweight cryptography (LWC), which plays a vital role in securing the IoT environment. Hence, the current paper presents a comprehensive survey of LWC algorithms to provide a clear vision for future research on securing the IoT environment by using LWC. The survey aims at providing a clear classification and accurate definition of LWC algorithms (symmetric-key), along with a comparison and performance analysis of LWC algorithms (block cipher and hash function) based on important features such as latency, area, throughput, and power and energy consumption.
Keywords: Symmetric Cryptography, Lightweight Cryptography, Block Cipher, Hash Function, Embedded systems, IoT.
1 INTRODUCTION
In the last decade, the world has become increasingly interconnected through many different devices, such as sensors, smart devices, and RFID tags, which accomplish many tasks [1]. Nowadays, IoT is a modern technology of smart things. Laptops, telephones, refrigerators, and cars are physical objects known as smart things. IoT is a network of smart objects that are identifiable, accessible, and controllable over the network. They are also able to compute and make decisions. IoT is a global network with dynamic capabilities that uses standard communication protocols. It can work on physical and virtual objects. It has smart interfaces that are easily integrated into information networks [2]. In comparison to desktop computers, the devices connected to each other in an IoT environment have limitations. These limitations concern power consumption, computation cost, and memory overhead. Such restrictions do not apply to desktop computers [3]. Security is an important factor in dealing with such limitations. It is the process of securing data as they are transmitted and exchanged among objects. Therefore, the data security service is represented in confidentiality, integrity, authentication, and authorization. Through cryptography, the data is protected during diffusion in IoT so that it cannot be manipulated [4]. Cryptography is an important means of security that can be defined as converting plaintext (original text) into ciphertext (mysterious text) and reversing from ciphertext into plaintext. These operations are called encryption and decryption and are performed by using a cipher [5]. Conventional cryptography has many standard algorithms, such as the Advanced Encryption Standard (AES) and the Data Encryption Standard (DES). AES is one of the most important algorithms in cryptography and has not been broken so far. It has a block size of 128 bits and key lengths of 128, 192, and 256 bits. AES can be practically applied on different platforms [6]. DES has a block size of 64 bits with a key length of 56 bits. The key size of DES is smaller than that of AES, which is a disadvantage of DES [7]. Therefore, the security level of DES is not strong compared with AES [8]. Conventional cryptographic algorithms provide a high level of security but do not concern themselves with hardware requirements: power consumption, computation cost, and memory overhead. That is, traditional cryptographic techniques do not focus on hardware requirements, which makes them unsuitable for devices with very low computing power. Therefore, implementing traditional encryption algorithms on small devices is difficult and challenging; they are also expensive and are meant for desktop computers rather than small devices. To meet these challenges, algorithms called LWC are designed to suit devices with limited resources. LWC is a new direction of cryptography that responds to the tremendous spread of sophisticated technology and to the inefficiency, in practical applications, of the complicated mathematical processes of traditional cryptography, which are expensive in processing and memory space.
When designing an LWC algorithm, we must take into account the trade-off between security, cost, and performance (illustrated in Fig. 1). There are three objectives in this trade-off (security and cost, security and performance, performance and cost), which are difficult to improve at the same time. There are also several measures to consider when designing security for devices in a restricted environment: low power, low energy consumption, and acceptable speed. The goal of LWC is to reduce the overall implementation costs of traditional encryption in several aspects such as area, throughput, latency, and power and energy consumption.
————————————————
Abdulrazzaq H. A. Al-Ahdal, Researcher Scholar, School of Computational Sciences, S.R.T.M. University, Nanded, India. Assistant Lecturer, Computer Science, Faculty of Computer Science & Engineering, Hodeidah University, Yemen.
Nilesh K. Deshmukh, Assistant Professor, School of Computational Sciences, S.R.T.M. University, Nanded, India.
This paper is a study of the most recent algorithms that have been invented in recent years in LWC. This survey leads to an accurate definition of lightweight ciphers for low-resource devices through the classification of ciphers and hardware implementations. Through analysis and comparison of existing research, including comparison with some block ciphers that are not lightweight, this survey draws a path for researchers to develop algorithms with better performance for low-cost encryption on low-resource devices. The rest of this paper is organized as follows: Section 2.1 presents the overview of LWC. In Section 2.2, we provide the Measurement of Evaluation of LWC. In Section 2.3, we provide the Taxonomy of LWC. In Section 3, we discuss the performance according to their taxonomy and trends of design. The conclusion is given in Section 4.
2 LIGHTWEIGHT CRYPTOGRAPHY
2.1 An Overview of LWC
A new direction of cryptography called LWC has been developed to overcome the constraints of devices that run on very low computing power, such as RFID tags, sensors, or small devices that work on the Internet of Things. It is a trade-off between performance, security, and cost. Hardware LWC implementations reduce the overall implementation costs of traditional cryptography, making it suitable for applications running on constrained devices, which are designed to perform their tasks efficiently. The efficiency is based on several aspects such as Gate Equivalence (GE), CMOS technology, throughput, and power and energy consumption. GE is determined by the logic gates that are required to implement the block cipher or hash function. Therefore, the design approach is affected by GE. GE is a unit of measure that expresses the manufacturing-technology-independent complexity of digital electronic circuits. In CMOS technologies, the silicon area of a NAND2 gate represents the technology-dependent unit area commonly referred to as GE. In hardware implementation, the area is represented by the number of GE. Security in a basic RFID tag requires a total of 1000 to 10000 logic gates. Security for low-cost RFID tags requires a range from 200 to 3000 GE [72, 73, 74]. The low-cost RFID devices proposed require less than or equal to 2000 GE, and lightweight devices can be acceptable up to 3000 GE; see Tables 1 and 2. Another factor is the CMOS technology, which affects the characteristics of the implementation. Different standard-cell libraries and technologies produce different results for the same block cipher; for example, for PRESENT as presented in [9], the results are 1000 GE on 0.35 μm and 1075 GE on 0.18 μm CMOS technology. Simple cycles are provided to optimize the throughput and to minimize the power consumption required to keep memory and CPU in hardware and software implementations. This is a major goal in hardware and software implementations suitable for low-cost devices. Power consumption is the main concern for active devices (wireless sensors) and passive devices (smart cards and RFID tags), that is, devices that have their own power supply and energy consumption or that do not have their own power supply and must adapt to the host device's constraints. Power consumption is directly linked to chip area [59]. Low power consumption is achieved by using a small area. LWC is frequently tested at 100 kHz; see Tables 1 and 2.
Due to the increasing number of applications that use smart and low-resource devices, lightweight algorithms have been designed. These applications use wireless sensor networks (WSN), radio-frequency identification (RFID), smart cards [9], wireless body area networks (WBAN) [10] [11], and the Internet of Things (IoT) [12] to transfer information between them. There are several studies investigating the implementation of lightweight block ciphers. Lata et al. [13] give an overview of lightweight primitives and protocols proposed for the security of RFID systems, with a comparison of the possible applications of such primitives. John [14] surveys lightweight crypto primitives and the performance of hardware implementations of two types, block ciphers and stream ciphers, and analyses their security features. Panasenko et al. [15] suggest an approach to designing LWC and focus on some recommendations and limitations when implementing LWC. Juels [16] surveys approaches to privacy protection and integrity assurance in RFID systems and treats the social and technical context of that work. Arora et al. [17] give an overview of lightweight stream, block, and hybrid ciphers, and compare other LWC with the hybrid model of Hummingbird [18]. Mohd et al. [19] propose a taxonomy of lightweight block ciphers and their implementations and compare them to select the energy metrics that are best for low-constrained devices. LWC has many characteristics, depending on the technology used in the design. The metrics to be considered for performance evaluation when implementing LWC are presented in Section 2.2.
2.2 Measurement of Evaluation LWC
Hardware implementations in LWC depend on GE and on the hardware technology. We present details of hardware implementations in Tables 1 and 2 to investigate the features of security, cost, and performance, or the trade-offs between performance and cost. The metrics to be considered for performance evaluation when implementing LWC are as follows:
Security strength: Any algorithm selected must provide high security.
Area: Depends on Gate Equivalent (GE). One GE is equivalent to the silicon area of a two-input NAND gate.
IJSTR©2020, www.ijstr.org
0.18 μm. The number of GE refers to the area and complexity of a hardware implementation, which depend on the technology used. The number of GE is a common metric for measuring the efficiency of a proposed algorithm; it is calculated by dividing the silicon area used for a cipher with a given standard cell library by the area of a two-input NAND gate [20].
Throughput: The maximum rate of output produced by the encryption and decryption processes at a given frequency, measured in Kb/s. In hardware implementations, the frequency is 100 kHz.
Latency: It refers to the number of clock-cycles necessary to compute a single block’s encryption / decryption.
Power and energy consumption: Power (expressed in μW) estimates the power consumed by a hardware implementation. The power estimate relies on the hardware technology and GE. In hardware and software implementations, the energy consumption per bit can be computed by formula (1) [75]:
(1)
Efficiency: It is the minimization of resource usage in hardware or software. On the other hand, it is the trade-off between implementation size and performance. Hardware efficiency is computed by formula (2) [75]:
$\text{Hardware Efficiency} = \dfrac{\text{Throughput [Kbps]}}{\text{Area [KGE]}}$ (2)
2.3 Taxonomy of LWC
The exchange of information requires safe and efficient encryption/decryption, including symmetric and asymmetric encryption; we present our taxonomy of LWC in Fig. 2. The security features of asymmetric ciphers are strong but more expensive due to more computational operations [21]. Asymmetric ciphers, such as elliptic curve cryptography (ECC) [22] and Rivest–Shamir–Adleman (RSA) [23], lead to more security but are slower than symmetric ciphers. Asymmetric (public-key) cryptography requires many mathematical and arithmetic operations in LWC, which consume more resources through factoring. Asymmetric (public-key) cryptography is expensive for most low-resource devices. ECC uses a small factor length and has low computational requirements. Asymmetric cryptography such as ECC and RSA cannot achieve LWC metrics up to now. ECC provides the most effective way for low-resource devices [24]. RSA supports key sizes from 1024 to 4096 bits in most asymmetric (public-key) algorithms, which requires a larger hardware footprint. So, asymmetric (public-key) cryptography is not appropriate for low-resource applications. ECC offers the same security as RSA with a smaller key and lower computational requirements for low-resource devices [25].
Symmetric ciphers offer a lower security level than asymmetric ciphers, but require fewer computational operations and are faster. Batina et al. [26] implemented ECC on low-resource devices, which requires from 8500 to 14000 gates. In contrast, a symmetric cipher such as PRESENT requires 1570 GE. Clearly, symmetric cryptographic primitives are less costly to implement than asymmetric cryptography. Therefore, we focus on symmetric cryptography in this paper. The taxonomy of symmetric ciphers comprises block ciphers, stream ciphers, and hash functions.
Stream ciphers cannot be supported by some protocols [27]. In this work, the focus is only on block ciphers in Section 2.3.1 and hash functions in Section 2.3.2. We classify block ciphers into two structures: SP-network structure and Feistel structure.
2.3.1 Lightweight Block cipher
Fig. 2 Taxonomy of LWC
The general purpose of a block cipher is to provide a pseudo-random permutation from which complex protocols are built. There are several definitions of the lightweight block cipher. In [28], it is an implementation appropriate for low-resource devices that treats the following challenges: reduced overhead (silicon area or memory used), low energy consumption, and sufficient security. Some researchers adopted certain characteristics to define lightweight ciphers [29]. In order to design a lightweight cipher, the following requirements must be met:
Smaller block sizes: To save memory, the block size in lightweight block ciphers should be 64 bits or 80 bits, not the 128 bits used in conventional AES.
Smaller key sizes: For efficiency, key sizes in lightweight block ciphers should be less than 96 bits. The key size acceptable by NIST is less than 112 bits and equal to or more than 80 bits [77].
Simpler rounds: To save area, lightweight block ciphers use 4-bit S-boxes, whereas conventional block ciphers use 8-bit S-boxes.
Simpler key schedules: To save power consumption, latency, and memory, most lightweight block ciphers use a simple key schedule.
Minimal implementations (use of resources): Encryption and decryption are not both required for all applications. Some applications need either encryption or decryption only. The block cipher functions then use fewer resources.
A) SP-Network Structure
A block cipher in an SP-network uses a chain of linked mathematical operations. The operations in an SP-network are several rounds or "layers" of substitution boxes (S-boxes) and permutation boxes (P-boxes). S-boxes and P-boxes transform blocks of input bits into output bits using operations that are efficient in hardware, such as XOR. The key is used in each round. S-boxes depend on the key. An S-box substitutes its input block of bits with another block of bits in a way that ensures decryption is possible. In particular, the length of the input and output should be the same, as illustrated in Fig. 3. A P-box takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. In each round, the round key is combined by XOR with the data passing through the S-boxes and P-boxes. To strengthen the cryptography, S-boxes and P-boxes are used together to satisfy the confusion and diffusion properties [30][31]. Block ciphers of the SP-network type include AES [32], PRESENT [34], Hummingbird [35], LED [39], PRINCE [40], PRINT-cipher [37], and KLEIN [38], which are discussed as follows:
AES: It is one of the most important algorithms in cryptography, designed by Daemen and Rijmen [32]. The AES block cipher was developed by Feldhofer et al. [33] for consideration as LWC. It has a block size of 128 bits and key lengths of 128, 192, and 256 bits. AES can work with a fixed input size when implemented on low-power devices. The hardware implementation of AES for a 128-bit block of data requires 2400 GE within 226 clock cycles and has a power consumption of 2.4 μW on a 0.13 μm CMOS process [82]. A small area in AES can be achieved by using scan flops as an alternative to D flip-flops and MUXes, and by using an LFSR as an alternative to an FSM.
PRESENT: In 2007, Bogdanov et al. [34] proposed PRESENT, a lightweight block cipher. It is used in two situations: where low power consumption is desired and where high chip efficiency is desired. It has particularly high performance in compact hardware implementations. The block cipher works in 31 rounds and supports two key sizes, 80 and 128 bits. One round consists of an XOR operation, a bitwise permutation, and a nonlinear substitution using 4-bit input, 4-bit output (4 × 4) S-boxes. A hardware implementation of PRESENT-80 requires an area of 1030 GE within 516 clock cycles and has a power consumption of 1.54 μW on 0.18 μm for encryption/decryption [83]. The design of PRESENT does not use an algebraic unit in the diffusion layer; as a result, PRESENT provides hardware efficiency in implementation.
Hummingbird: Engels et al. designed Hummingbird [35] and Hummingbird-2 [36]. It is an ultra-lightweight cryptographic algorithm for encryption and authentication on small hardware devices like RFID tags. The block size is 16 bits. It consists of 4 rounds, and the last round only includes the key mixing and the S-box substitution steps. As in any other SP-network, one round consists of three stages: a key mixing step, a substitution layer, and a permutation layer. This block size is suitable for constrained devices because it deals with small messages. Security is weak in Hummingbird and Hummingbird-2 because of the smaller block size.
PRINT-cipher: Knudsen et al. [37] proposed the PRINT-cipher block cipher for IC printing, as one of the low-constrained devices. Two operations are applied to the cipher state: combining it with a round key using bitwise XOR, and shuffling it with a fixed linear diffusion layer. Each 3-bit S-box entry is permuted in a key-dependent permutation layer; lastly, the cipher state is mixed using a layer of b/3 nonlinear S-box substitutions.
KLEIN: According to Gong et al. [38], it is one of the new lightweight block ciphers. The block size is a fixed 64 bits and the key length is 64, 80, or 90 bits. The KLEIN cipher has a 4-bit S-box, and its operations are a mix of those from AES and from PRESENT. In a block cipher, the key length and block size reflect trade-offs between performance and security, considering security as measured by block size and performance as measured by key length.
all state-of-the-art attacks. The cipher state is represented as a matrix of 4-bit nibbles, each nibble being an element of GF($2^4$) with the polynomial $x^4 + x + 1$. The S-box in LED is the same as in PRESENT. LED is also the same as the lightweight hash function PHOTON.
PRINCE: The PRINCE lightweight block cipher by Borghoff et al. [40] mainly gives priority to low latency. Decryption can be performed by reusing the encryption process with a slightly different key. The block size is 64 bits, and the cipher uses a 4-bit S-box. Hardware implementation of PRINCE requires 2953 GE [84].
B) Feistel Structure
The construction of a block cipher as a Feistel cipher uses a symmetric structure. The Feistel cipher was proposed as a strong cipher that alternates substitutions (S-boxes) and permutations (P-boxes). Encryption and decryption operations in the Feistel structure are similar, and identical in some cases, requiring only a reversal of the key schedule. Therefore, the block cipher requires implementing only half the size of the code and the circuit. The operation of the Feistel cipher is illustrated in Fig. 4. The round function is $F$, and the subkeys are $K_0, \dots, K_n$ for the rounds $0, 1, \dots, n$ respectively. The encryption operation divides the plaintext into two equal halves $(L_0, R_0)$.
For each round $i = 0, 1, \dots, n$, compute
$L_{i+1} = R_i$
$R_{i+1} = L_i \oplus F(R_i, K_i)$
Then the ciphertext is $(R_{n+1}, L_{n+1})$.
The decryption operation takes a ciphertext $(R_{n+1}, L_{n+1})$ and computes, for $i = n, n-1, \dots, 0$,
$R_i = L_{i+1}$
$L_i = R_{i+1} \oplus F(L_{i+1}, K_i)$
Then $(L_0, R_0)$ is the plaintext again.
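The encryption and decryption recurrences above can be run directly. The following Python sketch is an added example, not code from the paper: the round function, the SHA-256-based key schedule, the 64-bit block, and the 16-round count are assumptions chosen for illustration, and the construction is a teaching toy rather than a vetted cipher. The round function is deliberately many-to-one, and decryption reuses the same routine with the subkeys in reverse order.

```python
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 16  # assumption for this demo; the text leaves the round count open


def round_function(half: int, subkey: int) -> int:
    """F(R_i, K_i). Deliberately many-to-one: the top 16 bits of the
    key-mixed input are discarded, so F has no inverse."""
    x = (half ^ subkey) & 0xFFFF
    return (x * 0x9E3779B1 + subkey) & MASK32


def subkeys_from(master_key: bytes, rounds: int = ROUNDS) -> list:
    """Toy key schedule (assumption): K_i = first 32 bits of SHA-256(key || i)."""
    return [
        int.from_bytes(hashlib.sha256(master_key + bytes([i])).digest()[:4], "big")
        for i in range(rounds)
    ]


def feistel(block: int, subkeys: list) -> int:
    """Run the Feistel rounds over a 64-bit block, using subkeys in the given order."""
    left, right = block >> 32, block & MASK32        # (L_0, R_0)
    for k in subkeys:
        # L_{i+1} = R_i ;  R_{i+1} = L_i xor F(R_i, K_i)
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left                      # output (R_{n+1}, L_{n+1})


def encrypt(block: int, master_key: bytes) -> int:
    return feistel(block, subkeys_from(master_key))


def decrypt(block: int, master_key: bytes) -> int:
    # Same routine, subkeys K_n ... K_0: only the key schedule is reversed.
    return feistel(block, subkeys_from(master_key)[::-1])


if __name__ == "__main__":
    key = b"constructed demo key"          # constructed sample input
    plaintext = 0x0123456789ABCDEF         # constructed sample input
    ciphertext = encrypt(plaintext, key)
    print(f"ciphertext = {ciphertext:016x}")
    print(f"decrypted  = {decrypt(ciphertext, key):016x}")
```

Because `decrypt` is `feistel` with a reversed subkey list, a hardware design needs only one datapath for both directions, which is the area saving the text refers to.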
Unlike in the SP structure, the round function F in a Feistel structure does not have to be invertible. This is an advantage of the Feistel structure [41], [42]. Block ciphers of the Feistel structure include HIGHT [43], DESL [44], CLEFIA [45], KATAN [46], KTANTAN [46], LBLOCK [48], SIMON [49], SPECK [49], QTL [51], Piccolo [52], and LEA [53], which are discussed as follows:
HIGHT: The name stands for high security and light weight; it was proposed by Hong et al. [43]. The block cipher is ARX-based, built on a generalized Feistel structure (GFS). It uses XOR and bitwise rotations for input, and XOR or addition modulo $2^8$ for output. It has a 64-bit block size and a 128-bit key size. HIGHT is suitable for low-resource hardware implementation because each operation is 8-bit processor oriented. The encryption and decryption processes in HIGHT are similar. HIGHT requires 2608 GE for hardware implementation, within 34 clock cycles and with 188.2 Kbps throughput [85].
DESL & DESXL: DESL and DESXL (DES Lightweight) were proposed by Poschmann et al. [44]. The primary idea of DESL and DESXL is to reduce gate complexity in order to limit the size of the hardware. DESL and DESXL use a single S-box rather than the 8 S-boxes of the original DES. With a single S-box, DESL and DESXL are strong against attacks and solve a weakness of DES. The security strength and reducing wiring costs are done by remaining the original first permutation and its inverse. The 64-bit block size and small 56-bit key size achieve limited protection. Thus, DESL is desirable for applications that need short-term security. Implementation of DESL in hardware requires 2629 GE, and implementation of DESXL in hardware requires 2186 GE.
CLEFIA: It is a lightweight block cipher that provides efficiency in hardware implementations, proposed by Shirai et al. [45]. The CLEFIA block cipher has four branches in a generalized Feistel structure (GFS). CLEFIA has two round F-functions, each of which uses 32 bits per round. Each branch consists of 32 bits, making the block size 128 bits. The F-function processes its 32-bit input in two parts: (S) a substitution step, which performs a simple S-box substitution, and (D) a diffusion step, which produces a linear combination of the substituted values. CLEFIA uses this scenario to guarantee immunity against pioneer attacks. Implementation of CLEFIA requires 2604 GE for encryption/decryption, while encryption only requires 2488 GE [87].
KATAN and KTANTAN: These are two block ciphers proposed by De Cannière et al. [46]. KATAN and KTANTAN form a new family of lightweight block ciphers based on the design of the Bivium stream cipher [47]. This design has a structure called a nonlinear feedback shift register (NLFSR) in a Feistel structure. The block size of the ciphers is 32, 48, or 64 bits, and the key length is 80 bits. Minimizing the physical footprint is at the heart of these two designs, at the cost of some speed. KATAN is less compact than KTANTAN. KTANTAN does not change the key because it is used in devices that have a fixed key. The key schedule is the only difference between KATAN and KTANTAN. KATAN and KTANTAN require less than 1000 GE in hardware implementations. Because they use shift registers, KATAN and KTANTAN are appropriate for RFID devices [46].
second half applies a simple rotation operation; therefore, the more round iterations, the larger the security margins. The LBLOCK implementation requires 1320 GE.
SIMON: It is one of the families of lightweight block ciphers proposed by Beaulieu et al. [49] in 2013. The structure of SIMON is a Feistel structure. The nonlinear function in SIMON uses a bitwise AND operation, achieving optimal performance in hardware implementations, which makes it suitable for hardware.
SPECK: It is one of the families of lightweight block ciphers proposed by Beaulieu et al. [49] in 2013. The structure of SPECK is a Feistel structure. The nonlinear function in SPECK uses the modular addition operation, achieving optimal performance in software implementations, which makes it suitable for software.
TWINE: According to Suzaki et al. [50], the block cipher has a 64-bit block size and key lengths of 80 and 128 bits. TWINE uses a generalized Feistel structure (GFS) with 16 branches. The Feistel function is called eight times per round and consists simply of XORing a subkey and applying a 4-bit S-box. In TWINE, a round function has a nonlinear layer using 4-bit S-boxes and a diffusion layer, which permutes the 16 blocks. The diffusion layer provides better diffusion because it does not use the circular shift found in other diffusion layer designs. The implementation of TWINE with a 64-bit block size and an 80-bit key requires 1799 GE.
QTL: According to Lang Li et al. [51], the structure used in QTL is a generalized Feistel structure. QTL has a block size of 64 bits with key lengths of 46 bits or 128 bits. In a Feistel structure, one round can process only half of the block message, but QTL can change the whole message. QTL uses the diffusion of SPN structures, which achieves security in Feistel-type structures. QTL reduces power consumption and area, and does not use a key schedule in its design. QTL achieves high security and cost-efficient implementation in hardware. The QTL implementation requires 1026 GE.
Piccolo: According to Shibutani et al. [52], it is a new lightweight block cipher. It is a generalized Feistel network. Piccolo has a block size of 64 bits and key lengths of 80 and 128 bits. Piccolo achieves low power consumption and high security because its design is based on a half-word based round permutation and a permutation for key expansion. The Piccolo-80 and Piccolo-128 implementations require 743 GE and 818 GE respectively. Therefore, it is suitable for RFID devices.
LEA: According to Hong et al. [53], the name stands for Lightweight block Encryption Algorithm. It was designed by the Electronics and Telecommunication Research Institute of Korea (ETRIK) and is software-oriented. It can be implemented on different platforms. Software encryption with LEA is fast on most common processors. The operations in LEA are simple rotation, XOR, and addition, and it does not use an S-box. It provides high-efficiency implementation in software as well as in hardware. The hardware implementation requires 3826 GE with a power consumption of 3.82 μW [54].
2.3.2 Lightweight Hash Function
In cryptography, a hash function takes a variable-length message as input and produces a shorter output of fixed size. A hash function must hold two important properties. The first is collision resistance (two messages that hash to the same hash value cannot be found), and the second is (second) pre-image resistance (the message, or pre-image, that generates a given output cannot be found); therefore, the hash function should be one-way. Finding a collision or a (second) pre-image must be hard, meaning computationally difficult for the attacker. For an ideal hash function with an n-bit output, an attacker must perform $2^{n/2}$ computations to find a collision and $2^n$ computations to find a (second) pre-image [55]. Conventional hash functions such as MD2 [56] and SHA [57] use a large internal state and consume more power; therefore, they may not be suitable for low-resource devices [58]. For this reason, researchers developed new lightweight hash functions suitable for low-resource devices. The construction and the compression function are the main parts of a hash function. The compression function is iterated by the construction. The differences between them are listed and discussed [59]:
Internal state (smaller) and output size: Applications need a smaller internal state and a smaller output size when collision resistance of the hash function is not required. But when applications require collision resistance, the hash function must have the same security against pre-image, second-pre-image, and collision attacks. This may reduce the size of the internal state.
Message size (smaller): Conventional hash functions support input sizes of around $2^{64}$ bits, while protocols for lightweight hash functions support at most 256 bits. Hash functions for short messages are suitable for lightweight applications.
What is important about a hash function is that it is used in several applications by which security levels are evaluated, such as Digital Signature (DS), Message-Authentication Code (MAC), and Authenticated Encryption (AE). There are three types of constructions used in hash functions that will be discussed.
A) Davies-Meyer construction
The compression function is used to build a modern hash function based on the foundations and theories of Merkle and Damgård [60]. The input to the compression function has a fixed length and consists of a chaining variable and a message extract. The output has a fixed length [59].
In the Davies–Meyer compression function, each message block $m_i$ is fed as the key to a block cipher, and the previous hash value $H_{i-1}$ is fed as the plaintext to be encrypted. The next hash value $H_i$ is the output ciphertext XORed (⊕) with $H_{i-1}$. In the first round, the previous hash value does not exist, so a constant initial value $H_0$ is used [59], as illustrated in Fig. 5. It is computed by: $H_i = E_{m_i}(H_{i-1}) \oplus H_{i-1}$. Davies–Meyer construction hash functions such as DM-PRESENT [59] and H-PRESENT [59] are discussed as follows:
DM-PRESENT and H-PRESENT: DM-PRESENT-80, DM-PRESENT-128, and H-PRESENT-128 [59] were developed on the basis of the PRESENT block cipher [34] for lightweight designs of the hash function. The block cipher ignores the feed-forward in the compression function and the reversible components that can be used.
The compression function in DM-PRESENT [59] takes two inputs, $H_i$ (some words of the chaining variable) and $M_i$ (some words of the formatted message extract). The Davies–Meyer construction uses the message extract $M_i$ to produce a new single 64-bit chaining variable as follows:
$H'_i = E(H_i, M) \oplus H_i$
In this the equation, E refers to the encryption with PRESENT-80 or encryption with PRESENT-128.The hash function provides 64-bit security for application that requires one-way. In each iteration, the compression function involves of 64 bits of chaining variable and 80 bits of message-related input, therefore, a simple trade-off between space and throughput are provided by DM-PRESENT-80 and DM-PRESENT-128. To increase space required for an implementation, it requires the replacing of the PRESENT with other block. Compression function of H-PRESENT-128, takes two input 64-bit (chaining variables) and one 64-bit (message extract), denoted by the triple (H1; H2; M), and outputs the updated chaining variables (H’1; H’2) as the following equation:
H’1 E H1, H2 || M ⊕ H1 and H’2 E H1 ⊕ c, || M ⊕ H1 Where c is a constant (non-zero) and E denotes PRESENT-128, thus, the 128 bits long of the chaining variable H1||H2 and 64 bits of message-related input
are hashed per iteration. Hirose proves to find a collision, an adversary requires at least 2n queries; where n is the block size of the cipher. From the same analysis to find the pre-image resistance, an adversary also requires at least 22n queries to the cipher.
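The Davies–Meyer step described above, written out with PRESENT-80 as the cipher E. This is an added example, not code from the paper or from the PRESENT authors; the function names, the initial value H_0 = 0 and the length-strengthened padding in `dm_present80_hash` are assumptions made for the illustration.

```python
# Added example: Davies-Meyer compression H' = E(H, M) xor H with PRESENT-80.
# H is the 64-bit chaining value (cipher plaintext), M the 80-bit message
# extract (cipher key). Names, H0 = 0 and the padding rule are assumptions.
SBOX = (0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2)
MASK64 = (1 << 64) - 1


def _sbox_layer(state: int) -> int:
    """Apply the 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for i in range(16):
        out |= SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def _p_layer(state: int) -> int:
    """Bit permutation: bit i moves to 16*i mod 63 (bit 63 stays in place)."""
    out = 0
    for i in range(64):
        dst = 63 if i == 63 else (16 * i) % 63
        out |= ((state >> i) & 1) << dst
    return out


def present80_round_keys(key: int) -> list:
    """Derive the 32 round keys of 64 bits from an 80-bit key register."""
    keys = []
    for rnd in range(1, 33):
        keys.append(key >> 16)                                  # leftmost 64 bits
        key = ((key & ((1 << 19) - 1)) << 61) | (key >> 19)     # rotate left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))  # S-box on top nibble
        key ^= rnd << 15                                        # round counter
    return keys


def present80_encrypt(block: int, key: int) -> int:
    """PRESENT-80: 31 rounds of key-add, S-box layer, bit permutation, then a final key-add."""
    rk = present80_round_keys(key)
    state = block
    for i in range(31):
        state = _p_layer(_sbox_layer(state ^ rk[i]))
    return state ^ rk[31]


def dm_present80_compress(h: int, m: int) -> int:
    """One Davies-Meyer step: encrypt h under key m, then feed h forward by XOR."""
    if not (0 <= h <= MASK64 and 0 <= m < (1 << 80)):
        raise ValueError("h must fit in 64 bits and m in 80 bits")
    return present80_encrypt(h, m) ^ h


def dm_present80_hash(msg: bytes, h0: int = 0) -> int:
    """Iterate the compression function over 80-bit blocks of the padded message.

    Padding (assumed for this example): 0x80, zero fill, 64-bit bit length.
    """
    data = msg + b"\x80"
    data += bytes(-(len(data) + 8) % 10)
    data += (8 * len(msg)).to_bytes(8, "big")
    h = h0
    for off in range(0, len(data), 10):
        h = dm_present80_compress(h, int.from_bytes(data[off:off + 10], "big"))
    return h


if __name__ == "__main__":
    print(f"{dm_present80_hash(b'constructed sample message'):016x}")
```

The chaining value never exceeds 64 bits, which is why the text quotes 64-bit security for this design.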
B) Sponge Construction
Balancing security against memory requirements is one of the challenges in designing a lightweight hash function. Moreover, security requirements in lightweight hash functions are important to prevent collisions. Therefore, the output size must be ≥ 256 bits, but this is computationally expensive. The sponge construction was proposed to address this issue by reducing the (second) pre-image resistance security for the same internal state size [61]. The sponge construction relies on a b-bit permutation P with two parameters, the capacity c (in bits) and the bit rate r. Each m_i is an r-bit message block, and each Z_i is a part of the hash value, which has an output length n. The width of a sponge construction corresponds to the size of its internal state, b = r + c ≥ n. Initially, all bits of the state are set to zero. Then, the input message is padded and split into r-bit blocks. The construction has two phases. In the first, absorbing phase, each r-bit input message block is XORed with the first r bits of the state and the function P is then applied; this is repeated for every message block. In the second, squeezing phase, the first r bits of the state are returned as an output block, followed by an application of the function P, as illustrated in Fig 6. The number of output blocks can be chosen by the user [62, 63]. In terms of lightweight design, the sponge construction [64] is only an alternative form of the Merkle–Damgård construction. The process in the sponge construction uses one permutation together with a simple XOR of the message blocks into the internal state. Storage of message blocks and "feed forward" values is required in the Davies–Meyer construction but not in the sponge construction. However, to attain traditional security, the sponge construction requires a large state [55]. Sponge construction hash functions include Keccak [63], PHOTON [39], Quark [62], GLUON [68], Spongent [61] and Neeva [68], which are discussed as follows:
Keccak: Kavun and Yalcin [63] provided lightweight implementations of Keccak-f[200] and Keccak-f[400]. They are variants of the SHA-3 hash function. Keccak is built on the sponge construction. Its building block is a permutation selected from a set of seven permutations denoted Keccak-f[b], where the width b of the permutation can be {25, 50, 100, 200, 400, 800, 1600} [65].
PHOTON: Guo et al. [39] proposed PHOTON as a lightweight hash function suitable for passive RFID. PHOTON combines AES (as the internal unkeyed permutation) with the sponge construction (as the domain extension algorithm). The hardware implementation costs 1120 GE for 64-bit to attain collision resistance security with minimal internal state memory size [65]. The output size of the PHOTON hash function is 64 ≤ n ≤ 256; the input bit rate is denoted r and the output bit rate is denoted r′. A PHOTON hash function is therefore denoted PHOTON-n/r/r′. The size of the internal state depends on the size of the hash output, and the internal state takes five different values: 100, 144, 196, 256 and 288 bits; thus there are five internal permutations P, one for each internal state size. PHOTON uses two types of S-box: a 4-bit S-box such as the PRESENT S-box and an 8-bit S-box such as the AES S-box.
Quark: It is a lightweight hash function proposed by Aumasson et al. [62]. The idea of Quark is to reduce the memory consumption of the sponge construction. The permutation P in Quark is based on block ciphers such as KATAN [46] and stream ciphers such as Grain [66]. The Quark hash function has three variants, namely U-Quark (64-bit security), D-Quark (80-bit security) and T-Quark (112-bit security). In order to prevent collision attacks or multi-collision attacks, U-Quark, for example, requires at least 64-bit security [62]. However, an implementation of U-Quark needs 1379 GE and consumes 2.44 μW of power at 100 kHz [62]. T-Quark requires 2296 GE for implementation. The internal permutation has three nonlinear Boolean functions, F, g (the same as exist in Grain) and h, in addition to one linear Boolean function p. The permutation P proceeds in three steps: initialization, state update and output computation, as Fig 7 illustrates:
GLUON: It is the third lightweight hash function after PHOTON and Quark, designed by Berger et al. [67]. It uses the sponge construction [69] with a function called F, where F is a filtered feedback with carry shift register (FCSR). This function relies on the hardware stream cipher F-FCSR-v3 [88] and the software stream cipher X-FCSR-v2 [71]. The basic building blocks used in PHOTON and Quark are lighter in hardware size than those of GLUON. The GLUON hash function has three variants with different security levels, namely GLUON-64 (64-bit security), GLUON-80 (80-bit security) and GLUON-112 (112-bit security), requiring 2071, 2799.3 and 4724 GE, respectively [67].
Spongent: It is a lightweight hash function based on the sponge construction with a modified permutation from the block cipher PRESENT, designed by Bogdanov [61]. The 4-bit S-box is the major block of functional logic and is suitable for implementing Spongent in a low area. Moreover, the 4-bit S-box fulfils the PRESENT design criteria in terms of differential and linear properties [34]. Spongent consists of 13 variants, offering different levels of collision resistance and (second) pre-image resistance. The round function in Spongent is simple; therefore, Spongent provides a minimized state size. The message is split into r-bit input blocks, which are XORed into the r right-most bit positions of the state; the hash output is also taken from the same r bit positions. Any linear approximation over the S-box that involves only single-bit input and output masks is unbiased. This helps to limit the linear hull effect discovered in round-reduced PRESENT [61].
Neeva: It is a lightweight hash function that uses the sponge construction and the PRESENT block cipher [68]. The proposed scheme uses a b-bit (r + c) initial register, where c is the capacity and r is the rate of the state b. The rate is 32 bits and the capacity is 224 bits; therefore, the total state is 256 bits, and 32 rounds are used. Neeva proceeds as follows. First, the message M is padded and divided into 32-bit blocks, and the first message block M1 is XORed into the state. Then the PRESENT S-box is applied in parallel, the updated register is split into 16-bit words, and a Feistel structure (FS) is applied over 64 bits. After an 8-bit left rotation, a round constant is inserted. The output of the first round is obtained after modular addition to the updated register and feeds the next round, until 32 rounds are completed. This is the absorbing phase. In the squeezing phase, the 32 most significant bits (MSB) of the final register from the absorbing phase are taken. Then function F is applied seven times over the updated register, and each time the 32 MSB are taken out. The seven 32-bit words are concatenated to give the 224-bit output.
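The absorbing and squeezing phases described under B) Sponge Construction, with Keccak-f[b] as the permutation P. This is an added example, not code from the paper or from [63]; it generalizes to any lane width w = b/25 in {8, 16, 32, 64}. The padding (suffix 0x06 followed by 10*1) is borrowed from SHA-3 so that the b = 1600 instance can be checked against `hashlib`, and the rate of 72 bits used with Keccak-f[200] is an assumed parameter.

```python
# Added example: generic sponge over Keccak-f[b], b = 25*w = r + c.
# Function names, the SHA-3 style padding and the Keccak-f[200] rate are assumptions.
import hashlib


def _rol(a: int, n: int, w: int) -> int:
    """Rotate the w-bit lane a left by n positions."""
    n %= w
    return ((a << n) | (a >> (w - n))) & ((1 << w) - 1)


def keccak_f(state: bytes, w: int) -> bytes:
    """Permutation P = Keccak-f[25*w] on a state of 25 lanes of w bits each."""
    lb = w // 8
    A = [[int.from_bytes(state[lb * (x + 5 * y): lb * (x + 5 * y + 1)], "little")
          for y in range(5)] for x in range(5)]
    lfsr = 1
    for _ in range(12 + 2 * (w.bit_length() - 1)):        # 18 rounds for w=8, 24 for w=64
        # theta: mix each column parity into the neighbouring columns
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x + 4) % 5] ^ _rol(C[(x + 1) % 5], 1, w) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate each lane and move it to a new position
        x, y = 1, 0
        cur = A[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], _rol(cur, (t + 1) * (t + 2) // 2, w)
        # chi: the only nonlinear step
        for y in range(5):
            T = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        # iota: round constant from an LFSR, truncated to the lane width
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2 and (1 << j) - 1 < w:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return b"".join(A[x][y].to_bytes(lb, "little") for y in range(5) for x in range(5))


def sponge(msg: bytes, r_bytes: int, w: int, out_len: int, suffix: int = 0x06) -> bytes:
    """Hash msg with rate r = 8*r_bytes and capacity c = 25*w - r; return out_len bytes."""
    b_bytes = 25 * w // 8
    if not 0 < r_bytes < b_bytes:
        raise ValueError("need 0 < r < b so that the capacity c = b - r is non-zero")
    padded = bytearray(msg) + bytes([suffix])
    padded += bytes(-len(padded) % r_bytes)
    padded[-1] ^= 0x80
    state = bytes(b_bytes)                                  # all-zero initial state
    # Absorbing phase: XOR each r-bit block into the first r bits, then apply P.
    for off in range(0, len(padded), r_bytes):
        block = padded[off:off + r_bytes]
        state = keccak_f(bytes(s ^ m for s, m in zip(state, block)) + state[r_bytes:], w)
    # Squeezing phase: output the first r bits, apply P, repeat as needed.
    out = b""
    while len(out) < out_len:
        out += state[:r_bytes]
        if len(out) < out_len:
            state = keccak_f(state, w)
    return out[:out_len]


if __name__ == "__main__":
    sample = b"constructed sample message"
    print(sponge(sample, 136, 64, 32) == hashlib.sha3_256(sample).digest())
    # Lightweight width: b = 200, r = 72, c = 128 (assumed parameters).
    print(sponge(sample, 9, 8, 16).hex())
```

Only the capacity part of the state is never exposed or overwritten directly, so shrinking b to 200 bits trades security margin for area exactly as the text describes.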
C) Merkle–Damgård Construction
It is a lightweight hash function construction; the construction of the hash functions SHA1, MD5 and SHA2 is the same as the Merkle–Damgård construction. The collision resistance of the Merkle–Damgård construction is derived from the collision resistance of the one-way compression function. The compression function cannot handle input of variable size. Therefore, an MD-compliant padding function is used in Merkle–Damgård to produce an output whose size is double of the fixed number [60]. The output in the hash function is divided into a set of blocks, each of fixed size, which are then processed one at a time with the compression function. Each time, the output from the previous round is combined with the next block as input. In this construction, the compression function H maps $\{0,1\}^n \times \{0,1\}^k$ to $\{0,1\}^n$, with a fixed and public initialization vector in $\{0,1\}^n$ and a message (m1, m2, …, mt), where each mi is a block of k bits. The construction of the hash function H is illustrated in Fig 8. Merkle–Damgård construction hash functions include ARMADILLO [70], which is discussed as follows:
ARMADILLO: Badel et al. [70] proposed ARMADILLO. It is a multi-purpose primitive used for digital signatures and MACs, as well as a PRF and PRNG. ARMADILLO has the same structure as the Merkle–Damgård construction; its hardware implementation requires 2,923 GE, takes 176 clock cycles per computation and consumes 44 μW of power.
The updated version of ARMADILLO is named ARMADILLO2. The design of ARMADILLO2 is more robust than that of ARMADILLO. The compression function in ARMADILLO2 is more secure and more compact in hardware than that used in ARMADILLO.
Fig. 7 Quark Permutation Diagram
3 INTERPRETATION AND DISCUSSION
There are important factors that must be adhered to when comparing different ciphers, so that the evaluation of the performance of the implemented primitives is a fair comparison:
1. Security Level: The security level must be the same across implementations in order to provide a fair comparison. When comparing efficient ciphers, we use the same technology with the same key and data path size.
2. CMOS technology: LWC has many characteristics and depends on the technology. Thus, implementing all proposals on the same platform is difficult. Guo and Schaumont [71] studied how the comparison of LWC hash functions in hardware implementations is influenced by technology and standard-cell libraries. They concluded that a fair comparison between hardware implementations can be achieved when the same technology is used, even if different standard-cell libraries are used. On the other hand, implementations in different technologies produce different and inaccurate results. In contrast, implementations in the same technology show similar results, as noted in the reports on energy consumption and performance. From the authors of that work we can conclude that power consumption and GE are influenced by technology, while latency is not. Throughput may be influenced by technology when the maximum throughput is needed. When implementations differ from one technology to another, the assessment is based on subsets of ciphers implemented in more than one technology. For instance, in hardware Piccolo is only implemented in 0.13 μm and TWINE only in 0.09 μm, while PRESENT is implemented in both 0.09 μm and 0.13 μm. PRESENT is less efficient than Piccolo in 0.13 μm and more efficient than TWINE in 0.09 μm. Therefore, we derive that, in general, TWINE is also less efficient than Piccolo.
3. Showing implementation options, such as serial, parallel and round-based, to improve the design for a good and specific evaluation.
A summary of the hardware implementations of symmetric LWC is given in Tables 1 and 2. Table 1 classifies the applications according to the structure of the block cipher, the block size and the key length. Table 2 classifies the applications according to the structure of the hash function, the hash output size and the data path size. The remaining parameters in Tables 1 and 2 are latency, throughput, power consumed, technology, area, hardware efficiency and energy.
The implementations in Tables 1 and 2 offer encryption only, unless stated otherwise. Furthermore, the following symbols are used:
– (S) For serialized implementations.
– (P) For parallel implementations.
– (A) For implementations that offer decryption/encryption.
In terms of energy per bit, the block ciphers LED and DESL consume more energy per bit than the block ciphers QTL, PRINCE, CLEFIA, TWINE, PRINTcipher, KTANTAN, HIGHT, KATAN and SIMON. In terms of latency, the block ciphers DESL, KTANTAN, AES, KTANTAN, SIMON and KATAN produce high latency, and in terms of throughput, the block ciphers DESL, KTANTAN, SIMON and KATAN produce low throughput. Mohd et al. [19] showed that the top-performing ciphers in terms of energy are KLEIN, mCrypton, PRINCE, Noekeon, PRESENT and KATAN. In terms of hardware efficiency (Kbps/KGE), the cipher with the highest value is best. The top block ciphers are Piccolo, PRINTcipher, QTL, KLEIN, PRINCE and LBlock.
Based on the above criteria, Fig 13 shows the block ciphers best suited to hardware implementation with a block size of 64 bits and a key length between 80 and 112 bits. The block ciphers Piccolo, LBlock, PRESENT, TWINE, SIMON and SPECK offer the best. In Table 2, in terms of GE, a serialized implementation requires less GE than a parallel implementation. Therefore, the serialized implementation is slower than the parallel implementation, because it needs more latency cycles per block, and it consumes more power than the parallel implementation. Of the two classes of block cipher, Feistel structure-based ciphers are faster than network-based ciphers, but hardware implementations of SP-networks require less GE than Feistel structure-based primitives. The Feistel structure has some security problems in contrast to the SPN type, but a Feistel structure-based cipher offers encryption and decryption at small cost. However, decryption functionality is not required in many applications. Therefore, an SP-network cipher with only decryption is the candidate for applications that use only decryption.
Fig. 9 Term of GE (Hardware implementation).
Fig. 10 Term of Power (Hardware implementation).
Therefore, there are two advantages to Feistel compared to SPN:
It uses a small round function.
It uses encryption/decryption in same program to reduce implementation cost of decryption.
The recently published hash functions based on a sponge construction, such as SPONGENT, Quark and PHOTON, achieve the security level, though they require a large state. The sponge construction saves internal memory because it needs no feed-forward, unlike the Davies–Meyer construction. Therefore, a sponge construction is the best choice. In 2017, the authors of [76] listed lightweight algorithms (LED, CLEFIA, Piccolo, Midori, PRINCE, PRESENT, TWINE, SIMON and SPECK) that have high levels of performance and effectiveness in implementation and against which there are no attacks so far. Furthermore, the lightweight hash functions are PHOTON, Keccak, SPONGENT and QUARK.
3.1 Trends of design
Smart and light technologies that use devices such as RFID, sensors and embedded systems are a modern trend. Consequently, researchers have been developing and proposing a range of cryptographic algorithms to suit these devices. NIST runs an LWC project that describes the issues and develops a technique for the standardization of lightweight cryptographic algorithms. In this project, numerous metrics are identified to evaluate lightweight properties: in hardware implementations, chip size (area or resource) and/or energy consumption (performance), and in software implementations, code size and/or RAM size. To provide knowledge for selecting or determining an LWC cipher in design directions, the following are required:
Block size and key length: Large block and key sizes cannot achieve space reduction. Memory is affected by large block and key sizes; therefore, these must be avoided. The block size and key size should be small to save memory. For instance, the block size in lightweight block ciphers should be 64 bits or 80 bits, rather than the 128-bit block size used in conventional AES. Key sizes in lightweight block ciphers should be less than 96 bits. The key size accepted by NIST is less than 112 bits and equal to or more than 80 bits [77], as in PRESENT with 80 bits. On the other hand, there are security issues: if a block size of less than 32 bits is used, birthday attacks become possible. A 64-bit block and an 80-bit key are popular parameters for lightweight ciphers.
Key schedule: Most lightweight block ciphers use simple key schedules to save power consumption, latency and memory. As a result, some attacks that recover keys during sub-key generation, such as weak-key and related-key attacks, become possible, but these attacks can be prevented by using a secure key derivation function (KDF), as described in [78], [79] and [80]. For applications where the security level is not more important than implementation cost, a simple key schedule with a Feistel structure is a good choice; when moderate security is needed, an SPN with a simple key schedule is the best choice.
Area: S-boxes are the major component in block ciphers when saving area. The S-box operations in lightweight block ciphers use 4-bit S-boxes, while conventional block ciphers use 8-bit S-boxes. Therefore, reducing the size to 4-bit S-boxes is very important to save area and achieve the security level in hardware implementations. That
TABLE 2
4 CONCLUSION
LWC is the new trend in traditional cryptography, which provides a secure environment for embedded systems running on low-cost devices. In this paper, we provide a comprehensive survey of lightweight symmetric-key cryptography (block cipher, hash function algorithm) through the modern applications that work on it. This classification shows the contrast and difference between ciphers in terms of different characteristics. Moreover, this leads to an accurate definition of symmetric-key cryptography (block cipher, hash function algorithm) for low-resource devices through the classification of ciphers and hardware implementations, according to the advertised conditions for LWC. Through the comparison and analysis of all the proposed characteristics of security shown in the tables, performance and cost have been considered. Research in this area is still ongoing due to recent developments and rapid growth in this area. This leads to the suggestion of new algorithms. These systems will be part of our personal lives, leading to computing everywhere. Therefore, we hope that the analysis provided will help build strong systems that secure the transition process in the Internet of Things (IoT).
REFERENCES
[1] McKay, Kerry A., Larry Feldman, and Gregory A. Witte. (2017) "Toward Standardizing Lightweight Cryptography." ITL Bulletin- (2017).
[2] Nandhini, P., & Vanitha, D. V. (2017). A Study of Lightweight Cryptographic Algorithms for IoT. International Journal of Innovations and Advancement in Computer Science, 26-35.
[3] Alkuhlani, Ahmed Mohammed Ibrahim, and S. B. Thorat. "Lightweight Anonymity-Preserving Authentication and Key Agreement Protocol for the Internet of Things Environment." International Conference on Intelligent Information Technologies. Springer, Singapore, 2017.
[4] Nguyen, K. T., Laurent, M., & Oualha, N. (2015). Survey on secure communication protocols for the Internet of Things. Ad Hoc Networks, 32, 17-31.
[5] Kahn, D. The Codebreakers, 1181 pp. ISBN 0-684-83130-9. Look for the 1967 rather than the 1996 edition.
[6] M. Feldhofer, J. Wolkerstorfer, and V. Rijmen. AES Implementation on a Grain of Sand. IEE Proceedings Information Security, 152(1):13-20, 2005.
[7] Standard, N. F. (1999). Data Encryption Standard (DES). Federal Information Processing Standards Publication.
[8] Standard, N. F. (2001). Announcing the advanced encryption standard (AES). Federal Information Processing Standards Publication, 197, 1-51.
[9] Rolfes C, Poschmann A, Leander G, Paar C. Ultra-lightweight implementations for smart devices--security for 1000 gate equivalents. In CARDIS 2008 Aug 25 (Vol. 5189, pp. 89-103).
[10] Zhang GH, Poon CC, Zhang YT. A review on body area networks security for healthcare. ISRN Communications and Networking. 2011 Jan 1;2011:21.
[11] Chen M, Gonzalez S, Vasilakos A, Cao H, Leung VC. Body area networks: A survey. Mobile networks and applications. 2011 Apr 1;16(2):171-93.
[12] Atzori L, Iera A, Morabito G. The internet of things: A survey. Computer networks. 2010 Oct 28;54(15):2787-805.
[13] Lata, Manju, and Adarsh Kumar. (2014). Survey on Lightweight Primitives and Protocols for RFID in Wireless Sensor Networks. International Journal of Communication Networks and Information Security (IJCNIS), 6(1).
[14] John, J. (2012). Cryptography for Resource Constrained Devices: A Survey. International Journal on Computer Science & Engineering, 4(11).
[15] Panasenko, Sergey, and Sergey Smagin. (2011). Lightweight Cryptography: Underlying Principles and Approaches. International Journal of Computer Theory and Engineering, 3(4).
[16] Juels, A. (2006). RFID security and privacy: A research survey. Selected Areas in Communications, IEEE Journal on, 24(2), 381-394.
[17] Arora, Nikita, and Yogita Gigras (2013). LIGHT WEIGHT CRYPTOGRAPHIC ALGORITHMS: A SURVEY, IJRDTM –Kailash | ISBN No. 978-1-63041-994-3 | Vol.20 | Issue 08.
[18] Fan, X., Hu, H., Gong, G., Smith, E. M., & Engels, D. (2009, November). Lightweight implementation of Hummingbird cryptographic algorithm on 4-bit microcontrollers. In Internet Technology and Secured Transactions, 2009. ICITST 2009. International Conference for (pp. 1-7). IEEE.
[19] Mohd, B.J., Hayajneh, T. and Vasilakos, A.V., 2015. A survey on lightweight block ciphers for low-resource devices: Comparative study and open issues. Journal of Network and Computer Applications, 58, pp. 73-93.
[20] Grabher, P., Großschädl, J., & Page, D. (2008). Light-weight instruction set extensions for bitsliced cryptography. In Cryptographic Hardware and Embedded Systems–CHES 2008 (pp. 331-345). Springer Berlin Heidelberg.
[21] Ågren, M. (2012). On some symmetric lightweight cryptographic designs. Department of Electrical and Information Technology, Faculty of Engineering, Lund University.
[22] Hankerson, D., Vanstone, S., & Menezes, A. J. (2004). Guide to elliptic curve cryptography. Springer.
[23] Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120-126.
[24] Chien, Hung-Yu, and Chi-Sung Laih. (2009). ECC-based lightweight authentication protocol with untraceability for low-cost RFID. Journal of parallel and distributed computing, 69(10), 848-853.
[25] Manifavas, C., Hatzivasilis, G., Fysarakis, K., & Rantos, K. (2014). Lightweight Cryptography for Embedded Systems–A Comparative Analysis. In Data Privacy Management and Autonomous Spontaneous Security (pp. 333-349). Springer Berlin Heidelberg.
[26] , L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., & Verbauwhede, I. (2006). An Elliptic Curve Processor Suitable For RFID-Tags. IACR Cryptology ePrint Archive, 2006, 22.
[27] McKay KA, Bassham L, Turan MS, Mouha N. Report on lightweight cryptography. NIST DRAFT NISTIR. 2016 Aug;8114.
[29] Cazorla M, Marquet K, Minier M. Survey and benchmark of lightweight block ciphers for wireless sensor networks. In Security and Cryptography (SECRYPT), 2013 International Conference on 2013 Jul 29 (pp. 1-6). IEEE.
[30] Preneel, B., & Rijmen, V. (1998). Principles and performance of cryptographic algorithms. Dr. Dobb's Journal: Software Tools for the Professional Programmer, 23(12), 126-130.
[31] Ferguson N, Lucks S, Schneier B, Whiting D, Bellare M, Kohno T, Callas J, Walker J. The Skein hash function family, version 1.3. Citeseer 2008. 2010 Oct.
[32] J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, 2002.
[33] Feldhofer, M., Dominikus, S., & Wolkerstorfer, J. (2004). Strong authentication for RFID systems using the AES algorithm. In Cryptographic Hardware and Embedded Systems-CHES 2004 (pp. 357-370). Springer Berlin Heidelberg.
[34] Bogdanov, A., Knudsen, L. R., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J. ... & Vikkelsoe, C. (2007). PRESENT: An ultralightweight block cipher. In Cryptographic Hardware and Embedded Systems-CHES 2007 (pp. 450-466). Springer Berlin Heidelberg.
[35] Fan, X., Hu, H., Gong, G., Smith, E. M., & Engels, D. (2009, November). Lightweight implementation of Hummingbird cryptographic algorithm on 4-bit microcontrollers. In Internet Technology and Secured Transactions, 2009. ICITST 2009. International Conference for (pp. 1-7). IEEE.
[36] Engels, D., Saarinen, M. J. O., Schweitzer, P., & Smith, E. M. (2012). The Hummingbird-2 lightweight authenticated encryption algorithm. In RFID. Security and Privacy (pp. 19-31). Springer Berlin Heidelberg.
[37] Knudsen, L., Leander, G., Poschmann, A., & Robshaw, M. J. (2010). PRINTcipher: a block cipher for IC-printing. In Cryptographic Hardware and Embedded Systems, CHES 2010 (pp. 16-32). Springer Berlin Heidelberg.
[38] Gong, Z., Nikova, S., & Law, Y. W. (2012). KLEIN: a new family of lightweight block ciphers. In RFID. Security and Privacy (pp. 1-18). Springer Berlin Heidelberg.
[39] Guo, J., Peyrin, T., Poschmann, A., & Robshaw, M. (2011). The LED block cipher. In Cryptographic Hardware and Embedded Systems–CHES 2011 (pp. 326-341). Springer Berlin Heidelberg.
[40] Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E. B., Knezevic, M., Knudsen, L. R. ... & Yalçın, T. (2012). PRINCE–A low-latency block cipher for pervasive computing applications. In Advances in Cryptology–ASIACRYPT 2012 (pp. 208-225). Springer Berlin Heidelberg.
[41] Menezes, Alfred J.; Oorschot, Paul C. van; Vanstone, Scott A. (2001). Handbook of Applied Cryptography (Fifth ed.). p. 251. ISBN 0849385237.
[42] Luby, Michael; Rackoff, Charles (April 1988), "How to Construct Pseudorandom Permutations from Pseudorandom Functions", SIAM Journal on Computing, 17 (2): 373–386, doi:10.1137/0217022, ISSN 0097-5397.
[43] Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B. S. ... & Chee, S. (2006). HIGHT: A new block cipher suitable for low-resource device. In Cryptographic Hardware and Embedded Systems-CHES 2006 (pp. 46-59). Springer Berlin Heidelberg.
[44] Poschmann, A., Leander, G., Schramm, K., & Paar, C. (2007). New Lightweight DES Variants Suited for RFID Applications. In FSE (Vol. 4593, pp. 196-210).
[45] Shirai, T., Shibutani, K., Akishita, T., Moriai, S., & Iwata, T. (2007, January). The 128-bit block cipher CLEFIA. In Fast software encryption (pp. 181-195). Springer Berlin Heidelberg.
[46] De Canniere, C., Dunkelman, O., & Knežević, M. (2009). KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers. In Cryptographic Hardware and Embedded Systems-CHES 2009 (pp. 272-288). Springer Berlin Heidelberg.
[47] Canniere, C. De, and B. Preneel. (2005). Trivium specifications. ESTREAM. ECRYPT Stream Cipher Project, Report, 30, 2005.
[48] Wu, Wenling, and Lei Zhang. (2011, January). LBlock: a lightweight block cipher. In Applied Cryptography and Network Security (pp. 327-344). Springer Berlin Heidelberg.
[49] Beaulieu, R., Shors, D., Smith, J., Treatman Clark, S., Weeks, B., & Wingers, L. (2013). The Simon and speck families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404, 2013. http://eprint.iacr.org.
[50] Suzaki, T., Minematsu, K., Morioka, S., & Kobayashi, E. (2011, November). Twine: A lightweight, versatile block cipher. In ECRYPT Workshop on Lightweight Cryptography (pp. 146-169).
[51] Li, L., Liu, B. and Wang, H., 2016. QTL: A new ultra-lightweight block cipher, Microprocessors and Microsystems.
[52] Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Cryptographic Hardware and Embedded Systems (CHES 2011), Springer, LNCS, 6917, pp. 342–357 (2011).
[53] Hong, D., Lee, J.-K., Kim, D.-C., Kwon, D., Ryu, K.H., Lee, D.-G.: LEA: a 128-bit block cipher for fast encryption on common processors. In: International Workshop on Information Security Applications (WISA 2013), Springer, LNCS, 8267, pp. 3–27 (2014).
[54] Lee, D., Kim, D. C., Kwon, D., & Kim, H. (2014). Efficient hardware implementation of the lightweight block encryption algorithm LEA. Sensors, 14(1), 975-994.
[55] Guo, J., Peyrin, T., & Poschmann, A. (2011a). The PHOTON family of lightweight hash functions. In Advances in Cryptology–CRYPTO 2011 (pp. 222-239). Springer Berlin Heidelberg.
[56] Kaliski B. The MD2 message digest algorithm, April 1992. Request for Comments (RFC).;1319.
[57] FIPS N. 180-2: Secure hash standard (SHS). US Department of Commerce, National Institute of Standards and Technology (NIST). 2012 Mar.
[58] Ideguchi K, Owada T, Yoshida H. A Study on RAM Requirements of Various SHA-3 Candidates on Low-cost 8-bit CPUs. IACR Cryptology ePrint Archive. 2009;2009:260.
[59] Poschmann, A.Y.: Lightweight Cryptography: Cryptographic Engineering for a Pervasive World. Ph.D. Thesis, Ruhr University Bochum, 2009, http://d-nb.info/996578153.
[60] Menezes, Alfred J., Paul C. Van Oorschot, and Scott A. Vanstone (1996). Handbook of applied cryptography. CRC press.
K., & Verbauwhede, I. (2013). Spongent: The design space of lightweight cryptographic hashing. Computers, IEEE Transactions on, 62(10), 2041-2053.
[62] Aumasson, J. P., Henzen, L., Meier, W., & Naya-Plasencia, M. (2013). Quark: A lightweight hash. Journal of cryptology, 26(2), 313-339.
[63] Kavun, Elif Bilge, and Tolga Yalcin. (2010). A lightweight implementation of Keccak hash function for radio-frequency identification applications. In Radio frequency identification: security and privacy issues (pp. 258-269). Springer Berlin Heidelberg.
[64] Feldhofer, M., Dominikus, S., & Wolkerstorfer, J. (2004). Strong authentication for RFID systems using the AES algorithm. In Cryptographic Hardware and Embedded Systems-CHES 2004 (pp. 357-370). Springer Berlin Heidelberg.
[65] Macé, F., Standaert, F. X., & Quisquater, J. J. (2008). FPGA implementation (s) of a scalable encryption algorithm. Very Large Scale Integration (VLSI) Systems, IEEE Transactions on, 16(2), 212-216. Menezes, A. J., Van Oorschot, P. C., & Vanstone, S. A. (1996). Handbook of applied cryptography. CRC press.
[66] Daemen, Joan, and Vincent Rijmen (2002). The design of Rijndael: AES-the advanced encryption standard. Springer.
[67] Berger, T. P., D’Hayer, J., Marquet, K., Minier, M., & Thomas, G. (2012). The GLUON family: a lightweight Hash function family based on FCSRs. In Progress in Cryptology-AFRICACRYPT 2012 (pp. 306-323). Springer Berlin Heidelberg.
[68] Bussi, K., Dey, D., Kumar, M. and Dass, B.K., 2016. Neeva: A Lightweight Hash Function.
[69] Arnault, F., Berger, T., Lauradoux, C., Minier, M., & Pousse, B. (2009). A New Approach for FCSRs, Selected Areas in Cryptography: 16th Annual International Workshop, SAC 2009, Calgary, Alberta, Canada, August 13-14, 2009, Revised Selected Papers.
[70] Badel, S., Dağtekin, N., Nakahara Jr, J., Ouafi, K., Reffé, N., Sepehrdad, P. ... & Vaudenay, S. (2010). ARMADILLO: a multi-purpose cryptographic primitive dedicated to hardware.
[71] Guo, X., & Schaumont, P. (2011, November). The technology dependence of lightweight hash implementation cost. In ECRYPT Workshop on Lightweight Cryptography (pp. 0-0).
[72] Sarma, S. E. (2001). Towards the five-cent tag. Technical Report MIT-AUTOID-WH-006, MIT Auto ID Center, 2001. Available from http://www.autoidcenter.org.
[73] Weis, S. A., Sarma, S. E., Rivest, R. L., & Engels, D. W. (2004). Security and privacy aspects of low-cost radio frequency identification systems. In Security in pervasive computing (pp. 201-212). Springer, Berlin, Heidelberg.
[74] Saarinen, Markku-Juhani O., and Daniel W. Engels. "A do-it-all-cipher for RFID: Design requirements." IACR Cryptology EPrint Archive 2012 (2012): 317.
[75] Hatzivasilis, G., Fysarakis, K., Papaefstathiou, I., & Manifavas, C. (2017). A review of lightweight block ciphers. Journal of Cryptographic Engineering, 1-44.
[76] Naofumi Homma, (2017). Cryptographic Technology Guideline (Lightweight Cryptography) [CRYPTREC-GL-0001-2016-E], available online, www.cryptrec.go.jp/report/cryptrec-gl-0001-2016-e.pdf
[77] Barker, E., and Roginsky, A., Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST Special Publication (SP) 800-131A Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, November 2015, https://doi.org/10.6028/NIST.SP.800-131Ar1.
[78] Chen, L., Recommendation for Key Derivation through Extraction-then-Expansion, NIST Special Publication (SP) 800-56C, National Institute of Standards and Technology, Gaithersburg, Maryland, November 2011, https://doi.org/10.6028/NIST.SP.800-56C.
[79] Chen, L., Recommendation for Key Derivation Using Pseudorandom Functions (Revised), NIST Special Publication (SP) 800-108, National Institute of Standards and Technology, Gaithersburg, Maryland, October 2009, https://doi.org/10.6028/NIST.SP.800-108.
[80] Dang, Q., Recommendation for Existing Application-Specific Key Derivation Functions, NIST Special Publication (SP) 800-135 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, December 2011, https://doi.org/10.6028/NIST.SP.800-135r1.
[81] Eisenbarth, T., Kumar, S., Paar, C., Poschmann, A., & Uhsadel, L. (2007). A survey of lightweight-cryptography implementations. IEEE Design & Test of Computers, (6), 522-533.
[82] Moradi, A., Poschmann, A., Ling, S., Paar, C., & Wang, H. (2011, May). Pushing the limits: a very compact and a threshold implementation of AES. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 69-88). Springer, Berlin, Heidelberg.
[83] Yap, H., Khoo, K., Poschmann, A., Henricksen, M.: EPCBC—a block cipher suitable for electronic product code encryption. In: Cryptology and Network Security (CANS), Springer, LNCS, 7092, pp. 76–97 (2011).
[84] Batina, L., Das, A., Ege, B., Kavun, E.B., Mentens, N., Paar, C., Verbauwhede, I., Yalcin, T.: Dietary recommendations for lightweight block ciphers: power, energy and area analysis of recently developed architectures. In: Hutter, M., Schmidt, J.-M. (eds.) RFIDsec 2013, vol. 8262, pp. 101–110. Springer, LNCS (2013).
[85] Lim, Y.-I., Lee, J.-H., You, Y., Cho, K.-R.: Implementation of HIGHT cryptic circuit for RFID tag. IEICE Electron. Express 6(4), 180–186 (2009).
[86] Kitsos, P., Sklavos, N., Parousi, M., Skodras, A.N.: A comparative study of hardware architectures for lightweight block ciphers. Comput. Electr. Eng. 38(1), 148–160 (2012).
[87] Akishita, T., Hiwatari, H.: Very compact hardware implementations of the block cipher CLEFIA. In: Selected Areas in Cryptography (SAC’12). Springer, LNCS, 7118, pp. 278–292 (2012).