Towards Light Weight CryptographySchemes for Resource Constraint

Devices in IoT

Santosh Pandurang Jadhav

Faculty of Telecommunications Technical University of Sofia BulgariaE-mail spjadhav375gmailcom

Received 28 August 2019 Accepted 07 November 2019Publication 29 January 2020

Abstract

The Internet of Things (IoT) is becoming the most relevant next Internet-related revolution in the world of Technology It permits millions of devicesto be connected and communicate with each other Beside ensuring reliableconnectivity their security is also a great challenge Abounding IoT deviceshave a minimum of storage and processing capacity and they usually needto be able to operate on limited power consumption Security paths thatdepend maximum on encryption are not good for these resource constraineddevices because they are not suited for performing complicated encryptionand decryption tasks quickly to be able to transmit data securely in real-time This paper contains an overview of some of the cryptographic-basedschemes related to communication and computational costs for resourceconstrained devices and considers some approaches towards the devel-opment of highly secure and lightweight security mechanisms for IoTdevices

Keywords Constrained devices cryptographic algorithms IoT lightweightcryptography signcryption

Journal of Mobile Multimedia Vol 15_1amp2 91ndash110doi 1013052jmm1550-464615125ccopy 2020 River Publishers

92 S P Jadhav

1 Introduction

In near future the Internet of Things (IoT) will be an essential elementof our daily lives Numerous energy constrained devices and sensors willcontinuously be communicating with each other the security of which mustnot be compromised Even nowadays IoT with its millions of unsecureddevices is in no way immune to attacks Such attacks can compromisegateways and deeper levels of IoT networks and disturb their performanceparalyze infrastructures make systems fail and even put human lives injeopardy Such attacks could be classified as physical network software andencryption attacks [1 2]

In physical attacks the system is accessed through proximity for exampleinserting a USB drive Such tampering with a system or network can enablethe attacker to take over its control and extract data or corrupt the systemperformance with a malicious code that opens a backdoor without beingnoticed or force the system to get shut down by a distributed denial of service(DoS) attack The Owlet WiFi Baby Heart Monitor [1] susceptibility is onecase which shows how devices with the best of acceptation such as adjustingparents when their babies experience heart troubles can be dangerous if takenadvantage of by a dishonest party The connectivity element makes themvulnerable and manufacturers and developers should take extra steps to securedevices at the hardware layer There are also physical attacks which target theenergy consumption and in such battery drains even if the system is in sleepmode

In the network type of attacks the attackers attempt to listen to what isflowing through the network by inserting themselves between the user andthe device which is also called ldquoMan in Middle attackrdquo The goal is stealingpasswords creating fake identification and diverting the network packetsto the desired locations for data analysis Monitoring and eavesdroppingnode subversion node malfunctions replication attack are different typesof attacks on IoT Networks The jeep hacking was a type of attack whichexploits firmware update vulnerability In this attack they hijacked the Jeepvehicle over the Sprint cellular network and were able to discover that theycould make it speed up slow down and even drive it as they wish It wasone of the proofs of the various emerging IoT attacks Manufacturers anddevelopers often ignore the security of peripheral devices or networks andthus the consequences can be dangerous [1]

When some malware is installed into a network program or any malicioussoftware sends a virus or corrupts the data or keeps watch on performingactivities these can be classified as software attacks The mirai botnet was

Towards Light Weight Cryptography Schemes 93

the largest Distributed DoS attack ever happened and was launched on theservice provider using an IoT botnet The IoT botnet was made by malwarecalled Mirai Once the devices and computers were infected with Mirai theycontinuously search the internet for affected IoT devices and then use knowndefault user identities and passwords to log in affecting them with malwareTrojan horse worm logical bombs are types of software attacks [1]

Encryption attacks directly affect the heart of the algorithmic systemThe attacker tries to find the encryption keys and if succeeds learns how thealgorithms were developed Usually in such cases attackers develop their ownalgorithms with the goal of installing them and taking control of the system

Various security mechanisms are developed in order to handle such typesof attacks But many IoT devices have to be operated on minimum powerand hence with less storage capacity memory and processing capability iethey are resource-constrained devices In such cases the application of mostof the standard security mechanisms can easily fail and other ldquolight weightrdquocryptographic approaches should be introduced which use less memory andpower and are highly secure

Further this paper is organised as follows Point 2 is an introduction tolightweight cryptography and its variants along with an overview of variouslightweight ciphers In Point 3 a general metric for the performance analysisof lightweight algorithms is presented In Point 4 some aspects of future workare considered and the last point concludes the paper

2 Lightweight Cryptography Algorithms

There are conventional methods of cryptography such as the AdvancedEncryption Standard (AES) Secure Hash Algorithms (SHA-265) RivestndashShamirndashAdleman (RSA) and Elliptic curve cryptography (ECC) which workon systems that have abundant computational power and memory capacitiesbut they cannot perform well with embedded systems and sensor networksTherefore lightweight cryptography methods are proposed to overcomemany of the problems of conventional cryptography when applied to sys-tems having constraints related to physical size computational requirementslimited memory and energy consumption Lightweight cryptography permitsthe application of secure encryption for devices with limited resources

Many efforts are made to develop lightweight cryptography algorithmsalong with higher security [3] In communication systems encryption isalready deployed as standard on the data link layer But in many casesencryption in the application layer is more effective as it is giving an end to

94 S P Jadhav

Figure 1 Implementation of lightweight cryptography at the application layer

end data protection from the device to the server and allows for implementingsecurity independently from the type and structure of the communication sys-tem The encryption mechanism should be applied at the processor processingthe application as shown in Figure 1 and on the available resources thereforeit should be as lightweight as possible

In resource constrained IoT devices having limited computing speedlow power backups and smaller size (circuit size ROMRAM sizes) thepower is greatly dependent on the hardware such as the circuit size or theprocessor in use Thus the size becomes the reference point for the lightnessof the encryption method and also for the power consumption The latteris dependent on the computing speed and execution time so the numberof computations that determines the processing speed usually is consideredto be an index of the lightness of the algorithm The throughput of anycryptographic system is calculated as the average of total plain text in anumber of k bytes divided by the average encryption time and in the case ofdecryption throughput is calculated as the average of total cipher text dividedby the average decryption time

Since encryption is a technology for securing the overall system thelightweight cryptography needs to adopt a method that is evaluated asensuring sufficient security in the light of modern cryptography The Inter-national Standards Organization (ISO) and the International ElectrotechnicalCommission (IEC) are maintaining standards about information and com-munication technology According to these standards the algorithms to beconsidered as ldquolight weight cryptographyrdquo should follow requirements relatedto [4]

bull Security strength for lightweight cryptography The minimum is 80-bit but is suggested that at least of 112-bit security should be appliedfor systems that will give security for maximum longer periods

Towards Light Weight Cryptography Schemes 95

Figure 2 Types of lightweight cryptography

bull Hardware implementation properties The chip area covered by thecryptographic mechanism and the energy consumption should be lesscompared to existing ISO standards

bull Software implementation properties The code size and requiredRAM size should have fewer resource requirements than in existingstandards for the same platform

bull The generality of the lightweight properties claimed for the crypto-graphic mechanism

21 Classification of Lightweight Cryptography Algorithms

A classification of lightweight cryptographic algorithms is shown in Figure 2There are two major types of cryptography algorithms symmetric andasymmetric

211 Symmetric encryptionSymmetric encryption uses the same key for both encryption and decryptionof data This method of encryption is secure and relatively faster The majordrawback of symmetric key encryption is the sharing of the key between thetwo communicating parties An attacker can decrypt the data if he has accessto the key Symmetric key algorithms assure the confidentiality and integrityof data but do not guarantee authentication This type of encryption uses threetypes of algorithms based on hashing stream and block ciphers

bull Hashing This method is based on producing a ldquohashrdquo with a privatekey that can be verified with a public key For lightweight cryptographyPHOTON [5] Spongent [6] and Lesamanta LW [7] are defined as stan-dards for hashing methods within ISOIEC 29192-52016 Conventional

96 S P Jadhav

crypto hash functions for MD5 and SHA1 and other modern hashmethods are not convenient for IoT devices National Institute of Stan-dards and Technology (NIST) has thus recommended new hashingmethods such as SPONGENT PHOTON Quark and Lesamnta-LWThese methods generate a much smaller memory footprint and havean input of just 256 characters (whereas conventional hash functionshave up to 264 bits) Chaskey Cipher is a permutation based lightweightcryptography method for signing messages (MAC) using a 128-bit keyThe Chaskey takes a 128-bit block using a 128-bit Addition-Rotation-XOR-based permutation [8]

bull Streaming A stream cipher is a symmetric key cipher in which plain-text digits are combined with a pseudorandom cipher digit stream In thistype each plaintext digit is encrypted one at a time with the analogousdigit of the keystream to give a digit of the cipher text stream as aresult Mickey V2 is a lightweight stream cipher and was written bySteve Babbage and Matthew Dodd It creates a key stream from an 80-bit key and a variable length initialization vector (of up to 80 bits)The keystream has a maximum length of 240 bits [9] Trivium is alsoone lightweight stream cipher and it was developed by Christophe DeCanniere and Bart Preneel and has a low footprint for hardware Ituses an 80-bit key and generates up to 264 bits of output with an 80-bit IV [10] Grain and Enocoro are the Light Weight Stream Cipherswhich have 80 bit and 128-bit key respectively Grain has relatively lowpower consumption and memory [11] Ecarno is defined by Hitachi andis included in ISOIEC 29192 International Standard for a lightweightstream cipher method

bull Block A block cipher is an encryption method that applies a determin-istic algorithm along with a symmetric key to encrypt a block of textrather than encrypting one bit at a time as in stream ciphers PRESENTand CLEFIA for block methods are defined as standards for lightweightcryptography within ISOIEC 29192-22012 One of the first to showpromise for a replacement for AES for lightweight cryptography isPRESENT [12] It operates on 64-bit blocks and uses a substitution-permutation method CLEFIA is a well known lightweight block cipherwas defined by Sony and has 128 192 and 256-bit keys and 128-bitblock sizes

Many lightweight cryptography algorithms were developed among themseveral symmetric algorithms use AES (Advanced encryption standards) as a

Towards Light Weight Cryptography Schemes 97

Table 1 Comparison of various symmetric lightweight ciphersRef No Algorithm Keysize Block size Merits[13] AES 128 128 Supports larger key sizes Faster in

both hardware and software

[14] PRESENT 80128 64 Ultra lightweight cipher Energyefficient

[15] RECTANGLE 128 64 Fast implementations using bit-slicetechniques

[16] HIEGHT 128 64 Ultra-lightweight Provides highsecurity Good for RFID tagging

[17] CAMELLIA 128 128 Resistance to brute force attack onkeys Security levels comparable toAES

[18] TWINE 80128 64 Good for small hardware Efficientsoftware performance

[19] SIMON 128 128 Supports several key sizes Performswell in hardware

[19] SPECK 128 128 Performs better in software

[20] XTEA 128 64 Works based on network

[21] KTANTAN 80 324864 Very efficient hardware-orientedblock cipher algorithm

[22] TREYFER 64 64 Aimed at smart card applicationsExtremely simple algorithm

[23] Lilliput 80 64 Reduces the delay and increases thespeed of operation

[24] PRINCE 128 64 Overhead for decryption on top ofencryption is negligible

standard Table 1 shows some of the different symmetric algorithms and theirmerits Examples of lightweight algorithms with some industry applicationsare given in Table 2

212 Asymmetric encryptionAsymmetric cryptography is a cryptographic system that utilizes two typesof keys public keys that may be distributed widely and private keys whichare known only to the owner The generation of the public keys depends oncryptographic algorithms based on one way mathematical functions Thusthe public key can be openly distributed without compromising security as

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

92 S P Jadhav

1 Introduction

In near future the Internet of Things (IoT) will be an essential elementof our daily lives Numerous energy constrained devices and sensors willcontinuously be communicating with each other the security of which mustnot be compromised Even nowadays IoT with its millions of unsecureddevices is in no way immune to attacks Such attacks can compromisegateways and deeper levels of IoT networks and disturb their performanceparalyze infrastructures make systems fail and even put human lives injeopardy Such attacks could be classified as physical network software andencryption attacks [1 2]

In physical attacks the system is accessed through proximity for exampleinserting a USB drive Such tampering with a system or network can enablethe attacker to take over its control and extract data or corrupt the systemperformance with a malicious code that opens a backdoor without beingnoticed or force the system to get shut down by a distributed denial of service(DoS) attack The Owlet WiFi Baby Heart Monitor [1] susceptibility is onecase which shows how devices with the best of acceptation such as adjustingparents when their babies experience heart troubles can be dangerous if takenadvantage of by a dishonest party The connectivity element makes themvulnerable and manufacturers and developers should take extra steps to securedevices at the hardware layer There are also physical attacks which target theenergy consumption and in such battery drains even if the system is in sleepmode

In the network type of attacks the attackers attempt to listen to what isflowing through the network by inserting themselves between the user andthe device which is also called ldquoMan in Middle attackrdquo The goal is stealingpasswords creating fake identification and diverting the network packetsto the desired locations for data analysis Monitoring and eavesdroppingnode subversion node malfunctions replication attack are different typesof attacks on IoT Networks The jeep hacking was a type of attack whichexploits firmware update vulnerability In this attack they hijacked the Jeepvehicle over the Sprint cellular network and were able to discover that theycould make it speed up slow down and even drive it as they wish It wasone of the proofs of the various emerging IoT attacks Manufacturers anddevelopers often ignore the security of peripheral devices or networks andthus the consequences can be dangerous [1]

When some malware is installed into a network program or any malicioussoftware sends a virus or corrupts the data or keeps watch on performingactivities these can be classified as software attacks The mirai botnet was

Towards Light Weight Cryptography Schemes 93

the largest Distributed DoS attack ever happened and was launched on theservice provider using an IoT botnet The IoT botnet was made by malwarecalled Mirai Once the devices and computers were infected with Mirai theycontinuously search the internet for affected IoT devices and then use knowndefault user identities and passwords to log in affecting them with malwareTrojan horse worm logical bombs are types of software attacks [1]

Encryption attacks directly affect the heart of the algorithmic systemThe attacker tries to find the encryption keys and if succeeds learns how thealgorithms were developed Usually in such cases attackers develop their ownalgorithms with the goal of installing them and taking control of the system

Various security mechanisms are developed in order to handle such typesof attacks But many IoT devices have to be operated on minimum powerand hence with less storage capacity memory and processing capability iethey are resource-constrained devices In such cases the application of mostof the standard security mechanisms can easily fail and other ldquolight weightrdquocryptographic approaches should be introduced which use less memory andpower and are highly secure

Further this paper is organised as follows Point 2 is an introduction tolightweight cryptography and its variants along with an overview of variouslightweight ciphers In Point 3 a general metric for the performance analysisof lightweight algorithms is presented In Point 4 some aspects of future workare considered and the last point concludes the paper

2 Lightweight Cryptography Algorithms

There are conventional methods of cryptography such as the AdvancedEncryption Standard (AES) Secure Hash Algorithms (SHA-265) RivestndashShamirndashAdleman (RSA) and Elliptic curve cryptography (ECC) which workon systems that have abundant computational power and memory capacitiesbut they cannot perform well with embedded systems and sensor networksTherefore lightweight cryptography methods are proposed to overcomemany of the problems of conventional cryptography when applied to sys-tems having constraints related to physical size computational requirementslimited memory and energy consumption Lightweight cryptography permitsthe application of secure encryption for devices with limited resources

Many efforts are made to develop lightweight cryptography algorithmsalong with higher security [3] In communication systems encryption isalready deployed as standard on the data link layer But in many casesencryption in the application layer is more effective as it is giving an end to

94 S P Jadhav

Figure 1 Implementation of lightweight cryptography at the application layer

end data protection from the device to the server and allows for implementingsecurity independently from the type and structure of the communication sys-tem The encryption mechanism should be applied at the processor processingthe application as shown in Figure 1 and on the available resources thereforeit should be as lightweight as possible

In resource constrained IoT devices having limited computing speedlow power backups and smaller size (circuit size ROMRAM sizes) thepower is greatly dependent on the hardware such as the circuit size or theprocessor in use Thus the size becomes the reference point for the lightnessof the encryption method and also for the power consumption The latteris dependent on the computing speed and execution time so the numberof computations that determines the processing speed usually is consideredto be an index of the lightness of the algorithm The throughput of anycryptographic system is calculated as the average of total plain text in anumber of k bytes divided by the average encryption time and in the case ofdecryption throughput is calculated as the average of total cipher text dividedby the average decryption time

Since encryption is a technology for securing the overall system thelightweight cryptography needs to adopt a method that is evaluated asensuring sufficient security in the light of modern cryptography The Inter-national Standards Organization (ISO) and the International ElectrotechnicalCommission (IEC) are maintaining standards about information and com-munication technology According to these standards the algorithms to beconsidered as ldquolight weight cryptographyrdquo should follow requirements relatedto [4]

bull Security strength for lightweight cryptography The minimum is 80-bit but is suggested that at least of 112-bit security should be appliedfor systems that will give security for maximum longer periods

Towards Light Weight Cryptography Schemes 95

Figure 2 Types of lightweight cryptography

bull Hardware implementation properties The chip area covered by thecryptographic mechanism and the energy consumption should be lesscompared to existing ISO standards

bull Software implementation properties The code size and requiredRAM size should have fewer resource requirements than in existingstandards for the same platform

bull The generality of the lightweight properties claimed for the crypto-graphic mechanism

21 Classification of Lightweight Cryptography Algorithms

A classification of lightweight cryptographic algorithms is shown in Figure 2There are two major types of cryptography algorithms symmetric andasymmetric

211 Symmetric encryptionSymmetric encryption uses the same key for both encryption and decryptionof data This method of encryption is secure and relatively faster The majordrawback of symmetric key encryption is the sharing of the key between thetwo communicating parties An attacker can decrypt the data if he has accessto the key Symmetric key algorithms assure the confidentiality and integrityof data but do not guarantee authentication This type of encryption uses threetypes of algorithms based on hashing stream and block ciphers

bull Hashing This method is based on producing a ldquohashrdquo with a privatekey that can be verified with a public key For lightweight cryptographyPHOTON [5] Spongent [6] and Lesamanta LW [7] are defined as stan-dards for hashing methods within ISOIEC 29192-52016 Conventional

96 S P Jadhav

crypto hash functions for MD5 and SHA1 and other modern hashmethods are not convenient for IoT devices National Institute of Stan-dards and Technology (NIST) has thus recommended new hashingmethods such as SPONGENT PHOTON Quark and Lesamnta-LWThese methods generate a much smaller memory footprint and havean input of just 256 characters (whereas conventional hash functionshave up to 264 bits) Chaskey Cipher is a permutation based lightweightcryptography method for signing messages (MAC) using a 128-bit keyThe Chaskey takes a 128-bit block using a 128-bit Addition-Rotation-XOR-based permutation [8]

bull Streaming A stream cipher is a symmetric key cipher in which plain-text digits are combined with a pseudorandom cipher digit stream In thistype each plaintext digit is encrypted one at a time with the analogousdigit of the keystream to give a digit of the cipher text stream as aresult Mickey V2 is a lightweight stream cipher and was written bySteve Babbage and Matthew Dodd It creates a key stream from an 80-bit key and a variable length initialization vector (of up to 80 bits)The keystream has a maximum length of 240 bits [9] Trivium is alsoone lightweight stream cipher and it was developed by Christophe DeCanniere and Bart Preneel and has a low footprint for hardware Ituses an 80-bit key and generates up to 264 bits of output with an 80-bit IV [10] Grain and Enocoro are the Light Weight Stream Cipherswhich have 80 bit and 128-bit key respectively Grain has relatively lowpower consumption and memory [11] Ecarno is defined by Hitachi andis included in ISOIEC 29192 International Standard for a lightweightstream cipher method

bull Block A block cipher is an encryption method that applies a determin-istic algorithm along with a symmetric key to encrypt a block of textrather than encrypting one bit at a time as in stream ciphers PRESENTand CLEFIA for block methods are defined as standards for lightweightcryptography within ISOIEC 29192-22012 One of the first to showpromise for a replacement for AES for lightweight cryptography isPRESENT [12] It operates on 64-bit blocks and uses a substitution-permutation method CLEFIA is a well known lightweight block cipherwas defined by Sony and has 128 192 and 256-bit keys and 128-bitblock sizes

Many lightweight cryptography algorithms were developed among themseveral symmetric algorithms use AES (Advanced encryption standards) as a

Towards Light Weight Cryptography Schemes 97

Table 1 Comparison of various symmetric lightweight ciphersRef No Algorithm Keysize Block size Merits[13] AES 128 128 Supports larger key sizes Faster in

both hardware and software

[14] PRESENT 80128 64 Ultra lightweight cipher Energyefficient

[15] RECTANGLE 128 64 Fast implementations using bit-slicetechniques

[16] HIEGHT 128 64 Ultra-lightweight Provides highsecurity Good for RFID tagging

[17] CAMELLIA 128 128 Resistance to brute force attack onkeys Security levels comparable toAES

[18] TWINE 80128 64 Good for small hardware Efficientsoftware performance

[19] SIMON 128 128 Supports several key sizes Performswell in hardware

[19] SPECK 128 128 Performs better in software

[20] XTEA 128 64 Works based on network

[21] KTANTAN 80 324864 Very efficient hardware-orientedblock cipher algorithm

[22] TREYFER 64 64 Aimed at smart card applicationsExtremely simple algorithm

[23] Lilliput 80 64 Reduces the delay and increases thespeed of operation

[24] PRINCE 128 64 Overhead for decryption on top ofencryption is negligible

standard Table 1 shows some of the different symmetric algorithms and theirmerits Examples of lightweight algorithms with some industry applicationsare given in Table 2

212 Asymmetric encryptionAsymmetric cryptography is a cryptographic system that utilizes two typesof keys public keys that may be distributed widely and private keys whichare known only to the owner The generation of the public keys depends oncryptographic algorithms based on one way mathematical functions Thusthe public key can be openly distributed without compromising security as

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

Towards Light Weight Cryptography Schemes 93

the largest Distributed DoS attack ever happened and was launched on theservice provider using an IoT botnet The IoT botnet was made by malwarecalled Mirai Once the devices and computers were infected with Mirai theycontinuously search the internet for affected IoT devices and then use knowndefault user identities and passwords to log in affecting them with malwareTrojan horse worm logical bombs are types of software attacks [1]

Encryption attacks directly affect the heart of the algorithmic systemThe attacker tries to find the encryption keys and if succeeds learns how thealgorithms were developed Usually in such cases attackers develop their ownalgorithms with the goal of installing them and taking control of the system

Various security mechanisms are developed in order to handle such typesof attacks But many IoT devices have to be operated on minimum powerand hence with less storage capacity memory and processing capability iethey are resource-constrained devices In such cases the application of mostof the standard security mechanisms can easily fail and other ldquolight weightrdquocryptographic approaches should be introduced which use less memory andpower and are highly secure

Further this paper is organised as follows Point 2 is an introduction tolightweight cryptography and its variants along with an overview of variouslightweight ciphers In Point 3 a general metric for the performance analysisof lightweight algorithms is presented In Point 4 some aspects of future workare considered and the last point concludes the paper

2 Lightweight Cryptography Algorithms

There are conventional methods of cryptography such as the AdvancedEncryption Standard (AES) Secure Hash Algorithms (SHA-265) RivestndashShamirndashAdleman (RSA) and Elliptic curve cryptography (ECC) which workon systems that have abundant computational power and memory capacitiesbut they cannot perform well with embedded systems and sensor networksTherefore lightweight cryptography methods are proposed to overcomemany of the problems of conventional cryptography when applied to sys-tems having constraints related to physical size computational requirementslimited memory and energy consumption Lightweight cryptography permitsthe application of secure encryption for devices with limited resources

Many efforts are made to develop lightweight cryptography algorithmsalong with higher security [3] In communication systems encryption isalready deployed as standard on the data link layer But in many casesencryption in the application layer is more effective as it is giving an end to

94 S P Jadhav

Figure 1 Implementation of lightweight cryptography at the application layer

end data protection from the device to the server and allows for implementingsecurity independently from the type and structure of the communication sys-tem The encryption mechanism should be applied at the processor processingthe application as shown in Figure 1 and on the available resources thereforeit should be as lightweight as possible

In resource constrained IoT devices having limited computing speedlow power backups and smaller size (circuit size ROMRAM sizes) thepower is greatly dependent on the hardware such as the circuit size or theprocessor in use Thus the size becomes the reference point for the lightnessof the encryption method and also for the power consumption The latteris dependent on the computing speed and execution time so the numberof computations that determines the processing speed usually is consideredto be an index of the lightness of the algorithm The throughput of anycryptographic system is calculated as the average of total plain text in anumber of k bytes divided by the average encryption time and in the case ofdecryption throughput is calculated as the average of total cipher text dividedby the average decryption time

Since encryption is a technology for securing the overall system thelightweight cryptography needs to adopt a method that is evaluated asensuring sufficient security in the light of modern cryptography The Inter-national Standards Organization (ISO) and the International ElectrotechnicalCommission (IEC) are maintaining standards about information and com-munication technology According to these standards the algorithms to beconsidered as ldquolight weight cryptographyrdquo should follow requirements relatedto [4]

bull Security strength for lightweight cryptography The minimum is 80-bit but is suggested that at least of 112-bit security should be appliedfor systems that will give security for maximum longer periods

Towards Light Weight Cryptography Schemes 95

Figure 2 Types of lightweight cryptography

bull Hardware implementation properties The chip area covered by thecryptographic mechanism and the energy consumption should be lesscompared to existing ISO standards

bull Software implementation properties The code size and requiredRAM size should have fewer resource requirements than in existingstandards for the same platform

bull The generality of the lightweight properties claimed for the crypto-graphic mechanism

21 Classification of Lightweight Cryptography Algorithms

A classification of lightweight cryptographic algorithms is shown in Figure 2There are two major types of cryptography algorithms symmetric andasymmetric

211 Symmetric encryptionSymmetric encryption uses the same key for both encryption and decryptionof data This method of encryption is secure and relatively faster The majordrawback of symmetric key encryption is the sharing of the key between thetwo communicating parties An attacker can decrypt the data if he has accessto the key Symmetric key algorithms assure the confidentiality and integrityof data but do not guarantee authentication This type of encryption uses threetypes of algorithms based on hashing stream and block ciphers

bull Hashing This method is based on producing a ldquohashrdquo with a privatekey that can be verified with a public key For lightweight cryptographyPHOTON [5] Spongent [6] and Lesamanta LW [7] are defined as stan-dards for hashing methods within ISOIEC 29192-52016 Conventional

96 S P Jadhav

crypto hash functions for MD5 and SHA1 and other modern hashmethods are not convenient for IoT devices National Institute of Stan-dards and Technology (NIST) has thus recommended new hashingmethods such as SPONGENT PHOTON Quark and Lesamnta-LWThese methods generate a much smaller memory footprint and havean input of just 256 characters (whereas conventional hash functionshave up to 264 bits) Chaskey Cipher is a permutation based lightweightcryptography method for signing messages (MAC) using a 128-bit keyThe Chaskey takes a 128-bit block using a 128-bit Addition-Rotation-XOR-based permutation [8]

bull Streaming A stream cipher is a symmetric key cipher in which plain-text digits are combined with a pseudorandom cipher digit stream In thistype each plaintext digit is encrypted one at a time with the analogousdigit of the keystream to give a digit of the cipher text stream as aresult Mickey V2 is a lightweight stream cipher and was written bySteve Babbage and Matthew Dodd It creates a key stream from an 80-bit key and a variable length initialization vector (of up to 80 bits)The keystream has a maximum length of 240 bits [9] Trivium is alsoone lightweight stream cipher and it was developed by Christophe DeCanniere and Bart Preneel and has a low footprint for hardware Ituses an 80-bit key and generates up to 264 bits of output with an 80-bit IV [10] Grain and Enocoro are the Light Weight Stream Cipherswhich have 80 bit and 128-bit key respectively Grain has relatively lowpower consumption and memory [11] Ecarno is defined by Hitachi andis included in ISOIEC 29192 International Standard for a lightweightstream cipher method

bull Block A block cipher is an encryption method that applies a determin-istic algorithm along with a symmetric key to encrypt a block of textrather than encrypting one bit at a time as in stream ciphers PRESENTand CLEFIA for block methods are defined as standards for lightweightcryptography within ISOIEC 29192-22012 One of the first to showpromise for a replacement for AES for lightweight cryptography isPRESENT [12] It operates on 64-bit blocks and uses a substitution-permutation method CLEFIA is a well known lightweight block cipherwas defined by Sony and has 128 192 and 256-bit keys and 128-bitblock sizes

Many lightweight cryptography algorithms were developed among themseveral symmetric algorithms use AES (Advanced encryption standards) as a

Towards Light Weight Cryptography Schemes 97

Table 1 Comparison of various symmetric lightweight ciphersRef No Algorithm Keysize Block size Merits[13] AES 128 128 Supports larger key sizes Faster in

both hardware and software

[14] PRESENT 80128 64 Ultra lightweight cipher Energyefficient

[15] RECTANGLE 128 64 Fast implementations using bit-slicetechniques

[16] HIEGHT 128 64 Ultra-lightweight Provides highsecurity Good for RFID tagging

[17] CAMELLIA 128 128 Resistance to brute force attack onkeys Security levels comparable toAES

[18] TWINE 80128 64 Good for small hardware Efficientsoftware performance

[19] SIMON 128 128 Supports several key sizes Performswell in hardware

[19] SPECK 128 128 Performs better in software

[20] XTEA 128 64 Works based on network

[21] KTANTAN 80 324864 Very efficient hardware-orientedblock cipher algorithm

[22] TREYFER 64 64 Aimed at smart card applicationsExtremely simple algorithm

[23] Lilliput 80 64 Reduces the delay and increases thespeed of operation

[24] PRINCE 128 64 Overhead for decryption on top ofencryption is negligible

standard Table 1 shows some of the different symmetric algorithms and theirmerits Examples of lightweight algorithms with some industry applicationsare given in Table 2

212 Asymmetric encryptionAsymmetric cryptography is a cryptographic system that utilizes two typesof keys public keys that may be distributed widely and private keys whichare known only to the owner The generation of the public keys depends oncryptographic algorithms based on one way mathematical functions Thusthe public key can be openly distributed without compromising security as

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

94 S P Jadhav

Figure 1 Implementation of lightweight cryptography at the application layer

end data protection from the device to the server and allows for implementingsecurity independently from the type and structure of the communication sys-tem The encryption mechanism should be applied at the processor processingthe application as shown in Figure 1 and on the available resources thereforeit should be as lightweight as possible

In resource constrained IoT devices having limited computing speedlow power backups and smaller size (circuit size ROMRAM sizes) thepower is greatly dependent on the hardware such as the circuit size or theprocessor in use Thus the size becomes the reference point for the lightnessof the encryption method and also for the power consumption The latteris dependent on the computing speed and execution time so the numberof computations that determines the processing speed usually is consideredto be an index of the lightness of the algorithm The throughput of anycryptographic system is calculated as the average of total plain text in anumber of k bytes divided by the average encryption time and in the case ofdecryption throughput is calculated as the average of total cipher text dividedby the average decryption time

Since encryption is a technology for securing the overall system thelightweight cryptography needs to adopt a method that is evaluated asensuring sufficient security in the light of modern cryptography The Inter-national Standards Organization (ISO) and the International ElectrotechnicalCommission (IEC) are maintaining standards about information and com-munication technology According to these standards the algorithms to beconsidered as ldquolight weight cryptographyrdquo should follow requirements relatedto [4]

bull Security strength for lightweight cryptography The minimum is 80-bit but is suggested that at least of 112-bit security should be appliedfor systems that will give security for maximum longer periods

Towards Light Weight Cryptography Schemes 95

Figure 2 Types of lightweight cryptography

bull Hardware implementation properties The chip area covered by thecryptographic mechanism and the energy consumption should be lesscompared to existing ISO standards

bull Software implementation properties The code size and requiredRAM size should have fewer resource requirements than in existingstandards for the same platform

bull The generality of the lightweight properties claimed for the crypto-graphic mechanism

21 Classification of Lightweight Cryptography Algorithms

A classification of lightweight cryptographic algorithms is shown in Figure 2There are two major types of cryptography algorithms symmetric andasymmetric

211 Symmetric encryptionSymmetric encryption uses the same key for both encryption and decryptionof data This method of encryption is secure and relatively faster The majordrawback of symmetric key encryption is the sharing of the key between thetwo communicating parties An attacker can decrypt the data if he has accessto the key Symmetric key algorithms assure the confidentiality and integrityof data but do not guarantee authentication This type of encryption uses threetypes of algorithms based on hashing stream and block ciphers

bull Hashing This method is based on producing a ldquohashrdquo with a privatekey that can be verified with a public key For lightweight cryptographyPHOTON [5] Spongent [6] and Lesamanta LW [7] are defined as stan-dards for hashing methods within ISOIEC 29192-52016 Conventional

96 S P Jadhav

crypto hash functions for MD5 and SHA1 and other modern hashmethods are not convenient for IoT devices National Institute of Stan-dards and Technology (NIST) has thus recommended new hashingmethods such as SPONGENT PHOTON Quark and Lesamnta-LWThese methods generate a much smaller memory footprint and havean input of just 256 characters (whereas conventional hash functionshave up to 264 bits) Chaskey Cipher is a permutation based lightweightcryptography method for signing messages (MAC) using a 128-bit keyThe Chaskey takes a 128-bit block using a 128-bit Addition-Rotation-XOR-based permutation [8]

bull Streaming A stream cipher is a symmetric key cipher in which plain-text digits are combined with a pseudorandom cipher digit stream In thistype each plaintext digit is encrypted one at a time with the analogousdigit of the keystream to give a digit of the cipher text stream as aresult Mickey V2 is a lightweight stream cipher and was written bySteve Babbage and Matthew Dodd It creates a key stream from an 80-bit key and a variable length initialization vector (of up to 80 bits)The keystream has a maximum length of 240 bits [9] Trivium is alsoone lightweight stream cipher and it was developed by Christophe DeCanniere and Bart Preneel and has a low footprint for hardware Ituses an 80-bit key and generates up to 264 bits of output with an 80-bit IV [10] Grain and Enocoro are the Light Weight Stream Cipherswhich have 80 bit and 128-bit key respectively Grain has relatively lowpower consumption and memory [11] Ecarno is defined by Hitachi andis included in ISOIEC 29192 International Standard for a lightweightstream cipher method

bull Block A block cipher is an encryption method that applies a determin-istic algorithm along with a symmetric key to encrypt a block of textrather than encrypting one bit at a time as in stream ciphers PRESENTand CLEFIA for block methods are defined as standards for lightweightcryptography within ISOIEC 29192-22012 One of the first to showpromise for a replacement for AES for lightweight cryptography isPRESENT [12] It operates on 64-bit blocks and uses a substitution-permutation method CLEFIA is a well known lightweight block cipherwas defined by Sony and has 128 192 and 256-bit keys and 128-bitblock sizes

Many lightweight cryptography algorithms were developed among themseveral symmetric algorithms use AES (Advanced encryption standards) as a

Towards Light Weight Cryptography Schemes 97

Table 1 Comparison of various symmetric lightweight ciphersRef No Algorithm Keysize Block size Merits[13] AES 128 128 Supports larger key sizes Faster in

both hardware and software

[14] PRESENT 80128 64 Ultra lightweight cipher Energyefficient

[15] RECTANGLE 128 64 Fast implementations using bit-slicetechniques

[16] HIEGHT 128 64 Ultra-lightweight Provides highsecurity Good for RFID tagging

[17] CAMELLIA 128 128 Resistance to brute force attack onkeys Security levels comparable toAES

[18] TWINE 80128 64 Good for small hardware Efficientsoftware performance

[19] SIMON 128 128 Supports several key sizes Performswell in hardware

[19] SPECK 128 128 Performs better in software

[20] XTEA 128 64 Works based on network

[21] KTANTAN 80 324864 Very efficient hardware-orientedblock cipher algorithm

[22] TREYFER 64 64 Aimed at smart card applicationsExtremely simple algorithm

[23] Lilliput 80 64 Reduces the delay and increases thespeed of operation

[24] PRINCE 128 64 Overhead for decryption on top ofencryption is negligible

standard Table 1 shows some of the different symmetric algorithms and theirmerits Examples of lightweight algorithms with some industry applicationsare given in Table 2

212 Asymmetric encryptionAsymmetric cryptography is a cryptographic system that utilizes two typesof keys public keys that may be distributed widely and private keys whichare known only to the owner The generation of the public keys depends oncryptographic algorithms based on one way mathematical functions Thusthe public key can be openly distributed without compromising security as

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

Towards Light Weight Cryptography Schemes 95

Figure 2 Types of lightweight cryptography

bull Hardware implementation properties The chip area covered by thecryptographic mechanism and the energy consumption should be lesscompared to existing ISO standards

bull Software implementation properties The code size and requiredRAM size should have fewer resource requirements than in existingstandards for the same platform

bull The generality of the lightweight properties claimed for the crypto-graphic mechanism

21 Classification of Lightweight Cryptography Algorithms

A classification of lightweight cryptographic algorithms is shown in Figure 2There are two major types of cryptography algorithms symmetric andasymmetric

211 Symmetric encryptionSymmetric encryption uses the same key for both encryption and decryptionof data This method of encryption is secure and relatively faster The majordrawback of symmetric key encryption is the sharing of the key between thetwo communicating parties An attacker can decrypt the data if he has accessto the key Symmetric key algorithms assure the confidentiality and integrityof data but do not guarantee authentication This type of encryption uses threetypes of algorithms based on hashing stream and block ciphers

bull Hashing This method is based on producing a ldquohashrdquo with a privatekey that can be verified with a public key For lightweight cryptographyPHOTON [5] Spongent [6] and Lesamanta LW [7] are defined as stan-dards for hashing methods within ISOIEC 29192-52016 Conventional

96 S P Jadhav

crypto hash functions for MD5 and SHA1 and other modern hashmethods are not convenient for IoT devices National Institute of Stan-dards and Technology (NIST) has thus recommended new hashingmethods such as SPONGENT PHOTON Quark and Lesamnta-LWThese methods generate a much smaller memory footprint and havean input of just 256 characters (whereas conventional hash functionshave up to 264 bits) Chaskey Cipher is a permutation based lightweightcryptography method for signing messages (MAC) using a 128-bit keyThe Chaskey takes a 128-bit block using a 128-bit Addition-Rotation-XOR-based permutation [8]

bull Streaming A stream cipher is a symmetric key cipher in which plain-text digits are combined with a pseudorandom cipher digit stream In thistype each plaintext digit is encrypted one at a time with the analogousdigit of the keystream to give a digit of the cipher text stream as aresult Mickey V2 is a lightweight stream cipher and was written bySteve Babbage and Matthew Dodd It creates a key stream from an 80-bit key and a variable length initialization vector (of up to 80 bits)The keystream has a maximum length of 240 bits [9] Trivium is alsoone lightweight stream cipher and it was developed by Christophe DeCanniere and Bart Preneel and has a low footprint for hardware Ituses an 80-bit key and generates up to 264 bits of output with an 80-bit IV [10] Grain and Enocoro are the Light Weight Stream Cipherswhich have 80 bit and 128-bit key respectively Grain has relatively lowpower consumption and memory [11] Ecarno is defined by Hitachi andis included in ISOIEC 29192 International Standard for a lightweightstream cipher method

bull Block A block cipher is an encryption method that applies a determin-istic algorithm along with a symmetric key to encrypt a block of textrather than encrypting one bit at a time as in stream ciphers PRESENTand CLEFIA for block methods are defined as standards for lightweightcryptography within ISOIEC 29192-22012 One of the first to showpromise for a replacement for AES for lightweight cryptography isPRESENT [12] It operates on 64-bit blocks and uses a substitution-permutation method CLEFIA is a well known lightweight block cipherwas defined by Sony and has 128 192 and 256-bit keys and 128-bitblock sizes

Many lightweight cryptography algorithms were developed among themseveral symmetric algorithms use AES (Advanced encryption standards) as a

Towards Light Weight Cryptography Schemes 97

Table 1 Comparison of various symmetric lightweight ciphersRef No Algorithm Keysize Block size Merits[13] AES 128 128 Supports larger key sizes Faster in

both hardware and software

[14] PRESENT 80128 64 Ultra lightweight cipher Energyefficient

[15] RECTANGLE 128 64 Fast implementations using bit-slicetechniques

[16] HIEGHT 128 64 Ultra-lightweight Provides highsecurity Good for RFID tagging

[17] CAMELLIA 128 128 Resistance to brute force attack onkeys Security levels comparable toAES

[18] TWINE 80128 64 Good for small hardware Efficientsoftware performance

[19] SIMON 128 128 Supports several key sizes Performswell in hardware

[19] SPECK 128 128 Performs better in software

[20] XTEA 128 64 Works based on network

[21] KTANTAN 80 324864 Very efficient hardware-orientedblock cipher algorithm

[22] TREYFER 64 64 Aimed at smart card applicationsExtremely simple algorithm

[23] Lilliput 80 64 Reduces the delay and increases thespeed of operation

[24] PRINCE 128 64 Overhead for decryption on top ofencryption is negligible

standard Table 1 shows some of the different symmetric algorithms and theirmerits Examples of lightweight algorithms with some industry applicationsare given in Table 2

212 Asymmetric encryptionAsymmetric cryptography is a cryptographic system that utilizes two typesof keys public keys that may be distributed widely and private keys whichare known only to the owner The generation of the public keys depends oncryptographic algorithms based on one way mathematical functions Thusthe public key can be openly distributed without compromising security as

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

96 S P Jadhav

crypto hash functions for MD5 and SHA1 and other modern hashmethods are not convenient for IoT devices National Institute of Stan-dards and Technology (NIST) has thus recommended new hashingmethods such as SPONGENT PHOTON Quark and Lesamnta-LWThese methods generate a much smaller memory footprint and havean input of just 256 characters (whereas conventional hash functionshave up to 264 bits) Chaskey Cipher is a permutation based lightweightcryptography method for signing messages (MAC) using a 128-bit keyThe Chaskey takes a 128-bit block using a 128-bit Addition-Rotation-XOR-based permutation [8]

bull Streaming A stream cipher is a symmetric key cipher in which plain-text digits are combined with a pseudorandom cipher digit stream In thistype each plaintext digit is encrypted one at a time with the analogousdigit of the keystream to give a digit of the cipher text stream as aresult Mickey V2 is a lightweight stream cipher and was written bySteve Babbage and Matthew Dodd It creates a key stream from an 80-bit key and a variable length initialization vector (of up to 80 bits)The keystream has a maximum length of 240 bits [9] Trivium is alsoone lightweight stream cipher and it was developed by Christophe DeCanniere and Bart Preneel and has a low footprint for hardware Ituses an 80-bit key and generates up to 264 bits of output with an 80-bit IV [10] Grain and Enocoro are the Light Weight Stream Cipherswhich have 80 bit and 128-bit key respectively Grain has relatively lowpower consumption and memory [11] Ecarno is defined by Hitachi andis included in ISOIEC 29192 International Standard for a lightweightstream cipher method

bull Block A block cipher is an encryption method that applies a determin-istic algorithm along with a symmetric key to encrypt a block of textrather than encrypting one bit at a time as in stream ciphers PRESENTand CLEFIA for block methods are defined as standards for lightweightcryptography within ISOIEC 29192-22012 One of the first to showpromise for a replacement for AES for lightweight cryptography isPRESENT [12] It operates on 64-bit blocks and uses a substitution-permutation method CLEFIA is a well known lightweight block cipherwas defined by Sony and has 128 192 and 256-bit keys and 128-bitblock sizes

Many lightweight cryptography algorithms were developed among themseveral symmetric algorithms use AES (Advanced encryption standards) as a

Towards Light Weight Cryptography Schemes 97

Table 1 Comparison of various symmetric lightweight ciphersRef No Algorithm Keysize Block size Merits[13] AES 128 128 Supports larger key sizes Faster in

both hardware and software

[14] PRESENT 80128 64 Ultra lightweight cipher Energyefficient

[15] RECTANGLE 128 64 Fast implementations using bit-slicetechniques

[16] HIEGHT 128 64 Ultra-lightweight Provides highsecurity Good for RFID tagging

[17] CAMELLIA 128 128 Resistance to brute force attack onkeys Security levels comparable toAES

[18] TWINE 80128 64 Good for small hardware Efficientsoftware performance

[19] SIMON 128 128 Supports several key sizes Performswell in hardware

[19] SPECK 128 128 Performs better in software

[20] XTEA 128 64 Works based on network

[21] KTANTAN 80 324864 Very efficient hardware-orientedblock cipher algorithm

[22] TREYFER 64 64 Aimed at smart card applicationsExtremely simple algorithm

[23] Lilliput 80 64 Reduces the delay and increases thespeed of operation

[24] PRINCE 128 64 Overhead for decryption on top ofencryption is negligible

standard Table 1 shows some of the different symmetric algorithms and theirmerits Examples of lightweight algorithms with some industry applicationsare given in Table 2

212 Asymmetric encryptionAsymmetric cryptography is a cryptographic system that utilizes two typesof keys public keys that may be distributed widely and private keys whichare known only to the owner The generation of the public keys depends oncryptographic algorithms based on one way mathematical functions Thusthe public key can be openly distributed without compromising security as

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

Towards Light Weight Cryptography Schemes 97

Table 1 Comparison of various symmetric lightweight ciphersRef No Algorithm Keysize Block size Merits[13] AES 128 128 Supports larger key sizes Faster in

both hardware and software

[14] PRESENT 80128 64 Ultra lightweight cipher Energyefficient

[15] RECTANGLE 128 64 Fast implementations using bit-slicetechniques

[16] HIEGHT 128 64 Ultra-lightweight Provides highsecurity Good for RFID tagging

[17] CAMELLIA 128 128 Resistance to brute force attack onkeys Security levels comparable toAES

[18] TWINE 80128 64 Good for small hardware Efficientsoftware performance

[19] SIMON 128 128 Supports several key sizes Performswell in hardware

[19] SPECK 128 128 Performs better in software

[20] XTEA 128 64 Works based on network

[21] KTANTAN 80 324864 Very efficient hardware-orientedblock cipher algorithm

[22] TREYFER 64 64 Aimed at smart card applicationsExtremely simple algorithm

[23] Lilliput 80 64 Reduces the delay and increases thespeed of operation

[24] PRINCE 128 64 Overhead for decryption on top ofencryption is negligible

standard Table 1 shows some of the different symmetric algorithms and theirmerits Examples of lightweight algorithms with some industry applicationsare given in Table 2

212 Asymmetric encryptionAsymmetric cryptography is a cryptographic system that utilizes two typesof keys public keys that may be distributed widely and private keys whichare known only to the owner The generation of the public keys depends oncryptographic algorithms based on one way mathematical functions Thusthe public key can be openly distributed without compromising security as

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

98 S P Jadhav

Table 2 Various lightweight ciphers used for industry applicationsRef No Algorithm Applications[25] A51 2G GSM protocol still uses this algorithm

[26] Atmel Ciphers Stream ciphers used by the secure memory cryptoMemory and CryptoRF families of products fromAtmel

[27] Crypto-1 Stream cipher used by the Mifare classic line ofsmartcards

[28 29] Css Content of DVD discs is encrypted by the contentscrambling system

[30] Dsc Stream cipher used to encrypt the communications ofcordless phones

[31] Hitag2 Megamos Stream ciphers used in the car immobilizersimplemented by different car manufacturers

[32] Kindle Cipher (PC1) Amazon used it at least up until 2012 for the DRMscheme protecting its e-book using the Mobi file format

[33] Oryx Stream cipher Oryx was chosen by the telecom industryassociation standard (tia) to secure phonecommunications in North America

[34] CMEA This block cipher was used by the telecom industryassociation standard to secure the transmission of phonenumbers across telephone lines

for achieving effective of security the requirement is keeping the privatekey private [35] In such this type of systems any person can encrypt amessage using the receiverrsquos public key but the encrypted message canonly be decrypted with the receiverrsquos private key Asymmetric lightweightcryptography algorithms are highly recommended for devices with resourcelimitations Asymmetric ciphers are computationally far more demandingthan their symmetric counterparts There are conventional asymmetric algo-rithms such as RabinRSA which is based on integer factorization prob-lem ECCHECC which are based on Elliptic Curve Discrete LogarithmProblem

The RivestndashShamirndashAdleman (RSA) is the most popular algorithm forasymmetric cryptography which supports key sizes from 1024 to 4096bits As such it is well known for the various public key cryptosystemsthat researchers propose But its large hardware footprint and its resourcedemanding implementations guide researchers go for other algorithms which

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

Towards Light Weight Cryptography Schemes 99

Table 3 Comparisons of key sizes in bits of ECC and HECCSecurity level Elliptic curve HECC Genus 2 HECC Genus 3256 94 47 32

512 128 64 43

1024 174 87 58

2048 234 117 78

4096 313 157 105

8192 417 209 139

are more convenient for applications in constrained devices [36] Rabin issomewhat similar to RSA There is one main difference in the complexity ofthe factorization problems that they depend upon The encryption for Rabin isfaster than RSA But the decryption is less efficient BluJay [37] is a hybridRabin-based scheme that is suitable for lightweight platforms and is based onWIPR and Hummingbird-2 The encryption by BluJay is significantly fasterand more lightweight than RSA and ECC for the same level of security

Elliptic Curve Cryptography (ECC) and its counterpart HECC (HyperElliptic Curve Cryptosystem) HECC have been considered as one of the bestsuits for power constraint devices in embedded systems It is being observedthat as security increases the key size of the conventional asymmetric algo-rithm such as RSA grows much faster as compared to ECC ECC and HECCare more suitable for devices which need lightweight cryptography due totheir lesser resources such as memory computational power and energyHECC is a generalization of elliptic curves As the genus increases thearithmetic of encryption gets more and more complex but it needs fewerbits than ECC for the same level of security As HECCrsquos operand size issmaller it is considered to have better performance than ECC and to bemore attractive for applications in resource-constrained devices Exampleof an application requiring smaller operand and less computational poweris E-commerce where lightweight cryptography is needed in order to makefaster transactions [38] In Table 3a short comparison of ECC and HECCalgorithms is presented [39 40]

An example of algorithm based on the Discrete Logarithm Problem(DLP) in Finite Fields is ElGamal [41] This algorithm is of less interest forapplication in resource constrained platforms because its computation is moreintensive than RSA and the result of the encryption from plaintext results inan increase of two times in the size of the ciphertext It is also consideredvulnerable to some types of attacks like chosen encryption attacks

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

100 S P Jadhav

There are some application specific asymmetric algorithms which areknown for their performance and their resistance to quantum computer baseddecryption approaches such as MSS NTRU McEliece MQ YAK MerkleSignature Scheme (MSS) is a hash based cryptography and uses typical AESbased hash functions It is popular because of its smaller code size and fasterverification process them RSA and ECC [42] NTRU is one of the opensource public key cryptosystems that utilizes lattice-based cryptography forencryption and decryption of data NTRU was patented but was placed in thepublic domain in 2017 It has two algorithms NTRUEncrypt for encryptionand NTRUSign for digital signatures Like other prominent public keycryptosystems it is also resistant to attacks using Shorrsquos algorithm and itsperformance is significantly better Regarding the performance of NTRU inequivalent cryptographic strength it should be noted that NTRU executescostly private key operations much faster than RSA Performance time ofRSA private operation increases as the cube of the key size while as that of anNTRU operation increases quadratically [43] NTRU provides the same levelof security comparable to RSA and ECC and therefore is highly efficient andsuitable for embedded system RSA is 200 times slower in key generation andalmost 3 times slower in encryption and about 30 times slower in decryptionas compared with NTRU The drawback of NTRU is that it produces largeroutput which may lower the performance of the cryptosystem if the numberof transmitted messages is complex and crucial but it is safe when it isimplemented when the recommended parameters are used [44]

McEliece is an asymmetric algorithm which was not largely acceptedbecause of its larger public and private key matrices as compared to RSAThe encryption and decryption are faster than RSA McEliece was not used toproduce signatures but the signature has been constructed based on Nieder-reiter scheme which is a variant of McEliece From a security point of viewNiederreiter provides the same security level as McEliece [45] MQ requires9690 bytes for the public key and 879 bytes for the private key and is basedon the problem of solving multivariable quadratic equations over finite fieldsIt is commonly accepted that multivariate cryptography is more successfulfor building signature schemes basically because multivariate schemes givethe shortest signature among quantum resistant algorithms [46]

In 2010 Feng Hao proposed the public key authenticated key agreementprotocol YAK Like other protocols YAK normally requires a public keyinfrastructure to distribute authentic public keys to the parties involved inthe communication YAK provides different security properties One is theprivate key security in which an attacker cannot learn the userrsquos static private

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

Towards Light Weight Cryptography Schemes 101

key even though if all session-specific secrets in any compromised sessionis known Another is full forward secrecy in which session keys that weresecurely settled in the past uncorrupted sessions will remain incomputable inthe future even when both usersrsquo static private keys are not closed In suchtypes of key security the attacker cannot compute the session key even if heacts like a user but has no permission to the userrsquos private key [47]

22 Signcryption

There are various mechanisms for lightweight cryptography algorithms effec-tively to address the issues with resource constraint devices Signcryption isone of them This is a new public key cryptographic primitive that executesthe functions of digital signature and encryption in a single logical stepand with a cost lower than that required by the traditional approach ofsignature followed by encryption [48] The biggest advantage of signcryptionover the application of signature followed by encryption is the reduction ofcomputational cost and communication overhead which can be shown by

Cost (signcryption) lt Cost(signature) + Cost(encrypt)

Many signcryption schemes that have been proposed are based on HECCThe Authors in [49] propose a signcryption scheme which greatly improvesefficiencies for software and hardware applications but could not addressforward secrecy and public verification In [50] an efficient HECC basedencryption scheme is developed which saves computational time and com-munication overhead up to 40 due to small key size but is missing to showforward secrecy authentication and availability properties

A signcryption scheme with forwarding secrecy based on HECC thatprovides functionality and public verifiability which is more suitable forresource constraint devices is proposed in [51] but it uses zero-knowledgeprotocol for public verifiability In [52] a public verifiable signcryptionscheme with forwarding secrecy based on HECC is considered There inpublic verifiability a third party can verify the authenticity of the senderwithout cracking the confidentiality and knowing the private key of thereceiver In this case the third party just needs the signcrypted text and someadditional parameters A mathematical model of public verifiability propertyis not given the paper

Approach to smart card resistance as well as to offline password guessingattack in proposed in [53] based on secure signcryption on HECC withsensor-based random number Limitations related to the generation of random

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

102 S P Jadhav

Table 4 Coefficients for general metricPlatform Performance metric α B λ micro τ

Areabit 1 0 0 0 0

Th = NB TB 0 minus1 0 minus1 0

ThA minus1 minus1 0 minus1 0

Hardware FOM= ThGE2 minus2 minus1 0 minus1 0

Th (A Eb) minus1 minus1 minus1 minus2 0

Power 0 minus1 1 0 0

Energy per bit 0 0 1 1 0Cyclesblock 0 0 0 0 1

Software Through output 0 minus1 0 minus1 0

Code size cycle countblock size 1 0 0 1 1

numbers is one drawback of this scheme In [54] an implementation ofHECC based signcryption approach is described but it is not implementedfor resource constrained devices

3 General Performance Metric for LightweightCryptography Algorithms

Considering different works in the literature related to the performance analy-sis of different lightweight cryptography algorithms the authors in [55] comeup with a generalized metric that attempts to allow performance compari-son of lightweight algorithms by presenting a uniform formula to representcurrent and future performance metrics Such a general metric for hardwaredesign is given by

General Metric(Aα T βBEλBC

τBN

microB) =

Aα T βBEλBC

τB

NmicroB

where A is the area TB the time to encrypt one block E is the energy CB isthe number of cycles to encrypt one block NB is the block size α β λ τ andmicro are power coefficients This general metric includes respective coefficientsrepresenting different performance metrics By stating the appropriate valueof these coefficients all the different metrics related to the performance of thevarious cryptographic ciphers could be covered In Table 3 the values of thedifferent coefficients used to derive different performance metrics by usingthe general metric are given

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

Towards Light Weight Cryptography Schemes 103

The retrieving of different performance metrics using the values of thecoefficient given in Table 4 can be illustrated by the determination of theso-called Figure of Merit (FOM)

FOM = General metric = Aminus2 Tminus1B Eminus1

B C0BN

minus1B

This shows that any performance metric can be derived without any confusionand ambiguity As an example of performance efficiency the throughput perarea (ThA) can be derived as

ThA = General metric = Aminus1 Tminus1B E0

BC0BN

minus1B

For a HECC based signcryption scheme that has various major operationssuch as hyperelliptic curve divisor multiplication (HECDM) Encryption andDecryption inverse division addition subtraction and key hash operationsthe computational cost is calculated by the time required for the execution ofthese major operations For example using an implementation platform witha pc running on c with 170 GHz processing speed and intel i3 CPU 4 GBRAM capacity and OS WINDOWS 7 the time for the encryption followedby signature approach for a 5 kb and 10 kb text file is noted to be 276 ms and293 ms respectively For signcryption using HECC and SHA-256 it is foundto be 246 ms and 269 ms respectively This shows that the cost of signcryptionis less than the cost of the approach of signature followed by encryption Inthis sample case considering the general metric for software the calculatedthroughput is

Throughput =T βBC

τB

NmicroB

=256minus1

5minus1= 0019 blockms

In this way it is possible to find the efficiency and performance of differ-ent lightweight cryptography algorithms and their lightness in respect toapplication for securing resource constraint devices to be evaluated

4 Future Work

Recently many lightweight cryptographic algorithms had evolved in securingthe resource constraint devices in IoT ECC and HECC combined with sign-cryption had shown the remarkable results in computational cost and energyconsumption There is a generalized signcryption algorithm for low comput-ing devices which is proposed in [56] This general approach which uses

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

104 S P Jadhav

Figure 3 General approach for lightweight cryptography

(Pu ndash Public parameters IDA ndash Identity of Alice IDB ndash Identity of Bob S ndash SelectedAlgorithms for hash and encryption t0 ndash Timestamp)

all the security features can be used in developing lightweight cryptographicmechanisms for devices with little computing power

In Figure 3 the general approach towards lightweight cryptography isillustrated where three parties are involved in the system during communica-tion The sender and receiver need to share their public parameter (Pu) theiridentities (ID) and choose among several available algorithms (S) for hashgeneration encryption and decryption Along with this signcryption helps inreducing the time required for the total cryptographic process which makesthe scheme more efficient

In future scope for researchers after referring the general approach is toimplement zero knowledge protocol for verification purpose for signcryptionusing lightweight cryptography algorithm HECC Which can improve thesecurity level of the system while the use of lightweight encryption algorithmand signcryption scheme will make the system having resource constraintdevices more efficient and secure

5 Conclusion

From the presented in this paper survey and analysis of lightweight cryptog-raphy algorithms it can be concluded that there is a need for more secureefficient lightweight cryptography mechanisms that could be suitable forimplementation in resource constraint devices for IoT Such mechanismsshould have lower computational cost lower power consumption and shouldprovide same or higher level of security On solution is the use of differentschemes such as signcryption zero knowledge protocol along with secure

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

Towards Light Weight Cryptography Schemes 105

and lightweight cryptography protocol which can solve some of the majorissues of security as well as allow the development of highly efficient securitymechanism for low resource constraint devices in IoT

References

[1] httpswwwiotforallcom5-worst-iot-hacking-vulnerabilities[2] Sattar B Sadkhan Akbal O Salman ldquoA Survey on Lightweight-

Cryptographyrdquo 2018 International Conference on Advances in Sustain-able Engineering and Applications (ICASEA) pp 105ndash108 2018

[3] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on HyperElliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications (BIGCOM)pp 51ndash58 2017

[4] Biryukov Alex and Leo Perrin ldquoState of the Art in LightweightSymmetric Cryptographyrdquo IACR Cryptology ePrint Archive P 5112017

[5] Guo J Peyrin T Poschmann A ldquoThe PHOTON family of lightweighthash functions Springer vol 6841 pp 222ndash239 2011

[6] Bogdanov A Knezevic M Leander G et al ldquoSPONGENT the designspace of lightweight cryptographic hashingrdquo IACR Cryptology ePrintArchive 2011

[7] Hirose S Ideguchi K Kuwakado H et al A lightweight 256-bithash function for hardware and low end devices Lesamnta-LW BerlinHeidelberg pp 151ndash168 Springer 2011

[8] Buchanan WJ ldquoChaskey Cipherrdquo [Internet] Available from httpasecuritysitecomencryptionchas

[9] Buchanan WJ ldquoMickey V2 lightweight stream cipherrdquo [Internet]Available from httpasecuritysitecomencryptionmickey

[10] Buchanan WJ ldquoTrivium lightweight stream cipherrdquo [Internet] Avail-able from httpasecuritysitecomencryptiontrivium

[11] 9WJ ldquoGrain lightweight stream cipherrdquo [Internet] Available fromhttpasecuritysitecomencryptiongrain

[12] Bogdanov A Knudsen LR Leander G et al ldquoPRESENT An ultra-lightweight block cipherrdquo vol 4727 pp 450ndash466 2007

[13] A Moradi et al ldquoPushing the Limits A Very Compact and a Thresh-old Implementation of AESrdquo in Advances in Cryptology ndash EURO-CRYPT 2011 Lecture Notes in Computer Science vol 6632 pp 69ndash88Springer 2011

106 S P Jadhav

[14] A Bogdanov et al ldquoPRESENT An Ultra-Lightweight Block Cipher inCryptographic Hardware and Embedded Systems - CHES 2007 LectureNotes in Computer Science pp 450ndash466 Springer 2007

[15] W Zhang et al RECTANGLE a bit-slice lightweight block ciphersuitable for multiple platformsrdquo in Science China Information Sciencesvol 58(12) pp 1ndash15 2015

[16] D Hong et al ldquoHIGHT A New Block Cipher Suitable for Low-Resource Devicerdquo in Cryptographic Hardware and Embedded Systemsndash CHES 2006 Lecture Notes in Computer Science pp 46ndash59 2006

[17] A Satoh and S Morioka ldquoHardware Focused Performance Comparisonfor the Standard Block Ciphers AES Camellia and Triple-DESrdquo inLecture Notes in Computer Science Information Security pp 252ndash266Springer 2003

[18] T Suzaki et al ldquoTWINE A Lightweight Block Cipher for Multi-ple Platformsrdquo in Selected Areas in Cryptography Lecture Notes inComputer Science vol 7707 pp 339ndash354 Springer 2013

[19] R Beaulieu et al ldquoThe SIMON and SPECK lightweight block ciphersin Proceedings of the 52nd Annual Design Automation Conferencepp 1ndash6 2015

[20] R M Needham and D J Wheeler Tea extensions Technical reportCambridge University Cambridge UK October 1997

[21] Christophe De Canniegravere Orr Dunkelman and Miroslav KneževicKATAN and KTANTAN ndash a family of small and efficient hardware-oriented block ciphers In Christophe Clavier and Kris Gaj editorsCryptographic Hardware and Embedded Systems ndash CHES 2009 volume5747 of Lecture Notes in Computer Science pp 272ndash288 SpringerHeidelberg September 2009

[22] Gideon Yuval Reinventing the Travois EncryptionMAC in 30 ROMbytes In Biham [Bih97] pp 205ndash209 1997

[23] Thierry Pierre Berger Julien Francq Marine Minier and Gaeumll ThomasExtended generalized Feistel networks using matrix representation topropose a new lightweight block cipher Lilliput IEEE Transactions onComputers pp 99 August 2015

[24] Julia Borghoff Anne Canteaut Tim Guumlneysu Elif Bilge KavunMiroslav Knezecic Lars R Knudsen Gregor Leander VentzislavNikov Christof Paar Christian Rechberger Peter Rombouts Soslashren SThomsen and Tolga Yalccedilin ldquoPRINCE ndash A low-latency block cipher forpervasive computing applicationsrdquo vol 7658 pp 208ndash225 2012

Towards Light Weight Cryptography Schemes 107

[25] Ross Anderson A5 (Was HACKING DIGITAL PHONES) uk elecom(Usenet) httpsgroupsgooglecomforummsguktelecomTkdCaytoeU4Mroy719hdroJmsguktelecomTkdCaytoeU4Mroy719hdroJJune 1994

[26] Flavio D Garcia Peter van Rossum Roel Verdult and Ronny WichersSchreur Dismantling Secure Memory Crypto Memory and CryptoRFIn Proceedings of the 17th ACM Conference on Computer and Commu-nications Security CCS rsquo10 pp 250ndash259 New York NY USA 2010ACM

[27] Karsten Nohl David Evans Starbug Starbug and Henryk PloumltzldquoReverse engineering a cryptographic RFID tagrsquo In USENIX securitysymposium volume 28 2008

[28] M Becker and A Desoky ldquoA study of the DVD content scramblingsystem (CSS) algorithmrdquo In Proceedings of the Fourth IEEE Interna-tional Symposium on Signal Processing and Information Technologypp 353ndash356 Dec 2004

[29] Lea Troels Moslashller Pedersen Carsten Valdemar Munk and Lisbet MoslashllerAndersen ldquoCryptography ndash the rise and fall of DVD encryptionrdquoAvailable online at httpciteseerxistpsueduviewdocdownloadsessionid=3672D97255B2446765DA47DA97960CDFdoi=10111186103amprep=rep1amptype=pdf 2007

[30] Stefan Lucks Andreas Schuler Erik Tews Ralf-Philipp Weinmann andMatthias Wenzel ldquoAttacks on the DECT authentication mechanismsrdquoIn Marc Fischlin editor Topics in Cryptology ndash CT-RSA 2009 vol-ume 5473 of Lecture Notes in Computer Science pp 48ndash65 SpringerHeidelberg April 2009

[31] Roel Verdult Flavio D Garcia and Baris Ege ldquoDismantling MegamosCrypto Wirelessly lockpicking a vehicle immobilizerrdquo In Supplementto the 22nd USENIX Security Symposium (USENIX Security 13)pp 703ndash718 USENIX Association August 2013

[32] Alex Biryukov Gaetan Leurent and Arnab Roy ldquoCryptanalysis of theldquokindlerdquo cipherrdquo In Knudsen and Wu [KW13] pp 86ndash103 August2012

[33] David Wagner Leone Simpson Ed Dawson John Kelsey WilliamMillan and Bruce Schneier Cryptanalysis of ORYX In Stafford ETavares and Henk Meijer editors SAC 1998 5th Annual InternationalWorkshop on Selected Areas in Cryptography volume 1556 of LectureNotes in Computer Science pp 296ndash305 Springer Heidelberg August1999

Towards Light Weight Cryptography Schemes 107

[25] Ross Anderson A5 (Was HACKING DIGITAL PHONES) uk elecom(Usenet) httpsgroupsgooglecomforummsguktelecomTkdCaytoeU4Mroy719hdroJmsguktelecomTkdCaytoeU4Mroy719hdroJJune 1994

[26] Flavio D Garcia Peter van Rossum Roel Verdult and Ronny WichersSchreur Dismantling Secure Memory Crypto Memory and CryptoRFIn Proceedings of the 17th ACM Conference on Computer and Commu-nications Security CCS rsquo10 pp 250ndash259 New York NY USA 2010ACM

[27] Karsten Nohl David Evans Starbug Starbug and Henryk PloumltzldquoReverse engineering a cryptographic RFID tagrsquo In USENIX securitysymposium volume 28 2008

[28] M Becker and A Desoky ldquoA study of the DVD content scramblingsystem (CSS) algorithmrdquo In Proceedings of the Fourth IEEE Interna-tional Symposium on Signal Processing and Information Technologypp 353ndash356 Dec 2004

[29] Lea Troels Moslashller Pedersen Carsten Valdemar Munk and Lisbet MoslashllerAndersen ldquoCryptography ndash the rise and fall of DVD encryptionrdquoAvailable online at httpciteseerxistpsueduviewdocdownloadsessionid=3672D97255B2446765DA47DA97960CDFdoi=10111186103amprep=rep1amptype=pdf 2007

[30] Stefan Lucks Andreas Schuler Erik Tews Ralf-Philipp Weinmann andMatthias Wenzel ldquoAttacks on the DECT authentication mechanismsrdquoIn Marc Fischlin editor Topics in Cryptology ndash CT-RSA 2009 vol-ume 5473 of Lecture Notes in Computer Science pp 48ndash65 SpringerHeidelberg April 2009

[31] Roel Verdult Flavio D Garcia and Baris Ege ldquoDismantling MegamosCrypto Wirelessly lockpicking a vehicle immobilizerrdquo In Supplementto the 22nd USENIX Security Symposium (USENIX Security 13)pp 703ndash718 USENIX Association August 2013

[32] Alex Biryukov Gaetan Leurent and Arnab Roy ldquoCryptanalysis of theldquokindlerdquo cipherrdquo In Knudsen and Wu [KW13] pp 86ndash103 August2012

[33] David Wagner Leone Simpson Ed Dawson John Kelsey WilliamMillan and Bruce Schneier Cryptanalysis of ORYX In Stafford ETavares and Henk Meijer editors SAC 1998 5th Annual InternationalWorkshop on Selected Areas in Cryptography volume 1556 of LectureNotes in Computer Science pp 296ndash305 Springer Heidelberg August1999

108 S P Jadhav

[34] David Wagner Bruce Schneier and John Kelsey Cryptanalysis ofthe cellular encryption algorithm In Burton S Kaliski Jr editorAdvances in Cryptology ndash CRYPTOrsquo97 volume 1294 of Lecture Notesin Computer Science pp 526ndash537 Springer Heidelberg August 1997

[35] httpsenwikipediaorgwikiPublic-key_cryptography[36] Oren Y Feldhofer M WIPR - a low-resource public-key identification

scheme for RFID tags and sensor nodes In Basin DA Capkun SLee W (eds) WISEC pp 59ndash68 ACM 2009

[37] Saarinen M-JO The BlueJay ultra-lightweight hybrid cryptosystemIn 2012 IEEE Symposium on Security and Privacy Workshops (SPW)24ndash25 May 2012 pp 27ndash32 2012

[38] Javed R Shaikh et al (2017) rsquoEnhancing E-Commerce SecurityUsing Elliptic Curve Cryptographyrsquo International Journal of CurrentAdvanced Research 06(08) pp 5338ndash5342 DOI httpdxdoiorg1024327ijcar201753420701

[39] Reza Alimoradi ldquoA Study of Hyperelliptic Curves in CryptographyrdquoI J Computer Network and Information Security 2016 8 67ndash72

[40] Roman R Alcaraz C Lopez J A survey of cryptographic primitivesand implementations for hardware-constrained sensor network nodesJ Mob Netw Appl 12(4) 231ndash244 2007

[41] Gamal TE A public key cryptosystem and a signature scheme basedon discrete logarithms IEEE Trans Inf Theor 31(4) 469ndash472 (1985)

[42] Rohde S Eisenbarth T Dahmen E Buchmann J Paar C Fasthash-based signatures on constrained devices In Grimaud G Stan-daert F-X (eds) CARDIS 2008 LNCS vol 5189 pp 104ndash117Springer Heidelberg 2008

[43] httpsenwikipediaorgwikiNTRUPerformance[44] Howgrave-Graham N Silverman JH Whyte W Choosing para-

meter sets for NTRUEncrypt with NAEP and SVES - 3 In Menezes A(ed) CT-RSA 2005 LNCS vol 3376 pp 118ndash135 SpringerHeidelberg 2005

[45] Shoufan A Wink T Molter G Huss S Strentzke F A novelprocessor architecture for McEliece cryptosystem and FPGA plat-forms In Proceedings of the 20th IEEE International Conferenceon Application-specific Systems Architectures and Processors (ASAP2009) pp 98ndash105 2009

[46] Yang B-Y Cheng C-M Chen B-R Chen JM Implementingminimized multivariate PKC on low-resource embedded systems In

Towards Light Weight Cryptography Schemes 109

Brooke PJ Clark JA Paige RF Polack FAC (eds) SPC 2006LNCS vol 3934 pp 73ndash88 Springer Heidelberg (2006)

[47] httpsenwikipediaorgwikiYAK_(cryptography)[48] httpsenwikipediaorgwikiSigncryption[49] X W Zhou rdquoImproved Signcryption Schemes Based on Hyper-elliptic

Curves Cryptosystemrdquo in Applied Mechanics and Materials pp 546ndash552 2010

[50] Nizamuddin S A Chaudhry W Nasar and Q Javaid ldquoEfficientSigncryption Schemes based on Hyperelliptic Curve CryptosystemrdquoIEEE International Conference on Emerging Technologies (ICET 2011)pp 84ndash87 September 2011

[51] A S Ch Nizamuddin M Sher G Anwar N Husnain and I AzeemldquoAn efficient signcryption scheme with forwarding secrecy and publicverifiability based on hyper elliptic curve cryptographyrdquo MultimediaTools and Applications vol 74 pp 1711ndash1723 2015

[52] C Ashraf and M Sher ldquoPublic verifiable signcryption schemes withforward secrecy based on hyperelliptic curve cryptosystemrdquo in Interna-tional Conference on Information Systems Technology and Manage-ment pp 135ndash142 2012

[53] J Premalatha K Sathya and V Rajasekar ldquoSecure signcryption onhyperelliptic curve with sensor-based random numberrdquo pp 95ndash98

[54] P Kumar A Singh and A D Tyagi ldquoImplementation of Hyperel-liptic Curve Based Signcryption Approachrdquo International Journal ofScientific and Engineering Research Vol 4 Issue 7 2013

[55] Bassam J Mohd Thaier Hayajneh Athanasios Vasilakos ldquoA survey onlightweight block ciphers for low-resource devices Comparative studyand open issues Journal of Network and Computer Applications 58pp 73ndash93 2015

[56] Anuj Kumar Singh BDKPatro ldquoPerformance Comparison of Sign-cryption Schemes ndash A Step towards Designing Lightweight Cryp-tographic Mechanismrdquo International Journal of Engineering andTechnology (IJET) ISSN (Online) 0975-4024 AprndashMay 2017

[57] Shamsher Ullah Xiang-Yang Li Lan Zhang ldquoA Review of Signcryp-tion Schemes Based on Hyper Elliptic Curverdquo 2017 3rd InternationalConference on Big Data Computing and Communications 978-1-5386-3349-617 2017 IEEE

110 S P Jadhav

Biography

Santosh Pandurang Jadhav is a PhD student at the Technical Universityof Sofia at Sofia Bulgaria since 2017 He received his BE in InformationTechnology Engineering from North Maharashtra University India in 2007and ME in Computer Science amp Engineering from the Savitribai phulePune University of Maharashtra India in 2012 As an Assistant Professorin NDMVPSrsquos KBT college of engineering Nashik Maharashtra India hehas acquired a solid experience about 11 years of teaching in InformationTechnology Engineering

• Introduction
• Lightweight Cryptography Algorithms
• • Classification of Lightweight Cryptography Algorithms
  • • Symmetric encryption
    • Asymmetric encryption
    • • Signcryption
      • • General Performance Metric for Lightweight Cryptography Algorithms
        • Future Work
        • Conclusion