IMPLEMENTATION OF LIGHTWEIGHT CRYPTOGRAPHIC


Journal of Theoretical and Applied Information Technology, 15th October 2017. Vol. 95. No 19. 2005 – ongoing JATIT & LLS. ISSN: 1992-8645, www.jatit.org, E-ISSN: 1817-3195

IMPLEMENTATION OF LIGHTWEIGHT CRYPTOGRAPHIC PRIMITIVES

¹BARAA TAREQ HAMMAD, ¹NORZIANA JAMIL, ¹MOHD EZANEE RUSLI, ²MUHAMMAD REZA Z’ABA and ISMAIL T. AHMED

¹Universiti Tenaga Nasional, Jalan IKRAM-UNITEN, Kajang, Selangor, Malaysia
²MIMOS Berhad, Technology Park Malaysia, Kuala Lumpur, Malaysia

ABSTRACT

Lightweight cryptography is not a new branch in cryptography. It is a subject specifically addressing the implementation of security mechanisms in pervasive computing, which is characterized by smart but resource-constrained devices. There are at least two main lightweight symmetric cryptographic primitives, namely the lightweight block cipher and the lightweight hash algorithm. Most of the previous surveys focused on the implementation of specific cryptographic primitives. In this paper we present a comprehensive survey of all lightweight symmetric cryptographic primitives, from hardware and software perspectives. The survey covers analysis of these algorithms and a comparison between these primitives in terms of throughput, number of cycles, comprehensive area, power, and energy. We also provide a classification of the structure of lightweight block ciphers and lightweight hash functions. These classifications are very useful because the primitives have different and sometimes contrary characteristics. Finally, this comprehensive survey highlights some of the issues related to the security aspect of small key length in lightweight cryptographic primitives.

Keywords: Lightweight Cryptography, Symmetric Cryptography, Block Cipher, Hash Function.

1- INTRODUCTION

Nowadays, personal digital assistants (PDAs), cellular phones, radio-frequency identification (RFID) tags, low-end smart cards, wireless sensors, custom controllers, smart cards, healthcare devices, and a plethora of small devices have ushered in a new explosion of technology. These devices meet numerous application and consumer demands. However, these devices typically have several limitations in terms of energy/power, computation, memory, storage, and/or resources. These limitations result in challenges to the implementation of cryptographic primitives in these devices. Lightweight cryptography was thus introduced.

Lightweight cryptography is a modern branch of cryptography that resulted from the significant expansion in ubiquitous emerging technologies. In terms of performance, the implementation of traditional cryptography in these devices is impractical because of the complex and heavy mathematical operations of the traditional cryptographic primitives. These operations require high processing power and large memory space. In other words, the implementation of traditional cryptography in constrained environments is expensive. Many researchers have attempted to decrease the execution time of traditional cryptographic primitives [1, 2, 3, 4, 5]. However, the overall implementation costs of these attempts have increased because of the hardware requirements of the recommended integrated components. Lightweight cryptography aims at minimizing the overall implementation costs of cryptographic primitives relative to several aspects, such as key size, cycle rate, throughput rate, power consumption, and area, which is measured in Gate Equivalence (GE) [66].

Lightweight cryptographic primitives are generally divided into two categories, viz: lightweight symmetric cipher and lightweight asymmetric cipher. The first design of the lightweight symmetric cipher was the DESL algorithm [6]. This algorithm was based on the general structure of the Data Encryption Standard (DES) [7], in which different S-boxes were used. The key size is 56 bits, with 1848 GE. Two recent lightweight cryptographic primitives are the PRESENT block cipher [8] and the PHOTON hash function [9].

Panasenko et al. [10] proposed an approach to the design of lightweight cryptographic primitives. They also highlighted some constraints and recommendations for implementing lightweight cryptographic primitives. John [11] conducted a
survey of lightweight cryptographic primitives with only two block ciphers and stream ciphers. He analyzed the security features and performances of the hardware implementations of some primitives. Katagi et al. [12] provided an overview of the technology and standardization status of lightweight cryptography primitives. Batina et al. [13] analyzed the requirements of some lightweight block ciphers and compared these requirements with those of the AES algorithm. Juels reported a survey examining the approaches for privacy protection and integrity assurance in RFID systems and then discussed the social and technical contexts of his work [14]. Lata et al. [15] provided an overview of some lightweight primitives and their attributes with a comparison of the possibilities of the applications of such primitives. Arora et al. [16] discussed the lightweight stream cipher and lightweight block cipher primitives and compared the hybrid model of Hummingbird [17] with other lightweight cryptography primitives. Mohd et al. provided a taxonomy of lightweight block cipher implementation and showed that the most important metric in low constrained devices is energy metrics [18]. This paper gives a more comprehensive survey of lightweight symmetric cryptographic primitives, which include lightweight block ciphers and lightweight hash algorithms. These classifications are very useful because the primitives have different and sometimes contrary characteristics. Also, this survey highlights some of the issues related to the security aspect of small key length in lightweight cryptographic primitives.

The remainder of this paper is organized as follows. Section 2 presents the structures of lightweight block ciphers and lightweight hash functions. In Section 3, we provide a classification for both lightweight block ciphers and lightweight hash functions, and discuss the performance according to their structures. Section 4 discusses the security aspect of small keys in lightweight primitives. The conclusion is given in Section 5.

2-LIGHTWEIGHT CRYPTOGRAPHIC PRIMITIVE

We present a holistic view of lightweight cryptographic primitives as shown in Figure 1. As crucial applications go pervasive, the need for security in RFID and sensor networks is dramatically increasing, which requires secure yet efficiently implementable cryptographic primitives, including symmetric and asymmetric cryptography, as shown in Figure 1.

At this time, no promising asymmetric cryptographic primitive has met the desired security and lightweight properties as compared with conventional primitives. Asymmetric cryptography provides more security functionality than the symmetric cipher, but requires more computational power and is slower than symmetric cryptography [59].

Elliptic curve cryptography (ECC) [22], Rivest–Shamir–Adleman (RSA) [23], discrete logarithms [24], LPKI [68] and LEPA [67] are examples of the asymmetric cryptographic family. ECC is considered the most effective method for resource-constrained devices because of its small operand lengths and relatively low computational requirements [25]. This interest is normally dictated by the need for good hardware and software requirements. At this time, no promising asymmetric cryptographic primitive has met the desired security and lightweight properties as compared with conventional primitives, such as RSA and ECC. When public-key cryptography is used in lightweight settings, public-key constructions need many mathematical operations and much computation, such as factoring, which require huge resources to complete. Approaches based on public-key cryptography are too expensive for the most resource-constrained devices.

RSA is the most popular algorithm for asymmetric cryptography and supports key sizes from 1024 to 4096 bits. However, it requires a large hardware footprint and resource-demanding implementations, which led researchers to look for other algorithms for applications in constrained devices. ECC is more attractive for low constrained devices. It offers the same level of security with shorter keys compared to RSA and lower computational requirements [56].

Asymmetric cryptography provides more security functionality than the symmetric cipher, but requires more computational power and is slower than symmetric cryptography. Batina et al. [26] showed that ECC, which was implemented on a constrained device, requires between 8500 and 14000 gates, while a symmetric primitive such as PRESENT requires only 1570 GE. Obviously, the implementation of asymmetric cryptographic primitives is more costly than that of symmetric ones. Therefore, it is not the focus of this paper.

We classify lightweight cryptographic block ciphers, according to the structure on which they are built, into Feistel structure and SP-network TAN [35], MIBS [60], CLEFIA
[34], HIGHT [29], CURUPIRA [31], LBlock [38], SIMON and SPECK [42], TWINE [40], QTL [39]. SP-network such as AES [2], PRESENT [8], Hummingbird-2 [49, 50], LED [41], PRINCE [51], PRINTcipher [52], KLEIN [53].

From this classification, we note that the Feistel structure-based primitives perform faster than SP-network-based primitives. However, in terms of hardware implementation, the SP-network is more hardware friendly, as it requires less GE. Also, there were a few attempts to build lightweight stream ciphers such as Grain [51], Trivium [36], MICKEY [61], BEAN [62], Wg-8 [63], Fruit [64], and Lizard [65].

Figure 1. Lightweight Cryptographic Primitives.

2-1 Lightweight Block Ciphers

In this section, we review existing lightweight block ciphers:

A. AES: - Feldhofer et al. [27] introduced an authentication protocol for RFID tags using AES [28]. The proposed low-power implementation of the AES operates on a fixed input size. The flexibility of AES enables its implementation on different platforms. Efficient implementations are possible on 8-, 32-, 64-, and 128-bit platforms. The hardware implementation of AES to encrypt a 128-bit block of data requires 3595 GE within 996 clock cycles and has a power consumption of 8.15 µA on a 0.35 µm (CMOS) process.

B. HIGHT: - Hong et al. [29] designed HIGHT (high security and light weight), which was standardized by the Telecommunications Technology Association of Korea. The structure of HIGHT is a generalized Feistel structure (GFS), and the round function is light when compared with the SP-like structure. Every operation in HIGHT is 8-bit processor-oriented, making it suitable for low-resource hardware implementation. Therefore, HIGHT is hardware-oriented rather than software-oriented. Hardware implementation of HIGHT requires 3048 GE. The encryption and decryption processes in HIGHT are the same.

C. DESL & DESXL (DES Lightweight): - were proposed by Poschmann et al. [6]. The design is based on DES. The main idea of DESL and DESXL is to minimize gate complexity by using serial hardware. Furthermore, a single S-box repeated eight times is used in the round function instead of the eight S-boxes employed in the original DES. The single S-box is more resistant to differential and linear cryptanalysis than the original DES S-boxes. The original initial permutation and its inverse are removed because they do not provide additional cryptographic strength, as well as to decrease wiring costs. DESL implementation requires 1848 GE. The small 56-bit key size provides limited protection. Thus, DESL is suitable for applications that require short-term security.

D. Curupira: - Barreto [30] suggested the use of “Curupira-1” for the original key schedule. Marcos [31] proposed the use of “Curupira-2” for the new specification. We simply write “Curupira” when discussing both. The round function structure is used for Curupira [31], with nonlinear layer γ, permutation layer π, linear diffusion layer θ, and key addition layer σ (Kr).

Figure 2. Structure of the Curupira-1 S-Box [30].

With a highly nonlinear S-box, the Curupira S-box is the same as that used in Anubis [32] and Khazad [33], in which the implemented 8 × 8-bit Curupira S-box is composed of two 4 × 4-bit S-boxes, namely, P and Q, to ensure high diffusion speed. The Curupira S-box has the advantage of being cyclical, which indicates that the original key is recovered after a certain number of rounds, thus eliminating the need for storing any intermediary subkey during encryption and decryption. However, the use of the Curupira S-box results in many memory/performance trade-offs.

E. PRESENT: - PRESENT [8] is an SP-network block cipher with 31 rounds. The block size is 64 bits, and the cipher supports two key sizes, which are 80 and 128 bits. Each round consists of an XOR operation to introduce a secret round subkey, a bitwise permutation, and a nonlinear substitution, which consists of 16 identical S-boxes with 4-bit input and 4-bit output (4 × 4). Hardware implementation of PRESENT-80 requires an area of 1570 GE.

F. CLEFIA: - CLEFIA [34] is a block cipher that uses the generalized Feistel structure (GFS). CLEFIA has two different 32-bit F functions per round, with each function containing two distinct 8 × 8 S-boxes and a maximum distance separable (MDS) matrix. This construction is used to maximize cipher resistance against differential and linear cryptanalysis. CLEFIA requires 5979 GE.

G. KATAN and KTANTAN: - De Cannière et al. [35] proposed a new family of block ciphers composed of two variants, namely, KATAN and KTANTAN. The design is based on the Trivium stream cipher [36], which is similar to a nonlinear feedback shift register (NLFSR), with a Feistel structure. KTANTAN is more compact than KATAN and is used in devices in which the key is fixed and can never be changed. The only difference between KATAN and KTANTAN is the key schedule. KATAN and KTANTAN are hardware-efficient block ciphers that require less than 1000 GE. The use of shift registers makes KATAN and KTANTAN suitable for low-resource devices [35]. The KTANTAN32 can be implemented in 462 GE at 100 KHz, whereas KTANTAN48 requires 588 GE and KATAN64, the largest cipher, requires 1054 GE at 100 KHz.

H. Hummingbird: - Engels et al. designed Hummingbird [17] and Hummingbird-2 [58]. Hummingbird is not classified under the block cipher or stream cipher category, but has the properties of both. The 16-bit block cipher is a typical SP-network consisting of four rounds and a final round that only includes the key mixing and the S-box substitution steps. The round comprises three stages, namely, a key mixing step, a substitution layer, and a permutation layer. The block size is 16 bits, which is suitable for low constrained devices because it deals only with small messages. The implementation of Hummingbird requires 3220 GE. Authenticated Encryption with Associated Data is a method in Hummingbird that authenticates any associated data that travels with the ciphertext. Processing of associated data occurs only after an entire encrypted payload has been processed.

I. PRINTcipher: - Knudsen et al. [37] proposed the PRINTcipher block cipher for integrated circuit printing, or IC-printing, as one of the low constrained devices. The structure of PRINTcipher is an SP-network. The cipher state is combined with a round key using bitwise XOR. Then, the cipher state is shuffled using a fixed linear diffusion layer. Thereafter, the cipher state is combined with a round constant by using bitwise XOR. The 3-bit entry to each S-box is permuted in a key-dependent permutation layer. Finally, the cipher state is mixed using a layer of b/3 nonlinear S-box substitutions.

J. LBlock: - Wu and Zhang [38] proposed the LBlock lightweight block cipher with Feistel structure. The LBlock consists of eight 4 × 4 S-boxes in parallel and requires 1320 GE. The LBlock consists of three parts, namely, encryption algorithm, decryption algorithm, and key scheduling. Each round consists of a round function, a confusion function, and a diffusion function (permutation of eight 4-bit words). The number of S-boxes is decreased, and the size of each S-box is minimized. More rounds are needed to achieve adequate security margins. In each round of LBlock, only half of the data is selected to undergo the round function, whereas the other half undergoes a simple rotation operation.

K. LED: - Guo et al. [39] presented the LED block cipher with SP-network structure. The cipher state is conceptually arranged in a 4-bit matrix, with each
nibble representing an element from GF(2⁴) with a polynomial expressed as X⁴ + X + 1. The S-box in the LED cipher is the same as the PRESENT S-box, and its implementation requires 1265 GE.

L. TWINE: - Suzaki et al. [40] proposed TWINE. The structure of TWINE depends on the Type-2 generalized Feistel network structure (GFS), with 16 4-bit sub-blocks. TWINE uses only one 4-bit S-box and 4-bit XOR. A round function of TWINE consists of a nonlinear layer using 4-bit S-boxes and a diffusion layer, which permutes the 16 blocks. The diffusion layer is not a circular shift and is designed to provide better diffusion than the circular shift. The decryption of TWINE is the same as the encryption in that it uses the same S-box and key schedule with the inverse block shuffle. TWINE requires 2285 GE.

M. PRINCE: - Borghoff et al. [41] proposed PRINCE. A ciphertext is computed within a single clock cycle and requires 8679 GE. The cipher uses a 4-bit S-box. The same S-box is used 16 times. PRINCE is the first lightweight block cipher that takes latency as the main priority. The cipher is optimized with respect to latency when implemented in hardware. The internal block cipher is based on the SP-network structure. The cipher has an interesting feature in that one can perform decryption by reusing the encryption process with a slightly different key. This feature provides an advantage in implementations requiring encryption and decryption, but at the same time induces some structure.

N. SIMON and SPECK: - are two families of block ciphers publicly released by the National Security Agency in 2013 and proposed by Beaulieu et al. [42]. SPECK is tuned for optimal performance in software implementations, whereas SIMON is tuned for optimal performance in hardware implementations. The structure for SIMON and SPECK is the Feistel network. SIMON requires 1234 GE, whereas SPECK requires 1280 GE.

O. KLEIN: - Gong [43] proposed the KLEIN cipher. The structure of KLEIN is a typical SP-network, the same as AES, and has a 4-bit S-box. KLEIN requires 2,213 GE.

P. QTL: - [44] proposes a Feistel network structure block cipher, QTL. It supports 64-bit blocks with 64- or 128-bit keys. A traditional Feistel structure processes only half of the block message, but QTL changes the whole message. The designers do not use a key schedule, to reduce energy consumption.

Q. LiCi: - Patil et al. [69] proposed LiCi, a lightweight block cipher. It is a Feistel-based network in which the input is 64 bits and the key size is 128, generating 64 bits of ciphertext. It requires 1153 GE and consumes 30 mW.

R. Oppel-1: - presented by Ali, Arshad [70]. It is a non-Feistel substitution-permutation network with an input length of 128 bits and a 128-bit key length. The key is divided into subkeys by a specially designed subkey generation mechanism.

2-2 Lightweight Cryptographic Hash Functions

A hash function takes an arbitrary input size of messages and produces output messages with a fixed size. Although no secret is involved in the computation, one would like to preserve collisions (two distinct messages hashing to the same value) or (second) preimage (a message input that hashes to a given challenge output value) to be computationally
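
The PRESENT round structure from item E of Section 2-1 (round-key XOR, sixteen 4 × 4 S-boxes, bit permutation, 31 rounds), written out for the 80-bit key as an added example that is not part of the original paper. The S-box table, bit permutation and key schedule come from the PRESENT specification [8], not from this page, and the function names are chosen for this example.

```python
# PRESENT-80: 64-bit block, 80-bit key, 31 rounds plus a final key addition.
# Added example. S-box, bit permutation and key schedule follow the PRESENT
# specification (reference [8] of the survey); they are not given on this page.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(x) for x in range(16)]

# Bit i of the state moves to bit position PERM[i].
PERM = [63 if i == 63 else (16 * i) % 63 for i in range(64)]
INV_PERM = [PERM.index(i) for i in range(64)]

MASK80 = (1 << 80) - 1


def substitute(state, box):
    """Apply one 4x4 S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for nibble in range(16):
        out |= box[(state >> (4 * nibble)) & 0xF] << (4 * nibble)
    return out


def permute(state, table):
    """Move bit i of the 64-bit state to bit position table[i]."""
    out = 0
    for i in range(64):
        out |= ((state >> i) & 1) << table[i]
    return out


def round_keys_80(key):
    """Derive the 32 round keys (64 bits each) from the 80-bit key register."""
    keys = []
    for counter in range(1, 33):
        keys.append(key >> 16)                       # leftmost 64 bits
        key = ((key << 61) | (key >> 19)) & MASK80   # rotate left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))
        key ^= counter << 15                         # counter into bits 19..15
    return keys


def encrypt(block, key):
    """Encrypt one 64-bit block (int) under an 80-bit key (int)."""
    keys = round_keys_80(key)
    state = block
    for k in keys[:31]:
        state = permute(substitute(state ^ k, SBOX), PERM)
    return state ^ keys[31]


def decrypt(block, key):
    """Invert encrypt(): undo the layers in reverse order."""
    keys = round_keys_80(key)
    state = block ^ keys[31]
    for k in reversed(keys[:31]):
        state = substitute(permute(state, INV_PERM), INV_SBOX) ^ k
    return state


if __name__ == "__main__":
    # All-zero key and plaintext, the first test vector of the specification.
    print(f"{encrypt(0, 0):016X}")
```

The whole cipher needs one 16-entry table and bit wiring, which is why its hardware footprint is so small; the bit permutation that is free in hardware is the slow part in software.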
