
Lightweight cryptographic algorithms based on different model architectures: A systematic review and futuristic applications

Abstract

Lightweight cryptography is a rapidly developing research field. Its main goal is to provide security for devices with fewer resources. These limited‐resource devices implement reliable ciphers that use very little power and computation. The lightweight cipher should be built for high performance while using the fewest resources possible, such as memory and power. In this article, we compare block ciphers and several other stream ciphers based on criteria such as input size, output size, structure employed, key size, number of rounds, vulnerable attacks, chip area, gate equivalent, memory use, throughput, and security features. Moreover, this article provides a detailed analysis comparing all cryptographic algorithms and their use in day‐to‐day life activities. This paper also discusses some lightweight ciphers, stream ciphers, and hybrid ciphers. Moreover, it shows the cryptanalysis of some block ciphers like DES.
Received: 16 February 2022 Revised: 13 July 2022 Accepted: 27 July 2022
DOI: 10.1002/cpe.7425
RESEARCH ARTICLE
Vijesh Bhagat1, Santosh Kumar1, Sachin Kumar Gupta2, Mithilesh Kumar Chaube1
1Department of Computer Science and
Engineering, IIIT Naya Raipur, Atal Nagar-Nava
Raipur, India
2School of Electronics and Communication
Engineering, Shri Mata Vaishno Devi
University, Katra, India
Correspondence
Sachin Kumar Gupta, School of Electronics and
Communication Engineering, Shri Mata
Vaishno Devi University, Katra-182320,
(Jammu & Kashmir), India.
Email: sachin.gupta@smvdu.ac.in
KEYWORDS
algorithm, attacks, biometrics, ciphers, encryption, lightweight cryptography, multimodal,
preservation, privacy, security
1 INTRODUCTION
Lightweight cryptographic computing paradigms are widely used for low-resource devices, such as RFID tags and wireless devices such
as wireless sensor networks (WSN).1,2 As the world becomes more digital, new gadgets are being developed with a battery, outstanding performance,
low resources, and a short execution time. New types of attacks on such devices have also emerged. Because they are often more accessible to an
attacker than other general-purpose computing equipment, these devices are prone to hardware attacks. So, there is a requirement to provide some
kind of security. RFIDs are rapidly replacing barcodes in the supply chain, providing for more effective and reliable tracing of commodities and supporting
sophisticated applications such as public transit ticketing.2
Data processed and stored by electronic components should be protected from unwanted access and alteration, mainly when used in sensitive
applications.3 The amount of chip area required to implement a block cipher in hardware should be small enough that the additional security feature
does not considerably increase the cost. To reduce the occupied area, there is a need to employ a scan register instead of regular flip-flops.2 This
necessitates ensuring the legitimacy of packets sent from and received by the device. Another, more critical worry is the limited amount of power
available in such instruments. The number of gates in an RFID device is often limited to a few 100 to a few 1000. Furthermore, these gadgets are often battery-free
and rely on the existing electromagnetic (EM) field to generate energy.
The primary role of cryptography is to enable safe communication in the presence of malevolent third parties, referred to as adversaries. Encryption
transforms an input (i.e., plaintext) into an encrypted output (i.e., ciphertext) using an algorithm and a key. Symmetric key encryption methods
take two forms: (a) block ciphers and (b) stream ciphers.
A block cipher operates on a single data block at a time. The plaintext or message is broken down into blocks, each of which is processed separately using a key and a
cryptographic mechanism (see Figure 1).
Concurrency Computat Pract Exper. 2022;e7425. wileyonlinelibrary.com/journal/cpe © 2022 John Wiley & Sons, Ltd.
FIGURE 1 General idea of the cryptography field74
The stream cipher enables algorithms to perform encryption and decryption of shared data using a symmetric key mechanism.
Requirement of security: The basic requirements of confidentiality, availability, and integrity are defined as follows:
1. Confidentiality: The term “confidentiality” covers measures that protect sensitive information from unauthorized access attempts. It requires preserving
the sensitive database and information from any unauthorized access to data.
2. Availability: It ensures that data is consistently and readily accessible to authorized parties, along with properly maintaining the connected
components, including hardware and technical infrastructure, models, and systems, that keep the data and show the information.
3. Integrity: It defines the way to maintain the consistency, accuracy, and trustworthiness of data.
The key challenges while implementing traditional cryptography are:
1. It requires minimal memory.
2. Computing power is required at a lower level.
3. For the execution of LWC in hardware devices, a small physical area is needed.
4. Requirement for a low-power battery.
5. The system will provide a real-time response.
As we know, the tradeoff between security, cost, and performance is a significant consideration when creating lightweight cryptographic
algorithms/models and systems. The primary aim of this study is to provide a platform for the implementation of intelligent lightweight algorithms,
models, and systems for the development of edge devices. Moreover, this study provides insight for new researchers to explore better
avenues for deploying their security models in different emerging applications in the security field. This study also looks at
their security characteristics and provides evaluation parameters to measure the performance of their hardware implementations and of
working lightweight cryptography models and prototype systems. Existing algorithms on the market give good security but use a lot of
battery power.
As a result, a new encryption method must be developed that uses minimal battery power and other hardware resources while maintaining the
same level of security as present ciphers. There are several applications for data security in these domains, such as biometric information or sensitive
health-monitoring data. Therefore, we need lightweight cryptography algorithms to secure our data and its transmission from
the device to the device controller. Figure 2 shows cost, performance, and security for the deployment of the security system. Table 1 shows the
characteristics and advantages of the lightweight cryptography paradigm for many upcoming security applications. In this article, we go through
the fundamentals of block cipher design, as well as some of the most used block ciphers, vulnerability analysis, and deep learning cryptanalysis of
them.
FIGURE 2 Shows cost performance and security for deployments of security system
TABLE 1 Characteristics of lightweight cryptography model and its advantages
Characteristics | | Advantages of LWC paradigm
Physical (Cost) | Physical area (Logic blocks) | 1. Tiny key and required block; 2. Minimum number of rounds; 3. Simple computation; 4. Easy and unique key generation
 | Memory requirement (general purpose registers [GPR], random access memory, ROM) |
 | Battery (Energy consumption) |
System performance | Computation power (Latency, Throughput) |
Security | Minimum bits required for security and unique key generation | 1. Robust and resilient internal structures of the models and frameworks; 2. It provides a privacy and preservation mechanism
 | Theoretical attack models (Required keys and multi-key generation) |
 | Side-channel required attack |
 | Fault injection attacks |
1.1 Motivation
In the traditional authentication paradigm, a cryptosystem-based system is deployed based on the possession of different keys, such as
secret keys. The private key crumbles when the generated keys are not kept secret.9 The unique keys can be misplaced, or can stop working
correctly because they were mislaid or sacked; hence, individuals cannot deny access to the authentication system even though an attacker
or cryptanalyst can use the generated keys to access the user system easily.10–12 Hence, the secret keys are stored tentatively,
users are validated based on the shared keys they provide to access the systems’ resources, and access is granted
upon proof and verification of the actual users. Sometimes, this security can be breached easily when attackers
guess the passcodes and shared passwords, or learn confidential credentials from the user’s details.5–12 It is always preferable to use encrypted and
complicated passcodes over basic passcodes due to complex maintainability.
Current trends in the cryptography field make heavy use of deep learning models, which are deployed to generate massive keys to protect
systems in cloud computing and network computing paradigms. Futuristic research is proliferating due to its huge number of applications in different
fields. It shows that intrusions in network security have been increasing, and that possible attacks on systems are being prevented by increasing the
number of keys, the key length, and the number of iterations, making it computationally hard to breach the security of the systems over time.
The durable and robust biometric verification system is also used to enable security mechanisms.12 Biometric characteristics are unique,
intrinsic, and immutable, comprising physiological and actionable biometric characteristics,11,12 ensuring access with absolute accurateness.13 Most
biometric recognition systems and computing platforms are connected to the IoT framework. So it is necessary to keep data safe from the hands of
breachers to avoid data exploitation, while not overlooking errors committed at the human level. Today almost everything is based on cloud
and IoT frameworks, which entails a lot of sensitive data sharing.9–13 Recently, lightweight cryptography has been getting attention for different
applications. The advantage of lightweight cryptography is that it provides an easy way to import a third-party library, including programming code and
supporting files such as JavaScript and CSS, and to use the platform resource loader modules from the third-party library. This
library enables user systems to provide security as a static resource, a lightning security requirement.
The emphasis of this paper is primarily to highlight the research contribution, in order to motivate interdisciplinary researchers, scientists,
and engineers to find new avenues in privacy preservation using lightweight cryptography, and to highlight threats that, when sidelined, could lead to a major
setback to the security of individuals or organizations.
The paper is organized as follows. The next section delves into a number of security attacks and analyses them thoroughly. Section 3
summarizes the basic design of the ciphers required for designing a framework and model. Section 4 discusses lightweight cryptographic algorithms
and their various types of security attacks, vulnerabilities, threats, and adversarial models that can lead to data breaches in database systems. We extend
the security model and framework-related discussion using lightweight cryptography in Section 5. Section 6, on deep neural network-based cryptanalysis
of lightweight block ciphers, provides a detailed analysis of security methods and frameworks. Finally, Section 7 concludes by giving additional
observations for future work.
2 TYPES OF ATTACKS
This section illustrates potential attacks on the security of authentication systems, such as biometrics-based pattern recognition systems and
other systems, which pose a great danger to the integrity and secrecy of biometric data. Recently, attackers have performed several attacks on security
systems or frameworks to breach their security. Different types of attacks are shown in Figure 3. A concise explanation of these attacks is given
in the next sub-sections. Further, Table 2 summarizes the current state-of-the-art methods for security in the lightweight cryptography paradigm.
2.1 Spoofing attack
Illicit accessing of individual or company data is snooping. This spoofing attack is very much like eavesdropping, but it is not restricted to gaining
permission to get hold of illegal data during transmission. Examples include casually reading someone’s mail or the private data he is working
on, or observing the letters someone else is typing. Software programs are primarily used to monitor the activities on a computer or network
incidentally.11–15,24,25
2.2 Service-based attack
Service-based attack aims to render a network service unusable. A service-based assault is depicted in Figure 4. Nodes 1, 2, 3, and 4 are adversary
nodes that provide bogus data to the target node. Each node wants to take authentication over the data and system for easy access. The four basic
forms of attacks include replaying, denial-of-service (DoS) attacks, source fraudulent attacks, and spam attacks. The following is a brief description
of each attack:
FIGURE 3 Classification of attacks
TABLE 2 Summary table of current state of art methods for security in lightweight cryptography paradigm
S.N. | Name of attack | Vulnerability | Security violation | Countermeasures
1 | Hidden channel attack | Shared hardware component (cache memory) among | Confidentiality | Hard isolation; Cache flushing; Noisy data access time; Limiting cache switching rate
2 | Theft-of-service attack | Periodic sampling of VM’s used resources | Availability non-repudiation | Fine-grain sampling using high-precision clocks; Random sampling
3 | Insider attack | Lack of trust in cloud administrator | Confidentiality integrity | Homomorphic encryption; Secret storage through data chopping and permutation-based on secret key
4 | VM escape attack | Hypervisor software bugs | Configuration of hardware enabling issue | - Encryption is not easy
5 | ECC based cryptosystems attack | Satisfy security and efficiency requirements | Hardware enabled component violation | - Computational time is more; - efficient
6 | Generic attacks: It does not depend on the internal state of a cipher | Attack computationally non-feasible | Confidentiality and integrity loss | Take more time to prevent attack; More exhaustive application
7 | Exhaustive key (brute force attack) | Non-applicable to system software debug operation | Confidentiality | High computational time; More number of searches are possible
8 | Dictionary attack | The database system may be corrupted. | Confidentiality and integrity loss | Delayed response delay time between original system and hacker; Allow the slow-down process for repeated logins.
9 | Time-memory trade-off (TMTO) attack | System-level information memory | Memory requirement is huge | The attackers try to get a situation similar to the space-time tradeoff, however, with the requirement of the additional parameter of data, representing the amount of data available to the attacker.
Non-generic attacks
10 | Linear attack | System-level loss | Availability non-repudiation | Less time to perform computation for security check; Work on an individual bit
11 | Differential attack | | | - Weaknesses in the block cipher FEAL.; Work on multiple variations of input bits and encrypted bits for ensuring system security
12 | Non-attack | Maintain security of the system | Confidentiality and integrity loss | Used non-linear function to perform the security analysis on generated encrypted codes.
12 | Algebraic attack | It maintains the cipher operations as a defined complex system of equations | May produce non-computable codes after subsisting parameters or equations in known data | - Cryptanalysis against a cipher; - Takes more time to perform computation
2.2.1 Replay attack
Node (A) must authenticate its identity before exchanging data with node (B), so node (B) requires a legal certificate, or authentication information,
as illustrated in Figure 4B. Node (A) then sends node (B) a Signed Packet (SP) containing this certificate. During the transaction, an opponent
who is listening in on the channel may store this SP. Once the exchange procedure is complete, the attacker attempts to contact node (B), and node
(B) requires a valid certificate from the opponent. The opponent sends the SP to node (B). Node (B) believes that it is negotiating with node (A),
which may result in the adversary’s incapacity to deliver a service provided by node (A). A replay attack is a class of network attack in which an interloper breaches the
network to detect a data transmission and deliberately delays or repeats the message.25–30 The repetition of information is caused by intercepting
it, either accessing or modifying it, and then retransmitting it. It can be described as an incursion on the protocols, exploiting the data transaction by
replaying it from a different sender into the system, deluding the main communicating parties into feeling that data transmission has been completed
successfully.31–35
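The stored-SP situation described above and the freshness check that stops it, as an added example (not code from the paper). The paper's signed packet is modelled with an HMAC tag under a pre-shared key; the key, the packet layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by node A and node B (assumption: the SP is
# modelled with an HMAC tag instead of a certificate).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = 32  # SHA-256 output size


def make_static_sp(key: bytes, identity: bytes) -> bytes:
    """Replayable form: the tag covers only the identity, so the packet is
    identical in every session."""
    return identity + hmac.new(key, identity, hashlib.sha256).digest()


def verify_static_sp(key: bytes, packet: bytes) -> bool:
    identity, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, identity, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


class NodeB:
    """Verifier that issues a fresh random challenge per session and accepts
    at most one response per challenge."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, packet: bytes) -> bool:
        if nonce not in self._pending:
            return False               # unknown or already-used challenge
        self._pending.discard(nonce)   # single use, even if the check fails
        identity, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._key, nonce + identity, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def respond(key: bytes, identity: bytes, nonce: bytes) -> bytes:
    """Node A's answer: the tag binds the identity to B's challenge."""
    return identity + hmac.new(key, nonce + identity, hashlib.sha256).digest()


def demo() -> dict:
    results = {}
    # 1. Static SP: a stored copy verifies again in a later session.
    sp = make_static_sp(SHARED_KEY, b"node-A")
    stored_copy = bytes(sp)  # what a listener on the channel keeps
    results["static_first"] = verify_static_sp(SHARED_KEY, sp)
    results["static_replayed"] = verify_static_sp(SHARED_KEY, stored_copy)

    # 2. Challenge-response: the stored response fails in any later session.
    node_b = NodeB(SHARED_KEY)
    n1 = node_b.new_challenge()
    resp1 = respond(SHARED_KEY, b"node-A", n1)
    results["fresh_first"] = node_b.verify(n1, resp1)
    results["same_challenge_again"] = node_b.verify(n1, resp1)
    n2 = node_b.new_challenge()
    results["old_response_new_challenge"] = node_b.verify(n2, resp1)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```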
2.2.2 Denial-of-service attack
This is the most serious attack in this category. An attacker can employ a DoS attack to disable a service during social communications, such as
interrupting routing, halting a file server, depleting the limited buffer resource, or restricting the spread of secret keys. As a result, a DoS attack can
originate at any tier, including the physical, network, transport, and application layers.
2.2.3 Source bogus attack
The insider assault is limited to the use of a fraudulent source. Figure 4 shows how a node inoculates itself with fictitious data in order to deplete
the node’s limited buffer resources,21 as shown in Figure 4A. Furthermore, even though the two attacks have distinct goals, the fake source attack
is comparable to the improper data attack.37 Lin et al.21 is the only paper we have seen so far that deals with fake source attacks in ad hoc social
networks. The STAP protocol21 uses single-attribute encryption to protect against false source attacks.
2.2.4 Spam attack
Spam is hitting the internet like wildfire. The purpose of an opponent is to send a huge number of emails to a variety of recipients, all of whose
addresses were obtained from the Internet. This attack’s first purpose is to fill adverts at a lower cost. An attacker can use this technology to disrupt
data filtering and spy on the storage space of ad hoc social networks. It’s worth noting that the only publication we have seen that manages spam attacks
in ad hoc social networks is Hameed et al.16 The LENS system in Reference 16 uses the concept of Gatekeepers to prevent spam transmission.
FIGURE 4 Service-based attack, (A) Source bogus attack, (B) Replay attack
FIGURE 5 Attacks based on manipulation: (A) user manipulation; (B) man-in-the-middle attack
FIGURE 6 Block diagram of a man-in-the-middle attack-based cryptography framework
2.3 Manipulation-based attack
The management of ad hoc social networks (users or social spots) is the focus of this type of attack (shown in Figure 4). Manipulation of users and
man-in-the-middle attacks are two significant assaults.
2.3.1 User manipulation attack
In this process, an attacker impersonates a small or major hotspot in order to update certificates on nodes in an ad hoc social network. An adversary
delivers a packet containing a false hotspot, as shown in Figure 5A, and a node then undertakes the update certificates phase with this adversary. As
a result, nodes must disclose their hotspots openly.23 In addition to cryptanalytic brute force attacks, erroneous data attacks, and liability attacks,
the user manipulation attack can be utilized to carry out cryptanalytic brute force assaults.37
2.3.2 Man-in-the-middle attacks
Because the adversary manipulates the users, we have put it here even if the assault’s basis is the same as the rest of the attack. In the Diffie–Hellman
key exchange mechanism, the man-in-the-middle attack can be used. As shown in Figure 5B, the source and destination nodes exchange public keys
to create a secure connection (messages M1, M2, M’1, M’2). An adversary intercepts communications M1, M2, M’1, and M’2 and delivers its public
key to the victims (messages M3, M4, M’3, M’4).
The adversary node encrypts the communications and sends them to the source and destination nodes using the adversary public key (messages).
A man-in-the-middle attack happens when an attacker stands in the center of a data transfer and obtains access to both the client and the
server while being undetected by both ends, as shown in Figure 5B. The attacker manipulates and alters the DNS, IPs, and ARP to access the sent
data.36 By this technique, the attacker can get access to the user’s personal or secret data credentials and might exploit it or modify the data being
transmitted. The cryptographic-based frameworks are used to avoid man-in-the-middle attacks based on shared messages (M1 and M2) and key
transmission between victims and attackers (see Figure 6).
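Why the unauthenticated Diffie–Hellman exchange described above cannot tell a substituted public key from a genuine one, and how binding each public value to its sender lets the end nodes reject the substitution. This is an added example, not code from the paper: the toy group, the HMAC-based authentication with a long-term key shared by the two end nodes, and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, illustration only): 2**127 - 1 is prime but far too
# small for real use.
P = 2**127 - 1
G = 3


def keypair():
    priv = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def tag_pub(auth_key: bytes, sender: bytes, pub: int) -> bytes:
    """Bind a public value to its sender with the long-term key."""
    msg = sender + b"|" + pub.to_bytes(16, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def check_pub(auth_key: bytes, sender: bytes, pub: int, tag: bytes) -> bool:
    return hmac.compare_digest(tag, tag_pub(auth_key, sender, pub))


def run_exchange(authenticated: bool, intercepted: bool) -> dict:
    """Simulate one key exchange between a source and a destination node,
    optionally with an intermediary that swaps the public values in transit."""
    auth_key = b"constructed long-term key"  # constructed; end nodes only
    a_priv, a_pub = keypair()   # source node
    b_priv, b_pub = keypair()   # destination node
    e_priv, e_pub = keypair()   # intermediary on the path

    # Messages as sent: (sender, public value, tag).
    m1 = (b"source", a_pub, tag_pub(auth_key, b"source", a_pub))
    m2 = (b"destination", b_pub, tag_pub(auth_key, b"destination", b_pub))

    # Messages as delivered. Without auth_key the intermediary can replace
    # the public value but can only forward the original tag.
    d1 = (m1[0], e_pub, m1[2]) if intercepted else m1
    d2 = (m2[0], e_pub, m2[2]) if intercepted else m2

    if authenticated and not (check_pub(auth_key, *d1) and check_pub(auth_key, *d2)):
        return {"established": False, "keys_match": False, "exposed": False}

    k_source = session_key(a_priv, d2[1])
    k_dest = session_key(b_priv, d1[1])
    # "exposed": the intermediary can derive both session keys.
    exposed = (session_key(e_priv, a_pub) == k_source
               and session_key(e_priv, b_pub) == k_dest)
    return {"established": True, "keys_match": k_source == k_dest, "exposed": exposed}


if __name__ == "__main__":
    for auth in (False, True):
        for tampered in (False, True):
            print(f"authenticated={auth} intercepted={tampered} ->",
                  run_exchange(auth, tampered))
```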
FIGURE 7 Show adversarial attacks based on generated images
2.4 Adversarial attacks
Deep learning is playing a substantial role in artificial intelligence advancements. Deep Neural Networks (NN) have established exceptional
achievement over adversarial attacks.40,41 Human capacities are limited, making it difficult to comprehend and solve complex organized issues; as a
result, they appear prone to adversarial assaults, in which a little change in input data causes the system to predict inaccurate output values.40–42
Adversarial confusion is the error attached to correct data to make it adversarial data. A one-step calculation is enough for One-Shot Similarity
(OSS) and one-step-based learning methods to create adversarial confusion. There are repetitive methods that perform a similar computation again
and again for the one-step confusion. In this context, other notable efforts have also contributed to making neural network frameworks
robust against adversarial attacks. Zantedeschi et al.42 studied bounded ReLU neural network activation to mitigate the effectiveness of adversarial
pixel patterns in the given images.
Current work has illustrated that NN-based technology and frameworks are susceptible to adversarial attacks. In the example, inputs are almost
indistinguishable from natural data and are classified incorrectly by the neural network architectural frameworks. In a similar direction, the author44
studied the ’Hyper Networks’ framework, which applied statistical filtering techniques to make the deep learning network robust. Figure 7 presents
an adversarial attack, with example images generated by Reference 56 for the AlexNet framework.
The adversarial defense was studied from the perspective of robust optimization by the author44 to find the adversarial training samples
with a Projected Gradient Descent (PGD) adversary method that effectively shields against various adversaries. The PGD is widely regarded as a
“first-order enemy.” It is the most effective assault that uses the neural network’s local first-order information.
In a similar direction, various other authors have proposed a deep learning network that is normalized and unitedly enclosed to classify and
resemblance learning techniques. The network is criticized by the correct and equivalent adversarial enclosure difference. Moreover, an ensemble
of classification schemes was stated46 to preserve a deep learning network against the adversarial. Sturdiness is attained in the final layer of a neural
network. The author47,48 suggested a resistant mechanism against an adversary using neural networks. Author49 suggested various standardized
networks by implementing an objective function for minimizing the dissimilarity between the multilayer outputs of correct original and adversarial data.50–52
2.5 Targeted attacks and black-box attacks
Targeted attacks delude a learning model into wrongly predicting a specific label for the adversarial data.51,52 A black-box attack feeds the inputs of the
targeted system with incorrect data, especially while the system is being tested, while the system is unaware of this data creation. On the one hand, it is presumed
that the attacker is oblivious of the constraints and parameters of the system or might have only slight details of it. On the other hand, using the targeted
system’s details instead of adversarial data is called a semi-black-box attack.52-54
2.6 Attacks of leaking privacy
Identity-based attacks, location-based attacks, eavesdropping-based attacks, manipulation-based attacks, and service-based attacks are among the
five categories of privacy-breaching assaults we have proven. These assaults have the potential to disrupt good communication across several firms,
and much work has gone into safeguarding people’s privacy.
3 BASIC DESIGN OF CIPHERS
In this section, we discuss the basic design of a lightweight block cipher.
3.1 Recap of encryption algorithms
We use two types of cryptography: (1) public-key cryptography (also known as asymmetric cryptography) and (2) private-key cryptography (commonly
known as symmetric cryptography). Asymmetric cryptography uses two types of keys: public
keys that are widely known and private keys that are known only by the owner. Private-key cryptography
encrypts and decrypts data using the same key.4,5 Any encryption algorithm has some standard common
constituents, shown in Figure 8.
1. Plain text: The original text, or any readable text that needs to be encrypted, is the plain text. This is the input for the cryptographic algorithm.
2. Cipher text: The end product of the plain text after processing by the encryption procedure is known as the ciphertext. Many sections of
plain text are used in this ciphertext, as well as the key (confusion).
3. Encryption algorithm: This algorithm is applied to the plain text, utilizing various substitution and transposition techniques, to generate the
ciphertext.
4. Decryption algorithm: The decryption procedure is the reverse of the encryption calculation.
5. Key (Secret Key or Private Key or Both): This is the central core of any cryptographic algorithm, and it does not depend on the plain text that
we input. For encryption, we use keys that are filtered after every round of encryption, and those duplicate keys are used for decryption. This
key filtering is done by a key generation algorithm, which is different for every algorithm. The word “both” is used because certain
algorithms encrypt and decrypt plain text using both a secret key and a public key.
3.2 Each encryption/decryption algorithm consist of some important constituents
1. S-Box: In lightweight block ciphers, the S-box structure gets a 4-bit block as input, and the substitution function provides a 4-bit output. In
lightweight ciphers, 4-bit S-boxes are used since 8-bit S-boxes take longer to compute and process. K-map techniques or a fixed function can be
used to calculate the output, which results in a lot of confusion and diffusion. In general, a robust S-box must follow the avalanche effect property
strictly, which states that a minor change in the input bit should result in a drastic change in the final output with a probability greater than or
equal to 0.5, implying that if the i-th bit (1 bit) of ciphertext is changed during decryption, the probability of getting original plain text is greater
than or equal to 0.5.54
P(j-th bit getting changed | i-th bit is already flipped) >= 1/2 {Strict Avalanche Criteria}
2. P-box: The input bits are shuffled to other bits in a different order in a P-box. The P-box takes input from a single round’s S-box outputs, reverses
the sequence of bits, and feeds it to the following round’s S-boxes. P-boxes are commonly employed in key generation algorithms if the key size
has to be increased or decreased.
3. Round function: The greater the complexity of the round function, the greater the resistance of the algorithm to cryptanalysis.
FIGURE 8 Basic encryption and decryption algorithm along with its component
FIGURE 9 Round key generation algorithm along with the encryption of the plaintext
4. The number of Feistel rounds: In a Feistel cipher, the input is split into two blocks, which are then switched before being passed on to the next round.
Before swapping, the right block is handed to a cryptographic function. Whatever result we get, we XOR it with the left part of the
input block in every round. Then we perform a switching operation, which means the earlier right block becomes the left input block for the Feistel
round and the output left block of the previous Feistel round becomes the right block as an input for the next Feistel round. In the encryption and
decryption of the message, every cryptographic algorithm uses a different number of rounds. For example, S-AES performs 10 rounds, ICEBERG performs
16 rounds, and PRESENT performs 32 Feistel rounds. In this paper, we will discuss other algorithms also. Figure 10 shows (A) a Feistel network
with four rounds used to encrypt a plaintext message and (B) that, as long as the round keys are utilized in reverse order, the decryption method
is similar to that of encryption.
5. Key size: Larger key sizes give better security, but they may cause encryption and decryption to take longer. To acquire more security, more resistance
to brute force assaults and stronger confusion are utilized. A key size of 64 bits is now widely considered inadequate in many cryptographic
algorithms, and a key size of 128 bits has become the norm.
6. Round key generation algorithm: As shown in Figure 9, greater complexity of the algorithm function means greater resistance against cryptanalysis. The
round key generation method creates distinct and unique keys for each round based on the number of rounds to ensure sufficient confusion.
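The avalanche bound from item 1, computed for a concrete 4-bit S-box, as an added example (not code from the paper). It takes the published S-box of PRESENT, a cipher named in item 4, as sample input and checks the bound exactly as the page states it (probability >= 1/2); the function names are illustrative.

```python
# PRESENT's published 4-bit S-box, used here as sample input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed counter-example: the identity mapping provides no confusion.
IDENTITY_SBOX = list(range(16))


def avalanche_matrix(sbox, bits=4):
    """matrix[i][j] = P(output bit j changes | input bit i is flipped),
    taken over all 2**bits inputs. Bit 0 is the least significant bit."""
    size = 1 << bits
    if sorted(sbox) != list(range(size)):
        raise ValueError("S-box must be a permutation of 0 .. 2**bits - 1")
    matrix = []
    for i in range(bits):
        counts = [0] * bits
        for x in range(size):
            diff = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(bits):
                counts[j] += (diff >> j) & 1
        matrix.append([c / size for c in counts])
    return matrix


def meets_bound(matrix, bound=0.5):
    """True when every (input bit, output bit) pair reaches the bound."""
    return all(p >= bound for row in matrix for p in row)


def min_output_bits_changed(sbox, bits=4):
    """Fewest output bits that ever change after a one-bit input change."""
    return min(bin(sbox[x] ^ sbox[x ^ (1 << i)]).count("1")
               for i in range(bits) for x in range(1 << bits))


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("identity", IDENTITY_SBOX)):
        m = avalanche_matrix(box)
        print(name)
        for i, row in enumerate(m):
            print(f"  flip input bit {i}: {row}")
        print(f"  bound >= 1/2 met: {meets_bound(m)}, "
              f"min output bits changed: {min_output_bits_changed(box)}")
```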
Figure 11 depicts various types of block cipher for security purposes. The majority of the symmetric block ciphers in this work use one of the
architectures listed below: (1) Substitution-Permutation Network (SPN), (2) Feistel Network (FN).
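The Feistel structure from item 4 and Figure 10 as a runnable sketch: one routine both encrypts and decrypts, and only the round-key order changes. This is an added example, not code from the paper; the SHA-256-based round function and key schedule, the 64-bit block size and all names are assumptions chosen to keep it short.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_keys(master: bytes, rounds: int) -> list:
    """Toy key schedule (assumption): one 32-bit key per round, derived as
    SHA-256(master || round index)."""
    return [int.from_bytes(hashlib.sha256(master + bytes([r])).digest()[:4], "big")
            for r in range(rounds)]


def f(right: int, key: int) -> int:
    """Round function: truncated SHA-256 of key || right half. It is one-way
    on purpose; a Feistel network never has to invert it."""
    data = key.to_bytes(4, "big") + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block: int, keys) -> int:
    """Run a 64-bit block through one Feistel round per key."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in keys:
        # The right half feeds F, the result is XORed into the left half,
        # then the halves switch places for the next round.
        left, right = right, left ^ f(right, k)
    # Undo the last switch so the same routine also decrypts.
    return (right << 32) | left


def encrypt(block: int, keys) -> int:
    return feistel(block, keys)


def decrypt(block: int, keys) -> int:
    return feistel(block, list(reversed(keys)))


if __name__ == "__main__":
    keys = round_keys(b"constructed demo key", 4)  # four rounds, as in Figure 10
    pt = 0x0123456789ABCDEF                        # constructed sample block
    ct = encrypt(pt, keys)
    print(f"plaintext  {pt:016x}")
    print(f"ciphertext {ct:016x}")
    print(f"decrypted  {decrypt(ct, keys):016x}")
    # With a single round, half of the block passes through unchanged,
    # which is why the number of rounds matters.
    one = encrypt(pt, keys[:1])
    print(f"one round  {one:016x}  (low half still {pt & MASK32:08x})")
```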
4 CRYPTOGRAPHIC ALGORITHMS
In this section, cryptography techniques are discussed. Cryptography algorithms can be divided into two groups: the first is encryption
algorithms and the second is decryption algorithms. The encryption algorithms are used to encrypt the message or share data among different users.
They can use either one of two techniques:
FIGURE 10 (A) Feistel network with 4 rounds being used to encrypt a plaintext message. (B) The process of decryption is identical to the
one for encryption as long as the round keys are used in reverse order.
FIGURE 11 Depicts different types of a block cipher for security purposes
Public Key or Private Key: Public key cryptography, or asymmetric cryptography, is a cryptographic system that employs pairs of
keys, each consisting of a public key and a private key. The public key can be shared and distributed openly among different groups of users for encryption of
shared messages or data. The private key is a secret key, known only to its user (i.e., the owner), for decrypting the shared encoded messages or
data.
Private/Secret Key Cryptography: Private/Secret key cryptography is also known as the symmetric cryptography technique. It uses the same
key for both operations, that is, encrypting and decrypting the shared information or data.
These encryption algorithms and techniques have been used for different applications, such as security purposes and other
applications that rely heavily on symmetric algorithms. Components: A symmetric key encryption scheme has the following requirements:
1. Plaintext: the original, intelligible text or data that is to be encrypted.
2. Encryption technique/algorithm: the algorithm that is applied to the plaintext using techniques such as substitution
and transformation.
3. Secret key: the key is independent of the plaintext. Depending on the specific key used each time, the algorithm produces a different
output.
4. Ciphertext: the output of the cryptography system. The output text of the algorithm is incomprehensible text, which depends on the
plaintext and the key used as inputs to the procedure.
5. Decryption algorithm: the decoding process, which is the exact reverse of the encryption algorithm. It reproduces
the required plaintext from the given ciphertext input using the secret key mechanism.
4.1 Lightweight cryptographic algorithms
In comparison to asymmetric algorithms, symmetric algorithms are quicker. In comparison to the stream cipher, the block cipher is slower. Hardware
improves efficiency and throughput as compared to software.6,7 We'll look at two sorts of ciphers in this section: block ciphers and stream ciphers.
Some of them have a hardware implementation, while others have a software implementation. AES, DES and its variants, XTEA, HIGHT, CLEFIA,
mCRYPTON, TEA, SEA, and PRESENT are the block ciphers described in this paper. The stream ciphers described in this work are Trivium and
Grain. Hummingbird, a hybrid cipher that combines the features of both, is also introduced.55–57
4.1.1 Block ciphers
A block cipher's main principle is to accept one block of elements (n bits) at a time as an input, apply the cryptographic algorithm, and create an
output of the same size as the input. Block size may vary from algorithm to algorithm; for example, AES uses a 128-bit block.4
S-AES
All standard encryption methods are measured against S-AES. It employs a substitution-permutation network (SPN). It works well in both hardware
and software environments.8 AES hardware implementations can be utilized in embedded systems for low-size demands like RFID or in server
applications for high throughput.9 S-AES employs a 128-bit plaintext block and a 128-bit key size.10 The necessary resource for this encryption is
roughly 3600 GE, which yields a throughput of 12.4 kbps at 100 kHz and 77.7 kbps at 4 MHz. It necessitates a code size of 2606 bytes and 388 bytes
of RAM.11,12
ICEBERG
ICEBERG is designed to be implemented on hardware. It goes through 16 rounds using 64-bit text blocks and 128-bit keys. It enables you to switch
keys per clock cycle without sacrificing performance.11–13 It requires 5800 gates and has a throughput of 400 Kbps.63 It is a new product that offers
low-cost encryption and decryption. It also includes low-cost cryptography features.
The DES system and its variations
DES was one of the first lightweight encryption ciphers to be invented, and it has since been modified. To reduce the size of the hardware
implementation, the round function employs a single S-box instead of eight and skips the initial and final permutations.14 It takes 16 rounds and uses
a 56-bit key with a 64-bit block size. Its structure is Feistel-like (design pattern). The drawback of DES compared with AES is its smaller key size of 56 bits, which
results in a lower security level than AES. The first modified version of DES to be presented was DES-L. It inherits the DES design but uses only one
cryptographically stronger S-box instead of 8 S-boxes, which reduces chip size. Concerning RFID applications, it takes around 45% less chip
space and 86% fewer cycles than the best AES implementations.15 DES-L delivers a degree of security that is suitable for a wide range of
applications. DES-L needs 1848 gate equivalents. It is capable of encrypting a 64-bit plaintext in 144 clock cycles. DES-L can provide
a throughput of 44.4 Kbps at 100 KHz and 26.6 Kbps at 4 MHz.
DES-L is superior for RFID tags since it provides the smallest gate equivalency.16 DES-X is a modified version of DES that adds a key-whitening
procedure that was not present in the original DES. The implementation of DES-X requires 2629 GE.17 The primary motivation for developing
DES-XL was to expand the key size of DES without changing the algorithm. DES-XL is a combination of DES-X and DES-L. The DES-XL
implementation requires 2169 GE. At 100 kHz, DES-XL produces the same 44.4 kbps throughput as previous DES variations; however, at 4 MHz, throughput
is somewhat higher at 30.4 kbps.12,14,18
TEA family
The TEA (Tiny Encryption Algorithm) was created to provide a high-performance, mathematically based encryption method without making it difficult.
It was designed with a small but fast and secure encryption method in mind. The Feistel cipher design structure is used in TEA and its variations
(XTEA and XXTEA). TEA takes an input of 64-bit blocks, which is directly split into 32-bit blocks. The classical TEA algorithm uses a 128-bit
key. TEA is a round-based encryption method. The number of keys needed to encrypt data might vary. As a rule, TEA prefers at least 32 rounds. TEA
can be implemented in 2100 GE, which is faster than DES (60% faster) as it has 32 rounds compared to 16 rounds of DES. S-boxes are not used
by TEA. When employed as a hash function, the performance of TEA degrades. The number of encryption cycles can be raised to improve TEA's
strength.19,56 The XTEA (extended TEA) algorithm is a refinement of the TEA algorithm. With a 64-bit block size and a 128-bit key with 32 rounds,
it's the same as TEA.
1 TEA round = 2 × Feistel rounds.56
XTEA features a more comprehensive key management system, as well as shift, XOR, and addition operations, when compared to TEA. It also
corrects the flaw in TEA rounds. Along with the introduction of the XTEA variable-width block cipher (which does not require a set block size and
can operate with blocks of any size), XXTEA was proposed to address the problem.
Miniature CRYPTON (mCRYPTON)
mCrypton is a 64-bit block cipher with three key sizes (64 bits, 96 bits, and 128 bits) intended specifically for resource-constrained small devices
such as RFID tags and sensors.19,20 The implementation of mCrypton involves both hardware and software, which necessitates
the use of 2709 GE. It has a 64-bit block size and a 128-bit key size with 13 rounds. mCrypton's hardware complexity is within the price range of
low-cost devices.11,20
PRESENT
PRESENT is a block cipher with a reputation for being extremely light. It has contributed significantly to the development of lightweight
block ciphers. It is made up of an SP network design (substitution permutation network). It’s a standard for newer lightweight ciphers, along
with AES. At 1570 GE, it was one of the first ciphers used in ultra-lightweight devices. A 64-bit block size is required, as well as
80-bit keys. The key feature is that the regular 8 S-boxes are replaced with a single S-box of your choosing. It is currently established as an
ISO/IEC standard.20–22
CLEFIA
Clefia is a lightweight block cipher developed by SONY Corporation that was standardized by NIST in 2007. Clefia was created with a broader
application range in mind to provide greater performance in both hardware and software implementations. It uses the Feistel network as its foundation.23,24
It supports a block size of 128 bits and key sizes of 128, 192, and 256 bits, with 18, 22, and 26 rounds. In terms of security and performance, Clefia
is a well-balanced block cipher. When comparing Clefia against other block ciphers, Clefia outperforms the competition. Clefia encryption requires 2488 GE,
and decryption needs an additional 116 GE overhead, so Clefia may be implemented in 2604 GE for both encryption and decryption. At 100kHz, it has a
throughput of 355.56 kbps.
High security and lightweight
HIGHT (high security and lightweight) uses the Feistel network structure.25 Its implementation is hardware-based. It is mostly used
for RFID26,27 utilizing FPGA. It requires a 64-bit block and a 128-bit key. It passes through 32 rounds, making it well suited to low-cost, low-power,
and ultra-light hardware systems. Implementing it requires 3408 GE. It performs one round of encryption per clock cycle, and its throughput is
around 150.6 Mbps at 80 MHz, 188.2 Kbps at 100kHz, and 80.3 Kbps at 4 MHz. It is well executed in 0.25 μm.12
Scalable encryption algorithm
Low memory, small code size, and a constrained instruction set are the foundations of the SEA (Scalable Encryption Algorithm). It’s incredibly
adaptable since we can customize it to operate on any platform, as well as the processor, plaintext size, and key size. The major purpose is to
make implementations on various platforms more efficient. It uses a software-based implementation with a 96-bit key and a 96-bit block size,
providing 39.7 Kbps at 4 MHz and 103 at 100 KHz. Because of the 3-bit S-box, it is the smallest cipher. With 3758 GE in 0.13 μm, it is nicely
executed.28,29,56
Light block
It is a new lightweight block cipher called Light Block developed by the State Key Laboratory of Information Security, China. Like other lightweight
block ciphers, it has a block size of 64-bits and a key size of 80-bits. It can be implemented on both hardware and software with greater security. It
can be implemented well on an 8-bit microcontroller. It is implemented with 1320 GE in 0.18 μm and provides a throughput of 200 Kbps at 100 kHz.
It has a Feistel structure and consists of 32 rounds. It gives a better result than other lightweight ciphers.30
SLIM: A lightweight block cipher
The need to improve the security of resource-constrained devices like radio frequency identification (RFID) systems has lately become urgent.
Recent encryption technologies are acceptable for high-resource desktop PCs used in high-security applications. Access control, transaction bank-
ing, and payment systems are among its offerings. By deceiving RFIDs, the attacker was able to gain unlawful access to services without paying
for them or bypass security features by detecting a secret password. The most difficult task is successfully defending RFID systems from such
infringements.
Lightweight encryption is gaining traction to ensure feed security in these systems. For these devices and RFID systems, the research
proposes SLIM, a novel ultra-lightweight cryptography technique. SLIM is a 32-bit block cipher with a simple cryptographic architecture. Because block
ciphers are the most widely used cryptographic method, it employs the Feistel structure to provide integrated security for networked systems and
IoT devices.
The architecture of SLIM. SLIM is a block cipher based on a Feistel structure with a 32-bit block size. SLIM uses a long key length of 80 bits to
avoid exhaustive key searches. To determine how ciphertext statistics depend on plaintext statistics, SLIM employs four 4×4 substitution boxes.
With a small implementation area of only 553 GE, SLIM is meant to enable both software and hardware implementation, resulting in an acceptable
cost/security for RFID systems. Hardware implementation achieves great speed; however, software implementation has a reduced implementa-
tion cost. The most challenging aspect of creating a lightweight block cipher is balancing performance, price, and security. Like all symmetric block
ciphers, SLIM encrypts and decrypts using the same key.69
Properties of the SLIM cipher. It has the following properties:69
1. The Feistel structure is used to produce SLIM, a symmetric block cipher. In this situation, the encryption and decryption keys are the same.
2. The non-linear component of SLIM is made up of four 4×4 S-boxes that perform a non-linear operation on a 16-bit word.
3. Although SLIM has a simple implementation and design, it has a rigidity profile that makes it resistant to the most powerful malicious
cryptanalyses, such as "linear and differential attacks." The cipher is ideal for the Internet of Health Things and can be simply deployed with
resource-constrained devices such as RFID.
Stream cipher
A stream cipher is a kind of encryption technology that encrypts the digital data stream one bit or one byte at a time. Classical stream ciphers are
the Vigenère cipher and the Vernam cipher.4 After initialization, stream ciphers require fewer clock cycles to encrypt a bit. Those with a fast
initialization phase are best for applications with many short messages, whereas stream ciphers with fast encryption are appropriate when the messages
are long. We cannot classify stream ciphers based on performance alone because it depends on both initialization and encryption/decryption
operations.31
Grain cipher
To maintain excellent security, the Grain stream cipher is designed for relatively little hardware, with as few gates as 4008 GE. A 1 bit/cycle implementation requires
1857 GE, while a 32-bit implementation in a 0.13 μm process requires 4617 GE.4,32 There are two shift registers in it. Because both shift registers are appropriately
timed, the cipher can produce 1 bit/clock. 128-bit keys are supported by Grain-128.4,32,33 It had a throughput of 100 Kbps and a frequency of 100 Kbps.
Trivium cipher
It is a stream cipher whose construction is inspired by the design of block ciphers.4,32–34 Trivium is well analyzed, elegant, and flexible
in design, but it only supports 80-bit keys.4,32–35 Trivium appears to be a strong contender in the field of stream ciphers. It also
allows for a versatile tradeoff between speed and area. By decreasing both the area and the operational frequency, the power consumption is
reduced by more than 20%. According to researchers, Trivium should not be employed due to potential attacks on the system, so we did not
choose it.
Salsa-20/R cipher
Bernstein designed Salsa20 in 2005 as a candidate stream cipher, which was selected for the stream software portfolio. In Salsa20/r, r stands for
the number of iterations of the round function. It uses 256-bit keys and a 128-bit initialization vector (IV). Salsa20 is implemented in 1452 bytes and gives
a throughput 44% faster than AES, whereas other researchers state that it is more than five times as fast as AES. The minimum state size
required is 512 bits. Salsa20 also requires 280 bytes of SRAM to function. It is implemented in 4008 GE and has a throughput of 111.3 Kbps at an
operational frequency of 4 MHz.4,32-36,57 Salsa20 provides a maximum throughput of 990 MBps at an operating frequency of 19.4 MHz. Salsa20
achieves the best performance. It is fast and has a short initialization phase.31
Hybrid ciphers
A hybrid cipher is an encryption process that integrates the efficiency of symmetric encryption with the convenience of public-key (asymmetric)
encryption. To encrypt a message, a new symmetric key is generated and used to encrypt the plaintext data. The recipient's public key is employed
to encrypt the symmetric key only.
Hummingbird. Hummingbird is an ultra-lightweight encryption scheme that combines block and stream cipher structures. It has a key size of 256 bits and
a block size of 16 bits, and it goes through 20 rounds. It also provides the desired security with a smaller block size, meeting strict response time and
power consumption requirements for various embedded systems.37 It can be well implemented in 3220 GE with a chip area of 27,381 μm².
PRESENT-GRP. It completes731 iterations with a 64-bit input and a 128-bit key size. It uses the SP method from PRESENT in conjunction with
Group (GRP) for even more perplexing features (instead of permutation table). The hardware implementation of PRESENT (1884 GE) is superior to
that of PRESENT-GRP (2125 GE). PRESENT is also more efficient than PRESENT-GRP in terms of software implementation.
Elliptic curve cryptography. It is a security method that includes key-based techniques. It is used for encrypting messages or data. ECC uses pairs of
public keys and private keys. These key pairs are used for the decryption and encryption process. ECC is often discussed in the
context of the Rivest–Shamir–Adleman (RSA) cryptographic method, which performs one-way encryption using prime number factorization and is widely used for email security,
data security, and software.
IBE based cipher method. IBE-Lite is a lightweight identity-based encryption protocol that works well with body sensor networks. In this monitoring
approach, a body sensor network (BSN) is required. A BSN is made up of sensors that are attached to a patient's body or
woven into their clothing and "travel" with them to collect data. Since a BSN is constantly on and continually captures data, it poses security and
privacy problems. IBE is a kind of asymmetric cryptography similar to RSA. IBE allows you to produce a public key from any string.70
IBE-Lite is a lightweight IBE that nonetheless has the same qualities as regular IBE. The two valuable qualities are the ability to construct a public key
from an arbitrary string and the ability to generate a public key apart from the matching secret key. IBE-Lite is based on elliptic curve cryptography
(ECC), a BSN-friendly public key primitive.71
Homomorphic encryption method. The homomorphic encryption method is used to enhance the efficacy of protocols even in the case of multi-party
communication. In multi-party communication, it is crucial to maintain data secrecy without intruding on the user's area.23 In
this method, one computes on the encrypted data, and the output is again encrypted data; on decoding it, the final result is exactly as
if the entire computation had been done on the original plaintext input data.23 It proves effective even when multiple parties compute on encrypted data.71
Decisional bilinear Diffie-Hellman assumption method. The DBDH (Decisional Bilinear Diffie–Hellman) assumption is a computational hardness
assumption that involves discrete logarithms in cyclic groups.14 This method has acted as a base technique for significant and novel
cryptosystems. A challenger chooses a group $G$ of prime order $p$ based on the security parameter of the system.71,72 Let $a, b, c, z \in \mathbb{Z}_p$ be selected
randomly, and let $g$ be a generator of $G$. Given $(g, A = g^a, B = g^b, C = g^c)$, the adversary must distinguish a valid tuple $e(g, g)^{abc}$ from $e(g, g)^z$. An algorithm
$\mathcal{B}$ that outputs a guess $\mu \in \{0, 1\}$ has advantage $\epsilon$ in solving DBDH if the following formula is satisfied:
$$\left| \Pr[\mathcal{B}(g, A, B, C, e(g, g)^{abc}) = 0] - \Pr[\mathcal{B}(g, A, B, C, e(g, g)^{z}) = 0] \right| \ge \epsilon.$$
The DBDH assumption holds if no polynomial-time algorithm has a non-negligible advantage in solving the DBDH problem.
RSA security mechanism. The RSA method's strongest security facet is the massive calculation of numbers in exponentiation
powers. As the power increases, so do the calculations required to break the code. It takes a long execution time, even with the preset key size. RSA key
length is usually 1024 or 2048 bits. Still, there is a probability that a 1024-bit key can be cracked; hence, in view of the security constraints, governing
and industrial bodies suggest using at least a 2048-bit key length.73
5 ATTACKS ON LIGHTWEIGHT CIPHERS
Cryptanalysts worldwide are constantly evaluating the security of block ciphers, stream ciphers, and hybrid ciphers to see how resistant they are
to various types of attacks.59 Although these lightweight ciphers provide good data transmission at a reasonable cost in constrained devices, they can also
be vulnerable to many different attacks. Designers of many lightweight cryptographic ciphers have to manage the tradeoff between security, cost,
performance, and efficiency. Designers can only optimize two out of three, and optimizing all three is challenging. In this section, we will be
discussing the various types of attacks on these lightweight ciphers.60
A. Block ciphers: It consists of the following techniques used for different applications.
i. S-AES
Several studies indicate attacks on simplified AES, such as employing PSO (particle swarm optimization) to break the key via a ciphertext-only
attack, resulting in PSO being widely utilized for attacking any cipher. The first and second rounds have been proven to be breakable
using linear cryptanalysis. The 192-bit and 256-bit keys are likewise vulnerable to related-key attacks.8
It's also vulnerable to cryptanalysis techniques like Faster and Timing Attack,38 Boomerang, and Biclique. It's advantageous
since the pipelined idea reduces area while increasing speed.39
ii. ICEBERG
ICEBERG is a block cipher presented at FSE 2004 and is used to construct reconfigurable hardware devices. Linear and differential cryptanalysis
of the ICEBERG cipher show that loose bounds can be derived for the whole 16-round encryption. Variants of differential
and linear attacks, such as boomerang and rectangle attacks, repeated linear cryptanalyses, and non-linear approximations of outer rounds,
are extremely likely to be prevented by the security margin.13 Because of the P64 layer, truncated and impossible differentials are very difficult
to mount against ICEBERG, and such an attack on the cipher is highly exceptional. In addition, ICEBERG is vulnerable to square attacks,
interpolation attacks, related-key attacks, and other types of attacks.13
iii. DES and its variants
Because it uses a single S-box repeated eight times to minimize the probability of collisions at the output of the S-boxes and thus at the output of
the f-function, DESL is generally secure against certain types of linear and differential cryptanalysis (attacks based on how differences in the input
propagate to output differences) and statistical cryptanalysis. The gate complexity is also reduced by serial hardware architecture. The application
of key-whitening technology is used to prevent brute-force attacks. To reduce gate complexity, we can also replace 8 original s-boxes with a single
s-box. It is better for RFID tags with minimum GE since it is resistant to numerous attacks.
iv. TEA family
Equivalent-key, related-key, and slide attacks are all possible with TEA. In 2006, the related-key differential attack was the best attack on
XTEA, covering 26 of 64 rounds. TEA is very vulnerable to key cracking, which implies that by combining it with a known plaintext-ciphertext combination,
the number of iterations required drops dramatically and the attack's effectiveness skyrockets.60 It also demonstrates that TEA (128 bits, 32 rounds)
is 60% quicker than 56 bit DES and 4 times faster than 168 bit 3DES.55
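The following added example (not code from the paper) implements TEA as described in the TEA family section earlier (no S-boxes, one TEA round made of two Feistel rounds) and checks the equivalent-key property mentioned above: flipping the top bit of both key words used in the same Feistel round leaves the ciphertext unchanged, so each 128-bit key has three equivalents. Big-endian packing and the helper names `equivalent_keys` and `canonical_key` are assumptions made for this sketch; `canonical_key` is the check a key-provisioning system would use to treat equivalent TEA keys as duplicates.

```python
import struct

DELTA = 0x9E3779B9   # TEA's round constant
MASK32 = 0xFFFFFFFF
MSB = 0x80000000


def _mix(v: int, total: int, ka: int, kb: int) -> int:
    """TEA's S-box-free round function: only shifts, additions and XORs."""
    return (((v << 4) + ka) ^ (v + total) ^ ((v >> 5) + kb)) & MASK32


def tea_encrypt(block: bytes, key: bytes, cycles: int = 32) -> bytes:
    v0, v1 = struct.unpack(">2I", block)          # 64-bit block as two 32-bit halves
    k0, k1, k2, k3 = struct.unpack(">4I", key)    # 128-bit key as four 32-bit words
    total = 0
    for _ in range(cycles):                       # one TEA round = two Feistel rounds
        total = (total + DELTA) & MASK32
        v0 = (v0 + _mix(v1, total, k0, k1)) & MASK32   # Feistel round using k0, k1
        v1 = (v1 + _mix(v0, total, k2, k3)) & MASK32   # Feistel round using k2, k3
    return struct.pack(">2I", v0, v1)


def tea_decrypt(block: bytes, key: bytes, cycles: int = 32) -> bytes:
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    total = (DELTA * cycles) & MASK32
    for _ in range(cycles):                       # same steps, undone in reverse order
        v1 = (v1 - _mix(v0, total, k2, k3)) & MASK32
        v0 = (v0 - _mix(v1, total, k0, k1)) & MASK32
        total = (total - DELTA) & MASK32
    return struct.pack(">2I", v0, v1)


def equivalent_keys(key: bytes) -> list:
    """The three other keys that encrypt every block exactly like `key`.
    Adding 2**31 only flips the top bit of a 32-bit sum, and the two flips
    inside one round function cancel in the XOR."""
    k = struct.unpack(">4I", key)
    variants = []
    for a, b in ((MSB, 0), (0, MSB), (MSB, MSB)):
        variants.append(struct.pack(">4I", k[0] ^ a, k[1] ^ a, k[2] ^ b, k[3] ^ b))
    return variants


def canonical_key(key: bytes) -> bytes:
    """Map a key to one fixed representative of its equivalence class, so that
    a provisioning system can detect keys that behave identically."""
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    if k1 & MSB:
        k0, k1 = k0 ^ MSB, k1 ^ MSB
    if k3 & MSB:
        k2, k3 = k2 ^ MSB, k3 ^ MSB
    return struct.pack(">4I", k0, k1, k2, k3)


if __name__ == "__main__":
    key = bytes(range(16))     # constructed sample key
    block = b"RFID-tag"        # constructed 8-byte sample block
    ciphertext = tea_encrypt(block, key)
    print("ciphertext:", ciphertext.hex())
    for other in equivalent_keys(key):
        print(other.hex(), "->", tea_encrypt(block, other).hex())
    print("round trip:", tea_decrypt(ciphertext, key))
```

Because every key has three equivalents, the effective key space is 2^126 rather than 2^128, and two devices provisioned with distinct-looking keys can still share the same cipher behaviour unless keys are compared in canonical form.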
v. mCRYPTON
With the data, time, memory, and complexity, a related-key rectangle attack on mCrypton-128 was executed on 8 rounds with a success rate of
0.94.40,41
vi. PRESENT
The most powerful approaches accessible to cryptanalysts are differential and linear cryptanalysis. A lower bound is given on the number of so-called
active S-boxes engaged in a differential (or linear) characteristic. Because the current architecture is
nearly entirely bitwise, it's vulnerable to structural attacks like integral and bottleneck attacks. A biclique attack on the full-round cipher outperforms
exhaustive search by a small margin. PRESENT is also prone to related-key and side attacks because it does not fulfill the requirements for resisting
key schedule-based attacks.21,43 It is ultra-lightweight as well as energy-efficient.
vii. CLEFIA
As 280 ciphertext filtering criteria, full round CLEFIA is safe against Improbable differential cryptanalysis; the attack requires $2^{139.38}$ pairings
to complete.43 It's also resistant to linear cryptanalysis, as finding 12-round linear hulls that can differentiate CLEFIA from a random permutation
is challenging.23 The saturation attack is one of the most potent attacks against CLEFIA, implying that 10-round CLEFIA with a 128-bit key can be cracked
with somewhat less complexity than $2^{128}$ F-function computations. We can argue that full-round CLEFIA provides sufficient protection against
this attack. CLEFIA is likewise resistant to other related-key attacks, such as related-key boomerang and related-key rectangle attacks. We can
infer that no attack poses a danger to full-round CLEFIA.23
viii. HIGHT
Truncated differential, linear cryptanalysis, boomerang, rectangle, impossible differential attacks, linear and related-key variations, and saturation attacks
are all used to assess HIGHT security.25 In 16-round HIGHT, a truncated differential characteristic was employed to recover 96 bits of the subkeys
utilized from the 11th to the 16th round. The attack takes $2^{14.1}$ plaintexts and $2^{108.69}$ 16-round HIGHT encryptions.25 In reference 45, the security
of HIGHT may be decreased to one round as reduced-round HIGHT evaluations, which is somewhat better than exhaustive search.45
ix. SEA
To protect SEA from linear and differential cryptanalysis, the number of rounds should be n(rounds) 3p/4, where p is the plaintext size,
which is a multiple of (6 × processor size). SEA is protected from structural attacks and statistical attacks only if the number of rounds is equal to or greater
than the number of rounds needed for complete diffusion.56
x. LBLOCK
We count the number of active S-boxes of differential characteristics to perform Differential cryptanalysis against LBLOCK. We discovered
that the whole 32-round LBLOCK is resistant to differential cryptanalysis. Because there are at least 32 active S-boxes per 15-round LBLOCK,
which leads to very high complexity, LBLOCK offers enough protection against linear cryptanalysis. Impossible Differential Cryptanalysis, Integral
Attack, and Related-Key Attacks are all defeated by LBLOCK.30 As mentioned in reference 46, it also provides minimal protection against biclique
cryptanalysis.
xi. SLIM
Linear cryptanalysis is the most powerful approach for evaluating any cipher because it describes the connection between plaintext (input)
and ciphertext (output) bits as a linear approximation. In this case, we only look for differential pathways up to round 11. As a result, during
the entire number of rounds, this encryption is secure for linear cryptanalysis. The authors also used Differential cryptanalysis in a selected
plaintext-ciphertext situation, in which an intruder can retrieve the encrypted text by picking any plaintext as input to the cipher. The authors
discovered a differential route up to 7 rounds, demonstrating that the encryption is safe for the entire number of rounds. SLIM has shown high resistance
and a sufficient protection margin against the most successful linear and differential cryptanalysis attacks.68
B. Stream ciphers
In a stream cipher, one byte is encrypted at a time, while 128 bits are encrypted at a time in a block cipher. Initially, a key (k) is provided as
input to the pseudorandom bit generator, which then creates a random 8-bit output known as the keystream. The resulting keystream is
1 byte in size, which means that 8 bits are required for each keystream generation in the following process.
A stream cipher relies on a series of pseudorandom number streams. One of the advantages of a stream cipher is that it makes cryptanalysis
more complicated. Therefore, the number of bits selected in the keystream must make cryptanalysis more complex.
Creating a more complex and longer key also protects against brute-force attacks.
The longer the key, the more robust and high-level the security that is accomplished, preventing any attacks.
The keystream is created more efficiently with more binary bits (1s and 0s), which helps to make the cryptanalysis process more complex.
A considerable advantage of a stream cipher is that it demands fewer lines of code than a block cipher.
1. Encryption process:
To create the ciphertext, provide the plaintext as well as the keystream. The same keystream is employed in decryption. The
plaintext is combined with the keystream using the XOR operation, bit by bit, to construct the ciphertext.
Example
Plaintext:  10011001
Keystream:  11000011
Ciphertext: 01011010
2. Decryption process:
For the decryption procedure, we must provide the ciphertext and the keystream, which return the original plaintext. The keystream is the same
one that was used for encryption. The ciphertext is combined with the keystream in an XOR operation, bit by bit,
to regenerate the plaintext.
Example
Ciphertext: 01011010
Keystream:  11000011
Plaintext:  10011001
The decryption process is simply the reverse of the encryption process: the XOR is applied to the ciphertext.
Grain: A comprehensive key recovery attack on a Grain-128 variation with 250 initialization rounds has been confirmed to recover a substantial
portion of weak keys.47 Conditional differential cryptanalysis and related-key attacks.48 Cube testers provide the strongest distinguishing attack on
the majority of Grain-128's keys.62
Trivium: Cube attacks48 and cube testers49 are used to obtain the final cryptanalysis results. Defending Trivium stream ciphers using FPGA
(field-programmable gate array) implementations. Table 5 of reference 50 shows that the developed system's injection capacity is high (consistently above 38%),
and the injection efficiency for effective fault injections is much greater. The efficiency is always over 68%, and for the conventional Trivium with a
parallel load, it reaches 100 percent. FPGA is vulnerable to a fault injection attack regardless of how it is implemented on targeted devices.50
SALSA-20: Salsa20 cryptanalysis on reduced rounds does not pose any security threat against Salsa20/12 in the stream software portfolio.
The concept of PNB (Probabilistic Neutral Bits) improves the cryptanalysis of Salsa20, providing a complexity slightly less than exhaustive
search.58
C. Hybrid cipher
Hummingbird: Hummingbird is resistant to birthday attacks, structural attacks, algebraic attacks, cube attacks, differential and linear cryptanalysis,
and other attacks on block ciphers and stream ciphers.52 Slide attacks and related-key attacks cannot be used on Hummingbird
because slide attacks and related-key attacks rely on exploiting key scheduling flaws, which Hummingbird lacks. Because Hummingbird has a
high algebraic degree, interpolation and higher-order differential attacks are difficult to use. Hummingbird-2 is immune to chosen-IV attacks and
is impervious to all previously known cryptanalytic techniques.37
5.1 Performance of lightweight cryptography algorithm based on selected parameters
In this section, the performance of the lightweight cryptography system is evaluated using different standard benchmark techniques. Any lightweight cipher's performance is judged by its lower cost, increased security, and improved encryption-decryption efficiency, which results in higher throughput. Traditional cryptographic algorithms prioritize good security, low power consumption, and low processing power, while ignoring resource constraints. Researchers in this sector have altered their ideas in recent years as a result of the recent development of these devices, which provide strong security with low processing power, low computation, and low-cost hardware.
We used different simulation test cases to evaluate system performance based on block size, cipher size, the number of rounds required to perform the computation, clock cycles, and the memory required by the aforementioned lightweight algorithms, as well as the encryption and decryption speed of the chosen lightweight encryption algorithms. For each lightweight algorithm, the system performed several tests of the encryption and decryption operations, executing the same encryption with a similar plaintext input message five individual times, and the average accuracy and required computation time were compared across the tested lightweight cryptography algorithms (shown in Tables 3, 4, and 5, respectively). The key size selected for each lightweight algorithm is the maximum number of bytes that the chosen cipher allows. To perform an exhaustive analysis with a fair comparison, we used four devices (D1 to D4) with different system configurations to evaluate different measures of the lightweight cryptography algorithms.
We discuss the performance of the lightweight cryptography algorithms on the selected parameters of the fair comparison and compare them to determine which one is best for use in a real-time scenario; the results are given in the tables below.
Table 4 illustrates the comparison of the lightweight block cipher methods based on different protocols. Table 5 shows the comparison of the stream and hybrid ciphers.
TABLE 3 Detailed description of the computers and devices used in the experimental simulations
Device name | Configuration | # Processors | # Cores and memory | Frequency (GHz)
D-1 | Intel Core i5–8250U | 8 | 4, 8 GB | 1.8
D-2 | DESKTOP-46ALQ4B x64-based processor, i7-1165G7 | 8 | 4, and 16 GB | 2.80
D-3 | Intel i7-10,700 | 8 | 8, 16 GB | 2.90
D-4 | Intel i9-11900K | 8 | 8, 16 GB | 3.50
TABLE 4 Illustrates the comparison of the lightweight block cipher method based on different protocols
S.No | Algorithm | Software Or Hardware Platform | Key Size | Block Size | Design Pattern [Feistel (F)/SP Network (SP)] | Rounds | CPU Clock Cycle (Cycles Per Block) | Logic Process* | Area (GE) | Chip Area | Code Size in byte | RAM Size in byte | Relative Code Size (% of AES) | Throughput at 100KHz (Kbps) | Throughput at 4 MHz (Kbps) | Relative Throughput at 4KHz (% of AES)
1 S-AES both 128 128 SP 10 1032 0.35 3600 GE 4557 2606 388 100 12.4 77.1 100
2 ICEBERG hardware 128 64 SP 16 5800 GE
3 DES-L both 56 64 F 16 144 0.18 1848 GE 1709 468 65.57 44.4 29.6 38.4
4 DES-XL both 184 64 F 16 144 0.18 2168 GE 1709 468 65.57 44.4 30.4 39.4
5 XTEA software 128 64 F 64 7408 2000 GE 855 196 32.8 40.8 53
6 mCrypton both 128 64 SP 13 13 0.13 2709 GE 492.3
7 PRESENT hardware 80/128 64 SP 32 32 0.18 1886 GE 11,342 1738 274 66.69 200 23.7 30.7
8 CLEFIA both 128/192/256 128 F 18/22/26 36 0.09 2488 GE NA NA NA NA 355.56 NA NA
9 HIGHT Hardware 128 64 F 32 34 0.25 3408 GE 2964 13,476 288 517.11 188.2 80.3 104.2
10 TEA Software 128 64 F 64 6271 NA 2100 GE 7408 648 196 32.8 40.8 53
11 SEA Software 96 96 F NA NA 0.13 3758 NA 2132 NA 75.3 103 39.7 51.5
12 LBlock both 80 64 F 32 3955 0.18 1320 NA NA NA NA NA NA NA
13 SLIM BOTH 80 32 F 32 0.13 553 NA NA NA NA NA NA NA
TABLE 5 Depicts comparison of the stream and hybrid ciphers
S.No. | Algorithm | Software or Hardware Platform | Key Size | Block Size | Rounds | CPU Clock Cycle (Cycles Per Block) | Logic Process* | Chip Area* | Logic Process (in μm) | Code Size in byte | Relative Code size (% of AES) | Throughput at 100KHz (Kbps) | Throughput at 4 MHz (Kbps) | Relative Throughput at 4KHz (% of AES)
1 Grain Hardware 80 128 1 0.13 2599 100
2 Trivium hardware 80 1 1 0.13 1294 NA NA 100 NA NA
3 Salsa20 Software 128 512 NA NA 4008 1452 61.2 111.3 144.4
4 Humming Bird hardware 256 16 20 3220 400 NA NA
1. Key size: Larger key sizes provide more security, but they may slow down encryption and decryption. Greater security comes from increased resistance to brute-force attacks and stronger confusion, at the cost of greater complexity. A key size of 64 bits is now universally regarded as insufficient, and 128 bits has become the standard in many cryptographic methods.
2. Block size: A bigger block size equals greater security but slower encryption and decryption for any technique. Greater diffusion results in
increased security. A 64-bit Block Size is a good compromise between security and speed.
3. Rounds: As in Figure 3, a single round provides inadequate security, but with multiple rounds the algorithm's security is increased manyfold. Many cryptographic algorithms use 16 rounds, but some algorithms, such as PRESENT and XTEA, use 32 and 64 rounds, respectively, which is more than most algorithms.
4. Chip area and gate equivalent: A GE is equal to the area needed by one two-input NAND gate. It also serves as a measure of the computational complexity of lightweight ciphers. Devices that have a GE of less than 2000 are considered lightweight. 1 GE = 1 NAND gate.53
5. Clock cycle speed: The number of clock cycles per block must be defined for any lightweight cipher. Clock cycle speed is calculated by dividing the number of clock cycles by the operating frequency. To determine clock cycle speed correctly, the operating frequency should be the same.
6. Memory usage: The memory size requires the calculation of RAM or ROM used by the cipher for encryption. Flash Memory is used to store
look-up tables and program code. The program execution uses SRAM for dynamic access. If the encryption algorithm processes less data for
operations, it is more lightweight.
7. Vulnerability analysis: In this paper, we compared all the algorithms according to the kinds of attack to which they are vulnerable.
8. Throughput: We compare the throughput of these ciphers at different operating frequencies, along with their throughput relative to S-AES.
9. Energy consumption/power utilization: Power usage numbers are difficult to find and depend heavily on CPU and hardware.
10. Efficiency: Performance relative to resource requirements. It can be calculated as follows.11
a. Hardware efficiency: Throughput [Kbps] / Complexity [KGE], where complexity is physical space.
b. Efficiency: Throughput [Kbps] / Code Size [KB]. Here, code size is the algorithm size (shown in Table 4).
Figure 12 shows the comparative analysis of the different traditional cryptography methods on selected parameters such as encryption time (milliseconds), decryption time, and selected private key size (128 bytes for all the algorithms used). Based on the overall observations, RSA on device 3 takes more time to decrypt the shared message than RSA on device 1. The DES and Triple DES methods take less time than RSA on all devices. This means that, although the DES algorithm needs considerable system resources to perform the security analysis on the shared message or data, these algorithms are efficient compared with the other cryptography method.
Figure 13 depicts the overall evaluation of the different lightweight cryptography methods on the chosen parameters, such as encryption time (milliseconds), decryption time, selected private key size (128 bytes for all the algorithms used), memory used, efficiency (%), and others. Figure 13 shows that the PRESENT-256 method is efficient compared with the other techniques; however, PRESENT-128 also performs well on the selected memory parameters. This reveals that block cipher techniques are better than traditional techniques for security analysis in smart applications running on smart devices or lightweight systems or models.
FIGURE 12 Shows the summary of the comparative analysis of RSA and DES algorithms
FIGURE 13 Comparative analysis of block cipher and stream cipher techniques on different parameters
FIGURE 14 Shows a working model for cryptanalysis using a Deep Neural Network (DNN). Diagram labels: Neural Network (f), Plaintext (p), Ciphertext (c), Key (k), Loss Function, Key (k').
Based on the overall observations, it can be asserted that all the lightweight cryptography techniques are better than conventional methods, although a few constraints, such as hardware-related and device-related resources and computing paradigms, need to be addressed properly to solve security issues in smart applications.
Based on the overall observations, we conclude that lightweight cryptography uses less memory, requires fewer computing resources, and makes the best use of the power supply when providing security solutions for different applications. These solutions are also feasible for devices or smart systems that work in resource-limited environments, providing faster solutions than conventional cryptography.
6 DEEP LEARNING-BASED CRYPTANALYSIS OF LIGHTWEIGHT BLOCK CIPHERS
This section discusses the use of deep learning to decode several lightweight block ciphers. The ciphertext is input into the neural network, with the plaintext output serving as a reference. After adequate training on a large enough number of plaintext-ciphertext pairs encrypted with the same key, the neural network will be able to recover plaintext from ciphertext. The neural network must be set up using a number of parameters. As illustrated in reference 68, the neural networks used in this attack are multilayer feedforward neural networks, which may be used as universal approximators. In reference 64, a neural network was used to identify plaintexts from ciphertexts, and the results for attacking DES and Triple DES were fantastic. The authors employed a neural network to discover the mapping between plaintexts, ciphertexts, and the key in simplified DES (S-DES).65 The authors of references 66 and 67 developed a feedforward neural network that extracts plaintext from ciphertext without needing the AES cipher's key (shown in Figure 14).
6.1 DNN structure for the cryptanalysis
Figures 14 and 15 depict the structure of a DNN model for cryptanalysis (13). As the nonlinear function, we consider a ReLU function, $f_{\mathrm{ReLU}}(x) = \max(0, x)$. At the $l$th hidden layer of the DNN, there are l neurons, where $l = 1, \ldots, L$. Each bit of plaintext and ciphertext is associated with a neuron in the input layer; that is, the $i$th neuron represents $p_i$, and the $(j+n-1)$th neuron represents $c_j$, where $i, j = 0, 1, \ldots, n-1$. At the input layer, there are $2n$ neurons. Each bit of the key is associated with a neuron in the output layer; for example, the output of the $i$th neuron corresponds to $k_i$, where $i = 0, 1, \ldots, m-1$. As a result, the output layer's number of neurons is $m$. The DNN's output, $k$, is a series of non-linear transformations of the input data, $[p, c]$, defined mathematically as (shown in Equation 1)

$$k = f([p, c]; \theta) = f^{(L+1)}\left(f^{(L)}\left(\cdots f^{(1)}([p, c])\right)\right) \qquad (1)$$

where $L$ is the number of hidden layers and $\theta$ is the weights of the DNN.
FIGURE 15 Shows the working of the deep neural network model
TABLE 6 Shows the block ciphers applied in the case studies based on block size, key size, and required number of rounds to perform the computations in the security mechanism
Name | S-DES | Simon | Speck
Block size (bits), n | 8 | 32 | 32
Key size (bits), m | 10 | 64 | 64
No. of rounds, R | 2 | 32 | 22
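The input and output layout and the layer composition of Equation 1, as an added example (not code from the paper or from the works it cites): S-DES with n = 8 and m = 10 from Table 6 produces known-plaintext samples [p, c] → k for a small ReLU feedforward network written in plain Python. The S-DES tables are the commonly published ones; the sigmoid output layer, the cross-entropy loss, the layer sizes, the learning rate and all function names are assumptions.

```python
import math
import random

# S-DES tables as commonly published (1-based bit positions); not taken from the page.
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))
N_BITS, M_BITS = 8, 10  # block size n and key size m for S-DES (Table 6)

def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def from_bits(bits):
    return int("".join(map(str, bits)), 2)

def permute(bits, table):
    return [bits[i - 1] for i in table]

def round_keys(key):
    k = permute(to_bits(key, M_BITS), P10)
    left, right = k[1:5] + k[:1], k[6:] + k[5:6]              # rotate each half by 1
    k1 = permute(left + right, P8)
    left, right = left[2:] + left[:2], right[2:] + right[:2]  # then by 2 more
    return k1, permute(left + right, P8)

def sbox(box, nibble):
    return to_bits(box[nibble[0] * 2 + nibble[3]][nibble[1] * 2 + nibble[2]], 2)

def f_k(left, right, subkey):
    x = [a ^ b for a, b in zip(permute(right, EP), subkey)]
    y = permute(sbox(S0, x[:4]) + sbox(S1, x[4:]), P4)
    return [a ^ b for a, b in zip(left, y)], right

def sdes_encrypt(plain, key):
    k1, k2 = round_keys(key)
    b = permute(to_bits(plain, N_BITS), IP)
    left, right = f_k(b[:4], b[4:], k1)
    left, right = f_k(right, left, k2)  # halves are swapped between the two rounds
    return from_bits(permute(left + right, IP_INV))

def make_sample(rng):
    """One known-plaintext sample: input [p, c] (2n bits), target k (m bits)."""
    key, plain = rng.randrange(1 << M_BITS), rng.randrange(1 << N_BITS)
    cipher = sdes_encrypt(plain, key)
    return to_bits(plain, N_BITS) + to_bits(cipher, N_BITS), to_bits(key, M_BITS)

def init_net(sizes, rng):
    # One (weights, biases) pair per layer: together these are the parameters theta.
    return [([[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_out)],
             [0.0] * n_out) for n_in, n_out in zip(sizes, sizes[1:])]

def forward(net, x):
    """Equation 1: f^(L+1)(f^(L)(... f^(1)([p, c]))); returns every layer's output."""
    acts = [x]
    for depth, (w, b) in enumerate(net):
        z = [sum(wi * ai for wi, ai in zip(row, acts[-1])) + bi for row, bi in zip(w, b)]
        if depth == len(net) - 1:  # output layer: sigmoid (assumption), one unit per key bit
            acts.append([1 / (1 + math.exp(-max(-30.0, min(30.0, v)))) for v in z])
        else:                      # hidden layers: ReLU, max(0, x)
            acts.append([max(0.0, v) for v in z])
    return acts

def train_step(net, x, y, lr=0.05):
    """One SGD step on bitwise cross-entropy; returns the loss before the update."""
    acts = forward(net, x)
    loss = -sum(math.log(o if t else 1 - o) for o, t in zip(acts[-1], y))
    delta = [o - t for o, t in zip(acts[-1], y)]  # gradient at the output pre-activations
    for depth in range(len(net) - 1, -1, -1):
        w, b = net[depth]
        a_in = acts[depth]
        # Gradient for the layer below, taken before this layer's weights change.
        back = [sum(row[i] * d for row, d in zip(w, delta)) for i in range(len(a_in))]
        for j, (row, d) in enumerate(zip(w, delta)):
            for i, a in enumerate(a_in):
                row[i] -= lr * d * a
            b[j] -= lr * d
        delta = [g if a > 0 else 0.0 for g, a in zip(back, a_in)]  # ReLU derivative
    return loss

def bit_accuracy(net, samples):
    """Per key bit, the fraction of samples predicted correctly; 0.5 is a coin flip."""
    hits = [0] * M_BITS
    for x, y in samples:
        for i, (o, t) in enumerate(zip(forward(net, x)[-1], y)):
            hits[i] += int((o > 0.5) == bool(t))
    return [h / len(samples) for h in hits]

if __name__ == "__main__":
    rng = random.Random(2022)  # constructed data: random keys and plaintexts
    train = [make_sample(rng) for _ in range(1000)]
    held_out = [make_sample(rng) for _ in range(200)]
    net = init_net([2 * N_BITS, 32, 32, M_BITS], rng)
    for x, y in train * 3:
        train_step(net, x, y)
    print([round(a, 2) for a in bit_accuracy(net, held_out)])
```

The per-bit accuracy on held-out samples is the quantity to read: a key bit whose accuracy stays near 0.5 was not learned from the [p, c] pairs.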
The performance of DL-based cryptanalysis is investigated for the lightweight block ciphers S-DES, Simon32/64, and Speck32/64. Tables 6 and 7 provide a detailed analysis of the block ciphers used in the case studies to perform computations in security mechanisms, depending on block size, key size, and the number of rounds required. The author of reference 64 employs a novel cryptanalytic attack against DES and Triple-DES. The method used is a neural network-based known-plaintext attack. Following a successful training session for both DES and Triple-DES on each of the 100 datasets (i.e., establishing a trained neural network for each dataset), certain computations were done to produce a comprehensive tabulation of findings64 (the plaintext blocks and the ciphertext blocks encrypted using the same key are called a dataset). The attack was implemented by training a neural network to retrieve the plaintext of the ciphertext fed into it. It is a known-plaintext attack that recovers most of the plaintext of a given ciphertext without retrieving the key, and it was successfully implemented using MATLAB.64
Table 7 gives a full study of the DES and Triple DES algorithms in terms of factors including the number of trials, times, key size, block size, and more. According to the findings, the Triple DES method requires the fewest calculations and the least amount of memory to conduct the procedure, making use of the rapid and cost-effective approach from the literature.
TABLE 7 Illustrates results of implementing known-plaintext attack on DES and Triple-DES by deep learning methods
Parameters | DES algorithm | Triple-DES algorithm
Trials required | 850 | 1120
Completed successful trials | 205 | 310
Total no. of failed trials | 815 | 1013
Avg. no. of plaintext-ciphertext pairs required | 211 | 2
Required time | 51 | 84
Time taken by failed trials | 10 | 15
Average time required | 22 | 60
For completion total number of trials required | 7.56 | 10.91
Average internal error | 0.025 | 0.030
Average external error | 0.082 | 0.120
6.2 Application of LWC ciphers
The IoT applications can be enabled for low-level cryptographic solutions as follows:23
1. Smart home applications, such as smart televisions, smart utensils, and smart electric bulbs, require little memory and processing. The cryptographic algorithms used in them are SIMON, SPECK, PICCOLO, and TWINE.
2. For RFID in logistics applications, where there is a shortage of physical space and no power backup, SIMON, SPECK, and PICCOLO are best.
3. For smart agriculture, which needs neat implementation, fewer processing steps, minimal power consumption, and plenty of sensors in remote locations, SIMON, SPECK, PRESENT, and TWINE are up to the mark.
4. For health care applications, which need security and privacy to transmit crucial data with low resources and quick response, SIMON, SPECK, PICCOLO, PRESENT, and MIDORI are the best.
5. For industrial systems, where sensors are placed on machines that are not easily accessible but transmit data wirelessly, MIDORI and PRINCE are the best.
6. In the world of 5G technology, the automobile industry needs vehicle and infrastructure communication (signals and road signs); for this, PRINCE, PRESENT, SIMON, and MIDORI are suitable choices.
7. KeeLoq is also the latest LWC cipher for securing remote keyless entry in cars and buildings.71
7 CONCLUSION AND FUTURE DIRECTION
This paper presented a detailed analysis of lightweight cryptographic algorithms designed for various applications with resource constraints. These ciphers are designed with three factors in mind: chip area, power consumption, and encryption-decryption time. There is always a tradeoff between them: only two of the three can be achieved, and achieving all three is a very tough task. Speed and security are also primary features, and ciphers should be deployed only after a critical analysis that depends on the application. The paper also discusses various security attacks, such as adversarial attacks, black-box attacks, presentation attacks, spoofing attacks, video attacks, and mask attacks, on different deep learning-based frameworks in computer vision and cloud computing. There is a significant probability of attacks on these systems, and countermeasures exist that use learning and neural network methods with biometrics-based systems. This paper presents prominent and relevant work done by researchers in security. From the available research literature, it can be seen that implementations of learning models can cause severe threats to the system on both the client and server side in the cloud framework and its applied areas. The study shows which cipher is best for deployment in various applications, as some cryptographic algorithms, such as PRESENT, are already standardized.
Although the primary goal of this paper is to highlight the research contribution and inspire interdisciplinary researchers, scientists, and engineers to explore new opportunities for privacy preservation using lightweight cryptography, as well as the threats that, if ignored, could have a significant negative impact on an individual's or an organization's security, it was also essential to focus on futuristic circumstances in security, using awareness of past and current prominent work as a base. The futuristic applications can be leveraged for different learning platforms as follows. Lightweight cryptography can be used for innovative home applications, including smart TVs, smart kettles, and intelligent bulbs, which need little memory and processing and can use SIMON, SPECK, PICCOLO, and TWINE. It can also be used to develop tiny devices in agriculture that provide security to farmers while they access their systems with low resources. It can be deployed in blockchain applications to design and develop intelligent systems. It can be used to deploy desktop system applications for security. Where physical space is lacking and there is no power backup, as in RFID-enabled systems, privacy preservation can be implemented using SLIM, SIMON, SPECK, PICCOLO, and other advanced lightweight cryptography algorithms. Such futuristic applications can be deployed securely and in a sustainable framework for different systems using lightweight cryptography and deep learning techniques in the field of security.
DATA AVAILABILITY STATEMENT
Data sharing not applicable to this article as no datasets were generated or analyzed during the current study.
CONFLICT OF INTEREST
The authors have no conflict of interests, financial or otherwise.
ORCID
Sachin Kumar Gupta https://orcid.org/0000-0001-8270-5853
REFERENCES
1. Sallam S, Beheshti BD. A survey on lightweight cryptographic algorithms. Paper presented at: TENCON 2018–2018 IEEE Region 10 Conference; 2018;
(pp. 1784–1789). IEEE.
2. Sehrawat D, Gill NS. Design considerations of lightweight block ciphers for low-cost embedded devices. Int J Recent Technol Eng. 2019;8(2):171-176.
3. Juels A. RFID security and privacy: a research survey. IEEE J Sel Areas Commun. 2006;24(2):381-394.
4. Stallings W. Cryptography and Network Security, 7/E . Pearson Education India; 2006.
5. Chaitra B, Kumar VGK, Shatharama RC. A survey on various lightweight cryptographic algorithms on FPGA. IOSR J Electron Commun Eng.
2017;12(1):45-59.
6. Jamuna Rani D. Light Weight Cryptographic Algorithms for Medical Internet of Things (IoT) - A Review (Accessed November 29, 2020).
7. Bansod G, Raval N, Pisharoty N. Implementation of a new lightweight encryption design for embedded security. IEEE Trans Inf Forensics Secur.
2014;10(1):142-151.
8. Osvik DA, Bos JW, Stefan D, Canright D. Fast software AES encryption. International Workshop on Fast Software Encryption. Springer; 2010:75-93.
9. Feldhofer M, Dominikus S, Wolkerstorfer J. Strong authentication for RFID systems using the AES algorithm. International Workshop on Cryptographic Hardware and Embedded Systems. Springer; 2004, August:357-370.
10. McKay KA, Bassham L, Turan MS, Mouha N. Report on Lightweight Cryptography. National Institute of Standards and Technology; 10.6028/NIST.IR.8114
(Accessed by January 13, 2022).
11. Hatzivasilis G, Fysarakis K, Papaefstathiou I, Manifavas C. A review of lightweight block ciphers. J Cryptogr Eng. 2018;8(2):141-184.
12. Eisenbarth T, Kumar S, Paar C, Poschmann A, Uhsadel L. A survey of lightweight-cryptography implementations. IEEE Des Test Comput.
2007;24(6):522-533.
13. Standaert FX, Piret G, Rouvroy G, Quisquater JJ, Legat JD. ICEBERG: an involutional cipher efficient for block encryption in reconfigurable hardware.
International Workshop on Fast Software Encryption. Springer; 2004:279-298.
14. Leander G, Paar C, Poschmann A, Schramm K. A family of lightweight block ciphers based on DES suited for RFID applications. Proceedings of FSE; 2007.
15. Poschmann A, Leander G, Schramm K, Paar C. New lightweight crypto algorithms for RFID. Paper presented at: 2007 IEEE International Symposium on
Circuits and Systems; 2007; (pp. 1843–1846). IEEE.
16. Shah A, Engineer M. A survey of lightweight cryptographic algorithms for iot-based applications. Smart Innovations in Communication and Computational
Sciences. Springer; 2019:283-293.
17. El Hadj Youssef W, Abdelli A, Dridi F, Brahim R, Machhout M. An efficient lightweight cryptographic instructions set extension for IoT device security.
Secur Commun Netw. Hindawi; 2022;2022(2):1–17.
18. Shibutani K, Isobe T, Hiwatari H, Mitsuda A, Akishita T, Shirai T. Piccolo: an ultra-lightweight blockcipher. International Workshop on Cryptographic Hardware and Embedded Systems. Springer; 2011:342-357.
19. Wheeler DJ, Needham RM. TEA, a tiny encryption algorithm. International Workshop on Fast Software Encryption. Springer; 1994:363-366.
20. Lim CH, Korkishko T. mCrypton–a lightweight block cipher for security of low-cost RFID tags and sensors. International Workshop on Information Security Applications. Springer; 2005:243-258.
21. Bogdanov A, Knudsen LR, Leander G, et al. PRESENT: an ultra-lightweight block cipher. International Workshop on Cryptographic Hardware and Embedded
Systems. Springer; 2007:450-466.
22. Rolfes C, Poschmann A, Leander G, Paar C. Ultra-lightweight implementations for smart devices–security for 1000 gate equivalents. International
Conference on Smart Card Research and Advanced Applications. Springer; 2008:89-103.
23. Shirai T, Shibutani K, Akishita T, Moriai S, Iwata T. The 128-bit blockcipher CLEFIA. International Workshop on Fast Software Encryption. Springer;
2007:181-195.
24. McKay K, Bassham L, Sönmez Turan M, & Mouha N. Report on Lightweight Cryptography (No. NIST Internal or Interagency Report (NISTIR) 8114 (Draft)).
National Institute of Standards and Technology; 2016.
25. Hong D, Sung J, Hong S, et al. HIGHT: a new block cipher suitable for low-resource device. International Workshop on Cryptographic Hardware and Embedded Systems. Springer; 2006:46-59.
26. Lim YI, Lee JH, You Y, Cho KR. Implementation of HIGHT cryptic circuit for RFID tag. IEICE Electron Exp. 2009;6(4):180-186.
27. Mohd BJ, Hayajneh T, Khalaf ZA, Ahmad Yousef KM. Modeling and optimization of the lightweight HIGHT block cipher design with FPGA implementation. Secur Commun Netw. 2016;9(13):2200-2216.
28. Standaert FX, Piret G, Gershenfeld N, Quisquater JJ. SEA: a scalable encryption algorithm for small embedded applications. International Conference on
Smart Card Research and Advanced Applications. Springer; 2006:222-236.
29. Knudsen L, Leander G, Poschmann A, Robshaw MJ. PRINTcipher: a block cipher for IC-printing. International Workshop on Cryptographic Hardware and
Embedded Systems. Springer; 2010:16-32. doi:10.1007/978-3-642-15031-9_2
30. Wu W, Zhang L. LBlock: a lightweight block cipher. International Conference on Applied Cryptography and Network Security. Springer; 2011:327-344.
31. Manifavas C, Hatzivasilis G, Fysarakis K, Papaefstathiou Y. A survey of lightweight stream ciphers for embedded systems. Secur Commun Netw.
2016;9(10):1226-1246.
32. Sarkar S, Banik S, Maitra S. Differential fault attack against grain family with very few faults and minimal assumptions. IEEE Trans Comput.
2014;64(6):1647-1657.
33. Hell M, Johansson T, Maximov A, Meier W. A stream cipher proposal: Grain-128. Paper presented at: 2006 IEEE International Symposium on Information
Theory; 2006; (pp. 1614–1618). IEEE.
34. Cannière CD. Trivium: a stream cipher construction inspired by block cipher design principles. International Conference on Information Security. Springer,
Berlin, Heidelberg; 2006: 171–186.
35. Cannière CD, Preneel B. Trivium. New Stream Cipher Designs. Springer; 2008:244-266.
36. Bernstein D. The Salsa20 family of stream ciphers. New Stream Cipher Designs. Vol 4986; Springer: 2008.
37. Engels D, Saarinen MJO, Schweitzer P, Smith EM. The Hummingbird-2 lightweight authenticated encryption algorithm. International Workshop on Radio Frequency Identification: Security and Privacy Issues. Springer; 2011:19-31.
38. Käsper E, Schwabe P. Faster and timing-attack resistant AES-GCM. International Workshop on Cryptographic Hardware and Embedded Systems. Springer;
2009:1-17.
39. Priya SSS, Priya SSS, Kumar PK, SivaMangai NM, Rejula V. “FPGA implementation of efficient AES encryption.” Paper presented at: 2015 International
Conference on Innovations in Information, Embedded and Communication Systems (ICIIECS); 2015; doi: 10.1109/iciiecs.2015.7193081
40. Park JH. Security analysis of mCrypton proper to low-cost ubiquitous computing devices and applications. Int J Commun Syst. 2009;22(8):959-969.
41. Mala H, Dakhilalian M, Shakiba M. Cryptanalysis of mCrypton—a lightweight block cipher for security of RFID tags and sensors. Int J Commun Syst.
2012;25(4):415-426.
42. Hernandez-Castro JC, Peris-Lopez P, Aumasson JP. On the key schedule strength of present. Data Privacy Management and Autonomous Spontaneus
Security. Springer; 2011:253-263.
43. Tezcan C. Improbable differential cryptanalysis. Proceedings of the 6th International Conference on Security of Information and Networks; 2013; (p.
457).
44. Özen O, Varıcı K, Tezcan C, Kocair Ç. Lightweight block ciphers revisited: cryptanalysis of reduced round PRESENT and HIGHT. Australasian Conference on Information Security and Privacy. Springer; 2009:90–107.
45. Wang Y, Wu W, Yu X, Zhang L. Security on LBlock against biclique cryptanalysis. International Workshop on Information Security Applications. Springer;
2012:1-14.
46. Dinur I, Shamir A. Breaking Grain-128 with dynamic cube attacks. International Workshop on Fast Software Encryption. Springer; 2011:167-187.
47. Lee Y, Jeong K, Sung J, Hong S. Related-key chosen IV attacks on Grain-v1 and grain-128. Australasian Conference on Information Security and Privacy.
Springer, Berlin, Heidelberg; 2008:321–335.
48. Dinur I, Shamir A. Cube attacks on tweakable black box polynomials. Annual International Conference on the Theory and Applications of Cryptographic
Techniques. Springer; 2009:278–299.
49. Aumasson JP, Dinur I, Meier W, Shamir A. Cube testers and key recovery attacks on reduced-round MD6 and Trivium. International Workshop on Fast
Software Encryption. Springer; 2009:1-22.
50. Potestad-Ordóñez FE, Jiménez-Fernández CJ, Valencia-Barrero M. Vulnerability analysis of trivium fpga implementations. IEEE Trans Very Large Scale
Integr Syst. 2017;25(12):3380-3389.
51. Engels D, Fan X, Gong G, Hu H, Smith EM. Hummingbird: ultra-lightweight cryptography for resource-constrained devices. International Conference on
Financial Cryptography and Data Security. Springer, Berlin, Heidelberg; 2010:3–18.
52. Damgård K, Frederiksen TK. Lightweight Cryptography; 2019.
53. Shweta V Pawar, Pattanshetti TR. Lightweight cryptography: a survey. International Research Journal of Engineering and Technology (IRJET). 2018;5(5):1-5.
54. John J. Cryptography for resource constrained devices: a survey. Int J Comput Sci Eng. 2012;4(11):1766.
55. Appel M, Bossert A, Cooper S, Kußmaul T, Löffler J, Pauer C, Wiesmaier A. Block ciphers for the iot–simon, speck, katan, led, tea, present, and sea
compared. Paper presented at: Proc. Appel Block CF; 2016; (pp. 1-37).
56. Mace F, Standaert FX, Quisquater JJ. ASIC implementations of the block cipher sea for constrained applications. Proceedings of the Third International
Conference on RFID Security-RFIDSec; 2007; (Vol. 2007, pp. 103-114).
57. Maitra S, Paul G, Meier W. Salsa20 cryptanalysis: new moves and revisiting old styles. Cryptology ePrint Archive; 2015.
58. Borghoff J. Cryptanalysis of Lightweight Ciphers; [PhD thesis]. Technical University of Denmark, DTU Mathematics, Department of Mathematics; 2011.
59. Jha VK. Cryptanalysis of Lightweight Block Ciphers. Master’s thesis. Aalto University School of Science Degree Programme of Computer Science and
Engineering; 2011.
60. Williams D. The tiny encryption algorithm (tea). Netw Secur. 2008;1-14.
61. Aumasson JP, Dinur I, Henzen L, Meier W, Shamir A. Efficient FPGA Implementations of High-Dimensional Cube Testers on the Stream Cipher Grain-128.
Cryptology ePrint Archive; 2009.
62. Cheng H, Heys HM. Compact ASIC implementation of the ICEBERG block cipher with concurrent error detection. Paper presented at: 2008 IEEE
International Symposium on Circuits and Systems; 2008; (pp. 2921–2924). IEEE.
63. Alani MM. Neuro-cryptanalysis of DES and triple-DES. International Conference on Neural Information Processing. Springer, Berlin, Heidelberg;
2012:637–646.
64. Danziger M, Henriques MAA. Improved cryptanalysis combining differential and artificial neural network schemes. Paper presented at: 2014 International Telecommunications Symposium (ITS); 2014; (pp. 1–5). IEEE.
65. Hu X, Zhao Y. Research on plaintext restoration of AES based on neural network. Secur Commun Netw. 2018;2018:6868506.
66. So J. Deep learning-based cryptanalysis of lightweight block ciphers. Secur Commun Netw. 2020;2020:3701067.
67. Hornik K, Stinchcombe M, White H. Multilayer feedforward networks are universal approximators. Neural Netw. 1989;2(5):359-366.
68. Aboushosha B, Ramadan RA, Dwivedi AD, El-Sayed A, Dessouky MM. SLIM: a lightweight block cipher for internet of health things. IEEE Access.
2020;8:203747-203757.
69. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. Annual International Cryptology Conference. Springer, Berlin, Heidelberg;
2001:213–229.
70. Tan CC, Wang H, Zhong S, Li Q. IBE-lite: a lightweight identity-based cryptography for body sensor networks. IEEE Trans Inf Technol Biomed.
2009;13(6):926-932.
71. Shirai T, Shibutani K, Akishita T, Moriai S, Iwata T. The 128-Bit block cipher CLEFIA (Extended Abstract). Paper presented at: International Workshop
on Fast Software Encryption; 2007; (pp. 181–195).
72. Lightweight Cryptography Working Group. Cryptographic Technology Guideline (Lightweight Cryptography); 2017. https://www.cryptrec.go.jp/report/cryptrec-gl-2003-2016en.pdf
73. Bogdanov A. Attacks on the KeeLoq block cipher and authentication systems. Paper presented at: 3rd Conference on RFID Security; 2007; (Vol. 2007).
74. Singh P, Kaur S, Singh S. Cryptography: an art of data hiding. Int J Comput Commun Syst Eng (IJCCSE). 2015;2(1):117-120.
How to cite this article: Bhagat V, Kumar S, Gupta SK, Chaube MK. Lightweight cryptographic algorithms based on different model
architectures: A systematic review and futuristic applications. Concurrency Computat Pract Exper. 2022;e7425. doi: 10.1002/cpe.7425
... The Functional Encryption technique can also be used among such methods, making the network robust against attacks. [12][13][14] When a dense urban network is considered, the number of UEs operating in the region is huge. These UE can transmit and receive data from various other UE nodes. ...
... These equations will then directly be uploaded to the AVISPA tool in which the back-ends will perform the functions. The HLPSL equations for the proposed methodology of step 1 are written as following equations from (1)- (12). ...
Article
In the current landscape, the rapid expansion of the internet has brought about a corresponding surge in the number of data consumers. As user volume and diversity have escalated, the shift from conventional, uniform networks to Heterogeneous Networks (HetNets) has emerged. HetNets are designed with a primary objective: enhancing Quality of Service (QoS) standards for users. In the context of HetNets facilitated by Unmanned Aerial Vehicles (UAVs), a substantial influx of users and devices is observed. Within this multifaceted environment, the potential for malicious intruder nodes to efficiently execute and propagate harmful actions across the network is a distinct concern. Consequently, the entirety of network communication becomes susceptible to a multitude of security threats. To address these vulnerabilities and safeguard communication, the Functional Encryption (FE) technique is employed. FE empowers the protection of data against intrusion attacks. This paper presents a comprehensive methodology for implementing FE within UAV-integrated HetNets, executed in two sequential phases. The initial phase secures communication between User Equipment (UE) and Micro Base Station (MBS), followed by the second phase, which focuses on securing communication among MBS and UAV. The viability of the proposed approach is substantiated through validation using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. The validation process involves the development of High-Level Protocol Specification Language (HLPSL) codes. The successful security validation outcome underscores the capacity of the proposed methodology to provide the intended security measures and robustness to the network environment.
... To address this, the scientific literature explores lightweight cryptographic algorithms as potential solutions. These algorithms aim to mitigate the computational impact of security measures, striking a balance between cost and performance to enhance human security and privacy [14][15] [16]. ...
... AES as being a standardized algorithm (in 2001) by NIST is the block cipher which can work in different key size either in 128, 192 or 256 bits. Implored as a better algorithm as no attacks are able to distort its security as most end at round 6 thus AES with its extra rounds (10,12,14) according to the key size ensure better security and unbreakable algorithm as it works based on substitution and permutation network [53]. As different researchers went through different implementations, they came to different aspect to as improvement of AES such as efficiency in the power consumption as implied in paper also others implied to achieve better design of the energy as bringing the power consumption to the minimum while ensuring high throughput and ensure low cost of production as illustrated by [53] [54]. ...
Article
The paper examines the rising significance of security in Internet of Things (IoT) applications and emphasizes the need for lightweight cryptographic solutions to protect IoT devices. It acknowledges the growing prevalence of IoT in various fields, where sensors collect data, and computational systems process it for action by actuators. Due to IoT devices' resource limitations and networked nature, security is a concern. The article compares different lightweight cryptographic block cipher algorithms to determine the best approach for securing IoT devices. It also discusses the merits of hardware versus software solutions and explores potential security threats, including intrusion and manipulation. Additionally, the article outlines future work involving the implementation of the trusted Advanced Standard Encryption block cipher in IoT devices, including its use in quick-response (QR) code scanning and messaging platforms. It acknowledges existing drawbacks and suggests areas for improvement in IoT system performance and security.
... A stream cipher is a cryptographic technique that operates on a digital data stream by encrypting it on a per-bit or per-byte basis [13]. In this work, we use the Lightweight Chacha20 Stream cipher algorithm. ...
... Initial State Matrix and Even/ odd Rounds (a, b)[13]. ...
Article
Nowadays, lightweight cryptography attracts academicians, scientists and researchers to concentrate on its requisite with the increasing usage of low resource devices. In this paper, a new lightweight encryption scheme is proposed using the chaotic map. This encryption scheme is an addition–rotation–XOR block cipher designed for its supremacy, efficacy and speed execution. In this addition–rotation–XOR cipher, the equation for chaotic map is iteratively solved to generate unique random numbers in a speedy manner using the logistic and Chirikov map. Chaotic maps, encryption algorithms, and cryptography are three approaches that are frequently used to safeguard digital data from unauthorized access and use. Chacha20 is a lightweight encryption algorithm, fast and secure and provides a balance between high security and little complexity and execution time the addition, in this work the development of the Chacha20 algorithm is used to provide the required security for data transmission. Therefore, we created a randomness key to power the algorithm against various attacks Using the chaotic map to generate a random key for the encryption/decryption operations to improve the diffusion of the ChaCha20 cryptography algorithm's stream secret key. Finally, the cipher results are constructed from the input data and evaluated with various statistical as well as randomness tests correlation coefficient, SNR, and UAIC metrics prove that the proposed enhancement of the Chaha20 stream cipher algorithm (EChacha20) with chaotic addition–rotation–XOR stream cipher is efficient in terms of randomness and speed. For the end discussed complete models with security measures in this research
... The IoTID20 Dataset is suggested in this research as a mechanism for identifying IoT device incursion in smart homes and medical settings. The prediction system recognizes the incursion and accomplishes the following goals using a deep learning method [14,15]. ...
Article
Due to the enormous volume of data produced by the IoT, effective intrusion detection is necessary to protect confidential and sensitive information before an attack. This article presents a five-layered system for detecting intrusion in huge datasets. This work uses the construction of brand-new specialized features to increase the rate at which the machine model learns and decrease misperceptions while it is learning. We first examine the literature for the most important problems and difficulties. We also suggest a course of action using several important design principles for search strategy support tools in systematic literature reviews. The limitations of this study may include constrained testing scenarios that might not encompass the full spectrum of real-world IoT threats, potential challenges in accurately simulating all possible attack vectors, and the dependence on available machine learning algorithms which might not cover emerging threats comprehensively. Additionally, the study's outcomes might be influenced by the selected hardware and software configurations, potentially limiting the generalizability of the results across diverse IoT device types and environments.
... Permutation involves shifting data bits or bytes, whereas substitution includes replacing plaintext pieces with non-related counterparts (Hu & Zhao, 2019) (Rana, Mondal, & Kamruzzaman, 2023). To aid this critical step, prominent block ciphers use one or more substitution boxes (S-boxes) (Bhagat, Kumar, Gupta, & Chaube, 2023). An S-box is a critical component in current block ciphers, helping to generate elaborate ciphertext from plaintext (Heys, 2020) (Hamza & Kumar, 2020). ...
Article
In the evolving landscape of digital technology, the imperative for robust data security mechanisms has escalated, given the increasing sophistication of cyber threats. This abstract delineates a study focused on enhancing cryptographic defenses through the innovation of a Substitution box (S-Box), which is pivotal in the architecture of modern encryption algorithms. The proposed S-Box, deriving its foundation from chaotic maps integrated with trigonometric-multiplicative functions, represents a novel approach in cryptographic design, utilizing square root arguments to instigate dynamic characteristics. The evaluation of the proposed S-Box was methodically conducted using a comprehensive set of cryptographic benchmarks including Nonlinearity (NL), Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), Linear Approximation Probability (LP), and Differential Approximation Probability (DP), to ascertain its defensive robustness against cryptanalytic attacks. The comparative analysis delineated in this study reveals that the cryptographic strength of the proposed S-Box transcends that of other contemporaneously designed S-Boxes thereby underscoring its potential applicability in real-world security scenarios. The findings of this research not only contribute to the theoretical underpinnings of cryptographic security but also have practical implications in the development of more secure digital environments fortifying data against unauthorized access and ensuring the integrity of confidential information in digital communications.
... The physical security challenges faced by IoT systems highlight the need for lightweight cryptographic algorithms and primitives that can address both resource limitations and security levels [2][3][4]. The need for lightweight ciphers featuring efficient implementations of non-linear S-boxes for practical IoT applications is discussed in [5][6][7]. The substantial factor of consideration also encompasses the desirable resistance of lightweight S-boxes to linear and differential cryptanalysis. ...
Preprint
The Substitution Box (S-Box) plays a critical role in several block cipher cryptosystems due to its ability to provide essential properties of non-linearity and confusion. Therefore, incorporating a strong S-Box is critical for ensuring a high level of security and optimal performance of block cipher algorithms. In recent years, a variety of S-boxes have been developed, which fall into different robustness categories, such as high, medium, or low. Examining the robustness of an S-box to enhance cryptosystems in terms of security is a challenging task. Although parameters such as Bit Independence Criterion (BIC), Nonlinearity (NL), Strict Avalanche Criterion (SAC), Linear Approximation Probability (LP), and Differential Uniformity (DU) can be useful to determine the robustness levels, manually evaluating each S-box is an ineffective and time-consuming approach. To overcome this challenge, a machine learning model is developed, utilizing the parameters that evaluate the strength of the S-box as features. Additionally, a novel lightweight image encryption scheme suited for IoT applications is also proposed, incorporating various S-boxes. Implementing robust S-boxes also strengthens the security of the proposed encryption scheme. However, to enhance its security further, four distinct cryptographic techniques such as chaotic maps, Discrete Wavelet Transform (DWT), Substitution Box (S-box), and Dynamic Random Phase Encoding (DRPE) are employed. To evaluate the efficiency of the proposed encryption scheme in terms of statistical and visual analysis, numerous parameters are considered, including entropy, correlation, contrast, energy, noise and cropping attack analysis, histogram analysis, correlation, entropy, differential analysis, occlusion attack, noise attack, and speed performance analysis. Moreover, a detailed comparison is performed between the proposed and existing encryption schemes to demonstrate that the proposed approach is more efficient than existing ones.
Article
Automated reading of license plate and its detection is a crucial component of the competent transportation system. Toll payment and parking management e-payment systems may benefit from this software’s features. License plate detection and identification algorithms abound, and each has its own set of strengths and weaknesses. Computer vision has advanced rapidly in terms of new breakthroughs and techniques thanks to the emergence and proliferation of deep learning principles across several branches of AI. The practice of automating the monitoring process in traffic management, parking management, and police surveillance has become much more effective thanks to the development of Automatic License Plate Recognition (ALPR). Even though license plate recognition (LPR) is a technology that is extensively utilized and has been developed, there is still a significant amount of work to be done before it can achieve its full potential. In the last several years, there have been substantial advancements in both the scientific community’s methodology and its level of efficiency. In this era of deep learning, there have been numerous developments and techniques established for LPR, and the purpose of this research is to review and examine those developments and approaches. In light of this, the authors of this study suggest a four-stage technique to automated license plate detection and identification (ALPDR), which includes, image pre-processing, license plate extraction, character segmentation, and character recognition. And the first three phases are known as “extraction,” “pre-processing,” and “segmentation,” and each of these processes has been shown to benefit from its own unique technique. In light of the fact that character recognition is an essential component of license plate identification and detection, the Convolution Neural Network (CNN), MobileNet, Inception V3, and ResNet 50 have all been put through their paces in this regard.
Article
UAVs or Drones can be used to support wireless communication by acting as flying or mobile Base Stations for the accumulation of the different types of data to train the models. However, in traditional or DL-based UAVs, the raw data is sent from the devices to the centralized server, which causes problems in terms of the privacy of the devices and the UAVs’ communication resources or limited processing. Therefore, the issue with DL-based UAVs is that sending the original data to the centralized body raises questions about security and privacy. The transmission of distributed, unprocessed data from the drones to the cloud, including interactive media information data types, requires a significant amount of network bandwidth and more energy, which has an enormous effect on several trade-offs, including communication rates and computation latencies. Data packet loss caused by asynchronous transmission, which doesn’t prevent peer-to-peer communication, is a concern with AFL-based UAVs. Therefore, in order to address the aforementioned issues, we have introduced SFL-based UAVs that focus on creating algorithms in which the models simultaneously update the server as they wait for all of the chosen devices to communicate. The proposed framework enables a variety of devices, including mobile and UAV devices, to train or learn their algorithms for machine learning before updating the models and parameters simultaneously to servers or manned aerial data centers for model buildup without transferring their original private information. This decreases packet loss and privacy threats while also enhancing round effectiveness as well as model accuracy. The comparative analysis of AFL and SFL techniques in terms of accuracy, global rounds, and communication rounds are offered. Simulation findings suggest that the proposed methodology improves in terms of global rounds and accuracy.
Article
The Internet of Things is changing all sectors such as manufacturing, agriculture, city infrastructure, and the automotive industry. All these applications ask for secure processors that can be embedded in the IoT devices. Furthermore, these devices are restricted in terms of computing capabilities, memory, and power consumption. A major challenge is how to meet the need for security in such resource-constrained devices. This paper presents a customized version of LEON3, the ReonV RISCV (Reduced Instruction Set Computer-five) processor, dedicated for IoT applications that has strong effective security mechanisms built in at the design stage. Firstly, efficient lightweight cipher designs are elaborated and validated. Then, the proposed cryptographic instructions (PRESENT and PRINCE) are integrated into the default instruction set architecture of the ReonV processor core. The instruction set extensions (ISE) of lightweight cipher modules can be instantiated in software routines exactly as the instructions of the base architecture. A single instruction is needed to implement a full lightweight cryptographic instruction. The customized ReonV RISCV processor is implemented on a Xilinx FPGA platform and is evaluated for Slice LUTs plus FF-pairs, frequency, and throughput. Obtained results show that our proposed concepts not only can achieve good encryption results with high performance and reduced cost but also are secure enough to resist against the most common attacks.
Article
Nowadays, there is a strong demand for increasing the protection of resource-constrained devices such as Radio-frequency identification (RFID) systems. Current cryptographic algorithms are sufficient for high-resource desktop computers. RFID systems are commonly used in high-security applications such as access control systems, transaction banking systems, and payment systems. The attacker attempts to mislead RFIDs for unauthorized access to services without payment or to circumvent security mechanisms by detecting a secret password. The biggest challenge in RFID systems is how to ensure successful protection against such infringements. Lightweight cryptography can provide security assurance for protecting RFID systems. This paper presents a new ultra-lightweight cryptography algorithm for RFID systems called Agile. Agile is a 32-bit block cipher based on the Feistel structure since block ciphers are the most commonly used cryptographic and provide very tight protection for IoT devices. The key challenge in designing a lightweight block cipher is to cope with performance, cost, and security. Agile, like all symmetric block cipher, uses the same key for encryption and decryption. The proposed algorithm has an excellent performance in both hardware and software environments, with a limited implementation area, an acceptable cost/security for RFID systems, and an energy-efficient behaviour. Agile has demonstrated high immunity against the most effective linear and differential cryptanalysis attacks and has a sufficient margin of defence against these attacks.
Article
Most of the traditional cryptanalytic technologies often require a great amount of time, known plaintexts, and memory. This paper proposes a generic cryptanalysis model based on deep learning (DL), where the model tries to find the key of block ciphers from known plaintext-ciphertext pairs. We show the feasibility of the DL-based cryptanalysis by attacking on lightweight block ciphers such as simplified DES, Simon, and Speck. The results show that the DL-based cryptanalysis can successfully recover the key bits when the keyspace is restricted to 64 ASCII characters. The traditional cryptanalysis is generally performed without the keyspace restriction, but only reduced-round variants of Simon and Speck are successfully attacked. Although a text-based key is applied, the proposed DL-based cryptanalysis can successfully break the full rounds of Simon32/64 and Speck32/64. The results indicate that the DL technology can be a useful tool for the cryptanalysis of block ciphers when the keyspace is restricted.
Article
In the 21st century, Internet of Things (IoT) has become pivotal technology and has attracted worldwide attention in the smart computing environment. In order to enjoy the benefits of this new environment, security is considered as the main aspect in constrained end nodes. Ordinary cryptographic solutions are not sufficient for resource constraint devices. To fulfill this gap, a relatively new field of cryptography called lightweight cryptography came into existence. Furthermore, designing lightweight ciphers especially software oriented poses some significant limits and inherent conditions. Some design considerations of a lightweight encryption algorithm and tradeoffs for minimizing resource requirements are presented in this paper. Also, for a cipher, it is necessary to provide strong resistance against attacks. In this paper different countermeasures to prevent from attacks are also presented. By considering the performance-enhancing ideas presented in this paper, a new GFN based lightweight block cipher is proposed. A cipher design has two main parts; internal structure and key schedule. The internal structure of the proposed design has three layers in which operations are so arranged that it utilizes small code size and has fast diffusion. Besides, design of newly proposed cipher is such that it thwarts the effect of most of the attacks. In a nutshell, this paper serves as a base for designing good lightweight cipher for resource constraint smart IOT environment. Index Terms: design considerations, lightweight block ciphers, performance enhancement, prevention from attacks.
Conference Paper
The emergence of Internet of Things (IoT) devices is challenging the conventional design targets for integrated systems such as energy efficiency, cost, noise, and performance. With the prospected proliferation of IoT devices with 5G networks, ensuring safe margins for these design targets will become even more crucial due to the limited battery life and significant physical constraints. Additionally, IoT devices are quite vulnerable to hardware attacks since they are typically more accessible to an attacker as compared to the other general purpose computing devices. The limitations, when combined with the cost constraints make the design of security measures for the IoT devices quite challenging. Regardless of these constraints, IoT devices still need to perform a certain level of secure computation by utilizing encryption algorithms. Subsequently, new specific cryptographic algorithms designed and developed to be adequate for implementation in resource-constrained devices such as RFID systems, smart card, and wireless sensor networks known as lightweight cryptographic algorithms. In this paper, a survey is conducted to compare between selected lightweight cryptographic algorithms. There are two types of lightweight cryptography algorithms known as block ciphers and stream ciphers, both are presented in this paper. Their security features and performances of hardware implementations are also analyzed.
Article
Known plaintext attack is a common attack method in cryptographic attack. For ciphertext, only known part of the plaintext but unknown key, how to restore the rest of the plaintext is an important part of the known plaintext attack. This paper uses backpropagation neural networks to perform cryptanalysis on AES in an attempt to restore plaintext. The results show that the neural network can restore the entire byte with a probability of more than 40%, restoring more than half of the plaintext bytes with a probability of more than 63% and restoring more than half of the bytes above 89%.
Article
I-PRESENT was a lightweight SPN block cipher for resource-constraint environments such as RFID tags and sensor networks. The biclique structures of I-PRESENT with sieve-in-the-middle technique was constructed. The biclique cryptanalysis schemes on full-round I-PRESENT-80 and I-PRESENT-128 were proposed for the first time. The results show that the data complexity of the biclique cryptanalysis on I-PRESENT-80 and I-PRESENT-128 is 2^26 and 2^36 chosen ciphertexts respectively, and the time complexity on them is 2^79.48 and 2^127.33 encryptions respectively. The time and data complexity are better than that of the exhaustive attack. In addition, the time complexity on them can be reduced to 2^78.61 and 2^126.48 encryptions by using related-key technology of I-PRESENT. © 2017, Editorial Board of Journal on Communications. All rights reserved.
Article
Today, the large amount of information exchanged among various devices as well as the growth of the Internet of Things (IoT) demand the development of devices that ensure secure communications, preventing malicious agents from tapping sensitive data. Indeed, information security is one of the key challenges to address within the IoT field. Due to the strong resource constraints in some IoT applications, cryptographic algorithms affording lightweight implementations have been proposed. They constitute the so-called lightweight cryptography. A prominent example is the Trivium stream cipher, one of the finalists of the eSTREAM project. Although cryptographic algorithms are certainly simpler, one of their most critical vulnerability sources in terms of hardware implementations is side channel attacks. In this paper, it is studied the vulnerability of field-programmable gate array (FPGA) implementations of Trivium stream ciphers against fault attacks. The design and implementation of a system that alters the clock signal and checks the outcome is also described. A comparison between real and simulated fault injections is carried out in order to examine their veracity. The vulnerability of different versions of the Trivium cipher and their routing dependences has been tested in two different FPGA families. The results show that all versions of the Trivium cipher are vulnerable to fault attacks, although some versions are more vulnerable than others.
Conference Paper
Internet of things (IoT) is communication between smart objects and human. It finds enormous applications in the field of healthcare monitoring, information management system, agriculture, predicting the natural disaster etc. In all those applications of IoT, security plays a vital role. In this paper, a study on various encryption light weight techniques used for IoT was analyzed. Also the performance of those existing algorithms is analyzed in detail based on the constraint and merits of the IoT. This detailed survey is made towards obtaining a tradeoff between security, cost and performance of IoT based application.