Recent Advances and Trends in Lightweight Cryptography for IoT Security

Abstract—Lightweight cryptography is a departure from conventional cryptography that aims to minimise the latter's high resource requirements so that it fits the internet-of-things (IoT) environment. The IoT platform is constrained in physical size, processing capability, storage such as RAM/ROM and data rates. The devices are often battery powered, so the charge must last at least a few years. Providing sufficient security is therefore challenging, because the existing cryptographic methods are too heavy to adopt on IoT devices. Consequently, interest arose in the recent past in constructing new cryptographic algorithms at a lightweight scale, but these attempts still struggle to gain robustness against increasingly capable IoT threats and hazards. Literature studies that offer an overall and up-to-date view of lightweight cryptography are lacking. This effort therefore bridges the areas of the subject by summarising the content we explored during our recent complete survey. This work covers the development of lightweight cryptographic algorithms, their current advancements and prospective enhancements, along with the history, the parametric limitations of the invented methods, and research progress in both cryptology and cryptanalysis.


I. INTRODUCTION
In modern cryptography, AES (Advanced Encryption Standard), DES (Data Encryption Standard) and RSA (Rivest-Shamir-Adleman) are effective in general-purpose computing because their resource requirements are matched by the platform, i.e., high-end processors, large memories in gigabytes/terabytes, etc. The nature of the internet-of-things (IoT) is quite distinct because of its constrained resources, i.e., low-end processors, small data rates in kbps, etc. Therefore, executing the conventional methods on IoT devices would degrade device performance and/or cause malfunction across the overall application deliverables, i.e., fast battery drainage, high latency, etc. Thus, a whole new cryptographic perspective towards lightweight inventions for IoT security is crucial.
Interest in lightweight cryptography has existed in research for about ten years now. Nevertheless, conventional cryptography itself also began on a lightweight scale a few decades ago, compatible with the very first 4-bit microprocessors, i.e., A5/1, CMEA, DSC, etc. [1]. Each of those methods was eventually either broken or reverse engineered, owing to the simplicity of its operations.
IoT threats and hazards are probably much more advanced and sophisticated, hence the aim must be increased security for decreased resource requirements. In addition, safety assurance over IoT transmission technologies/protocols, i.e., ZigBee, BLE, LoRaWAN, etc., is an unavoidable necessity for accurate encryption/decryption and encoding/decoding.
Lightweight cryptography is categorised as symmetric, asymmetric and hash. At present, many symmetric and hash implementations are available to try in practical systems, i.e., PRESENT, KLEIN, PHOTON, etc., whereas comparatively few asymmetric algorithms are accessible, i.e., elliptic light (ELLI) derived from elliptic curve cryptography (ECC). Because of the difficulties traditional public-key methods face on such a constrained platform, it is extremely challenging to find ways to gain asymmetric adaptability. Even so, researchers continue to pursue asymmetric approaches, i.e., cryptoGPS, ALIKE, etc., and to look towards post-quantum and lattice-based cryptography, in order to provide a better quality-of-service (QoS).
Predictions in the 2000s were that lightweight hash functions would be problematic to implement, and that hybrid techniques combining conventional hash methods with lightweight block ciphers would be a solution [2]. Several lightweight hash inventions have since been introduced in theory, but their performance is yet to be verified in practice. Immense attention has been given to block ciphers from the beginning, and stream ciphers became a trend after a while. Moreover, sponge-based (SP) hash/message authentication code (MAC) constructions, dedicated authenticated ciphers (authenticated encryption, AE), SP-based AE and block cipher (BC) based AE are available in academic and industrial research [3]. Fig. 1 illustrates the number of lightweight algorithms published from 1994 to 2019.
Lightweight cryptography is subdivided considering its applications/limitations as follows [4];
• Ultra-lightweight: tailored to specific areas of the algorithm, i.e., selected microcontrollers (µC)/cipher sections/operations, e.g., PRESENT and Grain (low gate count in hardware), QARMA (low latency in hardware) and Chaskey (high speed on µCs)
• Ubiquitous lightweight: compatible with a wide variety of platforms, i.e., 8b to 32b µCs, e.g., Ascon, GIMLI and
Inventions, observations and adaptation of lightweight cryptography are still emerging, so the outcomes are rapidly being updated over widely distributed areas. Therefore, literature studies are very useful references for researchers to acquire up-to-date information. Recent survey publications mainly concern a narrowed-down subject area (a specific algorithmic group or experimental type). Thus, our effort is to bridge all areas associated with lightweight cryptography to offer a comprehensive overview.
This complete survey summarises the history and the development of all available algorithm types, followed by the standardisation process, benchmarking and finally security analysis including side-channel leakage. It also identifies research gaps to be addressed in the future.

II. LIGHTWEIGHT CRYPTOGRAPHY

A. History
The earliest applications of lightweight algorithms go back to the late 1980s. Many of them were broken shortly after publication. Their upgraded versions continued in use, but eventually many were replaced by AES due to its superior strength and flexibility. Table 3 of [1] lists some ciphers used historically that were at lightweight scale.

B. Development
Cryptographic designs combine linear and non-linear operations. Non-linearity makes the output unpredictable (confusion), whereas the linear operations provide diffusion, i.e., after a few rounds of a round-based function every output bit depends on every input bit. The current trends in lightweight primitives are listed in Table I along with some examples.
The attainable hardware footprint depends on the programming language too. Consequently, attention has been refocused on assembly-language implementations. Beyond that, the ultimate level of lightweight-ness may be reachable if security functions are executed by lightweight scripting languages, i.e., Io, Wren, Squirrel, etc., although there is no evidence of any attempt at this yet.

III. SYMMETRIC LIGHTWEIGHT CRYPTO
These are usually adapted from a conventional algorithm, and the improved lightweight architecture is introduced either as a new version or under a new name, i.e., AES-based lightweight techniques [5]-[7], and Prince and PRESENT derived from the AES S-box [8]. The majority are still in their trial phases because of deficiencies, inadaptability to IoT devices and inaccuracy in decryption results.

A. Block ciphers
These make the largest contribution. The most common block ciphers, with their usual parameters, are listed in Table II; additional ones may be found in [1], [2], [9]-[11]. Among them, KLEIN, Lilliput, PRESENT, Rectangle and Skinny are known as ultra-lightweight because their key sizes, block sizes and round counts are at the low end of the range. XTEA, an extended version of TEA, is considered very fast. The Simon and Speck families [12] were once very promising because of their scalability, but confidence in their security later declined.
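As an added example (not code from this survey or from the PRESENT designers), the following Python implementation of PRESENT-80, the ultra-lightweight SPN cipher named above, makes the confusion/diffusion split of Section II.B concrete: the only non-linear operation is the 4-bit S-box, and the only linear mixing is a bit permutation. It checks the cipher against the published all-zero test vector and then measures how a single flipped plaintext bit spreads through the 64-bit state round by round. The plaintext and key used for the avalanche measurement are constructed sample values.

```python
# Added example: PRESENT-80 in plain Python, used to observe diffusion.
# Not the survey's code; the S-box and key schedule follow the PRESENT
# specification, the avalanche inputs are constructed samples.

# PRESENT 4-bit S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def sbox_layer(state):
    """Non-linear layer: apply the S-box to each of the 16 nibbles."""
    out = 0
    for i in range(16):
        out |= SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def p_layer(state):
    """Linear layer: bit i moves to position 16*i mod 63 (bit 63 stays put)."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << (63 if i == 63 else (16 * i) % 63)
    return out


def round_keys(key80):
    """PRESENT-80 key schedule: 32 round keys of 64 bits each."""
    keys = []
    k = key80 & MASK80
    for rnd in range(1, 32):
        keys.append(k >> 16)                       # leftmost 64 bits of the register
        k = ((k << 61) | (k >> 19)) & MASK80       # rotate the 80-bit register left by 61
        k = (k & ~(0xF << 76)) | (SBOX[(k >> 76) & 0xF] << 76)  # S-box on the top nibble
        k ^= rnd << 15                             # XOR round counter into bits 19..15
    keys.append(k >> 16)
    return keys


def encrypt(plaintext, key80, rounds=31):
    """Encrypt one 64-bit block. With rounds < 31 the intermediate state is
    returned without the final key whitening, which the avalanche test needs."""
    rks = round_keys(key80)
    s = plaintext & MASK64
    for r in range(rounds):
        s ^= rks[r]
        s = sbox_layer(s)
        s = p_layer(s)
    if rounds == 31:
        s ^= rks[31]
    return s


def avalanche(plaintext, key80, bit, max_rounds=31):
    """Hamming distance between the states of pt and pt ^ (1 << bit) after
    1..max_rounds rounds. Full diffusion drives it towards ~32 of 64 bits;
    after round 1 at most one S-box differs, so at most 4 bits can change."""
    flipped = plaintext ^ (1 << bit)
    return [bin(encrypt(plaintext, key80, r) ^ encrypt(flipped, key80, r)).count("1")
            for r in range(1, max_rounds + 1)]


if __name__ == "__main__":
    # Published PRESENT-80 test vector: zero key, zero plaintext.
    assert encrypt(0, 0) == 0x5579C1387B228445
    # Constructed sample inputs for the avalanche measurement.
    print("bits changed per round:",
          avalanche(0x0123456789ABCDEF, 0x00112233445566778899, bit=5))
```

The per-round distances show why a cipher needs its full round count: the single S-box touched in round 1 changes at most four bits, and only after several rounds of permutation-then-substitution does the difference reach roughly half of the state. This is also the quantity a security margin (Section VII) is measured against.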

B. Stream ciphers
Current implementations are listed in Table III. Enocoro-80, Grain and Trivium [2] are known to be well suited as lightweight primitives. Even though A2U2 has the smallest key size, it would probably be insecure at this stage, since adequate robustness is benchmarked above a 72-bit key size in cryptography.

C. Dedicated AE
Available AE methods are listed in Table IV. ACORN, Ascon and Hummingbird-2 currently attract the greatest interest because of their promising functionality towards adequate security [14]. Nonetheless, Hummingbird-2 is still vulnerable to differential attacks in a related-key setting. Nonce-misuse issues have been identified in Helix, and FIDES was broken shortly after its publication. Full-round NORX v2 is affected by forgery and key-recovery attacks, so a later version was introduced to prevent them [15], [16].

D. MAC
These are the least represented. The widely accepted one is Chaskey, whose internal state (IS), key and block sizes are all 128b. It is an ARX-based method requiring 3334.33 GE at an operating clock frequency of 1 MHz for signing. The other is SipHash, which has a 128b key, a 64b block/tag size and a 256b IS. The latest NIST report [3] approves TuLP and LightMAC as well.

IV. ASYMMETRIC LIGHTWEIGHT CRYPTO
Research outcomes of asymmetric implementations are still at a preliminary stage. Satisfactory theoretical results can be seen in ECC [9], [17]-[19], ELLI [11] and hyper-elliptic curve cryptography (HECC) [20], all based on (hyper-)elliptic curves. These are approved by both ISO/IEC and NIST standards. Alternative efforts are ALIKE and cryptoGPS, recommended by ISO/IEC; post-quantum multivariate quadratic (MQ) algorithms considered by NIST; and N-th degree truncated polynomial ring (NTRU), a lattice-based technique.
Among those, ECC is known for short key lengths, low processing time on an 8-bit µC and small signatures [19]. NTRU is efficient at about 3000 GE while keeping signatures short, but it demands a high degree of parameter flexibility because of its instability [21]. MQ algorithms, on the other hand, still struggle with robustness, enormous key lengths and cost.
V. HASH FUNCTIONS
Numerous lightweight hashing solutions exist, where the Keccak, Quark and SPONGENT [22] families keep enhancing their versions to improve performance. Keccak is in high demand because of its small digest and code size. Although PHOTON [23] is considered equally, its code is slightly longer. Table V contains typical parameter values of those. Other methods include Armadillo, QUARK, Lesamnta-LW, GLUON and SPN-Hash [1], [3], [14]. The step-by-step internal mathematical process of lightweight hashing is available in [11].

VI. STANDARDISATION
standards in issues of NISTIR 8268 and NISTIR 8114. NIST is conducting a global lightweight cryptography competition to verify performance [14]. The winners will be finalised before the end of this year. In addition, its post-quantum cryptography standardisation competition would probably provide useful insights on asymmetric lightweight cryptography.

VII. BENCHMARKING
Although there are no defined threshold levels for lightweight-ness, the following are generally considered by the standardisation bodies [24];
• 80b is the minimum security strength, whereas 112b is advocated for long-term security requirements
• a minimum security margin of 25%-30% (rounds beyond those reached by the best known attack)
• hardware implementation up to standardised levels, i.e., chip area, etc.
• software execution verified through standardised benchmarking tools, i.e., FELICS
• clear licensing and liability where necessary
• maturity of the cryptographic mechanism, i.e., entropy
Fair Evaluation of Lightweight Cryptographic Systems (FELICS) [25] is the foremost software benchmarking tool and is upgraded regularly. It compares code size, RAM consumption and throughput across algorithms under a variety of usage scenarios, then summarises them into a single figure of merit (FoM), where lower is better. Table 1 of [11] is an example for counter-mode encryption of 128b. In addition, the eXternal Benchmarking eXtension (XBX), the BLOC project and CRYPTREC contribute to the field [1].
In hardware benchmarking, the metrics depend on the exact technological platform. The ATHENa (Automated Tool for Hardware EvaluatioN) project and CRYPTREC are the main contributors in this arena.

VIII. SECURITY ANALYSIS

A. Cryptological Approaches
A survey [10] reports that a 12% reduction in area and a 20% increase in speed are possible via AES optimisation. Another study [6] proposes an AES-128 modification for LoRaWAN that reduces the rounds from 10 to 5, cutting encryption power consumption by 26.2%, and argues theoretically for its resistance to known-key, replay and eavesdropping attacks. Halving the round count, however, removes AES's security margin: practical key-recovery attacks on 5-round AES-128 exist in the cryptanalytic literature, so the claimed resistance should be read as covering only the attack classes named. The works [5] and [26] propose trusted-neighbourhood mechanisms that strengthen security schemes based on connection history.
Successful trials can be seen in cryptographic key management methodologies that give each node on the network a different key [27], [28]. Then, once a key leaks, only that particular node is at risk and the entire network is not compromised. Updatable keys also offer a better quality of service (QoS), which was impossible for some time in the past. In fact, a reduced number of GE enhances energy efficiency. The studies [29] and [27] demonstrate that battery life can be maintained for 5 to 10 years via their lightweight scheduling mechanisms. The study [29] incurred overheads when security was upgraded, but further optimisation reduced those overheads by 43% on the end devices and 48% at the network server edge.
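The per-node key idea above, as an added illustration that is not the scheme of [27] or [28]: each node's key is derived from a network master key with an HMAC-based KDF keyed on the node identity and a key epoch (similar in spirit to how LoRaWAN derives session keys from a root key), so that a leaked node key neither reveals sibling keys nor the master, and one node can be rotated without touching the others. The master key, node identities and payloads are constructed sample values; the frame counter and the `NetworkServer` class are assumptions of this example.

```python
# Added example, not the scheme of [27]/[28]: per-node keys from a master key
# via HMAC-SHA256, with an epoch counter for rotation and a frame counter
# against replay. Master key, node IDs and payloads are constructed samples.
import hmac
import hashlib

# Constructed sample master key (would live only on the network server).
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def derive_node_key(master, node_id, epoch):
    """128-bit per-node key = HMAC-SHA256(master, label || node_id || epoch)[:16].
    A different node_id or epoch yields an unrelated key; a leaked node key
    does not reveal the master or any sibling key, since HMAC is one-way."""
    info = b"node-key|" + node_id + b"|" + epoch.to_bytes(4, "big")
    return hmac.new(master, info, hashlib.sha256).digest()[:16]


def tag(node_key, counter, payload):
    """64-bit HMAC tag over (counter || payload); the counter blocks replay."""
    msg = counter.to_bytes(4, "big") + payload
    return hmac.new(node_key, msg, hashlib.sha256).digest()[:8]


class NetworkServer:
    """Holds the master key plus per-node epoch/counter state and re-derives
    each node's key on demand instead of storing a key table."""

    def __init__(self, master):
        self.master = master
        self.epoch = {}      # node_id -> current key epoch
        self.last_ctr = {}   # node_id -> highest accepted frame counter

    def rotate(self, node_id):
        """Move one node to a fresh key, e.g. after its key is suspected leaked."""
        self.epoch[node_id] = self.epoch.get(node_id, 0) + 1
        self.last_ctr[node_id] = -1

    def verify(self, node_id, epoch, counter, payload, received_tag):
        """Accept only frames under the node's current epoch, with a strictly
        increasing counter and a valid tag (constant-time comparison)."""
        if epoch != self.epoch.get(node_id, 0):
            return False
        if counter <= self.last_ctr.get(node_id, -1):
            return False
        key = derive_node_key(self.master, node_id, epoch)
        if not hmac.compare_digest(tag(key, counter, payload), received_tag):
            return False
        self.last_ctr[node_id] = counter
        return True


def demo():
    """Walk through leak containment and rotation; returns the outcomes."""
    server = NetworkServer(MASTER_KEY)
    key_a = derive_node_key(MASTER_KEY, b"node-A", 0)   # provisioned into node A
    key_b = derive_node_key(MASTER_KEY, b"node-B", 0)   # provisioned into node B

    ok_a = server.verify(b"node-A", 0, 1, b"temp=21", tag(key_a, 1, b"temp=21"))
    # An attacker who extracted key_a tries to impersonate node B: wrong key.
    forged_b = server.verify(b"node-B", 0, 1, b"temp=99", tag(key_a, 1, b"temp=99"))
    # Replaying node A's frame 1 is rejected by the counter check.
    replay_a = server.verify(b"node-A", 0, 1, b"temp=21", tag(key_a, 1, b"temp=21"))

    server.rotate(b"node-A")                               # response to the leak
    old_key_a = server.verify(b"node-A", 0, 2, b"temp=22", tag(key_a, 2, b"temp=22"))
    new_key_a = derive_node_key(MASTER_KEY, b"node-A", 1)  # re-provisioned key
    fresh_a = server.verify(b"node-A", 1, 0, b"temp=22", tag(new_key_a, 0, b"temp=22"))
    # Node B is unaffected by A's rotation.
    still_b = server.verify(b"node-B", 0, 1, b"hum=40", tag(key_b, 1, b"hum=40"))

    return {"a_ok": ok_a, "forged_b": forged_b, "replay_a": replay_a,
            "old_key_after_rotate": old_key_a, "fresh_a": fresh_a,
            "b_after_a_rotate": still_b, "keys_differ": key_a != key_b}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The trade-off a practitioner should keep in mind: derivation keeps the server's storage constant and makes rotation a counter increment, but it concentrates risk in the master key, whose compromise is total. Per-node keys contain a node compromise; they do not contain a server compromise.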

B. Cryptanalysis Approaches
A study [30] presents the first third-party cryptanalysis of the BORON block cipher against differential and linear criteria. The studies [31], [32] and [33] analyse the robustness of Ascon v1.2, COMET and ESTATE respectively.
The works [34] and [13] observe that KLEIN is an ultra-lightweight, side-channel-resistant cipher owing to its substitution-permutation network (SPN) structure. The analysis [34] validates its results up to first-order attacks, while noting that it may still be vulnerable to higher-order attacks, although their data complexity grows exponentially with the order. An AI-based approach over AES and PRESENT [35] concludes that there is no significant difference in side-channel vulnerability between AES and PRESENT when comparing their 8b and 4b S-box constructions. Another study [36] derives optimal leakage models for ciphertext-only fault attacks (CFA) on SIMON, PRINCE and AES. A correlation power analysis (CPA) of PRESENT [37] was able to recover the first 8B of the encryption key. The majority of the work involves either CPA or differential power analysis (DPA); only a few studies on electromagnetic (EM) analysis are available. One of the successful experiments is a differential EM analysis (DEMA) of PRESENT [38], which verifies tamper resistance using several selection functions. Work on other important channels, such as optical, clock and cache leakage, is not yet available.
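To make the CPA result on PRESENT concrete, here is an added, self-contained simulation (not the experiment of [37]) that recovers round key 1 of PRESENT-80, i.e. the first 64 bits (8 B) of the 80-bit key, from constructed power traces. The leakage model is an assumption: a nibble-serial hardware implementation that evaluates one S-box per clock cycle, so sample i of a trace leaks the Hamming weight of S(p_i XOR k_i) plus Gaussian noise. The target key, trace count and noise level are constructed sample values.

```python
# Added example, not [37]'s experiment: correlation power analysis (CPA) on
# the first round of PRESENT-80 with simulated traces. Leakage model
# (assumed): sample i = HW(S(p_i ^ k_i)) + Gaussian noise, one S-box per
# clock. Target key and trace parameters are constructed samples.
import random

# PRESENT 4-bit S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(x):
    return bin(x).count("1")


def nibble(x, i):
    return (x >> (4 * i)) & 0xF


def simulate_traces(round_key, n_traces, noise_sd, seed):
    """Constructed 'power traces': one noisy sample per S-box evaluation."""
    rng = random.Random(seed)
    plaintexts = [rng.getrandbits(64) for _ in range(n_traces)]
    traces = []
    for pt in plaintexts:
        v = pt ^ round_key                       # addRoundKey output (round 1)
        traces.append([hw(SBOX[nibble(v, i)]) + rng.gauss(0.0, noise_sd)
                       for i in range(16)])
    return plaintexts, traces


def pearson(xs, ys):
    """Pearson correlation coefficient, the CPA distinguisher."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def cpa_recover_round_key(plaintexts, traces):
    """For each nibble position, rank the 16 key guesses by the correlation
    between predicted HW(S(p_i ^ guess)) and the measured sample i. The
    highest positive correlation wins: under the HW model the true key
    correlates positively, while wrong guesses only reach a fraction of it
    because the S-box decorrelates them."""
    key = 0
    for i in range(16):
        samples = [t[i] for t in traces]
        best_guess, best_corr = None, -2.0
        for guess in range(16):
            predicted = [hw(SBOX[nibble(pt, i) ^ guess]) for pt in plaintexts]
            c = pearson(predicted, samples)
            if c > best_corr:
                best_guess, best_corr = guess, c
        key |= best_guess << (4 * i)
    return key


def run_attack(round_key=0x0123456789ABCDEF, n_traces=1000, noise_sd=2.0, seed=1):
    """Simulate traces for a constructed round key and recover it with CPA."""
    pts, trs = simulate_traces(round_key, n_traces, noise_sd, seed)
    return cpa_recover_round_key(pts, trs)


if __name__ == "__main__":
    target = 0x0123456789ABCDEF                  # constructed sample round key 1
    recovered = run_attack(target)
    print(f"recovered round key 1: {recovered:016X} (match: {recovered == target})")
```

Because PRESENT-80's first round key is simply the leftmost 64 bits of the key register, recovering it here is exactly the "first 8B" result quoted for [37]; the remaining 16 bits can then be brute-forced. The attack works even at a noise standard deviation twice the signal's because correlation averages over a thousand traces; this is also why the first-order masking discussed for KLEIN matters, since masking makes the Hamming weight of any single intermediate value independent of the key.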

IX. CONCLUSIONS
Adequate IoT security still struggles to provide cryptographic primitives lightweight enough to cope with present and future IoT hazards and threats. The concept of lightweight cryptography was introduced to overcome this challenge.
Lightweight cryptographic functions are still emerging to deliver precise privacy and data protection via accurate encryption and decryption models. Numerous lightweight ciphers have been proposed in all forms (symmetric, asymmetric and hash), though many are still under verification and not commercially available, i.e., PRESENT, KLEIN, Grain v2, ECC, etc. This work particularly identifies a lack of consideration of physical leakage analysis at the current stage.
Government agencies, regional organisations and international associations are involved in the standardisation process, where ISO/IEC and NIST are the leading contributors. FELICS is the predominant benchmarking tool for software implementations, whereas hardware benchmarking is case dependent. Also, improvements in lightweight scripting languages may help to reach the ultimate level of lightweight-ness.

Fig. 1. Published lightweight algorithms from 1994-2019

TABLE I
LIGHTWEIGHT CIPHERS BASED ON TRENDING METHOD
LUT: Look Up Table, ARX: Addition-Rotation-XOR, MDS: Maximum Distance Separable