Towards Designing Efficient Lightweight Ciphers for Internet of Things

Muhammad Tausif¹, Javed Ferzund², Sohail Jabbar³* and Raheela Shahzadi⁴

¹Department of Computer Science, COMSATS Institute of Information Technology
Vehari, Pakistan
[e-mail: raotausif@ciitvehari.edu.pk]

² Department of Computer Science, COMSATS Institute of Information Technology
Sahiwal, Pakistan
[e-mail: jferzund@ciitsahiwal.edu.pk]

³Department of Computer Science, National Textile University,
Faisalabad, Pakistan
[e-mail : sjabbar.research@gmail.com]

⁴Department of Computer Science, COMSATS Institute of Information Technology
Sahiwal, Pakistan
[e-mail: raheela@ciitsahiwal.edu.pk]
*Corresponding author: Sohail Jabbar

Received December 28, 2016; revised March 20, 2017; accepted April 23, 2017;
published August 31, 2017

Abstract

The Internet of Things (IoT) will transform our daily life by making different aspects of it smart, such as the smart home, smart workplace, smart health and smart city. IoT is based on a network of physical objects equipped with sensors and actuators that can gather and share data with other objects or humans. Secure communication is required for IoT to work successfully. In this paper, a total of 13 lightweight cryptographic algorithms are evaluated based on their implementation results on 8-bit, 16-bit, and 32-bit microcontrollers, and their appropriateness is examined for resource-constrained scenarios like IoT. These algorithms are analysed by dissecting them into their logical and structural elements. This paper investigates the relationships between the structural elements of an algorithm and its performance. Association rule mining is used to find association patterns among the constituent elements of the selected ciphers and their performance. Interesting results are found on the type of element used to improve the cipher in terms of code size, RAM requirement and execution time. This paper will serve as a guideline for cryptographic designers to design improved ciphers for resource-constrained environments like IoT.

Keywords: Internet of Things, Smart Objects, Information Security, Lightweight Cryptography, Ciphers, Association Rule Mining

https://doi.org/10.3837/tiis.2017.08.014

1. Introduction

The Internet of Things (IoT) is a concept of universally identifiable physical things (or objects), their integration with the Internet, and their representation in the digital or simulated world. Constructing the Internet of Things involves a comprehensive range of technologies, for example Radio Frequency Identification (RFID) for device and location recognition and Wireless Sensor Networks (WSN) for freely connecting with intelligent systems and with each other. With the assistance of these technologies, we can construct an environment where things talk to each other. Because of the sensitivity of the applications, security is the key constraint in physical deployments of the Internet of Things [1,2]. The Internet of Things needs security services such as Confidentiality, Data Integrity, Source Integrity or Authentication, and Availability [3]. Smart things may be small computing devices with constrained resources such as low computation capability, small RAM and limited battery power. Communication with smart things in resource-constrained situations must take these harsh limitations into account.

LightWeight Cryptography (LWC) is a very active research domain that aims at the design of novel ciphers whose strength is to fulfill the requirements set by the use of constrained objects. The word “lightweight” refers to a family of cryptographic ciphers with smaller code size, low computational power and low energy consumption. Because of these hard resource limitations there is a growing need for security solutions based on lightweight cryptography that are designed according to IoT requirements. Lightweight cryptography emphasizes efficient implementations of cryptographic algorithms, and it is a comparatively young scientific sub-field positioned at the intersection of computer science, electrical engineering, and cryptography. Everyone working in the research area of lightweight cryptography has to manage the compromise between performance, security and cost. Commonly, two of the three design aims can be easily improved, but it is very difficult to improve all three at the same time, as shown in Fig. 1, taken from [4].

![Fig. 1. Trade-off among Security, Cost and Performance [4]](image)

For resource-constrained objects, the selection of the cryptographic algorithm is a key decision that can affect performance [5]. When efficient energy consumption and low cost are hard requirements, computational power must be reduced accordingly [6, 7]. On 8-bit microcontrollers (such as AVR microcontrollers, which have restricted storage and computing power), implemented algorithms must be kept simple, with a low footprint. This can result in lower energy consumption and faster execution, which might be important for battery-powered objects [8, 9]. Even though most symmetric ciphers have been developed by concentrating on good software implementations, the deployment of smart objects will lead to growing attention to cryptographic algorithms that have efficient hardware implementations in terms of energy consumption and speed [10]. In this study we have tabulated thorough benchmarking results for 13 lightweight cryptographic algorithms, namely PRINCE, RC5, AES, Fantomas, Speck, Piccolo, PRESENT, HIGHT, L Block, LED, Robin, Simon, and TWINE. Our motivations for choosing these algorithms are, first, that each of these ciphers has a distinct property that makes it interesting for IoT applications and, secondly, that they cover an extensive range of approaches and design strategies. Our evaluation considers one use case, a simple challenge handshake authentication, which covers the need for authentication in applications such as access control or object identification in IoT.

In this article, lightweight cryptographic algorithms are evaluated through an analysis of their software implementation results on 8-bit, 16-bit, and 32-bit microcontrollers. This study focuses on three parameters: binary code size, execution time and runtime RAM usage. These parameters are investigated with respect to the structural elements of different lightweight ciphers. The results of this study give new insight into the question of which cipher is better suited to the IoT scenario. Association Rule Mining has been used to find the associations among the constituent elements of different ciphers and the performance parameters. Based on the results, interesting information has been inferred about cipher behavior on different platforms under the same scenario. Finally, guidelines are formulated for designing efficient lightweight ciphers.

The rest of the paper is organized as follows. Related work is presented in Section 2. Performance evaluation and comparison of cryptographic algorithms is presented in Section 3. Results are discussed in Section 4 and finally the paper is concluded in Section 5.

2. Related Work

Law et al. present a survey of cryptographic algorithms for wireless sensor networks (WSN) [11]. They consider properties such as the energy efficiency and storage requirements of different cryptographic algorithms, including Twofish, MISTY1, Skipjack [12], RC5, RC6, AES, KASUMI and Camellia. The outcome of this examination gives a standard for picking a cryptographic algorithm appropriate for wireless sensor networks. Memory-efficient cryptographic algorithms are necessary where security is significant, and an energy-efficient cryptographic algorithm has to be used where availability of the network is vital, since sensor nodes that consume more battery drop out of the network.

Karlof et al. [13], whose work is considered the de facto standard of security design for WSN, concluded that RC5 and Skipjack are the suggested cryptographic algorithms in a particular WSN scenario. Each candidate has its own characteristics in terms of security, memory and energy efficiency. Consequently, if several candidate cryptographic algorithms are practically implemented, the user can easily select one according to the conditions of the wireless sensor network.

Woo et al. consider another candidate, HIGHT, on Mica2 [9]; HIGHT is designed to be suitable for ubiquitous 8-bit devices in wireless sensor networks. They examine the performance of the Skipjack, RC5 and HIGHT cryptographic algorithms on TinySec. Finally, the authors show a performance evaluation on the basis of memory efficiency and power usage. They conclude that, compared with traditional ciphers on TinySec, HIGHT is a suitable candidate for ubiquitous devices.

Swernendu et al. [14] have provided a survey of a number of current lightweight cryptographic algorithms. The authors describe how, with the fast developments in wireless networks, low-end devices such as Radio Frequency Identification tags and WSN nodes are deployed in growing numbers every day. Such devices are used in many situations and applications, leading to a constantly increasing requirement to deliver security. When picking cryptographic algorithms for resource-constrained devices, the implementation cost should be considered. To fulfill these requirements, efficient and secure authentication and encryption schemes have to be established. In resource-constrained environments, symmetric-key ciphers, particularly lightweight block ciphers, still play a significant part in delivering confidentiality.

Parbhat et al. [15] made a comparative examination of different symmetric-key lightweight cryptographic algorithms such as PRINT, EPCBC, DESL, PRESENT, KATAN, LED, Puffin, KLEIN, RECTANGLE, LBLOCK and TWINE. It focuses on the trade-offs between throughput, area and cycles per block of the different algorithms. Even though their cost is low, symmetric-key lightweight algorithms still need to improve in several directions, such as Gate Equivalents (throughput and area) and number of cycles per block.

Katagi et al. [16] described lightweight cryptography as the backbone of the security of smart object networks because of its smaller footprint and efficiency. The authors believe that lightweight cryptography should be considered for implementation in these networks. In particular, lightweight block ciphers are in use nowadays. They presented a summary of the state-of-the-art technology and the standardization status of lightweight cryptography, which can be implemented efficiently in resource-constrained devices. This technology allows secure and efficient communication among smart objects.

3. Light Weight Cryptographic Algorithms

Our objective is to understand the link between the structure of a cryptographic algorithm and its performance on particular platforms and devices in the Internet of Things scenario. We have carefully chosen lightweight cryptographic algorithms representing a wide variety of design choices from the two big families of Substitution Permutation Networks (SPN) and Feistel Networks (FN).

In the following subsections, we briefly describe the selected lightweight ciphers. A summary of the selected ciphers is presented in Table 1.

3.1 AES-128

AES is the present-day lightweight block cipher [17]. AES was designed by V. Rijmen in 1997 and selected as a standard in 2000. It is a widely used cryptographic algorithm. AES is based on an SPN structure. Its block size is 128 bits, with three different key sizes: 128, 192, or 256 bits. We focus here on AES with a 128-bit block under a 128-bit key. This version of the Advanced Encryption Standard consists of 10 rounds that iterate four basic steps on blocks seen as $4 \times 4$ byte matrices:

1. Sub Bytes
2. Shift Rows
3. Mix Columns
4. Add Round Key

3.2 Fantomas
Fantomas is a 128-bit lightweight cryptographic algorithm. It is similar to Robin and is based on the LS-design. In an LS-design the linear layer consists of the parallel application of so-called L-boxes. The S-box configuration simplifies masking. The master key is added at every round [18]; there is no key schedule.

3.3 HIGHT
HIGHT is a good candidate for lightweight cryptography in view of its low-resource hardware performance [19]. HIGHT uses very simple arithmetic and logic operations such as addition, exclusive OR and bitwise rotation. HIGHT has a 64-bit block length and a 128-bit key length. HIGHT was designed to be suitable for low-resource environments such as Radio Frequency Identification tags or small ubiquitous devices. HIGHT comprises 4 key steps:
1. Key schedule
2. Initial transformation
3. 32 iterative round operations
4. Final transformation

3.4 L Block
L block is based on Feistel Network structure. It consists of 32 rounds. The Feistel function consists of XOR with the round sub key, substitution layer of 8 different S-boxes and a permutation of 8 nibbles. Furthermore, the content of one of the branches is rotated by 8 bits in each round. The design trade-offs between security and performance led not only to hardware efficiency but also software efficiency [20]. The best cryptanalysis of this primitive is an impossible differential attack on 23 out of 32 rounds [21].

3.5 LED (Light Encryption Device)
LED (Light Encryption Device) [22] provides sound performance in software. LED has a 64-bit block size with four different key sizes: 64, 80, 96, and 128 bits. The algorithm uses the PRESENT cipher S-box. It consists of the following steps:
1. Add Round Key (Key XOR with cipher.)
2. Add Constants-Round (constants are combined with cipher using bitwise XOR).
3. Sub Cells- (Each nibble is replaced by the generated nibble using PRESENT s-box.)
4. Shift Rows Serial

3.6 Piccolo
Piccolo is a generalized Feistel construction with four 16-bit branches. Piccolo uses a byte permutation between rounds to increase diffusion. The Feistel function contains two S-box layers separated by a diffusion matrix [23]. The best attack on Piccolo is a meet-in-the-middle attack described by its designers in the article that introduces the cipher.

3.7 PRESENT Cipher
PRESENT focuses on hardware performance [24] and is considered an efficient lightweight cryptographic algorithm in hardware. It operates on a 64-bit block with a key size of 80 bits. It has 32 rounds of iteration. PRESENT is an example of an SPN structure. One round contains the following steps:
1. Add Round Key: Key XOR with cipher.

S-box used in PRESENT cipher is:
\[ S(x) = \{C, 5, 6, B, 9, 0, A, D, 3, E, F, 8, 4, 7, 1, 2\} \]

<table>
<thead>
<tr>
<th>CIPHER</th>
<th>Key Size</th>
<th>Block Size</th>
<th>Rounds</th>
<th>Structure</th>
<th>S-Box</th>
<th>Round Function</th>
<th>Key Scheduling</th>
</tr>
</thead>
<tbody>
<tr>
<td>Speck</td>
<td>64</td>
<td>96</td>
<td>26</td>
<td>FEISTEL</td>
<td>Not based</td>
<td>XOR, Left, Right, Shift</td>
<td>Based on Round Function</td>
</tr>
<tr>
<td>Simon</td>
<td>64</td>
<td>96</td>
<td>42</td>
<td>FEISTEL</td>
<td>Not based</td>
<td>XOR, AND, Circular Shift</td>
<td>Based on Round Function</td>
</tr>
<tr>
<td>AES</td>
<td>128</td>
<td>128</td>
<td>10</td>
<td>SPN</td>
<td>4*4 s-box</td>
<td>Shift Rows, Mix Column, add Keys</td>
<td>Based on S-Box</td>
</tr>
<tr>
<td>RC5</td>
<td>64</td>
<td>128</td>
<td>20</td>
<td>FEISTEL</td>
<td>8 bit s-box</td>
<td>XOR, Left Rotation, Right Rotation</td>
<td>Use Magic Constant</td>
</tr>
<tr>
<td>Fantomas</td>
<td>128</td>
<td>128</td>
<td>12</td>
<td>SPN</td>
<td>Bit slice S-Box</td>
<td>N/A</td>
<td>Depend on Master Key</td>
</tr>
<tr>
<td>Robin</td>
<td>128</td>
<td>128</td>
<td>16</td>
<td>FEISTEL</td>
<td>Bit slice S-Box</td>
<td>N/A</td>
<td>Depend on Master Key</td>
</tr>
<tr>
<td>L block</td>
<td>64</td>
<td>80</td>
<td>32</td>
<td>FEISTEL</td>
<td>4*4 s-box</td>
<td>XOR, Addition, Subtraction</td>
<td>Based on Round Function</td>
</tr>
<tr>
<td>HIGHT</td>
<td>64</td>
<td>128</td>
<td>32</td>
<td>FEISTEL</td>
<td>not based</td>
<td>XOR, Add, Sub</td>
<td>Key Whitening, Sub Keys</td>
</tr>
<tr>
<td>PRESENT</td>
<td>64</td>
<td>80</td>
<td>31</td>
<td>SPN</td>
<td>4*4 s-box</td>
<td>XOR, Add</td>
<td>Key Register</td>
</tr>
<tr>
<td>Piccolo</td>
<td>64</td>
<td>80</td>
<td>25</td>
<td>FEISTEL</td>
<td>2 S-box</td>
<td>NOR,XOR,XNOR</td>
<td>Key Whitening</td>
</tr>
<tr>
<td>Twine</td>
<td>64</td>
<td>80</td>
<td>36</td>
<td>FEISTEL</td>
<td>4*4 s-box</td>
<td>XOR, modulo 2 add</td>
<td>GFS</td>
</tr>
<tr>
<td>PRINCE</td>
<td>64</td>
<td>128</td>
<td>12</td>
<td>SPN</td>
<td>4 bit S-box</td>
<td>AND,XOR,XNOR</td>
<td>Key Whitening</td>
</tr>
<tr>
<td>LED</td>
<td>64</td>
<td>80</td>
<td>48</td>
<td>SPN</td>
<td>4*4 s-box</td>
<td>Shift Rows, Mix Column, Sub Cells</td>
<td>Based on S-Box</td>
</tr>
</tbody>
</table>

3.8 PRINCE

PRINCE uses an FX construction. It has an SPN structure in which the first two sub keys are used for key whitening, whereas the third sub key is the 64-bit key used for the 12 rounds of the cipher called PRINCE core. PRINCE has a distinctive property called \( \alpha \)-reflection [25]. The best attack on this cipher is a multiple differential attack on 10 out of 12 rounds [26]. PRINCE is a good candidate for lightweight cryptography in view of its low-resource hardware performance.

3.9 RC5

RC5 has a Feistel network structure and uses data-dependent rotations [27]. Although RC5 was designed before lightweight cipher design became common, it is clearly lightweight, as confirmed by its extensive use in WSN. The block size, number of rounds and key size can be selected without restrictions, so we study RC5 32/20/16, i.e. a variant of RC5 operating on two 32-bit words, using 20 rounds and a 16-byte key.

3.10 Robin
Robin is a 128-bit block cipher comparable to Fantomas. Its look-up-table-based diffusion layers and the construction of its S-boxes make Robin a good candidate for software implementations [18].

3.11 Simon
Simon uses a Feistel structure. It consists of simple arithmetic and logic operations, with a simple round function built from left circular shifts, bitwise XOR and bitwise AND. It performs well in hardware implementations, and achieves decent results in software as well [28].

3.12 Speck
Speck is designed to deliver excellent results in both software and hardware, but is tuned for software execution on embedded devices. Its design structure is a Feistel Network. It consists of simple arithmetic and logic operations, with a simple round function built from left circular shift, bitwise XOR and bitwise AND [28].

3.13 TWINE
TWINE is a generalized Feistel Network structure with 16 branches. The main step consists of key addition and a 4-bit S-box. The linear layer is a nibble permutation with considerably improved diffusion. It performs well in hardware in terms of small-footprint implementations, and achieves decent results in software as well in terms of RAM consumption [29].

4. Experimental Results and Discussion

In this section, we first present the performance analysis of implementing the lightweight cryptographic algorithms on three platforms: AVR microcontroller, MSP microcontroller and ARM microcontroller. The specifications of these microcontrollers are given in Table 2. The analysis is based on three factors: code size, RAM footprint, and execution time. Secondly, we present the results of Association Rule Mining applied to the constituent elements of the lightweight cryptographic algorithms.

Table 2. Specification of Targeted Devices

<table>
<thead>
<tr>
<th>Device</th>
<th>Flash Memory (KB)</th>
<th>SRAM (KB)</th>
</tr>
</thead>
<tbody>
<tr>
<td>8-bit AVR</td>
<td>128</td>
<td>4</td>
</tr>
<tr>
<td>16-bit MSP</td>
<td>48</td>
<td>10</td>
</tr>
<tr>
<td>32-bit ARM</td>
<td>512</td>
<td>96</td>
</tr>
</tbody>
</table>

4.1 Scenario and Performance Metrics
Challenge handshake authentication covers the authentication requirement in the Internet of Things. The scenario considers an authentication protocol in which the lightweight cipher is used in CTR mode of operation to encrypt 128 bits of data. Cipher round keys are kept in Flash memory while the master key is kept in the device. The data to be encrypted is kept in RAM along with the counter value. To decrease RAM usage, the data is encrypted in place. This scenario is appropriate for heavily constrained settings where RAM usage and binary code size have to be very low, while the execution time should be fast enough to avoid draining the device’s battery. A detailed performance comparison of the selected ciphers on three different platforms is presented in Table 3.
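
The scenario above, written out for PRESENT-80 as an added example (not code from the paper or its benchmark): round keys are expanded once, then 128 bits are encrypted in place in CTR mode. The page gives only the S-box and the add-round-key step of Section 3.7; the bit permutation and key schedule follow the published PRESENT specification, and the function names, the counter layout (one 64-bit counter block incremented per block) and the sample key and message are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* PRESENT S-box, as listed in Section 3.7. */
static const uint8_t SBOX[16] = {0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                                 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2};

/* Expand an 80-bit key into 32 round keys. key_hi holds key bits 79..16,
 * key_lo bits 15..0. In the Section 4.1 scenario this table is computed
 * once and kept in Flash. */
void present80_key_schedule(uint64_t key_hi, uint16_t key_lo, uint64_t rk[32])
{
    for (unsigned round = 1; round <= 31; round++) {
        rk[round - 1] = key_hi;            /* round key = leftmost 64 bits */
        uint64_t old_hi = key_hi;
        /* rotate the 80-bit key register left by 61 positions */
        key_hi = (old_hi << 61) | ((uint64_t)key_lo << 45) | (old_hi >> 19);
        key_lo = (uint16_t)(old_hi >> 3);
        /* S-box on the top nibble (bits 79..76) */
        key_hi = ((uint64_t)SBOX[key_hi >> 60] << 60)
               | (key_hi & 0x0FFFFFFFFFFFFFFFULL);
        /* XOR the 5-bit round counter into key bits 19..15 */
        key_hi ^= round >> 1;
        key_lo = (uint16_t)(key_lo ^ ((round & 1u) << 15));
    }
    rk[31] = key_hi;
}

/* Substitute each of the 16 nibbles of the state. */
static uint64_t sbox_layer(uint64_t s)
{
    uint64_t out = 0;
    for (unsigned n = 0; n < 16; n++)
        out |= (uint64_t)SBOX[(s >> (4 * n)) & 0xF] << (4 * n);
    return out;
}

/* Bit permutation: bit i moves to 16*i mod 63; bit 63 stays in place. */
static uint64_t p_layer(uint64_t s)
{
    uint64_t out = s & (1ULL << 63);
    for (unsigned i = 0; i < 63; i++)
        out |= ((s >> i) & 1ULL) << ((16 * i) % 63);
    return out;
}

/* 31 rounds of addRoundKey / sBoxLayer / pLayer, then a final key addition. */
uint64_t present80_encrypt_block(const uint64_t rk[32], uint64_t block)
{
    for (unsigned r = 0; r < 31; r++) {
        block ^= rk[r];
        block = sbox_layer(block);
        block = p_layer(block);
    }
    return block ^ rk[31];
}

/* Convenience wrapper: key schedule plus one block encryption. */
uint64_t present80_encrypt(uint64_t key_hi, uint16_t key_lo, uint64_t block)
{
    uint64_t rk[32];
    present80_key_schedule(key_hi, key_lo, rk);
    return present80_encrypt_block(rk, block);
}

/* CTR mode, in place: data[j] ^= E_K(counter + j). The same call decrypts.
 * A counter value must never repeat under one key, otherwise two messages
 * share a keystream block. */
void present80_ctr_inplace(const uint64_t rk[32], uint64_t counter,
                           uint64_t *data, unsigned nblocks)
{
    for (unsigned j = 0; j < nblocks; j++)
        data[j] ^= present80_encrypt_block(rk, counter + j);
}

/* Encrypt a constructed 128-bit message in place, then decrypt it again.
 * Returns 1 if the buffer changed and the round trip restored it. */
int ctr_roundtrip_ok(void)
{
    uint64_t rk[32];
    uint64_t msg[2] = {0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL};
    const uint64_t m0 = msg[0], m1 = msg[1];
    present80_key_schedule(0x0011223344556677ULL, 0x8899, rk); /* sample key */
    present80_ctr_inplace(rk, 42, msg, 2);
    int changed = (msg[0] != m0) && (msg[1] != m1);
    present80_ctr_inplace(rk, 42, msg, 2);
    return changed && msg[0] == m0 && msg[1] == m1;
}

int main(void)
{
    printf("E(key=0, block=0) = %016llX\n",
           (unsigned long long)present80_encrypt(0, 0, 0));
    printf("CTR round trip: %s\n", ctr_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```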

4.1.1 Code Size

The code size is measured in bytes and corresponds to the program footprint which is stored in the flash memory of the target device. The code size for each cipher implementation is computed using the size tool on object files generated by the compiler.

<table>
<thead>
<tr>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>Speck</td>
<td>1628</td>
<td>618</td>
<td>666</td>
<td>196</td>
<td>58</td>
<td>54</td>
<td>3763</td>
<td>6054</td>
<td>3251</td>
</tr>
<tr>
<td>Simon</td>
<td>2156</td>
<td>732</td>
<td>772</td>
<td>216</td>
<td>72</td>
<td>62</td>
<td>4564</td>
<td>10930</td>
<td>5341</td>
</tr>
<tr>
<td>AES</td>
<td>1056</td>
<td>1438</td>
<td>1410</td>
<td>152</td>
<td>80</td>
<td>79</td>
<td>11623</td>
<td>4190</td>
<td>3175</td>
</tr>
<tr>
<td>RC5</td>
<td>1240</td>
<td>700</td>
<td>1712</td>
<td>172</td>
<td>54</td>
<td>58</td>
<td>10236</td>
<td>20543</td>
<td>8449</td>
</tr>
<tr>
<td>Fantomas</td>
<td>2260</td>
<td>1920</td>
<td>2496</td>
<td>216</td>
<td>78</td>
<td>108</td>
<td>41758</td>
<td>3646</td>
<td>5919</td>
</tr>
<tr>
<td>Robin</td>
<td>920</td>
<td>1942</td>
<td>2530</td>
<td>168</td>
<td>80</td>
<td>108</td>
<td>175092</td>
<td>4935</td>
<td>7813</td>
</tr>
<tr>
<td>L block</td>
<td>4124</td>
<td>976</td>
<td>1440</td>
<td>248</td>
<td>58</td>
<td>64</td>
<td>14365</td>
<td>18988</td>
<td>11183</td>
</tr>
<tr>
<td>HIGHT</td>
<td>988</td>
<td>982</td>
<td>1202</td>
<td>184</td>
<td>60</td>
<td>59</td>
<td>18418</td>
<td>23016</td>
<td>11335</td>
</tr>
<tr>
<td>PRESENT</td>
<td>676</td>
<td>1244</td>
<td>1416</td>
<td>128</td>
<td>58</td>
<td>54</td>
<td>1751</td>
<td>12226</td>
<td>15245</td>
</tr>
<tr>
<td>Piccolo</td>
<td>2160</td>
<td>966</td>
<td>1298</td>
<td>216</td>
<td>70</td>
<td>70</td>
<td>6195</td>
<td>21448</td>
<td>25745</td>
</tr>
<tr>
<td>Twine</td>
<td>636</td>
<td>1922</td>
<td>1528</td>
<td>128</td>
<td>136</td>
<td>64</td>
<td>1930</td>
<td>23938</td>
<td>21701</td>
</tr>
<tr>
<td>PRINCE</td>
<td>560</td>
<td>3418</td>
<td>4420</td>
<td>120</td>
<td>70</td>
<td>68</td>
<td>925</td>
<td>25340</td>
<td>17271</td>
</tr>
<tr>
<td>LED</td>
<td>1228</td>
<td>4422</td>
<td>2602</td>
<td>164</td>
<td>104</td>
<td>91</td>
<td>20531</td>
<td>148334</td>
<td>143317</td>
</tr>
</tbody>
</table>
4.1.2 RAM

The RAM consumption is divided into stack consumption and data consumption. The size of the data stored in RAM is computed using the implementation information file and the size tool. It includes scenario-specific RAM data such as data to encrypt, keys, round keys or initialization vectors. The stack consumption is measured using gdb.

4.1.3 Execution Time

The execution time is expressed in number of processor cycles spent executing a set of instructions. The number of processor cycles is given by the number of cycles of the processor’s clock. The metric is extracted for the four basic operations performed by a block cipher. To measure the execution time on AVR, cycle accurate simulator Avrora is used [30]. For MSP, the cycle accurate simulator MSP Debug is used.

4.2 Association Rule Mining

After the performance analysis, we investigated the relationships between the performance parameters and the constituent elements of the lightweight ciphers. For this purpose, we used association rule mining. It is a popular and well-researched method for discovering interesting relations between variables in large databases. It is intended to identify strong rules discovered in databases using different measures of interestingness. We used the Weka tool for extracting the association rules. To apply association rule mining, we divided the data into two groups: constituent elements of ciphers (key size, block size, S-box, round function, rounds, key scheduling) and performance parameters (code size, RAM size, execution time). We labeled the data before applying association rule mining. The labels used are presented in Table 4.

The values of key size, block size, number of rounds, round function, S-box table and key scheduling vary between lightweight cryptographic algorithms. So, it would be interesting to know which values of these parameters result in good performance of lightweight ciphers.

Table 4. Labels used for Different Parameters

<table>
<thead>
<tr>
<th>Parameter</th>
<th>Value</th>
<th>Label</th>
</tr>
</thead>
<tbody>
<tr>
<td>Key Size</td>
<td>64 bit</td>
<td>A</td>
</tr>
<tr>
<td></td>
<td>128 bit</td>
<td>B</td>
</tr>
<tr>
<td>Block Size</td>
<td>96 bit</td>
<td>A</td>
</tr>
<tr>
<td></td>
<td>128 bit</td>
<td>B</td>
</tr>
<tr>
<td></td>
<td>80 bit</td>
<td>C</td>
</tr>
<tr>
<td>S box</td>
<td>Not Based</td>
<td>A</td>
</tr>
<tr>
<td></td>
<td>4*4</td>
<td>B</td>
</tr>
<tr>
<td></td>
<td>8 bit</td>
<td>C</td>
</tr>
<tr>
<td></td>
<td>Bit Slice</td>
<td>D</td>
</tr>
<tr>
<td></td>
<td>2 S box</td>
<td>E</td>
</tr>
<tr>
<td>Round Function</td>
<td>XOR, LEFT, RIGHT SHIFT</td>
<td>A</td>
</tr>
<tr>
<td></td>
<td>SHIFT ROW, MIX COLUMNS, ADD CONS</td>
<td>B</td>
</tr>
<tr>
<td></td>
<td>XOR, ADD, SUB</td>
<td>C</td>
</tr>
<tr>
<td></td>
<td>XOR, XNOR</td>
<td>D</td>
</tr>
<tr>
<td>Number of Rounds</td>
<td>10 to 15</td>
<td>A</td>
</tr>
<tr>
<td></td>
<td>15 to 20</td>
<td>B</td>
</tr>
<tr>
<td></td>
<td>20 to 30</td>
<td>C</td>
</tr>
<tr>
<td></td>
<td>31 to 36</td>
<td>D</td>
</tr>
<tr>
<td></td>
<td>36 to 40</td>
<td>E</td>
</tr>
<tr>
<td></td>
<td>Above</td>
<td>F</td>
</tr>
<tr>
<td>Structure</td>
<td>Feistel</td>
<td>A</td>
</tr>
<tr>
<td></td>
<td>SPN</td>
<td>B</td>
</tr>
<tr>
<td>Key Scheduling</td>
<td>Based on Round Function</td>
<td>A</td>
</tr>
<tr>
<td></td>
<td>Based on S Box</td>
<td>B</td>
</tr>
<tr>
<td></td>
<td>Use Magic Constant</td>
<td>C</td>
</tr>
<tr>
<td></td>
<td>Depend on Master Key</td>
<td>D</td>
</tr>
<tr>
<td></td>
<td>Key Whitening</td>
<td>E</td>
</tr>
<tr>
<td></td>
<td>Key Register</td>
<td>F</td>
</tr>
<tr>
<td></td>
<td>GFS</td>
<td>G</td>
</tr>
<tr>
<td>Code Size</td>
<td>500 to 1000 bytes</td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>1000 to 1500 bytes</td>
<td>M</td>
</tr>
<tr>
<td></td>
<td>1500 to 2200 bytes</td>
<td>L</td>
</tr>
<tr>
<td></td>
<td>Above</td>
<td>VL</td>
</tr>
<tr>
<td>RAM Size</td>
<td>120 to 160 bytes</td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>160 to 200 bytes</td>
<td>M</td>
</tr>
<tr>
<td></td>
<td>200 to 300 bytes</td>
<td>L</td>
</tr>
<tr>
<td></td>
<td>Above 300 bytes</td>
<td>VL</td>
</tr>
<tr>
<td>Execution Time</td>
<td>900 to 2500 cycles</td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>2500 to 5000 cycles</td>
<td>M</td>
</tr>
<tr>
<td></td>
<td>5000 to 10000 cycles</td>
<td>L</td>
</tr>
<tr>
<td></td>
<td>Above 10000 cycles</td>
<td>VL</td>
</tr>
</tbody>
</table>

4.2.1 Rules for Code Size

For code size the extracted rules are presented below:

1. S-Box = A Round Function = A ==> CODE SIZE = S
2. Block Size = A Round Function = A ==> CODE SIZE = S
3. Round Function = A Key Scheduling = A ==> CODE SIZE = S
4. Block Size = A Key Scheduling = A ==> CODE SIZE = S
5. S-Box = A Round Function = A ==> CODE SIZE = S

Rules to keep the code size small on AVR

1. Key Size = B Structure = A ==> CODE SIZE = S
2. Key Size = B Round Function = A ==> CODE SIZE = S
3. Block Size = A Structure = A ==> CODE SIZE = S
4. Block Size = A S-Box = A ==> CODE SIZE = S
5. Structure = A Round Function = A ==> CODE SIZE = S

Rules to keep the code size small on MSP

1. Key Size = B Structure = A ==> CODE SIZE = S
2. Key Size = B Round Function = A ==> CODE SIZE = S
3. Block Size = A Structure = A ==> CODE SIZE = S
4. Block Size = A S-Box = A ==> CODE SIZE = S
5. Structure = A Round Function = A ==> CODE SIZE = S

Rules to keep the code size small on ARM

We have found that four elements are important for keeping the code size of a cipher small: block size, S-box, round function and key scheduling. Although the elements are used in different associations, their type is almost the same. For example, on all three platforms the block size is common, namely “96 bits”, and the round function is also common, namely the simple arithmetic functions “XOR, Left Shift, Right Shift”. The similarities are more evident in Table 5, where the extracted rules are presented in tabular form.

Table 5. Summary of Rules to keep the code size small

<table>
<thead>
<tr>
<th>Platform</th>
<th>Key Size</th>
<th>Block Size</th>
<th>Structure</th>
<th>S-Box</th>
<th>Round Function</th>
<th>Key Scheduling</th>
<th>Code Size</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>AVR CODE</strong></td>
<td></td>
<td></td>
<td>A</td>
<td>A</td>
<td>S</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td>A</td>
<td>A</td>
<td>A</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td>A</td>
<td>A</td>
<td>S</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td><strong>MSP CODE</strong></td>
<td>B</td>
<td>A</td>
<td>S</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td>S</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td>S</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>ARM CODE</strong></td>
<td>B</td>
<td>A</td>
<td>S</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td>S</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td>S</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td>S</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

The S-box and key scheduling also have the same type across platforms: the S-box is “Not based” and the key scheduling is “based on round function”. On the AVR platform, key size does not appear in the extracted rules for code size. For MSP and ARM, however, the key size for keeping code size small is the same, “128 bits”. So, it is concluded from the extracted association rules that when the block size is “96 bits”, the round function is “XOR, Left Shift, Right Shift”, the S-box is “Not based” and the key scheduling is “based on round function”, the resulting cipher will have a small code size and can be used in resource-constrained environments.

4.2.2 Rules for RAM Size

For RAM footprint, the extracted rules are presented below:

1. Rounds=D => RAM=S
2. Round Function=C => RAM=S
3. Key Size=A Rounds=D => RAM=S
4. Key Size=A Round Function=C => RAM=S
5. Rounds=D Round Function=C => RAM=S

Rules to keep the RAM size small on AVR

1. Block Size=B => RAM=S
2. Key Size=A Block Size=B => RAM=S
3. Block Size=B Structure=A => RAM=S
4. Key Size=B 3 => RAM=S
5. Rounds=A => RAM=S

Rules to keep the RAM size small on MSP

1. S-Box=A => RAM=S
2. Round Function=A => RAM=S
3. Structure=A S-Box=A => RAM=S
4. Structure=A Round Function=A => RAM=S
5. Block Size=A => RAM=S

Rules to keep the RAM size small on ARM

There are some variations across platforms. However, the Association Rule Mining results show that four elements are important for keeping the RAM footprint of a cipher small: key size, block size, number of rounds and round function. Although the elements appear in different associations, their types are almost the same, as is evident from Table 6, where the extracted rules are presented in tabular form.

**Table 6.** Summary of rules on all platforms to keep the RAM size small

<table>
<thead>
<tr>
<th>Platform</th>
<th>Key Size</th>
<th>Block Size</th>
<th>Rounds</th>
<th>Structure</th>
<th>S-Box</th>
<th>Round Function</th>
<th>RAM Size</th>
</tr>
</thead>
<tbody>
<tr>
<td>AVR RAM</td>
<td></td>
<td></td>
<td>D</td>
<td></td>
<td>C</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td>B</td>
<td>D</td>
<td></td>
<td>C</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td>B</td>
<td>D</td>
<td></td>
<td>C</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td>MSP RAM</td>
<td>B</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>A</td>
<td>B</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>B</td>
<td>A</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td></td>
<td></td>
<td>A</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td>ARM RAM</td>
<td>A</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>A</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
</tbody>
</table>
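
How rules of the form listed in Section 4.2.2 are scored, as an added example that is not the authors' code or data: a small miner that fixes the consequent to RAM=S and keeps antecedents that meet a minimum support and confidence. The eight rows, the thresholds and the function names are constructed for illustration; the category letters only mimic the paper's encoding.

```python
from itertools import combinations

# Constructed rows: one hypothetical cipher each, NOT the paper's 13 ciphers.
# Letters mimic the paper's category encoding; RAM is S/M/L (small/medium/large).
COLS = ("Key Size", "Block Size", "Rounds", "Round Function", "RAM")
ROWS = [dict(zip(COLS, r.split())) for r in (
    "A B D C S", "A A D C S", "B B D C S", "A B A A M",
    "B A B A L", "B B A B L", "A A B B M", "B A D B M",
)]

def mine_rules(rows, target, target_value, min_support=0.25, min_conf=0.9, max_len=2):
    """Return class association rules: antecedent ==> target=target_value."""
    n = len(rows)
    attrs = [a for a in rows[0] if a != target]
    rules = []
    for k in range(1, max_len + 1):
        for combo in combinations(attrs, k):
            # Every value assignment of this attribute set that occurs in the data.
            seen = {tuple(r[a] for a in combo) for r in rows}
            for values in sorted(seen):
                match = [r for r in rows
                         if all(r[a] == v for a, v in zip(combo, values))]
                hits = sum(1 for r in match if r[target] == target_value)
                support = hits / n              # rows with antecedent AND consequent
                confidence = hits / len(match)  # of rows with antecedent, share with consequent
                if support >= min_support and confidence >= min_conf:
                    rules.append((tuple(zip(combo, values)), support, confidence))
    # Strongest first: confidence, then support, then shorter antecedents.
    rules.sort(key=lambda r: (-r[2], -r[1], len(r[0]), r[0]))
    return rules

def format_rule(rule, target="RAM", target_value="S"):
    """Render a rule in the 'X=a Y=b ==> RAM=S' style used in the listings."""
    antecedent, support, confidence = rule
    lhs = " ".join(f"{a}={v}" for a, v in antecedent)
    return f"{lhs} ==> {target}={target_value}  (support={support:.2f}, conf={confidence:.2f})"

if __name__ == "__main__":
    for rule in mine_rules(ROWS, "RAM", "S"):
        print(format_rule(rule))
```

With these rows, `Rounds=D` alone reaches only 0.75 confidence and is dropped at the 0.9 threshold, while several two-element rules pass on the strength of just two rows, which is why support should be read alongside every rule mined from a small cipher set.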

4.2.3 Rules for Execution Time

For Execution time, the extracted rules are presented below:

1. Key Scheduling=D  ==> EXE TIME=M
2. Block Size=B S-Box=D  ==> EXE TIME=M
3. S-Box=D  ==> EXE TIME=M

Rules to keep the Execution Time Medium on AVR

1. Block Size=B Structure=B  ==> EXE TIME=S
2. Key Scheduling=D  ==> EXE TIME=S
3. S-Box=D  ==> EXE TIME=S

Rules to keep the Execution Time Small on MSP

1. Structure=A S-Box=A Round Function=A Key Scheduling=A  ==> Execution Time=S
2. Block Size=A Structure=A S-Box=A Round Function=A Key Scheduling=A  ==> Execution Time=S
3. Block Size=A Structure=A Key Scheduling=A  ==> Execution Time=S
4. Block Size=A S-Box=A Round Function=A  ==> Execution Time=S
5. S-Box=A Round Function=A Key Scheduling=A  ==> Execution Time=S

Rules to keep the Execution Time Small on ARM

There are similarities between the AVR and MSP platforms. On the ARM platform, however, different values are identified. To keep the execution time low, the important elements are block size, S-box, round function, structure and key scheduling. For AVR and MSP the S-box “Bit Slice” is important, while for ARM the S-box “not based” is important, as can be seen above. Similarly, for AVR and MSP the block size “128 bits” is important, whereas for ARM the block size “64 bits” is important to keep the execution time low. On all three platforms, key size “64 Bits”, number of rounds “31 to 36”, block size “128 bits” and structure “Feistel” are common constituent elements. The round function may vary slightly when the platform changes from 8-bit AVR to 32-bit ARM: for AVR the round function “XOR, ADD, SUB” is important, while for ARM “XOR, LEFT, RIGHT shift” is vital, as is evident from Table 7.

Table 7. Summary of rules on all platforms to keep the EXE TIME small

<table>
<thead>
<tr>
<th>Platform</th>
<th>Block Size</th>
<th>Structure</th>
<th>S-Box</th>
<th>Round Function</th>
<th>Key Scheduling</th>
<th>EXE Time</th>
</tr>
</thead>
<tbody>
<tr>
<td>AVR EXE TIME</td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td>M</td>
<td></td>
</tr>
<tr>
<td>B</td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td>M</td>
<td></td>
</tr>
<tr>
<td>MSP EXE TIME</td>
<td>B</td>
<td>B</td>
<td>S</td>
<td>D</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td>ARM EXE TIME</td>
<td>A</td>
<td>A</td>
<td>A</td>
<td>A</td>
<td>A</td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>A</td>
<td>A</td>
<td>A</td>
<td>A</td>
<td>A</td>
<td>S</td>
</tr>
<tr>
<td></td>
<td>A</td>
<td>A</td>
<td></td>
<td>A</td>
<td>S</td>
<td></td>
</tr>
<tr>
<td></td>
<td>A</td>
<td>A</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

4.3 Recommendations

Keeping in view all the rules and findings for each element, the following recommendations are made:

- **Key Size**: not important for execution time. 128 bits can be used to keep code size small. 64 bits can be used to keep the RAM footprint small.
- **Block Size**: 96 bits can be used to keep code size small and keep execution time low on ARM. 128 bits can be used to keep the RAM footprint small and keep execution time low on AVR and MSP.
- **Rounds**: not found to be significant for execution time or code size. 31-36 can be used to keep the RAM footprint small.
- **Structure**: Feistel can be used to keep code size and RAM footprint small and execution time low.
- **S-Box**: “Not based” can be used to keep code size and RAM footprint small and execution time low. For AVR and MSP, “Bit Slice” can be used to keep execution time low.
- **Round Function**: “XOR, LEFT, RIGHT SHIFT” can be used to keep code size and RAM footprint small and execution time low. “XOR, ADD, SUB” can be used on AVR to keep the RAM footprint small.
- **Key Scheduling**: not important for RAM footprint. “Based on round function” can be used to keep code size small. The same value can be used to keep execution time low on ARM, whereas “depend on master key” can be used to keep execution time low on AVR and MSP.

5. Conclusion

In this paper, we presented an evaluation of 13 lightweight block ciphers used for secure communication in the Internet of Things. We compared and ranked the ciphers based on three metrics: code size, RAM footprint and execution time. We analyzed the performance of these ciphers on three different platforms: 8-bit, 16-bit and 32-bit. We further dissected these ciphers into their constituent elements and investigated the role of these elements in the performance of the ciphers. We used association rule mining to find associations among the constituent elements. Based on the results, we came up with a few guidelines regarding the design of lightweight ciphers. The designer must always remember the prerequisites of an algorithm that is to be implemented on devices, so the intention must be to consume fewer device resources, e.g. memory (RAM), code size and execution time. The S-box generally has to be small (4 × 4 bits) for compact operation. At the same time, it must deliver the necessary non-linearity to the algorithm. The key schedule has to be simple so that it takes little space; hence recently proposed ciphers keep the keys fixed. As the algorithms are implemented directly on the device, there is no need for re-keying. The permutation has to be designed in such a way that it attains an optimum balance between mixing of bits and area. The designer must attempt to achieve an optimum balance among the different parameters of cost, security and performance. In short, this research work aimed to provide a basis for improving ciphers in several respects, such as code size, memory size (RAM requirement) and execution time. This paper will serve as a guideline for cryptographic designers to design improved ciphers for resource-constrained environments like the Internet of Things.



Muhammad Tausif is currently working as Lecturer with the department of Computer Sciences COMSATS Institute of Information Technology (CIIT), Vehari, Pakistan where he teaches course on Computer Sciences and Software Engineering. He has completed his MS degree in Computer Sciences from COMSATS Institute of Information Technology, Sahiwal, Pakistan in 2016. He received his B.Sc degree in Computer Engineering from Bahauddin Zakariya University, Multan, Pakistan in 2011. His main research interests include Internet of Things and sensor networks. He has published one international journal paper. He has also supervised many Final year projects in different domains of Computer Sciences. He has led different research and development projects in COMSATS Institute of Information Technology Vehari.

Javed Ferzund is an associate professor at Department of Computer Science, COMSATS Institute of Information Technology, Sahiwal, where he served as Head of Department from 2013-2015. He received PhD degree from Graz University of Technology, Austria in 2009. His main research interests include Big Data Analytics, Internet of Things and Machine Learning. Particularly, he is interested in applications of IoT and Big Data in the Agro-Informatics and Bioinformatics fields. Currently, he is leading the Big Data Analytics Research Group at COMSATS Institute Sahiwal.

Sohail Jabbar is an Assistant Professor at Department of Computer Science, National Textile University, Faisalabad, Pakistan. He has been Post-Doctorate Researcher at Network Lab, Kyungpook National University, Daegu, South Korea. He also served as Assistant Professor with the Department of Computer Science, COMSATS Institute of Information Technology (CIIT), Sahiwal and headed Networks and Communication Research Group there. He received many awards and honors from Higher Education Commission of Pakistan, Bahria University, CIIT, and the Korean Government. He received the Research Productivity Award from CIIT in 2014 and 2015. He has been engaged in many National and International Level Projects. His research work is published in various renowned journals and magazines of IEEE, Springer, Elsevier, MDPI, Old City Publication and Hindawi, and conference proceedings of IEEE and ACM. He has been the reviewer for leading journals (ACM TOSN, JoS, MTAP, AHSWN, ATECS, among many) and conferences (C-CODE 2017, ACM SAC 2016, ICACT 2016, among others). He is currently engaged as TPC member chair in many conferences. He is guest editor of Six in Future Generation Computer Systems (Elsevier), Peer-to-Peer networking and Applications (Springer), Journal of Information and Processing System (KIPS), Cyber Physical System (Taylor & Francis). His research interests include Internet of Things, Wireless Sensor Networks and Software Defined Networking.

Raheela Shahzadi is currently working as Lecturer in department of Computer Science, COMSATS Institute of Information Technology, Sahiwal, Pakistan. She has completed her MS Degree in Computer Science from COMSATS Institute of Information Technology, Sahiwal, Pakistan in 2015 with Distinction. She has completed her bachelor degree COMSATS Institute of Information Technology, Sahiwal, Pakistan in 2013 with Distinction. She has two and half year teaching experience at COMSATS Institute of Information Technology, Sahiwal, Pakistan. She has published one international conference article. Her research interests include Data mining, internet of things (IoT), wireless sensor network (WSN), expert system (ES) and digital image processing (DIP).