Lightweight Cryptography Algorithms For Resource-Constrained IoT Devices A Review Comparison and Research Opportunities

Received December 9, 2020, accepted January 9, 2021, date of publication January 19, 2021, date of current version February 22, 2021.
Digital Object Identifier 10.1109/ACCESS.2021.3052867

Lightweight Cryptography Algorithms for Resource-Constrained IoT Devices: A Review, Comparison and Research Opportunities
VISHAL A. THAKOR 1, MOHAMMAD ABDUR RAZZAQUE 1 (Member, IEEE), AND MUHAMMAD R. A. KHANDAKER 2 (Senior Member, IEEE)
1 School of Computing, Engineering, and Digital Technologies, Teesside University, Middlesbrough TS1 3BX, U.K.
2 School of Engineering and Physical Sciences, Heriot-Watt University, Edinburgh EH14 4AS, U.K.
Corresponding author: Mohammad Abdur Razzaque (m.razzaque@tees.ac.uk)
This research was partially funded by the Newton Fund - Institutional Links from British Council and National Research Council of Thailand with the grant ID 527643161.

ABSTRACT IoT is becoming more common and popular due to its wide range of applications in various domains. IoT devices collect data from the real environment and transfer it over the networks. There are many challenges while deploying IoT in the real world, varying from tiny sensors to servers. Security is considered the number one challenge in IoT deployments, as most of the IoT devices are physically accessible in the real world and many of them are limited in resources (such as energy, memory, processing power and even physical space). In this paper, we focus on these resource-constrained IoT devices (such as RFID tags, sensors, smart cards, etc.), as securing them in such circumstances is a challenging task. The communication from such devices can be secured by means of lightweight cryptography, a lighter version of cryptography. More than fifty lightweight cryptography (plain encryption) algorithms are available in the market with a focus on a specific application(s), and another 57 algorithms have been submitted by researchers to the NIST competition recently. To provide a holistic view of the area, in this paper, we have compared the existing algorithms in terms of implementation cost, hardware and software performances and attack resistance properties. Also, we have discussed the demand and a direction for new research in the area of lightweight cryptography to optimize the balance amongst cost, performance and security.

INDEX TERMS IoT, lightweight, cryptography, sensors, RFID, smart cards.

I. INTRODUCTION
A. IoT OVERVIEW
Internet of Things (IoT) has already become a dominant research area because of its applications in various domains such as smart transport & logistics, smart healthcare, smart environment, smart infrastructure (smart cities, smart homes, smart offices, smart malls, Industry 4.0), smart agriculture and many more. Many researchers and industry experts have given various definitions of IoT depending on their applications and implementation area, but in simple words, IoT is a network of connected things, each with a unique identification, able to collect and exchange data over the Internet with or without human interaction [1]–[5]. In any IoT solution or application, IoT devices are the key elements. These IoT devices could be divided into two main categories (Figure 1): rich in resources such as servers, personal computers, tablets and smartphones, etc. and limited in resources (resource-constrained) such as industrial sensors or sensor nodes, RFID tags, actuators, etc., [6]. In this paper, we focus on the second category of IoT devices. These connected devices are becoming more popular due to their use in various applications and will flood the market with the emergence of IoT [6], leading to an enormous data exchange rate amongst them [7].

FIGURE 1. Two main categories of IoT Devices.

The associate editor coordinating the review of this manuscript and approving it for publication was Kim-Kwang Raymond Choo.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 9, 2021 28177
V. A. Thakor et al.: Lightweight Cryptography Algorithms for Resource-Constrained IoT Devices

TABLE 1. List of Abbreviations and Acronyms.

FIGURE 2. IoT Security Challenges.

B. SECURITY CONCERNS OF RESOURCE-CONSTRAINED IoT DEVICES: CHALLENGES AND SECURITY REQUIREMENTS
When billions of smart devices (connected devices) work in a diverse set of platforms, especially when shifting from server to sensors, this gives birth to various unprecedented challenges to their owners or users [6] such as security & privacy, interoperability, longevity & support, technologies and many more [8]. Also, IoT devices are easily accessible and exposed to many security attacks [9] as they interact directly with the physical world to collect confidential data or to control physical environment variables, which makes them an attractive target for attackers [10]. All these circumstances make cybersecurity a major challenge in IoT devices with demands of confidentiality, data integrity, authentication & authorization, availability, privacy & regulation standards and regular system updates [8]. Figure 2 depicts IoT security challenges and their security requirements.
In this scenario, cryptography could be one of the effective measures to guarantee confidentiality, integrity and authentication & authorization of the traversing data through IoT devices [7]. It could also be a solution to secure the stored or traversing data over the network. However, conventional PC based cryptography algorithms do not fit into resource-constrained IoT devices due to their high resource demands. A lighter version of these solutions, lightweight cryptography, can address these challenges to secure the communication in resource-constrained IoT devices.

C. KEY CHALLENGES WHILE IMPLEMENTING CONVENTIONAL CRYPTOGRAPHY IN RESOURCE-CONSTRAINED IoT DEVICES
The key challenges while implementing conventional cryptography in IoT devices (Figure 3) are as follows [11]:
• Limited memory (registers, RAM, ROM)
• Reduced computing power
• Small physical area to implement the assembly
• Low battery power (or no battery)
• Real-time response

FIGURE 3. Key Challenges with Conventional Cryptography.

Most of the IoT devices (such as RFIDs and sensors) are small in size and are equipped with limited resources such as small memory (RAM, ROM) to store and to run the application, low computing power to process the data, limited battery power (or no battery in case of passive RFID tags) [6], small physical area to fit-in the assembly [6], [11]. Moreover, most of the IoT devices deal with the real-time application where quick and accurate response with essential security using
available resources is a challenging task [12], [13]. IoT device designers face several risks and challenges, including energy capacity [14], and data security [9].
In these circumstances, if conventional cryptography standards are applied to IoT devices (mainly RFIDs and sensors), their performance may not be acceptable [6]. The above issues with conventional cryptography are very well addressed by its sub-discipline, lightweight cryptography, by introducing lightweight features such as small memory, small processing power, low power consumption, real-time response even with resource-constrained devices [6].
Another important aspect of lightweight cryptography is that it is not just applicable to resource-constrained devices (RFID tags, sensors, etc.), but readily applicable to other devices rich in resources that it directly or indirectly interacts with (such as servers, PCs, tablets, smartphones, etc.) [6].

D. MOTIVATION AND CONTRIBUTION
Recently, many algorithms have been proposed for LWC by the researchers. Besides, many works have revealed the security attacks on particular LWC algorithm(s) [15]–[31]. A number of published papers have done a fair comparison of hardware and/or software implementations of these algorithms on different platforms as well as in different circumstances [9], [32]–[39]. Most of these works have considered the algorithms which are applicable in certain domains or suitable for certain applications. However, a holistic view of the proposed LWC algorithms in terms of their hardware-software performances along with cryptanalysis is missing in these works. Authors in [40] have reviewed a list of different LWC algorithms with their performances on different platforms, but an inclusive view on their applications and lightweight key demands of cost (memory, physical area, battery, power) and performance (quick response) along with the security concerns is missing. Also, [40] does not include a number of key algorithms, e.g., Keeloq and Midori. In addition, it just provides a list of attacks on LWC algorithms without any security comparison, and thus a clear view of various security attacks on different LWC algorithms is missing.
More recently, [41] discusses the algorithms, especially those submitted to the NIST competition (round 2), which are compliant with LWC Hardware API (proposed by the NIST in 2019) and evaluates them on FPGA platform (Xilinx, Intel, and Lattice). The paper considers only two performance metrics: Throughput and Speed (clock-cycles/byte) which could be its limitation as others (Block/Key size, Memory, Gate Area, Power & Energy requirements) are missing. Also, these algorithms are running in a competition through several rounds (32 out of 57 (in round 1) are competing in the 2nd round).
With a unique aspect in this paper, we have clearly classified the key characteristics of LWC algorithms (missing in the existing survey papers) proposed by the leading research groups [6], [42] in the fields of cryptography along with how LWC satisfies these properties (Table 2). Secondly, our paper compares 41 existing symmetric key lightweight cryptography (plain encryption) algorithms over 7 performance metrics (Block/Key size, Memory, Gate Area, Latency, Throughput, Power & Energy requirements along with hardware and software efficiency) as recommended by the NIST report for resource-constrained IoT devices [6]. These LWC algorithms are widely adopted by the industries and the article reveals the top ten amongst them based on their mapping (metrics). These analyses could be useful to researchers/scientists in choosing the right algorithm based on their application requirement(s). Also, demonstrating various IoT applications in real-world along with their lightweight key requirements and their best-suited LWC options is a unique contribution in the field of lightweight cryptography. In addition, our paper evaluates various attacks on different LWC algorithms in a grid form. Such comparison makes it easier for users to identify the security strength of any LWC algorithm as well as to identify common attacks on LWC algorithms. A recent call from NIST [43] (to create new LWC algorithms for easy and efficient implementation on resource-constrained circuitry) and the results derived from the study (none of the algorithms meets all the criteria of lightweight in terms of cost and performance along with strong security) encourage exploring the existing list of LWC algorithms from different perspectives for further research.

E. PAPER OUTLINE
Considering the significance of IoT security, this article takes an inclusive view on symmetric key lightweight cryptography algorithms and i) defines hardware and software performance metrics based on identified key characteristics of LWC and gives a broad classification of LWC based on their internal structure (Section II), ii) presents a comprehensive study of existing LWC algorithms along with their performances, cryptanalysis and real-time use cases (Section III), iii) outlines open research challenges, recommending future research directions (Section IV), and finally iv) concludes in (Section V).

II. LIGHTWEIGHT CRYPTOGRAPHY FOR RESOURCE-CONSTRAINED IoT DEVICES
A. CHARACTERISTICS OFFERED BY LWC
The three main characteristics of Lightweight cryptography algorithms and their offerings are listed in Table 2 [9], [11]:

TABLE 2. LWC Characteristics.

As shown in the above table, physical cost, performance and security are the main characteristics to look into while implementing cryptography to any resource-constrained IoT device. Each of these characteristics is further observed where
physical space occupied, memory demand and energy consumption as a cost to implement, processing power in terms of latency and throughput as performance (speed) and block/key length and different attack models including side-channel & fault-injection attacks as a security measure. The first two characteristics are satisfied by LWC algorithms by offering simple round functions on the tiny block (≤ 64 bit) using a tiny key (≤ 80 bit) with simple key scheduling. The last but important characteristic, security, is fulfilled by the adoption of one of the six internal structures (SPN, FN, GFN, ARX, NLFSR, Hybrid) to provide immunity against the security attacks.
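
What "simple key scheduling" can cost in security is easiest to see on a concrete cipher. The C program below is an added example, not code from the paper: it implements TEA, which Section III describes as a 64-bit block, 128-bit key, 32-round cipher whose simple key scheduling leaves it with three equivalent keys, and checks that property. The function names, the key and the plaintext are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TEA_DELTA  0x9E3779B9u   /* standard TEA round constant */
#define TEA_ROUNDS 32            /* round count quoted in the survey */
#define MSB        0x80000000u   /* most significant bit of a key word */

/* TEA encryption of one 64-bit block (v[0], v[1]) under a 128-bit key.
 * The whole "key schedule" is the four key words reused in every round. */
void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Inverse of tea_encrypt: the same rounds run backwards. */
void tea_decrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t sum = (uint32_t)(TEA_DELTA * (uint32_t)TEA_ROUNDS);
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0;
    v[1] = v1;
}

/* Returns 1 when both keys encrypt pt to the same ciphertext block. */
int same_ciphertext(const uint32_t pt[2], const uint32_t ka[4],
                    const uint32_t kb[4])
{
    uint32_t a[2] = { pt[0], pt[1] }, b[2] = { pt[0], pt[1] };
    tea_encrypt(a, ka);
    tea_encrypt(b, kb);
    return a[0] == b[0] && a[1] == b[1];
}

/* k[0] and k[1] are each added to a term and the two sums are XORed, so
 * flipping the top bit of both flips the top bit of both sums and the
 * flips cancel. The same holds for k[2] and k[3]. That gives three key
 * variants that behave exactly like the original key. */
static const uint32_t EQUIV_MASKS[3][4] = {
    { MSB, MSB, 0,   0   },
    { 0,   0,   MSB, MSB },
    { MSB, MSB, MSB, MSB },
};

/* Counts how many of the three variants collide with the original key. */
int count_equivalent_keys(const uint32_t pt[2], const uint32_t key[4])
{
    int n = 0;
    for (int m = 0; m < 3; m++) {
        uint32_t alt[4];
        for (int i = 0; i < 4; i++)
            alt[i] = key[i] ^ EQUIV_MASKS[m][i];
        n += same_ciphertext(pt, key, alt);
    }
    return n;
}

/* Control: flipping the top bit of k[0] alone is a genuinely different key. */
int single_flip_collides(const uint32_t pt[2], const uint32_t key[4])
{
    uint32_t alt[4] = { key[0] ^ MSB, key[1], key[2], key[3] };
    return same_ciphertext(pt, key, alt);
}

int main(void)
{
    /* Constructed sample key and plaintext, not test vectors from the paper. */
    const uint32_t key[4] = { 0x00112233u, 0x44556677u,
                              0x8899AABBu, 0xCCDDEEFFu };
    const uint32_t pt[2]  = { 0x01234567u, 0x89ABCDEFu };

    printf("equivalent key variants that collide: %d of 3\n",
           count_equivalent_keys(pt, key));
    printf("single-word flip collides: %d\n", single_flip_collides(pt, key));
    return 0;
}
```

Because every key shares its behaviour with three others, TEA's effective key length is 126 bits rather than 128, which is one reason a cipher with a real key schedule is preferred where keys may be related or attacker-influenced.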

B. HARDWARE AND SOFTWARE PERFORMANCE METRICS
Based on the first two characteristics (physical and performance) offered by any LWC algorithm, hardware and software specific resource requirements could be measured in terms of memory requirements, gate area, latency, throughput, and power and energy consumption as follows:

1) MEMORY REQUIREMENTS
Generally, measured in KB [40]. RAM is required to store intermediate values that can be used in computations and ROM is required to store the program/algorithm, and static data, such as algorithm key, S-box (in some cases), etc., [6].

2) GATE AREA
It is the physical area required to implement/run the algorithm on a board/circuit, measured in µm². This space can be specified using logical blocks for FPGA or using GE for ASIC (1 GE = 2 input-NAND Gate) [6]. Normally, 200 to 2000 GE (out of 1000 to 10,000 GE of total available) are allocated for security reasons in an economical RFID tag [44].

3) LATENCY
It is the time to produce the cipher from the original text in terms of hardware performance [6] whereas the amount of clock cycles per block (during encryption) defines the software latency.

4) THROUGHPUT
Throughput, in hardware, can be measured in terms of plain text processed per time unit (bits per second) at 100 KHz frequency, whereas in software, it is the average amount of plaintext processed per CPU clock cycle at 4 MHz frequency [45].

5) POWER REQUIREMENTS
The amount of power required by the circuit to process the algorithm can be measured in µW.

6) ENERGY CONSUMPTION
Energy consumption per bit can be calculated as follows [40]:
Energy[µJ] = (Latency[cycles/block] ∗ Power[µW]) / blocksize[bits]
Here, latency is in terms of software implementation.

7) EFFICIENCY
Gives performance over resource requirements. For hardware, it can be calculated as follows [40]:
Hardware Efficiency = Throughput[Kbps] / Complexity[KGE]
Here, complexity means physical space.
Similarly, software efficiency can be determined as follows [40]:
Software Efficiency = Throughput[Kbps] / CodeSize[KB]
Here, code size is the algorithm size.

C. STRUCTURE WISE CLASSIFICATION OF LWC
Cryptographic algorithms can be classified into two main categories, symmetric key and asymmetric key ciphers (Figure 4). Symmetric key uses a single key for both encryption and decryption of the data, whereas asymmetric cipher uses two different keys to encrypt and to decrypt the data [46]. Symmetric key cryptography is safe and comparatively fast; the only downside of symmetric key encryption is the sharing of the key between the communicating parties without compromising it [32]. But this could be overcome by pre-sharing the key through a trusted third party. Also, it ensures confidentiality, data integrity and authentication (using authentication encryption mode (AEAD)) of the data. Asymmetric cryptography uses two private-public key pairs. It ensures confidentiality and integrity by making use of the public key of the receiver and further ensures authentication by using the sender's private key (as a digital signature) to encrypt the data. At the other end, the receiver decrypts it by using the sender's public key first and then using his/her private key [46]. The only disadvantage of asymmetric encryption is its large key which increases the complexity and slows down the process [32].

FIGURE 4. Structure wise Classification of LWC.

In block cipher, both encryption and decryption take place on a fixed size block (64 bits or more) at a time whereas stream cipher continuously processes the input elements bit
by bit (or word by word) [46]. There are two fundamental properties of any cryptography, confusion and diffusion, introduced by Claude Shannon [35], [40] to strengthen the cipher. The confusion makes the relationship between the ciphertext and the key as complex as possible using substitution (S-box) whereas diffusion dissipates the statistical structure of plaintext over the bulk of ciphertext using permutation [35], [46]. The stream cipher uses only confusion property whereas block cipher uses both confusion and diffusion with simple design compared to the stream one. Following the reverse of encryption process to extract the original text is hard in a block cipher whereas stream cipher performs XOR function(s) to encrypt the data that could be easily reverted to its original form. In contrast, Hash is a one-way mathematical function that transforms unspecified length data into a specified-length bit string (short string) which cannot be inverted.
For the above reasons, a block cipher is preferred in resource-constrained IoT devices over stream cipher. This paper concentrates on block cipher, mainly symmetric lightweight block ciphers. It uses one of the following structures:
• Substitution-Permutation Network (SPN)
• Feistel Network (FN)
• General Feistel Network (GFN)
• Add-Rotate-XOR (ARX)
• NonLinear-Feedback Shift Register (NLFSR)
• Hybrid
Substitution-Permutation network (SPN) tweaks the data through a set of substitution box and permutation table and formulates them for the following round. A Feistel network (FN) breaks the input block into equal halves and applies diffusion in each round to just one half. In addition, swapping of two halves happens at the beginning of each round. The generalized Feistel network (GFN) is an extrapolated version of the classic Feistel network. It splits the input block into a number of sub-blocks and applies the Feistel functions to every pair of sub-blocks, followed by a cyclic shift proportional to the number of sub-blocks [47]. ARX performs encryption-decryption using addition, rotation and XOR functions without making use of S-box. Implementation of ARX is fast and compact but is limited in security properties compared to SPN and Feistel ciphers. Nonlinear feedback shift register (NLFSR), applies to both stream and block ciphers, utilizes the building blocks of stream ciphers whose current state is derived from its prior state which is a nonlinear feedback value [20]. Hybrid cipher combines any three types (SPN, FN, GFN, ARX, NLFSR) or even mixes block and stream property to improve specific characteristics (for example, throughput, energy, GE, etc.) based on its application requirements.
Out of these structures, SPN and FN are the most popular choice due to their flexibility to implement, based on application requirements [40]. Although Feistel structures are incorporated easily into low-average power hardware (due to the absence of round function in one-half of the states), it usually requires more round function compared to SPN structures for safety reasons [48]. When there is a choice between fewer SPN function rounds and higher Feistel function rounds with the same level of security and similar energy costs, SPN function could be a smarter choice [48].

III. EXISTING LWC ALGORITHMS
More than fifty symmetric LWC algorithms (plain encryption) are proposed by various academia, proprietaries and government bodies with a focus on reducing cost (memory, processing power, physical area (GE), energy consumption) and enhanced hardware and software performance (latency, throughput). However, many of them do not concentrate on security attacks explicitly and only care about performance and/or implementation cost [13]. The structure-wise categorisation of these algorithms is summarised in Table 3. The following subsections unfold these LWC algorithms category wise.

TABLE 3. Structure wise LWC algorithms.

A. STRUCTURE WISE LWC ALGORITHMS
1) SUBSTITUTION PERMUTATION NETWORK (SPN)
AES [49] is a classic example of SPN based algorithm, standardized by NIST, performs on 128-bit block with 128, 192 and 256-bit key variants [50]. The minimum GE requirement recorded for AES is around 2400 GEs (23% smaller than the usual one) [50], which is still heavy for some small scale real-time applications [35]. It shows the comparatively efficient performance when supplied with additional resources [38].
Another, most hardware and software efficient and ISO/IEC(29192-2P:2012) approved algorithm is PRESENT. It is Substitution-Permutation network based, uses 64-bit block on two key variants: 80-bit and 128-bit keys with the GE requirements of 1570 and 1886, respectively [51]. The minimum GE requirement noted for a version of PRESENT is approx. 1000 GE (encryption only) [52], where it takes 2520-3010 GE to provide an adequate level of security [35]. It is a hardware efficient algorithm and uses 4-bit S-boxes (substitution layer - replaces eight S-boxes with single S-box) whereas it takes large cycles in software (permutation layer) which demands an improved version of this [32], [35], [40], [51], [53].
GIFT [54], an improved version of the PRESENT, was presented in CHES-2017. It offers lighter S-Box with smaller
physical space. Also, the number of rounds is less and gives high throughput along with the simpler and faster key schedule. There are two versions of GIFT: GIFT-64, 28-round with 64-bit block size and GIFT-128, 40-round with 128-bit block size. Both use a 128-bit key. Also, the lighter version, GIFT-64, was found more vulnerable than GIFT-128 [55], [56]. Very limited documents have been found with the micro-controller implementation of GIFT [57], [58].
SKINNY [59] has two versions: SKINNY-64 and SKINNY-128. SKINNY-64 uses 64-bit block with 64/128/192-bit key variants to perform 32/36/40 rounds whereas SKINNY-128 uses 128-bit block with 128/256/384-bit key variants to perform 40/48/56 rounds.
RECTANGLE is an ultra-lightweight block cipher that can be used with various applications. With little changes in SPN structure, the rounds are reduced to 25 (compared to 31 rounds in PRESENT) to meet with the competitive environment [53].
TWINE achieves good overall status as PRESENT and also overcomes many of its implementation issues. It operates 64-bit input with two key variants, 80-bit and 128-bit [60]. It requires around 2000 GE and a larger circuit size per throughput compared to AES [12]. In speed comparison, when 1KB or more ROM is available, AES is faster than TWINE, but when only 512 bytes of ROM is available, AES can't be implemented and TWINE works 250% faster than PRESENT [12].
Midori was designed with a focus on low/tight energy budget, for instance, medical implants. It comes with two different versions, Midori64 and Midori128. Both of these use a 128-bit key on two different block size 64-bit and 128-bit through 16 and 20 iterations, respectively [48], [61].
mCrypton (miniature of Crypton) [62] is a cost and energy-efficient, lightweight edition of Crypton [63], suitable for both hardware and software deployments. It performs 13 iterations on the 64-bit block using a variety of keys (64-bit, 96-bit and 128-bit).
NOEKEON [64] works on the same block and key size, 128 bit, via 16 iterations. The cipher was rejected by the NESSIE project due to its less resistance against the attacks [65].
ICEBERG [66] is optimized for re-configurable hardware deployment with a property of modifying the key at each clock cycle without compromising quality. Here, the round keys are derived on-the-fly. It performs on 64-bit input with 128-bit key via 16 iterations with a demand of 5800 GE at a throughput of 400 Kb/s [67].
PUFFIN-2 [68] is a compact edition of PUFFIN (2303GE) [69]. It uses 80-bit key to perform 34 iterations on 64-bit data using serialized SPN structure. It requires only 1083 GEs for both encryption and decryption.
PRINCE is both hardware and software efficient lightweight algorithm [70] which performs on 64-bit input using a 128-bit key for 12 times [71]. The smallest hardware implementation demands 2953GE at a throughput of 533.3 Kb/s. It shows the low energy consumption of 5.53 µJ/bit [72].
PRIDE [70] exhibits low latency and low energy demand with a 128-bit key to perform 20 iterations on 64-bit input.
PRINT [73] is a domain-specific cipher designed for two applications: PRINT-48 for IC-printing applications which make use of an 80-bit key to perform 48 iterations on 48-bit input (402GE) and PRINT-96 for EPC encryption which uses a 160-bit key to perform 96 iterations on 96-bit input (726GE). It uses 3-bit operations where an odd number of bit and operation is not feasible, actual deployment of the algorithm is not ready yet.
Klein [74] works on 64-bit input using 64-bit, 80-bit and 96-bit keys through 12 (1220 GE), 16 (1478 GE), and 20 (1528 GE) iterations, respectively. It was designed with a focus on software implementation, mainly for sensors.
To obtain efficient hardware and software footprints, LED [75] borrows features from PRESENT (S-box), Lighter version of AES (row-wise data processing) [50] and PHOTON (mix column approach) [76]. There is an absence of key scheduling in LED which is a unique feature. This approach reduces the chip area but increases the security risk like related key attacks [77]. It processes 64-bit input using various keys such as 64-bit (966 GE), 80-bit (1040 GE), 96-bit (1116 GE) and 128-bit (1265 GE) keys for either 32 or 48 times [75].
PICARO [78] is a novel cipher with a good balance between performance and security (by an adequate choice of S-box). It has 4 different masking levels with faster hardware performance compared to AES. It uses 128-bit key through 12 rounds and shows high resistance to side-channel attacks.
Zorro [79] is based on AES, suitable for embedded systems and more efficient than PICARO. It takes a similar size of block and key (128-bit) through 24 rounds.
EPCBC (Electronic Product Code Block Cipher) [80] is a lightweight cipher, inspired by PRESENT, supports 96-bit key with the input of 48-bit and 96-bit block to perform 32 iterations. The most compact version needs 1008GE. The optimized sub-key generation technique of EPCBC enhances its immunity against related-key differential attacks.
I-PRESENT [81] is an involutive version of PRESENT inspired by PRINCE and NOEKEON. It takes a similar size of the block and key to perform 30 rounds with two additional 4 × 4 S-boxes (16 times). The most compact hardware implementation requires about 2769 GE (encryption and decryption).

2) FEISTEL NETWORK (FN)
The lightweight DES (Data Encryption Standard) is known as DESL. It works on a similar size of the block (64-bit), key (56-bit) and a similar number of rounds as DES. The reduced number of S-box (eight to only one [82]) and multiplexer [83] used in DESL distinguishes it from DES. It demands 1850 GE which is 20% compact compared to DES (2310 GE) [83]. DESL also discards the initial and final permutation of DES to make it lighter [84]. DESXL is another lighter edition of
DES with a key whitening feature to strengthen the cipher and with 2170 GE demands [83]. It performs the same number of cycles and uses the same block size as DESL but larger key, 184-bit (k = 56, k1 = 64, k2 = 64) [84].
Tiny Encryption Algorithm (TEA) is suitable for very small, computationally weak and low-cost hardware [85]. It operates 128-bit key on 64-bit input to perform 32 rounds [86] with GE requirements of 3872 [87]. Its simple key scheduling is vulnerable to brute force attack [88], [89]. Another limitation of TEA structure is its three equivalent keys for decryption which makes it vulnerable to the attackers [88]. The improved version of TEA is (XTEA) which uses the same size of key and block but with more iterations (64 rounds), demanding 3490 GE [90]. It offers more complex key scheduling with little change in Shift, XOR and addition functions [91]. XTEA was further modified with XXTEA [92] to provide immunity against related-key rectangle attack (on 36 rounds) [91].
Camellia [93] is an ISO/IEC, IETF, NESSIE and CRYPTREC recognised cipher. It was designed by Nippon Telegraph and Telephone Corporation and Mitsubishi Electric Corporation. Camellia offers a similar level of security by processing the same size of key and block as AES with two round variants, 18 and 24. It is known for its fast software implementations [94] whereas the hardware implementation requires 6511 GE.
NSA designed SIMON [95], which is known for its small footprint in hardware. It offers various keys of size (64-bit, 72-bit, 96-bit, 128-bit, 144-bit, 192-bit, 256-bit) over the block of 32-bit, 48-bit, 64-bit, 96-bit, 128-bit through 32, 36, 42, 44, 52, 54, 68, 69, 72 rounds [95]. The most compact version requires 763GE for execution [95].
SEA [96] is designed for tiny IoT devices, especially for memory-constrained devices [97], with the concept of on-the-fly key generation [96]. It uses 96-bit key on two recommended block size 96-bit and 8-bit with the requirement of 3758GE [97] for the most lightweight hardware version. The optimised software execution demands 426 bytes with encryption cycle of 41604 on 8-bit micro-controllers [98].
KASUMI [99] takes 64-bit input to perform 8 iterations using a 128-bit key. It demands 3437GE for deployment on hardware [100]. It is mainly designed for GSM, UMTS and GPRS systems.
MIBS [101] takes 64-bit input to perform 32 iterations using two variants of keys, 64-bit (1396 GE) and 80-bit (1530 GE). It is Feistel based structure, makes use of S-box from mCrypton [62] and uses PRESENT's keys extraction technique to derive the sub-keys.
LBlock [102] is an ultra-lightweight cipher, performs 32 iterations on 64-bit input along with 80-bit keys. The smallest hardware deployment needs 1320 GE for a throughput of 200 Kb/s whereas 3955 clock cycles are taken by most efficient software implementation to encrypt a single block

executes on 64-bit input with a 256-bit key for 32 times. The S-Box in this version is adopted from PRESENT [103] with the demands of 651 GE.
ITUbee [104] is a software efficient cipher with a code size of 586 bytes and 2937 cycles (the most compact version of encryption). It takes the same size of key and block (80-bit). Here, key scheduling is replaced by round-dependent constants to reduce software overload.
FeW [105] processes 64-bit input with two varieties of the key, 80-bit and 128-bit for 32 times. It makes use of S-box of Humminbird-2 and follows the key expansion process from the PRESENT. There is no cryptanalytic attack found on FeW [105].

3) GENERALISED FEISTEL NETWORK (GFN)
Introduced by SONY corporation and approved by NIST, CLEFIA offers 128-bit block with choice of 128, 192, 256 bit key through 18, 22, 26 round, respectively [106], [107]. It shows high performance and strong immunity against various attacks [40], [106], [108], [109] with comparative high cost as the most compact version requires 2488 GE (encryption only) for 128-bit key [107]. The strong immunity of CLEFIA against security attacks is due to its dual confusion and diffusion properties. In contrast, this demands higher memory and limits its use in ultra-small applications [35].
Piccolo [110] is another ultra-lightweight cryptography algorithm suitable for extremely restricted environmental devices (RFID, sensors, etc.). It processes 64-bit input to perform two iterations, 25 and 31, using two key sets, 80-bit and 128-bit, respectively. The smallest hardware deployment (80-bit key) requires 432 GE and an additional 60 GE to perform decryption.
TWIS [111], derived from CLEFIA, takes equal size block and key (128-bit) to perform 10 iterations. It is a victim of differential distinguisher with probability one [112].
TWINE [60], derived from LBlock, performs 36 iterations on 64-bit state along with two key options, 80-bit and 128-bit. The most compact hardware implementation requires 1866 GE. TWINE uses nibble permutation instead of bit permutation (for sub-key generation) of LBlock. Also, it uses a single S-box instead of ten S-Boxes of LBlock.
HISEC [113] performs 15 iterations on 64-bit input along with an 80-bit key, demanding 1695 GE. It shows good resistance against different attacks, and the characteristics are more like PRESENT except bit-permutation.

4) ADD-ROTATE-XOR (ARX)
SPECK [95], sibling of SIMON and designed by NSA, is a software-oriented cipher. It supports the similar size of blocks and keys as SIMON to perform 22, 23, 26, 27, 28, 29, 32, 33 and 34 iterations. The most compact hardware implementation recorded uses 48-bit block with 96-bit key with
(on the 8-bit microcontroller). requirements of 884 GE whereas the most efficient software
The designed and developed by the government of the implementation requires 599 cycles with 186-byte of ROM
Soviet Union (1989), the lightweight version of GOST for 64-bit block with 128-bit key [95].
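The add-rotate-XOR construction behind SPECK, as an added example (not code from the paper or from the SPECK designers): a generic C implementation covering the ten block/key combinations that give the round counts listed above, with the designers' published Speck32/64 and Speck64/128 test vectors as sample input. All function and constant names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
typedef struct { unsigned n, m, rounds; } speck_params; /* word bits, key words, rounds */

/* The ten SPECK variants: block = 2n bits, key = m*n bits. */
static const speck_params SPECK_VARIANTS[10] = {
    {16, 4, 22}, {24, 3, 22}, {24, 4, 23}, {32, 3, 26}, {32, 4, 27},
    {48, 2, 28}, {48, 3, 29}, {64, 2, 32}, {64, 3, 33}, {64, 4, 34},
};
#define SPECK_MAX_ROUNDS 34

/* Keys of the designers' published test vectors, leftmost word first. */
static const uint64_t KAT_KEY_32_64[4]  = {0x1918, 0x1110, 0x0908, 0x0100};
static const uint64_t KAT_KEY_64_128[4] = {0x1b1a1918, 0x13121110, 0x0b0a0908, 0x03020100};

/* n-bit words live in a uint64_t; every helper keeps them reduced mod 2^n. */
static uint64_t mask(unsigned n) { return n == 64 ? ~0ULL : (1ULL << n) - 1; }
static uint64_t ror(uint64_t v, unsigned r, unsigned n) { return ((v >> r) | (v << (n - r))) & mask(n); }
static uint64_t rol(uint64_t v, unsigned r, unsigned n) { return ((v << r) | (v >> (n - r))) & mask(n); }

/* One round: rotate, add modulo 2^n, XOR. No S-box and no lookup table. */
static void speck_round(uint64_t *x, uint64_t *y, uint64_t k, unsigned n)
{
    unsigned a = (n == 16) ? 7 : 8, b = (n == 16) ? 2 : 3;
    *x = ((ror(*x, a, n) + *y) & mask(n)) ^ k;
    *y = rol(*y, b, n) ^ *x;
}

/* Inverse round, undoing the two steps in reverse order. */
static void speck_round_inv(uint64_t *x, uint64_t *y, uint64_t k, unsigned n)
{
    unsigned a = (n == 16) ? 7 : 8, b = (n == 16) ? 2 : 3;
    *y = ror(*y ^ *x, b, n);
    *x = rol(((*x ^ k) - *y) & mask(n), a, n);
}

/* Key schedule: the round function itself, keyed with the round counter.
   key[0] is the leftmost word of the printed key, key[m-1] is k0. */
void speck_expand_key(const speck_params *p, const uint64_t *key, uint64_t *rk)
{
    uint64_t l[3] = {0, 0, 0}, k = key[p->m - 1] & mask(p->n);
    for (unsigned i = 0; i + 1 < p->m; i++)
        l[i] = key[p->m - 2 - i] & mask(p->n);
    for (unsigned i = 0; i < p->rounds; i++) {
        rk[i] = k;
        speck_round(&l[i % (p->m - 1)], &k, i, p->n); /* l[i+m-1] reuses the slot of l[i] */
    }
}

/* blk[0] and blk[1] must already fit in n bits. */
void speck_encrypt(const speck_params *p, const uint64_t *rk, uint64_t blk[2])
{
    for (unsigned i = 0; i < p->rounds; i++)
        speck_round(&blk[0], &blk[1], rk[i], p->n);
}

void speck_decrypt(const speck_params *p, const uint64_t *rk, uint64_t blk[2])
{
    for (unsigned i = p->rounds; i-- > 0; )
        speck_round_inv(&blk[0], &blk[1], rk[i], p->n);
}

/* Expand and encrypt in one call; returns (x << n) | y, so only for n <= 32. */
uint64_t speck_encrypt_packed(const speck_params *p, const uint64_t *key, uint64_t x, uint64_t y)
{
    uint64_t rk[SPECK_MAX_ROUNDS], blk[2] = {x & mask(p->n), y & mask(p->n)};
    speck_expand_key(p, key, rk);
    speck_encrypt(p, rk, blk);
    return (blk[0] << p->n) | blk[1];
}

/* Encrypt then decrypt a constructed block under every variant; returns failures. */
int speck_roundtrip_failures(void)
{
    static const uint64_t key[4] = {0x0123456789abcdefULL, 0x0f1e2d3c4b5a6978ULL,
                                    0x1122334455667788ULL, 0x99aabbccddeeff00ULL};
    int bad = 0;
    for (unsigned v = 0; v < 10; v++) {
        const speck_params *p = &SPECK_VARIANTS[v];
        uint64_t rk[SPECK_MAX_ROUNDS];
        uint64_t pt[2] = {0x0011223344556677ULL & mask(p->n), 0x8899aabbccddeeffULL & mask(p->n)};
        uint64_t blk[2] = {pt[0], pt[1]};
        speck_expand_key(p, key, rk);
        speck_encrypt(p, rk, blk);
        speck_decrypt(p, rk, blk);
        bad += (blk[0] != pt[0] || blk[1] != pt[1]);
    }
    return bad;
}

int main(void)
{
    printf("Speck32/64  %08llx\n", (unsigned long long)
           speck_encrypt_packed(&SPECK_VARIANTS[0], KAT_KEY_32_64, 0x6574, 0x694c));
    printf("Speck64/128 %016llx\n", (unsigned long long)
           speck_encrypt_packed(&SPECK_VARIANTS[4], KAT_KEY_64_128, 0x3b726574, 0x7475432d));
    printf("round-trip failures: %d\n", speck_roundtrip_failures());
    return 0;
}
```

The whole cipher, key schedule included, is one five-line round function applied repeatedly, and nothing in it needs a table in memory.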


IDEA [114], designed by Lai and Massey, makes use of a 128-bit key on 64-bit input to perform 8.5 iterations, mainly used for high-speed networks [115]. It uses 16-bit unsigned integers and performs data operations such as XOR, addition and modular multiplication without using an S-box or P-box. It is known for its best performance on embedded systems (such as PGP v2.0) with memory needs of 596 bytes at a throughput of 94.8 Kb/s (the smallest software version) [116].

HIGHT [117], an ultra-lightweight algorithm, processes 64-bit data using a 128-bit key for 32 iterations. It performs a compact round function (no S-boxes) using simple computational operations. The most compact version requires 2608 GE for 188 Kbps throughput [118].

BEST-1 [119], an ultra-lightweight cipher, targets Wireless Sensor Networks and RFID tags. It takes 64-bit input with a 128-bit key through 12 rounds on 8-bit processors, demanding 2200 GE. The core functions of BEST-1 are mod 2^8 addition and subtraction, bitwise shift and XOR.

LEA [120] is a software-oriented cipher and was introduced by the ETRIK for 32-bit common processors. It processes 128-bit input to perform 24, 28 and 32 iterations using 128-bit, 192-bit and 256-bit keys, respectively. On the ARM platform, LEA performs 326.94 cycles/byte with a storage demand of 590 bytes (code) and 32 bytes for execution. The most compact version requires 3826 GE for 76.19 Mbps throughput [121].

5) NONLINEAR-FEEDBACK SHIFT REGISTER (NLFSR)

With a focus on the automobile industry, KeeLoq [22] was designed by Gideon Kuhn for keyless authentication (remote access) in cars [122]. It takes 32-bit input with a 64-bit key to perform 528 rounds. Even though KeeLoq was developed in the '80s, the first cryptanalysis report was issued in February 2007 by Bogdanov [123].

The KATAN/KTANTAN [124] cipher family, inspired by KeeLoq, applies an 80-bit key on various block sizes (32-bit, 48-bit and 64-bit) through 254 iterations. They can be executed on small-scale hardware (KATAN 802 GE and KTANTAN 462 GE), as they are mainly designed for RFID tags and sensor networks. They follow a linear structure (LFSR) instead of the NLFSR of KeeLoq. KATAN has a very simple key scheduling compared to KeeLoq, whereas KTANTAN exhibits no key generation operations (reducing the GE requirement). As the key remains unchanged once initialized, the applications of KTANTAN are limited. KTANTAN-48 (588 GE) is more appropriate for RFID tags. In software, both show poor performance (low throughput and high energy consumption) due to overuse of bit manipulation [98].

Halka [125] performs well on both hardware and software. It takes 64-bit input with an 80-bit key to perform 24 iterations. The multiplicative inverse based S-boxes (8-bit) with LFSR make Halka more secure than PRESENT. It demands 138 GE (7% less GE than PRESENT) [125]. Also, the software performance is 3 times more efficient than PRESENT [125].

6) HYBRID

Hummingbird [126] is an ultra-lightweight algorithm that introduces a hybrid structure (block and stream). It takes 16-bit input with a 256-bit key to perform 20 iterations. It was vulnerable to several attacks [127].

Hummingbird-2 [128], designed for low-end microcontrollers, takes 64-bit input (initial vector) with a 128-bit key. It performs well on both platforms (hardware/software). It also satisfies the ISO 18000-6C protocol. It gives better performance compared to PRESENT (on 4-bit microcontrollers) but has a few drawbacks: 1) initialization is necessary before encryption (or decryption) due to its stream property; 2) the encryption and decryption functions differ, and because of that the full version is 70% heavier than encryption only. Moreover, its performance degrades while processing small messages.

PRESENT-GRP [35] works on 64-bit input with a 128-bit key to perform 31 iterations. It makes use of the substitution-permutation technique from PRESENT along with a group (GRP) operation for additional confusion properties (in replacement of the permutation table). The hardware implementation of PRESENT (1884 GE) is slightly better than PRESENT-GRP (2125 GE). Similarly, PRESENT is more efficient than PRESENT-GRP in software implementation too.

B. HARDWARE AND SOFTWARE PERFORMANCE COMPARISON

Various experiments have been carried out by many researchers using different platforms such as NXP [35], AVR [129] and ARM [35] micro-controllers to evaluate the performance of the popular lightweight cryptography algorithms [35], [38], [13], [40], [50], [83], [129], [130]. During these experiments, various characteristics such as area (GE), logic process (µm), power consumption (µW), throughput, RAM/ROM (bytes) requirements, latency (cycle/block), etc. have been compared for different lightweight cryptography algorithms in different circumstances (file types (C/C++, Java, Python), message size, etc.). Table 4 summarizes the hardware and software performance of the listed LWC algorithms evaluated on 0.09/0.13/0.18/0.35 µm technologies (hardware implementation) and on 8/16/32-bit micro-controllers (software implementation).

TABLE 4. Hardware and Software performances of LWC algorithms.

According to the graph (Figure 5), the software efficiency competition is won by SPECK, followed by SIMON and then PRIDE. Also, ITUbee, LEA, IDEA and AES show better software efficiency compared to the other LWC algorithms.

FIGURE 5. Software Efficient LWC algorithms (Top 10).

Memory (RAM and ROM) requirements of various LWC algorithms can be studied from the graph (Figure 6), which reveals the first ten most memory-efficient LWC algorithms. The competition is again won by SPECK and SIMON with less than 200 bytes of ROM and zero bytes of RAM requirement, closely followed by PRIDE.

FIGURE 6. Memory Efficient LWC algorithms (Top 10).

The other important software metrics, latency and throughput, are again led by SPECK and SIMON with the lowest latency (408 and 594 cycles/block) and the highest throughput (470.5 and 323 Kb/s), consistently followed by PRIDE. ITUbee and IDEA also secure their places in the list of the first ten performers (Figure 7).

FIGURE 7. Latency Efficient LWC algorithms (Top 10).

In terms of hardware efficiency, Midori is at the top of the list, followed by PICCOLO as runner-up with a minor difference from GOST. Figure 8 visualizes the first ten hardware efficient LWC algorithms.

FIGURE 8. Hardware Efficient LWC algorithms (Top 10).

SEA leads the key and block wise hardware efficiency competition with a very small block size (only 8-bit), followed by Hummingbird-2 with a double-size block (and the largest key in this top-10 list) and further by KATAN/KTANTAN with a 4 times bigger block compared to the leader (Figure 9). The list accommodates PRINT, EPCBC, SIMON/SPECK, PRESENT and RECTANGLE with either a 48-bit or 64-bit block along with an 80-bit or 96-bit key.

FIGURE 9. Key & Block size wise Hardware Efficient LWC algorithms (Top 10).

From the graph (Figure 10), we can say that KTANTAN demands the smallest area (462 GE) to implement, with a minor difference from PRINT (41 GE more). SPECK/SIMON appear in the top-5 list with needs of less than 900 GE. All of these performances are observed on either 0.13 µm or 0.18 µm technologies.

FIGURE 10. Physical Area wise Hardware Efficient LWC algorithms (Top 10).

In terms of energy consumption, Midori shows the lowest energy requirement (1.61µJ/bit), followed by Piccolo, PRINCE, TWINE and RECTANGLE with small differences amongst them (Figure 11).

FIGURE 11. Energy Efficient Hardware Efficient LWC algorithms (Top 10).

In summary, SIMON and SPECK shine by their most efficient software implementation but disappear from the top-10 list of hardware efficient LWC algorithms. Also, derived versions of AES such as PRESENT and derived lighter versions of DES such as DESL/DESLX, CLEFIA are widely recognised algorithms (by the standardising bodies) due to high-security reasons. Overall, none of the LWC algorithms meets all the efficiency metrics of the hardware and software requirements, and each shows distinct performance in different circumstances.

C. CRYPTANALYSIS OF LWC ALGORITHMS

Along with performance and cost, security is an important and essential measure for any lightweight cryptography algorithm. The attack resistance of any lightweight cryptography algorithm can be measured through cryptanalysis. Cryptanalysis aims at detecting algorithm vulnerabilities by attempting various attacks and decryption techniques [38]. The main 4 types of cryptanalysis on block ciphers are [38], [51], [53], [131]: Differential cryptanalysis, Linear cryptanalysis, Integral cryptanalysis and Algebraic cryptanalysis. Differential cryptanalysis is an analysis of outputs against various inputs. The special types are higher-order, truncated, impossible and boomerang. Linear cryptanalysis postulates a linear approximation based on the piling-up lemma principle (introduced by Mitsuru Matsui) between plaintext, ciphertext and key by characters or individual bits. Integral cryptanalysis is especially pertinent to block ciphers with substitution-permutation networks. It is also documented under two other names, Square attack and saturation attack. Algebraic cryptanalysis is based on equation-solving algorithms and has been proven effective on lightweight versions due to their simple structure (fewer rounds with less algebraic complexity).

These cryptanalyses are based on Ciphertext only, Known plaintext, Chosen plaintext and Chosen ciphertext along with MITM, Brute force and side channel. Differential Fault Attacks, a type of side-channel attack, analyze the internal structure and find an exploitable place to attack the algorithm [132], [133]. Table 5 demonstrates the security analysis of various LWC algorithms in a grid form. The study shows that almost all existing lightweight block cipher solutions suffer from various attacks, especially the related-key attack, followed by various differential and MITM attacks. Moreover, the lighter versions (with reduced rounds) are more vulnerable to various attacks compared to their standard ones.

TABLE 5. Security Analysis of LWC Algorithms.

D. STANDARDIZATION OF LWC ALGORITHMS

The organizations/research groups that are actively contributing in the field of cryptography to improve the lightweight standards for resource-constrained devices are as follows:
• National Institute of Standards and Technology, USA (NIST)
• International Organization of Standardization and the International Electrotechnical Commission (ISO/IEC)
• Cryptography Research and Evaluation Committees, Japan (Cryptrec)
• European Network of Excellence in Cryptology (Ecrypt)
• National Security Agency of USA (NSA)
• CryptoLUX (University of Luxembourg)

PRESENT [51] and CLEFIA [106] are the only two algorithms approved by the ISO/IEC 29192 standard, whereas AES, CLEFIA, TDES, Camellia, PRESENT, PRINCE, Piccolo, LED, TWINE, SIMON & SPECK and Midori are targeted by Cryptrec.

E. REAL-TIME USE CASES: APPLICATIONS & THEIR LIGHTWEIGHT DEMANDS

The wide range of IoT applications in various fields creates the demand for lightweight cryptography algorithms with different requirements [174]. Smart home appliances such as smart TVs, smart fridges, smart kettles, smart bulbs, etc., demand small memory and small processing. The best-suited algorithms in this scenario are SIMON, SPECK, PICCOLO and TWINE. Due to tiny physical space and little or no power backup in RFID tags, SIMON, SPECK, Piccolo and PRINCE are the best options for logistics applications. Nowadays, smart agriculture is an emerging field that demands compact implementation, fewer processing cycles and little power consumption with plenty of sensors in a remote location. SIMON, SPECK, PRESENT and TWINE fulfil the requirements of smart agriculture. A person under medical treatment in a hospital or at a residence could be monitored for pulse count, level of pressure, sugar and oxygen in the blood using IoT sensors, where security and privacy of the transmitted data are crucial along with tiny circuitry, little processing power, limited batteries (in case of an implanted device) and quick response time. In this constrained environment, SIMON, SPECK, PICCOLO, PRESENT and Midori are the best-suited solutions to secure the communication in health care applications due to their overall compact hardware and software implementation, matching a real-time response during in-body and/or out-body (wearable) implantation. In industrial systems (Industry 4.0), sensors could be attached to equipment at various places (not easily accessed by the operators) to transmit the data wirelessly over specific distances. In this setting, real-time processing is the key element along with adequate security (without bothering about energy consumption). Midori and PRINCE show the best performance in such a demanding scenario. In an era of 5G technology, the automobile industry demands not only in-vehicle communication but also communication with infrastructure such as traffic signals and road signs (V2X). This communication demands a prompt response (low latency) on tiny circuitry with high security. Midori, PRINCE, PRESENT and SIMON are the right choices for the auto industry. Keeloq is another powerful LWC algorithm for secure remote keyless entry in cars and buildings [171].

IV. OPEN RESEARCH CHALLENGES AND RESEARCH DIRECTIONS

The ideal algorithm should maintain a proper balance among cost, performance and security (Figure 12). Any two of these three can be easily optimized, whereas achieving all of these together is challenging [38]. For example, an increasing number of rounds [131] or key size results in degradation of algorithm performance. These could be achieved by a design focus on lower memory and computing power requirements, leading to a lower Gate Equivalent (physical area) requirement along with low power (energy) consumption without compromising strong security [35]. Based on the above study, we have identified the following research issues, which require further attention to make the LWC algorithms effective in IoT security:

FIGURE 12. Cost, Performance and Security.

1) One of the two fundamental properties of cryptography, confusion, could be achieved by choosing an efficient and adequate number of S-boxes to demonstrate a proper balance between performance and security [78]. So designing simple and fast but strong confusion (Substitution, S-box) and diffusion (Bit Permutation) properties with the right balance amongst cost, performance and security is of practical interest, e.g., how to reduce the number of S-boxes, as they increase the demands for memory (to store) and computing power (to produce), while maintaining the same security level? (Motivation: PRESENT is designed from AES and replaces eight S-boxes with just one. Similarly, many researchers have derived the lighter versions from the standard cryptography algorithms with a few modifications by reducing substitution-permutation (counter-effect on security level).) But how to replace S-boxes with some other confusion techniques with the same level of security and less overhead of memory and processing cost is still an open problem.
2) Making key scheduling lighter with smaller key size and adequate strength, i.e., how to generate random sub-keys from the provided initial key for all n rounds?
3) An increase in the number of rounds adversely affects the performance and cost, i.e., how to decrease (or increase) the number of rounds without compromising performance as well as security level?

We are currently working on substitution-permutation methods with the main focus on the S-box to design a generic lightweight cryptography algorithm, with the right blend of three main characteristics, namely cost, performance and security.

V. CONCLUSION

Due to the exponential growth in the number of IoT devices in various domains, IoT security is one of the main concerns. As a consequence, there is a need for lightweight algorithm(s) with trade-offs amongst cost, performance and security. For resource-constrained IoT devices, lightweight cryptography is an effective way to secure communication by transforming the data. The well-defined LWC characteristics (cost, performance and security) by NIST are compared, and further research gaps and open research challenges are highlighted in this paper. From the literature review, PRESENT and CLEFIA are the approved block ciphers by NIST due to security reasons along with accepted performance and cost.
On the other side, SIMON and SPECK impress by their most compact implementations. In general, none of the LWC algorithms fulfils all the criteria of hardware and software performance metrics, but each performs at its best in the specified environment. However, new attacks are reported with the growth of new LWC algorithms, which is an inevitable and never-ending process. The war between cybersecurity experts and attackers always opens a door of opportunities for new research in the field of cybersecurity, especially lightweight cryptography.

REFERENCES
[1] G. Kortuem, F. Kawsar, V. Sundramoorthy, and D. Fitton, "Smart objects as building blocks for the Internet of Things," IEEE Internet Comput., vol. 14, no. 1, pp. 44–51, Jan. 2010.
[2] N. P. Moldón, "Security in IoT ecosystems," Univ. Oberta de Catalunya (UOC), Barcelona, Spain, Tech. Rep. 10609/97707, 2016. [Online]. Available: http://hdl.handle.net/10609/97707
[3] E. Brown, 21 Open Source Projects For IoT, vol. 23. Linux.com, 2016. [Online]. Available: https://www.linux.com/news/21-open-source-projects-iot/
[4] S. Charmonman and P. Mongkhonvanit, "Internet of Things in E-business," in Proc. 10th Int. Conf. E-Bus. King Mongkut's Univ. Technol. Thonburi, 2015, pp. 1–9.
[5] (Aug. 2015). The Trouble With the Internet of Things. [Online]. Available: https://data.london.gov.uk/blog/the-trouble-with-the-internet-of-things
[6] K. McKay, L. Bassham, M. S. Turan, and N. Mouha, Report on Lightweight Cryptography (Nistir8114). Gaithersburg, MD, USA: NIST, 2017.
[7] B. J. Mohd and T. Hayajneh, "Lightweight block ciphers for IoT: Energy optimization and survivability techniques," IEEE Access, vol. 6, pp. 35966–35978, 2018.
[8] A. Banafa, "Three major challenges facing IoT," IEEE IoT Newslett., Mar. 2017. [Online]. Available: https://iot.ieee.org/newsletter/march-2017/three-major-challenges-facing-iot.html
[9] S. Singh, P. K. Sharma, S. Y. Moon, and J. H. Park, "Advanced lightweight encryption algorithms for IoT devices: Survey, challenges and solutions," J. Ambient Intell. Hum. Comput., vol. 4, pp. 1–18, May 2017.
[10] W. Feng, Y. Qin, S. Zhao, and D. Feng, "AAoT: Lightweight attestation and authentication of low-resource things in IoT and CPS," Comput. Netw., vol. 134, pp. 167–182, Apr. 2018.
[11] B. J. Mohd, T. Hayajneh, and A. V. Vasilakos, "A survey on lightweight block ciphers for low-resource devices: Comparative study and open issues," J. Netw. Comput. Appl., vol. 58, pp. 73–93, Dec. 2015.
[12] O. Toshihiko, "Lightweight cryptography applicable to various IoT devices," NEC Tech. J., vol. 12, no. 1, pp. 67–71, 2017.
[13] A. Biryukov and L. P. Perrin, "State of the art in lightweight symmetric cryptography," Univ. Luxembourg Library, Esch-sur-Alzette, Luxembourg, Tech. Rep. 10993/31319, 2017. [Online]. Available: https://orbilu.uni.lu/handle/10993/31319
[14] Z. Sheng, S. Yang, Y. Yu, A. Vasilakos, J. Mccann, and K. Leung, "A survey on the ietf protocol suite for the Internet of Things: Standards, challenges, and opportunities," IEEE Wireless Commun., vol. 20, no. 6, pp. 91–98, Dec. 2013.
[15] L. Wen, M. Wang, A. Bogdanov, and H. Chen, "Multidimensional zero-correlation attacks on lightweight block cipher HIGHT: Improved cryptanalysis of an ISO standard," Inf. Process. Lett., vol. 114, no. 6, pp. 322–330, Jun. 2014.
[16] D. Khovratovich, G. Leurent, and C. Rechberger, "Narrow-bicliques: Cryptanalysis of full idea," in Proc. 31st Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, Apr. 2012, pp. 392–410. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-642-29011-4_24
[17] E. Biham, O. Dunkelman, and N. Keller, "A related-key rectangle attack on the full KASUMI," in Proc. 11th Int. Conf. Theory Appl. Cryptol. Inf. Secur. Berlin, Germany: Springer, Dec. 2005, pp. 443–461. [Online]. Available: https://link.springer.com/chapter/10.1007/11593447_24
[18] T. Saito, "A single-key attack on 6-round KASUMI," in Proc. IACR, Dec. 2011, p. 584.
[19] M. Ågren, "Some instant-and practical-time related-key attacks on ktantan32/48/64," in Proc. 18th Int. Workshop Sel. Areas Cryptogr. (SAC). Berlin, Germany: Springer-Verlag, Aug. 2011, pp. 213–229. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-642-28496-0_13
[20] A. Bogdanov, "Cryptanalysis of the KeeLoq block cipher," in Proc. IACR, 2007, p. 55.
[21] N. T. Courtois, G. V. Bard, and D. Wagner, "Algebraic and slide attacks on Keeloq," in Proc. 15th Int. Workshop Fast Softw. Encryption (FSE). Berlin, Germany: Springer, Feb. 2008, pp. 97–115.
[22] S. Indesteege, N. Keller, O. Dunkelman, E. Biham, and B. Preneel, "A practical attack on Keeloq," in Proc. 27th Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, Apr. 2008, pp. 1–18. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-540-78967-3_1
[23] M. Walter, S. Bulygin, and J. Buchmann, "Optimizing guessing strategies for algebraic cryptanalysis with applications to EPCBC," in Proc. 8th Int. Conf. Inf. Secur. Cryptol. Berlin, Germany: Springer, Nov. 2012, pp. 175–197. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-642-38519-3_12
[24] X.-J. Zhao, T. Wang, and Y. Zheng, "Cache timing attacks on camellia block cipher," in Proc. IACR, 2009, p. 354.
[25] K. Jeong, C. Lee, and J. I. Lim, "Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks," EURASIP J. Wireless Commun. Netw., vol. 2013, no. 1, p. 151, Dec. 2013.
[26] H. Yoshikawa, M. Kaminaga, A. Shikoda, and T. Suzuki, "Secret key reconstruction method using round addition dfa on lightweight block cipher lblock," in Proc. Int. Symp. Inf. Theory Appl., 2014, pp. 493–496.
[27] Y. Kim and H. Yoon, "First experimental result of power analysis attacks on a FPGA implementation of LEA," in Proc. IACR, 2014, p. 999.
[28] K. Jeong, H. Kang, C. Lee, J. Sung, and S. Hong, "First experimental result of power analysis attacks on a FPGA implementation of LEA," in Proc. IACR, 2012, p. 621.
[29] H. AlKhzaimi and M. M. Lauridsen, "Cryptanalysis of the Simon family of block ciphers," in Proc. IACR, 2013, p. 543.
[30] R. Rabbaninejad, Z. Ahmadian, M. Salmasizadeh, and M. R. Aref, "Cube and dynamic cube attacks on SIMON32/64," in Proc. 11th Int. ISC Conf. Inf. Secur. Cryptol., Sep. 2014, pp. 98–103.
[31] F. Abed, E. List, S. Lucks, and J. Wenzel, "Differential and linear cryptanalysis of reduced-round Simon," Citeseer, Cryptol. ePrint Arch., Tech. Rep. 2013/526, 2013. [Online]. Available: https://eprint.iacr.org/2013/526.pdf
[32] I. Bhardwaj, A. Kumar, and M. Bansal, "A review on lightweight cryptography algorithms for data security and authentication in IoTs," in Proc. 4th Int. Conf. Signal Process., Comput. Control (ISPCC), Sep. 2017, pp. 504–509.
[33] W. Diehl, F. Farahmand, P. Yalla, J.-P. Kaps, and K. Gaj, "Comparison of hardware and software implementations of selected lightweight block ciphers," in Proc. 27th Int. Conf. Field Program. Log. Appl. (FPL), Sep. 2017, pp. 1–4.
[34] N. Hanley and M. ONeill, "Hardware comparison of the ISO/IEC 29192-2 block ciphers," in Proc. IEEE Comput. Soc. Annu. Symp., Aug. 2012, pp. 57–62.
[35] G. Bansod, N. Raval, and N. Pisharoty, "Implementation of a new lightweight encryption design for embedded security," IEEE Trans. Inf. Forensics Security, vol. 10, no. 1, pp. 142–151, Jan. 2015.
[36] S. Kerckhof, F. Durvaux, C. Hocquet, D. Bol, and F.-X. Standaert, "Towards green cryptography: A comparison of lightweight ciphers from the energy viewpoint," in Proc. 14th Int. Workshop Cryptograph. Hardw. Embedded Syst. Berlin, Germany: Springer, Sep. 2012, pp. 390–407. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-642-33027-8_23
[37] A. Shah and M. Engineer, "A survey of lightweight cryptographic algorithms for iot-based applications," in Proc. Smart Innov. Commun. Comput. Sci. Singapore: Springer, 2019, pp. 283–293, doi: 10.1007/978-981-13-2414-7.
[38] S. Sallam and B. D. Beheshti, "A survey on lightweight cryptographic algorithms," in Proc. IEEE Region Conf., Oct. 2018, pp. 1784–1789.
[39] C. G. Thorat and V. S. Inamdar, "Implementation of new hybrid lightweight cryptosystem," Appl. Comput. Informat., vol. 16, nos. 1–2, pp. 195–206, May 2018.
[40] G. Hatzivasilis, K. Fysarakis, I. Papaefstathiou, and C. Manifavas, "A review of lightweight block ciphers," J. Cryptograph. Eng., vol. 8, no. 2, pp. 141–184, 2018.
[41] K. Mohajerani, R. Haeussler, R. Nagpal, F. Farahmand, A. Abdulgadir, J.-P. Kaps, and K. Gaj. (2020). FPGA Benchmarking of Round 2 Candidates in the Nist Lightweight Cryptography Standardization Process: Methodology, Metrics, Tools, and Results. [Online]. Available: https://eprint.iacr.org/2020/1207
[42] C. L. C. W. Group et al., "Creptrec cryptographic technology guideline (lightweight cryptography)," CRYPTREC, Japan, Tech. Rep., Mar. 2017. [Online]. Available: https://www.cryptrec.go.jp/en/tech_guidelines.html
[43] Lightweight Cryptography|CSRC. Accessed: Oct. 30, 2020. [Online]. Available: https://csrc.nist.gov/projects/lightweight-cryptography
[44] A. Juels and S. A. Weis, "Authenticating pervasive devices with human protocols," in Proc. 25th Annu. Int. Cryptol. Conf. Berlin, Germany: Springer, Aug. 2005, pp. 293–308. [Online]. Available: https://link.springer.com/chapter/10.1007/11535218_18
[45] W. J. Okello, Q. Liu, F. A. Siddiqui, and C. Zhang, "A survey of the current state of lightweight cryptography for the Internet of Things," in Proc. Int. Conf. Comput., Inf. Telecommun. Syst. (CITS), Jul. 2017, pp. 292–296.
[46] W. Stallings. (2017). Cryptography and Network Security: Principles and Practice. [Online]. Available: https://www.pearson.com/us/higher-education/product/Stallings-Cryptography-and-Network-Security-Principles-and-Practice-6th-Edition/9780133354690.html
[47] T. Suzaki and K. Minematsu, "Improving the generalized feistel," in Proc. 17th Int. Workshop Fast Softw. Encryption. Berlin, Germany: Springer, Feb. 2010, pp. 19–39. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-642-13858-4_2
[48] S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, T. Akishita, and F. Regazzoni, "Midori: A block cipher for low energy," in Proc. 21st Int. Conf. Theory Appl. Cryptol. Inf. Secur., Part II. Berlin, Germany: Springer, Nov./Dec. 2015, pp. 411–436. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-662-48800-3_17
[49] N. Pub, "197: Advanced encryption standard (AES)," Federal Inf. Process. Standards, vol. 197, no. 441, p. 0311, 2001.
[50] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang, "Pushing the limits: A very compact and a threshold implementation of AES," in Proc. 30th Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, May 2011, pp. 69–88. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-642-20465-4_6
[51] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. Robshaw, Y. Seurin, and C. Vikkelsoe, "Present: An ultra-lightweight block cipher," in Proc. 9th Int. Workshop Cryptograph. Hardw. Embedded Syst. Berlin, Germany: Springer, Sep. 2007, pp. 450–466. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-540-74735-2_31
[59] C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, and S. M. Sim, "The skinny family of block ciphers and its low-latency variant mantis," in Proc. 36th Annu. Int. Cryptol. Conf., Part II. Berlin, Germany: Springer, Aug. 2016, pp. 123–153. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-662-53008-5_5
[60] T. Suzaki, K. Minematsu, S. Morioka, and E. Kobayashi, "Twine: A lightweight, versatile block cipher," in Proc. ECRYPT Workshop Lightw. Cryptogr., 2011, pp. 1–5.
[61] S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, and T. Akishita, "Regaz Zoni, F.: Midori: A block cipher for low energy (extended version)," Cryptol. ePrint Arch., Tech. Rep. 2015/1142, 2015. [Online]. Available: https://eprint.iacr.org/2015/1142.pdf
[62] C. H. Lim and T. Korkishko, "mCrypton—A lightweight block cipher for security of low-cost RFID tags and sensors," in Proc. Int. Workshop Inf. Secur. Appl. Berlin, Germany: Springer, 2005, pp. 243–258.
[63] C. H. Lim, "A revised version of crypton: Crypton V1. 0," in Proc. Int. Workshop Fast Softw. Encryption. Berlin, Germany: Springer, 1999, pp. 31–45.
[64] J. Daemen, M. Peeters, G. Assche, and V. Rijmen, "The Noekeon block cipher," in Proc. 1st Open NESSIE Workshop, 2000, pp. 1–5.
[65] L. Knudsen and H. Raddum, "On Noekeon. Public reports of the Nessie project. Report: NES," New Eur. Schemes Signatures, Integrity Encryption (NESSIE Project), NES Rep. DOC/UIB/WP3/009/1, 2001. [Online]. Available: https://www.cosic.esat.kuleuven.be/nessie/reports/phase1/uibwp3-009.pdf
[66] F.-X. Standaert, G. Piret, G. Rouvroy, J.-J. Quisquater, and J.-D. Legat, "ICEBERG: An involutional cipher efficient for block encryption in reconfigurable hardware," in Proc. Int. Workshop Fast Softw. Encryption. Berlin, Germany: Springer, 2004, pp. 279–298.
[67] H. Cheng and H. M. Heys, "Compact ASIC implementation of the ICEBERG block cipher with concurrent error detection," in Proc. IEEE Int. Symp. Circuits Syst., May 2008, pp. 2921–2924.
[68] C. Wang and H. M. Heys, "An ultra compact block cipher for serialized architecture implementations," in Proc. Can. Conf. Electr. Comput. Eng., May 2009, pp. 1085–1090.
[69] H. Cheng, H. M. Heys, and C. Wang, "PUFFIN: A novel compact block cipher targeted to embedded digital systems," in Proc. 11th EUROMICRO Conf. Digit. Syst. Design Archit., Methods Tools, 2008, pp. 383–390.
[70] M. R. Albrecht, B. Driessen, E. B. Kavun, G. Leander, C. Paar, and T. Yalçın, "Block ciphers–focus on the linear layer (feat. pride)," in Proc. Annu. Cryptol. Conf. Cham, Switzerland: Springer, 2014, pp. 57–76.
[71] J. Borgho et al., "PRINCE—A low-latency block cipher for pervasive computing applications," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. (ASIACRYPT), Adv. Cryptol. Springer, 2012, pp. 208–225. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-642-34961-4_14
[72] L. Batina, A. Das, B. Ege, E. B. Kavun, N. Mentens, C. Paar,
[52] C. Rolfes, A. Poschmann, G. Leander, and C. Paar, ‘‘Ultra-lightweight I. Verbauwhede, and T. and Yalçın, ‘‘Dietary recommendations for
implementations for smart devices-security for 1000 gate equivalents,’’ lightweight block ciphers: Power, energy and area analysis of recently
in Proc. 8th IFIP WG 8.8/11.2 Int. Conf. Smart Card Res. Adv. Appl. developed architectures,’’ in Proc. Int. Workshop Radio Freq. Identificat.,
Berlin, Germany: Springer, Sep. 2008, pp. 89–103. [Online]. Available: Secur. Privacy Issues. Berlin, Germany: Springer, 2013, pp. 103–112.
https://link.springer.com/chapter/10.1007/978-3-540-85893-5_7
[73] L. Knudsen, G. Leander, A. Poschmann, and M. Robshaw,
[53] W. Zhang, Z. Bao, D. Lin, V. Rijmen, B. Yang, and I. Verbauwhede, ‘‘Printcipher: A block cipher for IC-printing,’’ in Proc. Int. Workshop
‘‘RECTANGLE: A bit-slice lightweight block cipher suitable for multiple Cryptograph. Hardw. Embedded Syst. (CHES). Springer, 2010,
platforms,’’ Sci. China Inf. Sci., vol. 58, no. 12, pp. 1–15, Dec. 2015. pp. 16–32. [Online]. Available: https://link.springer.com/chapter/10.1007/
[54] S. Banik, S. K. Pandey, T. Peyrin, Y. Sasaki, S. Sim, and Y. Todo. (2007). 978-3-642-15031-9_2
Gift: A Small Present Towards Reaching the Limit of Lightweight Encryp- [74] Z. Gong, S. Nikova, and Y. W. Law, ‘‘KLEIN: A new family of
tion (Full Version). [Online]. Available: https://infoscience.epfl.ch/record lightweight block ciphers,’’ in Proc. Int. Workshop Radio Freq. Identi-
[55] S. Banik, A. Chakraborti, T. Iwata, K. Minematsu, M. Nandi, T. Peyrin, ficat., Secur. Privacy Issues. Berlin, Germany: Springer, 2011, pp. 1–18.
Y. Sasaki, S. M. Sim, and Y. Todo, ‘‘GIFT-COFB,’’ Submission Round, [75] J. Guo, T. Peyrin, A. Poschmann, and M. Robshaw, ‘‘The LED block
vol. 1, p. 29, Mar. 2019. cipher,’’ in Proc. Int. workshop Cryptograph. Hardw. Embedded Syst.
Berlin, Germany: Springer, 2011, pp. 326–341.
[56] Y. Liu and Y. Sasaki, ‘‘Related-key boomerang attacks on gift
[76] J. Guo, T. Peyrin, and A. Poschmann, ‘‘The PHOTON family of
with automated trail search including bct effect,’’ in Proc.
lightweight hash functions,’’ in Proc. Annu. Cryptol. Conf. Berlin,
24th Australas. Conf. Inf. Secur. Privacy (ACISP). Cham,
Germany: Springer, 2011, pp. 222–239.
Switzerland: Springer, Jul. 2019, pp. 555–572. [Online]. Available:
[77] E. Biham, ‘‘New types of cryptanalytic attacks using related keys,’’
https://link.springer.com/chapter/10.1007/978-3-030-21548-4_30
J. Cryptol., vol. 7, no. 4, pp. 229–246, Dec. 1994.
[57] C. A. Lara-Nino, A. Diaz-Perez, and M. Morales-Sandoval, ‘‘FPGA- [78] G. Piret, T. Roche, and C. Carlet, ‘‘Picaro—A block cipher allowing
based assessment of Midori and GIFT lightweight block ciphers,’’ efficient higher-order side-channel resistance,’’ in Proc. Int. Conf. Appl.
in Proc. 20th Int. Conf. Inf. Commun. Secur. (ICICS) Cham, Cryptogr. Netw. Secur. Berlin, Germany: Springer, 2012, pp. 311–328.
Switzerland: Springer, Oct. 2018, pp. 745–755. [Online]. Available: [79] B. Gérard, V. Grosso, M. Naya-Plasencia, and F.-X. Standaert, ‘‘Block
https://link.springer.com/chapter/10.1007/978-3-030-01950-1_45 ciphers that are easier to mask: How far can we go?’’ in Proc. Int. Work-
[58] A. Adomnicai, Z. Najm, and T. Peyrin, ‘‘Fixslicing: A new gift represen- shop Cryptograph. Hardw. Embedded Syst. Berlin, Germany: Springer,
tation,’’ in Proc. IACR, 2020, p. 412. 2013, pp. 383–399.

28190 VOLUME 9, 2021


V. A. Thakor et al.: Lightweight Cryptography Algorithms for Resource-Constrained IoT Devices

[80] H. Yap, K. Khoo, A. Poschmann, and M. Henricksen, ‘‘EPCBC—A block [102] W. Wu and L. Zhang, ‘‘LBlock: A lightweight block cipher,’’ in Proc.
cipher suitable for electronic product code encryption,’’ in Proc. Int. Conf. Int. Conf. Appl. Cryptogr. Netw. Secur. Berlin, Germany: Springer, 2011,
Cryptol. Netw. Secur. Berlin, Germany: Springer, 2011, pp. 76–97. pp. 327–344.
[81] M. R. Z’aba, N. Jamil, M. E. Rusli, M. Z. Jamaludin, and A. A. M. Yasir, [103] A. Poschmann, S. Ling, and H. Wang, ‘‘256 bit standardized crypto for
‘‘I-PRESENT: An involutive lightweight block cipher,’’ J. Inf. Secur., 650 GE–GOST revisited,’’ in Proc. Int. Workshop Cryptograph. Hardw.
vol. 2014, p. 25, Jul. 2014. Embedded Syst. Berlin, Germany: Springer, 2010, pp. 219–233.
[82] A. Poschmann, G. Leander, K. Schramm, and C. Paar, ‘‘New light-weight [104] F. Karakoç, H. Demirci, and A. E. Harmancı ‘‘ITUbee: A software ori-
crypto algorithms for RFID,’’ in Proc. IEEE Int. Symp. Circuits Syst., ented lightweight block cipher,’’ in Proc. Int. Workshop Lightw. Cryptogr.
May 2007, pp. 1843–1846. Secur. Privacy. Berlin, Germany: Springer, 2013, pp. 16–27.
[83] T. Eisenbarth, S. Kumar, C. Paar, A. Poschmann, and L. Uhsadel, [105] M. Kumar, S. K. Pal, and A. Panigrahi, ‘‘Few: A lightweight block
‘‘A survey of lightweight-cryptography implementations,’’ IEEE Des. cipher,’’ Turkish J. Math. Comput. Sci., vol. 11, no. 2, pp. 58–73, 2014.
Test. Comput., vol. 24, no. 6, pp. 522–533, Nov. 2007. [106] T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata, ‘‘The 128-bit
[84] P. Kumarkushwaha, M. P. Singh, and P. Kumar, ‘‘A survey on lightweight blockcipher CLEFIA (extended abstract),’’ in Fast Software Encryption
block ciphers,’’ Int. J. Comput. Appl., vol. 96, no. 17, pp. 1–7, (FSE) (Lecture Notes in Computer Science), vol. 4593. Springer, 2007.
Jun. 2014. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-
[85] M. Appel, A. Bossert, S. Cooper, T. Kußmaul, J. Löffler, 540-74619-5_12
C. Pauer, and A. Wiesmaier, ‘‘Block ciphers for the IoT-SIMON, [107] T. Akishita and H. Hiwatari, ‘‘Very compact hardware implementations
SPECK, KATAN, LED, TEA, PRESENT, and SEA compared,’’ of the blockcipher CLEFIA,’’ in Proc. Int. Workshop Sel. Areas Cryptog-
Tech. Univ. Darmstadt, Darmstadt, Germany, Tech. Rep., 2016. raphy. Berlin, Germany: Springer, 2011, pp. 278–292.
[Online]. Available: http://download.mmag.hrz.tu-darmstadt.de/media/ [108] C. Tezcan, ‘‘The improbable differential attack: Cryptanalysis of reduced
FB20/Dekanat/Publikationen/CDC/2016-09-05_TR_ round CLEFIA,’’ in Proc. Int. Conf. Cryptol. India. Berlin, Germany:
SimonSpeckKatanLedTeaPresentSea.pdf Springer, 2010, pp. 197–209.
[86] B. Andrews, S. Chapman, and S. Dearstyne, ‘‘Tiny encryption algo- [109] J. Hosseinzadeh and M. Hosseinzadeh, ‘‘A comprehensive survey on
rithm (TEA) cryptography 4005.705. 01 graduate team ACD final evaluation of lightweight symmetric ciphers: Hardware and software
report,’’ Rochester Inst. Technol., Rochester, NY, USA, Tech. Rep. implementation,’’ Adv. Comput. Sci., Int. J., vol. 5, no. 4, pp. 31–41, 2016.
33695183, 2020. [Online]. Available: https://www.coursehero.com/file/ [110] K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, and T. Shirai,
33695183/TEApdf/ ‘‘Piccolo: An ultra-lightweight blockcipher,’’ in Proc. Int. Workshop
[87] P. Israsena and S. Wongnamkum, ‘‘Hardware implementation of a TEA- Cryptograph. Hardw. Embedded Syst. Berlin, Germany: Springer, 2011,
based lightweight encryption for RFID security,’’ in RFID Security. pp. 342–357.
Boston, MA, USA: Springer, 2008, pp. 417–433. [111] S. K. Ojha, ‘‘TWIS—A lightweight block cipher,’’ in Proc. Int. Conf. Inf.
[88] D. Williams, ‘‘The tiny encryption algorithm (TEA),’’ Netw. Secur., Syst. Secur. Berlin, Germany: Springer, 2009, pp. 280–291.
vol. 26, pp. 1–14, Apr. 2008. [112] B. Su, W. Wu, L. Zhang, and Y. Li, ‘‘Full-round differential attack on
[89] G. Sekar, N. Mouha, V. Velichkov, and B. Preneel, ‘‘Meet-in-the-middle TWIS block cipher,’’ in Proc. Int. Workshop Inf. Secur. Appl. Berlin,
attacks on reduced-round XTEA,’’ in Proc. Cryptograph. Track RSA Germany: Springer, 2010, pp. 234–242.
Conf. Berlin, Germany: Springer, 2011, pp. 250–267. [113] S. S. M. AlDabbagh, I. F. T. Al Shaikhli, and M. A. Alahmad, ‘‘HISEC:
[90] J.-P. Kaps, ‘‘Chai-tea, cryptographic hardware implementations of A new lightweight block cipher algorithm,’’ in Proc. 7th Int. Conf. Secur.
XTEA,’’ in Proc. Int. Conf. Cryptol. India. Berlin, Germany: Springer, Inf. Netw., 2014, pp. 151–156.
2008, pp. 363–375. [114] X. Lai and J. Massey, ‘‘A proposal for a new block encryption standard,’’
[91] J. Lu, ‘‘Related-key rectangle attack on 36 rounds of the XTEA block in Proc. Workshop Theory Appl. Cryptograph. Techn., 1991, pp. 389–404
cipher,’’ Int. J. Inf. Secur., vol. 8, no. 1, pp. 1–11, Feb. 2009. [115] O. Tigli, ‘‘Area efficient ASIC implementation of IDEA (international
[92] D. J. Wheeler and R. M. Needham, Correction to XTEA. Cambridge, data encryption standard),’’ Best Des. ASIC Implement. IDEA, GMU,
U.K.: Cambridge Univ. Press, 1998. 2003.
[93] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, [116] S. Mukherjee and B. Sahoo, ‘‘A survey on hardware implementation of
and T. Tokita, ‘‘Camellia: A 128-bit block cipher suitable for multiple IDEA cryptosystem,’’ Inf. Secur. J., Global Perspective, vol. 20, nos. 4–5,
platforms—Design and analysis,’’ in Proc. Int. Workshop Sel. Areas pp. 210–218, Jan. 2011.
Cryptogr. Berlin, Germany: Springer, 2000, pp. 39–56. [117] D. Hong, J. Sung, S. Hong, J. Lim, S. Lee, and B. Koo, ‘‘Hight: A new
[94] A. Satoh and S. Morioka, ‘‘Hardware-focused performance comparison block cipher suitable for low-resource device,’’ in Proc. Int. Workshop
for the standard block ciphers aes, camellia, and triple-des,’’ in Proc. Int. Cryptograph. Hardw. Embedded Syst. Berlin, Germany: Springer, 2006,
Conf. Inf. Secur. Berlin, Germany: Springer, 2003, pp. 252–266. pp. 46–59.
[95] R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and [118] Y.-I. Lim, J.-H. Lee, Y. You, and K.-R. Cho, ‘‘Implementation of HIGHT
L. Wingers, ‘‘The simon and speck families of lightweight block cryptic circuit for RFID tag,’’ IEICE Electron. Exp., vol. 6, no. 4,
ciphers,’’ IACR Cryptol. ePrint Arch., vol. 2013, no. 1, pp. 404–449, pp. 180–186, 2009.
2013. [119] J. John, ‘‘BEST-1: A light weight block cipher,’’ IOSR J. Comput. Eng.,
[96] F.-X. Standaert, G. Piret, N. Gershenfeld, and J.-J. Quisquater, ‘‘SEA: vol. 16, no. 2, pp. 91–95, 2014.
A scalable encryption algorithm for small embedded applications,’’ in [120] D. Hong, J.-K. Lee, D.-C. Kim, D. Kwon, K. H. Ryu, and D.-G. Lee,
Proc. Int. Conf. Smart Card Res. Adv. Appl. Berlin, Germany: Springer, ‘‘LEA: A 128-bit block cipher for fast encryption on common pro-
2006, pp. 222–236. cessors,’’ in Proc. Int. Workshop Inf. Secur. Appl. Cham, Switzerland:
[97] F. Mace and F. Standaert, ‘‘ASIC implementations of the block cipher sea Springer, 2013, pp. 3–27.
for constrained applications,’’ in Proc. 3rd Int. Conf. RFID Secur., 2007, [121] D. Lee, D.-C. Kim, D. Kwon, and H. Kim, ‘‘Efficient hardware imple-
pp. 103–114. mentation of the lightweight block encryption algorithm LEA,’’ Sensors,
[98] T. Eisenbarth, Z. Gong, T. Güneysu, and S. Heyse, ‘‘Compact implemen- vol. 14, no. 1, pp. 975–994, Jan. 2014.
tation and performance evaluation of block ciphers in attiny devices,’’ [122] N. Courtois, G. V. Bard, and D. A. Wagner, ‘‘Algebraic and slide attacks
in Proc. Int. Conf. Cryptol. Afr. Berlin, Germany: Springer, 2012, on KeeLoq,’’ in Proc. IACR, 2007, p. 62.
pp. 172–187. [123] A. Bogdanov, ‘‘Linear slide attacks on the KeeLoq block cipher,’’ in
[99] C. Rizzo and C. Brookson, Security for ICT-the Work of ETSI. Sophia Proc. Int. Conf. Inf. Secur. Cryptol. Berlin, Germany: Springer, 2007,
Antipolis, France: ETSI, 2009. pp. 66–80.
[100] A. Satoh and S. Morioka, ‘‘Small and high-speed hardware architectures [124] C. De Canniere, O. Dunkelman, and M. Knežević, ‘‘KATAN and
for the 3GPP standard cipher KASUMI,’’ in Proc. Int. Conf. Inf. Secur. KTANTAN—A family of small and efficient hardware-oriented block
Berlin, Germany: Springer, 2002, pp. 48–62. ciphers,’’ in Proc. Int. Workshop Cryptograph. Hardw. Embedded Syst.
[101] M. Izadi, B. Sadeghiyan, S. S. Sadeghian, and H. A. Khanooki, ‘‘MIBS: Berlin, Germany: Springer, 2009, pp. 272–288.
A new lightweight block cipher,’’ in Proc. Int. Conf. Cryptol. Netw. Secur. [125] S. Das, ‘‘Halka: A lightweight, software friendly block cipher using ultra-
Berlin, Germany: Springer, 2009, pp. 334–348. lightweight 8-bit s-box,’’ in Proc. IACR, 2014, p. 1104.

VOLUME 9, 2021 28191


V. A. Thakor et al.: Lightweight Cryptography Algorithms for Resource-Constrained IoT Devices

[126] D. Engels, X. Fan, G. Gong, H. Hu, and E. M. Smith, ‘‘Humming- [148] P. Zhang and W. Zhang, ‘‘Differential cryptanalysis on block cipher
bird: Ultra-lightweight cryptography for resource-constrained devices,’’ skinny with MILP program,’’ Secur. Commun. Netw., vol. 2018, pp. 1–11,
in Proc. Int. Conf. Financial Cryptogr. Data Secur. Berlin, Germany: Oct. 2018.
Springer, 2010, pp. 3–18. [149] J. Ge, Y. Xu, R. Liu, E. Si, N. Shang, and A. Wang, ‘‘Power attack and
[127] M.-J. O. Saarinen, ‘‘Cryptanalysis of hummingbird-1,’’ in Proc. Int. protected implementation on lightweight block cipher SKINNY,’’ in Proc.
Workshop Fast Softw. Encryption. Berlin, Germany: Springer, 2011, 13th Asia Joint Conf. Inf. Secur. (AsiaJCIS), Aug. 2018, pp. 69–74.
pp. 328–341. [150] B. Nallathambi and K. Palanivel, ‘‘Fault diagnosis architecture for
[128] D. Engels, M.-J. O. Saarinen, P. Schweitzer, and E. M. Smith, SKINNY family of block ciphers,’’ Microprocessors Microsyst., vol. 77,
‘‘The hummingbird-2 lightweight authenticated encryption algorithm,’’ Sep. 2020, Art. no. 103202.
in Proc. Int. Workshop Radio Freq. Identificat., Secur. Privacy Issues. [151] J. H. Park, ‘‘Security analysis of mCrypton proper to low-cost ubiquitous
Berlin, Germany: Springer, 2011, pp. 19–31. computing devices and applications,’’ Int. J. Commun. Syst., vol. 22, no. 8,
[129] D. Dinu, A. Biryukov, J. Großschädl, D. Khovratovich, Y. Le Corre, and pp. 959–969, Apr. 2009.
L. Perrin, ‘‘Felics–fair evaluation of lightweight cryptographic systems,’’ [152] Y. Sun, M. Wang, S. Jiang, and Q. Sun, ‘‘Differential cryptanalysis
in Proc. NIST Workshop Light. Cryptogr., 2015, p. 128. of reduced-round ICEBERG,’’ in Proc. Int. Conf. Cryptol. Afr. Berlin,
[130] D. Dinu, Y. L. Corre, D. Khovratovich, L. Perrin, J. Großschädl, and Germany: Springer, 2012, pp. 155–171.
A. Biryukov, ‘‘Triathlon of lightweight block ciphers for the Internet of [153] C. Blondeau and B. Gérard, ‘‘Differential cryptanalysis of puffin and
Things,’’ J. Cryptograph. Eng., vol. 9, no. 3, pp. 283–302, Sep. 2019. puffin2,’’ in Proc. ECRYPT Workshop Lightw. Cryptogr., 2011, p. 1.
[131] R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and [154] G. Zhao, B. Sun, C. Li, and J. Su, ‘‘Truncated differential cryptanalysis
L. Wingers, ‘‘The SIMON and SPECK lightweight block ciphers,’’ in of PRINCE,’’ Secur. Commun. Netw., vol. 8, no. 16, pp. 2875–2887,
Proc. 52nd Annu. Design Autom. Conf., Jun. 2015, pp. 1–6. Nov. 2015.
[132] Differential Fault Analysis—Wikipedia. Accessed: Oct. 10, 2020. [155] Y. Lee, K. Jeong, C. Lee, J. Sung, and S. Hong, ‘‘Related-key cryptanal-
[Online]. Available: https://en.wikipedia.org/wiki/Differential_fault_ ysis on the full PRINTcipher suitable for IC-printing,’’ Int. J. Distrib.
analysis Sensor Netw., vol. 10, no. 1, Jan. 2014, Art. no. 389476.
[156] Z. Ahmadian, M. Salmasizadeh, and M. R. Aref, ‘‘Biclique cryptanalysis
[133] J. Breier, X. Hou, and Y. Liu, ‘‘Fault attacks made easy: Differential fault
of the full round KLEIN block cipher,’’ IET Inf. Secur., vol. 9, no. 5,
analysis automation on assembly code,’’ in Proc. IACR Trans. Crypto-
pp. 294–301, Sep. 2015.
graph. Hardw. Embedded Syst., May 2018, pp. 96–122.
[157] J.-P. Aumasson, M. Naya-Plasencia, and M.-J. O. Saarinen, ‘‘Practical
[134] A. Bogdanov, D. Khovratovich, and C. Rechberger, ‘‘Biclique cryptanal-
attack on 8 rounds of the lightweight block cipher KLEIN,’’ in Proc. Int.
ysis of the full AES,’’ in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur.
Conf. Cryptol. India. Berlin, Germany: Springer, 2011, pp. 134–145.
Berlin, Germany: Springer, 2011, pp. 344–371.
[158] M. Gruber and B. Selmke, ‘‘Differential fault attacks on klein,’’ in Proc.
[135] F. Zhang, Y. Zhang, H. Jiang, X. Zhu, S. Bhasin, X. Zhao, Z. Liu, D. Gu,
Int. Workshop Constructive Side-Channel Anal. Secure Design. Springer,
and K. Ren, ‘‘Persistent fault attack in practice,’’ in Proc. IACR Trans.
2019, pp. 80–95.
Cryptograph. Hardw. Embedded Syst., Mar. 2020, pp. 172–195.
[159] G. Zhao, B. Sun, R. Li, L. Cheng, and C. Li, ‘‘Differential fault analysis
[136] K. K, I. Roy, C. Rebeiro, A. Hazra, and S. Bhunia, ‘‘FEDS: Comprehen- on LED using super-sbox,’’ IET Inf. Secur., vol. 9, no. 4, pp. 209–218,
sive fault attack exploitability detection for software implementations of Jul. 2015.
block ciphers,’’ in Proc. IACR Trans. Cryptograph. Hardw. Embedded [160] E. Yarrkov, ‘‘Cryptanalysis of XXTEA,’’ in Proc. IACR, 2010, p. 254.
Syst., Mar. 2020, pp. 272–299. [161] H. Tupsamudre, S. Bisht, and D. Mukhopadhyay, ‘‘Differential fault
[137] S. Bhasin, J. Breier, X. Hou, D. Jap, R. Poussier, and S. M. Sim, ‘‘SITM: analysis on the families of Simon and speck ciphers,’’ in Proc. Workshop
See-in-the-middle side-channel assisted middle round differential crypt- Fault Diagnosis Tolerance Cryptogr., 2014, pp. 40–48.
analysis on SPN block ciphers,’’ in Proc. IACR Trans. Cryptograph. [162] A. Bay, J. Nakahara, and S. Vaudenay, ‘‘Cryptanalysis of reduced-round
Hardw. Embedded Syst., Nov. 2019, pp. 95–122. MIBS block cipher,’’ in Proc. Int. Conf. Cryptol. Netw. Secur. Berlin,
[138] K. Jeong, Y. Lee, J. Sung, and S. Hong, ‘‘Improved differential fault Germany: Springer, 2010, pp. 1–19.
analysis on PRESENT-80/128,’’ Int. J. Comput. Math., vol. 90, no. 12, [163] Y. Wang, W. Wu, X. Yu, and L. Zhang, ‘‘Security on LBlock against
pp. 2553–2563, Dec. 2013. biclique cryptanalysis,’’ in Proc. Int. Workshop Inf. Secur. Appl. Berlin,
[139] C. Blondeau and K. Nyberg, ‘‘Links between truncated differential and Germany: Springer, 2012, pp. 1–14.
multidimensional linear properties of block ciphers and underlying attack [164] H. Soleimany, ‘‘Self-similarity cryptanalysis of the block cipher
complexities,’’ in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. ITUbee,’’ IET Inf. Secur., vol. 9, no. 3, pp. 179–184, May 2015.
Techn. Berlin, Germany: Springer, 2014, pp. 165–182. [165] T. Isobe, ‘‘A single-key attack on the full GOST block cipher,’’ in Proc.
[140] O. Özen, K. Varıcı, C. Tezcan, and C. C. Kocair, ‘‘Lightweight Int. Workshop Fast Softw. Encryption. Springer, 2011, pp. 290–305.
block ciphers revisited: Cryptanalysis of reduced round PRESENT and [166] N. T. Courtois, ‘‘An improved differential attack on full gost,’’ in The New
HIGHT,’’ in Proc. Australas. Conf. Inf. Secur. Privacy. Berlin, Germany: Codebreakers. Berlin, Germany: Springer, 2016, pp. 282–303.
Springer, 2009, pp. 90–107. [167] S. A. Azimi, Z. Ahmadian, J. Mohajeri, and M. R. Aref, ‘‘Impossible
[141] M. Renauld and F.-X. Standaert, ‘‘Algebraic side-channel attacks,’’ in differential cryptanalysis of piccolo lightweight block cipher,’’ in Proc.
Proc. Int. Conf. Inf. Secur. Cryptol. Berlin, Germany: Springer, 2009, 11th Int. ISC Conf. Inf. Secur. Cryptol., Sep. 2014, pp. 89–94.
pp. 393–410. [168] J. Song, K. Lee, and H. Lee, ‘‘Biclique cryptanalysis on lightweight block
[142] L. Yang, M. Wang, and S. Qiao, ‘‘Side channel cube attack on cipher: HIGHT and piccolo,’’ Int. J. Comput. Math., vol. 90, no. 12,
PRESENT,’’ in Proc. Int. Conf. Cryptol. Netw. Secur. Berlin, Germany: pp. 2564–2580, Dec. 2013.
Springer, 2009, pp. 379–391. [169] J. Huang, S. Vaudenay, and X. Lai, ‘‘On the key schedule of lightweight
[143] B. Zhu, X. Dong, and H. Yu, ‘‘Milp-based differential attack on round- block ciphers,’’ in Proc. Int. Conf. Cryptol. India. Cham, Switzerland:
reduced gift,’’ in Proc. Cryptograph. Track RSA Conf. Cham, Switzerland: Springer, 2014, pp. 124–142.
Springer, 2019, pp. 372–390. [170] B. Koo, D. Hong, and D. Kwon, ‘‘Related-key attack on the full HIGHT,’’
[144] Y. Sasaki, ‘‘Integer linear programming for three-subset meet-in-the- in Proc. Int. Conf. Inf. Secur. Cryptol. Berlin, Germany: Springer, 2010,
middle attacks: Application to gift,’’ in Proc. Int. Workshop Secur. Cham, pp. 49–67.
Switzerland: Springer, 2018, pp. 227–243. [171] A. Bogdanov, ‘‘Attacks on the KeeLoq block cipher and authentication
[145] M. Cao and W. Zhang, ‘‘Related-key differential cryptanalysis systems,’’ in Proc. 3rd Conf. RFID Secur., 2007, pp. 1–5.
of the reduced-round block cipher gift,’’ IEEE Access, vol. 7, [172] B. Zhu and G. Gong, ‘‘Multidimensional meet-in-the-middle attack and
pp. 175769–175778, 2019. its applications to KATAN32/48/64,’’ Cryptography Commun., vol. 6,
[146] B. Zhao, X. Dong, W. Meier, K. Jia, and G. Wang, ‘‘Generalized related- no. 4, pp. 313–333, Dec. 2014.
key rectangle attacks on block ciphers with linear key schedule: Applica- [173] M.-J. O. Saarinen, ‘‘Related-key attacks against full Hummingbird-2,’’ in
tions to SKINNY and GIFT,’’ Des., Codes Cryptogr., vol. 13, pp. 1–24, Proc. Int. Workshop Fast Softw. Encryption. Berlin, Germany: Springer,
Dec. 2020. 2013, pp. 467–482.
[147] L. Dalmasso, F. Bruguier, P. Benoit, and L. Torres, ‘‘Evaluation [174] (Mar. 2017). Cryptographic Technology Guideline (Lightweight Cryptog-
of SPN-based lightweight crypto-ciphers,’’ IEEE Access, vol. 7, raphy). [Online]. Available: https://www.cryptrec.go.jp/report/cryptrec-
pp. 10559–10567, 2019. gl-2003-2016en.pdf

28192 VOLUME 9, 2021


V. A. Thakor et al.: Lightweight Cryptography Algorithms for Resource-Constrained IoT Devices

VISHAL A. THAKOR is currently pursuing the Ph.D. degree in lightweight cryptography to improve security in resource-constrained IoT devices from Teesside University, U.K. He is also working as a part-time Lecturer with Teesside University. He has more than ten years of teaching and more than two years of industrial experience. Along with his passion to teach, he loves coding using C/C++, VB, C#, and Python. His areas of research interest include information security, cyber security, computer networks, algorithm design, data structure, the Internet of Things, and Web designing. He is a lifetime member of the Computer Society of India (CSI), India.

MOHAMMAD ABDUR RAZZAQUE (Member, IEEE) received the Ph.D. degree from UCD, Ireland. He worked as a Senior Research Fellow with Trinity College Dublin, from October 2014 to January 2018, and as a Senior Lecturer with UTM, Malaysia, from September 2011 to September 2014. He is currently a Senior Lecturer with the School of Computing, Engineering, and Digital Technologies, Teesside University. His research interests are centered on end-to-end IoT solutions and cybersecurity. He is an Editor of the International Journal of Distributed Sensor Networks and IOT JOURNAL.

MUHAMMAD R. A. KHANDAKER (Senior Member, IEEE) received the Ph.D. degree from Curtin University, Perth, WA, Australia. He worked as a Postdoctoral Research Fellow with University College London, U.K., from July 2013 to June 2018. He is currently an Assistant Professor with the School of Engineering and Physical Sciences, Heriot-Watt University. He is an Associate Editor of the IEEE WIRELESS COMMUNICATIONS LETTERS, IEEE COMMUNICATIONS LETTERS, and IEEE ACCESS.
