IIoTBC: A Lightweight Block Cipher for Industrial IoT Security

Abstract

The number of industrial Internet of Things (IoT) users is increasing rapidly. Lightweight block ciphers have started to be used to protect the privacy of users. Hardware-oriented security design should fully consider the use of fewer hardware devices when the function is fully realized. Thus, this paper designs a lightweight block cipher IIoTBC for industrial IoT security. IIoTBC system structure is variable and flexibly adapts to nodes with different security requirements. This paper proposes a 4×4 S-box that achieves a good balance between area overhead and cryptographic properties. In addition, this paper proposes a preprocessing method for 4×4 S-box logic gate expressions, which makes it easier to obtain better area, running time, and power data in ASIC implementation. Applying it to 14 classic lightweight block cipher S-boxes, the results show that is feasible. A series of performance tests and security evaluations were performed on the IIoTBC. As shown by experiments and data comparisons, IIoTBC is compact and secure in industrial IoT sensor nodes. Finally, IIoTBC has been implemented on a temperature state acquisition platform to simulate encrypted transmission of temperature in an industrial environment.

1. Introduction

Industrial IoT is the largest and most important component of the IoT. It integrates various mobile intelligent terminals and communication technologies to upgrade traditional industrial models [1]. The enterprise centralizes the data collected in the industrial production process, equipment operation status information, etc. Then these data are exchanged, analyzed, and processed through various communication networks. However, the massive collection and processing of sensor data also raises some privacy concerns [2].

Xie et al. noted that due to the nature of wireless sensor networks (WSNs), they are vulnerable to many types of attacks [3]. Various security measures for the network layer have been proposed. Popoola et al. proposed a federated deep learning (FDL) approach for unknown (zero-day) botnet attack detection without any data privacy concerns [4]. This is important for improving network security. Zhao et al. proposed a novel network intrusion detection (NID) method for IoT based on the lightweight deep neural network (LNN) [5]. This not only has excellent performance in intrusion detection, but can also significantly reduce computational cost and model size. Xenofontos et al. proposed an attack taxonomy that considers the unique structure and operational constraints of IoT ecosystems [6]. According to the classification results, security countermeasures and best practices can be used to mitigate threats and vulnerabilities before they evolve into catastrophic attacks. Additionally, Xenofontos et al. reported nine IoT-based attacks, three of which belonged to the industrial IoT. Sengupta et al. reported the industrial IoT architecture, security issues, and types of attacks encountered in detail [7]. A variety of security protection schemes for the industrial IoT have been proposed [8-11]. Protecting data in transit is necessary, and many attacks more often target terminal devices. After contacting the hardware, attackers can use tools to extract data directly from nodes, or even install malicious devices, bypassing various security measures in the software and destroying data security. It is worth noting that nodes cannot provide enough hardware resources to support traditional encryption methods solidified into hardware circuits.

One of the methods of industrial IoT defense is to build a defense mechanism directly on the sensor node device. Dalmasso et al. noted that there is an inevitable trend to using secure and efficient lightweight block ciphers to protect the privacy of any resource-constrained device [12].

As shown in Fig. 1, a lightweight block cipher is deployed at the perception layer, which allows sensor data to circulate as ciphertext. Then build the first line of defense for the entire industrial IoT. Therefore, this paper mainly studies a secure lightweight block cipher with low hardware overhead and a simple structure. Specifically, it addresses the security requirements of the industrial IoT perception layer.

Fig. 1. Industrial IoT encryption model

2. Related Work

Lightweight block ciphers can be divided into two categories based on their nonlinear components. The nonlinear components in the first category are mainly 4 x 4 S-boxes. Representative lightweight block ciphers include ULC [13], PRESENT [14], GIFT [15], Midori [16], Piccolo [17], and RECTANGLE [18]. The nonlinear components in the second category are mainly modular addition operations (⊞), AND operations (&), etc., such as HIGHT [19], SIMON and SPECK [20], Simeck [21], CHAM [22], Shadow [23], and SAND [24].

S-box is an important component of a lightweight block cipher. It has a direct impact on the overall security of the design. S-box is usually implemented in two ways: lookup table (LUT) and logic gates. The memory overhead required by the LUT method is high, which is not ideal for some devices with limited memory (such as smart cards and embedded devices) [25]. Logic gates are the basic structure of a digital system, which are usually combined to realize more complex logic operations. Easy logic implementation means that its S-box is only realized by a simple combination of a few logic gates.

At present, the main idea of S-box lightweight is to reduce the number of logic gates used. Some ciphers use only a few logic gates and then generate S-boxes based on iterative architecture, such as Piccolo, SKINNY [26]. For S-box designers, it is not easy to strike a good balance between hardware overhead and safety. For example, the two S-boxes used in the Midori trade security for low area. Piccolo and SKINNY trade latency for low area. Their special iterative architecture can result in relatively high S-box latency, which is undesirable in low-latency devices. At the same time, the SKINNY cipher S-box has a fixed point. The lightweight of the S-box should not be limited to sacrificing other S-box indicators. Therefore, this paper intends to explore a lightweight method for the 4×4 S-box without changing its cryptographic nature.

Modular addition and AND operations are simple and easy to implement, but they cannot be proven to meet the security requirements of the industrial IoT. In addition, as the most important part of the IoT, the industrial IoT also has higher requirements for the economy and efficiency of industrial production [27].

Feistel and SPN are the main structures used in lightweight block ciphers. SPN structure-based decryption generally consumes too much extra resources. For example, the decryption process needs to allocate resources for the inverse S-box. The Feistel structure uses the feature that XOR twice equals itself, and the decryption process can share the encryption structure highly. This does not require resource allocation for the inverse S-box, and the decryption hardware implementation does not consume too many additional resources. In resource-constrained embedded devices, area consumption is a major consideration.

It is worth noting that designers need to deal with the trade-off between security, lightweight, and performance of lightweight block ciphers [28]. As shown in Fig. 2, key size, rounds, and hardware architecture are the main balancing factors. The key size offers a trade-off between security and lightweight. It ranges from 56-bit to 256-bit. In terms of long-term protection requirements, the key size is set to 128-bit, which can achieve a better balance. The number of encryption rounds provides a balance between security and operational performance. In general, the higher the number of rounds, the higher the security achieved. But it inevitably increases the running time and energy. The hardware architecture provides a balance between lightweight and performance. The main cryptographic hardware architectures include serial and parallel architectures. Serial architectures consume less area but have lower throughput. However, parallel architectures have high throughput but a large area. The choice of architecture depends on the actual needs of the application scenario.

Fig. 2. The balance between security, lightweight, and performance

Our contribution This paper focuses on a lightweight block cipher IIoTBC for the security requirements of the industrial IoT sensor layer. IIoTBC accepts 128-bit keys with a block size of 64-bit and consists of 10 rounds. Secondly, the IIoTBC has a variable structure. Compared with a fixed cryptographic system, it can be better adapted to sensor nodes with different security requirements. In addition, a 4×4 S-box can be regarded as a non-repeating arrangement of elements on GF(2⁴). Only part of the arrangement does not have the better cryptographic properties of the S-box. This paper randomly generates such permutations and uses the cryptographic properties of the S-box as a filtering condition. Randomly selected from eligible permutations, the area overhead is then used to assess their suitability for use as S-boxes. The S-box, which achieves a compromise between area overhead and cryptographic properties, will be selected as the nonlinear layer of IIoTBC. Also, this paper finds a preprocessing method for 4×4 S-box logic expressions. This can achieve better area, runtime, and energy in ASIC implementations without changing its cryptographic properties. Applying it to IIoTBC S-box and 14 classic lightweight block cipher S-boxes. The experimental results show that it is feasible. ASIC hardware implementation, avalanche test, impossible differential cryptanalysis, side channel cryptanalysis, and algebraic cryptanalysis are done for IIoTBC. As experiments and data comparisons show, IIoTBC is compact and secure in industrial IoT sensor nodes. Finally, this paper constructs an end-to-end temperature state acquisition platform. IIoTBC has been successfully applied to simulate encrypted transmission of temperature in an industrial environment.

3. Specification of IIoTBC

As shown in Fig. 3, the IIoTBC system structure is variable. The MCU size is used as a control signal to select one of them. Also, the widely used controller area network (CAN) bus size is generally 64-bit. Therefore, IIoTBC accepts 128-bit keys with a block size of 64-bit. Meanwhile, the number of encryption rounds r=32. This paper denotes the 64-bit plaintext as M₀, M₁,⋯, M₆, M₇. Each round subkey is represented by key_jⁱ(1 ≤ i ≤ 4, 1 ≤ j ≤ r).

Fig. 3. The encryption process of IIoTBC

3.1 System Structure A

The embedded systems with 8-bit MCU are more common in the industrial IoT. Therefore, this paper focuses on the research based on System A. It is based on an 8-branch generalized Feistel structure. The approximate encryption process of it can be described by the pseudocode in Algorithm 1.

Algorithm1. IIoTBC System Structure A Encryption Routine

Input: Plaintext, key

Output: Ciphertext

1: (M₀, M₁, M₂, M₃, M₄, M₅, M₆, M₇) ← Plaintext

2: for j = 1 to r do

3: M₀' = M₀, M₁' = f₁(M₀, key_j¹) ⊕ M₁

4: M₂' = M₂, M₃' = f₁(M₂, key_j²) ⊕ M₃

5: M₄' = M₄, M₅' = f₁(M₄, key_j³) ⊕ M₅

6: M₆' = M₆, M₇' = f₁(M₆, key_j⁴) ⊕ M₇

7: if ( j%2! = 0)

8: M_state = PA1(M₀', M₁', M₂', M₃', M₄', M₅', M₆', M₇')

9: else

10: M_state = PA2(M₀', M₁', M₂', M₃', M₄', M₅', M₆', M₇')

11: else if j==r

12: Ciphertext ← (M₀', M₁', M₂', M₃', M₄', M₅', M₆', M₇')

13: end for

Return Ciphertext

System structure A mainly includes 1f function, PA1, and PA2. Among them, PA1 and PA2 mainly realize the exchange of branch data positions. The specific exchange process has been given in Fig. 3. The operation process of the 1f function includes AddRoundkey, S-box permutation, and 1-bit left roation (⋘ 1), as shown in Fig. 4. The values of S-box elements are shown in Table 1.

Fig. 4. The operation process of f₁

Table 1. The 4×4 bijection S-box of IIoTBC

3.2 System Structure B

Currently, 8-bit MCUs still dominate the mainstream low-end market. Compared with this, 16-bit MCUs have better data processing capability and more memory. If advanced security features are needed, it may be wise to use 16-bit. Thus, this paper provides a more complex system B for 16-bit MCUs. System B is based on a 4-branch generalized Feistel structure. System B is designed based on bit-slice technology, and each branch is a 4×4 matrix. PB1 is to convert the 64-bit data to be processed into 4 slices, as shown in Fig. 5. Taking the first branch as an example, the illustrated f₂ function operation process is shown in Fig. 6. PB2 and PB3 are used for odd and even rounds, respectively. Their operation process is shown in Fig. 7 and Fig. 8.

Fig. 5. The operation process of PB1

Fig. 6. The operation process of f₂

Fig. 7. The operation process of PB2

Fig. 8. The operation process of PB3

3.3 Subkey Generation

In this paper, the key size supported by IIoTBC is 128-bit. Firstly, for the convenience of description, k₀||k₁||k₂⋯k₁₂₅||k₁₂₆||k₁₂₇ is used to represent the primary 128-bit keys. Secondly, the relationship between reg₁, reg₂, reg₃, reg₄, and 128-bit keys can be expressed by (1).

reg₁ = k₀||k₁⋯k₃₀||k_31, reg₂ = k₃₂||k₃₃⋯k₆₂||k₆₃

reg₃ = k₆₄||k₆₅⋯k₉₄||k_95, reg₄ = k₉₆||k₉₇⋯k₁₂₆||k₁₂₇       (1)

reg₁, reg₂, reg₃, and reg₄ are used sequentially for rounds 1 to 4 of the AddRoundkey operation. For rounds 5 to r, the subkey generation method satisfies (2). In the first round of AddRoundkey, the 8-bit k₀||k₁⋯k₆||k₇ serves as key₁¹, the 8-bit k₈||k₉⋯k₁₄||k₁₅ serves as key₁², the 8-bit k₁₆||k₁₇⋯k₂₂||k₂₃ serves as key₁³, and the lowest 8-bit k₂₄||k₂₅⋯k₃₀||k₃₁ serves as key₁⁴.

reg_u = f₃(reg_u-4) ⊕ reg_u-1, 5 ≤ u ≤ r       (2)

Among them, the f₃ function includes P₃ permutation and 4×4 S-box permutation. The operation process of f₃ is shown in Fig. 9.

Fig. 9. The operation process of f₃

The 4 × 4 S-box used by the f₃ function is the same as the S-box used by the encryption round function. The position transformation corresponding to the specific P₃ permutation is shown in Table 2.

Table 2. The values of P₃ permutation

3.4 Decryption Algorithm

IIoTBC is based on the generalized Feistel structure, which is highly consistent in encryption and decryption. There is no difference between the decryption round function and the encryption round function. It should be noted that the permutation operation connects the upper and lower rounds. In addition to controlling logical resources, it will not consume too many additional resources. The reverse order of the round key in the encryption process is used in the decryption process.

4. Design Rationale of IIoTBC

4.1. The structure of IIoTBC

IIoTBC system structure is variable, including A and B. In view of the wide application of 8-bit MCU, A is our main structure. Its round function only involves AddRoundkey, S-box permutation, and 1-bit left rotation (⋘1). The AddRoundkey operation prevents attackers from using potential cryptanalysis methods to bypass the S-box operation and bring security risks to the cipher. Nonlinear S-box is an important part of lightweight block cipher, and its cryptographic properties directly affect the security of the overall algorithm. The 1-bit left rotation makes the influence of a 1 bit on the branch propagate to the remaining bits. IIoTBC cipher uses a 4×4 lightweight S-box. 1-bit left rotation can be realized through wire during hardware implementation. Therefore, IIoTBC round function has the characteristics of simple operation and less resource consumption.

For Feistel structure, P permutation is often used to connect the upper and lower rounds of encryption operations. A good P permutation can make each branch data in the cryptographic structure affect all the remaining branch data. In particular, this process does not involve the AddRoundkey operation. An involutive P permutation can usually make the encryption and decryption of the cipher with Feistel structure consistent. Similarly, for an 8-branch generalized Feistel structure, one branch data can affect at most four branches if only involutive permutations are used in successive rounds of encryption. Although encryption and decryption are consistent, confusion and diffusion are less effective. Of course, in the 8-branch generalized Feistel structure, it is possible to use only non-involutive P permutation, such as HIGHT. However, without the effect of AddRoundkey operation, HIGHT usually requires 6 to 8 rounds to achieve full diffusion. IIoTBC cipher system A alternately uses involute PA1 permutation and non-involute PA2 permutation. As shown in Fig. 10, full diffusion can be achieved in round 6. In addition, the IIoTBC cipher system A dynamically selects one of the 𝑃 permutation methods for each round encryption. After 32 rounds of iteration, the attack difficulty coefficient increased to a certain extent.

Fig. 10. IIoTBC cipher system A P permutation effect

4.2. Nonlinear Layer

Most lightweight block ciphers use S-boxes for their nonlinear layers. The security of ciphers also mainly depends on this. An n x m S-box can be seen as the mapping S : F₂ⁿ → F₂^m or as an n-element Boolean function S(X) = (f₁(X), f₂(X),⋯, f_m(X)). The rapid growth of resource-constrained devices in the context of industrial IoT applications has spawned the need for lightweight implementation of S-box. Therefore, this paper mainly considers the situation of the bijective S-box when n = m = 4 .

Our goal is to get a safe and lightweight 4×4 S-box. In fact, the 4×4 S-box can be seen as a possible arrangement of 0 to 15. It is just that some of the permutations do not have the S-box security attributes. S-box security attributes are usually evaluated by indicators such as nonlinearity, differential uniformity, fixed-point numbers, and algebraic degree. This paper randomly generates 0 to 15 possible permutations, using the security properties of the S-box as a filter condition. Within the eligible permutations, one is randomly selected to test its area overhead. The S-box, which achieves a compromise between area overhead and cryptographic properties, will be selected as the nonlinear layer of IIoTBC. These security attributes of the S-box are described below.

Differential uniformity (DU) of n-bit S-box f is defined as follows [29].

\(\begin{aligned}D U(F)=\max _{\Delta I, \Delta Y \in G F\left(2^{n}\right)}\left|\left\{x \in G F\left(2^{n}\right): f(x+\Delta I)+f(x)=\Delta Y\right\}\right|\end{aligned}\)       (3)

x denotes all possible input values, ΔI denotes input difference, and ΔY denotes output difference. The maximum value in the differential distribution table (not considering the case of ΔI = ΔY = 0) is the DU value of an S-box. The smaller the DU, the stronger the ability of S-box to resist differential cryptanalysis.

Nonlinearity of f_x can be seen by Walsh spectrum [30].

\(\begin{aligned}\begin{array}{l}N(f)=2^{n-1}\left(1-2^{-n} \max _{\omega \in G F\left(2^{n}\right)} \mid S_{f}(\omega)\right) \\ S_{f}(\omega)=\sum_{\omega \in G F\left(2^{n}\right)}-1^{f(x) \oplus x^{*} \omega} \\ \omega \in G F\left(2^{n}\right) \Rightarrow x * \omega=x_{1} * \omega_{1} \oplus \cdots \oplus x_{n} * \omega_{n}\end{array}\end{aligned}\)       (4)

A n-bit Boolean function f can be expressed as a multivariate polynomial on the field GF(2), which is the algebraic normal form (ANF) as shown below [29].

f(x₁,⋯, x_n) = a₀ + a₁ · x₁ + ⋯ + a_1,2 · x₁ · x₂ + a_1,2,⋯,n · x₁ · x₂ ⋯ x_n      (5)

Where a₀, a₁,⋯, a_n, a_1,2,⋯, a_1,⋯,n ∈ GF(2). The number of variables in the largest monomial of ANF is called algebraic degree (AD), as shown in the (6). The optimal number of algebras for each component function of an excellent S-box is n-1. The number of algebraic terms is determined by the sum of the algebraic terms between all the component functions.

AD(f) = max{deg(f₁), deg(f₂),⋯, deg(f_n)}       (6)

Let x₀, x₁, x₂, and x₃ represent the input of the S-box. Let y₀, y₁, y₂, and y₃ represent the output of S-box. The algebraic norms of the components y₀, y₁, y₂, y₃ of IIoTBC S-box are shown as (7).

y₀ = x₀*x₁*x₂ + x₀*x₁*x₃ + x₀*x₁ + x₀*x₂*x₃ + x₀*x₂* + x₀*x₃ + x₀ + x₁*x₂*x₃ + x₁*x₃ + x₂ + x₃;

y₁ = x₀*x₁ + x₀ + x₁*x₂*x₃ + x₁*x₂ + x₁*x₃ + x₂*x₃ + x₂ + 1;

y₂ = x₀*x₁*x₂ + x₀*x₁*x₃ + x₀*x₁ + x₀*x₃ + x₀ + x₁*x₂*x₃ + x₁;

y₃ = x₀*x₁*x₂ + x₀*x₁*x₃ + x₀*x₁ + x₀*x₂ + x₀*x₃ + x₁*x₂ + x₁*x₃ + x₁ + x₂*x₃ + 1;        (7)

In addition, this paper compares the security properties of 14 classical cipher S-boxes with those of IIoTBC. The test results are shown in Table 3.

Table 3. Comparison of cryptographic properties between IIoTBC S-box and other cipher S-boxes

Satisfy that the differential uniformity is 4. The maximum differential probability and the maximum linear probability are 2⁻² . There is no fixed point. The algebraic degree of y₀, y₁, y₂, y₃ are 3. And the algebraic terms, the higher the better. A 4×4 S-box satisfying the above conditions can be considered to have good cryptographic properties. As shown in Table 3, most S-boxes achieve ideal values for differential uniformity and nonlinearity. The algebraic degree of each component function of IIoTBC, Midori-Sb1, mCryption, KLEIN, PRINCE, and TWINE has reached the ideal value of 3. At the same time, IIoTBC has the largest number of algebraic terms and no fixed point. Therefore, it can be considered that the IIoTBC S-box has good cryptographic properties.

5. Hardware Implementation

It is particularly important to study nonlinear and linear components that have a small hardware overhead and achieve optimal cryptographic properties for lightweight block ciphers. 1-bit left rotation and P permutation can be realized by wire in the hardware implementation, so that no much additional hardware resources are consumed. Therefore, the 4×4 S-box is the main resource consuming component in the round function.

The physical area required by the cipher is usually expressed in μm². It can be represented by GE in ASIC, and a 2-input NAND gate is equal to 1 GE. IIoTBC has been synthesized using Synopsys Design Compiler version L-2016.03-SP1, which is based on the SMIC 0.13μm technology library. In this subsection, an S-box logic expression preprocessing approach proposed in this paper will be presented, followed by the overall hardware overhead of the IIoTBC.

5.1 An S-box Logic Expression Preprocessing Approach

The "set_max_area 0" command can be set during ASIC synthesis, so that the design area after synthesis is as small as possible. Although the designer may specify the S-box logic gate expression, the actual circuit after ASIC synthesis does not necessarily match that specified by the designer. It can be found that the logical expression of the S-box is simplified to a minimum by the Karnaugh map method. Then through the "set_max_area 0" instruction, the synthesized result is not necessarily optimal. The ASIC synthesis cannot be guaranteed to match the logic gates specified by the designer. But it can be used as a basis for synthesis optimization. Therefore, ASIC synthesis results depend on the form of logic gate expressions.

In hardware circuits, AND gates, OR gates, and NOT gates are the basic logic gates. It is worth noting that in most process libraries, the GE number of NAND gates and NOR gates is smaller than that of AND gates and OR gates, such as UMCL18G212T3 technology library. This paper combines these two phenomena and proposes a method for preprocessing S-box logic gate expressions. That is, try to use NAND gates, NOR gates, NOT gates, etc. to describe the logic gate expression of the S-box. Then send it to the ASIC platform for synthesis. This paper tested 14 classical lightweight block cipher S-boxes and the IIoTBC cipher S-box to confirm the effectiveness of this method. The test results are shown in Table 4. Where “✓” indicates that our method is feasible, and “〇” indicates that the data are consistent before and after processing.

Table 4. Comparison of area, time and power of each S-box before and after processing

According to Table 4, 10 of the 15 S-boxes obtained better power, area, and running time data. In addition, Table 4 shows that more than half of S-boxes have larger area, running time, and power data than the IIoTBC S-box. The Midori-S0 hardware test data is the best, and the RECTANGLE, SKINNY data is close to that of the IIoTBC S-box. However, combined with the test of the cryptographic properties of the S-box in the previous chapter, it can be seen that Midori-S0 has four fixed points. Therefore, it can be said that the IIoTBC S-box has achieved a good balance between hardware overhead and encryption performance.

5.2 The Hardware Overhead of the IIoTBC Cipher

Similarly, this paper synthesizes IIoTBC system A on the ASIC platform. Fig. 11 is a system diagram of it. The result of system A area implementation is 8123.38 μm², which is equal to 1769.80GEs. Also, latency is 32. At 100MHz, the throughput is (100MHz x 64)/32 = 200Kbps . The amount of power required by the circuit to process system A is 1.77 μW. The result of system B area implementation is 2338.12GEs. Latency is 32. At 100MHz, the throughput is 200Kbps. The amount of power required by the circuit to process system B is 2.34 μW.

Fig. 10. The system diagram of system A

In this paper, appropriate ciphers are selected for comparison to give a fair indication of the overall hardware resource consumption of the IIoTBC. First, select ciphers with 64-bit block size and 128-bit key size. Then select the ciphers for simulation under the SIMC 0.13μm technology library. Ciphers meeting the above conditions are listed in Table 5. It can be seen from Table 5 that the hardware resources consumed by IIoTBC have certain advantages in the same area.

Table 5. Comparison between the hardware resources of the IIoTBC and other ciphers

6. Security Analysis

6.1 Avalanche test

In cryptography, the avalanche effect means that when a binary bit of the input is inverted, 1/2 of the binary in the output is inverted. A block cipher is considered to have poor randomization properties if it does not exhibit a certain degree of avalanche characteristics. This can lead to partial or even complete cracking of the algorithm. For designers, satisfying the avalanche effect is an essential criterion.

This paper randomly selects 10,000 64-bit samples to test the change in output bits when the IIoTBC cipher system A input changes by 1 bit. When the input bits change 1-bit, the number of output bits change ω is expected to be 1/4~3/4 of the output size, and the mean value ω_a is approximately 1/2. The Strict Avalanche Criterion (SAC) is a formalization of avalanche effects. It states that when any input bit is inverted, every output bit has a 1/2 probability of changing. When the input bits change by 1 bit, the mean value of the output change ω_a is close to 32, and the mean probability of output change Pr_a is close to 0.5. It can be considered that the encryption algorithm has a good avalanche effect and can resist statistical analysis.

The test results are shown in Table 6. IIoTBC cipher system A reaches full dependency after 10 rounds. For the 32-round IIoTBC cipher system A, the input changes 1-bit, and the average value of the number of digits changed by the output ω_a is close to 32. The value range of the probability Pr of each bit output change is between 0.497775~0.501569. The average probability Pr_a of each bit output change is 0.499992, which is very close to 0.5.

Table 6. IIoTBC cipher avalanche effect test results

In addition, this paper uses the 10,000 test samples to test the changes in the output bits of algorithms such as CHAM, HIGHT, Piccolo when the input bits change 1 bit in each round as shown in Fig. 11. The experimental test results are compared with IIoTBC system A, as shown in Table 7.

Fig. 11. Changes of output bits of IIoTBC, CHAM, HIGHT and Piccolo in each round

Table 7. Comparison of avalanche effect test results of IIoTBC with CHAM, HIGHT and Piccolo

As can be seen from Table 7, the input of system A changes by 1 bit, and the mean value and mean probability of the output change are closest to the ideal value. Therefore, it can be considered that the avalanche effect of IIoTBC cipher system A has certain advantages in the algorithm of the same type of GFN structure, and can resist statistical analysis.

6.2 Impossible differential cryptanalysis

The main idea of impossible differential analysis is to reduce the number of key searches using differential features with probability 0. That is, if under a certain guessing key, a plaintext ciphertext pair of the cipher can make the differential feature with a probability of 0 appear. Then this guessing key must be wrong and will be eliminated. Assuming that E is a lightweight block cipher encryption algorithm, Δα and Δβ are its input difference and output difference, respectively. Perform r₁ rounds of encryption operation on Δα, and find a differential feature E₀ : Δα → Δγ₁ with a probability of 1. Perform r₂ rounds of decryption on Δβ, and at the same time find a differential feature E₁: Δγ₂ ← Δβ with a probability of 1. Using the meet-in-the-middle technique, if there is always a contradiction between γ₁ and γ₂, then \(\begin{aligned}\Delta \alpha \nrightarrow \Delta \beta\end{aligned}\) is called an impossible differential feature of r₁ + r₂ rounds of encryption algorithm E .

Table 8 is the differential distribution table of the IIoTBC S-box. According to Table 8, when the input difference or output difference of the S-box is a fixed value, the output difference or input difference ****, where * means the difference is unknown. A 6-round impossible differential feature of the IIoTBC cipher system A is found, as shown in (8).

Table 8. Differential distribution table for IIoTBC S-box

\(\begin{aligned}\begin{array}{l}(0,0),(0,0),(0,0),(0,0),(0,0),(0,0),(a, 0),(0,0) \nrightarrow \\ (0,0),(0,0),(0, c),(0,0),(0,0),(0,0),(0,0),(0,0)\end{array}\end{aligned}\)       (8)

According to the 6-round impossible difference, the difference propagation characteristics are studied from the direction of encryption 3-round and the direction of decryption 4-round. Then the 13-round impossible difference is obtained as shown in Table 9.

Table 9. 13-round impossible differential path of IIoTBC

Choose the N² plaintext structures shown in (9).

P_M0⁰ = (α₁, α₂), P_M1⁰ = (x₁, x₂), P_M2⁰ = (x₃, α₃), P_M3⁰ = (x₄, x₅),

P_M4⁰ = (x₆, α₇), P_M5⁰ = (x₈, x₉), P_M6⁰ = (α₄, α₅), P_M7⁰ = (α₆, α₇)       (9)

Among them, α_i (1 ≤ i ≤ 7) takes a fixed value, and x_i(1 ≤ j ≤ 9) takes all possible values. Obviously, each plaintext structure has 2³⁶ plaintexts, and the number of plaintext pairs that can be formed is 2⁷¹. Then 2^N plaintext structures undergo 13 rounds of encryption, correspondingly, 2^N+71 ciphertext pairs can be obtained. After 13 rounds of encryption, select the ciphertext pair that satisfies the difference form shown in (10).

ΔC_M0¹³ = (d₁, d₂), ΔC_M1¹³ = (0, 0), ΔC_M2¹³ = (d₅, d₆), ΔC_M3¹³ = (d₃, d₄),

ΔC_M4¹³ = (0, 0), ΔC_M5¹³ = (0, 0), ΔC_M6¹³ = (d₇, d₈), ΔC_M7¹³ = (0, C)       (10)

Among them, c and d_i(1 ≤ i ≤ 8) are non-zero values. Under this 13-round impossible differential feature path, the data complexity of the attack is 2^N+36 selected plaintexts.

6.3 Side channel cryptanalysis

Many lightweight block ciphers are less likely to be designed with side channel immunity in mind. However, sensor nodes will inevitably leak side channel information in actual deployment such as heat, electromagnetic, and energy. Attackers can use these to analyze and attack industrial IoT sensor nodes. Rabie A et al. noted that the bit-slice implementation supports immunity against side channel analysis [33]. Therefore, this paper extends system A to obtain system B and implements it with bit-slicing technology. This applies to nodes with higher level security requirements and relatively relaxed device resources. Nodes that are extremely resource sensitive can simply use system A for encryption.

Let x₀, x₁, x₂, and x₃ represent the four n-bit inputs of the S-box. Let y₀, y₁, y₂, and y₃ represent the four n-bit outputs of S-box. Let t_i denote the 4-bit temporary variables, i =0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 18, 19, 20, 21. The bit-slice implementation codes of the IIoTBC cipher S-box are shown in Algorithm2. Where “∼” is bitwise NOT, “&” is bitwise AND, “ | ” is bitwise OR. Of course, the immunity of resource-constrained nodes to side channel analysis can also be improved by the first-order mask technique, which will not be discussed here.

Algorithm2. IIoTBC S-box bit-slice implements code

Input: x₀, x₁, x₂, x₃

Output: y₀, y₁, y₂, y₃

1 : t₀ =~x₁; 2 : t₁ = t₀ ⊕ x₂; 3 : t₂ = t₁ | x₂;

4 : t₁ = x₂ ⊕ x₃; 5 : t₄ = t₃ & t₂; 6 : t₅ = t₁ & x₀;

7 : y₀ = t₅ | t₄; 8 : t₇ = x₁ | x₂; 9 : t₈ =~t₇;

10 : t₉ = x₀ | x₁; 11 : t₁₀ = t₈ | x₃; 12 : y₁ = t₁₀ ⊕ t₉;

13 : t₁₂ = x₀ ⊕ x₃; 14 : t₁₃ = t₁₂ & x₀; 15 : t₁₄ = t₁₂ & x₂;

16 : t₁₅ = t₁₄ ⊕ t₁₃; 17 : t₁₆ = t₁₅ | x₁; 18 : y₂ = t₁₆ ⊕ t₁₄;

19 : t₁₈= x₂ | x₃; 20 : t₁₉ = t₃ | x₁; 21 : t₂₀ = ~t₁₉;

22 : t₂₁ = t₂₀ | x₀; 23 : y₃ = t₂₁ ⊕ t₁₈;

6.4. Algebraic cryptanalysis

Algebraic attack transforms the analytical problem of block ciphers into solving multivariate higher order algebraic equations in finite fields. The attacker can obtain the unknown key by solving the equation system. Finding the polynomial of the entire cipher takes a lot of time. Therefore, this paper mainly understands the complex multivariate algebraic equations of nonlinear components to analyze whether the entire cryptosystem can resist algebraic attacks. The nonlinear component of IIoTBC is S-box. In general, a 4×4 S-box is described by 21 quadratic equations with 8 input/output bit variables. IIoTBC requires 10 S-boxes for one round of encryption. After 32 rounds, there will be 320 S-boxes. In this case, IIoTBC can be described as 6720 quadratic equations of 2560 variables. According to this, IIoTBC is able to resist algebraic attacks.

7. Temperature condition monitoring application

Industrial companies can use IoT to implement predictive maintenance and condition-based monitoring. Sensors such as temperature, humidity, speed, and position play a vital role in this. This paper constructs an end-to-end temperature status acquisition platform to simulate temperature monitoring in industrial environments. At the same time, IIoTBC is deployed to the platform. Initially, the temperature transducer collects temperature data, which is transmitted to the receiver via the can bus. It worth noticed that temperature data is transmitted in plaintext. After deploying the IIoTBC, the temperature data collected by the transducer will be encrypted first. The receiver receives the temperature data in ciphertext via the can bus, and performs the IIoTBC cipher decryption process. Then display the actual temperature data. The specific process is shown in Fig. 13.

Fig. 13. Temperature status collection and encryption platform

The successful implementation of the real-time temperature state acquisition encryption platform shows that IIoTBC encryption is feasible. In general, we have deployed a lightweight encryption method at the endpoint perception layer, so that the sensing data can be transmitted and stored in ciphertext form. It provides a solution for building the first line of defense for industrial IoT systems.

8. Conclusion

This paper designs a lightweight block cipher IIoTBC for industrial IoT sensor nodes. IIoTBC adopts a variable system structure. Flexible support for MCUs of different sizes and levels of security requirements. Secondly, this paper proposes a 4×4 S-box, which strikes a good balance between hardware overhead and cryptographic properties. At the same time, this paper proposes a preprocessing method for 4×4 S-box logic gate expressions. In addition, ASIC hardware implementation, avalanche effect test, impossible differential cryptanalysis, side channel cryptanalysis, and algebraic cryptanalysis are performed on IIoTBC. As our experiments and data comparison show, IIoTBC is compact and safe in industrial IoT sensor nodes. Finally, this paper has built an end-to-end temperature acquisition platform to simulate temperature monitoring in industrial environments, and IIoTBC is successfully applied to it. At present, it is meaningful to use machine learning technology to solve the cryptanalysis problem. For example, the minimum number of active S-boxes is predicted based on deep learning [34]. A given block cipher output is classified as secure or insecure using machine learning classification and the number of active S-boxes [35]. In future work, this paper will study the security of lightweight block cipher under the background of machine learning technology.