DOI QR코드

DOI QR Code

DABC: A dynamic ARX-based lightweight block cipher with high diffusion

  • Wen, Chen (College of Computer Science and Technology, Hengyang Normal University) ;
  • Lang, Li (College of Computer Science and Technology, Hengyang Normal University) ;
  • Ying, Guo (College of Computer Science and Technology, Hengyang Normal University)
  • Received : 2022.11.17
  • Accepted : 2023.01.20
  • Published : 2023.01.31

Abstract

The ARX-based lightweight block cipher is widely used in resource-constrained IoT devices due to fast and simple operation of software and hardware platforms. However, there are three weaknesses to ARX-based lightweight block ciphers. Firstly, only half of the data can be changed in one round. Secondly, traditional ARX-based lightweight block ciphers are static structures, which provide limited security. Thirdly, it has poor diffusion when the initial plaintext and key are all 0 or all 1. This paper proposes a new dynamic ARX-based lightweight block cipher to overcome these weaknesses, called DABC. DABC can change all data in one round, which overcomes the first weakness. This paper combines the key and the generalized two-dimensional cat map to construct a dynamic permutation layer P1, which improves the uncertainty between different rounds of DABC. The non-linear component of the round function alternately uses NAND gate and AND gate to increase the complexity of the attack, which overcomes the third weakness. Meanwhile, this paper proposes the round-based architecture of DABC and conducted ASIC and FPGA implementation. The hardware results show that DABC has less hardware resource and high throughput. Finally, the safety evaluation results show that DABC has a good avalanche effect and security.

Keywords

1. Introduction

With the development of technologies such as wireless communication and the Internet of Things (IoT), many sensor devices were widely used in our daily life [1]. However, IoT devices usually work in a wireless sensor network environment where sensor nodes can be easily captured by attackers [2]. It leads to some information leakage. Li et al. [3] considered the importance of providing security services in IoT, which makes people begin to pay attention to security in resource-constrained environments. At the same time, traditional block cipher (such as AES) cannot adapt to the resource-constrained environment due to high hardware resource consumption. Cipher designers have begun studying lightweight block ciphers to address this challenge. Different from traditional block ciphers, lightweight block ciphers with low resource and energy consumption are suitable for resource-constrained environments. The Feistel and the substitution-permutation networks (SPN) structure are its two mainstream cipher structures, respectively. Encryption and decryption of the Feistel structure are consistent, but the diffusion effect is poor, such as Piccolo [4], TWINE [5], QTL [6], etc. The SPN structure has a good diffusion speed but generally consumes additional resources when decrypting, such as PRESENT [7], Midori [8], RECTANGLE [9], SKINNY [10], etc.

Most of these mainstream ciphers use S-box to enhance confusion. There are ARX-based lightweight block ciphers without S-boxes in addition to these mainstream ciphers. ARX-based lightweight block ciphers are generally designed with simple operations, such as Addition, AND, Rotation, and XOR. It is superior to other ciphers with S-box according to the test results of the "Fair Evaluation of Lightweight Cryptography System (FELICS) [11]" platform designed by researchers at the University of Luxembourg. Some classical ARX-based lightweight block ciphers have been proposed in recent years. D. Hong et al. [12] proposed HIGHT by ARX operations, which is adapted to low-resource environments. R. Beaulieu et al. [13] proposed SIMON and SPECK with good performance in hardware implementation and software implementation, respectively. However, proof of their theoretical security has always been a difficult task. G. Yang et al. [14] combined the advantages of SIMON and SPECK to propose the Simeck, which is less than the SMION in terms of hardware resources and power consumption. Y. Guo and L. Li et al. [15] proposed Shadow to protect the security of sensory layer nodes in IoT, which overcomes the problem of poor diffusion of ARX-based lightweight block cipher. S. Chen and M. Wang et al. [16] proposed SAND. The authors used equivalent S-box-based representation to evaluate the security of SAND, which provides a new way to analyze the security of ARX-based lightweight block ciphers. In general, these ARX-based lightweight block ciphers are competitive in terms of hardware and software implementations. However, except for Shadow, these ARX-based lightweight block ciphers generally have the weakness of slow diffusion (only half the data can be changed in one round). For Shadow, it solves the weakness by combining four ARX operations and branch swapping. Therefore, Shadow is not as impressive in terms of latency. Furthermore, ARX-based lightweight block cipher generally suffers from poor diffusion when the initial plaintext and key are all 0 or all 1.

The lightweight ARX-based block ciphers currently designed are all static structures. Some security analysis of them has been carried out by cryptographers. B. Koo et al. [17] and J. Song et al. [18] proposed a correlation key attack and a biclique attack for the HIGHT full-round, respectively. B. Ryabko and A. Soskov [19] proposed an integral attack on Simeck 48/96 full-round. J. Lu et al. [20] proposed Simeck64/128 to construct 17-round neural discriminators (NDs) and 21-round correlated key neural discriminators (RKNDs). K. Fu et al. [21] proposed a mixed integer linear program (MILP)-based method to automatically search for differential features and linear approximations of SPECK. They also use this feature to improve the differential analysis of SPECK, which improves the analysis effect. It can be seen that the security provided by static structures is limited. Therefore, this paper attempts to improve the resistance of ARX-based lightweight block ciphers to potential attacks by adding less dynamic control logic and dynamic calling of some components. There are also some current designs for dynamic ciphers. J. Yang and L. Li et al. [22] proposed an SPN-based dynamic lightweight block cipher DULBC, which is a dynamic variation of the overall structure of the cipher. A. D. Dwivedi [23] proposed BRISK, which uses two different cryptographic components to encrypt data. It is worth noting that dynamic changes to the overall structure of the cipher will require more hardware resources. In contrast to these cipher design ideas, this paper is a dynamic variation on the linear component of the cipher. It does not consume excessive additional hardware resources in hardware implementation. In each round of encryption, the non-linear operations are still performed first and then the diffusion of the cipher is enhanced by different linear permutation operations.

For ARX-based lightweight block ciphers, this paper summarizes three of their currently prevalent weaknesses. 1) Only half of the data is changed in one round, which is poorly diffused. It also makes them require a large number of iterative rounds to improve the security of the cipher. 2) Traditional ARX-based lightweight block ciphers are usually a static structure. The security of their encryption is usually not particularly high. 3) ARX-based lightweight block ciphers have poor diffusion when the initial plaintext and key are all 0 or all 1. It is mainly due to the nature of the AND operation. To overcome the above three weaknesses, this paper proposes a new dynamic ARX-based lightweight block cipher, called DABC. Our contributions mainly include the following aspects:

• This paper combines ARX operation and Feistel structure to design a new variant of the generalized Feistel network (GFN) structure. The structure can change all data in one round, which overcomes the weakness of traditional ARX-based lightweight block cipher that only changes half of the data in one round. Meanwhile, its encryption and decryption are highly consistent.

• The dynamic permutation layer is proposed by combining the generalized two-dimensional cat map with the key. The first 2 bits of the key are used as the parameters of the generalized two-dimensional cat map. The dynamic permutation layer with four different permutation effects is constructed by circular shift and iterative operations on the generalized two-dimensional cat map, which improves the uncertainty between different rounds of the cipher. It can implement by wiring and does not consume excessive resources in hardware implementation.

• The odd and even rounds use round functions 𝐹1 and 𝐹0 for encryption, respectively. 𝐹0 uses AND operation as a non-linear component, while 𝐹1 uses the NAND operation. The approach increases the complexity of the attack without consuming too many hardware implementation resources. It solves the weakness of poor diffusion well when the initial plaintext and the key are all 0 or all 1.

• This paper conducts ASIC implementation and FPGA implementation on DABC. Avalanche effect tests and safety analysis are also performed in this paper. The results show that DABC is safe, efficient, and adaptable to resource-constrained environments.

The rest of the paper is organized as follows. This paper introduces the cipher specifications of DABC in Section 2 and the design principles of DABC in Section 3. The hardware implementation of DABC and the avalanche effect test are arranged in Section 4. Section 5 is the security analysis of the DABC. Finally, Section 6 concludes this paper.

2. Specification of DABC

DABC is based on a variant of the GFN structure with four branches, which has a 64-bit block with a 96-bit or 128-bit key block. The number of encryption rounds (𝑅𝑅) for DABC64/96 and DABC64/128 is 27 and 33, respectively.

2.1 Encryption algorithm

The plaintext is divided into four blocks of the same size in the encryption process of DABC. Then the operations such as the round function, AddRoundKey, and P1 permutation are performed sequentially. DABC mainly uses NAND and AND operations as non-linear components, while the P1 permutation layer is used as a linear component. In odd rounds, the encryption process calls the round function 𝐹1 and the key update calls the round function 𝐹0. The opposite is true in even rounds. Fig. 1 shows the encryption process of DABC. Algorithm 1 shows the detailed process of DABC.

Algorithm 1 DABC Encryption Routine.

Input: Plaintext, Key;

Output: Ciphertext;

1: (𝑋0, 𝑋1, 𝑋2, 𝑋3) ⟵ Plaintext;

2: for 𝑟 = 1 to 𝑅 do

3: 𝑋0′ = 𝑋0 ⊕ 𝑋2 ⊕ 𝑘𝑖𝑟;

4: if (𝑟 % 2 == 0) then

5: 𝑋1′ = 𝑋1 ⊕ 𝐹0(𝑋0) ⊕ 𝑘𝑖𝑙;

6: 𝑋3′ = 𝑋3 ⊕ 𝐹0(𝑋0) ⊕ 𝑋1;

7: 𝑋2′ = 𝑋2 ⊕ 𝐹0(𝑋3′) ⊕ 𝑘𝑖𝑟;

8: else

9: 𝑋1′ = 𝑋1 ⊕ 𝐹1(𝑋0) ⊕ 𝑘𝑖𝑙;

10: 𝑋3′ = 𝑋3 ⊕ 𝐹1(𝑋0) ⊕ 𝑋1;

11: 𝑋2′ = 𝑋2 ⊕ 𝐹1(𝑋3′) ⊕ 𝑘𝑖𝑟;

12: end if

13: if (𝑟 ≤ (𝑅 − 1)) then

14: state = P1(𝑋0′||𝑋1′||𝑋2′||𝑋3′);

15: else

16: state = 𝑋0′||𝑋1′||𝑋2′||𝑋3′;

17: end if

18: end for

19: Ciphertext ⟵ state;

20: Return Ciphertext;

E1KOBZ_2023_v17n1_165_f0001.png 이미지

Fig. 1. The encryption process of DABC.

2.2 Round function

The main difference between the round functions 𝐹0 and 𝐹1 is that 𝐹1 uses the NAND operation (!&) as a nonlinear component, while 𝐹0 uses the AND operation (&). Fig. 2 shows the round functions 𝐹0 and 𝐹1. They together include three operations: left circular shift by 3 bits (⋘ 3), left circular shift by 1 bit (⋘ 1), and an XOR operation (⊕).

E1KOBZ_2023_v17n1_165_f0002.png 이미지

Fig. 2. The operation process of round function.

The 𝐹0 as described in formula (1), where 𝑛 = 64:

\(\begin{aligned}\left\{\begin{array}{c}\{0,1\}^{n / 4} \times\{0,1\}^{n / 4} \rightarrow\{0,1\}^{n / 4} \\ X^{\prime}=X \\ Y^{\prime}=F_{0}(X) \oplus Y=\left(\left(X \&\left(X^{<<< 3}\right)\right) \oplus X^{<<< 1}\right) \oplus Y .\end{array}\right.\end{aligned}\)       (1)

The 𝐹1 as described in formula (2):

\(\begin{aligned}\left\{\begin{array}{c}\{0,1\}^{n / 4} \times\{0,1\}^{n / 4} \rightarrow\{0,1\}^{n / 4} \\ X^{\prime}=X \\ Y^{\prime}=F_{1}(X) \bigoplus Y=\left(\left(X ! \&\left(X^{<<< 3}\right)\right) \bigoplus X^{<<<1}\right) \bigoplus 1\end{array}\right.\end{aligned}\)       (2)

2.3 P1 permutation layer and AddRoundKey

P1 permutation layer: The P1 permutation layer of DABC is dynamic. It performs different bit-level permutation operations on the input data according to the value of the key. More details are described in Section 3.3.

AddRoundKey: The AddRoundKey means that two 16-bit block data are XORed with the round keys of this encryption round.

2.4 Key generator and AddRoundconstant

Key generator: The key generator of DABC supports two different versions of keys, 96-bit and 128-bit. The 96-bit initial key 𝑘0||𝑘1||. . . ||𝑘95 is divided into six 16-bit blocks 𝐾0||𝐾1||𝐾2||𝐾3||𝐾4||𝐾5. Then proceed as follows, where 𝑛 takes 0 in odd rounds and 1 in even rounds, 0 ≤ 𝑖 ≤ 𝑅 − 1, 0 ≤ counter ≤ 𝑅 − 1:

• 𝐾0||𝐾1||𝐾2||𝐾3||𝐾4||𝐾5 = (𝑘0||𝑘1|| ⋯ ||𝑘94||𝑘95)<<<37;

• 𝑘60||𝑘61||𝑘62||𝑘63||𝑘64 = 𝑘60||𝑘61||𝑘62||𝑘63||𝑘64 ⊕ counter;

• 𝑘𝑖𝑙 = 𝐹𝑛(𝐾0) ⊕ 𝐾2, 𝑘𝑖𝑟 = 𝐹𝑛(𝐾1) ⊕ 𝐾3.

The 128-bit initial key 𝑘0||𝑘1|| ⋯ ||𝑘127 is divided into eight 16-bit blocks 𝐾0||𝐾1||𝐾2||𝐾3||𝐾4||𝐾5||𝐾6||𝐾7. The following operations are performed in turn:

• 𝐾0||𝐾1||𝐾2||𝐾3||𝐾4||𝐾5||𝐾6||𝐾7 = (𝑘0||𝑘1|| ⋯ ||𝑘127)<<<38;

• 𝑘60||𝑘61||𝑘62||𝑘63||𝑘64||𝑘65 = 𝑘60||𝑘61||𝑘62||𝑘63||𝑘64||𝑘65 ⊕ counter;

• 𝑘𝑖𝑙 = 𝐹0(𝐾0) ⊕ 𝐾2 ⊕ 𝐹1(𝐾4), 𝑘𝑖𝑟 = 𝐹0(𝐾1) ⊕ 𝐾3 ⊕ 𝐹1(𝐾5).

𝐾ey′ = 𝐾0||𝐾1||𝑘𝑖𝑙||𝑘𝑖𝑟||𝐾4||𝐾5(for 128-bit initial key, 𝐾ey′ = 𝐾0||𝐾1||𝑘𝑖𝑙||𝑘𝑖𝑟||𝐾4||𝐾5||𝐾6||𝐾7) as the input value for next round of key updates. The generated 𝑘𝑖𝑙 and 𝑘𝑖𝑟 are round keys used for the AddRoundKey operation. Fig. 3 shows the core process of the DABC64/96 key generator.

E1KOBZ_2023_v17n1_165_f0003.png 이미지

Fig. 3. The core operation process of key generator (left: odd rounds, right: even rounds).

AddRoundconstant: The current number of encryption rounds is used as the round constant (counter) of DABC, which is described as 𝑐0||𝑐1||𝑐2||𝑐3||𝑐4 (for 128-bit initial key, counter = 𝑐0||𝑐1||𝑐2||𝑐3||𝑐4||𝑐5). The round constant is XORed with the corresponding bits of the key.

2.5 Decryption algorithm

It is necessary to perform linear rP1 and NP1 permutations on the encryption data to make the encryption and decryption structures highly reusable. See section 3.3 for the principle of NP1. In addition, the round keys are used in reverse order during decryption. The two round keys 𝑘𝑖𝑙 and 𝑘𝑖𝑟 of the same round also need to be swapped in the AddRoundKey operation. rP1 permutation means that the branches are output in reverse order, which is performed before and after the round function operation. In the hardware implementation, the rP1 and NP1 permutations can be implemented by wiring operations. Therefore the decryption process does not consume many additional resources.

3. Design rationale of DABC

DABC is designed mainly to solve the poor diffusion of traditional ARX-based lightweight block ciphers and increases security through a dynamic encryption structure. In order to avoid continuous linear operations, this paper chooses dynamic changes in some components instead of dynamic changes in the overall structure of the cipher. It also reduces the resources consumed in hardware implementation. The specific design details of DABC are described next.

3.1 Cipher structure

The DABC proposed in this paper has the following characteristics. Firstly, it can change all data in one round of encryption, which overcomes the slow diffusion of the traditional ARX-based lightweight block cipher. Secondly, the round functions 𝐹1 and 𝐹0 are used alternately in DABC encryption, which is safer than a single round function. At the same time, a dynamic permutation layer P1 is designed based on the generalized two-dimensional cat map, which increases the randomness of the cipher structure. Finally, DABC retains the advantage that the decryption process of the Feistel structure can highly reuse the encryption process. Therefore, the decryption process does not consume many additional resources.

3.2 Round function F0 and F1

The ARX-based lightweight block cipher suffers from poor diffusion when the plaintext and the key are all 0 or all 1. For example, the first 4 rounds of SIMON, SPECK, and SAND ciphertext change very little when plaintext and key are all 0 or all 1. It is not until rounds 5 or 6 that the ciphertext changes significantly, which is caused by the nature of the AND operation. This paper introduces the NAND operation to break the effect of AND operation. The purpose of using round functions alternatively is also to solve this problem. DABC changed significantly in the second round of ciphertext when the plaintext and the key are all 0 or all 1, so it can be considered that DABC has high diffusion. AND and NAND operations are used as non-linear components for the round functions 𝐹0 and 𝐹1, respectively. NAND gate resources in most standard libraries are less than AND gate resources. Compared to traditional ARX-based lightweight block ciphers, the alternate use of round functions can increase the complexity of the attack without increasing too many hardware resources. The round function also involves left circular shift and XOR operations. Overall, it is beneficial to hardware implementation.

3.3 Key generator

DABC supports two key sizes to accommodate resource-constrained environments with different security strengths. For high-security environments, the 128-bit version of the key meets the security key length requirements in the NIST standard. The order of round function calls in the key generator is the opposite of the encryption process. It effectively improves the problem of poor diffusion when the plaintext and the key are all 0 or all 1.

3.4 P1 and NP1 permutation layer

The two-dimensional cat map is a pixel shuffling scheme that goes through multiple iterations to upset the pixel positions in the image, which happens to be similar to the effect of a linear permutation layer in a grouping cipher. However, the first position coordinate does not change when position coordinates are transformed through the two-dimensional cat map. To avoid this situation, a left-loop operation is added after each iteration in this paper.

This paper designs a key-related dynamic permutation layer P1 based on the generalized two-dimensional cat map. P1 increases the randomness of the cipher structure more than the traditional static permutation layer. It can be implemented with wiring operations, which do not consume excessive hardware resources. The generalized two-dimensional cat map used by DABC is shown in formula (3):

\(\begin{aligned}\left[\begin{array}{l}x_{1} \\ y_{1}\end{array}\right]=\left[\begin{array}{cc}g+2 & g+1 \\ 1 & 1\end{array}\right]\left[\begin{array}{l}x_{0} \\ y_{0}\end{array}\right] \bmod N\end{aligned}\)       (3)

where 𝑔 is the control parameter of the generalized two-dimensional cat map. 𝑁 is the number of digits of input data, which is 8. Let 𝑥0 and 𝑦0 be the original position coordinates of the data, and let 𝑥1 and 𝑦1 be the position coordinates after being scrambled by the generalized two-dimensional cat map.

The input data of the P1 is arranged in the form of 8 × 8 two-dimensional matrix, as shown in formula (4):

\(\begin{aligned}\left[\begin{array}{cccc}Y_{0,0} & Y_{0,1} & \cdots & Y_{0, y_{0}} \\ Y_{1,0} & Y_{1,1} & \cdots & Y_{1, y_{0}} \\ \vdots & \vdots & \vdots & \vdots \\ Y_{x_{0}, 0} & Y_{x_{0}, 1} & \cdots & Y_{x_{0}, y_{0}}\end{array}\right]\end{aligned}\)       (4)

The position coordinates of data in the matrix are used as the input values of generalized two-dimensional cat map. The results of map are used as the new position coordinates of data. The above operation is iterated 16 times. In the first 15 iterations, the result is subjected to a 3-bit left circular shift operation after each iteration is completed. The permutation relationship between the final permutation result and the position coordinates of initial data is used as the P1 permutation. It should be noted that the first 2 bits of the key are used as the value of map control parameter 𝑔. Four permutation tables are generated by the above method based on different values of the control parameter 𝑔. Select one of the tables to replace the data based on the first 2 bits of the key. Tables 1 to 4 show the different elemental values of P1, respectively.

Table 1. P1 permutation table when 𝑔 = 0.

E1KOBZ_2023_v17n1_165_t0001.png 이미지

Table 2. P1 permutation table when 𝑔 = 1

E1KOBZ_2023_v17n1_165_t0002.png 이미지

Table 3. P1 permutation table when 𝑔 = 2.

E1KOBZ_2023_v17n1_165_t0003.png 이미지

Table 4. P1 permutation table when 𝑔 = 3.

E1KOBZ_2023_v17n1_165_t0004.png 이미지

The NP1 permutation layer is constructed from the inverse map of the generalized two-dimensional cat map. Formula (5) shows its inverse map.

\(\begin{aligned}\left[\begin{array}{l}x_{0} \\ y_{0}\end{array}\right]=\left[\begin{array}{cc}1 & -g-1 \\ -1 & g+2\end{array}\right]\left[\begin{array}{l}x_{1} \\ y_{1}\end{array}\right] \bmod N\end{aligned}\)       (5)

The NP1 layer is constructed in a similar way to the P1 layer. The difference is that in the first 15 of the 16 iterations, a 3-bit right circular shift operation is performed after each completion.

4. Performance evaluation

4.1 Avalanche effect

The avalanche effect is an indicator of the diffusion effect, which is related to the randomness of the cipher. If the avalanche effect is too poor, the cipher can be easily cracked by an attacker. Therefore, the designed cipher needs to meet the avalanche effect. Half of the output binary bits change when one of the binary bits of the cipher input changes. It can be considered the cipher with a good avalanche effect. The strict avalanche criterion means that every bit in the output has a 50% probability of changing when any input bit is inverted.

This paper assesses average change digit (𝑤𝑣), average change probability (𝑃𝑟𝑣), avalanche effect degree (𝐴𝑑), and strict avalanche criterion degree (𝐴𝑐d) of the output change when the input 1-bit changes. In addition, 𝑤𝑣 ≈ 𝑛/2 (𝑛 is the bit width of the plaintext), 𝐴𝑑 ≈ 1, and 𝐴cd ≈ 1 indicate that the avalanche effect of the cipher is splendid. 𝑃𝑟𝑣 ≈ 0.5 indicates that the cipher satisfies the strict avalanche criterion.

In order to make the experimental data results more accurate and scientific, this paper has carried out 10,000 sample tests on DABC, Piccolo64/128, HIGHT64/128, Simeck64/128, SIMON64/96, and SPECK64/96 according to the same avalanche effect test method. Table 5 shows that 𝑤𝑣, 𝑃𝑟𝑣, 𝐴𝑑, and 𝐴cd of DABC are as close to ideal as the compared ciphers. In summary, DABC can be considered to have a good avalanche effect.

Table 5. Comparison of avalanche effect data of various ciphers.

E1KOBZ_2023_v17n1_165_t0005.png 이미지

4.2 Hardware implementation

The throughput of cipher is important, which is related to the efficiency of data transfer in the network. At the same time, it is also necessary to consider the hardware resource and energy consumption of the cipher in a resource-constrained environment. This paper proposes a round-based architecture for DABC. Fig. 4 shows the round-based architecture for DABC64/96. The architecture is conducive to the low-resource implementation of DABC for resource-constrained environments. The design idea of round-based architecture is repeatedly invoking the components of encryption. One round of encryption is one clock cycle. Twenty-seven and thirty-three clock cycles are required for DABC64/96 and DABC64/128, respectively.

E1KOBZ_2023_v17n1_165_f0004.png 이미지

Fig. 4. Round-based architecture for DABC.

4.2.1 ASIC implementation

The ASIC implementation of DABC has been synthesized by the UMCL18G212 Synchronous Design Compiler A-2007.12-SP1T3 standard cell library. The logic process of the library is UMCL180 0.18µm 1P6M with a clock frequency of 100KHz and a standard voltage of 1.8V.

The round-based architecture of DABC mainly includes the following operations: round function, AddRoundKey, AddRoundconstant, and dynamic P1 permutation. Among them, the circular shift operation in the round function module can be realized by wiring operation without spending additional hardware resources. The dynamic effect of P1 permutation is achieved by adding a 4-to-1 multiplexer. Use the first 2 bits of each 𝐾ey as a control signal to select the permutation table corresponding to 𝑔=0, 1, 2, or 3 in the order, when the 2 bits are "00", "01", "10", or "11". The specific hardware resource consumption of DABC is as follows (in 0.18µm standard process library): an AND gate consumes 1.33GE, a NAND gate consumes 1GE, and an XOR gate consumes 2.67GE. The round function module includes a 16-bit XOR gate, a 16-bit AND gate, and a 16-bit NAND gate, which require a total of 80GE. Two 16-bit AddRoundKey is equivalent to two 16-bit XOR gates, which require 85.44GE. The encryption process includes four 16-bit XOR operations and two round function modules, which require a total of 330.88GE. 5-bit AddRoundconstant is equivalent to 5-bit XOR operation, which requires 13.35GE (which requires 16.02GE for DABC64/128). The 96-bit and 128-bit key generators require 245.44GE and 405.44GE, respectively. The 64-bit plaintext and 96-bit key registers require a total of 832.32GE. The 64-bit plaintext and 128-bit key registers require a total of 981.76GE. The control logic requires 20GE. In total, DABC64/96 and DABC64/128 require 1527.43GE and 1839.54GE, respectively. For better performance comparison, this paper also implemented DABC64/96 and DABC64/128 under IBM 130µm standard process library (for 0.13µm, an AND gate consumes 1.25GE, a NAND gate consumes 0.75GE, and an XOR gate consumes 2GE). Table 6 shows the resource comparison of DABC with other lightweight packet ciphers. In general, DABC has certain advantages in hardware implementation.

Table 6. Comparison of hardware resources between DABC and other ciphers.

E1KOBZ_2023_v17n1_165_t0006.png 이미지

4.2.2 FPGA implementation

The round-based RTL file of DABC was obtained through ISE Design Suite 14.6 and mapped to the Xilinx Virtex-5 FPGA development board to evaluate its hardware performance. Table 7 shows the hardware performance of the DABC.

Table 7 Hardware performance of DABC on Virtex-5.

E1KOBZ_2023_v17n1_165_t0007.png 이미지

This paper implements DABC on Virtex-5 FPGA and tries its best to find some lightweight block ciphers implemented on Virtex-5 FPGA. Table 8 shows the FPGA implementation performance with different ciphers, where 𝑇ℎ𝑟 is the throughput at the maximum frequency (𝐹). This paper also counts the throughput 𝑇ℎ𝑟* under a unified 13.56MHz to better compare the throughput. Although the 𝑇ℎ𝑟* of LEA128/128 [29] and LEA128/128 [30] are higher than DABC64/128, the LUT of LEA128/128 [29] and LEA128/128 [30] are 47% and 52% higher than DABC64/128, respectively. The Flip Flop, Slice, and LUT of other ciphers are not much different from DABC, but 𝑇ℎ𝑟* is lower than DABC. Fig. 5 shows the comparison of Flip Flop, Slice, and LUT parameters implemented on Virtex-5 FPGA. Fig. 6 shows the throughput comparison of each cipher at the 13.56MHz frequency on Virtex-5 FPGA. In Fig. 5 and Fig. 6, 𝑎, 𝑏, 𝑐, 𝑑, 𝑒, 𝑓, 𝑔, ℎ, 𝑖, 𝑗, 𝑘, and 𝑙 represent the lightweight block ciphers IPRESENT, PRESENT64/80, RPRESENT64/128, PRESENT64/128, LEA128/128 [28], LEA128/128 [29], LEA 128/128 [30], RAMRECTANGLE, QTL64/64, XTEA, DABC64/96, and DABC64/128, respectively. In summary, it can be seen that DABC achieves a good balance between throughput and hardware implementation resources from the above comparison results.

E1KOBZ_2023_v17n1_165_f0005.png 이미지

Fig. 5. Flip Flop, Slice and LUT comparison of various ciphers on Virtex-5.

E1KOBZ_2023_v17n1_165_f0007.png 이미지

Fig. 6. Throughput comparison of various ciphers at 13.56MHz onVirtex-5.

Table 8. Hardware performance comparison of various ciphers on Virtex-5.

E1KOBZ_2023_v17n1_165_t0008.png 이미지

𝑇ℎ𝑟*: represents the parameter calculated at a fixed frequency of 13.56 MHz. 𝐹: represents maximum frequency. -: represents uncertainty. I: represents the Iterative architecture. R: represents the Round-based architecture. RAM: represents the RAM based architecture.

5. Security analysis

5.1 Differential analysis

Differential analysis is the analysis method introduced by E. Biham and A. Shamir [36] in the cryptanalysis of FEAL, which was the classical analysis method in cryptanalysis. The main idea of differential analysis is to take a pair of plaintexts and analyze the propagation of their differences by the iterative process.

This paper refers to the method of K. Fu et al. [21] to calculate the differential probability of DABC. Differential analysis modeling of DABC using MILP automatic analysis method with the help of Gurobi optimizer. The best differential characteristics were obtained, as shown in Table 9. It can be seen that the differential probability for the first 10 rounds of DABC is 2−146, which is much smaller than 2−64. Therefore, DABC64/96 for 27 rounds and DABC64/128 for 33 rounds can be considered to resist differential analysis.

Table 9. Differential characteristic for DABC.

E1KOBZ_2023_v17n1_165_t0009.png 이미지

5.2 Linear analysis

Linear analysis is a new attack method proposed by M. Matsui [37] for the DES. Similar to differential analysis, linear analysis is also a classical analysis method in cryptanalysis. It recovers the key by studying the linear relationship between plaintext and ciphertext. This paper assumes its input mask value and tracks the iterative process of the DABC round function to obtain the corresponding linear characteristic probabilities. Its value is sufficiently small by calculating its linear probability. Therefore, DABC is considered to resist linear analysis.

5.3 Impossible differential analysis

Impossible differential analysis [38] is a variant of differential analysis. In this section, impossible differential analysis is performed for DABC. This paper finds two differential paths 𝐸0 and 𝐸1 of DABC with a differential probability of 1. 𝐸0: Δ𝛼 → Δ𝛽 is the path of encryption direction. 𝐸1: Δ𝛾 → Δ𝜁 is the path of decryption direction. "1" means that the bit difference value is 1, "0" means that the bit difference value is 0, and "*" means that the bit difference value is uncertain. The input difference Δ𝛼 of 𝐸0 is (0000, 0001, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000). Carrying out two rounds of encryption operation, the output difference Δ𝛽 is obtained as (0*0*, *0**, ****, ****, 0*00, 00**, 0*0*, ***0, 00**, 0***, ****, 0**0, ****, 0*1*, 000*, ****). The input difference Δ𝛾 of 𝐸1 is (1000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000). After two rounds of decryption operations, the output difference Δ𝜁 is obtained as (00*1, 0*00, 0000, 0000, 0000, 0001, 0000, 0010, 0100, 0000, 0000, 0000, 0*00, *0*1, 0000, 0000). Fig. 7 shows the impossible differential path for 4 rounds of DABC. It can be seen from Fig. 7 that there is a contradiction when 𝐸0 and 𝐸1 meet, as shown in the red box in Fig. 7. The contradiction is the difference value for the 33rd position of Δ𝛽 is not equal to the 33rd position of Δ𝜁. It constitutes a 4-round impossible difference path of DABC.

E1KOBZ_2023_v17n1_165_f0006.png 이미지

Fig. 7. Impossible differential path for 4 rounds of DABC.

One round of forwarding decryption and two rounds of backward encryption based on the 4-round impossible difference path. The 7-round impossible difference path of DABC is obtained, as shown in Fig. 8.

E1KOBZ_2023_v17n1_165_f0008.png 이미지

Fig. 8. Impossible differential path for 7 rounds of DABC.

According to the 7-round impossible differential path, the plaintext input differential is set as:

𝑋0 = (0000,1 ∗ 00,000 ∗ ,0100);

𝑋1 = (0000,0000,0000,0000);

𝑋2 = (0000,0000,0000,0000);

𝑋3 = (0000,0000,0000,0000).       (6)

Setting the plaintext structure as follows:

𝑊𝑋00 = (𝛼1𝛼2𝛼3𝛼4, 𝛼5𝛽1𝛼6𝛼7, 𝛼8𝛼9𝛼10𝛽2, 𝛼11𝛼12𝛼13𝛼14);

𝑊𝑋10 = (𝛼15𝛼16𝛼17𝛼18, 𝛼19𝛼20𝛼21𝛼22, 𝛼23𝛼24𝛼25𝛼26, 𝛼27𝛼28𝛼29𝛼30);

𝑊𝑋20 = (𝛼31𝛼32𝛼33𝛼34, 𝛼35𝛼36𝛼37𝛼38, 𝛼39𝛼40𝛼41𝛼42, 𝛼43𝛼44𝛼45𝛼46);

𝑊𝑋30 = (𝛼47𝛼48𝛼49𝛼50, 𝛼51𝛼52𝛼53𝛼54, 𝛼55𝛼56𝛼57𝛼58, 𝛼59𝛼60𝛼61𝛼62),       (7)

where 𝛼𝑖(1 ≤ 𝑖 ≤ 62) is a constant, 𝛽𝑗(1 ≤ 𝑗 ≤ 2) is an arbitrary value.

Then, the ciphertext pairs satisfying the following differential forms are selected after 7 rounds of encryption:

Δ𝐶𝑋07 = (𝜏1𝜏20𝜏3, 0𝜏400,000𝜏5, 𝜏60𝜏70);

Δ𝐶𝑋17 = (00𝛿10, 𝛿2100, 𝛿3𝛿401,00𝛿5𝛿6);

Δ𝐶𝑋27 = (0𝜁1𝜁2𝜁3, 𝜁4𝜁5𝜁6𝜁7, 00𝜁8𝜁9, 𝜁10𝜁1110);

Δ𝐶𝑋27 = (𝜂1𝜂211,0𝜂30𝜂4, 00𝜂5𝜂6, 00𝜂7𝜂8).       (8)

It can be seen from formula (8) that the plaintext structure contains 262 plaintexts, forming a total of 2123 plaintext pairs. If 2𝑁 structures are selected, there are 262 plaintexts and 2𝑁+62 data pairs. Finally, the data complexity of the attack is 2𝑁 × 262 = 2𝑁+62 selected plaintext.

5.4 Biclique analysis

Biclique analysis [39] is a variant of the meet-in-the-middle (MITM) attacks, which is widely used in cryptanalysis for key recovery attacks based on a two-party matrix. Reducing the complexity of MITM attacks by constructing biclique structures is the basic idea behind biclique analysis.

\(\begin{aligned}K\left\{\begin{array}{c}K[0]=k_{0}\left\|k_{1}\right\| k_{2}\left\|k_{3}\right\| k_{4}\left\|k_{5}\right\| k_{6} \| k_{7} \\ K[1]=k_{8}\left\|k_{9}\right\| k_{10}\left\|k_{11}\right\| k_{12}\left\|k_{13}\right\| k_{14} \| k_{15} \\ \vdots \\ K[10]=k_{80}\left\|k_{81}\right\| k_{82}\left\|k_{83}\right\| k_{84}\left\|k_{85}\right\| k_{86} \| k_{87} \\ K[11]=k_{88}\left\|k_{89}\right\| k_{90}\left\|k_{91}\right\| k_{92}\left\|k_{93}\right\| k_{94} \| k_{95}\end{array}\right.\end{aligned}\)       (9)

The initial key of DABC is divided into the form shown in formula (9). Table 10 shows the initial keys involved in each round of round keys. The 4-round Δ𝑖 differential path is obtained by backward encrypting 4 rounds using the 18th round key 𝐾[6]. The 4-round ∇𝑗 differential path is obtained by forward decrypting 4 rounds using the 19th round key 𝐾[1]. The active bytes in the Δ𝑖 differential path are inactive bytes in the ∇𝑗 differential path and vice versa (active bytes refer to bytes with a difference other than 0, and inactive bytes refer to bytes with a difference of 0). The two differential paths are combined to form an 8-round biclique structure from rounds 15 to 22. Formula (10) shows parting the key. It is represented by a 4 × 2 matrix to simplify the key space, where 𝐾[•] represents an 8-bit block of data.

Table 10. The initial keys involved in each round of round keys.

E1KOBZ_2023_v17n1_165_t0010.png 이미지

\(\begin{aligned}\left[\begin{array}{cc}K[1], K[2] & K[3], K[4] \\ K[5], \boldsymbol{K}[\mathbf{6}] & K[7], K[8] \\ K[10], K[11] & K[0], \boldsymbol{K}[\mathbf{1}] \\ K[2], K[3] & K[4], K[5]\end{array}\right]\end{aligned}\)       (10)

The 8-round biclique structure consists of 2𝑑 ciphertexts 𝐶𝑛(0 ≤ 𝑛 ≤ 2d) , 2𝑑 intermediate states 𝑆𝑛(0 ≤ 𝑛 ≤ 2𝑑) , and keys 𝐾(𝐾(𝑖,𝑗)) . The difference Δ𝑖 and the difference ∇𝑗 are derived from ∆𝑖𝐾 and ∇𝑗𝐾 respectively. In this paper, the difference corresponding to 𝐾[6] is 𝑖 and the difference corresponding to 𝐾[1] is 𝑗. The remaining 80-bit will iteratively take all possible values.

The non-linear component in this paper refers to the AND operation and the NAND operation, but these differential components do not share active non-linear components. This paper uses the formula (11) to express the difference relation between (𝑆0, ∆𝑖𝐾, ∇𝑗𝐾, 𝐶0).

\(\begin{aligned}S_{0} \oplus \Delta_{i}^{K} \frac{K_{[0,0]} \oplus \Delta_{i}^{K} \oplus \nabla_{j}^{K}}{f} \rightarrow C_{0} \oplus \nabla_{j}^{K}\end{aligned}\)       (11)

This paper has successfully constructed an 8-dimensional double factorial structure for DABC. Corresponding plaintext pair 𝑃𝑖 is obtained when the ciphertext pair 𝐶𝑛 is decrypted with the key 𝐾hide. Formula (12) holds when 𝐾[𝑖,𝑗] = 𝐾hide. Meanwhile, \(\begin{aligned}\vec{v}\end{aligned}\) and \(\begin{aligned}\overleftarrow{v}\end{aligned}\) are called matches, which means 𝐾[𝑖,𝑗] is a candidate key for 𝐾hide. Then the full round of DABC keys is recovered.

\(\begin{aligned}P_{i} \frac{K_{[i, j]}}{\varepsilon_{1}} \rightarrow \vec{v} \stackrel{?}{=} \overleftarrow{v} \leftarrow \frac{K_{[i, j]}}{\varepsilon_{2}} S_{j}\end{aligned}\)       (12)

5.4.1 Complexity of recovering the key

The time complexity is usually used to measure the effectiveness of a biclique attack. Formula (13) shows the time complexity calculation process of key recovery:

𝐶full = 2𝐾−2𝑑(𝐶Biclique + 𝐶precomp + 𝐶recomp + 𝐶falsepas),       (13)

where 𝐶full represents the time complexity of recovering the key. 𝐾 is the bit size of the key. 𝑑 is the dimension of the constructed biclique structure, where 𝑑 = 8. 𝐶biclique represents the complexity of constructing the biclique structure. It is at most 8-rounds of calculation after our analysis, Cbiclique = 2𝑑+1 × (8/27) = 27.25. 𝐶precomp represents the pre-calculated complexity of matching detection. Pre-calculating the remaining rounds of DABC, the obtained complexity result is 28 × (19/27) ≈ 27.49. 𝐶recomp represents the complexity of the recalculation process. Recalculation requires sixteen 16-bit AND operations and sixteen 16-bit NAND operations in our analysis. DABC requires a total of fifty-two 16-bit AND operations and fifty-four 16-bit NAND operations, \(\begin{aligned}C_{\text {recomp }}=2^{16} \times \frac{16 \times 16}{52 \times 54} \approx 2^{12.54}\end{aligned}\). Cfalsepas refers to the complexity of matching 𝑣 at the wrong position. The value is 28 when matching a single byte. The matching in formula (12) is performed on a single byte. Finally, 𝐶full = 296−2×8 × (27.25 + 27.49 + 212.54 + 28) ≈ 292.68.

5.5 Side-channel analysis

Side-channel analysis is a current attack against hardware implementations of cryptographic algorithms. It takes advantage of the correlation between the physical leakage generated by the encryption device at runtime and the intermediate state operations. The correlation is analyzed by mathematical-statistical methods. The key is recovered according to the results of the analysis. A variety of attack methods have been proposed, such as power analysis, time analysis, electromagnetic analysis, and so on. The defense against such attacks is generally by adding mask countermeasures to the algorithm. For example, Y. Ou and L. Li [40] resist side-channel analysis by adding the first-order mask to AES. The n-order mask can prevent n-order side-channel analysis. Its attack cost increases exponentially for each additional order of attack. Considering that lightweight block ciphers are generally applied in resource-constrained environments, they are generally protected by adding first-order masks. Since mask technology is mature, this paper will not discuss it too much here.

6. Conclusion

This paper proposes a new dynamic ARX-based lightweight block cipher to address the slow diffusion and low security of ARX-based lightweight block ciphers, called DABC. Firstly, DABC adopted a new variant of the GFN structure, which has high diffusion and can change all data in one round. It overcomes the weakness that the traditional ARX-based lightweight block cipher only changes half of the data in one round. Second, the generalized two-dimensional cat map and the key are combined to construct a dynamic linear permutation layer. The data is subjected to different permutation operations according to different values of the key in each round. Compared with a single linear permutation layer, it increases the randomness of the cipher structure and improves the poor security of the traditional ARX-based lightweight block cipher. In the round function part, NAND and AND operations are used as nonlinear components for odd and even rounds, respectively, which further increases the complexity of the attack. It also overcomes the weakness of poor diffusion when the initial plaintext and key are all 0 or all 1. This paper proposes a round-based architecture of DABC and conducted ASIC implementation and FPGA implementation. The results show that DABC consumes fewer hardware resources and has a high throughput, which is suitable for a resource-constrained environment. This paper performs avalanche tests on DABC, Piccolo, HIGHT, Simeck, SIMON, and SPECK by the same test methods. DABC has a good avalanche effect while satisfying the strict avalanche criterion after comparison. Finally, this paper conducts a security analysis of DABC. The analysis results show that DABC has good security and can resist differential analysis, linear analysis, impossible differential analysis, biclique analysis, and side-channel analysis.

Acknowledgement

This research is supported by the Hunan Provincial Natural Science Foundation of China(2022JJ30103, 2022JJ50016), the Science and Technology Innovation Program of Hunan Province (2016TP1020), Open fund project of Hunan Provincial Key Laboratory of Intelligent Information Processing and Application for Hengyang Normal University (2022HSKFJJ011), “the 14th Five-Year Plan” Key Disciplines and Application-oriented Special Disciplines of Hunan Province (Xiangjiaotong [2022] 351).

References

  1. J. Cheng, S. Guo, J. He, "An extended type-1 generalized feistel networks: Lightweight block cipher for iot," IEEE Internet of Things Journal, vol. 9, no. 13, pp. 11408-11421, 2022.  https://doi.org/10.1109/JIOT.2021.3126317
  2. X. Li, M. H. Ibrahim, S. Kumari, et al., "Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks," Computer Networks, vol. 129, pp. 429-443, 2017. https://doi.org/10.1016/j.comnet.2017.03.013
  3. H. Shin, H. K. Lee, H.-Y. Cha, et al., "Iot security issues and light weight block cipher," in Proc. of 2019 International Conference on Artificial Intelligence in Information and Communication (ICAIIC), IEEE, Okinawa, Japan, pp. 381-384, 2019.
  4. K. Shibutani, T. Isobe, H. Hiwatari, et al., "Piccolo: an ultra-lightweight block cipher," in Proc. of International workshop on cryptographic hardware and embedded systems, Springer, Berlin, Heidelberg, pp. 342-357, 2011.
  5. T. Suzaki, K. Minematsu, S. Morioka, et al., "Twine: A lightweight block cipher for multiple platforms," in Proc. of International Conference on Selected Areas in Cryptography, Springer, Berlin, Heidelberg, pp. 339-354, 2012.
  6. L. Li, B. Liu, H. Wang, "Qtl: a new ultra-lightweight block cipher," Microprocessors and Microsystems, vol. 45, pp. 45-55, 2016. https://doi.org/10.1016/j.micpro.2016.03.011
  7. A. Bogdanov, L. R. Knudsen, G. Leander, et al., "Present: An ultra-lightweight block cipher," in Proc. of International workshop on cryptographic hardware and embedded systems, Springer, Berlin, Heidelberg, pp. 450-466, 2007.
  8. S. Banik, A. Bogdanov, T. Isobe, et al., "Midori: A block cipher for low energy," in Proc. of International Conference on the Theory and Application of Cryptology and Information Security, Springer, Berlin, Heidelberg, pp. 411-436, 2015.
  9. W. Zhang, Z. Bao, D. Lin, et al., "Rectangle: a bit-slice lightweight block cipher suitable for multiple platforms," Science China Information Sciences, vol. 58, no. 12, pp. 1-15, 2015.  https://doi.org/10.1007/s11432-015-5459-7
  10. C. Beierle, J. Jean, S. Kolbl, et al., "The skinny family of block ciphers and its low-latency variant mantis," in Proc. of Annual International Cryptology Conference, Springer, Berlin, Heidelberg, pp. 123-153, 2016.
  11. D. Dinu, A. Biryukov, J. Grossschadl, et al., "Felics-fair evaluation of lightweight cryptographic systems," in Proc. of NIST Workshop on Lightweight Cryptography, Vol. 128, 2015. 
  12. D. Hong, J. Sung, S. Hong, et al., "Hight: A new block cipher suitable for low-resource device," in Proc. of International workshop on cryptographic hardware and embedded systems, Springer, Berlin, Heidelberg, pp. 46-59, 2006.
  13. R. Beaulieu, D. Shors, J. Smith, et al., "The simon and speck lightweight block ciphers," in Proc. of the 52nd annual design automation conference, Association for Computing Machiner, New York, NY, USA, pp. 1-6, 2015.
  14. G. Yang, B. Zhu, V. Suder, et al., "The simeck family of lightweight block ciphers," in Proc. of International Workshop on Cryptographic Hardware and Embeddedm Systems, Springer, Berlin, Heidelberg, pp. 307-329, 2015.
  15. Y. Guo, L. Li, B. Liu, "Shadow: A lightweight block cipher for iot nodes," IEEE Internet of Things Journal, vol. 8, no. 16, pp. 13014-13023, 2021. https://doi.org/10.1109/JIOT.2021.3064203
  16. S. Chen, Y. Fan, L. Sun, et al., "Sand: an and-rx feistel lightweight block cipher supporting s-box-based security evaluations," Designs, Codes and Cryptography, vol. 90, no. 1, pp. 155-198, 2022. https://doi.org/10.1007/s10623-021-00970-9
  17. B. Koo, D. Hong, D. Kwon, "Related-key attack on the full hight," in Proc. of International Conference on Information Security and Cryptology, Springer, Berlin, Heidelberg, pp. 49-67, 2010. 
  18. J. Song, K. Lee, H. Lee, "Biclique cryptanalysis on lightweight block cipher: Hight and piccolo," International Journal of Computer Mathematics, vol. 90, no. 12, 2013, pp. 2564-2580, 2013.  https://doi.org/10.1080/00207160.2013.767445
  19. B. Ryabko, A. Soskov, "The distinguishing attack on speck, simon, simeck, hight and lea," IACR Cryptol. ePrint Arch, vol. 47, pp. 1-9, 2018.
  20. J. Lu, G. Liu, Y. Liu, et al., "Improved neural distinguishers with (related-key) differentials: Applications in simon and simeck," Cryptography and Security, 2022.
  21. K. Fu, M. Wang, Y. Guo, et al., "Milp-based automatic search algorithms for differential and linear trails for speck," in Proc. of International Conference on Fast Software Encryption, Springer, Berlin, Heidelberg, pp. 268-288, 2016.
  22. J. Yang, L. Li, Y. Guo, et al., "Dulbc: A dynamic ultra-lightweight block cipher with high-throughput," Integration, vol. 87, pp. 221-230, 2022. https://doi.org/10.1016/j.vlsi.2022.07.011
  23. A. D. Dwivedi, "Brisk: Dynamic encryption based cipher for long term security," Sensors, vol. 21, no. 17, pp. 5744, 2021.
  24. J. Borghoff, A. Canteaut, T. Guneysu, et al., "Prince-a low-latency block cipher for pervasive computing applications," in Proc. of International conference on the theory and application of cryptology and information security, Springer, Berlin, Heidelberg, pp. 208-225, 2012. 
  25. T. P. Berger, J. Francq, M. Minier, et al., "Extended generalized feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput," IEEE Transactions on Computers, vol. 65, no. 7, pp. 2074-2089, 2016.
  26. M. R. Zaba, N. Jamil, M. E. Rusli, et al., "I-present tm: An involutive lightweight block cipher," Journal of Information Security, vol. 5, no, 3, pp. 114-122, 2014. https://doi.org/10.4236/jis.2014.53011
  27. R. Beaulieu, D. Shors, J. Smith, et al., "Simon and speck: Block ciphers for the internet of things," Cryptology ePrint Archive, 2015.
  28. D. Lee, D.-C. Kim, D. Kwon, et al., "Efficient hardware implementation of the lightweight block encryption algorithm lea," Sensors, vol. 14, no. 1, pp. 975-994, 2014. https://doi.org/10.3390/s140100975
  29. Z. Mishra, G. Ramu, B. Acharya, "Hight speed low area vlsi architecture for lea encryption algorithm," in Proc. of the third international conference on microelectronics, computing and communication systems, Springer, Singapore, pp. 155-160, 2019.
  30. Z. Mishra, P. K. Nath, B. Acharya, "High throughput unified architecture of lea algorithm for image encryption," Microprocessors and Microsystems, vol. 78, pp. 103214, 2020. 
  31. C. A. Lara-Nino, A. Diaz-Perez, M. Morales-Sandoval, "Lightweight hardware architectures for the present cipher in fpga," IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 64, no. 9, pp. 2544-2555, 2017. https://doi.org/10.1109/TCSI.2017.2686783
  32. N. Hanley, M. ONeill, "Hardware comparison of the iso/iec 29192-2 block ciphers," in Proc. of 2012 IEEE computer society annual symposium on VLSI, IEEE, Amherst, MA, USA, pp. 57-62, 2012.
  33. L. Li, J. Feng, B. Liu, et al., "Implementation of prince with resource-efficient structures based on fpgas," Frontiers of Information Technology & Electronic Engineering, vol. 22, no. 11, pp. 1505-1516, 2021. https://doi.org/10.1631/FITEE.2000688
  34. N. Shrivastava, B. Acharya, A. S. Raghuvanshi, "Vlsi implementation of esf and qtl lightweight ciphers," in Proc. of the Fourth International Conference on Microelectronics, Computing and Communication Systems, Springer, Singapore, pp. 513-525, 2021.
  35. Z. Mishra, S. Mishra, B. Acharya, "Lea: 128 high frequency architecture with image analysis," in Proc. of 2020 International Conference for Emerging Technology (INCET), IEEE, Belgaum, India, pp. 1-5, 2020.
  36. E. Biham, A. Shamir, "Differential cryptanalysis of des-like cryptosystems," Journal of CRYPTOLOGY, vol. 4, no. 1, pp. 3-72, 1991. https://doi.org/10.1007/BF00630563
  37. M. Matsui, "Linear cryptanalysis method for des cipher," in Proc. of Workshop on the Theory and Application of Cryptographic Techniques, Springer, Berlin, Heidelberg, pp. 386-397, 1993. 
  38. D. Yang, W.-F. Qi, H.-J. Chen, "Impossible differential attacks on the skinny family of block ciphers," IET Information Security, vol. 11, no. 6, pp. 377-385, 2017. https://doi.org/10.1049/iet-ifs.2016.0488
  39. Z. Ahmadian, M. Salmasizadeh, M. R. Aref, "Biclique cryptanalysis of the full-round klein block cipher," IET Information Security, vol. 9, no. 5, pp. 294-301, 2015. https://doi.org/10.1049/iet-ifs.2014.0160
  40. Y. Ou, L. Li, "Research on a high-order aes mask anti-power attack," IET Information Security, vol. 14, no. 5, pp. 580-586, 2020. https://doi.org/10.1049/iet-ifs.2019.0602