Enhanced Message Authentication Encryption Scheme Based on Physical-Layer Key Generation in Resource-Limited Internet of Things

Abstract

The Internet of Things (IoT) is facing growing security challenges due to its vulnerability. It is imperative to address the security issues using lightweight and efficient encryption schemes in resource-limited IoT. In this paper, we propose an enhanced message authentication encryption (MAE) scheme based on physical-layer key generation (PKG), which uses the random nature of wireless channels to generate and negotiate keys, and simultaneously encrypts the messages and authenticates the source. The proposed enhanced MAE scheme can greatly improve the security performance via dynamic keyed primitives construction while consuming very few resources. The enhanced MAE scheme is an efficient and lightweight secure communication solution, which is very suitable for resource-limited IoT. Theoretical analysis and simulations are carried out to confirm the security of the enhanced MAE scheme and evaluate its performance. A one-bit flipping in the session key or plain texts will result in a 50%-bit change in the ciphertext or message authentication code. The numerical results demonstrate the good performance of the proposed scheme in terms of diffusion and confusion. With respect to the typical advanced encryption standard (AES)-based scheme, the performance of the proposed scheme improves by 80.5% in terms of algorithm execution efficiency.

1. Introduction

As a promising cyber-physical system used in various scenarios, the Internet of Things (IoT) has attracted massive attention from industry and academia. IoT integrates a large number of resource-limited devices from the physical world into a vast network to provide monitoring, positioning, and other services. Due to its open nature and large scale, IoT facessevere security threats from external attackers [1], [2]. Meanwhile, there are some potential eavesdroppers to intercept the key negotiation or message signals, and further to crack the secret key or cipher messages, which may lead to severe security issues. Therefore, efficient and lightweight secure communication schemes are needed to protect the IoT from attacks.

Conventionally, secure communication is implemented by cryptographic algorithms [3]: generating secret keys from some randomness sources, distributing or negotiating keys via asymmetric cryptography algorithms, and encrypting messages by symmetric ones, such as random number generator, Rivest-Shamir-Adleman (RSA) algorithm, and advanced encryption standard (AES) algorithm. These algorithms can achieve different secure services [3], e.g., confidentiality, integrity, source authentication, and so on. However, it is challenging to deploy these traditional application-layer cryptographic algorithms on resource-limited IoT devices because of their high computational complexity and large storage memory requirements. For example, these algorithms often perform a large number of iterative rounds to encrypt messages and at least two times to authenticate the source. Chaotic cryptographic algorithms [4], [5], [6] or elliptic curve algorithms [7] are alternative solutions, but the tremendous float-point operations make them impractical on resource-limited IoT devices.

The randomness sources are the cornerstone of the key’s secrecy which also determines the security of a cryptography algorithm. Fortunately, physical layer security (PLS) can be considered a promising solution, which exploits the random nature of wireless channels to provide secrecy [8]. To this end, based on the reciprocity of the electromagnetic waves’ propagation and the spatial uncorrelation of the wireless signals’ statistical properties, physical-layer key generation (PKG) technologies have been proposed to efficiently and securely negotiate secret keys from wireless channels [9], [10]. The reciprocity of the electromagnetic waves’ propagation and the spatial uncorrelation of the wireless signals’ statistical properties result in the uniqueness and secrecy of physical characteristics of legal users, which makes it proper for randomness sources. In the past few years, various schemes of PKG have been proposed in different communication scenarios, such as vehicle Ad hoc networks [11], backscatter communications [12], in-band full-duplex multiple-input multiple-output communications [13], dynamic meta-surface antennas [14], time division duplexing system [15] and so on. However, the key generation schemes mentioned above have not yet been integrated with encryption or authentication algorithms to give a complete, secure communication solution to resource-limited IoT.

In addition to physical-layer key generation techniques, there are some other solutions to encryption or authentication for resource-limited IoT. On the one hand, current research on encryption schemes for resource-limited IoT can be generally divided into two categories: 1) conventional encryption algorithms [4], [7] with hardware special designing and 2) burgeoning cryptographic schemes such as attribute-based encryption (ABE) [16], [17]. However, these conventional algorithms are based on one-way mathematical problems, that is, problems that are easy to perform but difficult to reverse. These algorithms require specially designed hardware to accelerate on resource-limited IoT devices. At the same time, the burgeoning ABE paradigm is not suitable for large amounts of data transmission. On the other hand, the schemes dedicated only to authentication can be divided into two categories: 1) trust-based authentication, e.g., in consensus style [18] or federated style [19], and 2) characteristic-based authentication, such as physical channel characteristics [20], [21]. However, the present trust-based schemes employ complex authenticating processes, making them unsuitable for IoT with dense data transmissions. In addition, many schemes are designed in physical-layer to provide message encryption and integrity authentication. For example, these encryption schemes are schemes based on orthogonal frequency division multiplying [22], on frequency hopping spread spectrum [23], on chirp spread spectrum [24], and on phase shift keying [25], while these authentication schemes are based on received signal strength [26], on channel state information [27], on channel frequency response [28]. To achieve data confidentiality, data integrity, and source authentication simultaneously, different message authentication encryption (MAE) algorithms have been proposed to improve security and efficiency performance. These MAE schemes either artfully combine an encryption scheme and an authentication scheme [29], [30], [31] or achieve authentication based on encryption [32].

However, these schemes mentioned above generally need a second pass to authenticate messages and demand too many computational resources, so they are not suitable for resource-limited IoT devices. These problems motivate us to design a secure communication scheme that can encrypt and authenticate messages efficiently in a lightweight way and that has enough secrecy and security to defend eavesdroppers and attackers. Therefore, we propose an efficient and lightweight secret communication scheme to simultaneously implement key generation, encryption, and authentication for IoT devices, named the enhanced MAE scheme based on PKG. The main contributions are as follows:

• We proposed a new secure communication architecture integrating the PKG with the enhanced MAE. This architecture can meet the secure requirements of IoT devices. The PKG exploits the random nature of wireless channels to generate and negotiate keys, which are further utilized in the enhanced MAE to encrypt and authenticate users' data.

• An enhanced MAE algorithm is further proposed to improve the security performance in a lightweight way. On the one hand, the security of the enhanced MAE algorithm is strengthened by the PKG. On the other hand, the enhanced MAE algorithm adopts a dynamic keyed primitives construction (KPC) algorithm. The enhanced MAE takes one round and single pass structure to encrypt and authenticate messages simultaneously in a lightweight way.

• The security performance of the proposed enhanced MAE algorithm is evaluated using theoretical analysis and computer simulations. The simulation results confirm the validity and reliability of PKG. They also show that the enhanced MAE algorithm can provide data confidentiality and integrity and significantly outperform the AES algorithm by 80.5% in terms of execution efficiency. Finally, the cryptographic analysis further confirms that the enhanced MAE algorithm can resist attacks on confidentiality and authentication.

The rest of the paper is organized as follows. The system model is presented in Section II. The proposed enhanced MAE based on PKG is presented in Section III. Simulation results and analysis are presented in Section IV. Section V concludes this paper.

2. System Model

We consider an IoT network with devices having limited computing power and memory. The IoT architecture is divided into three components: core network, gateways, and sub-networks, as depicted in Fig. 1. Devices are grouped into sub-networks and communicate with other sub-networks via gateways. These gateways are linked together via a core network. The proposed schemes are deployed at the device end and gateway end, as shown in Fig. 1. The PKG is executing on the physical layer of the network protocol stack, while the enhanced MAE is executing on the application protocol layer.

Fig. 1. The system model of the proposed scheme. Both external eavesdroppers and internal undesired users can be the attacker of a secure communication session.

Herein, we consider an abstract uniform attack model extracted from Fig. 1, as shown in Fig. 2. The abstraction is reasonable because we assume that Eve can move freely in space, but it is difficult to reach within a few half-wavelengths of Bob. Thus, these two cases are equivalent. We denote Alice and Bob as the legal users and Eve as the illegal user, e.g., the external eavesdropper or internal undesired user. The channel between Alice and Bob is assumed to be approximately static in a coherence duration. Alice and Bob must accomplish key negotiation and secret communication in the public wireless channel; that is, Eve can eavesdrop on their signals.

Fig. 2. The basis of physical key generation: reciprocity and spatial uncorrelation

According to Kerchkoff’s principle, a cipher system’s security should rely only on the secrecy of keys. The secret key is generated from some randomness sources either at one end and then transmitted to another (i.e., key distribution) or derived at two ends simultaneously (i.e., key negotiation). By using the fundamental idea of PLS, the PKG technology is a good candidate for key negotiation. The PKG technology is based on the reciprocity, spatial uncorrelation and temporal variation of physical-layer channels. Reciprocity guarantees that two users can get duplicate secret keys, spatial uncorrelation provides legal users with information advantages over illegal users, and temporal variation is the randomness source. Consequently, Alice and Bob can generate strongly correlated data from channels while keeping weakly correlated to Eve's, as shown in Fig. 2. This information advantage is derived from the physical properties of wireless channels. We will present the proposed enhanced MAE algorithm based on physical layer key generation in the next section.

3. The Proposed Enhanced Message Authentication Encryption Based on Physical-Layer Key Generation

The security of the proposed scheme is strengthened by the PKG technology and dynamic KPC procedure. The efficiency of the proposed scheme is guaranteed by the fixed-point operations and one-round architecture of the enhanced MAE algorithm. In this section, we will explicitly show the details of the PKG technology and the enhanced MAE algorithm.

3.1 A Complete Communication Session

We call a complete transmission process of data as a session and a unit of bits in a transmission procedure as a message, which will carry control information or data information. The operation process of a complete communication session is described as shown in Fig. 3. To be specific, 1) Alice firstly sends a request message, and then Bob replies with a response message, and a communication session will be established. 2) Both Alice and Bob send known pilot frequencies for channel probing, and then they quantify their probing data individually. 3) Alice sends correcting information to Bob for information reconciliation, and then they amplify privacy separately to derive keys. Thus, Alice and Bob obtain the same key. 4) Alice transmits encrypted data to Bob with the resulting key. Specifically, Alice divides the session key into subkeys and constructs cryptographic primitives. Alice further performs encryption and authentication algorithms to generate the cipher text and message authentication code (MAC). Finally, the cipher texts and MACs are sent to Bob. 5) Bob decrypts the cipher texts and verifies the MACs. A complete secure communication session is finished. Alice can decide whether to update the primitives and continue communicating or terminate the session.

Fig. 3. The running schematic diagram of the proposed communication scheme.

3.2 Physical-Layer Key Generation

The proposed scheme incorporates the classical architecture of PKG, which consists of four steps: channel probing, quantization, information reconciliation, and privacy amplification.

• Channel Probing: First, Alice and Bob broadcast known pilot signals to enable each other to estimate the physical-layer channel characteristics [11]. In our case, received signal strength at the antenna of the radio frequency frontend is exploited since it can be measured and read directly by present IoT devices. The temporally variant electromagnetic environment gives randomness of the probing data, which is assumed in statistical channel models, such as the Rayleigh fading model or the Rician fading model.

• Quantization: The second step is quantization in which the bit sequences are generated from channel measurements [33]. In the proposed scheme, we perform lossless multi-level quantile-based quantization for its trade-off between computation complexity and quantization efficiency. The quantization performs as follows:

Quantize(h_i) = k if Q_k-1 < h_i ≤ Q_k, 1 ≤ k ≤ q, ∀_i.       (1)

where ℎ_𝑖 ∈ H is channel measurements, 𝑞 is quantization level, and 𝑄_𝑖, 1 ≤ 𝑖 ≤ 𝑞 is quantiles of H. Then the decimal quantization results will be coded through Gray code to reduce the mismatching ratio.

• Information Reconciliation: Alice and Bob need to eliminate mismatching bits due to previous steps and reconcile bit sequences they owned. In our case, we use low-density parity code (LDPC) to reconcile bit sequences because it inherently has the correcting capability and requires lower computation resources. The bit sequences will be divided into groups to be reconciled.

• Privacy Amplification: The final step of PKG is to extract a sequence with higher entropy and security from the previous sequences. In this paper, we offer two candidates to amplify the privacy, a 512-bit secure hash function (SHA-512) and a 128-bit photon hash function (PHOTON-128) [34], depending on the highlight of more security or more execution efficiency.

3.3 Enhanced Message Authentication Encryption

In our proposed scheme, the enhanced MAE algorithm consists of four parts: session key splitting, primitives construction, round keys expansion, and authentication and encryption/decryption algorithms. After obtaining a session key generated from PKG, the enhanced MAE first divides the session key into subkeys, then constructs cryptographic primitives such as substitution tables and permutation tables via Rivest cipher 4 keyed setup algorithm (RC4-KSA) [35]. Finally, authentication and encryption are performed using constructed primitives and expanded round keys to generate cipher texts and MACs.

3.3.1 Session Key Splitting

In each session, the enhanced MAE algorithm takes a 512-bit session key (SK) as input, and then the SK will be divided into eight parts, each with 64 bits, to construct primitives of cryptography algorithm as shown in Table 1. The three updating subkeys are optional: if Alice demands more security in one session, Alice can inform Bob to update primitives using these subkeys.

Table 1. The division of session key.

3.3.2 Primitives Construction

Dynamic cryptographic primitives can reduce the number of rounds to the minimum possible value of just one round, which minimizes the computational overhead without degrading the security level [36]. Therefore, RC4-KSA is performed to construct primitives. The size of the table built by RC4-KSA is 256 for S1, S2, or the length in bytes of the plain text or round keys for π, π_RK [35].

3.3.3 Round Keys Expansion

Round keys expansion is the procedure that uses KRK to expand to round keys. In the proposed algorithm, the key expansion algorithm in AES is utilized for its efficiency and lightweight.

3.3.4 Authentication and Encryption Algorithm

The proposed enhanced MAE algorithm authenticates and encrypts the messages in a single-pass way. By padding zeros at the end, the Tb bytes plain text 𝑀 can be divided into two equal parts with length of 𝑛/2 bytes. These two parts will be operated in an efficient parallel mode to generate cipher text 𝐶, as shown in Algorithm 1. MAC_tx is MAC generated at the transmitter, while MAC_rx is at the receiver. 𝐼𝑉₀ is the initial vector to generate the final MAC. 𝑀[𝜋(𝑖)] refers to the 𝜋(𝑖)-th input plain text block, similar to RK[𝜋_RK(𝑖)]. In the 𝑖-th round (1 ≤ 𝑖 ≤ 𝑛/2), two input blocks (𝑀[π(𝑖)] and 𝑀[𝜋(𝑖 + 𝑛/2)]) are encrypted and stored at the cipher text blocks 𝐶[𝑖] and 𝐶[𝑖 + 𝑛/2] by doing the following operations:

• The π(𝑖)-th plain text block 𝑀[π(𝑖)] is mixed (exclusive-or) with the π_RK(𝑖)-th round key RK[π_RK(𝑖)].

• Substitute 𝑀[π(𝑖)] ⊕ RK[π_RK(𝑖)] by 𝑆1 to produce tp1.

• Mix the plain text block 𝑀[π(𝑖 + 𝑛/2)] with the round key RK[π_RK(𝑖 + 𝑛/2)] and tp1.

• Substitute 𝑀[π(𝑖 + 𝑛/2)] ⊕ RK[π_RK(𝑖 + 𝑛/2)] ⊕ tp1 by 𝑆2 to produce tp2.

• Mix tp1 and tp2 to produce the 𝑖-th cipher text block 𝐶[𝑖].

• The (𝑖 + 𝑛/2)-th cipher text block 𝐶[𝑖 + 𝑛/2] is tp2.

• Mix tp1 and tp2 and the previous IV to produce the current IV.

• The last IV block IV[𝑛/2] is mixed with (𝑛/2) -th cipher text block 𝐶[𝑛/2], then substituted by S1 and S2 to produce MAC_tx.

The decryption algorithm follows the same steps; however, 1) it uses the inverse round function 𝑅𝐹⁻¹, which operates in reverse order and 2) 𝑅𝐹⁻¹ employs inverse substitution tables S1⁻¹ and S2⁻¹. The decryption algorithm is described in Algorithm 2. In particular, line 1 to 4 is to construct inverse substitution tables S1⁻¹ and S2⁻¹. In a single pass of encryption and decryption, the primitives keep no change.

Algorithm 1 The enhanced MAE algorithm: encryption.

#####

Algorithm 2 The enhanced MAE algorithm: decryption

#####

Compared with the AES algorithm which operates the input text block many rounds to generate cipher texts; the enhanced MAE encrypts each plain text block in one round. The MAC is produced simultaneously with the cipher texts through a single pass. The efficiency of the enhanced MAE is improved by the architecture of one round and single pass.

3.4 Complexity Analysis

The computation and memory consumption of the PKG scheme are determined after configuring the system. We analyze the complexity of the enhanced MAE algorithm. The proposed enhanced MAE takes 𝑛 bytes plain texts as input, performs 𝑛 + 2 times look-up operation, and produces 𝑛 bytes cipher texts while using 3 single-byte temporary variables (IV, ~tp2 and tp2), so the computation complexity is 𝑂(𝑛 + 2) . In the meantime, AES algorithm will perform 10 iterations for every 16 bytes; in each iteration, there are 16 times look-up and a 16-byte state temporary variable, as well as other operations, so the computation complexity is 𝑂(10𝑛). The MAE algorithm proposed in [37] has computation complexity of 𝑂(3𝑛 + 1), 𝑂(3𝑛 + 2) and 𝑂(2𝑛 + 1) for the three variants, respectively. In summary, the proposed enhanced MAE algorithm has low computation complexities and low memory consumption compared to AES and conventional MAE algorithms.

4. Simulation Results and Analysis

4.1 Numerical Results of PKG

We numerically simulate the PKG on the MATLAB R2023a platform in Windows 11 with 12th Gen Inter® Core™ i5-1240P CPU. We set the quantization level 𝑞 = 8. By standard [11], We utilize LDPC with the 168 × 672 generation matrix, which will take 𝑛 = 672 bit sequence as input and generate 𝑘 = 168 bit parity code. The coding rate, by definition, is (𝑛 − 𝑘)/𝑛 = (672 − 168)/672 = 3/4. The generation matrix is shown in Table 2, and the example of the cyclic permutation matrix is in Table 3. Note: the -1 represents matrices with all 0s.

Table 2. The LDPC generation matrix with rate 3/4 of block size.

Table 3. Two examples of cyclic permutation matrix P^Z_n, where Z = 4 and n = 0,1.

The simulation is performed 100 times. Fig. 4 shows the mutual information between Alice and Bob and between Alice and Eve at the point of quantization and privacy amplification. From Fig. 4 (a), we can see that the mutual information between Alice and Bob increases to 1.000 after privacy amplification from an average of 0.883 after quantization. From Fig. 4 (b), we can see that the mutual information between Alice and Eve decreased to 0.000 after amplification from an average of 1.434 × 10⁻³ after quantization. That is, Eve almost possesses no information about Alice’s bit sequence after the process of PKG. It can be confirmed from Fig. 4 that the PKG technology guarantees the privacy and secrecy of Alice and Bob.

Fig. 4. Mutual information (a) between Alice and Bob, (b) between Alice and Eve.

To compare the execution time of PKG utilizing SHA-512 and PHOTON-128 hash algorithms, we performed 10000 PKG trials, and the result is shown in Table 2. For the SHA-512 hash algorithm, the input length is 672, and the hash value length is 512. For the PHOTON-128 hash algorithm, the input sequence is divided into 4 168-bit subsequences to be separately hashed, and the 4 128-bit hash value is appended to a 512-bit output. Thus, if we assume the attacker can generate 𝑝 messages in the lifetime of the key (a secure communication session), the collision probability of SHA-512, CP_SHA is

\(\begin{align}C P_{S H A}=\frac{p(p-1) / 2}{2^{512+1}}\end{align}\)       (2)

while the collision probability of PHOTON-128, CP_PHOTON is

\(\begin{align}C P_{PHOTON}=\frac{p(p-1) / 2}{2^{128+1}} \times 4\end{align}\)       (3)

The latter is about 2^{512+1−(128+1−2)} = 2³⁸⁵ ≈ 7.8804 × 10¹¹⁵ times the former. SHA-512's security is highly more significant than that of PHOTON-128. Meanwhile, as shown in Table 4, SHA-512’s execution time is about 119 times that of PHOTON-128. So, according to the highlight on security or efficiency, we can choose to use one of these two hash functions.

Table 4. The statistical results of execution time (seconds) of SHA-512 and PHOTON-128.

In addition, we perform the NIST SP 800-22 randomness test for keys generated by the proposed PKG scheme, and the results are shown in Table 5. It confirmed that our PKG scheme can produce secret keys with sufficient randomness and can be utilized in cipher algorithms.

Table 5. The results of NIST SP 800-22 randomness tests.

4.2 Numerical Results of Enhanced MAE

4.2.1 Performance Analysis

To demonstrate the efficiency, the enhanced MAE is compared with a PKG-assisted AES scheme in terms of running time. For fairness, both the enhanced MAE and AES [40] are implemented on the MATLAB platform. Both of them encrypt the same plain texts in each trial, and the simulation is performed in 10,000 trials. The running time of the two schemes is shown in Fig. 5. It can be seen from Fig. 5 that the running time of the enhanced MAE is an average of 1.489 ms per encryption, while the PKG-assisted AES takes an average of 7.639 ms to perform one encryption. It can be proven from Fig. 5 that the performance of the proposed scheme improves by 80.5% in terms of algorithm execution efficiency with respect to the typical AES scheme.

Fig. 5. Running times of enhanced MAE v.s. typical AES

4.2.2 Statistical Analysis

To resist statistical attacks, the occurrence probability of all symbols in the cipher texts should be close to 1/𝑠, where 𝑠𝑠 denotes the symbols’ space. The symbols’ space in the enhanced MAE is 256 since the cipher texts and MACs are operated in bytes. Similarly, the occurrence probability of all symbols in the MAC should also be close to 1/𝑠 because the number of bytes in MAC is equal to the number in cipher text blocks. This could be assessed statistically, in particular by visualizing the probabilistic density function (PDF) of the encrypted message and the generated MACs. The same plain text is encrypted with 10,000 random session keys. The statistical results at the byte level are shown in Table 6, Fig. 6 and Fig. 7.

Fig. 6. Statistical analysis results: the recurrence of the plain texts(a) and cipher texts (b), the corresponding PDF of the plain texts (d) and produced cipher texts (e), and recurrence histogram distribution (c) and histogram distribution (f) of MAC in hexadecimal format.

Table 6. The statistical results of MAE algorithm.​​​​​​​

Fig. 7. Statistical analysis results: (a) PDF of the cipher texts entropy, (b) PDF of the unique MAC values, (c) PDF of the correlation coefficient, and (d) PDF of the percentage difference between plain and cipher texts.

Table 6 shows the numerical characteristics of plain texts, produced cipher texts, and MACs at the byte level, compared with theoretical values. It is seen that the produced cipher texts obey a uniform distribution from 0 to 255.

From Fig. 6, it is seen that the PDF of the original plain texts is not uniform, but the PDF of corresponding produced cipher texts and MACs follows the uniform distribution. At the same time, all symbols have a probability of occurrence close to (1/256) = 0.039.

The results are also validated by the entropy and difference ratio at the data message level. If the entropy value of the produced cipher texts is close to (− log₂ 1/256) = 8 , the uniformity of texts is satisfied. Fig. 7 (a) illustrates the PDF of the entropy values of 10,000 cipher texts. The result shows clearly that the encrypted ciphers always have an entropy close to the desired value of 8. Fig. 7 (b) demonstrates the repetition counts of each unique symbol of the 10,000 produced MACs. The result shows that the produced MACs are arbitrarily distributed in the symbols' space.

On the other hand, in addition to the previous recurrence results, two additional tests can be performed to evaluate the randomness level of the cipher texts: 1) the correlation between plain and cipher texts and 2) the difference ratio (DR) of the original texts and the produced cipher texts. The DR between plain and cipher texts is calculated by (4).

\(\begin{align}\operatorname{DR}\left(S_{A}, S_{B}\right)=\frac{\sum_{i=1}^{m} D_{i}}{T b} \times 100 \%\end{align}\)       (4)

where 𝑆_𝐴, 𝑆_𝐵 is two sequences of bits, 𝑚 is the length in bits of 𝑆_𝐴, 𝑆_𝐵, and

\(\begin{align}D_{i}=\left\{\begin{array}{ll}1, & S_{A}(i) \neq \mathrm{S}_{B}(i) \\ 0, & S_{A}(i)=S_{B}(i)\end{array}\right.\end{align}\)       (5)

The PDF of the correlation coefficient of plain and cipher texts is illustrated in Fig. 7 (c). It is seen that the correlation coefficients concentrate highly around 0. The PDF of the DRs of plain and cipher texts is shown in Fig. 7 (d). It is clear that the DR also concentrates highly around 50%. The coefficient and DR results validate the randomness of cipher texts since the desired results are derived from simulation tests.

In conclusion, Fig. 6 and Fig. 7 confirm the randomness and uniformity of the proposed enhanced MAE algorithm. Simulation results confirm the good diffusion and confusion properties of this scheme, which enable the enhanced MAE to resist statistical attacks.

The key avalanche effect (KAE), or the key sensitivity, refers to the effect that a 1-bit flipped in session key should result in 50% of bits changed in produced cipher texts and MACs. Similarly, the plain avalanche effect (PAE) refers to the effect that a 1-bit flipped in plain texts should result in 50% of bits changed in MACs (the cipher texts should change one block because it is a one-round algorithm). The test of KAE is performed in 5,000 trials. Within each KAE test trial, the same plain text is encrypted with a random key and another key with one bit changed in the former one. The test of PAE is also performed in 5,000 trials. Within each PAE test trial, a plain text and another plain text with one bit changed in the former one are encrypted with the same random key.

The results of the PAE and KAE tests are shown in Fig. 8. Fig. 8 (a) illustrates the PDF of the DR of cipher texts in each KAE test trial. It is clear that the DR of cipher texts encrypted with only one-bit changed keys is 50%, i.e., totally different. Fig. 8 (b) illustrates the PDF of the DR of MACs in KAE and PAE tests. It shows that the DR of MACs is almost all 50%. It is seen that the produced MAC will change randomly at each bit when the input keys (KAE) or plain texts (PAE) have only one-bit change. Fig. 8 (c) exhibits the probability of 1 occurrence at each position in MACs produced by PAE tests. It is seen that at each position of MAC, 1 or 0 appear with equal probabilities.

Fig. 8. The statistical results of key avalanche and plain avalanche test:(a) PDF of difference ratio of ciphers, (b) PDF of difference ratio of MACs of key and plain avalanche effect (c) the probabilities of each position in MAC with 1-bit flipping in plain.​​​​​​​

In conclusion, the enhanced MAE is very sensitive to changes in input plaint texts and keys, which will strengthen its capability of resistance to statistical attacks.

4.3 Cryptographic Analysis of the Enhanced MAE

The key space of the proposed enhanced MAE algorithm is 2²⁵⁶, which can prevent brute force attacks since it is greater than 2¹²⁸ [41]. The proposed scheme is of great resistance against linear attacks and differential attacks, which is guaranteed by

• the independence of plain texts and cipher texts (Fig. 6 (c) and (d)), and

• the nonlinear relationship enhanced by the permutation table π and π_RK, and

• secret key sensitivity (Fig. 8) [37].

At the same time, the key-related attacks are tough to perform since a one-bit change in the session key will produce enormously different ciphers and MACs. In Summary, the proposed encryption algorithm is secure enough to resist attacks on confidentiality.

The resistance against attacks on authentication of the proposed scheme is ensured by 1) that the MAC is produced by all the plain texts and session keys, 2) that the dynamic primitives and variable session keys of each new session, and 3) that each MAC incorporates all the nonlinear tables as the compressive function. Given a message with n blocks and Tb bytes per block, 𝑀 = [𝑚₁, 𝑚₂, … , 𝑚_𝑛×Tb]. The birthday attack seeks two messages with identical MAC values in less than 2^8×Tb/2 trials [37], but Tb can be easily expanded to make brute force attacks impossible. The meet-in-the-middle attack is to find a plain text block 𝑚_𝑖 to be replaced without changing the produced MAC value [42]. According to Fig. 8 (b) and (c), the plain text sensitivity of the enhanced MAE will resist meet-in-the-middle attack. Moreover, the number of bytes per block Tb and the length of plain text 𝑛 are large in practice. The space to find collisions for MACs is vast, making the meet-in-the-middle attack extremely difficult. In conclusion, the proposed enhanced MAE algorithm can resist attacks on authentication.

5. Conclusion

In this paper, a lightweight and efficient PKG-based enhanced MAE algorithm has been proposed to ensure the security of resource-limited IoT. On the one hand, the PKG has been used to improve the security performance in a lightweight way. On the other hand, the low-complexity variant of the MAE algorithm has been proposed and further strengthened by the PKG. The enhanced MAE algorithm is based on the keyed primitives construction, in which we construct permutation tables and substitution tables by the RC4-KSA algorithm. The statistical results of simulations proved that the PKG technology meets the secure and secret demand. The quantitative statistical results and qualitative cryptography analysis confirm the security of the enhanced MAE algorithm in resistance against attacks on confidentiality and authentication. Compared to the benchmark, i.e., the PKG-based AES scheme, the proposed scheme improves by 80.5% in terms of execution efficiency. The lightweight and high efficiency of the proposed scheme make it applicable for resource-limited IoT networks.