Lightweight Cryptography: A Review

Prof. (Dr.) Mohammad Ubaidullah Bokhari1, Shabbir Hassan2

Department of Computer Science
Aligarh Muslim University, Aligarh, India
Email: mubokhari@gmail.com1, Email: hassan.analyst@gmail.com2

Abstract:-The classical cryptosystem only meets the requirements of desktop

computing epoch. Alternative lightweight cryptography (LWC) algorithms are
design to overcome the limitation of classical cryptosystem which provide
tradeoff among attack immune, key size, throughput and performance. The
implementation of LWC algorithms is done on keeping in mind that it must be
implemented in low power consumption, less space requirement and enough
efficiency so that it become suitable for resource constrain devices such as RFID
tags and wireless sensor node. This paper discusses numerous LWC algorithms
that provide a better insight about the advantages and disadvantages of
different models. Also, discusses numerous security issues faced by these LWC
algorithms.

Keywords: Stream Cipher, Hummingbird, Grain, WG, Hitage2, PUF, LWC.

1. Introduction:
As the current scenario, use of smart devices such as credit card, smart card, Personal Digital
Assistant (PDA), Radio Frequency Identification Devices (RFID) tags, Wireless Sensor Nodes
etc are gaining significant role in our daily life. Their use is much ubiquitous. On the other hand,
security and performance is one of the severe issues for such devices. So we can need
considerable security as well as performance in these devices, having limited storage and
computational capabilities. This leads to emerging a research area called Lightweight
Cryptography. The aim of LWC is to deliver the confidential data on extremely constrain targeted
devices having limited resources. LWC algorithms possess some common characteristics such as
they should have a lower area, lower power consumption, lower energy, lower communication
cost and short processing time. The implementation of LWC is done in such a way that it
increases throughput and efficiency. The ubiquitous use of RFID tags rise concern about
equipotent security in RFID system. Since low cost tags are extremely resource constrained
device, hence common security approach are not longer applicable to them. Hence one of the
challenging topic is to design a secure lightweight cipher that is suitable for RFID tags. This
paper describes a review of some well known lightweight ciphers for researchers further in the
betters of LWC.

2. Stream Cipher
Stream cipher was invented in 1917 by Gilbert Vernam. Vernam studies Electrical Engineering at
Worcester Polytechnic Institute (WPI) in Massachusetts. Stream cipher sometime refers to
Vernam cipher. Stream cipher is a symmetric key cipher where the plaintext digits are combined
with a stream of pseudorandom cipher digit is called keystream. Stream cipher encrypt bits (of a
plaintext) individually with a corresponding digit of keystream to obtain the ciphertext digit ie
encrypted bit. The encryption of each digit (plaintext) is only depending upon current state of
cipher so it is also called state cipher. A digit is typically a bit and operation is XORed operation.
The pseudorandom key stream is generated from a primary random integer value (is called a
seed) by using digital shift register and the same seed value are served as a key for decryption of
cipher text stream [2]. The encryption and decryption in stream cipher is depicted below.

For instance suppose Alice wants to encrypt the letter A, where the letter is given in ASCII code.
The ASCII value for A is 6510 = 10000012. Let’s furthermore assume that the first key stream bits
are (s0, s1,…..,s6) = 0101100.

Note that the encryption by Alice turns the uppercase A into the lower case letter m. Oscar, the
attacker who eavesdrops on the channel, only sees the ciphertext letter m. Decryption by Bob
with the same key stream reproduces the plaintext A again. So far, stream ciphers look
unbelievably easy: One simply takes the plaintext, performs an XOR operation with the key and
obtains the ciphertext. On the receiving side, Bob does the same. Some well known stream
ciphers are available as below.

BSF-128, Bokhari Stream Cipher, GRAIN, RC4, WG-7, WG-8, WG-16, HITAG2, Sober t-
16/family, PUF, Snow and Edon80.
3. Lightweight Stream Cipher
A lightweight stream cipher is used in a device (smart phones, tabs, sensor networks) due to the
limitation of resources and power consumption. The lightweight stream ciphers are work better
and in efficient manner in such situations. The lightweight ciphers are design for targeted to
resource-constrained devices like RFID (Radio Frequency Identification) smart cards, and
wireless sensor nodes.

3.1 Lightweight Cryptographic Algorithms

These days several elegant lightweight Cryptographic Algorithms are present. Out of them some
are very efficient, some are good and also some of them have weak attack immune. Well known
lightweight stream ciphers are discussed below.

3.1.1 Grain

Grain is a cryptographic stream cipher which mainly design for hardware environment where
the resources such as memory space, power consumption, use of gates is limited, and hence
their implementation required less chip cost. Most of the stream cipher is based on linear
feedback shift register (LFSR) [3] to produce a random sequence of good statistical
properties. The three major building blocks of the grain cipher are.

 Two shifts register namely LFSR.

 A nonlinear feedback shift registers (NFSR).
 A Nonlinear filter functions for providing the best security.

Since the output of LFSR is balanced, while NFSR is used to provide nonlinearity to the cipher.
So the complex combination of balancedness and nonlinearity makes the grain cipher
cryptographically strong and more secure. However many cryptanalytic attacks [4, 5, 6 and 7]
were reported against grain due to their inherent weakness of LFSR’s. The size of LFSR, NFSR
and key is 80 bits and the size of initial vector is 64 bits. The feedback shift registers LFSR &
NFSR are implemented as a polynomial of degree 80 and their feedback function are represented
by f(x) and g(x). Initially the LFSR is loaded with a 64-bits initialization vector IV, and NFSR is
loaded with 80-bits of key and the remaining 16-bits are filled with ones so as to prevent zero
shift registers. Finally the output of LFSR is masked with the input of NFSR to get a balance state
of NFSR. The nonlinear filter function h(x) takes as an input and the preferred bits from both the
feedback shift registers. Thereafter all the seven particular bits of NFSR are XORed and its
resultant is further added to the filter function h(x). The output of h(x) is used to generate the
keysteam that acts as feedback to both the registers LFSR and NFSR.

3.1.2 Welch-Gong (WG-7)

WG-7 [8] stream cipher is based on the primitive WG Stream Cipher [9]. It was design by Y.
Luo, Q. Chai, G. Gong, and X. Lai in 2010. WG-7 is a very fast stream cipher design for the
lightweight devices (such as smart phone, RFID tags, and wireless sensor node) the WG-7 is
design. Both WG and WG-7 are hardware oriented stream cipher that usage a Word oriented
LFSR and a filter function based on WG. WG works on GF(2 29) but WG-7 in GF(27). WG-7
usage 80-bit secret key and 81-bit initialization vector (IV) and the LFSR is clocked 46 times, the
internal state consist of 161-bits and the security level claimed by the designer is 80-bits[12, 13].
3.1.2.1 Algebraic attack on WG-7

Recently, a distinguishing attack was discovered against the stream cipher WG-7. Within the time
complexity of O227 an attacker can recover both the secret key and internal state of the cipher [10,
11].

3.1.3 Welch-Gong (WG-8)

WG-8 is a lightweight variant of the well known WG stream cipher family and was submitted to
eSTREAM project. It inherits good randomness properties of WG such as exact linear
complexity, balance, ideal tuple distribution, period, and ideal two level auto correlation. On
ATmega128(8bit) from Atmel and MSP430(16 bit) from Texas low power microcontroller, WG-
8 is able to achieve a throughput of 185.5 kbps and 95.9 kbps on both microcontroller with
energy efficiency of 458 nJ/bit and 125 nJ/bit respectively. As compared to other LWC
implementation, the throughput of WG-8 is about 2≈15 times higher and energy consumption is
about 2≈220 times smaller [14].

3.1.4 Welch-Gong (WG-16)

WG-16 is an efficient variant of well known WG stream cipher family. It takes 128 bit key and
128 bit IV. This cipher was submitted to the eSTREAM project. WG-16 inherits good
randomness properties of WG stream cipher family such as balance, period, ideal tuple
distribution, ideal two level autocorrelation, and exact linear complexity. Moreover WG-16 is
able to resist most common attack against stream cipher including algebraic attack, correlation
attack, differential attack, cube attack, distinguish attack, discrete Fourier transformation attack
and time memory data tradeoff attack [19].

3.1.5 HITAG2

HITAGE2 is a lightweight LFSR based stream cipher, it consist of 48-bit key stream and 48 bit
internal state.Hitag2 is secure version of crypto-1 cipher, that has been employed in many Mifare
classic protocols. Many car manufacturers also used HITAG2 to locking and unlocking the car
doors remotely [9].

3.1.5.1 Attack on HITAG2

A cryptanalysis against HITAG2 was founded [15], which broke HITAG2 by a SAT solver
within several hours. Except the brute force attack this is only a unique cryptanalysis on HITAG2
that break the security of cipher. This attack comprises of three phase [16]

 Black-box attack of extracting 32-bits of the secret key.

 White-box attack to get several other key bits.
 Brute force search for the remaining key bits.

3.1.6 Light weight secure PUF

The Physical Unclonable Function (PUF) [17] is promising solution to mitigate the effect of
physical attacks. PUF are the physical entity that generates output (response) based on their input
 (challenges) and intrinsic physical properties of embedding hardware. It exploits only those
physical properties of embedding devices.

3.1.6.1 Drawback on PUF

Due to small hardware requirement to building a PUF, it is widely used in lightweight

applications such as RFID tags. To achieve the feature of low cost implementation, composite
PUFs are developed and are introduced in HOST2014 and RECONFIG2013. The building of
composite PUFs is based on several small primitives, on the basis of cryptanalysis the introduced
PUFs RECONFIG2013 is not secure and can be penetrated [20].

3.1.7 Hybrid Cipher

Hummingbird is the latest light weight hybrid model of block cipher and stream cipher that
provides tradeoff between cost, size and speed [18]. It is targeted for low cost smart devices and
microcontroller environment such as RFID technologies, smart cards, credit cards and wireless
sensor networks. Hummingbird is renitent to most common attacks of block ciphers and stream
ciphers including birthday attacks, linear and differential cryptanalysis, algebraic attacks, cube
attacks etc. The security in Hummingbird comes from key and internal states which makes it
applicable for embedded applications. It has a block size of 16 bit and consists of 4 Serpent like s-
boxes each having 4 bit inputs and 4 bit outputs. Hummingbird is further classified into two parts:
Hummingbird1 and Hummingbird2. Hummingbird 1 is a magnificent blend of stream cipher and
block cipher [18] with 16 bit block size, 256 bit key and 80 bits of internal states.

4. Conclusion:
In this paper we tried to analyzed different lightweight cryptographic algorithms including hybrid
model (of Hummingbird1 and Hummingbird2) several lightweight stream ciphers has been
discussed with their technologies, attack immune, features as well as drawbacks. This work will
boost the researchers for further development in the field of LWC.

References:
[1] Jacob John, “Cryptography for Resource Constrained Devices: A Survey”, In proc. Of the
International Journal on Computer Science and Engineering,2012.
[2] online reference from http://en.wikipedia.org/wiki/Stream_cipher
[3] Martin Hell, Thomas Johansson, Alexander Maximov, Willi Meier, “A Stream Cipher
Proposal: Grain-128” ,.In proc. OfIEEE International Symposium on Information
Theory,2006
[4] Maximov, A. (2006, March). Cryptanalysis of the Grain family of stream ciphers. In
Proceedings of the 2006 ACM Symposium on Information, computer and communications
security (pp. 283-288).ACM.
[5] Dinur, I., & Shamir, A. (2011, January). Breaking Grain-128 with dynamic cube attacks.In
Fast Software
Encryption (pp. 167-187). Springer Berlin Heidelberg.
[6] Bjøstad, T. E. (2013). Cryptanalysis of Grain using Time/Memory/Data Tradeoffs.
[7] Banik, S., Maitra, S., &Sarkar, S. (2012). A differential fault attack on the grain family of
stream ciphers.
In Cryptographic Hardware and Embedded Systems–CHES 2012 (pp. 122-139). Springer
Berlin Heidelberg.
[8]Orumiehchiha, Mohammad Ali, Josef Pieprzyk, and Ron Steinfeld. "Cryptanalysis of WG-
7: a lightweight stream cipher." Cryptography and Communications 4.3-4 (2012): 277-285.
[9] Nawaz, Yassir, and Guang Gong. "WG: A family of stream ciphers with designed
randomness properties." Information Sciences 178.7 (2008): 1903-1916.
[10] Orumiehchiha, Mohammad Ali, Josef Pieprzyk, and Ron Steinfeld. "Cryptanalysis of
WG-7: a lightweight stream cipher." Cryptography and Communications 4.3-4 (2012): 277-
285.
[11] Luo, Yiyuan, et al. "A lightweight stream cipher WG-7 for RFID encryption and
authentication." Global Telecommunications Conference (GLOBECOM 2010), 2010 IEEE.
IEEE, 2010.
[12] Orumiehchiha, Mohammad Ali, Josef Pieprzyk, and Ron Steinfeld. "Cryptanalysis of
WG-7: a lightweight stream cipher." Cryptography and Communications 4.3-4 (2012): 277-
285.
[13] Nawaz, Yassir, and Guang Gong. "WG: A family of stream ciphers with designed
randomness properties." Information Sciences 178.7 (2008): 1903-1916.
[14] Fan, Xinxin, KalikinkarMandal, and Guang Gong. "Wg-8: A lightweight stream cipher
for resource-constrained smart devices." Quality, Reliability, Security and Robustness in
Heterogeneous Networks.Springer Berlin Heidelberg, 2013.617-632.
[15] Courtois, Nicolas T., Sean O’Neil, and Jean-Jacques Quisquater. "Practical algebraic
attacks on the Hitag2 stream cipher." Information Security.Springer Berlin Heidelberg,
2009.167-176.
[16] Sun, Siwei, et al. "Cube cryptanalysis of Hitag2 stream cipher." Cryptology and Network
Security.Springer Berlin Heidelberg, 2011.15-25.
[17] Nguyen, Phuong Ha, and Durga Prasad Sahoo. "Lightweight and Secure PUFs: A
Survey." Security, Privacy, and Applied Cryptography Engineering.Springer International
Publishing, 2014.1-13
[18] Revini S. Shende, Mrs. Anagha Y. Deshpande, “VLSI Design Of Secure Cryptographic
Algorithm”In proc. Of the International Journal of Engineering Research and
Applications,2013.
[19] Y. Nawaz and G. Gong, \WG: A Family of Stream Ciphers with Designed Randomness
Properties", Information Science, vol. 178, no. 7, pp. 1903-1916, 2008.
[20] Nguyen, Phuong Ha, et al. "Cryptanalysis of Composite PUFs (Extended abstract-invited
talk)." VLSI Design and Test, 18th International Symposium on. IEEE, 2014.