Design of a Lightweight Cryptographic Scheme for Resource-Constrained Internet of Things Devices

Abstract

We propose an ultra-lightweight cryptographic scheme called “Small Lightweight Cryptographic Algorithm (SLA)”. The SLA relies on substitution–permutation network (SPN). It utilizes 64-bit plaintext and supports a key length of 80/128-bits. The SLA cipher includes nonlinear layers, XOR operations, and round permutation layers. The S-box serves to introduce nonlinearity in the entire scheme design. It plays a vital role in increasing the complexity and robustness of the design. The S-box can thwart attacks such as linear and differential attacks. The scheme makes it possible to breed many active S-boxes in a short number of rounds, hindering analytical attacks on the cipher. When compared to other currently used ciphers, SLA has a higher throughput. Additionally, we demonstrate the SLA’s performance as an ultra-lightweight compact cipher, and its security analysis. The SLA cipher’s design is well suited for applications where small-scale embedded system dissipation is critical. The SLA algorithm is implemented using Python.

1. Introduction

The current significant advancement in the network of intelligent objects is the Internet of Things (loT). It has various uses, such as radiation monitoring in nuclear power plants, smart cities, smart homes and smart environments in general, animal tracking, health monitoring, and many more applications. The main issues in IoT applications are energy management, IPv6 adoption, standardization, and security [1].

Any wireless cryptographic scheme has serious data security challenges. A cryptographic method is a crucial component of network security. For IoT systems, “Lightweight Cryptography (LWC)” is most suited. Lightweight cryptography is a protocol designed for use in constrained environments such as sensor networks, meters, healthcare, the Internet of Things, cyber-physical systems, intelligent energy systems, indicators, custom controls, etc. [2]. In addition, formal methods on IoT application layer protocols for improving security and detecting security issues remain an open challenge.

The motivation for developing SLA includes the following. Major standards organizations closely follow lightweight cryptographic development. Several lightweight cryptographic methods have been standardized by The International Organization for Standards (ISO) and the International Electro-technical Commission (IEC). These standard bodies are also reviewing more algorithms to include in their standards. Recently, the National Institute of Standards and Technology (NIST) made public its lightweight algorithms portfolio requirements [3]. This announcement came after the Institute held two workshops on lightweight cryptography [4,5].

Enforcing security against attacks on IoT systems is a challenging task. Once the required features of an IoT system have been added, cryptographic engineering aims to harmonize conflicting requirements to create secure yet usable embedded IoT systems. The field of LWC for IoT applications combines cryptography, computer science, and electrical engineering. Solutions to IoT security problems are converging on cryptographic engineering. This paper attempts to reconcile these conflicting requirements. In this paper, we propose a new lightweight cryptographic scheme built from finite fields, using their underlying mathematical structure. In general, this choice does not influence the security of the scheme, but influences the performance of the resulting implementation. This approach has become a major design trend in cryptography, due to the increasing importance of small-scale embedded IoT devices. In a lightweight cryptographic scheme, the construction of a strong non-linear S-box (confusion layer) uses Galois field multiplication which meets cryptographic properties, and provides a novel method to construct diffusion layers by 32-bit binary matrix. The resulting proposed SLA scheme provides a sufficient security level against most of the well-known attacks on block ciphers, such as linear and differential cryptanalysis.

This paper is organized as follows. Section 2 is a presentation of research work. Section 3 is a depiction of the block cipher SLA. Section 4 is an assessment of the block cipher SLA, and Section 5 is the conclusion.

2. Related Work

A significant number of authors, in the current literature, have undertaken investigations into how to improve IoT security and privacy. This section derives input from current solutions for small cryptographic algorithms. They also discussed how to enhance the level of security for the IoT.

In [6] a new variant lightweight cryptography algorithm for the Internet of Things is proposed, which is called New Variant Lightweight Cryptography (NVLC). The main idea of the design of NVLC is to use a 4-bit S-box with a lower signal delay in comparison to an 8-bit S-box. Additionally, it used the Whitening key idea at the beginning and end of encryption to raise the difficulty of key search and the difficulty of attacking the cipher. However, the encryption methods investigated the goal of a high level of security in the low-resource device for NVLC block cipher design.

SFN [7], a new lightweight algorithm, employs a 96-bit key on a 64-bit block. The novel idea of the design is to use a different encryption method that takes both SP network structure and Feistel network structure to encrypt. Involution related properties of the nonlinear and linear components are employed into the design of SP network structure. The modified SP network structure enables the encryption and decryption program or circuit to work as the Feistel network structure. The encryption method satisfies the security requirements of different user levels. It gave a good performance in hardware at 1876 GEs.

A study in [8] proposed a simplified new version of the round function of the original SIMON by reducing its impact by changing the shift numbers, so the first rotation is removed to enhance the speed of SIMON and execution time.

The Feistel scheme is used to encrypt the lightweight block cipher LiCi [9]. LiCi has a 128-bit key, a 64-bit block, and 31 rounds. The LiCi design uses the substitution layer derived from the Karnaugh Map that applies 4 × 4 S-boxes, which has been employed to reduce the logic gates of the S-box, and use circular shift by (3, 7). The encryption method offers good performance, both on hardware at 1153 GEs and on software platforms.

BORON, a low-power cipher proposed in [10], boasts being ultra-weight and compact. It works with 128/80-bit keys and 64-bit plaintext over the SP network. Their methods used for encryption gave excellent performance of 1939 GEs in a small area. It performs efficiently on both hardware and software platforms.

In [11], a family of low energy block ciphers called Midori is proposed, which is composed of two variants: Midori64 and Midori128. The design of Midori is to make use of cell-permutation layers 4 × 4 involutory Binary MDS matrix to optimize diffusion speed, and two types bijective 4-bit S-boxes. The encryption methods satisfy the optimization goal of low energy for block cipher design.

The study in [12] presented Simeck, a lightweight block cipher designed from components of other ciphers, SIMON and Speck. The study proved the ability to design ciphers that have less power consumption and are relatively smaller in area.

The RECTANGLE algorithm [13] proposed new design criteria for the RECTANGLE S-box. The main idea of the design of RECTANGLE makes use of the bit-slice style in a lightweight manner, and was introduced for speeding up the software speed in the design of the DES and Serpent block cipher [14,15]. It offers a very low cost in hardware but also is very competitive in software speed.

In [16], a lightweight, versatile block cipher called TWINE is proposed. The global structure of TWINE is a type-2 generalized Feistel structure (GFS). A round function of TWINE consists of a non-linear single 4-bit S-box rather than multiple ones, which can contribute to smaller (serialized) hardware and software implementations and different block shuffle from the original (cyclic shift), which can greatly improve the diffusion speed of type-2 GFS. Despite the fact that bit-shifting operations are often used in the diffusion layer of many lightweight block ciphers (e.g., PRESENT and NOEKEON), they actually lose their efficiency in software implementations. Therefore, (PRESENT-like and NOEKEON-like) diffusion techniques [17,18] are not an option for TWINE.

Bogrof et al. [19] presented PRINCE, which provides a new dimension to lightweight cryptography by achieving low latency. It also focuses on hardware implementation. It utilized a 128 bits key and was comprised of 64 bits block with 12 rounds. The S-box of this cipher was non-linear i.e., Feistel structure. The main advantage of the Feistel structure is that the same program code can be used for the encryption and decryption process. It also helps in reducing memory usage. The cipher can however be susceptible to related-key attacks if the Feistel structure uses alternating keys. Some other noteworthy mentions from this generation are Humming-Bird, KASUMI, and Piccolo

In [20], a symmetric cryptographic algorithm, KLEIN, which has the benefit of better performance of software on legacy sensor platforms, is proposed. The fact that it uses a 4-bit S-box permutation via the algebraic normal form (ANF), rather than an 8-bit S-box, whether implemented in hardware or software, results in a tiny hardware implementation. KLEIN’s design increases the available options of lightweight block ciphers for low-resource applications.

In [21], Leander et al. proposed a family of new lightweight variants of DES (data encryption standard), which are called DESL/DESX/DESXL (the lightweight modified versions of the well-known DES). The main idea of the new variants of DES is to use just one S-box recursively, instead of eight different S-boxes, to minimize the hardware implementation.

mCrypton [22] is designed by following the overall architecture of Crypton [23], but with redesign and simplifications of each component function to enable much more compact implementation in both hardware and software.

Based on the state of current small cypher results, it is essential to provide not only a small cypher footprint to fit into small memories, but also to enhance speed and cryptographic strength by making it difficult for linear and differential cryptanalysis.

3. Block Cipher SLA

To ensure difficulty in differential and linear cryptanalysis, SLA uses a substitution–permutation network [24], having 16 rounds with 16 keys. The block size is 64 bits with an 80- and 128-bit key size. The block diagram of the SLA cipher is shown in Figure 1, and Figure 2 shows the detailed SLA block cipher.

Each of the sixteen rounds includes an eXclusive OR (‘XOR’) logic operation to obtain new keys ${\mathrm{K}}_{\mathrm{r}}$ for $1\le \mathrm{r} \le 16$. They are produced by the 80/128-bit key register. Finally, one additional key will then be produced and XOR-ed to obtain the ultimate ciphertext. The confusion layer represents a non-linear substitution (box) table. The diffusion layer represents one of the durable layers between extant LWC schemes. Figure 2 depicts the block cipher, including pseudocode, with each phase.

3.1. Add_Round_Key

The Add_Round_Key performs an eXclusive OR (‘$\mathsf{⨁}$’) on a 64-bit plaintext and with a 64-bit sub-key produced from the 80/128-bit key register. ${\mathrm{K}}_{\mathrm{i}}\to {\mathrm{k}}_{63}^{\mathrm{i}}\cdots {\mathrm{k}}_0^{\mathrm{i}}$ defines sub-keys for $1\le \mathrm{i} \le 16$, and the actual output ${\mathrm{STATE}}_{64}\to {\mathrm{s}}_{63}{\mathrm{s}}_{62}\cdots {\mathrm{s}}_0$ is given as

$$\mathrm{STATE}\to \mathrm{STATE} \mathsf{⨁}{ \mathrm{K}}^{\mathrm{i}}$$

3.2. Substitution Box (S-Box_Nibble Layer)

The single S-box used in our scheme is $\mathrm{S}:{\mathbb{F}}_2^4 \to {\mathbb{F}}_2^4$ S-box. The substitution layer is represented in a hexadecimal form in

Table 1. A Sbox_Nibble Layer of our scheme.

$x$	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
$S\left(X\right)$	f	8	3	e	0	7	b	a	5	d	9	c	6	4	2	1

. Values in Table 1 are readily implemented using a table of sixteen four-bit values. This is a direct result of the search for a lightweight cryptographic algorithm.

3.3. Permutation Layer

The permutation layer creates a mixed 32-bit output from a 32-bit input. At the 32-bit number bit position, a 32-bit-sized bit is replaced by bit x. The diffusion function can be expressed as a bit permutation level of 1-bit words using the equations below. Appendix A contains a 32 by 32 one-to-one permutation matrix and its inverse. The permutation matrix performs the binary permutation operation in (1) as

$${\mathrm{P}}_{\mathrm{ij}}={\mathrm{P}}_{\mathrm{ij}}{\mathrm{X}}_{\mathrm{ij}}$$

(1)

The reason for using a one-to-one permutation matrix is to scramble the key. The desire is to rearrange the values in the key so that it looks like someone knows the original key. In a one-to-one permutation matrix, the values of the key do not change; the values only change position. A one-to-one permutation matrix is very fast because one-to-one swapping of the position is fast. For example, if the RaspberryPi device tests a 10 × 10 number, it takes more time to perform 10 multiplications by 10 in the microcontroller; however, a one-to-one permutation matrix is very fast.

Algorithm 1 summarizes the encryption process outlined in Section 3.1, Section 3.2 and Section 3.3.

Algorithm 1 Encryption

Input: Plaintext ${\mathrm{STATE}}_{64}\to {\mathrm{s}}_{63}{\mathrm{s}}_{62}\cdots {\mathrm{s}}_0,\mathrm{S}\left[16\right], \mathrm{P}\left[32\right]$ Output: Ciphertext ${\mathrm{C}}_{64}$ $\mathit{f}\mathit{o}\mathit{r} \mathrm{r}$= 0 $to$ 16 $\mathit{d}\mathit{o}$               ${\mathrm{STATE}}_{64}\to { \mathrm{s}}_{63}{\mathrm{s}}_{62}\cdots {\mathrm{s}}_0$               $\mathrm{STATE}\to \mathrm{STATE}\oplus {\mathrm{K}}^{\mathrm{i}}$               ${\mathrm{STATE}}_{\mathrm{s}} \to \mathrm{S}\left[\mathrm{STATE}\right]$                            // S-box               ${\mathrm{STATE}}_{\mathrm{p}1}\to \mathrm{P}\left[{\mathrm{STATE}}_{\mathrm{s} \mathrm{high}}\right]$              // High 32-bit P-box               ${\mathrm{STATE}}_{\mathrm{p}2} \to \mathrm{P}\left[{\mathrm{STATE}}_{\mathrm{s} \mathrm{low}}\right]$            // Low 32-bit P-box               ${\mathrm{STATE}}_{\mathrm{round} \mathrm{cipher}} \to {\mathrm{STATE}}_{\mathrm{p}1}+{ \mathrm{STATE}}_{\mathrm{p}2}$ $\mathit{e}\mathit{n}\mathit{d} \mathit{f}\mathit{o}\mathit{r}$ $C_{64} \to STATE \oplus K^{17}$

3.4. Key Schedule of 80- and 128-Bit Key Size

The key scheduling algorithm is one of the most crucial parts of any cryptographic scheme; it determines the cipher’s intricacy. Cryptography has undoubtedly evolved since the days of Kerckhoff. The key schedule of SLA is inspired by the key schedule of PRESENT [17]. No attacks have been reported to date on the PRESENT scheme key scheduling. The SLA scheme key scheduling has a total of 16 sub-keys with a 64-bit key size.

• Scheduling of 80-bit key

The key register KEY contains the 80-bit key provided by the user, specified as $\mathrm{KEY}={ \mathrm{k}}_{79}{\mathrm{k}}_{78}\cdots {\mathrm{k}}_0$. From round $\mathrm{i}$, the 64-bit sub-keys least significant bit (LSB), ${\mathrm{K}}_{\mathrm{i}}={ \mathrm{k}}_{63}{\mathrm{k}}_{62}\cdots {\mathrm{k}}_0$ obtained in (2):

$${\mathrm{K}}^{\mathrm{i}}={ \mathrm{k}}_{63}{\mathrm{k}}_{62}\cdots {\mathrm{k}}_0$$

(2)

The register KEY is updated after obtaining the 64-bit key in (3–5):

$$\mathrm{KEY}<<<13;$$

(3)

$$\left[{\mathrm{k}}_3{\mathrm{k}}_2{\mathrm{k}}_1{\mathrm{k}}_0\right]=\mathrm{S}\left[{\mathrm{k}}_3{\mathrm{k}}_2{\mathrm{k}}_1{\mathrm{k}}_0\right];$$

(4)

$$\left[{\mathrm{k}}_{63}{\mathrm{k}}_{62}{\mathrm{k}}_{61}{\mathrm{k}}_{60}{\mathrm{k}}_{59}\right]=\left[{\mathrm{k}}_{63}{\mathrm{k}}_{62}{\mathrm{k}}_{61}{\mathrm{k}}_{60}{\mathrm{k}}_{59}\right]⨁{ \mathrm{RC}}^{\mathrm{i}}$$

(5)

For 0 to 16 rounds, five bits of the round counter $\mathrm{i}$ are XOR-ed with the five bits of key register KEY, i.e., from ${\mathrm{k}}_{59}$ to ${\mathrm{k}}_{63}$.

2.

Scheduling of 128-bit key

The key register KEY contains the 128-bit key provided by the user, specified as $\mathrm{KEY}={\mathrm{k}}_{127}{\mathrm{k}}_{126}\cdots {\mathrm{k}}_0$. From the round $\mathrm{i}$, 64-bit sub-keys least significant bit (LSB), ${\mathrm{K}}_{\mathrm{i}}={\mathrm{k}}_{63}{\mathrm{k}}_{62}\cdots {\mathrm{k}}_0$ obtained in (6):

$${\mathrm{K}}^{\mathrm{i}}={\mathrm{k}}_{63}{\mathrm{k}}_{62}\cdots {\mathrm{k}}_0$$

(6)

The register KEY is updated after obtaining the 64-bit key obtained in (7–10):

$$\mathrm{KEY}<<<13;$$

(7)

$$\left[{\mathrm{k}}_3{\mathrm{k}}_2{\mathrm{k}}_1{\mathrm{k}}_0\right]=\mathrm{S}\left[{\mathrm{k}}_3{\mathrm{k}}_2{\mathrm{k}}_1{\mathrm{k}}_0\right];$$

(8)

$$\left[{\mathrm{k}}_7{\mathrm{k}}_6{\mathrm{k}}_5{\mathrm{k}}_4\right]=\mathrm{S}\left[{\mathrm{k}}_7{\mathrm{k}}_6{\mathrm{k}}_5{\mathrm{k}}_4\right];$$

(9)

$$[{\mathrm{k}}_{63}{\mathrm{k}}_{62}{\mathrm{k}}_{61}{\mathrm{k}}_{60}{\mathrm{k}}_{59}]=\left[{\mathrm{k}}_{63}{\mathrm{k}}_{62}{\mathrm{k}}_{61}{\mathrm{k}}_{60}{\mathrm{k}}_{59}\right]⨁{\mathrm{RC}}^{\mathrm{i}}.$$

(10)

3.5. The Decryption Process

The decryption process is the reverse of the encryption procedure. Each layer is reversible. The subkeys are generated in reverse order by the key schedule by using the transformation round keys. The decryption process involves the same number of rounds of encryption, where its processes are performed in each round. They are, however, the reverse of each other. In the add_round_key layer, the inverse is achieved by XORing the same round key to the block. In the S-box, and in the permutation layer, the inverse function is used in the decryption process, using the result that $A⨁A⨁B=B.$

4. Evaluation of SLA Scheme

4.1. Security Evaluation

• Linear cryptanalysis

Linear cryptanalysis [25,26] is one of the most widely used techniques for breaking block ciphers. To evaluate the difficulty of the linear cryptanalysis of the SLA scheme, we present a minimal bound on the number of so-called “active” S-boxes defined in a linear characteristic. Table 3 presents the linear characteristic for the SLA scheme, and Table 4 shows the minimal number of active S-boxes in the linear characteristic.

Theorem 1.

For sixteen rounds of SLA, it features 48 active S-boxes, and a maximum probabilistic bias linear characteristic is$2^{-55}$.

Theorem 1 is formally proved in Appendix C.

Walsh transform. The Walsh transform of the Boolean function $\mathrm{f}:{\mathbb{F}}_2^{\mathrm{n}}\to ℝ$ with $\mathrm{n}-\mathrm{variables}$ is defined as

$$\mathrm{a}\to \mathsf{Ԑ}\left(\mathrm{f}+{\mathsf{\phi }}_{\mathrm{a}}\right)={\displaystyle \sum }_{\mathrm{x}\in {\mathbb{F}}_2^{\mathrm{n}}}{\left(-1\right)}^{\mathrm{f}\left(\mathrm{x}\right)+\mathrm{a}.\mathrm{x}}$$

(11)

The Walsh coefficient of $\mathrm{f}$ at point $\mathrm{a}$ is denoted by the value $\mathsf{Ԑ}\left(\mathrm{f}+{\mathsf{\phi }}_{\mathrm{a}}\right)$, and the Walsh spectrum of $\mathbb{F}$ is denoted by the multiset consisting of all Walsh coefficients of $\mathrm{f}$.

Walsh transform. The bias (aka, correlation or imbalance) of a Boolean function $\mathrm{f}$ with $\mathrm{n}-\mathrm{variables}$ is defined as

$$\mathsf{Ԑ}\left(\mathrm{f}\right)={\displaystyle \sum }_{\mathrm{x}\in {\mathbb{F}}_2^{\mathrm{n}}}{\left(-1\right)}^{\mathrm{f}\left(\mathrm{x}\right)}=2^{\mathrm{n}}-2𝓌𝓉\left(\mathrm{f}\right)$$

(12)

$\mathrm{In} \mathrm{other} \mathrm{words},$

$${\mathrm{Pr}}_{\mathrm{X}}\left[\mathrm{f}\left(\mathrm{X}\right)=1\right]=\frac{𝓌𝓉\left(\mathrm{f}\right)}{2^{\mathrm{n}}}=\frac{1}{2}(1-\frac{\mathsf{\epsilon }\left(\mathrm{f}\right)}{2^{\mathrm{n}}})$$

(13)

2.

Differential Cryptanalysis

Differential cryptanalysis [26,27] is the main form of attack on symmetric block ciphers. Differential paths are formed by considering the differences between inputs and outputs with a high probability for each round. The S-box where the differences between the inputs or the outputs are nonzero is called the active S-box. SLA presents a minimal bound on the number of so-called “active” S-boxes defined in a differential characteristic to assess the hardness of the SLA scheme differential cryptanalysis.

Appendix E shows the linear/differential relations SLA scheme S-box. Table 5 shows the differential characteristics SLA scheme, and Table 6 shows the minimal number of active S-boxes in the differential characteristic.

Theorem 2.

For sixteen rounds of SLA, it features 48 active S-boxes, and a maximum probabilistic differential characteristic for the sixteen rounds is $2^{-96}$.

Theorem 2 is formally proved in Appendix D.

Autocorrelation. The autocorrelation transform taken concerning to $\mathrm{a}\in {\mathbb{F}}_2^{\mathrm{n}}$, of Boolean function $\mathrm{f}$ with $\mathrm{n}-\mathrm{variable}$ is denoted by ${\hat{\mathrm{r}}}_{\mathrm{f}}\left(\mathrm{a}\right)$ and defined as (14):

$${\hat{\mathrm{r}}}_{\mathrm{f}}\left(\mathrm{a}\right)={\displaystyle \sum }_{\mathrm{x}\in {\mathbb{F}}_2^{\mathrm{n}}}{\left(-1\right)}^{\mathrm{f}\left(\mathrm{x}\right)⨁\mathrm{f}\left(\mathrm{x}⨁\mathrm{a}\right)}$$

(14)

Differential uniformity. Given differential uniformity for any vectorial Boolean function $\mathbb{F}\in {Ƒ}_{\mathrm{n},\mathrm{m}}$ for any $\mathrm{a}\in {\mathbb{F}}_2^{\mathrm{n}}$ into $\mathrm{b}\in {\mathbb{F}}_2^{\mathrm{m}}$, we defined in (15):

$$\mathsf{\delta }\left(\mathrm{a},\mathrm{b}\right)=\#\left\{\mathrm{x}\in {\mathbb{F}}_2^{\mathrm{n}} :\mathrm{S}\left(\mathrm{x}+\mathrm{a}\right)+\mathrm{S}\left(\mathrm{x}\right)=\mathrm{b}\right\}$$

(15)

Then, the differential spectrum of $\mathbb{F}$ is the multi-set $\left\{\mathsf{\delta }\{\mathrm{a},\mathrm{b});\mathrm{a}\in {\mathbb{F}}_2^{\mathrm{n}}\backslash \{0\right\};\mathrm{b}\in {\mathbb{F}}_2^{\mathrm{m}}\}$, and its maximum (16):

$${\mathsf{\delta }}_{\mathbb{F}}={}_{ \mathrm{a}\ne 0,\mathrm{b}}{}^{\max } \mathsf{\delta }\left(\mathrm{a},\mathrm{b}\right)$$

(16)

3.

Algebraic degree. An algebraic degree of a vectorial Boolean function $\mathbb{F}\in {Ƒ}_{\mathrm{n},\mathrm{m}}$ is the number of variables in the longest item of its ANF, denoted by $\mathsf{Ɗ}\mathsf{Ɛ}\mathcal{G}\left(\mathbb{F}\right)$ [28].

Nonlinearity. The nonlinearity of Boolean function $\mathrm{f}\in {\mathbb{F}}_{\mathrm{m}}$ is defined as the Hamming distance between $\mathrm{f}$ and the set ${\mathcal{A}}_{\mathrm{n}}$ of all affine functions (or linear) [29] in (17)

$$\mathcal{N}{ℒ}_{\mathrm{f}}={}_{\mathsf{\phi }\in {\mathcal{A}}_{\mathrm{n}}}{}^{\min } 𝓌𝓉\left(\mathrm{f}⨁\mathsf{\phi }\right)$$

(17)

4.

Nonlinearity. The nonlinearity of the vectorial Boolean function $\mathbb{F}\in {ℱ}_{\mathrm{n},\mathrm{m}}$ is the minimal of all component functions of $\mathbb{F}$ [28], and the Walsh spectrum is used to calculate it in the manner outlined below in (18):

$$\mathcal{N}ℒ\left(\mathbb{F}\right)={}_{\mathrm{b}\ne 0\in {\mathbb{F}}_{\mathrm{m}}}{}^{\min } \mathcal{N}ℒ\left(\mathrm{b},\mathbb{F}\right)=2^{\mathrm{n}-1}-\frac{1}{2}\max \left(\mathrm{WS}\left(\mathrm{a},\mathrm{b}\right)\right)$$

(18)

5.

Correlation Immunity. The correlation immunity of a Boolean function $\mathrm{f}\in {\mathbb{F}}_{\mathrm{n}}$ is defined as a measurement of how uncorrelated outputs are with a certain subset of its inputs. If $\mathrm{f}$ is balanced, and $\mathrm{t}-\mathrm{C}ℐ$, then so-called $\mathrm{t}-\mathrm{resilient}$ [30]. This criterion is from the Walsh spectrum in the manner outlined in (19):

$${\widehat{\mathsf{\theta }}}_{\mathbb{F}}\left(\mathrm{a},\mathrm{b}\right)=0, \forall \mathrm{a}\ne 0\in {\mathbb{F}}_{\mathrm{n}},1\le 𝓌𝓉\le \mathrm{t},\forall \mathrm{b}\ne 0\in {\mathbb{F}}_{\mathrm{m}}$$

(19)

6.

Balancedness. The vectorial Boolean function $\mathbb{F}\in {ℱ}_{\mathrm{n},\mathrm{m}}$ is balanced if its outputs are distributed uniformly over ${\mathbb{F}}_2^{\mathrm{m}}$. According to the Walsh Spectrum, this property is evaluated as follows [31]:

$${\widehat{\mathsf{\theta }}}_{\mathbb{F}}\left(0,\mathrm{b}\right)=0, \forall \mathrm{b}\ne 0\in {\mathbb{F}}_{\mathrm{m}}$$

(20)

7.

Algebraic immunity. Algebraic immunity of a Boolean function $\mathrm{f}\in {\mathbb{F}}_{\mathrm{n}}$ is defined as the least degree of all annihilators of $\mathrm{f}$ or $1+ \mathrm{f}$ is designated by notation $(\mathcal{A}ℐ\left(\mathrm{f}\right))$ [32,33,34].

8.

Global avalanche criterion (GAC). The global avalanche criterion is presented through two indicators [35].

First, the $\mathrm{absolute} \mathrm{indicator}$, denoted by $\mathrm{MAXAC}$.

$${\mathrm{AC}}_{\max }\left(\mathbb{F}\right)=\max \left(\left|\mathrm{AC}\left(\mathbb{F}\right)\left(\mathrm{a},\mathrm{b}\right)\right|\right)\forall \mathrm{a}\ne 0\in {\mathbb{F}}_{\mathrm{n}}, \forall \ne 0\in {\mathbb{F}}_{\mathrm{m}}$$

(21)

Second, the $\mathrm{sum}-\mathrm{of}-\mathrm{squares} \mathrm{indicator}$, denoted by $\mathsf{\sigma }$.

$$\mathsf{\sigma }\left(\mathbb{F}\right)={{\displaystyle \sum }}_{\left(\mathrm{a},\mathrm{b}\right)\in {\mathbb{F}}_{\mathrm{n}}\mathrm{x}{\mathbb{F}}_{\mathrm{m}}}\mathrm{AC}\left(\mathbb{F}\right){\left(\mathrm{a},\mathrm{b}\right)}^2=\frac{1}{2^{\mathrm{n}}}{{\displaystyle \sum }}_{\left(\mathrm{a},\mathrm{b}\right)\in {\mathbb{F}}_{\mathrm{n}}\mathrm{x}{\mathbb{F}}_{\mathrm{m}}}\mathrm{WS}\left(\mathbb{F}\right){\left(\mathrm{a},\mathrm{b}\right)}^4$$

(22)

When cryptographic functions have achieved low values of both indicators, they reach the best diffusion.

9.

Propagation criterion. The propagation criterion of vectorial Boolean function $\mathbb{F}\in {ℱ}_{\mathrm{n},\mathrm{m}}$ satisfies the $𝒫\mathrm{C}\left(\mathrm{l}\right).$ This property is from the Walsh spectrum in the manner outlined below [36,37]:

$${\mathrm{r}}_{\mathbb{F}}\left(\mathrm{a},\mathrm{b}\right)=0, \forall \mathrm{a}\in {\mathbb{F}}_{\mathrm{n}}, 1\le 𝓌𝓉\le \mathrm{l}, \forall \mathrm{b}\ne 0\in {\mathbb{F}}_{\mathrm{m}}$$

(23)

10.

Linear potential. The linear potential of a vectorial Boolean function $\mathbb{F}\in {ℱ}_{\mathrm{n},\mathrm{m}}$ is a metric of linearity that fulfills $2^{-\mathrm{n}}\le ℒ𝒫\le 1$ [38]. Therefore, the upper bound is met when $\mathbb{F}$ is linear or affine, whereas the tight bound holds if and only if $\mathbb{F}$ exhibits maximal nonlinearity ($\mathbb{F}$ is bent), and it is defined as

$$ℒ𝒫\left(\mathbb{F}\right)=\frac{1}{2^{2\mathrm{n}}}. \max (\mathrm{WS}\left(\mathbb{F}\right){\left(\mathrm{a},\mathrm{b}\right)}^2$$

(24)

11.

Differential potential. The differential potential of a vectorial Boolean function $\mathbb{F}\in {ℱ}_{\mathrm{n},\mathrm{m}}$ is a gauge of resistance to differential attack where $2^{-\mathrm{m}}\le \mathcal{D}𝒫\le 1,$ and the lower bound is valid if $\mathbb{F}$ is bent and the upper bound is met when $\mathbb{F}$ is linear or affine, and it is defined as

$$\mathcal{D}𝒫\left(\mathbb{F}\right)=2^{-\mathrm{n}}\mathsf{\delta }\left(\mathbb{F}\right)$$

(25)

12.

Fixpoints and negated-fixpoints. A vectorial Boolean function $\mathbb{F}\in {ℱ}_{\mathrm{n},\mathrm{m}}$ represents the fixpoints of $\mathbb{F}$, that is, $\left\{\mathrm{x}\right|\mathrm{F}\left(\mathrm{x}\right)=\mathrm{x}\}$ and negated-fixpoints of $\mathbb{F}$, that is $\left\{\mathrm{x}\right|\mathrm{F}\left(\mathrm{x}\right)= \overline{\mathrm{x}}\}.$

4.2. The Effect of the Avalanche

A cipher with a strong avalanche effect has a better chance of resisting most possible attacks, since even minor input changes have a big impact on the output. In SLA, by changing just one bit in the plaintext/key bits of the input in SLA, the output was observed. It was observed that more than half of the ciphertext bits are impacted by a single bit change in the SLA cipher’s key. Tables 8 and 9 show the effect of the avalanche. This is the intended outcome in the design of SLA in this paper [39].

4.3. Performance Evaluations

Here, we analyzed the performance of SLA further. Based on the AMD Ryzen 45500U processor with 64-bit 4 GHz, Table 10 provides a thorough comparison between SLA and other contenders.

4.4. Results

An analysis of the probabilistic linear relations shows that the nonlinearity property (item $\mathcal{N}ℒ$ in

Table 2. Comparison with Respect to Cryptographic Criteria of Sbox_Nibble Layer for our design Approach and Mini AES.

Criteria	Lower Bound	Upper Bound	Our S-Box	Mini AES S-Box	Ref.
ƊԐ$𝒢$	0 (constant functions)	$n$	3	2	[40]
$\mathcal{N}ℒ$	0 (affine functions)	$2^{n-1}-2^{\frac{n}{2}-1}\left(\ge 2m and n even\right)$ $2^{n-1}-2^{\frac{n-1}{2}}(n<2m and n odd)$	4	2
$Cℐ$	0	$n$	1	1
S-box Balanced	-	-	Balanced	Balanced
$\mathcal{A}ℐ$	0	[32] ⌈$\frac{n}{2}$⌉	2	2
$MAXAC$	0 (bent functions)	$2^n$(affine functions)	8	16
$\sigma$	$2^{2n}$ (bent functions)	$2^{3n}$ (affine functions)	640	1408
$ℒ\mathcal{D}$	0 (if it has linear structures)	$2^{n-2}$	2	0
$𝓟C$	0	$n$	1	1
$ℒ𝓟$	0.0625 $(2^{-n})$	1	0.25	0.5
$\mathcal{D}𝓟$	0.0625 $\left(2^{-m}\right)$	1	0.25	0.5

) is four, while the highest value for a Sbox_Nibble is six. The linear potential (item $ℒ𝒫$ in Table 2) is 0.25 over the best known for a Sbox_Nibble with four input variables, which is 0.0625. The findings demonstrate that a 4 × 4 Sbox_Nibble Layer offers good resistance to linear attacks.

Investigation and analysis of the probabilistic differential relations of SLA were undertaken to establish its resistance to probabilistic differential attacks. The result shows that the linearity distance Sbox_Nibble (item $ℒ\mathcal{D}$ in Table 2) is two over a maximal value of four. The differential potential (item $\mathcal{D}𝒫$ in Table 2) is identical to 0.25 over the best known for a Sbox_Nibble with four input variables, which is 0.0625. These findings demonstrate that Sbox_Nibble has the best defense against differential attacks.

The robustness of our S-box design compared to the Mini AES S-box is shown in Table 2. For a 4 × 4 S-box, the Mini AES does not provide effective defense against linear attacks. In addition, it does not exhibit the best defense against differential attacks.

The algebraic degree of the Mini AES S-box is two. This number is too low for immunity against high order differential attacks. Consequently, algebraic attacks can be efficiently executed if a multivariate algebraic equations system is solved. The S-box Mini AES’s $\mathrm{absolute} \mathrm{indicator}$ reaches the upper bound of 16 and its $\mathrm{sum}-\mathrm{of}-\mathrm{squares} \mathrm{indicator}$ is close to 4096, hence its inability to achieve a great diffusion. Table 2 provides an overview of the findings for these criteria.

The range of values accepted by the Walsh transform of the Sbox_Nibble are 8, 4, 0, −4, and −8.

The range of values accepted by the linear profile are 64, 16, and 0; the range of values accepted by the differential profile are 1, 024, 512, and 0; finally, the autocorrelation has three levels: 8, 0, and −8.

The results of the linear characteristic and the differential characteristic SLA scheme are shown in

Table 3. Linear Characteristics for the SLA scheme.

Rounds	Input to S-Box	Output of S-Box
First	0000 0000 0008 0000	0000 0000 0003 0000
Second	0000 0000 5000 5000	0000 0000 c000 c000
Third	0360 0060 0300 0360	04b0 00b0 0400 04b0
Fourth	2024 2004 0040 204c	5051 5001 0010 5012

and

Table 4. Minimal Number of Active S-boxes from the Linear Characteristics.

Rounds	Min. No. of Active S-Boxes
First	1
Second	3
Third	9
Fourth	18

.

The results of the minimal number of active S-boxes in the linear and differential characteristics are shown in

Table 5. Differential Characteristics for the SLA scheme.

Rounds	Input-to-S-Box	Output-of-S-Box
First	0000 0000 000e 0000	0000 0000 0009 0000
Second	0000 0000 2000 2000	0000 0000 c000 c000
Third	0360 0060 0300 0360	0840 0040 0800 0840
Fourth	0140 0045 0120 0100	0710 0012 07c0 0700

and

Table 6. Minimal Number of Active S-boxes in the Differential Characteristics.

Rounds	Min. No. of Active S-Boxes
First	1
Second	3
Third	9
Fourth	20

.

The comparison of the linear and differential attack of SLA with the other algorithms is shown in

Table 7. Comparison of Linear and Differential Attacks.

LWC Algorithm	No. of Rounds	No. of Active S-Boxes	No. of Known Plaintext	No. of Chosen Plaintext	Ref.
SLA	16	48	$2^{110}$	$2^{96}$	This paper
BORON	18	48	$2^{98}$	$2^{96}$	[10]
ANU	18	54/48	$2^{110}$	$2^{96}$	[41]
FEW	27	45	$2^{90}$	$2^{90}$	[42]
L-Block	15	32	$2^{66}$	$2^{64}$	[43]
PICCOLO	30	30	$2^{120}$	$2^{120}$	[44]
PRESENT	25	50	$2^{102}$	$2^{100}$	[17]

. The results show that 16 rounds of SLA are secure enough against differential and linear attacks.

By changing just one bit in the input plaintext/key bits, the output seen in

Table 8. The Effect of the Avalanche on SLA-80.

Plaintext	Key	Ciphertext	No. of Bits Altered	Rate
0000 0000 0000 0000	0000 0000 0000 0000 0000	740434f796cff821
	0010 0000 0000 0000 0000	0020313a0c9157ee	34	53%
	0000 0000 0000 0000 0010	bcc58124f3b581de	34	53%

and

Table 9. The Effect of the Avalanche on SLA-128.

Plaintext	Key	Ciphertext	No. of Bits Altered	Rate
0000 0000 0000 0000	0000 0000 0000 0000 0000 0000 0000 0000	858f96a55cc4f107
	0000 0000 0000 0000 0000 0000 0000 0010	48987e3bd2bc193b	34	53%
	0000 8000 0000 0000 0000 0000 0000 0000	00f7818f94a2e296	39	60%

is produced. Each time a bit in the key is changed when using the SLA scheme; over half of the ciphertext bits are also changed.

The SLA scheme is designed in such a way that it provides optimum performance. The performance of SLA and relevant LWC algorithms in software on AMD Ryzen 45500U processor are shown in

Table 10. The Performance of SLA and Relevant LWC Algorithms in Software.

Performance on AMD Ryzen 45500U Processor
Structure	LWC Algorithm	Block Size	Key Size	Execution Time	Block Size	Key Size
SP network	SLA	64	80	0.000659451	97050.44167	1631127
	PRESENT	64	80	0.015804805	4049.401468	238283
	LED	64	64	0.020789735	3078.442315	11398908
	KLEIN	64	64	0.021051668	3040.139201	689344
	AES	128	128	0.016058415	3985.44933	727652
Feistel network	DES	64	56	0.015747033	4064.257677	37362051
	TWINE	64	80	0.02186244	2927.395138	2118524
	SPECK	48	96	0.021938369	2917.2634	228783
	SIMON	48	96	0.02201274	2907.407207	247285
	CLEFIA	128	128	0.022619188	2829.456145	1074972

. Interestingly, the execution times of SLA are small, typically less than 0.000659451 s for all of them, which would fit quite well in current IoT devices. They also require little power to process. SIMON and CLEFIA have the highest execution times of 0.02201274 s and 0.022619188 s, respectively. SLA has the highest throughput of 97,050.44167 kilobytes per second. This performance can further be improved by using faster processors in IoTs.

In the autocorrelation coefficients, the $\mathrm{absolute} \mathrm{indicator}$ for Sbox_Nibble is 8, and for the $\mathrm{sum}-\mathrm{of}-\mathrm{squares} \mathrm{indicator}$ is 640. These results show that Sbox_Nibble obtains a reasonably acceptable diffusion since its $\mathrm{absolute} \mathrm{indicator}$ is closer to the lower bound and is 0 compared to the upper bound, where 16 is. Similarly, the $\mathrm{sum}-\mathrm{of}-\mathrm{squares} \mathrm{indicator}$ has theoretical bounds of 256 and 4096, and is extremely close to the 256 lower bound.

When the cryptographic functions attain lower bound for both indicators, the ideal diffusion will be attained. The nibble S-box is represented using the algebraic normal form (ANF):

$$\begin{array}{l}\mathrm{S}\left({\mathrm{x}}_1\right)=1+{\mathrm{x}}_0+{\mathrm{x}}_2+{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_1+{\mathrm{x}}_1{\mathrm{x}}_2+{\mathrm{x}}_1{\mathrm{x}}_3+{\mathrm{x}}_2{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_1{\mathrm{x}}_2+{\mathrm{x}}_0{\mathrm{x}}_2{\mathrm{x}}_3\\ \mathrm{S}({\mathrm{x}}_2)=1+{\mathrm{x}}_0+{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_1+{\mathrm{x}}_0{\mathrm{x}}_3+{\mathrm{x}}_2{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_1{\mathrm{x}}_2+{\mathrm{x}}_0{\mathrm{x}}_1{\mathrm{x}}_3\\ \mathrm{S}({\mathrm{x}}_3)=1+{\mathrm{x}}_0+{\mathrm{x}}_1+{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_2+{\mathrm{x}}_0{\mathrm{x}}_3+{\mathrm{x}}_1{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_1{\mathrm{x}}_2+{\mathrm{x}}_0{\mathrm{x}}_1{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_2{\mathrm{x}}_3+{\mathrm{x}}_1{\mathrm{x}}_2{\mathrm{x}}_3\\ \mathrm{S}({\mathrm{x}}_4)=1+{\mathrm{x}}_1+{\mathrm{x}}_3+{\mathrm{x}}_1{\mathrm{x}}_2+{\mathrm{x}}_2{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_1{\mathrm{x}}_3+{\mathrm{x}}_0{\mathrm{x}}_2{\mathrm{x}}_3+{\mathrm{x}}_1{\mathrm{x}}_2{\mathrm{x}}_3\end{array}$$

(26)

These forms show that Sbox_Nibble, when compared with others with a maximum algebraic immunity of 2, has an algebraic immunity degree of 3, which is sufficiently high to protect it from higher-order differential attacks. As a result, carrying out algebraic attacks through solving a multivariate algebraic equation system is difficult.

The cipher structure has no visible flaws such as the absence of fixpoints/negated-fixpoints. In addition, a low-level cryptographic algorithm with a rising number of fixpoints or negated-fixpoints lacks the required randomness, so it is not considered to be well designed.

5. Conclusions

This paper has presented SLA, a lightweight scheme. Because SLA is based on the SP-network, it is faster than the Feistel-based cipher. Additionally, the proposed SLA scheme employs a novel encryption method, including finite field multiplication, to construct nonlinear S-box (confusion layer) and the effective one-to-one matrix linear permutation (diffusion layer), which leads to satisfactory security requirements without losing performance efficiency on both execution time and throughput. We exploited properties related to the nonlinear and linear components to design SP network structure. As we designed the SLA, we researched the minimal numbers of active S-boxes and good S-boxes. We also researched the hamming weight calculation for LAT and DDT entries. The proposed SLA design has achieved a small execution time, high throughput, and high level of security. This makes it suitable for small-scale embedded environments such as RFID tags and wireless sensor nodes. Advanced attacks can be used to examine the SLA scheme further. We expect our results to be applied in other domains as well.