Article

SC-SA: Byte-Oriented Lightweight Stream Ciphers Based on S-Box Substitution

by Jun Ye 1,2,* and Yabing Chen 1,2
1 School of Cyberspace Security, Hainan University, Haikou 570228, China
2 Key Laboratory of Internet Information Retrieval of Hainan Province, Haikou 570228, China
* Author to whom correspondence should be addressed.
Symmetry 2024, 16(8), 1051; https://doi.org/10.3390/sym16081051
Submission received: 31 May 2024 / Revised: 24 July 2024 / Accepted: 6 August 2024 / Published: 15 August 2024

Abstract

With the rapid proliferation of the Internet of Things (IoT) in recent years, the number of IoT devices has surged exponentially. These devices collect and transmit vast amounts of data, including sensitive information. Encrypting data is a crucial means to prevent unauthorized access and potential misuse. However, the traditional cryptographic schemes offering robust security demand substantial device resources and are unsuitable for lightweight deployments, particularly in resource-constrained IoT devices. On the other hand, with the automotive industry making strides in autonomous driving, self-driving vehicles are beginning to integrate into people’s daily lives. Ensuring the security of autonomous driving systems, particularly in preventing hacker infiltrations, is a paramount challenge currently facing the industry. An emerging lightweight sequence cipher—aiming to strike a balance between security and resource efficiency—has been proposed in this paper based on S-box substitution and arithmetic addition. The designed security threshold is $2^{80}$. It has been verified that with a slight performance disadvantage, it can reduce memory usage while ensuring the security threshold. The key stream generated by this structure exhibits excellent pseudo-randomness.

1. Introduction

With the advancement of IoT technology, an increasing array of smart devices has become part of our daily lives, including smart homes, smart watches, and smart vehicles. These devices typically have resource constraints, requiring the use of lightweight cryptographic algorithms to ensure device security while efficiently utilizing computational and storage resources. In specific application domains such as wireless sensor networks, medical devices, and industrial control systems, the requirements for cryptographic algorithms are even more stringent. Devices in these domains often have limited resources and require lightweight cryptographic algorithms to meet the demands of security and efficiency. Traditional encryption algorithms typically require significant computational resources and energy consumption. In contrast, lightweight cryptographic algorithms aim to minimize the need for computation and storage resources in their design, thereby enhancing device energy efficiency. For battery-powered mobile and IoT devices, the adoption of lightweight cryptographic algorithms can help achieve a balance in Quality of Service (QoS). Traditional sequence ciphers usually use intricate algorithms and structures, which demand substantial computational resources and time. They also require a significant amount of storage space to store keys, states, intermediate results, and other information. This leads to increased energy consumption in devices due to numerous computations and data access operations. In contrast, lightweight sequence ciphers are specifically designed for resource-constrained environments, providing greater computational efficiency. They can efficiently encrypt and decrypt data using minimal computational resources by simplifying algorithms, reducing key lengths, and minimizing storage space requirements. This effectively reduces device energy consumption and extends battery life. 
While lightweight sequence ciphers aim to achieve simplicity and efficiency in design, they still maintain a high level of security. They undergo thorough evaluation and analysis to defend against common attack methods and provide robust encryption protection to meet the security requirements of resource-constrained environments.

1.1. Problem Description

Symmetric cryptography, as the most widely applied and researched cryptographic scheme in everyday life, plays a crucial role in safeguarding sensitive information during transmission and processing to prevent privacy breaches; however, existing symmetric cryptographic algorithms face several challenges, including high computational complexity, resource consumption, and encryption/decryption latency. These issues stem from the following design structures:
  • Cryptographic algorithms often involve intricate multiplication operations that are challenging to implement;
  • The encryption process in cryptographic algorithms typically necessitates multiple iterations or rounds.
As a result, traditional cryptographic algorithms are ill-suited for deployment on microdevices and resource-constrained IoT devices. Consequently, lightweight cryptography specifically tailored for resource-constrained and low-computing-power devices has emerged. Its primary objective is to reduce the complexity of cryptographic algorithms and minimize encryption/decryption latency and energy consumption in cryptographic deployments. In situations with limited computing power, cryptographic algorithms with higher computational complexity invariably lead to longer encryption latency, resulting in increased time for data processing and transmission.
AES (Advanced Encryption Standard) serves as a typical traditional cryptographic algorithm that employs iterative round functions as design components. Subkeys, generated using the key K as the seed, participate in the iterations of the encryption/decryption process. While such symmetric algorithms exhibit high computational complexity, they provide the required strong security capabilities. In response to the call by NIST for lightweight cryptographic designs and the demand for lightweight cryptography deployments on microdevices and resource-constrained IoT devices, various cryptographic algorithms from different research fields have been proposed and adopted.
To reduce resource consumption, most of these lightweight algorithms utilize static cryptographic components, emphasizing the minimization of cryptographic iterations while ensuring security. The use of dynamic design logic can expedite the reduction in the number of iterations; however, this introduces variable encryption components (units/logic). In such cases, both software and hardware implementations may necessitate more device resources.

1.2. Current Research Status

In the late 1980s and 1990s, to meet practical application needs, A5/1 was applied in the field of mobile communications and known as the GSM encryption algorithm. While the A5/1 algorithm was once considered secure, it has since been proven vulnerable to timing attacks. WG-7 [1] is a cipher designed by Luo et al. in 2010. It is suitable for low-energy devices. It has an 80-bit key length and adopts a filter generator structure design. Its LFSR is defined in the finite field $GF(2^7)$, and the nonlinear filter function uses the WG transformation. However, the filter generator structure is susceptible to fast correlation attacks and algebraic attacks, and WG-7 was quickly attacked after its publication. A2U2 is a lightweight stream cipher proposed by Mathieu et al. in 2011 [2], specifically designed for encrypting RFID electronic tags. It has very low hardware implementation costs, requiring only 284 GE, making it one of the lightest stream cipher algorithms. Abdelraheem et al. [3] significantly reduced the time complexity of real-time key recovery attacks on A2U2 under known plaintext attack patterns to $2^{24}$. This means that attacks against this cipher can recover the entire key within seconds on a personal PC; the A2U2 algorithm has been completely broken. In 2004, the European Science Foundation initiated a cryptography project called the eSTREAM project, aiming to design and evaluate stream cipher algorithms to provide a series of efficient, secure, and reliable stream cipher algorithms to meet various application needs. After multiple rounds of competitions and evaluations, 20 excellent stream cipher algorithms were selected as the official recommended algorithms of the eSTREAM project. Grain-v1 [4] is one of the final seven selected algorithms in the eSTREAM project. It has high security characteristics. The initial version, Grain-v0, had vulnerabilities in the logical structure of its nonlinear feedback function g(·) and nonlinear filter function h(·), which made it susceptible to correlation attacks. However, the Grain structure has received widespread attention and has been proven to be relatively secure. The Trivium algorithm, proposed by Canniere et al. [5], is another excellent candidate algorithm in the eSTREAM project. It combines shift registers and Boolean functions based on block ciphers, providing efficient hardware implementation and strong security. The MICKEY 2.0 algorithm, introduced by Babbage et al. [6], supports configurations with different key lengths and initialization vector lengths, allowing for flexible adjustments according to specific application security requirements. The Gimli algorithm, proposed by Bernstein et al. [7], is a lightweight cipher based on permutations (such as bit-level, byte-level, and column-level permutations). It uses a triple iteration structure to enhance the security of the cipher structure. The Salsa20 algorithm, introduced by Bernstein et al. [8], is a high-speed and secure stream cipher widely used in communication and data protection fields. It has a simple structure, efficient hardware implementation, and provides strong security and resistance against attacks. ChaCha [9] is a variant of the Salsa20 stream cipher. It incorporates parallel and bitwise operations and consists of a matrix permutation operation and an iteration round function in its logical design. It demonstrates efficiency in both hardware and software implementations and offers improved security and resistance against attacks.
Current research in non-lightweight cryptography spans various domains, including traditional stream ciphers, quantum cryptography, and image data encryption. In the realm of traditional stream ciphers, in 2019, Kholidy and colleagues previously proposed “ULTRA GRIDSEC”. This solution also secures data transfer within their newly developed peer-to-peer desktop grid framework “HIMAN”. In [10], the authors analyzed and evaluated the scheme, showed the different factors that affect its performance, covered the scheme’s efficiency from a security perspective, and introduced the experimental results of two encryption algorithms. In the same year, Hell and his team [11] proposed Grain-128AEAD, designed for encrypting and authenticating messages, which incorporates certain improvements to bolster security while complying with the NIST’s standardization requirements. The image encryption technology, based on high-capacity data hiding [12], was proposed by D. Xiao et al. and applies traditional stream ciphers and compression coding encryption, thereby expanding the application of stream ciphers in the field of image encryption. In 2020, Jiao L et al. [13] pointed out that stream ciphers exhibit significant advantages in terms of speed and scale in hardware implementation as cryptographic algorithms. However, with the increasingly complex application environments, challenges are posed to existing cryptographic algorithms, necessitating the development of new and suitable designs. Meanwhile, Liu et al. [14] presented a cipher algorithm, introducing innovation into the field of stream ciphers. In the domain of quantum cryptography, Tanizawa [15] and Futami [16] introduced applications of digital coherent PSK Y-00 quantum stream ciphers and Y-00 quantum-noise randomized stream ciphers. These applications highlight their potential utility in optical communications and physical layer security, underscoring the increasing interest in quantum cryptography for data protection. 
In the field of image data encryption, Khedr and colleagues [17] introduced a new efficient and configurable image encryption structure in 2020, while in 2022, Ding et al. [18] proposed a stream cipher generator based on deep learning for encrypting and decrypting medical images. These developments reflect the growing demand for safeguarding sensitive data, particularly in the domain of medical imaging. In the realm of cryptographic attacks, a new algebraic attack against the Trivium stream cipher was introduced [19]. In terms of research directions, probabilistic constellation shaping for quantum-noise stream key generation was utilized [20], and researchers are exploring stream ciphers for rapid Fully Homomorphic Encryption (FHE) evaluation [21], which holds significant implications for privacy protection and secure computation.

1.3. The Proposal of SC-SA

Linear Feedback Shift Register and Nonlinear Feedback Shift Register are commonly employed structures in stream ciphers. LFSR, rooted in feedback from linear shift registers, updates register bit values through XOR operations between the current state and the linear feedback function output, generating a pseudo-random sequence. Its hardware implementation requires minimal gate circuits, minimizing resource utilization and facilitating high-speed pseudo-random sequence generation.
However, LFSR-generated pseudo-random sequences exhibit periodicity, with the period length determined by the register’s size. Adjusting the register length caters to cipher design requirements. Despite its efficiency, LFSR’s predictability arises from its linear structure, allowing attackers to deduce the initial state and linear feedback function by analyzing the output sequence. Consequently, attackers can reproduce the same pseudo-random sequence.
On the contrary, NFSR introduces nonlinearity into the feedback function, enhancing resistance against attacks compared to LFSR. Complex operations like substitution boxes or Boolean functions contribute to the cryptographic security of the stream cipher. NFSR’s nonlinearity introduces a higher level of confusion and diffusion, complicating sequence analysis and prediction for potential attackers.
The Nonlinear Feedback Shift Register (NFSR) is a cryptographic structure commonly employed in stream cipher designs to augment the complexity and security of cryptographic algorithms. NFSR updates register bit values by executing operations between the current state and a nonlinear function. In contrast to LFSR-based cipher structures, NFSR employs nonlinear feedback functions, rendering the output sequence more challenging to predict. The incorporation of nonlinearity elevates the cipher algorithm’s complexity, rendering linear analysis attacks that exploit linear relationships more difficult to execute. NFSR’s nonlinear characteristics provide robust resistance against linear analysis, thereby enhancing its ability to withstand various attacks.
In stream ciphers, NFSR is frequently utilized to bolster the security of cryptographic algorithms. By introducing nonlinear functions and cascading multiple registers, NFSR enhances cryptographic strength and fortifies the algorithm’s resilience against attacks. Cipher algorithms adopting the LFSR and NFSR structures, such as RC4 [22] and Grain, find widespread use in practical applications. These algorithms carefully select register lengths and nonlinear functions to meet diverse security requirements.
The Feedback with Carry Shift Register (FCSR) shares similarities with NFSR, utilizing a nonlinear function as the feedback function to map the current register state to the subsequent moment’s state. In FCSR, each bit corresponds to a feedback function output, typically a nonlinear Boolean function with arbitrary complexity. The output of each bit undergoes XOR with the corresponding feedback function output, accumulating with a carry bit, serving as the input for the corresponding bit position in the next moment.
In practical applications, combining LFSR and NFSR enhances the security and efficiency of stream ciphers. The incorporation of both linear and nonlinear components in the resulting cipher achieves a balance between computational complexity, security, and resource utilization. This balanced approach provides robust encryption capabilities suitable for a variety of applications.
Lightweight sequence ciphers based on shift registers are better suited for hardware implementation. In software implementation, using 1-bit shifts in shift registers can significantly reduce the cipher’s efficiency. Nonlinear feedback functions in sequence ciphers based on registers also face performance degradation issues in software implementation. Directly porting shift-register-based cipher algorithms to IoT devices is not straightforward due to the underlying heterogeneity in computing architecture and word size. Software-based cipher algorithms exhibit better adaptability to this heterogeneity. By inheriting the design principles of LFSR and Feedback with Carry Shift Register (FCSR), cipher algorithms can be designed for software platforms, leveraging mature cipher algorithm concepts.
While most lightweight ciphers are initially designed for hardware implementation, the escalating trend of heterogeneity in IoT devices poses a significant challenge. These devices utilize diverse processor platforms, architectures, and models, making it difficult to adopt a unified solution that incorporates built-in cryptographic acceleration modules. Moreover, the security of IoT devices is a paramount concern, especially for those lacking built-in cryptographic modules or relying on outdated ones. The inflexibility in deploying lightweight ciphers impedes their ability to fully exploit the advantages of cryptographic design. Designing a lightweight cryptographic algorithm with easy deployability and emphasizing software implementation emerges as an effective solution to tackle security issues such as data information leakage in heterogeneous and resource-constrained IoT devices. The objective of this paper is to design a sequence cipher algorithm (SC-SA) specifically for resource-constrained IoT devices and heterogeneous devices. SC-SA demonstrates superior software implementation performance. Moreover, the cipher algorithm incorporates nonlinear operations and transformations, such as addition and S-box substitution, to enhance resistance against stronger cryptographic attacks. Additionally, SC-SA involves only one round of iteration in the key-stream generation process after the key obfuscation phase, aligning with the requirements of real-time applications.
SC-SA utilizes an 80-bit key length, which strikes a balance between computational complexity and security in cipher design. By default, the user needs to input 80 binary values. If the user wishes to use “characters” as the key, they can be converted using a custom Hash algorithm. This key length can meet the security requirements of the majority of resource-constrained devices. In the key distribution and padding phase of SC-SA, the initial key is used to fill the 8-byte Queue T (bytes in Queue T follow the properties of a queue, where elements enter at the tail and exit at the head), the 1-byte Index Data Group A, and the State Data Group V. The overall logical structure is roughly illustrated in Figure 1.

2. SC-SA Cipher

For real-time applications and resource-constrained IoT devices, choosing a lower value for K is preferable while ensuring security requirements. As shown in Figure 2, the j-th ciphertext block $C_j$ is obtained by mixing the j-th plaintext block $M_j$ with the j-th generated key stream block (State Data Grouping) $V_j$. Please refer to Equation (1) for a detailed explanation of this process.
$$C_j = E_K(m_j) = m_j \oplus V_j, \quad j = 1, 2, \ldots, n \tag{1}$$
The generated key stream (State Data Group V) iteratively updates, with the i-th group vector updated by the (i + 1)-th group vector. The proposed stream cipher consists of two sub-functions:
  • Round Function (RF): when the key is filled in, the cryptographic algorithm enters an iterative operation so that the values stored in the array can be randomized;
  • Update Vector Function (UVF): a vector update is performed for every output of the State Data Group.
This section describes the initialization of the cryptographic key and the key confusion process before generating the key stream. The key confusion process in this paper is referred to as the Round Function (RF), and one round of processing is illustrated in Figure 2 above. In the cryptographic scheme proposed in this paper, the RF needs to iterate 80 times during the key confusion phase to meet the designed cryptographic security strength. In the key stream output phase, described as the Update Vector Function (UVF) in this paper, the processing is depicted in Figure 3.
Round Function (RF): During the initial key padding phase, the 80-bit initial key K is divided into 64 bits, 8 bits, and 8 bits, which are used to pad Queue T, Index Data Group A, and State Data Group V, respectively. Subsequently, iterative processing for key confusion will take place, and the detailed process will be explained in the following text. Let T[i] represent the value of the i-th byte data in the Queue T, V[i] represent the value of the i-th bit in the State Data Group V, A[i] represent the value of the i-th bit in the Address Data Group A, and T[i][j] represent the value of the j-th bit of the i-th byte in the Queue T.
Step 1: When the Index Data Group A and State Data Group V are initialized or updated, the values of the (A + 1)-th and (V + 1)-th numbers in the S-box (with indexing starting from 0) are swapped, denoted as Swap(S[A], S[V]);
Step 2: Through the previous step, the mapping (substitution) relationship represented by the S-box is obfuscated once, and the value of S[V] is used to update the State Data Group V, denoted as V = S[V];
Step 3: Through the previous step, the values in the State Data Group V are updated, and when storing them in the Queue T, they are inserted at the tail of the Queue, T[7]. Before that, make sure to remove and assign the head of the Queue, T[0], to the Index Data Group A, denoted as A = T.pop(), T.push(V);
Step 4: Through the previous step, the values of the Index Data Group A are updated, and the data in the Queue T are updated. In software-implemented cryptographic algorithms, arithmetic addition has a significant advantage in enhancing the nonlinearity of the cipher. The iterative update of the State Data Group V uses arithmetic addition, denoted as V = V⊕A + 0b01111111, where 0b01111111 is binary for 127. In the iterative update of the Index Data Group A, A[0]~A[7] take values from T[0][2], T[1][4], T[2][0], T[3][6], T[4][1], T[5][3], T[6][7], and T[7][5], denoted as A = T[0][2]||T[1][4]||T[2][0]||T[3][6]||T[4][1]||T[5][3]||T[6][7]||T[7][5];
Step 5: If the iteration round is less than or equal to 80, proceed to the first step; otherwise, begin the Update Vector Function (UVF) of the cryptographic algorithm, output the key stream, and perform XOR with plaintext data. Details of the Update Vector Function (UVF) will be explained later. The round function of the cipher is shown in Algorithm 1.
Algorithm 1: Round function of the cipher.
Input: Key K, Substitution Table S
Output: Substitution Table S, Queue T, Address Data Group A, State Data Group V.
procedure RF(K, S)
  T ← K[0..63]
  A ← K[64..71]
  V ← K[72..79]
  for i = 1 to 80 do
    Swap(S[A], S[V])
    V = S[V]
    A = T.pop()
    T.push(V)
    V = V⊕A + 0b01111111
    A = T[0][2]||T[1][4]||T[2][0]||T[3][6]||T[4][1]||T[5][3]||T[6][7]||T[7][5]
  end for
  return S, T, A, V
end procedure
Update Vector Function (UVF):
Step 1: When the iterative processing of the cipher’s Round Function is completed, at this point, the Index Data Group A and State Data Group V are in their updated states. The State Data Group is used as the key stream for encrypting the plaintext sequence. Let C represent the ciphertext and P represent the plaintext. The encryption process can be represented by Formula (2), as follows:
C = P⊕V,
Step 2: During the vector group update process, to make the update process more nonlinear, let the Index Data Group A undergo arithmetic addition with the value 0b10000000, denoted as A = A + 0b10000000, where 0b10000000 is binary for 128;
Step 3: Through the previous step, the values in the Address Data Group A are updated. The value of the State Data Group V serves as the index address for the S-box, and S[A] is inserted at the tail of the Queue T; simultaneously, S[A] is assigned to A. Before that, ensure that the head of the Queue, T[0], is removed and assigned to the State Data Group V, denoted as V = T.pop(), T.push(A);
Step 4: Through the previous step, the values of the Index Data Group A are updated, the data in the Queue T are updated, and the State Data Group is updated as well. Similarly, the iterative update of the State Data Group V uses arithmetic addition, denoted as V = V⊕A + 0b01111111;
Step 5: In the iterative update of the Index Data Group A, A[0]~A[7] take values, respectively, from T[0][2], T[1][4], T[2][0], T[3][6], T[4][1], T[5][3], T[6][7], and T[7][5], denoted as A = T[0][2]||T[1][4]||T[2][0]||T[3][6]||T[4][1]||T[5][3]||T[6][7]||T[7][5].
Check if there are any plaintext sequences left to be encrypted. If so, jump to the first step; otherwise, stop the cipher algorithm. The Update Vector Function (UVF) proposed in this paper is shown in Algorithm 2.
Algorithm 2: The Update Vector Function (UVF) proposed in this paper.
Input: Queue T, Address Data Group A, State Data Group V, Substitution Table S, Plaintext Byte P.
Output: Ciphertext Byte C
procedure UVF(T, A, V, S, P)
 while (P != NULL)
  C = P⊕V
  A = A + 0b10000000
  A = S[A]
  V = T.pop()
  T.push(A)
  V = V⊕A + 0b01111111
  A = T[0][2]||T[1][4]||T[2][0]||T[3][6]||T[4][1]||T[5][3]||T[6][7]||T[7][5]
  return C
 end while
end procedure
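Algorithms 1 and 2 translated into C, as an added example rather than the authors' reference implementation. The S-box values are given in Figure 6, which is not reproduced here, so `S` is filled with a placeholder bijection; the 10-byte key layout, the bit numbering in `gather_index`, and the reading of V = V⊕A + 0b01111111 as (V⊕A) + 127 mod 256 (the form Section 3.2 works with) are assumptions, and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t S[256]; /* substitution table, permuted during RF */
    uint8_t T[8];   /* Queue T: T[0] is the head, T[7] the tail */
    uint8_t A;      /* Index (Address) Data Group A */
    uint8_t V;      /* State Data Group V, the key stream byte */
} scsa_ctx;

/* Constructed sample inputs, not test vectors from the paper. */
static const uint8_t SAMPLE_KEY[10] = {0x00, 0x11, 0x22, 0x33, 0x44,
                                       0x55, 0x66, 0x77, 0x88, 0x99};
static const uint8_t SAMPLE_MSG[] = "sensor-42 temp=21.5C";

/* Remove the head of Queue T, push b at the tail, return the old head. */
static uint8_t queue_shift(uint8_t T[8], uint8_t b) {
    uint8_t head = T[0];
    memmove(T, T + 1, 7);
    T[7] = b;
    return head;
}

/* A = T[0][2]||T[1][4]||T[2][0]||T[3][6]||T[4][1]||T[5][3]||T[6][7]||T[7][5].
 * Assumption: bit j of a byte is (byte >> j) & 1, and A[k] is bit k of A. */
static uint8_t gather_index(const uint8_t T[8]) {
    static const uint8_t pos[8] = {2, 4, 0, 6, 1, 3, 7, 5};
    uint8_t a = 0;
    for (int k = 0; k < 8; k++)
        a |= (uint8_t)(((T[k] >> pos[k]) & 1u) << k);
    return a;
}

/* V = V xor A + 0b01111111, read as (V xor A) + 127 mod 256 (assumption).
 * In C '+' binds tighter than '^', so the parentheses are required. */
static uint8_t mix(uint8_t v, uint8_t a) {
    return (uint8_t)((v ^ a) + 0x7F);
}

/* Key filling, then 80 iterations of the Round Function (Algorithm 1). */
void scsa_init(scsa_ctx *c, const uint8_t key[10]) {
    for (int x = 0; x < 256; x++)
        c->S[x] = (uint8_t)(x * 167 + 13); /* placeholder bijection only */
    memcpy(c->T, key, 8);                  /* key bits 0..63  */
    c->A = key[8];                         /* key bits 64..71 */
    c->V = key[9];                         /* key bits 72..79 */
    for (int i = 0; i < 80; i++) {
        uint8_t t = c->S[c->A];            /* Swap(S[A], S[V]) */
        c->S[c->A] = c->S[c->V];
        c->S[c->V] = t;
        c->V = c->S[c->V];                 /* V = S[V] */
        c->A = queue_shift(c->T, c->V);    /* A = T.pop(); T.push(V) */
        c->V = mix(c->V, c->A);
        c->A = gather_index(c->T);
    }
}

/* One UVF step (Algorithm 2): return the current V, then advance A, T, V. */
uint8_t scsa_next(scsa_ctx *c) {
    uint8_t ks = c->V;
    c->A = c->S[(uint8_t)(c->A + 0x80)];   /* A = A + 128; A = S[A] */
    c->V = queue_shift(c->T, c->A);        /* V = T.pop(); T.push(A) */
    c->V = mix(c->V, c->A);
    c->A = gather_index(c->T);
    return ks;
}

/* C = P xor V for every byte; the same call decrypts. */
void scsa_crypt(scsa_ctx *c, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ scsa_next(c);
}

/* The swaps in RF must leave S a permutation of 0..255. */
int scsa_sbox_is_permutation(const scsa_ctx *c) {
    uint8_t seen[256] = {0};
    for (int x = 0; x < 256; x++)
        if (seen[c->S[x]]++) return 0;
    return 1;
}

/* Encrypt, then decrypt with a fresh context; 1 if the plaintext returns. */
int scsa_roundtrip_ok(const uint8_t key[10], const uint8_t *msg, size_t n) {
    uint8_t ct[64], pt[64];
    scsa_ctx enc, dec;
    if (n > sizeof ct) return 0;
    scsa_init(&enc, key);
    scsa_crypt(&enc, msg, ct, n);
    scsa_init(&dec, key);
    scsa_crypt(&dec, ct, pt, n);
    return scsa_sbox_is_permutation(&enc) && memcmp(pt, msg, n) == 0;
}

int main(void) {
    int ok = scsa_roundtrip_ok(SAMPLE_KEY, SAMPLE_MSG, sizeof SAMPLE_MSG - 1);
    printf("round trip ok: %d\n", ok);
    return 0;
}
```

Neither algorithm takes an IV or nonce as input, so two messages encrypted under the same key receive the same key stream.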
S-box is the main nonlinear component in the cryptographic scheme proposed in this paper, and linear fractional transformation (LFT) is one of the most commonly used mapping methods. However, generating dynamic S-boxes using LFT is complex and time-consuming, making it less suitable for lightweight cipher algorithm design. By modifying the cubic fractional transformation (CFT) function [23] proposed by Zahid et al., as shown in Formula (3), and using it as the S-box random generator Random () followed by screening the generated S-boxes, a well-performing S-box can be obtained.
$$C(z) = \frac{1}{\alpha \cdot z^{3} + \beta} \bmod \left(2^{n} + 1\right), \quad \alpha, \beta, z \in \mathbb{Z} \tag{3}$$
After transforming Equation (3) into operations in $GF(2^8)$ with n = 8, the specific implementation flowchart is shown in Figure 4. The S-box generation process, by setting different parameters, will be used to generate S-boxes randomly.
The S-box used in the cryptographic algorithm proposed in this paper is generated from Figure 5. The specific values of the S-box are listed in Figure 6.
An S-box is a way to substitute bits in plaintext by mapping input bits to output bits, performing both confusion and diffusion functions. Confusion ensures that there is no apparent relationship between the input and output, making the cipher algorithm more difficult to crack. A well-designed S-box in cryptography should possess good nonlinearity, uniformity, and other cryptographic characteristics. Next, this paper will analyze the S-box proposed in this paper.
  1. Bijectiveness
In cryptography, bijectiveness refers to the property of a cryptographic function or transformation being both injective and surjective.
A bijective cryptographic function ensures a one-to-one correspondence between the input and output, providing reversible mapping. Bijectiveness helps ensure the security and integrity of cryptographic operations, such as encryption and decryption, by allowing a clear and unique relationship between plaintext and ciphertext;
  2. Differential Probability
In cryptography, an S-box is often crucial in block cipher algorithms. The concept of “Differential Probability” is related to the probability of a specific difference in the input affecting a particular difference in the output of an S-box. Differential Cryptanalysis is a technique used to analyze the differences between pairs of plaintexts and their corresponding ciphertexts. It explores how changes in the input (plaintext) affect the changes in the output (ciphertext). Differential Cryptanalysis is particularly applicable to block ciphers. Differential probability measures the likelihood of a particular difference in the input leading to a specific difference in the output of the S-box. In other words, it quantifies the probability of a specific “input difference → output difference” scenario. High differential probability indicates that a distinct difference in input bits is likely to result in a particular difference in the output bits with high probability. Cryptographic designers aim to create S-boxes with low differential probabilities to enhance security. A lower differential probability makes it more difficult for attackers to exploit differences in plaintexts to deduce information about the key or the internal state of the cryptographic algorithm. Designing S-boxes with good differential properties is critical to creating secure block ciphers. In the cryptographic scheme proposed in this paper, the S-box used has a maximum differential probability of 5/128, indicating good differential characteristics, as calculated using Formula (4).
$$\Delta p(\Delta x, \Delta y) = \frac{\left|\{a \mid S(a \oplus \Delta x) \oplus S(a) = \Delta y\}\right|}{2^{n}} \tag{4}$$
  3. Walsh Spectrum of S-box
Let $F: \mathbb{F}_2^n \to \mathbb{F}_2^m$; then $W_F(u, v) = \sum_{x \in \mathbb{F}_2^n} (-1)^{u \cdot x \oplus v \cdot F(x)}$ is called the Walsh Spectrum of $F$, where $u \in \mathbb{F}_2^n$ and $v \in \mathbb{F}_2^m \setminus \{0\}$. In fact, the Walsh Spectrum of a Boolean function $F$ indicates the degree of approximation between $F$ and a linear function, so $W_F(u, v)$ represents the degree of approximation between the component function $v \cdot F(x)$ of $F$ and the linear function $u \cdot x$. The value of the Walsh transform at the point $(u, v)$ is called the Walsh coefficient of $F$ at $(u, v)$.
The Walsh Spectrum of the S-box is an important step in calculating the nonlinearity of the S-box;
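  4. Nonlinearity of S-box
Let $F: \mathbb{F}_2^n \to \mathbb{F}_2^m$; then, the linearity of $F$ is the maximum linearity of the non-trivial component functions set $\{F_\lambda \mid \lambda \in \mathbb{F}_2^m \setminus \{0\}\}$:
$$L(F) = \max_{\lambda \in \mathbb{F}_2^m \setminus \{0\}} L(F_\lambda) = \max_{u \in \mathbb{F}_2^n,\ v \in \mathbb{F}_2^m \setminus \{0\}} \left|W_F(u, v)\right| \tag{5}$$
Let $F: \mathbb{F}_2^n \to \mathbb{F}_2^m$; then, the nonlinearity of $F$ is the minimum nonlinearity of the non-trivial component functions set $\{F_\lambda \mid \lambda \in \mathbb{F}_2^m \setminus \{0\}\}$:
$$N_L(F) = \min_{\lambda \in \mathbb{F}_2^m \setminus \{0\}} N_F(F_\lambda) = 2^{n-1} - \frac{1}{2} L(F) \tag{6}$$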
Using Equations (5) and (6), the nonlinearity of the S-box proposed in this scheme can be calculated to be 96;
  5. Other characteristics of the S-box
By calculating the nonlinearity, return period, and differential uniformity of the S-box, we obtain a nonlinearity degree of 7, a return period of 256, and a differential uniformity of 10.
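The checks from items 1 to 4 as added example code (not from the paper): bijectiveness, differential uniformity following Formula (4), and linearity and nonlinearity following Equations (5) and (6). The paper's S-box values are in Figure 6 and are not reproduced here, so the AES S-box, whose differential uniformity of 4 and nonlinearity of 112 are well known, stands in as the input; all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial). */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (; b; b >>= 1) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
    }
    return p;
}

/* Stand-in input: the AES S-box, built as field inversion plus affine map. */
const uint8_t *aes_sbox(void) {
    static uint8_t S[256];
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0; /* 0 has no inverse and maps to 0 */
        for (int y = 1; y < 256 && x; y++)
            if (gf_mul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        uint8_t s = inv;
        for (int k = 1; k <= 4; k++) /* xor of the four left rotations */
            s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
        S[x] = s ^ 0x63;
    }
    return S;
}

/* Bijectiveness: every output value occurs exactly once. */
int sbox_is_bijective(const uint8_t S[256]) {
    uint8_t seen[256] = {0};
    for (int x = 0; x < 256; x++)
        if (seen[S[x]]++) return 0;
    return 1;
}

/* Differential uniformity: the largest numerator of Formula (4) over all
 * nonzero input differences; dividing by 2^n = 256 gives the maximum DP. */
int sbox_differential_uniformity(const uint8_t S[256]) {
    int best = 0;
    for (int dx = 1; dx < 256; dx++) {
        int row[256] = {0};
        for (int a = 0; a < 256; a++) {
            int dy = S[a ^ dx] ^ S[a];
            if (++row[dy] > best) best = row[dy];
        }
    }
    return best;
}

static int parity(unsigned x) {
    x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return (int)(x & 1u);
}

/* Linearity, Equation (5): max |W_F(u, v)| over all u and nonzero v. A fast
 * Walsh-Hadamard transform yields W_F(u, v) for all u at once for each v. */
int sbox_linearity(const uint8_t S[256]) {
    int best = 0;
    for (int v = 1; v < 256; v++) {
        int w[256];
        for (int x = 0; x < 256; x++)
            w[x] = parity((unsigned)(v & S[x])) ? -1 : 1;
        for (int h = 1; h < 256; h <<= 1)
            for (int i = 0; i < 256; i += 2 * h)
                for (int j = i; j < i + h; j++) {
                    int a = w[j], b = w[j + h];
                    w[j] = a + b;
                    w[j + h] = a - b;
                }
        for (int u = 0; u < 256; u++)
            if (abs(w[u]) > best) best = abs(w[u]);
    }
    return best;
}

/* Nonlinearity, Equation (6): 2^(n-1) - L(F)/2 with n = 8. */
int sbox_nonlinearity(const uint8_t S[256]) {
    return 128 - sbox_linearity(S) / 2;
}

int main(void) {
    const uint8_t *S = aes_sbox();
    printf("bijective=%d DU=%d L=%d NL=%d\n", sbox_is_bijective(S),
           sbox_differential_uniformity(S), sbox_linearity(S),
           sbox_nonlinearity(S));
    return 0;
}
```

For comparison with the figures reported above, a differential uniformity of 10 corresponds to a maximum differential probability of 10/256 = 5/128, and a nonlinearity of 96 corresponds to a linearity of 64.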

3. Security Analysis

3.1. NIST Randomization Test

Using all-zero as the key, the generated 20 MB key stream data were analyzed using the NIST suite, and the results are as follows (Table 1). The analysis of the key stream generated from the initial key, along with the NIST randomness tests, reveals that the tested random number sequence successfully passed all 15 conducted tests, indicating a high level of randomness and security.
The NIST randomness test suite includes 15 tests—Frequency, BlockFrequency, CumulativeSums, Runs, LongestRun, Rank, FFT, NonOverlappingTemplate, OverlappingTemplate, Universal, ApproximateEntropy, RandomExcursions, RandomExcursionsVariant, Serial, and LinearComplexity—designed to assess binary sequences’ randomness by checking proportions, cumulative sums, runs, longest runs, linear dependence, periodic patterns, template matches, compressibility, complexity, and deviations in random walks.
In summary, the results of these NIST randomness tests, with pass proportions of 98~100 per 100 sequences, collectively suggest that the tested random number sequence exhibits high levels of randomness and security. This conclusion stems from the sequence’s success in passing all 15 tests, reflecting its ability to resist attacks and protect sensitive information, making it suitable for cryptographic applications.

3.2. Key Recovery Security

Assuming the last key stream output is denoted as $E_0$, the previously output key streams are represented as $E_1, E_2, \ldots, E_i$, where $E_i$ represents the data of the key stream output second to last. The 8-byte blocks represented in the Data Group T are denoted as $T_0, T_1, \ldots, T_7, T_8$, where $T_0$ represents the byte that is about to be dequeued from the T array; and $T_8$ represents the byte that is about to be enqueued at the end of the T array. The following is known:
T 0 T 8 + 127 = E 0 T 1 T 7 + 127 = E 1 . . . T 6 T 2 + 127 = E 6 T 7 T 1 + 127 = E 7 T 8 T 0 + 127 = E 8 ,
Taking the XOR of $T_i$ and $E_i$ in the field $GF(2^8)$ yields the following:
( T 0 T 8 + 127 ) ( T 8 T 0 + 127 ) = E 0 E 8 ,
In the worst-case scenario, if the value of the sum T 0 T 8 + 127 , T 8 T 0 + 127   a n d   T 16 + T 8 +127 is less than 256—that is, the sum T 0 T 8 , T 8 T 0 and T 16 + T 8 is less than or equal to 128, then E i = E i 127 —the formula can be simplified as follows.
$$\begin{cases} T_0 + T_8 = E_0 \\ T_{16} + T_8 = E_{16} \\ T_8 + T_0 = E_8 \end{cases}$$
Since $E_0$, $E_{16}$ and $E_8$ are known, the aforementioned formula can be considered to have four unknowns and three equations, with no exact solution.

3.3. The Probability of Index Swapping during the RF Phase Analysis

The RC4 algorithm has long been known to have security flaws, such as the weak key problem, and it no longer meets the security thresholds it was designed for. These issues are caused by biases in the key scheduling algorithm (KSA) that propagate through the Glimpse theorem. If the corresponding biases in the KSA can be eliminated, the biases in the key stream will also disappear. Under these circumstances, RC4+ [24] and its variants were proposed, but they have security issues similar to those of RC4. SC-SA does not aim to become a variant of the RC4 algorithm, but since its design ideas are similar, it should avoid similar attacks.
In sequence cipher algorithms similar to RC4, the probability of using index values to swap values inside the S-box is an important basis for measuring the security of the Key Scheduling Algorithm (KSA). If index values are used frequently, biases are likely to occur. SC-SA adopts a design approach similar to RC4, where the indices used for swapping values in the RF phase are A and V. Under ideal security conditions, the values of A and V differ across the 80 iterations, meaning each index is swapped only once, at which point the cipher’s security is at its highest. Using 10,000 randomly generated keys, the probability of the number of swapped positions in the S-box under different keys was calculated for SC-SA, as shown in Figure 7. It is evident that the SC-SA cipher algorithm provides a confusion capability of at least $115!$, which is significantly higher than the security protection capability of $2^{80}$.

3.4. Avalanche Effect Analysis

Avalanche effect testing is used in cryptographic testing to evaluate the confusion properties of encryption algorithms. A good encryption algorithm should have the characteristic that a small change in the input plaintext (such as changing one bit) will lead to a significant change in the output ciphertext. By verifying the sensitivity and randomness of the cryptographic algorithm, the security of the encryption is ensured.
The test uses 10,000 random keys to generate 10,000 key sequences of 10 MB each; the smaller the dataset tested, the greater the test error. A 10 MB key sequence can meet the encryption needs of most IoT devices. One bit in each encryption key is then randomly modified, the modified keys are used to generate the corresponding 10,000 key sequences of 10 MB, and the number of changed bits in these 10,000 pairs of sequence streams is calculated. The avalanche test flowchart is shown in Figure 8. The results are shown in Table 2. According to the table, the vast majority achieve a change rate of 49.5% to 50.5%, indicating the excellent avalanche effect of SC-SA.

3.5. Differential Analysis

The SC-SA encryption algorithm draws on the design concepts of block cipher algorithms for designing stream cipher algorithms. During differential analysis, we can refer to the differential analysis methods of block cipher algorithms that use S-boxes, specifically by calculating the number of active S-boxes. In Section 2, it is stated that the maximum differential probability of the S-box is 10/256. During the 80 iterations, the diffusion layer is mainly composed of shifts and XOR operations, while the confusion layer is composed of S-box substitutions and modular addition. The number of linear diffusion branches in the iterative process is conservatively set to four. Considering the worst-case scenario, each swap of the S-box increases the maximum differential probability of the S-box. Given an S-box return period of 256, the differential probability increases by 2R/256 after each iteration. We can calculate the number of active S-boxes and the maximum linear differential probability. Let the number of rounds be R, where R ∈ [1,80]. The maximum differential probability of the S-box in the R-th iteration is $(10 + 2(R - 1))/256^{1 + 4(R - 1)}$. The differential probabilities after iteration are shown in Table 3.
With the advantage of a large S-box, SC-SA can resist differential attacks after multiple iterations.

3.6. Randomness Testing

3.6.1. An 80-Bit Key Avalanche

The 1024-bit key sequence generated using an all-zero key, represented in hexadecimal, is as follows:
“D1 33 A6 F6 64 6A E6 91 C6 A4 2E 01 B6 68 21 F7 EA 30 72 3F 05 0D BD AD 74 5E A3 C4 0F 6C A8 FF 5B 42 E7 AB 80 9A 2B 32 56 8A 2B E2 39 70 BB 1D 82 1C EC 10 A7 30 30 26 C9 3E 06 1A CE BF 26 A8 F1 FA 2F 6E 4D A6 8B 54 AA 35 4B 3B 85 BA 1D 24 46 5B 24 24 BD 3D 82 F7 26 32 25 8D D8 83 60 0D 3C 84 D9 86 8A B8 35 FB E7 54 A0 53 00 BE 8C DF B6 6B 13 06 33 06 E1 6F C1 AE B3 14 66 16 2C 14”
To test how a single bit change in the key affects the ciphertext, a fixed plaintext of all zeros (1,048,576 bits) is used. A random 80-bit key is generated. For each random key, the fixed plaintext is encrypted using the original random key to obtain the original ciphertext. For each position i from 1 to 80, the i-th bit of the original key is flipped to generate a perturbed key. The fixed plaintext is encrypted with the perturbed key to obtain the perturbed ciphertext. The XOR result of the original and perturbed ciphertexts forms the derived block. This process results in 6400 binary sequences, each containing 1,048,576 bits (128 KB).
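The key-avalanche procedure of Sections 3.4 and 3.6.1 (flip one key bit, regenerate the stream, XOR the two streams, count changed bits and bin the change rate as in Table 2) can be scripted as below. This is an added example, not the authors' code: SC-SA itself is not implemented here, so `shake_keystream` (SHAKE-128) stands in as an assumed keystream generator, `repeating_keystream` is a constructed weak generator for contrast, and the stream lengths are shortened from the paper's sizes.

```python
import hashlib
from collections import Counter

KEY_BITS = 80  # SC-SA key size stated in the paper


def flip_bit(key: bytes, i: int) -> bytes:
    """Return a copy of key with bit i inverted (bit 0 = MSB of byte 0)."""
    out = bytearray(key)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)


def derived_block(a: bytes, b: bytes) -> bytes:
    """XOR of the original and perturbed streams (Section 3.6.1)."""
    return bytes(x ^ y for x, y in zip(a, b))


def change_rate(a: bytes, b: bytes) -> float:
    """Fraction of bit positions that differ between two equal-length streams."""
    ones = sum(bin(x).count("1") for x in derived_block(a, b))
    return ones / (8 * len(a))


def table2_bin(rate: float) -> str:
    """Map a change rate onto the Table 2 columns.
    Which bin owns an exact boundary value is a choice made for this example."""
    if rate < 0.49:
        return "<49%"
    if rate < 0.495:
        return "49~49.5%"
    if rate <= 0.505:
        return "49.5~50.5%"
    if rate <= 0.51:
        return "50.5~51%"
    return ">51%"


def key_avalanche(keystream, key: bytes, nbytes: int) -> list:
    """Change rate for each of the 80 single-bit key perturbations.
    With an all-zero plaintext the ciphertext equals the key stream,
    so comparing key streams is the same as comparing ciphertexts."""
    base = keystream(key, nbytes)
    return [change_rate(base, keystream(flip_bit(key, i), nbytes))
            for i in range(KEY_BITS)]


def summarize(rates) -> Counter:
    """Histogram of change rates over the Table 2 bins."""
    return Counter(table2_bin(r) for r in rates)


def shake_keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in generator (assumption): SHAKE-128 output, NOT SC-SA."""
    return hashlib.shake_128(key).digest(nbytes)


def repeating_keystream(key: bytes, nbytes: int) -> bytes:
    """Constructed weak generator: the key repeated, i.e. no diffusion."""
    return (key * (nbytes // len(key) + 1))[:nbytes]


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899")  # constructed sample key
    for name, gen in (("shake", shake_keystream), ("repeat", repeating_keystream)):
        print(name, dict(summarize(key_avalanche(gen, key, 4000))))
```

A generator without diffusion lands entirely in the "<49%" column (one flipped key bit changes exactly 1/80 of the stream), which is the failure this test is designed to expose.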

3.6.2. Random Plaintext and Random 80-Bit Keys

To examine the randomness of the ciphertext generated from random plaintext and random 80-bit keys, 128 sequences are constructed. Each sequence consists of 1,048,576 bits of random ciphertext, generated using 1,048,576 bits of random plaintexts and a random 80-bit key. This process is repeated 128 times, each time using a different random 80-bit key, resulting in 128 binary sequences.

3.6.3. Low-Density 80-Bit Keys

  • Use a fixed plaintext of all zeros (1,048,576 bits);
  • Include an 80-bit key block of all 0s;
  • Obtain 80 key blocks with a single bit set to 1 and the remaining 79 bits set to 0 (each bit position from 1 to 80);
  • Obtain 3160 key blocks with two bits set to 1 and the remaining 78 bits set to 0 (each possible combination of two bits within eighty bits).
Encrypt the fixed plaintext with each of the 3240 keys, resulting in corresponding ciphertext blocks of 1,048,576 bits (128 KB).

3.6.4. High-Density 80-Bit Keys

  • Use a fixed plaintext of all zeros (1,048,576 bits);
  • Include a key block of all 1s;
  • Obtain 80 key blocks with a single bit set to 0 and the remaining 79 bits set to 1 (each bit position from 1 to 80);
  • Obtain 3160 key blocks with two bits set to 0 and the remaining 78 bits set to 1 (each possible combination of two bits within eighty bits).
Encrypt the fixed plaintext with each of the 3240 keys, resulting in corresponding ciphertext blocks of 1,048,576 bits (128 KB).
According to paper [25], we can determine that at a significance level of 0.01, if the sample consists of 128 sequences, the rejection rate should not exceed 4.657. For other sample sizes, the corresponding maximum number of rejections can be calculated. The parameter information is shown in Table 4.
Through the analysis of the 0/1 balance of the sequences, it can be concluded that the SC-SA scheme passed the randomness test, with the actual number of rejections being 0 in all tests.

4. Performance

RC4 is also a software-oriented stream cipher algorithm, consisting mainly of two components, S and K, which are generally composed of two 256-byte arrays. K serves as the key input for RC4 and is used to initialize S. If K is set to 80 bits, it will decrease the security of the RC4 cipher. To ensure the minimum security threshold for RC4, S and K should be of the same size. In the performance comparison below, both K and S in RC4 are 256 bytes.
Snow3G [26] is a stream cipher algorithm used in 4G mobile communication standards to protect data privacy and security in mobile communication. It is part of the 3GPP standard and is used in 3G and 4G communication standards, making it an important encryption algorithm in the field of mobile communication. Snow3G is used to generate a key stream, which is then XORed with plaintext data to achieve encryption. The key stream is a pseudo-random number sequence generated based on an initialization vector (IV) and a key, both filled in by the user, with both being 128 bits (16 bytes) in length. Therefore, Snow3G theoretically provides 128-bit security protection.
ZUC [27] is also a stream cipher algorithm primarily used in the field of mobile communication, especially in China’s 3G and 4G mobile communication standards. ZUC was originally designed for China’s mobile communication standards but was also submitted to the International Telecommunication Union (ITU) for global use. This makes it an international encryption algorithm and it has been applied in some international mobile communication standards. Similar to Snow3G, ZUC is used to generate a key stream for encrypting and decrypting data. The generation of the key stream depends on an initialization vector (IV) and a key. Similar to Snow3G, the ZUC key is 128 bits (16 bytes), and the initialization vector (IV) length is generally 64 bits (8 bytes). Therefore, ZUC can provide 128 bits of security protection regarding key length.
RC4, as a previously widely used encryption algorithm, has good performance on different platforms. Due to issues such as weak keys, some cryptographic algorithms have enhanced it, such as RC4+ [24] and other variant RC4 [28] algorithms.
These stream ciphers mentioned above, which are international protocol standards, are compared in terms of algorithm implementation in Figure 9. The memory usage of RC4 variant algorithms does not significantly differ from that of RC4 algorithms.
Like the other three algorithms, SC-SA also uses an S-box as the nonlinear component of the cipher algorithm. Both SC-SA and RC4 use an 8-bit substitution S-box, while the other two cipher algorithms employ two or more S-boxes. This results in significantly higher memory usage compared to SC-SA.
The performance of these six cryptographic algorithms was tested on different computing platforms. On the x86 platform, the Intel i5-12500H (Intel, made in China) was used, while the Qualcomm Snapdragon 410—which consists of four A53 cores—was used on the ARM platform, better representing IoT devices. The experimental results based on different platforms are shown in Figure 10, Figure 11, Figure 12 and Figure 13. In the line charts, the x-axis represents the size of the encrypted data and the y-axis represents the time required to encrypt data of that size.
Different platforms have different impacts on cryptographic algorithms. Snow3G does not have an implementation advantage under software conditions, whether on the x86 platform or the ARM platform. This is because, during its design, more consideration was given to hardware, neglecting the complexity of the implementation logic when implemented in software. The variant RC4 algorithm [28], in order to enhance the obfuscation capability of the key scheduling algorithm, embeds a loop, resulting in decreased performance.
Based on the comparison between different platforms, there is a demonstrated platform diversity between the variant RC4 and Snow3G. Snow3G has an advantage on the x86 platform, while the variant RC4 has an advantage on the ARM platform.
Table 5 and Table 6 show the time required by different encryption algorithms to encrypt files of various sizes on the ARM and x86 platforms, respectively.
The ratio of memory usage relative to algorithm implementation for SC-SA, RC4, Snow3G, and ZUC when outputting key streams of the same size is shown in Figure 14.
Through comparison, it can be observed that the cryptographic algorithm proposed in this paper demonstrates significant advantages in terms of performance and resource utilization compared to non-lightweight stream cipher algorithms and cryptographic algorithms not designed for software-oriented implementations. Additionally, it also exhibits clear advantages when compared to lightweight cryptographic algorithms designed for both software and hardware implementations, such as RC4.

5. Conclusions

SC-SA is a software-oriented, memory-optimized, lightweight stream cipher algorithm. It uses an 80-bit key for initialization to generate the key stream array, providing at least $2^{80}$ encryption strength. In RC4, the number of bytes used increases linearly with the key length. To reach the set security threshold, RC4 requires a longer key, but SC-SA can avoid this problem. Although RC4 has a slight advantage in terms of memory size dependency, SC-SA has certain advantages in efficiency and the memory resource usage ratio. The S-table in RC4 and the S-box in the SC-SA cipher algorithm serve similar roles in encryption and both have array-based data structures. However, due to concerns about the security of the S-box itself, this paper provides the S-box generation process. While both are algorithms for internal state changes in the S-box, users can choose to use third-party S-boxes without worrying about backdoors.

Author Contributions

Conceptualization: J.Y. and Y.C.; Methods: J.Y. and Y.C.; Software: Y.C.; Verification: J.Y. and Y.C.; Formal analysis: J.Y. and Y.C.; Investigation: Y.C.; Resources: Y.C.; Data Management: Y.C.; Writing—Manuscript preparation: J.Y. and Y.C.; Writing—Review and editing: Y.C.; Visualization: Y.C.; Supervise: J.Y.; Project Management: J.Y. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the National Natural Science Foundation of China, grant number 62162020, and the Science Project of Hainan University, grant number KYQD(ZR)20021.

Data Availability Statement

The original contributions presented in this study are included in the article; further inquiries can be directed to the corresponding author/s.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Luo, Y.; Chai, Q.; Gong, G.; Lai, X. A lightweight stream cipher WG-7 for RFID encryption and authentication. In Proceedings of the 2010 IEEE Global Telecommunications Conference GLOBECOM 2010, Piscataway, NJ, USA, 6–10 December 2010; pp. 1–6.
  2. David, M.; Ranasinghe, D.C.; Larsen, T. A2U2: A stream cipher for printed electronics RFID tags. In Proceedings of the 2011 IEEE International Conference on RFID, Orlando, FL, USA, 12–14 April 2011; pp. 176–183.
  3. Abdelraheem, M.A.; Borghoff, J.; Zenner, E.; David, M. Cryptanalysis of the light-weight cipher A2U2. In Proceedings of the Cryptography and Coding: 13th IMA International Conference, IMACC 2011, Oxford, UK, 12–15 December 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 375–390.
  4. Hell, M.; Johansson, T.; Meier, W. Grain: A stream cipher for constrained environments. Int. J. Wirel. Mob. Comput. 2007, 2, 86–93.
  5. De Canniere, C. Trivium: A stream cipher construction inspired by block cipher design principles. In International Conference on Information Security; Springer: Berlin/Heidelberg, Germany, 2006; pp. 171–186.
  6. Babbage, S.; Dodd, M. The Stream Cipher MICKEY 2.0. ECRYPT Stream Cipher, pp. 191–209. Available online: https://www.ecrypt.eu.org/stream/p3ciphers/mickey/mickey_p3.pdf (accessed on 5 August 2024).
  7. Bernstein, D.J.; Kölbl, S.; Lucks, S.; Massolino, P.M.C.; Mendel, F.; Nawaz, K.; Schneider, T.; Schwabe, P.; Standaert, F.-X.; Todo, Y. Gimli: A cross-platform permutation. In Proceedings of the Cryptographic Hardware and Embedded Systems–CHES 2017: 19th International Conference, Taipei, Taiwan, 25–28 September 2017; Springer International Publishing: Berlin/Heidelberg, Germany, 2017; pp. 299–320.
  8. Bernstein, D.J. The Salsa20 family of stream ciphers. In New Stream Cipher Designs: The eSTREAM Finalists; Springer: Berlin/Heidelberg, Germany, 2008; pp. 84–97.
  9. Bernstein, D.J. ChaCha, a variant of Salsa20. Workshop Record of SASC; 2008; Volume 8, No. 1, pp. 3–5. Available online: https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=3599e1409c41e31b1f0be7f7c74c179b89f8443b (accessed on 5 August 2024).
  10. Kholidy, H.A. Towards a scalable symmetric key cryptographic scheme: Performance evaluation and security analysis. In Proceedings of the 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS), Riyadh, Saudi Arabia, 1–3 May 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1–6.
  11. Yoshida, H. An AEAD Variant of the Grain Stream Cipher. In Proceedings of the Codes, Cryptology and Information Security: Third International Conference, C2SI 2019, Rabat, Morocco, 22–24 April 2019; Proceedings-In Honor of Said El Hajji. Springer: Berlin/Heidelberg, Germany, 2019; Volume 11445, p. 55.
  12. Xiao, D.; Liang, J.; Ma, Q.; Xiang, Y.; Zhang, Y. High capacity data hiding in encrypted image based on compressive sensing for nonequivalent resources. Comput. Mater. Contin. 2019, 58, 1–13.
  13. Jiao, L.; Hao, Y.; Feng, D. Stream cipher designs: A review. Sci. China Inf. Sci. 2020, 63, 131101.
  14. Liu, Z.; Wang, Y.; Zhao, Y.; Zhang, L.Y. A stream cipher algorithm based on 2D coupled map lattice and partitioned cellular automata. Nonlinear Dyn. 2020, 101, 1383–1396.
  15. Tanizawa, K.; Futami, F. Digital coherent PSK Y-00 quantum stream cipher with 217 randomized phase levels. Opt. Express 2019, 27, 1071–1079.
  16. Futami, F.; Tanizawa, K.; Kato, K. Y-00 quantum-noise randomized stream cipher using intensity modulation signals for physical layer security of optical communications. J. Light. Technol. 2020, 38, 2774–2781.
  17. Khedr, W.I. A new efficient and configurable image encryption structure for secure transmission. Multimedia Tools Appl. 2019, 79, 16797–16821.
  18. Ding, Y.; Tan, F.; Qin, Z.; Cao, M.; Choo, K.K.R.; Qin, Z. DeepKeyGen: A deep learning-based stream cipher generator for medical image encryption and decryption. IEEE Trans. Neural Netw. Learn. Syst. 2021, 33, 4915–4929.
  19. La Scala, R.; Pintore, F.; Tiwari, S.K.; Visconti, A. A multistep strategy for polynomial system solving over finite fields and a new algebraic attack on the stream cipher Trivium. arXiv 2024, arXiv:2304.07820.
  20. Liu, S.; Wei, S.; Wang, W.; Lei, C.; Liu, T.; Li, Y.; Li, Y.; Ge, D.; Wang, D.; Zhao, Y.; et al. Security Enhancement of Quantum Noise Stream Cipher Based on Probabilistic Constellation Shaping. arXiv 2024, arXiv:2305.09152.
  21. Cid, C.; Indrøy, J.P.; Raddum, H. FASTA—A stream cipher for fast FHE evaluation. In Cryptographers’ Track at the RSA Conference; Springer International Publishing: Cham, Switzerland, 2022; pp. 451–483.
  22. Siahaan, A.P.U. An Overview of the RC4 Algorithm. 2017. Available online: https://osf.io/preprints/inarxiv/svufd (accessed on 5 August 2024).
  23. Zahid, A.H.; Arshad, M.J.; Ahmad, M. A Novel Construction of Efficient Substitution-Boxes Using Cubic Fractional Transformation. Entropy 2019, 21, 245.
  24. Maitra, S.; Paul, G. Analysis of RC4 and proposal of additional layers for better security margin. In Proceedings of the Progress in Cryptology-INDOCRYPT 2008: 9th International Conference on Cryptology in India, Kharagpur, India, 14–17 December 2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 27–39.
  25. Soto, J. Randomness Testing of the Advanced Encryption Standard Candidate Algorithms; US Department of Commerce, Technology Administration, National Institute of Standards and Technology: Washington, DC, USA, 1999.
  26. Orhanou, G.; El Hajji, S.; Bentaleb, Y. SNOW 3G stream cipher operation and complexity study. Contemp. Eng. Sci.-Hikari Ltd 2010, 3, 97–111.
  27. Yang, J.; Johansson, T.; Maximov, A. Spectral analysis of ZUC-256. Cryptology ePrint Archive. 2019. Available online: https://eprint.iacr.org/2019/1352.pdf (accessed on 5 August 2024).
  28. Sagheer, A.M.; Searan, S.M.; Salih, S.S. Developing RC4 Algorithm Using S-Box of Advanced Encryption Standard Cipher. Int. J. Comput. Digit. Syst. 2018, 7, 207–214.
Figure 1. Diagram of the initial key padding process.
Figure 2. Round Function (RF) logic diagram.
Figure 3. Update Vector Function (UVF) logic diagram.
Figure 4. The random S-box generation process.
Figure 5. The S-box generation process.
Figure 6. The selected 8 × 8 S-box.
Figure 7. Probability of swapped positions.
Figure 8. Avalanche test flowchart.
Figure 9. The comparison of memory usage.
Figure 10. The comparison of time consumption on x86.
Figure 11. The comparison of time consumption on x86 partially.
Figure 12. The comparison of time consumption on ARM.
Figure 13. The comparison of time consumption on ARM partially.
Figure 14. The comparison of efficiency.
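Table 1. Randomness test results.

| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | C9 | C10 | p-Value | Proportion | Statistical Test |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 11 | 10 | 8 | 12 | 14 | 11 | 8 | 9 | 9 | 8 | 0.935716 | 99/100 | Frequency |
| 14 | 8 | 13 | 5 | 13 | 14 | 9 | 5 | 11 | 8 | 0.275709 | 99/100 | BlockFrequency |
| 8 | 16 | 9 | 12 | 10 | 8 | 12 | 12 | 5 | 8 | 0.474986 | 99/100 | CumulativeSums |
| 11 | 12 | 7 | 8 | 9 | 8 | 8 | 15 | 11 | 11 | 0.798139 | 100/100 | Runs |
| 12 | 8 | 10 | 10 | 12 | 13 | 6 | 9 | 9 | 11 | 0.911413 | 99/100 | LongestRun |
| 15 | 10 | 9 | 9 | 14 | 13 | 9 | 7 | 6 | 8 | 0.514124 | 98/100 | Rank |
| 11 | 12 | 7 | 11 | 5 | 13 | 11 | 12 | 14 | 4 | 0.304126 | 99/100 | FFT |
| 9 | 13 | 6 | 9 | 13 | 9 | 13 | 7 | 8 | 13 | 0.657933 | 99/100 | NonOverlappingTemplate |
| 14 | 13 | 5 | 10 | 7 | 10 | 11 | 9 | 14 | 7 | 0.474986 | 99/100 | OverlappingTemplate |
| 9 | 19 | 6 | 12 | 16 | 6 | 7 | 9 | 11 | 5 | 0.025193 | 99/100 | Universal |
| 16 | 13 | 6 | 7 | 10 | 8 | 13 | 8 | 13 | 6 | 0.262249 | 98/100 | ApproximateEntropy |
| 6 | 4 | 6 | 8 | 5 | 6 | 5 | 9 | 7 | 5 | 0.941144 | 61/61 | RandomExcursions |
| 6 | 9 | 7 | 5 | 3 | 7 | 6 | 7 | 5 | 6 | 0.922036 | 61/61 | RandomExcursionsVariant |
| 9 | 11 | 11 | 11 | 9 | 8 | 8 | 10 | 13 | 10 | 0.987896 | 100/100 | Serial |
| 13 | 12 | 8 | 6 | 9 | 12 | 14 | 9 | 12 | 5 | 0.494392 | 99/100 | LinearComplexity |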
Table 2. Avalanche test results.

| Probability | Less than 49% | 49~49.5% | 49.5~50.5% | 50.5~51% | Greater than 51% |
|---|---|---|---|---|---|
| Num | 0 | 1438 | 7213 | 1349 | 0 |
| Proportion | 0% | 14.28% | 72.13% | 13.49% | 0% |
Table 3. Differential probability after iteration.

| R | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Active S-boxes | 1 | 5 | 9 | 13 | 17 |
| DP | $10 \times 2^{-8}$ | $2^{-41.206}$ | $2^{-109.625}$ | $2^{-209.925}$ | $2^{-341.849}$ |
Table 4. Randomness testing parameters.

| Data Category | Sample Size/Sequence Length | The Maximum Number of Rejections |
|---|---|---|
| 80-Bit Key Avalanche | 6400/1,048,576 | 87.86 |
| Random Plaintext and Random 80-Bit Keys | 128/1,048,576 | 4.65 |
| Low-Density 80-Bit Keys | 3240/1,048,576 | 49.38 |
| High-Density 80-Bit Keys | 3240/1,048,576 | 49.38 |
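Table 5. ARM performance results.

| Size (Byte) | SC-SA (ms) | RC4 [22] (ms) | RC4+ [24] (ms) | ZUC [27] (ms) | Variant-RC4 [28] (ms) | Snow3G [26] (ms) |
|---|---|---|---|---|---|---|
| 1 K | 0 | 0 | 0 | 0 | 12 | 10 |
| 100 K | 27 | 10 | 32 | 38 | 908 | 867 |
| 200 K | 55 | 20 | 66 | 73 | 1812 | 1720 |
| 400 K | 102 | 41 | 98 | 135 | 3618 | 3427 |
| 800 K | 191 | 79 | 188 | 257 | 7233 | 6866 |
| 1600 K | 369 | 145 | 333 | 501 | 14,462 | 13,674 |
| 3200 K | 726 | 279 | 699 | 989 | 28,920 | 27,395 |
| 6.25 M | 1439 | 546 | 1388 | 1966 | 57,838 | 54,751 |
| 12.5 M | 2865 | 1078 | 2780 | 3917 | 115,674 | 109,308 |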
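Table 6. x86 performance results.

| Size (Byte) | SC-SA (ms) | RC4 [22] (ms) | ZUC [27] (ms) | RC4+ [24] (ms) | Snow3G [26] (ms) | Variant-RC4 [28] (ms) |
|---|---|---|---|---|---|---|
| 1 K | 0 | 0 | 1 | 0 | 0 | 0 |
| 100 K | 0 | 0 | 3 | 0 | 62 | 47 |
| 200 K | 0 | 0 | 8 | 0 | 125 | 109 |
| 400 K | 0 | 0 | 15 | 0 | 219 | 203 |
| 800 K | 2 | 2 | 16 | 7 | 435 | 407 |
| 1600 K | 7 | 7 | 31 | 10 | 938 | 828 |
| 3200 K | 15 | 15 | 47 | 16 | 1969 | 1640 |
| 6.25 M | 31 | 31 | 94 | 47 | 3750 | 3266 |
| 12.5 M | 78 | 47 | 188 | 94 | 7813 | 6484 |
| 25 M | 172 | 109 | 375 | 156 | 14,844 | 12,985 |
| 50 M | 344 | 203 | 703 | 329 | 31,157 | 26,172 |
| 100 M | 688 | 437 | 1531 | 657 | 63,907 | 52,906 |
| 200 M | 1390 | 828 | 3037 | 1296 | 122,376 | 106,500 |
| 400 M | 2750 | 1641 | 6032 | 2609 | 240,752 | 216,297 |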