IoT Edge Device Security: An Efficient Lightweight Authenticated Encryption Scheme Based on LED and PHOTON

Abstract

IoT devices and embedded systems are deployed in critical environments, emphasizing attributes like power efficiency and computational capabilities. However, these constraints stress the paramount importance of device security, stimulating the exploration of lightweight cryptographic mechanisms. This study introduces a lightweight architecture for authenticated encryption tailored to these requirements. The architecture combines the lightweight encryption of the LED block cipher with the authentication of the PHOTON hash function. Leveraging shared internal operations, the integration of these bases optimizes area–performance tradeoffs, resulting in reduced power consumption and a reduced logic footprint. The architecture is synthesized and simulated using Verilog HDL, Quartus II, and ModelSim, and implemented on Cyclone FPGA devices. The results demonstrate a substantial 14% reduction in the logic area and up to a 46.04% decrease in power consumption in contrast to the individual designs of LED and PHOTON. This work highlights the potential for using efficient cryptographic solutions in resource-constrained environments.

1. Introduction

With the ongoing advancement of embedded systems and semiconductor technology, new devices are getting smaller and faster and consuming less power. This has led to the development of the Internet of Things (IoT) [1], whereby many “things” in our real lives are connected to the internet and to each other. These current technologies are stimulating the Fourth Industrial Revolution (Industry 4.0), in which industries have started to embrace the IoT in their industrial operations, forming the so-called Industrial IoT (IIoT). These things enhance the automation of operations in the industry by utilizing hardware and mechanical components to interact with the physical world, making them vulnerable to threats and cyber-attacks. They are usually deployed in critical infrastructures where attacks may lead to damage and casualties. Attackers might steal confidential data, slow production operations, or even interrupt and stop entire operations, as happened with the Stuxnet attack [2]. Therefore, securing IIoT edge devices is a high priority and should be taken seriously, starting from the design phase. Cryptographic primitives are often used to fortify embedded system devices during transmission and communication by ensuring the confidentiality and integrity of data, as well as guaranteeing access control, authentication, and non-repudiation [3]. Researchers have developed security protocols in computer networks and other embedded systems based on proven symmetric and asymmetric cryptographic frameworks [4]. However, IIoT edge devices normally have limited resources and power and do not have the computing resources required to handle conventional cryptographic algorithms. Their limited capabilities necessitate the need for lightweight and compact cryptographic schemes [5,6].

The field of lightweight cryptography (LWC) investigates the integration of cryptographic primitives into constrained devices [7]. LWC balances the tradeoffs of cost, energy consumption, performance, and security [7,8] to provide lightweight ciphers that consume low amounts of power and achieve an acceptable level of security. Researchers have also proposed lightweight crypto engines by reducing the complexity of the conventional algorithms, but these have the drawback of reduced security [9]. For devices with limited capabilities, energy-efficient algorithms that perform well in hardware are much more appropriate [10]. A reduction in hardware chips (Gate Equivalents—GE) is imperative in LWC as it is directly proportional to the cost and the power consumption.

Cryptography can be asymmetric (public key) or symmetric (secret key). The latter guarantees data confidentiality, integrity, and authenticity by utilizing an authentication protocol. For LWC, block ciphers are the most widely used for encryption (confidentiality) as the data can be processed in blocks rather than bit streaming. For data integrity and authenticity, hash functions are commonly used by forming message authentication codes (MACs). They take a plain message as the input and produce a fixed-length tag. For more advanced functionality, ciphers and integrity mechanisms are integrated to form authenticated encryption (AE).

Lightweight edge devices such as the Internet of Things (IoT) have been widely used in recent years either for monitoring or controlling. The incremental usage of these devices raises concerns regarding the security of the data passing through these devices. Cryptographers and cryptanalysts encounter major challenges due to the rapid spread of lightweight devices, needing to safeguard their data where these devices are installed in different critical environments. These devices usually have resource constraints. Therefore, lightweight cryptographic primitives must be integrated with these devices to ensure their security and authenticity.

Lightweight block ciphers are cryptographic primitives that utilize small design spaces and Gate Equivalents (GE). The literature defines “lightweight” as ciphers utilizing less than 3000 GE [10]. Lightweight block ciphers are mainly intended for devices that have limited computation capabilities, low power, and small footprints. The ubiquitous spread of IoT and other constrained devices has increased the demand for LWC security solutions. LWC should be designed with constraints, while maintaining a certain level of security. LWC designers must balance security and the limited resources of the constrained devices. A tradeoff between security, cost, and performance should be considered when designing any lightweight cryptographic primitive [7], as illustrated in Figure 1.

Cryptographic hardware architectures entail tradeoffs between the security level, system performance, and cost. Parallel architecture provides high performance but, in turn, increases the cost. On the other hand, serial architecture has low costs, but the system performance is degraded. The length of the secret key in the cryptographic algorithms reflects the tradeoff of security versus cost. A longer key increases the security of the system but also raises the cost because more resources are utilized. Meanwhile, reducing the key length helps to reduce the cost but lowers the level of security too. In addition, rounds in cryptographic algorithms affect the system’s performance and security. A higher number of rounds guarantees a higher level of security but reduces the throughput of the system. In contrast, reducing the number of rounds increases the system performance but reduces the security level.

Confidentiality can be guaranteed using block and stream ciphers where only authorized entities can access the message. However, encryption ciphers do not guarantee the tampering of the encrypted message will not occur [11]. Authenticated encryption (AE) schemes can overcome this problem and provide authenticity and integrity to the message on top of the confidentiality provided by the encryption cipher.

The AE can be extended to encompass some additional non-encrypted data, as in a network packet header, where both the payload and the header are authenticated but encryption is applied only to the payload.

In IPsec and transport layer security (TLS), AE techniques are commonly employed. As of August 2018, the current version of TLS no longer supports non-AE algorithms like AES in cipher block chaining (CBC) mode, although end-to-end encryption is provided by such techniques in popular messaging applications.

Three separate common methods referred to as generic composition are used to create authenticated encryption schemes [12]. The order of the encryption and authentication activities varies between these methods. The first composition, encrypt-then-MAC (EtM), is a sequential encryption and authentication. It begins with the encryption of the message followed by the authentication of the encrypted version of the message. The second composition, encrypt-and-MAC (E&M), is a concurrent encryption and authentication method whereby encryption and authentication are carried out independently for the original input messages. The third composition, MAC-then-encrypt (MtE), refers to the use of authentication then encryption. Initially, it computes a MAC for the message, then encrypts both the resulting MAC tag and the original message in combination.

When examined from numerous security perspectives, most of the current AE techniques are weak. Generic composition approaches have been subjected to a number of security attacks, and EtM proved to be the most secure [12,13].

In industries and other critical environments, the deployed devices encounter resource limitations, lacking the necessary computation and communication capabilities. Despite these conditions, and the insufficiency of the conventional cryptographic algorithms, it is important to guarantee security for these devices. Several surveys, as referenced in [11,14,15,16,17,18], have been conducted to address the importance of information protection within lightweight devices. There are several works related to the single-architecture design related to LED block ciphers [19,20,21,22,23,24,25] and the PHOTON hash function [19,23,26,27,28,29,30]. These designs were synthesized on different hardware platforms and targeting different optimization goals. Several authenticated encryption architectures based on different composition methods were presented, including the latest designs in [10,21,31,32,33,34,35]. However, some of them were synthesized and simulated on different platforms and others consume large amounts of logic resources when composing the encryption with the authentication.

The work in [10] integrated the PRESENT block cipher [36] and the SPONGENT hash function [37] to construct an authenticated encryption. Both PRESENT and SPONGENT were designed by the same group with similar permutation functions. Therefore, the authors of [10] achieved a good reduction rate of logic resources by sharing the common functions within both primitives. However, they implemented their design in ASIC and reported their results in Gate Equivalent. Additionally, their design resulted in a very low operating frequency and throughput.

The authors of [21,31] presented an authenticated encryption composed of an LED block cipher [38] and a PHOTON hash function [39], with the objective of reusing the common datapath functions and reducing the footprints. They achieved a considerable operating frequency and throughput; however, they could share only small parts of the datapath and achieved a low reduction rate of the footprints. Additionally, they implemented their design on Xilinx FPGA and reported their results in Slices.

The work reported in [33] utilized the AES block cipher with an Offset Tow Round (OTR) to create an authenticated encryption. They implemented their design on Altera Startix FPGA from the Virtex family. They achieved high speeds and reduced the logic resource utilization to almost half of the original architecture design. However, their reduced architecture design is still considered high when compared to other proposals.

The authors of [34,35] introduced an authentication framework for smart homes and industrial environments. They utilized Ascon authenticated encryption with a hash function to construct their architecture, as referenced in [34], and an AEAD encryption algorithm with a hash function, as referenced in [35]. However, their design was implemented on software and their results were reported based on the computational, communication, and storage costs.

The work reported in [40] introduced a new proposal of authenticated encryption submitted to the NIST. The work was implemented on Xilinx FPGA Sparta 6. They achieved higher speeds but at the cost of larger footprints, even compared to their competitors’ proposals.

In this study, an authenticated encryption (AE) architecture is proposed that aims to reduce its footprint compared to other existing AE architectures. This is accomplished by employing the most minimal versions of the LED block cipher (LED-64) and the PHOTON hash function (PHOTON-80/20/16) and sharing similar resources between the two. The round-dependent constants generated by the linear feedback shift register (LFSR) serve a dual purpose: they control the permutation rounds and the multiplexer selectors. Furthermore, employing look-up tables (LUTs) in place of Galois multiplications decreases the computational intensity of the MixColumns matrices, leading to the reduced utilization of logical resources. These shared resources, combined with the use of LFSR and LUTs, make a substantial impact in terms of minimizing the logic resources needed for the architecture of the AE (authenticated encryption).

Paper Organization

The first section of this paper introduces the background of lightweight cryptography and authenticated encryption, followed by an analysis of the related work in the same section. In Section 2, we provide a detailed explanation of the algorithm of the LED block cipher and PHOTON hash function, as well as their individual implementation. The design procedure of the proposed authenticated encryption is provided in Section 3, as well as the implementation of hardware architecture for the authenticated encryption, and a summary of the hardware resource utilization. Section 4 contains the results and a discussion of the proposed authenticated encryption. It discusses the outcomes of the simulation and resource utilization and benchmarking with the available related work. Finally, the summary and conclusions and the paper’s key findings are provided in Section 5.

2. Algorithm and Implementation

A design for a composite authenticated encryption system is proposed. It combines encryption by an LED block cipher with authentication by the PHOTON hash function. The primary objective of the design is to reduce the logic area utilization; thus, the variants with the smallest sizes of the LED and PHOTON were selected. We present a lightweight authenticated encryption (AE) architecture based on the primitives in Section 2.1 and Section 2.2 with generic EtM composition.

The design utilizes the shared logic resources for reusability. The internal permutation functions are designed using Verilog HDL and synthesized on several families of Altera FPGAs. The design tools of Altera Quartus II and ModelSim are used for the synthesis and simulation.

2.1. LED-64 Block Cipher

An LED-64 block cipher [38] is a lightweight symmetric security primitive, the structure and mathematical operations of which are based on the substitution permutation network (SPN). It has a 64-bit input block, 32 permutation rounds, a 64-bit encryption key, and a 64-bit output ciphertext. The arrangement of the input in the state is organized in a 4 × 4 row-based matrix. Each cell of the matrix has a 4-bit nibble within the Galois Field (GF) (2⁴) with the irreducible polynomial function of X⁴ + X + 1 (10011). The round permutation function of the LED is an AES-like function, where there are four operations in every round; these are processed sequentially, as shown in Figure 2.

The architecture of the LED is designed in a round-based mode. Figure 3 shows the architecture of LED-64 block cipher. P refers to the original input message—plaintext. K is the encryption key, STR is the state register, AC is the AddConstant block, SC is the SubCells block, SR is the ShiftRows block, MC is the MixColumns block, RC is the round constants block, and C is the output ciphertext. The input message is XORed with the encryption key after every 3 rounds for 32 rounds. Figure 4 illustrates the control flow of the encryption operation. In the first round, the input is XORed with the encryption key, and, in rounds 1, 5, 9, 13, 17, 21, 25 and 29, the output of the MC block is XORed with the key. Meanwhile, in the other rounds, the output of the MC is loaded directly to the STR register. The STR register is updated every round to hold the updated state matrix. The round constants are generated by the RC block where the RC feeds the AC and controls the inputs to STR.

2.1.1. AddConstants (AC)

AC modifies the first two columns of the state matrix. These columns are XORed with pre-defined constants. The first column is XORed with an 8-bit integer that represents the encryption key size and is denoted by (ks₇–ks₀). A 6-bit round-dependent constant (RC5 to RC0) is produced by LFSR and XORed with the second column of the state matrix. It is initialized with zeros at the beginning and updated every round, where RC0 is the result of (RC5⊕RC4⊕1). The matrix below shows the variables to be XORed with the first two columns of the state, whereas the other columns are kept unchanged. The values of the key size bits are represented by inverting the corresponding bits instead of using XOR operations.

$$\left(\begin{array}{cccc}{ks}_7\parallel {ks}_6\parallel {ks}_5\parallel {ks}_4& 0\parallel {RC}_5\parallel {RC}_4\parallel {RC}_3& 0000& 0000\\ {ks}_7\parallel {ks}_6\parallel {ks}_5\parallel {ks}_4⨁1& 0\parallel {RC}_2\parallel {RC}_1\parallel {RC}_0& 0000& 0000\\ {ks}_3\parallel {ks}_2\parallel {ks}_1⨁1\parallel {ks}_0& 0\parallel {RC}_5\parallel {RC}_4\parallel {RC}_3& 0000& 0000\\ {ks}_3\parallel {ks}_2\parallel {ks}_1⨁1\parallel {ks}_0⨁1& 0\parallel {RC}_2\parallel {RC}_1\parallel {RC}_0& 0000& 0000\end{array}\right)$$

2.1.2. SubCells (SC)

SC obscures the relationship between the utilized encryption key and the resulting ciphertext. LED reutilize the substitution box presented in PRESENT block cipher [36]. The SC process is a non-linear operation represented by look-up tables (LUTs). All the cells of the internal state matrix are matched and swapped with the corresponding values from the substitution box, as shown in

Table 1. Substitution box of the PRESENT cipher.

X	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
S[x]	C	5	6	B	9	0	A	D	3	E	F	8	4	7	1	2

.

2.1.3. ShiftRows (SR)

SR shifts all the matrix rows (R0, R1, R2, R3) to the left by the value of the respective indices. The first row R0, indexed with 0, is unmodified. Row R1 is shifted one cell to the left, row R2 is shifted two cells to the left, and the last row, R3, is shifted three cells to the left. SR is a wire shift, whereby it does not consume logic resources.

2.1.4. MixColumns (MC)

MC, in addition to SR, provides data diffusion. Every column in the state matrix undergoes an individual multiplication with a specified matrix shown in Equation (1):

$$M=\left(\begin{array}{cccc}4& 1& 2& 2\\ 8& 6& 5& 6\\ B& E& A& 9\\ 2& 2& F& B\end{array}\right)$$

(1)

The MC operation requires a significant amount of logic resources due to the multiplication involved in the matrix calculation. However, the intensive computation of the column multiplication is replaced by functions of LUTs.

2.2. PHOTON Hash Function

The PHOTON hash function [39] is a lightweight security primitive designed for low-resource devices. It has a sponge-based construction, as shown in Figure 5, and its permutation function is an AES-like function, following the SP network shown in Figure 6. Sponge construction has two phases: the absorbing phase and the squeezing phase. The original input message is fully absorbed by the absorbing phase whereas the output hash is produced by the squeezing phase.

PHOTON-80/20/16 has an output hash size (n) of 80 bits, an input rate (r) of 20 bits, an output rate (r′) of 16 bits, and a (5 × 5) state matrix size (t) of 100 bits with a 4-bit cell size (s). Figure 7 shows the architecture of this variant of the PHOTON hash function. M is the input message, IV is the initialization vector, and h is the output hash. It takes 12 rounds for the absorbing phase for each 20-bit absorbed message, and another 12 rounds for the squeezing phase for each 16-bit squeezed output, as shown in the sponge construction in Figure 5 and the PHOTON control flow in Figure 8. Each cell within the matrix corresponds to an element from the Galois field GF (2⁴) with the irreducible polynomial X⁴ + X + 1.

2.2.1. AddConstants (AC)

The AC operation only affects the first column of the state matrix. There are two constants with values that depend on the permutation round and the matrix dimensions. The round constant (RC) changes with the round sequences. It is a four-bit constant generated from an initialized LFSR, as shown in

Table 2. Round dependents for PHOTON-80/20/16.

	NR	1	2	3	4	5	6	7	8	9	10	11	12
Row
1		1	3	7	E	D	B	6	C	9	2	5	A
2		0	2	6	F	C	A	7	D	8	3	4	B
3		2	0	4	D	E	8	5	F	A	1	6	9
4		7	5	1	8	B	D	0	A	15	4	3	12
5		5	7	3	A	9	F	2	8	D	6	1	E

. The other constant is the internal constant (IC_d), which depends on the size of the matrix dimensions. For PHOTON-80/20/16, the internal constant is ${IC}_d=[0,1,3,6,4]$. These two constants are XORed only with the cells of the first column of the state matrix.

2.2.2. SubCells (SC)

The SC obscures the correlation of the encryption key and the output ciphertext nonlinearly. The substitution box of the PRESENT block cipher [36] is reused by the LED. Each cell of the internal state matrix is matched and replaced by its corresponding value from the substitution box, as illustrated in Table 1.

2.2.3. ShiftRows (SR)

SR shifts all the matrix rows (R1, R2, R3, R4, and R5) to the left by respective defined indices. The first row (R0, indexed with 0) remains unchanged, R1 is shifted one position, R2 is shifted two positions, R3 is shifted three positions, and R4 is shifted four positions. SR is a wire shift, whereby it does not consume many logic resources.

2.2.4. MixColumns (MC)

MC enhances the property of diffusion in addition to SC. MC is designed in parallel instead of using the serialized pre-defined matrix. All the columns of the state matrix are multiplied separately with the defined 5 × 5 matrix shown in Equation (2):

$$A_{100}=\left\{\begin{array}{ccccc}1& 2& 9& 9& 2\\ 2& 5& 3& 8& D\\ D& B& A& C& 1\\ 1& F& 2& 3& E\\ E& E& 8& 5& C\end{array}\right\}$$

(2)

MC requires significant logic resources due to the finite multiplications performed on the matrices. The intensive computation of the column multiplication is replaced by functions of LUTs.

3. LED–PHOTON AE Implementation

The proposed authenticated encryption scheme makes use of shared resources between the block cipher (LED) and the hash function (PHOTON). The encryption process is followed by a MAC process using the generic method of encrypt-then-MAC. The processing begins by resetting the registers of the state (STR) and the selector (LP), and initializing the round constants register (RC) by using a suitable value from the LFSR. RC is utilized to count the round indices of the permutation in both primitives (LED and PHOTON). STR holds the input values to the state matrix. LP is the selector used for performing LED encryption followed by PHOTON authentication. The encryption process begins when LP is set to one; it carries out all four permutation blocks and generates the output ciphertext while also taking advantage of shared resources with the permutation operations of PHOTON. Once the plaintext encryption is completed and the ciphertext is generated, LP is set and the authentication of the ciphertext begins. PHOTON applies authentication to the ciphertext generated by the LED. The permutation operation of PHOTON is processed while sharing the possible resources with the LED. The round count of the permutation operation is controlled by the LFSR. Figure 9 illustrates the block diagrams for the top-level design, and Figure 10 illustrates the arithmetic state machine, of the proposed authenticated encryption architecture.

The design of the LED block cipher architecture is inherited from the PHOTON hash function, as they are produced by the same group. The internal permutation structure for both LED and PHOTON is an AES-like structure following the substitution permutation network (SPN). Therefore, the LED–PHOTON authenticated encryption (AE) process has some similarities within the permutation modules. The similarity between LED and PHOTON permutation functions is exploited to reduce the logic area utilization.

The LED block cipher applies the encryption to the input message. The architecture of the individual design of LED-64 is shown in Figure 3. The processing of the LED begins by XORing the input plaintext (P) with the encryption key (K), and the output is loaded to the state register (STR) to be processed in the permutation blocks. This XOR operation of K and P is repeated every four rounds. The round constants (RCs) are fed every round to control the XOR and permutation operations, whereas the STR register is updated every round to hold the current state values. Once the STR is loaded, the state is passed through the permutation blocks for the main encryption operations. The output ciphertext is generated after 32 rounds of permutation functions.

The PHOTON hash function performs the authentication process on the ciphertext encrypted by the LED. The architecture of the individual design of PHOTON-80/20/16 is shown in Figure 7. Four 20-bit input messages are considered, because the input to PHOTON is the 64-bit ciphertext from LED. The 64-bit input is padded with zeros to form a multiple of 20 to be absorbed by the sponge construction. The operation of PHOTON begins by XORing the 20 most significant bits of the initialization vector (IV) with the input message (M) and concatenating the result with the 80 least significant bits of IV and loading it to the STR register. The state matrix is passed through the permutation blocks for the main authentication operations. The RC controls the selections of the multiplexers and permutation rounds. The output hash function is generated after 48 rounds for the absorbing phase and 60 rounds for the squeezing phase to absorb the 64-bit input message and squeeze the 80-bit hash output.

For the proposed AE scheme of LED–PHOTON, the design of the internal state follows PHOTON because it has a larger state size than LED. Thus, the state size is 100 bits organized in a 5 × 5 matrix. As in a substitution permutation network, the permutation function consists of four operations: AddConstants (AC), SubstitutionBox (SB) or SubCells (SC), ShiftRows (SR), and MixColumns (MC).

3.1. AddConstants (AC)

The Add Constants (AC) operation in the authenticated encryption architecture partially modifies the internal state matrix according to the specific algorithm of the cryptographic primitive. In LED, the AC permutation involves XOR operations for the first two columns, while the other two columns remain unchanged. The first column is XORed with an eight-bit key-size representation constant, whereas the second column is XORed with a six-bit round constant generated from LFSR. Meanwhile, the AC operation in PHOTON applies modification only to the first column by XORing a four-bit LFSR-generated round constant and a predefined internal constant. The Add Constants modules of LED and PHOTON partially share the logic resources and reuse several XOR operations. To minimize the number of XOR gates, the high bit of the key size representation in LED is inverted instead of using an XOR operation, and the XOR operation in the LFSR of PHOTON is converted to XNOR. The bits of various rows in PHOTON are flipped to reduce the number of XOR gates in the Add Constants module. The first row, Row 0, is produced by flipping specific bits of rows 1–4, namely, the least significant bit (b₀) of row 1, the two least significant bits of row 2 (b₁ b₀), the two mid-bits of row 3 (b₂ b₁), and the third bit of the last row (b₂). The round constants in each row are equal to the round constants in the first row after being XORed with their respective internal constants.

3.2. SubCells (SC)

SCs modify the internal state in a nonlinear manner. The same substitution box (PRESENT) [36] is employed by both LED and PHOTON. The non-linear values of the substitution box replace the equivalent cells of the state matrix, as shown in Table 1. Since the same confusion technique is utilized by both LED and PHOTON with the same substitution box, the SubCells modules are fully shared.

3.3. ShiftRows (SR)

SR is the third permutation operation in the SPN (substitution–permutation network) structure. LED and PHOTON apply similar operations, whereby all the rows in the matrix are rotated to the left based on their index values. The first row, indexed with 0, remains unchanged, while all the other rows are rotated according to the respective positions. The SR modules of LED and PHOTON are partially shared, but they do not take up a significant amount of the logic area as they are just a simple wire shift. There are some mismatched matrix cells for two modules when shifting the rows. Therefore, separate multiplexers were used to match these matrix cells.

3.4. MixColumns (MC)

MC is the final permutation operation in the SPN structure. This operation works in conjunction with the ShiftRows function to ensure data diffusion. For both LED and PHOTON, an algorithm-specific pre-defined matrix is multiplied with each row of the state matrix. Although the structure of the LED’s MC operation is inherited from PHOTON, the size of the internal matrix state and the pre-defined matrices are different. The columns of the state in LED are multiplied by a 4 × 4 matrix, shown in Equation (1), while the columns in PHOTON are multiplied by a 5 × 5 matrix, shown in Equation (2).

The MixColumns operations in LED and PHOTON share some of the logic resources. The output of the MC is generated by feeding the input into a 100-bit LUT to obtain the relevant multiplication values for the particular cipher.

3.5. Summary of Resource Reusability

The authenticated encryption architecture being proposed leverages the common logic resources shared by both the LED block cipher and the PHOTON hash function. The state matrices of both primitives are merged into a unified 100-bit register in the authenticated encryption shared architecture.

In the AddConstants module, part of the internal state is directly modified using XOR operations. The sharing ability reduces the number of XOR gates used in this module by half. The four-bit LFSR of PHOTON is considered a part of the six-bit LFSR of LED, as it takes its four LSB bits. Therefore, these two LFSRs are combined into one. For the SubCells module, since it is generated from the same substitution box for both LED and PHOTON, it may be used by both, with the exception that LED’s state is now 100 bits long rather than 64 bits long, to match PHOTON. The ShiftRows module is applied to both LED and PHOTON but, since the number of cells in the state is not the same for LED and PHOTON, there are some mismatched cells, and they are treated individually. Therefore, the ShiftRows module is partially shared. MixColumns, on the other hand, consumes more logic resources than the other modules, even though look-up tables are used to replace the finite intensive multiplications. Since the sizes of the state matrices and pre-defined matrices are not the same for LED and PHOTON, the two modules are not fully merged. However, some similar cells of the pre-defined matrices were exploited to reuse the mask for the LUTs. Generally, the similarity of the operations and the network structure between the LED block cipher and the PHOTON hash function allows for the reusability of the logic resources.

4. Results and Discussion

Modules related to cryptography are among the highest in terms of logic resources consumption compared to other modules in IoT edge devices [41]. Therefore, plenty of attention is paid to the cryptographic modules in resource-constrained devices to satisfy their limitations.

We have presented detailed discussions of the proposed AE, and further parameters were considered in addition to synthesis and simulation on different platforms. The block cipher (LED) and hash function (PHOTON) were combined to create an authenticated encryption with the aim of utilizing and reusing the common operations between the two cryptographic primitives. Therefore, a lightweight authenticated encryption primitive is implemented on the register transfer level (RTL) using Verilog Hardware Description Language (HDL). The most lightweight variants, the LED-64 block cipher and the PHOTON-80/20/16 hash function, are merged to compose the proposed authenticated encryption. The generic composition method used in this architecture design is the encrypt-then-MAC method, which is the most provably secure. The architecture is synthesized and simulated on several Altera FPGA devices with the help of their provided software. Figure 11 and

Table 3. Synthesis and simulation results of authenticated encryption, LED, and PHOTON.

Design	Datapath (Bits)	No. of LEs	No. of Clock Cycles	Max. Freq. (MHz)	Power (mW)	LE Reduction Rate (%)	Power Consumption Reduction Rate (%)	FPGA Device
AE	100	1030	140	140.39	99.30	13.52	24.19	Cyclone II
LED	64	365	32	208.72	89.38
PHOTON	100	826	108	321.44	41.60
AE	100	1017	140	184.77	89.73	13.67	39.03	Cyclone III
LED	64	357	32	271.96	82.19
PHOTON	100	821	108	338.75/250.0	64.99
AE	100	1018	140	150.51	157.97	13.73	46.04	Cyclone III LS
LED	64	357	32	231.21	150.45
PHOTON	100	823	108	336.36/250.0	142.21
AE	100	1024	140	176.87	147.38	13.58	33.06	Cyclone IV E
LED	64	357	32	254.19	120.52
PHOTON	100	828	108	361.53/250.00	99.65
AE	100	1020	140	164.31	217.51	13.56	19.65	Cyclone IV GX
LED	64	357	32	265.46	173.61
PHOTON	100	823	108	368.32/250.0	97.10

demonstrate the results of the proposed authenticated encryption. The results of the single architectures of the LED block cipher and the PHOTON hash function, as well as the composite authenticated encryption, are generated by Altera Quartus II. The results of the resource utilization and maximum operating frequency are taken directly from the analysis generated by Quartus II. Power consumption was measured using the power analyser tools (PowerPlay) provided by Quartus II. The percentages of the reduction rates of the resource utilization and power consumption are found by comparing the composite architecture to the single architectures. The efficiency is obtained from the input data, maximum allowable frequency, latency, and logic utilization.

The authenticated encryption is processed in 140 permutation rounds. LED-64 encrypts the 64-bit input block in 32 rounds. PHOTON-80/20/16 processes the input data in two phases, the absorbing phase and the squeezing phase. The absorbing phase processes a single 20-bit message in 12 rounds, resulting in 48 rounds for all four input messages. The squeezing phase also takes 12 rounds for each 16-bit output, resulting in 60 rounds for the whole concatenated hash digest of 80 bits. Therefore, the ciphertext takes 32 rounds to be generated, whereas the hash digest is produced in another 108 rounds, as illustrated in the simulation waveform in Figure 11.

The performance of the proposed AE scheme is proportional to the performance of our architectures for the single LED cipher and the PHOTON hash function. The performance metric is based on the maximum operating frequency of the single architectures and the composite architecture of the proposed AE. PHOTON runs at a high frequency, whereas LED runs at a slightly lower frequency. If the encryption of the LED block cipher is authenticated by the PHOTON hash function, it will run within the frequency of the lower primitive, regardless of the generic composition method used. Therefore, the proposed AE runs at a frequency within the range of the single design of the LED. Table 3 illustrates the operating frequency of the single architecture, as well as the composite architecture. The operating frequency of the proposed AE is slightly lower than the frequency of both LED and PHOTON. This is because this design completes a full permutation round in a single cycle, as well as sharing more than a single operation in one cycle. Therefore, the cycle count is the same as the total number of permutation rounds of LED and PHOTON.

The proposed AE scheme is efficient in terms of power consumption and area reduction. For the same number of permutation rounds, the utilization of logic resources is proportional to the power consumption. Sharing the common resources between LED and PHOTON and reducing the utilization of logic resources will result in a reduction in the power consumption. This includes the tradeoffs of security, cost, and architecture design. In this work, we aimed to optimize the architecture to reduce the logic resources, thus reducing the cost and power consumption.

The available previous work related to targeted cryptographic primitives aims for a single-architecture design. Moreover, these architecture designs are mostly synthesized on Xilinx FPGA devices. Therefore, a proposed authenticated encryption architecture synthesized on Altera FPGA devices is compared with our single LED and PHOTON architecture designs.

The LED and PHOTON architectures were individually designed and synthesized on several FPGA platforms. The cyclone family was used for synthesis and simulation. The results show similar resource utilization levels for all cyclone devices, as shown in Table 3. For the LED block cipher, the resource utilization was approximately 365 LE, whereas the PHOTON hash function utilizes 826 LE. The total logic utilization for both LED and PHOTON, when synthesized individually, is 1191 LE. However, the proposed architecture of LED–PHOTON authenticated encryption utilizes about 1030 LE for Altera Cyclone devices. This results in a reduction in the utilization of logic resources by approximately 14% in comparison with individual architectures.

The datapath width and the number of cycles for LED, PHOTON, and the AE are the same for all FPGA devices. However, the performance of the individual implementation of LED, PHOTON, and AE varies from one FPGA device to another. The individual design of LED achieves 208.72 MHz to 265.46 MHz, and PHOTON achieves 321.44 MHz to 368.32 MHz, depending on the type of FPGA device. When LED and PHOTON are merged without sharing the logic resources, the maximum frequency of PHOTON is cut off at the lower frequency of the LED. On the other hand, the proposed authenticated encryption achieves 140.39 MHz to 176.87 MHz for the same FPGA devices as the single designs. The proposed AE has a slightly lower maximum allowable frequency in comparison to the individual designs of LED and PHOTON. However, the degradation in performance is quite reasonable compared to the reduction in logic resource usage that is accomplished.

As the logic area utilization is mostly proportional to the power consumption, the reduction in the logic resources also improves the power consumption. For the individual designs of LED and PHOTON, the total power consumption for both ranges from 130.98 mW to 292.66 mW, whereas the power consumption of the proposed architecture ranges from 89.73 mW to 217.51 mW, depending on the FPGA device of the Cyclone family. Therefore, the power consumption was reduced by a minimum of 19.65% and a maximum of 46.04% based on the FPGA device, as shown in Table 3.

A comparison of the related work with the proposed work is provided in

Table 4. Comparison of related work with the proposed work.

Ref.	Generic Composition	Logic Utilization	Clock Cycles	Max. Freq. (MHz)	Power (mW)	Logic Reduction Rate (%)	Platform
[10]	PRESENT and SPONGENT	2508 GE	-	-	3.9	27	ASIC
[21]	LED and PHOTON	415 Slices	44	587	469	8.6	Xilinx Vertix-5
[21]	LED and PHOTON	825 Slices	140	332	60	8.6	Xilinx Spartan-3
[33]	AES-OTR	11 k ALMs	-	-	-	50	Altera Stratix 4
[40]	LED and MonkeyDuplex	303 Slices	72	640	-	-	Xilinx Virtex-6
Proposed	LED and PHOTON	1030 LE	140	140.39	99.30	13.52	Altera Cyclone II
Proposed	LED and PHOTON	1017 LE	140	184.77	89.73	13.67	Altera Cyclone III
Proposed	LED and PHOTON	1018 LE	140	150.51	157.97	13.73	Altera Cyclone III LS
Proposed	LED and PHOTON	1024 LE	140	176.87	147.38	13.58	Altera Cyclone IV E
Proposed	LED and PHOTON	1020 LE	140	164.31	217.51	13.56	Altera Cyclone IV GX

. The work detailed in [33] implemented an authenticated encryption on Stratix 4 FPGA and other devices from the Virtex family with the goal of reducing the logic area and achieving high speeds. They used an AES block cipher with an offset two-round (OTR) method, comprising an authenticated encryption. The authors were able to reduce the logic area by almost half compared to the original design. However, since they had to keep the speed in gigabits, the architecture still utilizes a large area compared to the proposed lightweight authenticated encryption. Z’aba et al. [40] introduced CiliPadi lightweight authenticated encryption, and the first design was submitted to the first round of the US NIST project. Their design was implemented on the Virtex 6 Xilinx FPGA device. They achieved higher frequencies compared to our work and the benchmarked work, but their most lightweight design (CiliPadi-Mild) still consumes more logic resources, even in comparison to their benchmarked proposals [42,43]. The authors of [21] aimed to design an authenticated encryption architecture and reuse the datapath functions by integrating an LED block cipher with the PHOTON hash function. They performed design space exploration for the LED and PHOTON resources and reported their results in logic slices. They were able to achieve an 8.6% reduction in logic resource utilization. The authors of [10] constructed an authenticated encryption by composing a PRESENT block cipher and a SPONGENT hash function with the goal of reusing the common datapath blocks. The design of the SPONGENT architecture was inherited from the sponge construction with the permutation function instantiated from the PRESENT block cipher. The authors of [10] reported their results in Gate Equivalent (GE) and were able to reduce the logic resources by 27% compared to the individual architectures of both primitives. However, the performance of their composite authenticated encryption was degraded.

There are always tradeoffs between security, cost, and architecture design, where improving one of them can result in compromising one or both of the others. The architecture design in this paper was optimized to reduce the utilization of logic resources. Nevertheless, the performance results are still quite acceptable. For example, for the Cyclone II FPGA device, the utilization of logic elements was reduced to 1030 LEs, and the power consumption was reduced to about 99 mW, but the operating frequency was still high (around 140 MHz) and the throughput was around 100 Mbps. Therefore, the proposed architecture can be used for many potential applications ranging from video surveillance to IoT.

Security Aspects

The security feature of authenticated encryption (AE) is an important aspect of the design. AE provides both confidentiality (encryption) and data integrity (authentication) in a single operation. It ensures not only that the data are kept secret from unauthorized parties (confidentiality), but also that the data have not been tampered with during transmission or storage (integrity). The proposed AE scheme focuses mainly on reducing the logic resources within FPGA devices to construct a compact AE suitable for resource-efficient applications. The generic composition method used to integrate encryption and authentication primitives in this design has the primary purpose of improving the footprints. The security of the proposed AE scheme is directly tied to the encryption and authentication mechanisms that were utilized to construct this AE. Therefore, the security level for encryption is based on the cryptanalysis of the original LED block cipher, whereas the security level for the authentication is based on the cryptanalysis of the PHOTON hash functions.

The LED block cipher has proven confidentiality and was designed to be resistant to the following attacks: brute-force attacks, differential cryptanalysis, linear cryptanalysis, and slide attacks. On the other hand, the PHOTON hash function has proven authenticity and was designed to be resistant to the following attacks: preimage attacks, collision attacks, second preimage attacks, differential cryptanalysis, linear cryptanalysis, and slide attacks. No cryptanalysis of post-quantum attacks is reported in the original paper of the utilized primitives. Moreover, the cost of quantum attacks is very high [29]. There are some analyses of the attacks applied to the single architectures of the LED block cipher and the PHOTON hash function. However, the main objective of this paper is to reduce the footprints without compromising the security level of the original utilized cryptographic primitives.

Table 5. Comparison of security features and related attacks.

AE Scheme	Ref.	Provable Confidentiality	Provable Authenticity	Nonce Misuse Resistance	Attacks
AES-CLOC	[44]	√	√	✕	Fault attack [45]
PRIMATEs	[46]	√	√	√	Cube attack [47]
AES-JAMBU	[48]	✕	✕	√	Nonce-misuse attack [49]
Tiaoxin	[50]	✕	✕	✕	Fault attack [51]
Ketje_v2	[52]	√	√	✕	Key-recovery attack [53] Fault attack [54] Cube-like attack [55,56] State-recovery attack [57]
MORUS_v2	[58]	✕	✕	✕	Cube attack [59] State-recovery attack [60] Fault attack [60]
JOLTIK	[61]	√	√	√	Key-recovery attack [62] Differential attack [63]
SILC-AES	[64]	√	√	✕	Fault attack [65,66]
SILC-LED	[64]	√	√	✕	Fault attack [65,66]
Keyak	[67]	√	√	✕	Fault attack [54]
ACORN_v3	[68]	√	√	✕	Fault attack [69]
ASCON_v1.2	[70]	√	√	✕	Preimage attack [71] Template attack [72] Side-channel attack [73] Cube attack [74]
LED-PHOTON	Proposed	√	√	✕	Fault attack on LED [75] S-Box attack on LED [76]

shows the security provability of some related AE schemes compared to the security of the proposed scheme based on the original primitives.

5. Conclusions

The proposed design of the LED–PHOTON lightweight authenticated encryption uses a repetitive architecture implemented on multiple FPGA devices from Altera. This architecture is based on rounds, whereby the permutation operations are performed in a single iteration. The LED-64 block cipher takes 32 permutation rounds to complete the encryption of one 64-bit input block. The PHOTON-80/20/16 sponge structure’s absorbing phase requires 48 rounds to handle four 20-bit messages, and the squeezing phase generates the 80-bit hash output in 60 rounds. The proposed design is more efficient in terms of area–performance tradeoffs compared to existing designs because it employs common components from both types of architecture. The proposed encrypt-then-MAC design consumes fewer logic resources while maintaining the performance of the single architectures. The proposed design of LED–PHOTON authenticated encryption consumes about 1017–1030 logic elements, achieving approximately a 14% reduction rate in logic utilization depending on the targeted FPGA device. Since there is an area–performance tradeoff, the proposed AE exhibits a slight degradation in performance, whereby the maximum allowable frequency was slightly reduced. However, the performance is considerable compared to the achieved area reduction. As a future recommendation, we suggest implementing the design on actual hardware to obtain more accurate timing data and investigating potential design alternatives, including serialized architectures with smaller areas and pipelined architectures with higher throughput.