1. Introduction
With the development of the Internet of Things (IoT), the number of IoT devices has increased very rapidly. Information interaction based on identification technology, pervasive computing and edge computing [1] is the core of the IoT, in which IoT nodes are the medium of information interaction. IoT nodes collect data by sensing external changes and send the collected data to a data analysis center. At present, IoT nodes, such as RFID tags and sensors, are widely used in manufacturing, smart cities, defence and military applications, public security and other fields. Generally, the data collected by IoT nodes are highly confidential; hence, it is particularly important to ensure the security of data transmission and storage [2,3,4]. Therefore, with respect to the special requirements of the IoT, a dedicated encryption algorithm is urgently needed for data storage and transmission in the perception layer of the IoT.
Common IoT nodes consist of various sensors, such as pressure, temperature, humidity and smoke sensors. The sensors perceive external changes and generate analog signals. To prevent data leakage or tampering, a lightweight encryption chip must be deployed inside the sensor node. When the sensor generates an analog signal, a compatible A/D converter is needed to convert it into digital form as input to the encryption chip. Using the cryptographic functions implemented inside the chip, the sensed data are encrypted and then transmitted through a data analysis center to the cloud server for storage. Authorized users can subsequently access the encrypted data only from the cloud server through the cloud service provider. The specific process is shown in Figure 1. However, IoT nodes are usually small embedded devices with relatively limited computing power and storage space. It is noteworthy that traditional encryption algorithms, such as AES (Advanced Encryption Standard) [5] and IDEA (International Data Encryption Algorithm) [6], are not suitable for such resource-constrained devices. Therefore, a lightweight cryptographic algorithm is essential for IoT nodes.
In recent years, many excellent lightweight cryptographic algorithms have emerged. These algorithms can be roughly divided into four types of structures [7]: SPN (substitution permutation network), Feistel, ARX and mixtures of these. Lightweight block ciphers such as PRESENT [8], GIFT [9], Loong [10] and ILEA [11] are all based on the SPN structure. The SPN structure usually uses S-boxes as its only non-linear component, but their hardware implementation is complicated. For resource-constrained IoT devices, implementing algorithms with an SPN structure requires significant overhead. In contrast, algorithms with a Feistel structure use the same components for both encryption and decryption, thus consuming fewer resources, and are more suitable for resource-constrained environments. Cryptographic algorithms based on ARX achieve non-linearity, diffusion and confusion through a combination of Addition or AND, Rotation and XOR. The simple structure of ARX makes it ideal for lightweight block ciphers. However, due to the particular features of the ARX (Addition or AND, Rotation, XOR) operations, whose combination is generally not a bijection, an ARX round function can only be used within a Feistel structure or a generalized Feistel structure, where the round function itself is never inverted; otherwise, the decryption process cannot be completed correctly [12].
Traditional Feistel structures divide the plaintext block into two halves and apply a round function to one half of the state before XORing the result into the other half. Algorithms based on the Feistel structure are symmetric and easily implemented in hardware and software. Because no specially designed decryption function is needed, this kind of algorithm saves half of the hardware implementation effort. However, traditional Feistel structures generally do not have a good diffusion effect, because they only process half of the data in each round. Consequently, more rounds are required to ensure security.
A generalized Feistel structure [13] divides the input into sub-blocks and potentially applies different F functions to each sub-block. Compared with a traditional Feistel structure, the diffusion effect of the generalized Feistel structure is slightly improved, but it still cannot reach an ideal diffusion effect. Therefore, a new logical combination of a generalized Feistel structure and ARX operations is proposed to enhance the diffusion speed, reduce the number of iteration rounds and improve hardware performance. The main contributions of this paper are as follows:
To improve the diffusion effect of the traditional Feistel structure, a new variant of the generalized Feistel structure, GFRX, is proposed. In GFRX, two ARX structures with different linear components process all branches of the generalized Feistel structure to enhance diffusion and confusion.
To reduce the cost of hardware implementation, the decryption process of the proposed GFRX is similar to its encryption process, so significant additional resources are not required. Meanwhile, the encryption structure is reused in the key extension to minimize the additional resource consumption.
To improve the flexibility and efficiency of hardware implementation, different levels of serialization implementation are proposed to ensure efficiency under different hardware and throughput requirements.
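To make the structural comparison above concrete, the following Python program is an added example written for this page; it is not GFRX's code and does not reproduce GFRX's round function, key extension or constants. It builds a two-branch Feistel network and a four-branch (Type-2) generalized Feistel network from a SIMON-like AND-RX map, in which the AND is the non-linear part and the rotation constants are the linear part. The branch width W = 16, the second rotation triple ROTS_B, the round-key layout and the sample inputs are all assumptions of the example. Because the AND makes the map non-bijective, it sits only on the F branch, and decryption reuses the same function with the round keys in reverse order, which is the hardware-saving property the text describes. The program also measures diffusion directly: it flips each input bit in turn, records which output bits can change, and reports the smallest round count after which every input bit can reach every output bit.

```python
"""Toy two-branch Feistel and four-branch generalized Feistel networks built
from a SIMON-like AND-RX round function, plus a simple diffusion measurement.
Constructed teaching example: the constants and F functions are not GFRX's."""
import random

W = 16                      # branch width in bits (assumption for the toy)
MASK = (1 << W) - 1

def rotl(x, r):
    """Rotate a W-bit word left by r positions."""
    r %= W
    return ((x << r) | (x >> (W - r))) & MASK

def f_andrx(x, k, rots):
    """AND-RX map (x<<<a & x<<<b) ^ (x<<<c) ^ k.  Rotation and XOR are
    linear; the AND supplies non-linearity and makes the map non-bijective,
    so it may only sit on the F branch of a Feistel network, where it is
    never inverted."""
    a, b, c = rots
    return (rotl(x, a) & rotl(x, b)) ^ rotl(x, c) ^ k

ROTS_A = (1, 8, 2)          # SIMON's rotation constants
ROTS_B = (3, 7, 5)          # second variant with a different linear part (constructed)

def feistel_enc(state, keys):
    """Classic Feistel: (L, R) -> (R, L ^ F(R)); keys = [(k,), ...]."""
    L, R = state
    for (k,) in keys:
        L, R = R, L ^ f_andrx(R, k, ROTS_A)
    return (L, R)

def feistel_dec(state, keys):
    """Same F, keys in reverse order: no separate decryption function needed."""
    L, R = state
    for (k,) in reversed(keys):
        L, R = R ^ f_andrx(L, k, ROTS_A), L
    return (L, R)

def gfn_enc(state, keys):
    """Type-2 generalized Feistel with four branches and two different F
    functions, followed by a cyclic branch shift; keys = [(k0, k1), ...]."""
    x0, x1, x2, x3 = state
    for k0, k1 in keys:
        x0, x1, x2, x3 = (x1 ^ f_andrx(x0, k0, ROTS_A), x2,
                          x3 ^ f_andrx(x2, k1, ROTS_B), x0)
    return (x0, x1, x2, x3)

def gfn_dec(state, keys):
    """Undo the branch shift, then cancel the two F outputs."""
    y0, y1, y2, y3 = state
    for k0, k1 in reversed(keys):
        y0, y1, y2, y3 = (y3, y0 ^ f_andrx(y3, k0, ROTS_A),
                          y1, y2 ^ f_andrx(y1, k1, ROTS_B))
    return (y0, y1, y2, y3)

def pack(state):
    """Concatenate branch words into one integer (word i at bits i*W ..)."""
    return sum(w << (i * W) for i, w in enumerate(state))

def unpack(x, n_words):
    """Inverse of pack()."""
    return tuple((x >> (i * W)) & MASK for i in range(n_words))

def affected_output_bits(enc, n_words, key_words, rounds, in_bit,
                         samples=100, seed=1):
    """OR of the output differences, over random states and keys, caused by
    flipping input bit `in_bit`: the set of output bits that bit can reach."""
    rng = random.Random(seed)
    union = 0
    for _ in range(samples):
        x = rng.getrandbits(n_words * W)
        keys = [tuple(rng.getrandbits(W) for _ in range(key_words))
                for _ in range(rounds)]
        y0 = pack(enc(unpack(x, n_words), keys))
        y1 = pack(enc(unpack(x ^ (1 << in_bit), n_words), keys))
        union |= y0 ^ y1
    return union

def rounds_to_full_diffusion(enc, n_words, key_words, max_rounds=32):
    """Smallest number of rounds after which every input bit can influence
    every output bit; None if not reached within max_rounds."""
    full = (1 << (n_words * W)) - 1
    for r in range(1, max_rounds + 1):
        if all(affected_output_bits(enc, n_words, key_words, r, i) == full
               for i in range(n_words * W)):
            return r
    return None

if __name__ == "__main__":
    rng = random.Random(7)
    msg = unpack(rng.getrandbits(4 * W), 4)          # constructed sample block
    ks = [(rng.getrandbits(W), rng.getrandbits(W)) for _ in range(8)]
    assert gfn_dec(gfn_enc(msg, ks), ks) == msg
    fk = [(k,) for k, _ in ks]
    assert feistel_dec(feistel_enc(msg[:2], fk), fk) == msg[:2]
    print("2-branch Feistel (32-bit block): full diffusion after",
          rounds_to_full_diffusion(feistel_enc, 2, 1), "rounds")
    print("4-branch GFN     (64-bit block): full diffusion after",
          rounds_to_full_diffusion(gfn_enc, 4, 2), "rounds")
```

Running the script prints the round count at which each structure reaches full diffusion under this toy F. With a single F per round, a one-bit change in the unprocessed half of the Feistel state moves only one output bit after the first round, which is the slow-diffusion behaviour the text attributes to the traditional Feistel structure; in the four-branch network, a change confined to the last branch needs four rounds before it has touched every branch. The measurement is sampled, so it reports a bit as reachable only if some sample actually toggled it.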
The remainder of this paper is organized as follows: In Section 2, related studies are reviewed. In Section 3, we describe the specific details of the GFRX algorithm. In Section 4, the security of the GFRX algorithm is analyzed. In Section 5, we present performance results for the GFRX algorithm. Finally, we conclude the paper in Section 6.
2. Related Work
Lightweight block ciphers with a Feistel structure proposed in recent years show excellent performance. SLIM [14] adopts a traditional Feistel structure and uses S-boxes as the non-linear components in the round function, which results in high security and excellent hardware performance. SAND [15] uses a combination of traditional Feistel and ARX structures with a novel design method. The core idea of SAND is to limit the AND-RX operations to half bytes. Therefore, SAND enables an equivalent representation based on a synthetic S-box (SSb) in the security analysis, which greatly reduces the complexity of the security analysis and results in strong software performance. However, the traditional Feistel structure weakens the diffusion effect. Therefore, to compensate for the diffusion effect, SLIM32/64 uses 32 rounds, while SAND64/128 uses 54 rounds. The high number of iterative rounds inevitably leads to high energy consumption.
Two methods have been introduced to improve the diffusion effect of the traditional Feistel structure. One uses complex round functions, as in MIBS [16], [17] and LiCi [18]. MIBS uses a complete SPN structure in the round function. Although strong diffusion is obtained, it offers no advantage in terms of hardware consumption. The round function of the cipher in [17] uses a four-round ultra-lightweight cipher for higher security, but its hardware implementation is more complicated. LiCi uses the SPN structure directly on the branch of the Feistel structure, so its encrypted branch looks like an independent SPN structure. However, this design method destroys the consistency of encryption and decryption in the Feistel structure, which then requires an independent decryption module. The other approach improves the diffusion effect through the structure itself, by using a generalized Feistel structure. Piccolo [19] uses a four-branch generalized Feistel structure with a more complex arrangement of the diffusion layers. TWINE [20] is a generalized Feistel structure encryption algorithm with 16 branches; the plaintext is divided into more sub-blocks during encryption, and the round function is reused for the key extension. QTL [21] uses a four-branch generalized Feistel structure that processes all branches in one round of encryption, which produces a very fast diffusion rate. However, to reduce the hardware cost, QTL has no key extension function. This means that the same key is used in every iteration of QTL, which makes the algorithm less resistant to standard statistical attacks. Shadow [12] is constructed from a combination of generalized Feistel and ARX structures, which enhances the diffusion of traditional Feistel structures. However, the key extension of Shadow requires a lot of resources, so it offers no significant advantage in terms of hardware implementation. Therefore, hardware consumption should be reduced while improving the diffusion effect, especially in the key extension, which is what this paper addresses.
4. Security Analysis
In the encryption of the GFRX algorithm, the branches affected by in the current round are processed by in the next round through branch replacement. The GFRX algorithm can be classified as a CFB [22] (cipher feedback) encryption mode. In each round, the encryption result of one branch is XORed with the other branch to obtain the ciphertext. The ciphertext obtained in the previous round is encrypted again in the next round, and the result is XORed with the plaintext. Through branch replacement, the two ARX structures with different non-linear components are applied to all branches over the whole encryption process. The CFB mode makes each ciphertext block depend on all previous plaintext blocks. Even if one ciphertext block is cracked, it is difficult to crack the other data blocks by the same method, which greatly improves the algorithm's security.
Differential analysis [23] and linear analysis [24] are effective attacks against iterative block ciphers. Any block cipher should be evaluated against both differential and linear analysis.
4.1. Overall Structure Analysis
The proposed GFRX algorithm is based on a generalized Feistel structure, which is widely used in block ciphers and has good structural security [25]. In terms of encryption, GFRX uses the CFB encryption mode in a way that differs slightly from traditional CFB: in the CFB mode of GFRX, the encryption function of each round is different. In terms of core components, the non-linear components of GFRX are implemented through the ARX structure, which also appears in SIMON and SPECK [26]. In recent years, a large number of studies have demonstrated that the components used by the SIMON and SPECK algorithms are sufficiently secure [27,28,29]. Therefore, the GFRX algorithm, with its generalized Feistel and ARX structure, can ensure adequate security.
4.2. Differential and Linear Analysis
The GFRX algorithm is divided into left and right parts, represented by and , respectively. Since the left and right parts of GFRX use non-linear components similar to those of SIMON, whose security has mainly been investigated through differential and linear analysis, the differential and linear analysis of the GFRX algorithm can make use of the existing analysis results for SIMON.
In addition, in the encryption process of GFRX64/128, branch replacement causes the left and right parts to interact with each other, making it more resistant to differential and linear analysis than two independent GFRX32/64 instances.
Taking GFRX64/128 as an example, GFRX64/128 can be divided into two mutually independent parts, and . The resistance of GFRX64/128 to differential and linear analysis can therefore be evaluated with the two independent GFRX32/64. Compared to SIMON32/64, GFRX32/64 has higher security, since no branch is left unprocessed in any round of encryption. The evaluation of differential and linear security depends on the availability of efficient differential and linear trails. The authors of [30] proposed a technique for automatically searching for differential trails in ARX ciphers, called threshold search. The threshold search screens the differentials in the DDT (differential distribution table) and keeps those whose probability is higher than a fixed probability threshold to form the partial DDT (pDDT). The authors of [31] improved the threshold search algorithm and divided the pDDT more finely into a primary pDDT and a secondary pDDT. Subsequently, [31] used the improved threshold search algorithm to obtain 13-round effective differential trails for SIMON32/64. On this basis, the trails were extended by six rounds and a 19-round differential attack on SIMON32/64 was carried out with a time complexity of and a data complexity of . Most subsequent differential analyses of SIMON32/64 have been extensions of the known 13-round differential trails; by reducing the complexity, more rounds of SIMON32/64 can be attacked. In other words, the continuous differential trails for GFRX32/64 do not exceed 13 rounds, and the effective differential attacks do not exceed 19 rounds, which means that the complete GFRX64/128 is secure against differential analysis. Similarly, effective 11-round linear trails for SIMON32/64 are presented in [29]. Then, in [32], this result is extended by two rounds, and linear analysis with a data complexity of is used to attack 13 rounds of SIMON32/64. Thus, the continuous linear trails for GFRX32/64 do not exceed 11 rounds and the effective linear attacks do not exceed 13 rounds. The full-round GFRX64/128 can therefore withstand linear analysis.
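The DDT and pDDT mentioned above can be illustrated at small scale. The following Python program is an added example for this page, not code from [30], [31] or the GFRX authors: it computes the exact differential distribution table of an 8-bit AND-RX map of the form (x<<<a & x<<<b) ^ (x<<<c) and then filters it by a probability threshold to form a partial DDT, which is the screening step the text describes. The word width N = 8 and the rotation constants (1, 3, 2) are constructed for the example and are not GFRX's parameters; the round-key XOR is omitted because it cancels in any XOR difference.

```python
"""Exact differential distribution table (DDT) of a small AND-RX map and the
threshold filtering that turns it into a partial DDT (pDDT).  Constructed
example on an 8-bit toy map; not GFRX's components or the cited search code."""
from collections import defaultdict

N = 8                     # toy word width (assumption)
MASK = (1 << N) - 1
ROTS = (1, 3, 2)          # (a, b, c): constructed rotation constants

def rotl(x, r):
    """Rotate an N-bit word left by r positions."""
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK

def f_andrx(x, rots=ROTS):
    """(x<<<a & x<<<b) ^ (x<<<c).  A round-key XOR cancels in any XOR
    difference f(x) ^ f(x ^ d), so it is left out of the DDT computation."""
    a, b, c = rots
    return (rotl(x, a) & rotl(x, b)) ^ rotl(x, c)

def ddt(func=f_andrx):
    """ddt[din][dout] = number of inputs x with func(x) ^ func(x ^ din) == dout.
    Dividing a count by 2**N gives the differential probability."""
    table = [defaultdict(int) for _ in range(1 << N)]
    for din in range(1 << N):
        row = table[din]
        for x in range(1 << N):
            row[func(x) ^ func(x ^ din)] += 1
    return table

def pddt(table, threshold):
    """Partial DDT: keep only differentials whose probability is at least
    `threshold`, as {(din, dout): probability}."""
    total = 1 << N
    return {(din, dout): cnt / total
            for din, row in enumerate(table)
            for dout, cnt in row.items()
            if cnt / total >= threshold}

def best_nonzero(table):
    """Most probable differential with a non-zero input difference."""
    total = 1 << N
    cnt, din, dout = max((cnt, din, dout)
                         for din, row in enumerate(table) if din
                         for dout, cnt in row.items())
    return din, dout, cnt / total

if __name__ == "__main__":
    table = ddt()
    print("single-bit input difference 0x01 ->",
          {hex(d): c / 256 for d, c in sorted(table[1].items())})
    for thr in (2 ** -1, 2 ** -2, 2 ** -3):
        print(f"pDDT entries with p >= {thr}: {len(pddt(table, thr))}")
    din, dout, p = best_nonzero(table)
    print(f"best non-trivial differential: {din:#04x} -> {dout:#04x}, p = {p}")
```

For a single-bit input difference, the AND term depends on two distinct bits of the input, so the four possible output differences each have probability 1/4, and the script's best_nonzero report shows that no non-zero input difference of this map does better; a pDDT with threshold 1/2 therefore keeps only the trivial zero-to-zero entry. A full threshold search chains such single-round pDDT entries across rounds to build trails; this block stops at the one-round table that such a search starts from.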
6. Conclusions
In this paper, we propose a lightweight block cipher, GFRX, combining a generalized Feistel structure and an ARX structure. The algorithm is based on a generalized Feistel structure with two different non-linear ARX components as round functions. In the round function, operations such as AND, ADD, rotation and XOR replace complex non-linear components in hardware. The flexible combination of generalized Feistel and ARX structures solves the problems of slow diffusion and confusion in traditional Feistel structures and offers great flexibility in hardware implementation. Compared with current generalized Feistel structure algorithms, the GFRX algorithm has better diffusion and confusion effects, fewer iterations and higher hardware efficiency. The security analysis results for the GFRX algorithm show that effective differential attacks do not exceed 19 rounds and effective linear attacks do not exceed 13 rounds. Therefore, the GFRX algorithm is secure against differential and linear analysis.
However, there is no such thing as the best encryption algorithm for a specific application scenario, only the most appropriate one. The GFRX algorithm proposed in this paper consumes fewer resources while retaining a sufficient security margin. Therefore, it has greater applicability in resource-constrained environments.