DABC: A dynamic ARX-based lightweight block cipher with high diffusion

Abstract

The ARX-based lightweight block cipher is widely used in resource-constrained IoT devices due to fast and simple operation of software and hardware platforms. However, there are three weaknesses to ARX-based lightweight block ciphers. Firstly, only half of the data can be changed in one round. Secondly, traditional ARX-based lightweight block ciphers are static structures, which provide limited security. Thirdly, it has poor diffusion when the initial plaintext and key are all 0 or all 1. This paper proposes a new dynamic ARX-based lightweight block cipher to overcome these weaknesses, called DABC. DABC can change all data in one round, which overcomes the first weakness. This paper combines the key and the generalized two-dimensional cat map to construct a dynamic permutation layer P1, which improves the uncertainty between different rounds of DABC. The non-linear component of the round function alternately uses NAND gate and AND gate to increase the complexity of the attack, which overcomes the third weakness. Meanwhile, this paper proposes the round-based architecture of DABC and conducted ASIC and FPGA implementation. The hardware results show that DABC has less hardware resource and high throughput. Finally, the safety evaluation results show that DABC has a good avalanche effect and security.

1. Introduction

With the development of technologies such as wireless communication and the Internet of Things (IoT), many sensor devices were widely used in our daily life [1]. However, IoT devices usually work in a wireless sensor network environment where sensor nodes can be easily captured by attackers [2]. It leads to some information leakage. Li et al. [3] considered the importance of providing security services in IoT, which makes people begin to pay attention to security in resource-constrained environments. At the same time, traditional block cipher (such as AES) cannot adapt to the resource-constrained environment due to high hardware resource consumption. Cipher designers have begun studying lightweight block ciphers to address this challenge. Different from traditional block ciphers, lightweight block ciphers with low resource and energy consumption are suitable for resource-constrained environments. The Feistel and the substitution-permutation networks (SPN) structure are its two mainstream cipher structures, respectively. Encryption and decryption of the Feistel structure are consistent, but the diffusion effect is poor, such as Piccolo [4], TWINE [5], QTL [6], etc. The SPN structure has a good diffusion speed but generally consumes additional resources when decrypting, such as PRESENT [7], Midori [8], RECTANGLE [9], SKINNY [10], etc.

Most of these mainstream ciphers use S-box to enhance confusion. There are ARX-based lightweight block ciphers without S-boxes in addition to these mainstream ciphers. ARX-based lightweight block ciphers are generally designed with simple operations, such as Addition, AND, Rotation, and XOR. It is superior to other ciphers with S-box according to the test results of the "Fair Evaluation of Lightweight Cryptography System (FELICS) [11]" platform designed by researchers at the University of Luxembourg. Some classical ARX-based lightweight block ciphers have been proposed in recent years. D. Hong et al. [12] proposed HIGHT by ARX operations, which is adapted to low-resource environments. R. Beaulieu et al. [13] proposed SIMON and SPECK with good performance in hardware implementation and software implementation, respectively. However, proof of their theoretical security has always been a difficult task. G. Yang et al. [14] combined the advantages of SIMON and SPECK to propose the Simeck, which is less than the SMION in terms of hardware resources and power consumption. Y. Guo and L. Li et al. [15] proposed Shadow to protect the security of sensory layer nodes in IoT, which overcomes the problem of poor diffusion of ARX-based lightweight block cipher. S. Chen and M. Wang et al. [16] proposed SAND. The authors used equivalent S-box-based representation to evaluate the security of SAND, which provides a new way to analyze the security of ARX-based lightweight block ciphers. In general, these ARX-based lightweight block ciphers are competitive in terms of hardware and software implementations. However, except for Shadow, these ARX-based lightweight block ciphers generally have the weakness of slow diffusion (only half the data can be changed in one round). For Shadow, it solves the weakness by combining four ARX operations and branch swapping. Therefore, Shadow is not as impressive in terms of latency. Furthermore, ARX-based lightweight block cipher generally suffers from poor diffusion when the initial plaintext and key are all 0 or all 1.

The lightweight ARX-based block ciphers currently designed are all static structures. Some security analysis of them has been carried out by cryptographers. B. Koo et al. [17] and J. Song et al. [18] proposed a correlation key attack and a biclique attack for the HIGHT full-round, respectively. B. Ryabko and A. Soskov [19] proposed an integral attack on Simeck 48/96 full-round. J. Lu et al. [20] proposed Simeck64/128 to construct 17-round neural discriminators (NDs) and 21-round correlated key neural discriminators (RKNDs). K. Fu et al. [21] proposed a mixed integer linear program (MILP)-based method to automatically search for differential features and linear approximations of SPECK. They also use this feature to improve the differential analysis of SPECK, which improves the analysis effect. It can be seen that the security provided by static structures is limited. Therefore, this paper attempts to improve the resistance of ARX-based lightweight block ciphers to potential attacks by adding less dynamic control logic and dynamic calling of some components. There are also some current designs for dynamic ciphers. J. Yang and L. Li et al. [22] proposed an SPN-based dynamic lightweight block cipher DULBC, which is a dynamic variation of the overall structure of the cipher. A. D. Dwivedi [23] proposed BRISK, which uses two different cryptographic components to encrypt data. It is worth noting that dynamic changes to the overall structure of the cipher will require more hardware resources. In contrast to these cipher design ideas, this paper is a dynamic variation on the linear component of the cipher. It does not consume excessive additional hardware resources in hardware implementation. In each round of encryption, the non-linear operations are still performed first and then the diffusion of the cipher is enhanced by different linear permutation operations.

For ARX-based lightweight block ciphers, this paper summarizes three of their currently prevalent weaknesses. 1) Only half of the data is changed in one round, which is poorly diffused. It also makes them require a large number of iterative rounds to improve the security of the cipher. 2) Traditional ARX-based lightweight block ciphers are usually a static structure. The security of their encryption is usually not particularly high. 3) ARX-based lightweight block ciphers have poor diffusion when the initial plaintext and key are all 0 or all 1. It is mainly due to the nature of the AND operation. To overcome the above three weaknesses, this paper proposes a new dynamic ARX-based lightweight block cipher, called DABC. Our contributions mainly include the following aspects:

• This paper combines ARX operation and Feistel structure to design a new variant of the generalized Feistel network (GFN) structure. The structure can change all data in one round, which overcomes the weakness of traditional ARX-based lightweight block cipher that only changes half of the data in one round. Meanwhile, its encryption and decryption are highly consistent.

• The dynamic permutation layer is proposed by combining the generalized two-dimensional cat map with the key. The first 2 bits of the key are used as the parameters of the generalized two-dimensional cat map. The dynamic permutation layer with four different permutation effects is constructed by circular shift and iterative operations on the generalized two-dimensional cat map, which improves the uncertainty between different rounds of the cipher. It can implement by wiring and does not consume excessive resources in hardware implementation.

• The odd and even rounds use round functions 𝐹₁ and 𝐹₀ for encryption, respectively. 𝐹₀ uses AND operation as a non-linear component, while 𝐹₁ uses the NAND operation. The approach increases the complexity of the attack without consuming too many hardware implementation resources. It solves the weakness of poor diffusion well when the initial plaintext and the key are all 0 or all 1.

• This paper conducts ASIC implementation and FPGA implementation on DABC. Avalanche effect tests and safety analysis are also performed in this paper. The results show that DABC is safe, efficient, and adaptable to resource-constrained environments.

The rest of the paper is organized as follows. This paper introduces the cipher specifications of DABC in Section 2 and the design principles of DABC in Section 3. The hardware implementation of DABC and the avalanche effect test are arranged in Section 4. Section 5 is the security analysis of the DABC. Finally, Section 6 concludes this paper.

2. Specification of DABC

DABC is based on a variant of the GFN structure with four branches, which has a 64-bit block with a 96-bit or 128-bit key block. The number of encryption rounds (𝑅𝑅) for DABC64/96 and DABC64/128 is 27 and 33, respectively.

2.1 Encryption algorithm

The plaintext is divided into four blocks of the same size in the encryption process of DABC. Then the operations such as the round function, AddRoundKey, and P1 permutation are performed sequentially. DABC mainly uses NAND and AND operations as non-linear components, while the P1 permutation layer is used as a linear component. In odd rounds, the encryption process calls the round function 𝐹₁ and the key update calls the round function 𝐹₀. The opposite is true in even rounds. Fig. 1 shows the encryption process of DABC. Algorithm 1 shows the detailed process of DABC.

Algorithm 1 DABC Encryption Routine.

Input: Plaintext, Key;

Output: Ciphertext;

1: (𝑋₀, 𝑋₁, 𝑋₂, 𝑋₃) ⟵ Plaintext;

2: for 𝑟 = 1 to 𝑅 do

3: 𝑋₀′ = 𝑋₀ ⊕ 𝑋₂ ⊕ 𝑘_𝑖^𝑟;

4: if (𝑟 % 2 == 0) then

5: 𝑋₁′ = 𝑋₁ ⊕ 𝐹₀(𝑋₀) ⊕ 𝑘_𝑖^𝑙;

6: 𝑋₃′ = 𝑋₃ ⊕ 𝐹₀(𝑋₀) ⊕ 𝑋₁;

7: 𝑋₂′ = 𝑋₂ ⊕ 𝐹₀(𝑋₃′) ⊕ 𝑘_𝑖^𝑟;

8: else

9: 𝑋₁′ = 𝑋₁ ⊕ 𝐹₁(𝑋₀) ⊕ 𝑘_𝑖^𝑙;

10: 𝑋₃′ = 𝑋₃ ⊕ 𝐹₁(𝑋₀) ⊕ 𝑋₁;

11: 𝑋₂′ = 𝑋₂ ⊕ 𝐹₁(𝑋₃′) ⊕ 𝑘_𝑖^𝑟;

12: end if

13: if (𝑟 ≤ (𝑅 − 1)) then

14: state = P1(𝑋₀′||𝑋₁′||𝑋₂′||𝑋₃′);

15: else

16: state = 𝑋₀′||𝑋₁′||𝑋₂′||𝑋₃′;

17: end if

18: end for

19: Ciphertext ⟵ state;

20: Return Ciphertext;

Fig. 1. The encryption process of DABC.

2.2 Round function

The main difference between the round functions 𝐹₀ and 𝐹₁ is that 𝐹₁ uses the NAND operation (!&) as a nonlinear component, while 𝐹₀ uses the AND operation (&). Fig. 2 shows the round functions 𝐹₀ and 𝐹₁. They together include three operations: left circular shift by 3 bits (⋘ 3), left circular shift by 1 bit (⋘ 1), and an XOR operation (⊕).

Fig. 2. The operation process of round function.

The 𝐹₀ as described in formula (1), where 𝑛 = 64:

\(\begin{aligned}\left\{\begin{array}{c}\{0,1\}^{n / 4} \times\{0,1\}^{n / 4} \rightarrow\{0,1\}^{n / 4} \\ X^{\prime}=X \\ Y^{\prime}=F_{0}(X) \oplus Y=\left(\left(X \&\left(X^{<<< 3}\right)\right) \oplus X^{<<< 1}\right) \oplus Y .\end{array}\right.\end{aligned}\)       (1)

The 𝐹₁ as described in formula (2):

\(\begin{aligned}\left\{\begin{array}{c}\{0,1\}^{n / 4} \times\{0,1\}^{n / 4} \rightarrow\{0,1\}^{n / 4} \\ X^{\prime}=X \\ Y^{\prime}=F_{1}(X) \bigoplus Y=\left(\left(X ! \&\left(X^{<<< 3}\right)\right) \bigoplus X^{<<<1}\right) \bigoplus 1\end{array}\right.\end{aligned}\)       (2)

2.3 P1 permutation layer and AddRoundKey

P1 permutation layer: The P1 permutation layer of DABC is dynamic. It performs different bit-level permutation operations on the input data according to the value of the key. More details are described in Section 3.3.

AddRoundKey: The AddRoundKey means that two 16-bit block data are XORed with the round keys of this encryption round.

2.4 Key generator and AddRoundconstant

Key generator: The key generator of DABC supports two different versions of keys, 96-bit and 128-bit. The 96-bit initial key 𝑘₀||𝑘₁||. . . ||𝑘₉₅ is divided into six 16-bit blocks 𝐾₀||𝐾₁||𝐾₂||𝐾₃||𝐾₄||𝐾₅. Then proceed as follows, where 𝑛 takes 0 in odd rounds and 1 in even rounds, 0 ≤ 𝑖 ≤ 𝑅 − 1, 0 ≤ counter ≤ 𝑅 − 1:

• 𝐾₀||𝐾₁||𝐾₂||𝐾₃||𝐾₄||𝐾₅ = (𝑘₀||𝑘₁|| ⋯ ||𝑘₉₄||𝑘₉₅)<<<³⁷;

• 𝑘₆₀||𝑘₆₁||𝑘₆₂||𝑘₆₃||𝑘₆₄ = 𝑘₆₀||𝑘₆₁||𝑘₆₂||𝑘₆₃||𝑘₆₄ ⊕ counter;

• 𝑘_𝑖^𝑙 = 𝐹_𝑛(𝐾₀) ⊕ 𝐾₂, 𝑘_𝑖^𝑟 = 𝐹_𝑛(𝐾₁) ⊕ 𝐾₃.

The 128-bit initial key 𝑘₀||𝑘₁|| ⋯ ||𝑘₁₂₇ is divided into eight 16-bit blocks 𝐾₀||𝐾₁||𝐾₂||𝐾₃||𝐾₄||𝐾₅||𝐾₆||𝐾₇. The following operations are performed in turn:

• 𝐾₀||𝐾₁||𝐾₂||𝐾₃||𝐾₄||𝐾₅||𝐾₆||𝐾₇ = (𝑘₀||𝑘₁|| ⋯ ||𝑘₁₂₇)<<<³⁸;

• 𝑘₆₀||𝑘₆₁||𝑘₆₂||𝑘₆₃||𝑘₆₄||𝑘₆₅ = 𝑘₆₀||𝑘₆₁||𝑘₆₂||𝑘₆₃||𝑘₆₄||𝑘₆₅ ⊕ counter;

• 𝑘_𝑖^𝑙 = 𝐹₀(𝐾₀) ⊕ 𝐾₂ ⊕ 𝐹₁(𝐾₄), 𝑘_𝑖^𝑟 = 𝐹₀(𝐾₁) ⊕ 𝐾₃ ⊕ 𝐹₁(𝐾₅).

𝐾ey′ = 𝐾₀||𝐾₁||𝑘_𝑖^𝑙||𝑘_𝑖^𝑟||𝐾₄||𝐾₅(for 128-bit initial key, 𝐾ey′ = 𝐾₀||𝐾₁||𝑘_𝑖^𝑙||𝑘_𝑖^𝑟||𝐾₄||𝐾₅||𝐾₆||𝐾₇) as the input value for next round of key updates. The generated 𝑘_𝑖^𝑙 and 𝑘_𝑖^𝑟 are round keys used for the AddRoundKey operation. Fig. 3 shows the core process of the DABC64/96 key generator.

Fig. 3. The core operation process of key generator (left: odd rounds, right: even rounds).

AddRoundconstant: The current number of encryption rounds is used as the round constant (counter) of DABC, which is described as 𝑐₀||𝑐₁||𝑐₂||𝑐₃||𝑐₄ (for 128-bit initial key, counter = 𝑐₀||𝑐₁||𝑐₂||𝑐₃||𝑐₄||𝑐₅). The round constant is XORed with the corresponding bits of the key.

2.5 Decryption algorithm

It is necessary to perform linear rP1 and NP1 permutations on the encryption data to make the encryption and decryption structures highly reusable. See section 3.3 for the principle of NP1. In addition, the round keys are used in reverse order during decryption. The two round keys 𝑘_𝑖^𝑙 and 𝑘_𝑖^𝑟 of the same round also need to be swapped in the AddRoundKey operation. rP1 permutation means that the branches are output in reverse order, which is performed before and after the round function operation. In the hardware implementation, the rP1 and NP1 permutations can be implemented by wiring operations. Therefore the decryption process does not consume many additional resources.

3. Design rationale of DABC

DABC is designed mainly to solve the poor diffusion of traditional ARX-based lightweight block ciphers and increases security through a dynamic encryption structure. In order to avoid continuous linear operations, this paper chooses dynamic changes in some components instead of dynamic changes in the overall structure of the cipher. It also reduces the resources consumed in hardware implementation. The specific design details of DABC are described next.

3.1 Cipher structure

The DABC proposed in this paper has the following characteristics. Firstly, it can change all data in one round of encryption, which overcomes the slow diffusion of the traditional ARX-based lightweight block cipher. Secondly, the round functions 𝐹₁ and 𝐹₀ are used alternately in DABC encryption, which is safer than a single round function. At the same time, a dynamic permutation layer P1 is designed based on the generalized two-dimensional cat map, which increases the randomness of the cipher structure. Finally, DABC retains the advantage that the decryption process of the Feistel structure can highly reuse the encryption process. Therefore, the decryption process does not consume many additional resources.

3.2 Round function F₀ and F₁

The ARX-based lightweight block cipher suffers from poor diffusion when the plaintext and the key are all 0 or all 1. For example, the first 4 rounds of SIMON, SPECK, and SAND ciphertext change very little when plaintext and key are all 0 or all 1. It is not until rounds 5 or 6 that the ciphertext changes significantly, which is caused by the nature of the AND operation. This paper introduces the NAND operation to break the effect of AND operation. The purpose of using round functions alternatively is also to solve this problem. DABC changed significantly in the second round of ciphertext when the plaintext and the key are all 0 or all 1, so it can be considered that DABC has high diffusion. AND and NAND operations are used as non-linear components for the round functions 𝐹₀ and 𝐹₁, respectively. NAND gate resources in most standard libraries are less than AND gate resources. Compared to traditional ARX-based lightweight block ciphers, the alternate use of round functions can increase the complexity of the attack without increasing too many hardware resources. The round function also involves left circular shift and XOR operations. Overall, it is beneficial to hardware implementation.

3.3 Key generator

DABC supports two key sizes to accommodate resource-constrained environments with different security strengths. For high-security environments, the 128-bit version of the key meets the security key length requirements in the NIST standard. The order of round function calls in the key generator is the opposite of the encryption process. It effectively improves the problem of poor diffusion when the plaintext and the key are all 0 or all 1.

3.4 P1 and NP1 permutation layer

The two-dimensional cat map is a pixel shuffling scheme that goes through multiple iterations to upset the pixel positions in the image, which happens to be similar to the effect of a linear permutation layer in a grouping cipher. However, the first position coordinate does not change when position coordinates are transformed through the two-dimensional cat map. To avoid this situation, a left-loop operation is added after each iteration in this paper.

This paper designs a key-related dynamic permutation layer P1 based on the generalized two-dimensional cat map. P1 increases the randomness of the cipher structure more than the traditional static permutation layer. It can be implemented with wiring operations, which do not consume excessive hardware resources. The generalized two-dimensional cat map used by DABC is shown in formula (3):

\(\begin{aligned}\left[\begin{array}{l}x_{1} \\ y_{1}\end{array}\right]=\left[\begin{array}{cc}g+2 & g+1 \\ 1 & 1\end{array}\right]\left[\begin{array}{l}x_{0} \\ y_{0}\end{array}\right] \bmod N\end{aligned}\)       (3)

where 𝑔 is the control parameter of the generalized two-dimensional cat map. 𝑁 is the number of digits of input data, which is 8. Let 𝑥₀ and 𝑦₀ be the original position coordinates of the data, and let 𝑥₁ and 𝑦₁ be the position coordinates after being scrambled by the generalized two-dimensional cat map.

The input data of the P1 is arranged in the form of 8 × 8 two-dimensional matrix, as shown in formula (4):

\(\begin{aligned}\left[\begin{array}{cccc}Y_{0,0} & Y_{0,1} & \cdots & Y_{0, y_{0}} \\ Y_{1,0} & Y_{1,1} & \cdots & Y_{1, y_{0}} \\ \vdots & \vdots & \vdots & \vdots \\ Y_{x_{0}, 0} & Y_{x_{0}, 1} & \cdots & Y_{x_{0}, y_{0}}\end{array}\right]\end{aligned}\)       (4)

The position coordinates of data in the matrix are used as the input values of generalized two-dimensional cat map. The results of map are used as the new position coordinates of data. The above operation is iterated 16 times. In the first 15 iterations, the result is subjected to a 3-bit left circular shift operation after each iteration is completed. The permutation relationship between the final permutation result and the position coordinates of initial data is used as the P1 permutation. It should be noted that the first 2 bits of the key are used as the value of map control parameter 𝑔. Four permutation tables are generated by the above method based on different values of the control parameter 𝑔. Select one of the tables to replace the data based on the first 2 bits of the key. Tables 1 to 4 show the different elemental values of P1, respectively.

Table 1. P1 permutation table when 𝑔 = 0.

Table 2. P1 permutation table when 𝑔 = 1

Table 3. P1 permutation table when 𝑔 = 2.

Table 4. P1 permutation table when 𝑔 = 3.

The NP1 permutation layer is constructed from the inverse map of the generalized two-dimensional cat map. Formula (5) shows its inverse map.

\(\begin{aligned}\left[\begin{array}{l}x_{0} \\ y_{0}\end{array}\right]=\left[\begin{array}{cc}1 & -g-1 \\ -1 & g+2\end{array}\right]\left[\begin{array}{l}x_{1} \\ y_{1}\end{array}\right] \bmod N\end{aligned}\)       (5)

The NP1 layer is constructed in a similar way to the P1 layer. The difference is that in the first 15 of the 16 iterations, a 3-bit right circular shift operation is performed after each completion.

4. Performance evaluation

4.1 Avalanche effect

The avalanche effect is an indicator of the diffusion effect, which is related to the randomness of the cipher. If the avalanche effect is too poor, the cipher can be easily cracked by an attacker. Therefore, the designed cipher needs to meet the avalanche effect. Half of the output binary bits change when one of the binary bits of the cipher input changes. It can be considered the cipher with a good avalanche effect. The strict avalanche criterion means that every bit in the output has a 50% probability of changing when any input bit is inverted.

This paper assesses average change digit (𝑤_𝑣), average change probability (𝑃𝑟_𝑣), avalanche effect degree (𝐴_𝑑), and strict avalanche criterion degree (𝐴_𝑐d) of the output change when the input 1-bit changes. In addition, 𝑤_𝑣 ≈ 𝑛/2 (𝑛 is the bit width of the plaintext), 𝐴_𝑑 ≈ 1, and 𝐴_cd ≈ 1 indicate that the avalanche effect of the cipher is splendid. 𝑃𝑟_𝑣 ≈ 0.5 indicates that the cipher satisfies the strict avalanche criterion.

In order to make the experimental data results more accurate and scientific, this paper has carried out 10,000 sample tests on DABC, Piccolo64/128, HIGHT64/128, Simeck64/128, SIMON64/96, and SPECK64/96 according to the same avalanche effect test method. Table 5 shows that 𝑤_𝑣, 𝑃𝑟_𝑣, 𝐴_𝑑, and 𝐴_cd of DABC are as close to ideal as the compared ciphers. In summary, DABC can be considered to have a good avalanche effect.

Table 5. Comparison of avalanche effect data of various ciphers.

4.2 Hardware implementation

The throughput of cipher is important, which is related to the efficiency of data transfer in the network. At the same time, it is also necessary to consider the hardware resource and energy consumption of the cipher in a resource-constrained environment. This paper proposes a round-based architecture for DABC. Fig. 4 shows the round-based architecture for DABC64/96. The architecture is conducive to the low-resource implementation of DABC for resource-constrained environments. The design idea of round-based architecture is repeatedly invoking the components of encryption. One round of encryption is one clock cycle. Twenty-seven and thirty-three clock cycles are required for DABC64/96 and DABC64/128, respectively.

Fig. 4. Round-based architecture for DABC.

4.2.1 ASIC implementation

The ASIC implementation of DABC has been synthesized by the UMCL18G212 Synchronous Design Compiler A-2007.12-SP1T3 standard cell library. The logic process of the library is UMCL180 0.18µm 1P6M with a clock frequency of 100KHz and a standard voltage of 1.8V.

The round-based architecture of DABC mainly includes the following operations: round function, AddRoundKey, AddRoundconstant, and dynamic P1 permutation. Among them, the circular shift operation in the round function module can be realized by wiring operation without spending additional hardware resources. The dynamic effect of P1 permutation is achieved by adding a 4-to-1 multiplexer. Use the first 2 bits of each 𝐾ey as a control signal to select the permutation table corresponding to 𝑔=0, 1, 2, or 3 in the order, when the 2 bits are "00", "01", "10", or "11". The specific hardware resource consumption of DABC is as follows (in 0.18µm standard process library): an AND gate consumes 1.33GE, a NAND gate consumes 1GE, and an XOR gate consumes 2.67GE. The round function module includes a 16-bit XOR gate, a 16-bit AND gate, and a 16-bit NAND gate, which require a total of 80GE. Two 16-bit AddRoundKey is equivalent to two 16-bit XOR gates, which require 85.44GE. The encryption process includes four 16-bit XOR operations and two round function modules, which require a total of 330.88GE. 5-bit AddRoundconstant is equivalent to 5-bit XOR operation, which requires 13.35GE (which requires 16.02GE for DABC64/128). The 96-bit and 128-bit key generators require 245.44GE and 405.44GE, respectively. The 64-bit plaintext and 96-bit key registers require a total of 832.32GE. The 64-bit plaintext and 128-bit key registers require a total of 981.76GE. The control logic requires 20GE. In total, DABC64/96 and DABC64/128 require 1527.43GE and 1839.54GE, respectively. For better performance comparison, this paper also implemented DABC64/96 and DABC64/128 under IBM 130µm standard process library (for 0.13µm, an AND gate consumes 1.25GE, a NAND gate consumes 0.75GE, and an XOR gate consumes 2GE). Table 6 shows the resource comparison of DABC with other lightweight packet ciphers. In general, DABC has certain advantages in hardware implementation.

Table 6. Comparison of hardware resources between DABC and other ciphers.

4.2.2 FPGA implementation

The round-based RTL file of DABC was obtained through ISE Design Suite 14.6 and mapped to the Xilinx Virtex-5 FPGA development board to evaluate its hardware performance. Table 7 shows the hardware performance of the DABC.

Table 7 Hardware performance of DABC on Virtex-5.

This paper implements DABC on Virtex-5 FPGA and tries its best to find some lightweight block ciphers implemented on Virtex-5 FPGA. Table 8 shows the FPGA implementation performance with different ciphers, where 𝑇ℎ𝑟 is the throughput at the maximum frequency (𝐹). This paper also counts the throughput 𝑇ℎ𝑟* under a unified 13.56MHz to better compare the throughput. Although the 𝑇ℎ𝑟* of LEA128/128 [29] and LEA128/128 [30] are higher than DABC64/128, the LUT of LEA128/128 [29] and LEA128/128 [30] are 47% and 52% higher than DABC64/128, respectively. The Flip Flop, Slice, and LUT of other ciphers are not much different from DABC, but 𝑇ℎ𝑟* is lower than DABC. Fig. 5 shows the comparison of Flip Flop, Slice, and LUT parameters implemented on Virtex-5 FPGA. Fig. 6 shows the throughput comparison of each cipher at the 13.56MHz frequency on Virtex-5 FPGA. In Fig. 5 and Fig. 6, 𝑎, 𝑏, 𝑐, 𝑑, 𝑒, 𝑓, 𝑔, ℎ, 𝑖, 𝑗, 𝑘, and 𝑙 represent the lightweight block ciphers ^IPRESENT, PRESENT64/80, ^RPRESENT64/128, PRESENT64/128, LEA128/128 [28], LEA128/128 [29], LEA 128/128 [30], ^RAMRECTANGLE, QTL64/64, XTEA, DABC64/96, and DABC64/128, respectively. In summary, it can be seen that DABC achieves a good balance between throughput and hardware implementation resources from the above comparison results.

Fig. 5. Flip Flop, Slice and LUT comparison of various ciphers on Virtex-5.

Fig. 6. Throughput comparison of various ciphers at 13.56MHz onVirtex-5.

Table 8. Hardware performance comparison of various ciphers on Virtex-5.

𝑇ℎ𝑟*: represents the parameter calculated at a fixed frequency of 13.56 MHz. 𝐹: represents maximum frequency. -: represents uncertainty. ^I: represents the Iterative architecture. ^R: represents the Round-based architecture. ^RAM: represents the RAM based architecture.

5. Security analysis

5.1 Differential analysis

Differential analysis is the analysis method introduced by E. Biham and A. Shamir [36] in the cryptanalysis of FEAL, which was the classical analysis method in cryptanalysis. The main idea of differential analysis is to take a pair of plaintexts and analyze the propagation of their differences by the iterative process.

This paper refers to the method of K. Fu et al. [21] to calculate the differential probability of DABC. Differential analysis modeling of DABC using MILP automatic analysis method with the help of Gurobi optimizer. The best differential characteristics were obtained, as shown in Table 9. It can be seen that the differential probability for the first 10 rounds of DABC is 2⁻¹⁴⁶, which is much smaller than 2⁻⁶⁴. Therefore, DABC64/96 for 27 rounds and DABC64/128 for 33 rounds can be considered to resist differential analysis.

Table 9. Differential characteristic for DABC.

5.2 Linear analysis

Linear analysis is a new attack method proposed by M. Matsui [37] for the DES. Similar to differential analysis, linear analysis is also a classical analysis method in cryptanalysis. It recovers the key by studying the linear relationship between plaintext and ciphertext. This paper assumes its input mask value and tracks the iterative process of the DABC round function to obtain the corresponding linear characteristic probabilities. Its value is sufficiently small by calculating its linear probability. Therefore, DABC is considered to resist linear analysis.

5.3 Impossible differential analysis

Impossible differential analysis [38] is a variant of differential analysis. In this section, impossible differential analysis is performed for DABC. This paper finds two differential paths 𝐸₀ and 𝐸₁ of DABC with a differential probability of 1. 𝐸₀: Δ𝛼 → Δ𝛽 is the path of encryption direction. 𝐸₁: Δ𝛾 → Δ𝜁 is the path of decryption direction. "1" means that the bit difference value is 1, "0" means that the bit difference value is 0, and "*" means that the bit difference value is uncertain. The input difference Δ𝛼 of 𝐸₀ is (0000, 0001, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000). Carrying out two rounds of encryption operation, the output difference Δ𝛽 is obtained as (0*0*, *0**, ****, ****, 0*00, 00**, 0*0*, ***0, 00**, 0***, ****, 0**0, ****, 0*1*, 000*, ****). The input difference Δ𝛾 of 𝐸₁ is (1000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000). After two rounds of decryption operations, the output difference Δ𝜁 is obtained as (00*1, 0*00, 0000, 0000, 0000, 0001, 0000, 0010, 0100, 0000, 0000, 0000, 0*00, *0*1, 0000, 0000). Fig. 7 shows the impossible differential path for 4 rounds of DABC. It can be seen from Fig. 7 that there is a contradiction when 𝐸₀ and 𝐸₁ meet, as shown in the red box in Fig. 7. The contradiction is the difference value for the 33rd position of Δ𝛽 is not equal to the 33rd position of Δ𝜁. It constitutes a 4-round impossible difference path of DABC.

Fig. 7. Impossible differential path for 4 rounds of DABC.

One round of forwarding decryption and two rounds of backward encryption based on the 4-round impossible difference path. The 7-round impossible difference path of DABC is obtained, as shown in Fig. 8.

Fig. 8. Impossible differential path for 7 rounds of DABC.

According to the 7-round impossible differential path, the plaintext input differential is set as:

𝑋₀ = (0000,1 ∗ 00,000 ∗ ,0100);

𝑋₁ = (0000,0000,0000,0000);

𝑋₂ = (0000,0000,0000,0000);

𝑋₃ = (0000,0000,0000,0000).       (6)

Setting the plaintext structure as follows:

𝑊_𝑋0⁰ = (𝛼₁𝛼₂𝛼₃𝛼₄, 𝛼₅𝛽₁𝛼₆𝛼₇, 𝛼₈𝛼₉𝛼₁₀𝛽₂, 𝛼₁₁𝛼₁₂𝛼₁₃𝛼₁₄);

𝑊_𝑋1⁰ = (𝛼₁₅𝛼₁₆𝛼₁₇𝛼₁₈, 𝛼₁₉𝛼₂₀𝛼₂₁𝛼₂₂, 𝛼₂₃𝛼₂₄𝛼₂₅𝛼₂₆, 𝛼₂₇𝛼₂₈𝛼₂₉𝛼₃₀);

𝑊_𝑋2⁰ = (𝛼₃₁𝛼₃₂𝛼₃₃𝛼₃₄, 𝛼₃₅𝛼₃₆𝛼₃₇𝛼₃₈, 𝛼₃₉𝛼₄₀𝛼₄₁𝛼₄₂, 𝛼₄₃𝛼₄₄𝛼₄₅𝛼₄₆);

𝑊_𝑋3⁰ = (𝛼₄₇𝛼₄₈𝛼₄₉𝛼₅₀, 𝛼₅₁𝛼₅₂𝛼₅₃𝛼₅₄, 𝛼₅₅𝛼₅₆𝛼₅₇𝛼₅₈, 𝛼₅₉𝛼₆₀𝛼₆₁𝛼₆₂),       (7)

where 𝛼_𝑖(1 ≤ 𝑖 ≤ 62) is a constant, 𝛽_𝑗(1 ≤ 𝑗 ≤ 2) is an arbitrary value.

Then, the ciphertext pairs satisfying the following differential forms are selected after 7 rounds of encryption:

Δ𝐶_𝑋0⁷ = (𝜏₁𝜏₂0𝜏₃, 0𝜏₄00,000𝜏₅, 𝜏₆0𝜏₇0);

Δ𝐶_𝑋1⁷ = (00𝛿₁0, 𝛿₂100, 𝛿₃𝛿₄01,00𝛿₅𝛿₆);

Δ𝐶_𝑋2⁷ = (0𝜁₁𝜁₂𝜁₃, 𝜁₄𝜁₅𝜁₆𝜁₇, 00𝜁₈𝜁₉, 𝜁₁₀𝜁₁₁10);

Δ𝐶_𝑋2⁷ = (𝜂₁𝜂₂11,0𝜂₃0𝜂₄, 00𝜂₅𝜂₆, 00𝜂₇𝜂₈).       (8)

It can be seen from formula (8) that the plaintext structure contains 2⁶² plaintexts, forming a total of 2¹²³ plaintext pairs. If 2^𝑁 structures are selected, there are 2⁶² plaintexts and 2^𝑁+62 data pairs. Finally, the data complexity of the attack is 2^𝑁 × 2⁶² = 2^𝑁+62 selected plaintext.

5.4 Biclique analysis

Biclique analysis [39] is a variant of the meet-in-the-middle (MITM) attacks, which is widely used in cryptanalysis for key recovery attacks based on a two-party matrix. Reducing the complexity of MITM attacks by constructing biclique structures is the basic idea behind biclique analysis.

\(\begin{aligned}K\left\{\begin{array}{c}K[0]=k_{0}\left\|k_{1}\right\| k_{2}\left\|k_{3}\right\| k_{4}\left\|k_{5}\right\| k_{6} \| k_{7} \\ K[1]=k_{8}\left\|k_{9}\right\| k_{10}\left\|k_{11}\right\| k_{12}\left\|k_{13}\right\| k_{14} \| k_{15} \\ \vdots \\ K[10]=k_{80}\left\|k_{81}\right\| k_{82}\left\|k_{83}\right\| k_{84}\left\|k_{85}\right\| k_{86} \| k_{87} \\ K[11]=k_{88}\left\|k_{89}\right\| k_{90}\left\|k_{91}\right\| k_{92}\left\|k_{93}\right\| k_{94} \| k_{95}\end{array}\right.\end{aligned}\)       (9)

The initial key of DABC is divided into the form shown in formula (9). Table 10 shows the initial keys involved in each round of round keys. The 4-round Δ_𝑖 differential path is obtained by backward encrypting 4 rounds using the 18th round key 𝐾[6]. The 4-round ∇_𝑗 differential path is obtained by forward decrypting 4 rounds using the 19th round key 𝐾[1]. The active bytes in the Δ_𝑖 differential path are inactive bytes in the ∇_𝑗 differential path and vice versa (active bytes refer to bytes with a difference other than 0, and inactive bytes refer to bytes with a difference of 0). The two differential paths are combined to form an 8-round biclique structure from rounds 15 to 22. Formula (10) shows parting the key. It is represented by a 4 × 2 matrix to simplify the key space, where 𝐾[•] represents an 8-bit block of data.

Table 10. The initial keys involved in each round of round keys.

\(\begin{aligned}\left[\begin{array}{cc}K[1], K[2] & K[3], K[4] \\ K[5], \boldsymbol{K}[\mathbf{6}] & K[7], K[8] \\ K[10], K[11] & K[0], \boldsymbol{K}[\mathbf{1}] \\ K[2], K[3] & K[4], K[5]\end{array}\right]\end{aligned}\)       (10)

The 8-round biclique structure consists of 2^𝑑 ciphertexts 𝐶_𝑛(0 ≤ 𝑛 ≤ 2^d) , 2^𝑑 intermediate states 𝑆_𝑛(0 ≤ 𝑛 ≤ 2^𝑑) , and keys 𝐾(𝐾_(𝑖,𝑗)) . The difference Δ_𝑖 and the difference ∇_𝑗 are derived from ∆_𝑖^𝐾 and ∇_𝑗^𝐾 respectively. In this paper, the difference corresponding to 𝐾[6] is 𝑖 and the difference corresponding to 𝐾[1] is 𝑗. The remaining 80-bit will iteratively take all possible values.

The non-linear component in this paper refers to the AND operation and the NAND operation, but these differential components do not share active non-linear components. This paper uses the formula (11) to express the difference relation between (𝑆₀, ∆_𝑖^𝐾, ∇_𝑗^𝐾, 𝐶₀).

\(\begin{aligned}S_{0} \oplus \Delta_{i}^{K} \frac{K_{[0,0]} \oplus \Delta_{i}^{K} \oplus \nabla_{j}^{K}}{f} \rightarrow C_{0} \oplus \nabla_{j}^{K}\end{aligned}\)       (11)

This paper has successfully constructed an 8-dimensional double factorial structure for DABC. Corresponding plaintext pair 𝑃_𝑖 is obtained when the ciphertext pair 𝐶_𝑛 is decrypted with the key 𝐾_hide. Formula (12) holds when 𝐾_[𝑖,𝑗] = 𝐾_hide. Meanwhile, \(\begin{aligned}\vec{v}\end{aligned}\) and \(\begin{aligned}\overleftarrow{v}\end{aligned}\) are called matches, which means 𝐾_[𝑖,𝑗] is a candidate key for 𝐾_hide. Then the full round of DABC keys is recovered.

\(\begin{aligned}P_{i} \frac{K_{[i, j]}}{\varepsilon_{1}} \rightarrow \vec{v} \stackrel{?}{=} \overleftarrow{v} \leftarrow \frac{K_{[i, j]}}{\varepsilon_{2}} S_{j}\end{aligned}\)       (12)

5.4.1 Complexity of recovering the key

The time complexity is usually used to measure the effectiveness of a biclique attack. Formula (13) shows the time complexity calculation process of key recovery:

𝐶_full = 2^𝐾−2𝑑(𝐶_Biclique + 𝐶_precomp + 𝐶_recomp + 𝐶_falsepas),       (13)

where 𝐶_full represents the time complexity of recovering the key. 𝐾 is the bit size of the key. 𝑑 is the dimension of the constructed biclique structure, where 𝑑 = 8. 𝐶_biclique represents the complexity of constructing the biclique structure. It is at most 8-rounds of calculation after our analysis, C_biclique = 2^𝑑+1 × (8/27) = 2^7.25. 𝐶_precomp represents the pre-calculated complexity of matching detection. Pre-calculating the remaining rounds of DABC, the obtained complexity result is 2⁸ × (19/27) ≈ 2^7.49. 𝐶_recomp represents the complexity of the recalculation process. Recalculation requires sixteen 16-bit AND operations and sixteen 16-bit NAND operations in our analysis. DABC requires a total of fifty-two 16-bit AND operations and fifty-four 16-bit NAND operations, \(\begin{aligned}C_{\text {recomp }}=2^{16} \times \frac{16 \times 16}{52 \times 54} \approx 2^{12.54}\end{aligned}\). C_falsepas refers to the complexity of matching 𝑣 at the wrong position. The value is 2⁸ when matching a single byte. The matching in formula (12) is performed on a single byte. Finally, 𝐶_full = 2^96−2×8 × (2^7.25 + 2^7.49 + 2^12.54 + 2⁸) ≈ 2^92.68.

5.5 Side-channel analysis

Side-channel analysis is a current attack against hardware implementations of cryptographic algorithms. It takes advantage of the correlation between the physical leakage generated by the encryption device at runtime and the intermediate state operations. The correlation is analyzed by mathematical-statistical methods. The key is recovered according to the results of the analysis. A variety of attack methods have been proposed, such as power analysis, time analysis, electromagnetic analysis, and so on. The defense against such attacks is generally by adding mask countermeasures to the algorithm. For example, Y. Ou and L. Li [40] resist side-channel analysis by adding the first-order mask to AES. The n-order mask can prevent n-order side-channel analysis. Its attack cost increases exponentially for each additional order of attack. Considering that lightweight block ciphers are generally applied in resource-constrained environments, they are generally protected by adding first-order masks. Since mask technology is mature, this paper will not discuss it too much here.

6. Conclusion

This paper proposes a new dynamic ARX-based lightweight block cipher to address the slow diffusion and low security of ARX-based lightweight block ciphers, called DABC. Firstly, DABC adopted a new variant of the GFN structure, which has high diffusion and can change all data in one round. It overcomes the weakness that the traditional ARX-based lightweight block cipher only changes half of the data in one round. Second, the generalized two-dimensional cat map and the key are combined to construct a dynamic linear permutation layer. The data is subjected to different permutation operations according to different values of the key in each round. Compared with a single linear permutation layer, it increases the randomness of the cipher structure and improves the poor security of the traditional ARX-based lightweight block cipher. In the round function part, NAND and AND operations are used as nonlinear components for odd and even rounds, respectively, which further increases the complexity of the attack. It also overcomes the weakness of poor diffusion when the initial plaintext and key are all 0 or all 1. This paper proposes a round-based architecture of DABC and conducted ASIC implementation and FPGA implementation. The results show that DABC consumes fewer hardware resources and has a high throughput, which is suitable for a resource-constrained environment. This paper performs avalanche tests on DABC, Piccolo, HIGHT, Simeck, SIMON, and SPECK by the same test methods. DABC has a good avalanche effect while satisfying the strict avalanche criterion after comparison. Finally, this paper conducts a security analysis of DABC. The analysis results show that DABC has good security and can resist differential analysis, linear analysis, impossible differential analysis, biclique analysis, and side-channel analysis.