Implementing a Symmetric Lightweight Cryptosystem in Highly Constrained IoT Devices by Using a Chaotic S-Box

In the Internet of Things (IoT), a lot of constrained devices are interconnected. The data collected from those devices can be the target of cyberattacks. In this paper, a lightweight cryptosystem that can be efficiently implemented in highly constrained IoT devices is proposed. The algorithm is mainly based on the Advanced Encryption Standard (AES) and a new chaotic S-box. Since its adoption by the IEEE 802.15.4 protocol, AES has been increasingly used in embedded platforms. The main cryptographic properties of the generated S-box have been validated. The randomness of the generated S-box has been confirmed by the NIST tests. Experimental results and security analysis demonstrated that the cryptosystem can reach good encryption results while respecting the limitations of the sensor's resources. So the proposed solution could be reliably applied in image encryption and secure communication between networked smart objects.


Research Background and Motivation
Data security is considered to be one of the most critical issues; it is an indispensable requirement, especially for operations and transactions that are based on data. As a matter of fact, data encryption is required before transmitting the data into the network. Developing new technologies for IoT without considering security will make the privacy of users' data vulnerable. The integration of the IoT with the security protocols is therefore a challenge. Recently, security aspects in the Internet of Things are getting more and more attention. Sensor nodes are characterized by their limited capacities, and therefore implementing solutions based on the current security protocols makes the subject challenging. In order to guarantee security in IoT, communications should be encrypted. Unfortunately, security is in general considered to be complex. Its cost is even more noticeable because of the limited resources of the sensor nodes [1]. Therefore, lightweight cryptography proved to be suitable for limited resources in IoT. As an emerging paradigm, the smart city takes advantage of the existence of a variety of promising solutions, such as artificial intelligence (AI), Internet of Things (IoT), big data analysis, and real-time control. Many research works studied smart cities from several perspectives [2]. The main problem that was mentioned in these recent research studies was "security". In [3], the authors presented the concept of citizen's privacy, where they detailed a model which distinguishes five dimensions: identity privacy, query privacy, location privacy, footprint privacy, and owner privacy. The security problem becomes much more serious due to the vulnerabilities of IoT devices. In [4], Abomhara et al. showed that IoT has resulted in the emergence of new types of security threats and that sensors and devices used in the IoT network could be targeted with malware and be vulnerable to several attacks.

Related Work
For the last two decades, lightweight cryptography has received significant attention and this has increased further in the last five years. Cryptographic algorithms must be used in the communication channels between the sensors so as to provide security. However, because of the very low energy available and the size of ROM and RAM, the cryptographic algorithms shall be as "small" as possible. Several lightweight algorithms were presented and they drew attention to their high security level [5]. These algorithms are still resistant against different attacks and are still effective. During the design of the cipher PRESENT, Bogdanov et al. focused on security and hardware efficiency [6]. PRESENT, a leading algorithm for a lightweight block cipher, has a competitive requirement in compact hardware implementation compared with other algorithms. Several attempts have been suggested but none has succeeded in cryptanalysing the algorithm [7,8]. In [9], the block cipher named CLEFIA was proposed. CLEFIA supports key lengths of 128, 192 and 256 bits. The authors explained in their paper that achieving a high level of efficiency in both hardware and software implementation as well as maintaining high levels of security was a challenge. In their paper (2008), Tsunoo et al. presented an impossible differential attack on CLEFIA [10]. Another lightweight algorithm, named LED, was described in 2011 [11]. The authors claimed that their solution can be adapted efficiently for lightweight hardware implementation. However, an efficient attack has been found in [12]. Piccolo is the lightweight algorithm developed by Shibutani et al. [13]. It is a 64-bit block cipher with keys of 80 and 128 bits. The authors showed that Piccolo ensures both a high level of security and an efficient implementation in hardware. They also made the point that the algorithm can resist differential attacks and meet-in-the-middle attacks. An efficient attack has been found in [14].
In [15], a new cryptosystem named PRINCE was proposed, taking into account the latency during the implementation in hardware. Compared with known solutions, PRINCE enables the encryption of data within one clock cycle with a very competitive chip area. Banik et al. presented an algorithm named Midori [16]. The algorithm, which is characterized by its low energy consumption and compact hardware implementation, is based on two block ciphers, Midori128 and Midori64, with block sizes equal to 128 and 64 bits, respectively. Key weaknesses and efficient attacks have been found [17,18]. In order to ensure better results, several algorithms took advantage of the strength of the AES algorithm. Sungha Kim and Ingrid Verbauwhede showed in their paper that implementing the Rijndael algorithm using 16 registers improves the efficiency by over 40% in both speed and code size. They also showed that a 128-bit input block size is optimal for Rijndael implementation on an 8-bit microcontroller [19]. In [20], the authors tried to identify the candidate block ciphers which are suitable for wireless sensor networks (WSNs) by constructing an evaluation framework. Based on security properties, storage and energy efficiency, the authors selected the most appropriate ciphers for WSNs: Skipjack, MISTY1 and Rijndael. Andrea Vitaletti and Gianni Palombizio tried to answer the question: is speed the main issue? In their paper [21], they revealed that the developers of encryption algorithms for WSNs need to give priority to memory occupation and energy efficiency over speed. The designers showed that their AES-based scheme can be a solution for data encryption and for end-to-end encryption. They also developed a nesC module on the operating system TinyOS that enables users to encrypt messages at the application layer. An implementation of the AES algorithm on MOTE-KIT 5040 was presented in [22].
The main contribution of the paper is the development of an encryption algorithm based on a multi-space random key pre-distribution system for wireless sensor networks. In [23], an implementation of an AES-like encryption algorithm was proposed. The authors aim to ensure sufficient levels of security so as to improve data privacy in WSN networks. As a basic nonlinear component of symmetric algorithms, substitution boxes (S-boxes) are the core component of the AES algorithm. In modern cryptography, image encryption algorithms essentially make use of S-boxes to be able to strengthen substitution phases [24][25][26][27][28]. Recently, many powerful S-boxes have been generated on the basis of chaos functions because of their nonlinear property. A one-dimensional discrete-space chaotic system was proposed in [29]. The authors detailed in their paper the design algorithm of a new S-box using the proposed chaotic map, which is based on the multiplication of integer numbers and circular shift. In [30], the authors used a hybrid chaotic map in order to design an image encryption scheme. The proposed chaotic map displayed good cryptographic properties. In [31], the authors designed a chaotic encryption system to generate a new S-box. In [32], the authors presented a novel algorithm for designing a strong S-box. Their approach was based on cellular automata and a fractional linear transformation over the Galois field.

Contributions of the Work
Most of the previous papers used simulations to assess the efficiency and strength of their algorithms. We think that a real implementation of encryption algorithms on real sensors provides more realistic results. Thus, our goal is to develop a lightweight scheme which is based on a modified AES algorithm and then implement it on a real wireless sensor. This modified algorithm is based on a new chaotic S-box that showed good cryptographic properties and a high level of randomness. In this paper, two main contributions are detailed. The first one is the design of a new strong S-box that passed all NIST tests. This S-box is essentially based on the generation of chaotic Boolean functions aiming at reinforcing the nonlinear aspect. The Hilbert curve, which is a type of space-filling curve, was used to redistribute values in the S-box to ensure a high level of randomness. Our second contribution is the implementation of the encryption algorithm on a real sensor node characterized by limited capacities. In order to validate the strength of our encryption algorithm, a practical experiment was set up by encrypting a grayscale image on a physical wireless sensor. This algorithm was implemented on a Crossbow TelosB mote [33]. The use of the AES algorithm is justified by its inclusion in the IEEE 802.15.4 [34] standard. It is also the standard encryption protocol for ZigBee, making it ideal for securing data exchange in wireless sensor networks.

Internet of Things
IoT can be defined as a paradigm that takes into account the considerable presence of various things that can communicate with each other through wireless and wired connections [35]. The rapid development of the classical Internet into the IoT is empowering the exploration of countless domains of utilities that were previously unimaginable [36]. IoT networks, especially WSNs, are generally composed of constrained objects that are handled by a non-constrained object. Mutual authentication is necessary between a given device and the device manager if the former is to join a WSN. Then, a symmetric secured pipe is created between the communicating entities in order to secure the exchanged data. IoT has been criticized for developing rapidly without taking into account the profound security challenges it entails and the necessary regulatory changes it requires [37].
To deal with the issue of security of IoT, it is essential first to understand all the building blocks of IoT. Then, one should identify each block's area of vulnerability and finally explore the necessary technologies to counter each weakness. Things, gateways, network infrastructure and cloud infrastructure are the main components of an IoT architecture [38]. The IoT architecture is illustrated in Figure 1.

Boolean Functions
One of the most interesting methods of designing symmetric key algorithms is Boolean functions. Their properties play a key role in cryptography, where an S-box (substitution box) is a basic component of symmetric key algorithms which performs substitution. A Boolean function on n variables is a mapping from $\mathbb{F}_2^n$ into $\mathbb{F}_2$. S-boxes can therefore be defined as (n, m) Boolean functions [39]. The generated S-box should have good cryptographic properties such as nonlinearity, bijection, the strict avalanche criterion, the output bits independence criterion (BIC) and the equiprobable input/output XOR distribution. A detailed description can be found in [40].

NIST Statistical Test Suite
To evaluate the different aspects of the randomness of binary sequences, cryptographers refer to the 15 NIST tests [41]. These tests evaluate different types of non-randomness that could exist in a sequence.
In this paper, the NIST Statistical Test Suite is used to study the randomness of the generated S-boxes, the chaotic PRNG and the ciphered images.

The Lorenz System
The high sensitivity to initial values is an important feature of chaotic systems. The Lyapunov exponent provides a quantitative description of the initial state sensitivity of a chaotic system [42]. The chaotic behavior of the Lorenz map is described by the following equation [43][44][45]: where (x, y, z) is the system state and (a, b, c) are the system parameters. The Lorenz attractor and the Lyapunov exponents are illustrated in Figures 2 and 3 respectively. The main usefulness of the Lorenz system is to generate chaotic binary sequences in order to create the Boolean functions.

SHA-2
The SHA-2 function was used in order to generate a 256-bit external secret key K [46,47]. This secret key K will strengthen the proposed cryptosystem by increasing the complexity of the encryption algorithm to $2^{256}$. Therefore it can withstand the brute-force attack. K is split into 8-bit blocks as follows.
The initial values can be derived as follows.
where $x_0$, $y_0$ and $z_0$ are the initial given values.

Scan Methodology
In [48,49], Giuseppe Peano and David Hilbert demonstrated that Space-filling curves are fractal objects. They formulate curves that visit every point in a unit square. The Scan represents a family of two-dimensional spatial accessing methodology to generate a large number of scanning paths [50]. The Hilbert curve H 2 n , for n ≥ 1, is a fractal structure that is generated by the following recursive production rule [51]: where D, U, L and R indicate the directions taken by the curve (Down, Up, Left and Right).

Hilbert Curve Scan Pattern
The scan path of Hilbert curve can be drawn either from right bottom (RB), left bottom (LB), right top (RT) or left top (LT) of the square grid [52,53]. The proposed construction method of the S-box is based on this scan path. The application of Hilbert curve scan pattern in this work is to redistribute values in the initial generated S-box. The representation of Hilbert curve using matrices is performed recursively via successive approximations which are called an order for that curve. The Orders (n) one through three of the Hilbert curve are shown in Figure 4.
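The scan described above can be sketched as follows. This is an added example, not the paper's code: it uses the standard index-to-coordinate Hilbert mapping, obtains the four starting corners by mirroring, and assumes that "redistribute" means reading the 16 × 16 table along the curve and writing the values back row by row. The names `hilbert_path`, `hilbert_redistribute` and the `SAMPLE` table are hypothetical.

```python
# Added example: Hilbert scan of a 16 x 16 S-box table from any of the four corners.

def d2xy(n, d):
    """Map index d along a Hilbert curve to (x, y) on an n x n grid (n a power of 2)."""
    x = y = 0
    s = 1
    while s < n:
        rx = (d // 2) & 1
        ry = (d ^ rx) & 1
        if ry == 0:                       # rotate/reflect the current quadrant
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        d //= 4
        s *= 2
    return x, y

def hilbert_path(n, corner="LT"):
    """Cells (row, col) in scan order, starting at corner LT, RT, LB or RB."""
    cells = []
    for d in range(n * n):
        col, row = d2xy(n, d)
        if corner[0] == "R":              # mirror left/right
            col = n - 1 - col
        if corner[1] == "B":              # mirror top/bottom
            row = n - 1 - row
        cells.append((row, col))
    return cells

def hilbert_redistribute(sbox, corner="LT", n=16):
    """Read the table along the curve, write it back row-major (assumed convention)."""
    return [sbox[row * n + col] for row, col in hilbert_path(n, corner)]

# Constructed sample table: a bijection on 0..255, not the paper's S-box.
SAMPLE = [(7 * i + 3) % 256 for i in range(256)]

if __name__ == "__main__":
    for corner in ("LT", "RT", "LB", "RB"):
        out = hilbert_redistribute(SAMPLE, corner)
        print(corner, out[:8], "still a permutation:", sorted(out) == list(range(256)))
```

Because the scan only moves entries, the set of output values is unchanged; what changes is which input maps to which output, and that is why properties such as nonlinearity have to be measured again after each permutation.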

Modified AES S-Box Generation
An S-box takes m input bits and transforms them into n output bits, where n can be different from m. It is called an (m × n) S-box and is implemented as a lookup table (LUT). The basic function of an S-box is transforming one byte of input data into another one. It is specifically designed to be resistant to linear and differential cryptanalysis.

The Main Idea
The generating algorithm of the S-box is based on creating a set S of 2048 bits by using a chaotic map. Then, 8 subsets of Boolean functions are obtained from the main set S. The flowchart of the construction method is shown in Figure 6.

1. Generate a chaotic set S of 2048 bits.
• Define an empty binary set S.
• Iterate Equation (1) for 200 times to get rid of the transient effect by using $x_0$, $y_0$, $z_0$.
• Iterate Equation (1) for 2048 times and denote the current state value as x, y, z.
x is obtained by Equation (7) and inserted in S.
Adjustment: Each element in the S-box must be unique. To guarantee this property, an adjustment of the S-box is needed.
Figure 6. Flowchart of the initial S-box.

Generate a Cryptographically Strong S-box
In this part, the initial S-box which was obtained above will be improved in order to produce a better S-box. Improving the algorithm is based on the Hilbert curve that will be used to permute values of the initial S-box. This permutation step will be iterated 1000 times. At each iteration we calculate the nonlinearity value of the generated S-box. Whenever we find a high value of nonlinearity, we save the corresponding S-box. The improvement of the algorithm of the S-box is described in Figure 7.

Bijectivity
The output values of the generated S-box are in the interval [0, 255] and, because of the adjustment step, each value is unique. Therefore, the S-box satisfies the requirement of bijectivity.

Nonlinearity
The average value of nonlinearity is equal to 107 (Table 4). A comparison of the nonlinearity value of our S-box with others is illustrated in Table 5.

Strict Avalanche Criterion: SAC
The dependence matrix is illustrated in Table 6 and its mean value is 0.4932 which is very close to the ideal value 0.5. A comparison with other dependence values obtained from other S-boxes is illustrated in Table 7.
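The three criteria above (bijectivity, nonlinearity and the SAC dependence matrix) can be computed for any 8 × 8 S-box as in the following added example, which is not the paper's code. Since the paper's table is not reproduced in this text, the checks are run on the standard AES S-box rebuilt from its definition; averaging nonlinearity over the eight output-bit functions is an assumption about how the reported average is formed.

```python
# Added example: bijectivity, nonlinearity and SAC checks for an 8-bit S-box.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """Reference table: field inverse (0 maps to 0), then the AES affine transform."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

def is_bijective(sbox):
    """Values inside [0, 255] are not sufficient: each value must occur exactly once."""
    return sorted(sbox) == list(range(256))

def walsh_max(truth):
    """Largest absolute Walsh-Hadamard coefficient of a 256-entry 0/1 truth table."""
    w = [1 - 2 * bit for bit in truth]
    h = 1
    while h < 256:
        for i in range(0, 256, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return max(abs(v) for v in w)

def component_nonlinearity(sbox, mask):
    """Nonlinearity of the Boolean function x -> parity(sbox[x] & mask)."""
    truth = [bin(sbox[x] & mask).count("1") & 1 for x in range(256)]
    return 128 - walsh_max(truth) // 2

def coordinate_nonlinearities(sbox):
    """One value per output bit (the eight coordinate Boolean functions)."""
    return [component_nonlinearity(sbox, 1 << j) for j in range(8)]

def sac_matrix(sbox):
    """m[i][j]: fraction of inputs where flipping input bit i flips output bit j."""
    m = [[0] * 8 for _ in range(8)]
    for i in range(8):
        for x in range(256):
            diff = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(8):
                m[i][j] += (diff >> j) & 1
    return [[count / 256 for count in row] for row in m]

def sac_mean(sbox):
    """Mean of the 64 dependence-matrix entries; the ideal value is 0.5."""
    return sum(map(sum, sac_matrix(sbox))) / 64

if __name__ == "__main__":
    box = aes_sbox()
    print("bijective:", is_bijective(box))
    print("coordinate nonlinearities:", coordinate_nonlinearities(box))
    print("SAC mean: %.4f" % sac_mean(box))
```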

NIST Statistical Test Suite
To evaluate the randomness of the S-box, we applied all NIST tests. Table 9 demonstrates that the generated S-box has passed all tests.

The Proposed Image Encryption Scheme
Many factors and constraints on sensor nodes must be taken into consideration for the implementation of lightweight cryptography. We listed essentially: energy, memory, computational speed and communications bandwidth. Because of the execution time, power consumption depends on the processing speed. Hence, the number of computations that determines the processing speed becomes the index of lightness.
With regard to security, lightweight encryption is the adopted method of the overall system security. This work is based on the fact that the proposed cryptosystem needs to be based on an algorithm that shows a sufficient security level in modern cryptography. In the context of lightweight algorithms, there have been many proposed optimised implementations that improve the algorithms' performance [64].
The implementation of an encryption scheme in a wireless sensor depends on two determining factors: the memory size and the energy consumption. A wireless sensor with a RAM size of 8 KB and a ROM size of 116 KB is not able to do the following actions simultaneously:
• store the TinyOS operating system,
• store the encryption algorithm,
• store the grayscale image to be encrypted and
• run the algorithm in order to generate the encrypted image.
Therefore, the proposed solution consists of developing a lightweight algorithm and implementing it in an XM1000 wireless sensor. In the following part, we will show that the encryption algorithm is able to encrypt grayscale images of large sizes. The flowchart of the main algorithm is illustrated in Figure 9. To implement the algorithm, we propose to encrypt the image by blocks of 16 bytes. We note that after running the code with larger blocks, the sensor gave us non-standard results, and that is why we chose 16 bytes. To encrypt the grayscale image, the main code is triggered via the Boot.booted() event. To get the ciphered image from the sensor, we divided it into blocks of 4 × 16 bytes and we sent each block separately. In our implementation, we used images of 50 × 64 bytes and a period of 5 × 10^−2 s. In TinyOS, Timer.startPeriodic() is the command to set the period and Timer.fired() is the event to send ciphered blocks. Finally, all received blocks are concatenated into one ciphered image. The generated S-box, which is used in the modified AES, is illustrated in Table 2.

The Setup
As mentioned earlier, we chose to implement the solution on the XM1000 sensor, which consists of the MSP430 microcontroller and the CC2420 radio chip. The code was implemented under the TinyOS operating system. TinyOS is an embedded operating system written in nesC [65].

Memory Consumption and Execution Times
Our algorithm was implemented on a physical sensor (XM1000 sensor), not a simulation, which gave us real results. The size of the image we ciphered is 50 × 64 and the execution time of the algorithm is 230,399 milliseconds. The ROM consumption is 13,624 KB and the RAM consumption is 7826 KB.

Information Entropy
Information entropy is an important feature of randomness and it is an indicator of the pixel values distribution. The equation to calculate it is illustrated in Equation (12): where m is the information source and p(m) represents the probability of symbol m. Table 10 shows the information entropy of the encrypted images. Table 10. Entropy values.

The information entropy of the encrypted images is better than the information entropy of the plain ones. Therefore, the efficiency and security of the proposed cryptosystem are validated. We notice that all values of entropy are very close to 8 (Table 10). Therefore the probability of accidental information disclosure is minor.

The Histogram Analysis
The histogram of an image measures the distribution of gray levels in the image [66,67]. Therefore, histograms have been plotted in order to evaluate the uniformity of the encrypted images [68]. Table 11 shows that the histograms of the encrypted images are uniform unlike those of the plain images. Therefore the attacker cannot extract information from the encrypted image because the encryption algorithm damaged the original images' features. Table 11. Histograms of the plain/encrypted images.

Correlation Coefficient Analysis
To measure the correlation between two adjacent pixels, horizontally, vertically and diagonally, developers of image encryption algorithms analysed correlation coefficients. The correlation coefficients of two adjacent pixels are calculated according to the following formula [69,70]: where $\operatorname{cov}(x, y) = \frac{1}{N} \sum_{i=1}^{N} (x_i - E(x))(y_i - E(y))$, where x and y are gray level values of two adjacent pixels. N is the total number of the selected pixels, E(x) is the mean value of $x_i$ and E(y) is the mean value of $y_i$. Correlation coefficients are given in Table 12. We can conclude, from the analysis of Table 12, that the proposed algorithm can resist statistical attacks. We note that the image correlation values of the encrypted image are very close to zero. Table 13 illustrates the distribution of two adjacent pixels. Table 13. Distribution of two adjacent pixels in the plain/encrypted images.
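The entropy and adjacent-pixel correlation measurements used in this evaluation can be reproduced as in the following added example, which is not the paper's code. It uses the standard Shannon entropy and Pearson correlation with the covariance defined above, a constructed 50 × 64 gradient image, and a SHA-256 counter keystream as a stand-in for the modified AES, which is not available here.

```python
# Added example: entropy and adjacent-pixel correlation for a plain/ciphered image pair.
import hashlib
import math

ROWS, COLS = 50, 64   # image size used in the implementation described above

def entropy(pixels):
    """Shannon entropy in bits per pixel; 8 is the maximum for 8-bit gray levels."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def adjacent_pairs(img, dr, dc):
    """(pixel, neighbour) pairs offset by (dr, dc) in a row-major image."""
    return [(img[r * COLS + c], img[(r + dr) * COLS + c + dc])
            for r in range(ROWS - dr) for c in range(COLS - dc)]

def correlation(pairs):
    """cov(x, y) / sqrt(D(x) D(y)) with cov as defined in the text."""
    n = len(pairs)
    ex = sum(x for x, _ in pairs) / n
    ey = sum(y for _, y in pairs) / n
    cov = sum((x - ex) * (y - ey) for x, y in pairs) / n
    dx = sum((x - ex) ** 2 for x, _ in pairs) / n
    dy = sum((y - ey) ** 2 for _, y in pairs) / n
    return cov / math.sqrt(dx * dy) if dx and dy else 0.0

def keystream(n, seed=b"constructed-demo-key"):
    """Stand-in cipher output (SHA-256 in counter mode), NOT the paper's algorithm."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def report(img):
    """Entropy plus horizontal, vertical and diagonal correlation coefficients."""
    return {"entropy": entropy(img),
            "horizontal": correlation(adjacent_pairs(img, 0, 1)),
            "vertical": correlation(adjacent_pairs(img, 1, 0)),
            "diagonal": correlation(adjacent_pairs(img, 1, 1))}

# Constructed inputs: a smooth gradient as the plain image, XOR with the keystream
# as the ciphered image.
PLAIN = [(2 * r + 2 * c) % 256 for r in range(ROWS) for c in range(COLS)]
CIPHER = [p ^ k for p, k in zip(PLAIN, keystream(len(PLAIN)))]

if __name__ == "__main__":
    for name, img in (("plain", PLAIN), ("ciphered", CIPHER)):
        print(name, {k: round(v, 4) for k, v in report(img).items()})
```

With only 3200 pixels the measured entropy of even a perfectly random image stays slightly below 8, so small differences between ciphers at this image size should be read with that sampling limit in mind.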


Conclusions
In this paper, a lightweight encryption algorithm based on the standard AES was proposed. The first step was generating a cryptographically strong S-box based on chaotic Boolean functions. The Hilbert curve scan pattern and the Lorenz system were used in order to realize the permutation and diffusion phases. Cryptographic properties of the chaotic S-box and NIST tests validate its strength. The algorithm was developed to be implemented in highly constrained IoT devices. In order to show the effectiveness of the scheme, it was implemented to encrypt a grayscale image by using an XM1000 sensor. Experimental results showed that the algorithm is light enough to satisfy many criteria like memory consumption, execution time and information entropy.

Conflicts of Interest:
The authors declare no conflict of interest.