Related work

Lightweight cryptography is the only suitable technology to secure resource-constrained devices such as IoT in connected environments.

Lu et al. (2019) proposed a lightweight encryption and authentication protocol (LEAP) based on the Rivest Cipher 4 (RC4) algorithm. The technique identifies one of the secured ECUs to generate and distribute the session keys periodically to the rest of the ECUs, which may result in underperformance.

Hyun Park et al. (2021) proposed a hybrid algorithm with symmetric and asymmetric-key cryptographic methods to secure the information over the CAN bus. The proposed method exploits advanced encryption standards (AES) to encrypt and decrypt the message. The Diffie-Helman key-exchange method was employed to exchange keys. An elliptic curve digital signature algorithm (ECDSA) was employed to authenticate a source and messages. A shared key and a sequence number are the parameters used to generate a one-time encryption key for each packet of the CAN bus using a password-based key-derivation function 2 (PKDF2). Thus, the proposed method is too complex and degrades the system's performance.

Castiglione et al. (2020) examined the possibility of securing the CAN bus messages using the encryption algorithms PRESENT, SIMON, and SPECK. Algorithms provide security at the cost of complexity. Bogdanov et al. (2007) devised an encryption algorithm PRESENT: An Ultra-Lightweight Block Cipher for data security on the line of AES for resource-constrained devices. It is a block cipher with multiple rounds and a key length of 80 and 128 bits. It is complex and not suitable for resource-constrained devices.

Siddiqui et al. (2017) proposed mutual authentication and a message encryption scheme based on a physical unclonable function (PUF) to secure messages over the CAN bus. The scheme employs the elliptic Curve Diffie-Helman (ECDH) algorithm to exchange keys. The complexity is that the cipher requires large data memory to store session keys and public keys, including the public-private key pair generation.

Jakul et al. (2015) proposed a tiny encryption algorithm (TEA) to secure CAN bus communication. The complexity of key generation and distribution are the major issues of TEA.

Yeom and Seo (2020) investigated the suitability of the shuffling algorithm for securing messages over the CAN bus. Fisher-Yates initially designed the shuffling algorithm to generate a random permutation of finite sequences. The investigation revealed that message security depends on the block size if the shuffling algorithm is employed.

Farag (2017) presented a CANTrack computer-aided design tool-powered investigation of message security over the CAN bus using an intuitive algorithm. The results were positive. Pese et al. (2021) developed a sufficiently secure controller area network by leveraging protocol-specific properties, such as differential signal levels, to provide security instead of using cryptographic primitives. Since signal levels of the protocol depend upon the network clock, synchronization, and operating conditions, the proposed cipher is not advisable. The related work (and introduction) comprises old and recent articles up to 2023.

Motivation

The many interconnected, resource-constrained systems in modern cars necessitate effective yet reliable encryption techniques to guarantee secure communication. These environments are unsuitable for traditional encryption algorithms because of their high computational and memory requirements. As pointed out, there are still significant gaps in the trade-off between the level of security and resource consumption, security, and performance despite the development of lightweight block ciphers to overcome these limitations.

Contributions

We propose a SCAN-C (signifies secured controller area network for communications) new lightweight block cipher optimized for resource-constrained devices (ECUs) in connected and autonomous vehicles.

We summarize the technical and contextual contributions of this unique research as follows:

1. A unique hybrid architecture encompassing uniquely designed round key generation and encryption schedule built with multilayer F function embedded in the Feistel network improves the diffusion effect.

2. The cipher ensures the confidentiality and integrity of the data over the CAN bus with a sufficient security margin within 12 rounds, thereby improving processing speed. The maximum differential and linear probability of 2^–272 and 2^–274 ensures this aspect.

3. The cipher implemented using an ASIC cell library of 0.13um technology consumes only 1197 GEs. It is suitable for resource-constrained ECUs.

4. It (SCAN-C) requires only 2459.3 execution cycles, which include key generation, encryption, and decryption when implemented in a generic hardware platform Arduino Uno (ATmega 320 microcontroller) compared to 17,428 cycles of PRESENT, 3248 cycles of RBFK-64, 4084 cycles of SPECK, and 14,076 cycles of AES. It is thus suitable for resource-constrained ECUs and IoT devices.

5. Since the SCAN-C has a 64-bit block, and CAN has a payload size equal to a 64-bit block, it is well suited to operate efficiently in ECUs. The encrypted payload resists passive eavesdropping, and replay attacks.

In summary, we focused on achieving a secure, scalable, energy-efficient, hardware and software-friendly lightweight block cipher to secure data communications over the CAN bus in autonomous, connected vehicles powered by IoT devices. The contributions list is limited to five only.

Organization

The rest of the article is arranged into sections as follows. The section "Background" presents the details of the area of concern. The section "Proposed Algorithm" describes the design of the cipher. The analysis of cipher resistivity to known classical attacks is in the "Security Analysis" section. The performance assessment is in the “Performance Analysis" section. The summary of the work is in the "Research Summary" section. The last section is "Conclusion and Future Scope".

Overview-the CAN bus

A controller area network (CAN) bus is an electronic communication bus defined by the ISO 11898-1/2 standards (1983 to 1986/ Revised in 2003) for the intercommunication between the various electronic control units employed in connected and autonomous vehicles. The most important advantage of this protocol standard was its ability to accommodate several ECUs to connect economically and efficiently.

The CAN bus protocol is a message-based communication with prioritization decided by a listen-and-respond technique to avoid critical data loss. This protocol supports two data frame formats for communication viz; the basic frame format shown in Fig. 1a and the extended frame format Fig. 1b on the next page.

[See PDF for image]

Fig. 1

a The structure of the CAN standard frame. b The structure of the CAN extended frame

Data, remote, error, and overload are the frames of four types supported by the CAN protocol. The data frame is the main frame in the CAN bus communication. The maximum data over the CAN bus that could be transmitted is 64 bits in both standard formats at configurable speeds of 250 kbps, 500 kbps, and 1 Mbps.

Threat model of CAN bus

Figure 2 shows the threat model of the CAN bus with legitimate and malicious nodes. The threat model has two legitimate ECUs (ECU-1 and ECU-2) and ECU-3 as a malicious node. The adversary can attack the CAN bus either through the onboard diagnostic II (OBD-II) connector or by compromising on one of the ECUs remotely within the network.

[See PDF for image]

Fig. 2

CAN bus threat model

Adversaries can gain access to the CAN bus, either by physically connecting a malicious ECU or by compromising an existing ECU remotely.

The anticipated specific threats to the CAN bus communications are as follows.

1. Messages sent over the CAN bus can be intercepted, changed, or deleted.

2. Adversaries can hijack the session key.

3. Adversaries can seize the BUS by flooding it with messages from malicious ECUs.

Security goals

The security goals of the proposed research are to ensure.

1. Confidentiality: The cipher must ensure that the messages between the two legitimate entities remain inaccessible and secret.

2. Message Integrity: The cipher must ensure the messages are unmodified or deleted by adversaries.

3. Availability: The protocol must have low computational and communication costs to ensure the timely availability of messages between entities and remain in service.

4. Forward security: The protocol must ensure that the current and previous sessions have no relation.

Round key generation

Configuration of round key generator

As illustrated in Fig. 3, the round key generator requires 160-bit initial bits for layer 1 and 25 (5 × 5) selection bits for layer 2 to generate a bit stream. These 185 = 160 + 25 bits form a session key generated from a session key generator described in Appendix I. The session key is denoted by (sk₁₈₄-sk₀). As and when required, the key generator is loaded with appropriate session key bits as per Table 2. To be specific, the session key bits sk₂₄-sk₀, select output bit of five multiplexers, sk₁₁₃-sk₂₅, sk₁₅₀-sk₁₁₄, and sk₁₈₄-sk₁₅₁, serve as initial vector bits for 89-bit, 37-bit, and 34-bit LFSRs. The user key is 160-bit initial bits denoted by sk₁₈₄-sk₂₅.

Table 2. Session key bits allocation

Encryption schedule

SCAN-C employs the Feistel and uniform substitution-permutation networks in its encryption/decryption process.

F-function

F function is the critical building block of the encryption/decryption schedule of SCAN-C. It has twelve substitution boxes arranged in a 3 × 4 matrix sandwiched between two fixed permutation layers. It is shown in Fig. 4 and influenced by the tweaked Kazad block cipher proposed by Bogdanov and Rijmen (2014). The F-function encompasses two types of substitution boxes denoted by P and Q (Tables 4 and 5).

[See PDF for image]

Fig. 4

F-function

Table 4. S-box P

Table 5. S-box Q

The SP network of the F function exhibits confusion and diffusion characteristics to satisfy Shannon's criteria. The P and Q tables are distinct and introduce confusion and diffusion in the encryption and decryption processes. Multiplexer and nonlinear functions introduce confusion and diffusion in round key generation. The P and Q tables ensure a 50% avalanche effect on the output compared to the corresponding input. For instance, in the Q table, the bits of output change by 50% when the input bits (0000)2 are replaced by (1001)2.

Architecture

Figure 5 illustrates the architecture of the encryption schedule. The architecture encompasses four columns 1 to 4. The 1st and 4th columns have an XNOR operator to add with round keys. The schedule has an F function between columns 1st and 2nd and between columns 4th and 3rd. The output of the respective F functions is added with swapped column inputs as illustrated in Fig. 5. For example, $R_{1-2}={\mathit{Ef}}_{l1}\oplus P_{1-3}$ and $R_{1-3}={\mathit{Ef}}_{r1}\oplus P_{1-2}$. At the end of the round, $R_{1-1}$ and $R_{1-3}$ are swapped with $R_{1-2}$ and $R_{1-4}$. Thus, a round function encompasses two add-round keys, two F functions, two XOR, and swapping operations.

[See PDF for image]

Fig. 5

Architecture of encryption process

Encryption process

As illustrated in Fig. 5, the encryption architecture accepts 64-bit input in four groups of 16 bits each. The designated groups are P_i–1, P_i–2, P_i–3, and P_i–4. The round key is Ki, where i = 1 to 12 since the cipher has 12 iterations.

Mathematically, the encryption process is expressed as

3

The algorithm below describes the encryption process.

Detailed encryption process

As a first step, divide the plaintext of 64 bits into four groups of 16 bits, each designated as $P_{1-1}$, $P_{1-2}$, $P_{1-3}$, and $P_{1-4}$. The process of execution is as follows (first round).

1. Swap $P_{1-2}$, and $P_{1-3}$

2. $R_{1-1}=P_{1-1}\otimes K_1$

3. Input $R_{1-1}$ to F function, which yields ${\mathit{Ef}}_{l1}=F\left(R_{1-1}\right)$.

4. $R_{1-2}={\mathit{Ef}}_{l1}\oplus P_{1-3}$

5. $R_{1-4}=P_{1-4}\otimes K_1$

6. Input $R_{1-4}$ to F function, which yields ${\mathit{Ef}}_{r1}=F\left(R_{1-4}\right)$

7. $R_{1-3}={\mathit{Ef}}_{r1}\oplus P_{1-2}$

For succeeding rounds,

• $P_{2-1}=R_{1-2}$

• $P_{2-2}=R_{1-1}$

• $P_{2-4}=R_{1-3}$

• $P_{2-3}=R_{1-4}$

Repeat the above process for eleven rounds by swapping the necessary data segments, and no swapping is allowed at the last round.

Since the cipher is symmetric, the swapping operation process is not executed in the 12th round to enable the decryption process by reversing the use of round keys.

At the end of every round, the concatenated data is represented by,

4

Equation (5) shows the concatenated cipher text obtained after the 12th round.

5

Cipher employs two distinct substitution tables (P and Q) to increase the confusion and diffusion properties with a fixed permutation. Logical operators such as XNOR and XOR help the cipher to achieve a high degree of security. The XNOR operator helps to maximize the active S-boxes by activating the data bits that reduce the iterative rounds. It is another contribution of our research to lightweight cryptography.

Differential and linear cryptanalysis

The security analysis in this section includes both encryption and round-key generation schedules. F-function structure plays a role in deciding the level of security offered by the ciphers against the attacks. The active S-box count is the metric to determine the security level of a particular block cipher against differential and linear cryptanalysis if designed with an SP network Biham et al. (1991), and Heys (2017). Thus, the total count of active S-boxes in a certain number of iterative rounds indicates the level of security against differential and linear attacks.

To ensure sufficient security by SCAN-C, function F has a structure with twelve substitution boxes arranged in three rows with a permutation layer sandwiched between the rows. The F function has three rows of four S-boxes and two layers of permutation effectively. Further, the first and the fourth branches of the SCAN-C have an XNOR operator, which inverts the input data bits. These bits go as input to the function F in the left and right half of the Feistel structure (Ref: Fig. 5). The XNOR operator decides the maximum or minimum number of active substitution boxes in the first layer of the respective function F. Further, the activation of substitution boxes in the subsequent layers of the respective function F relies on the propagation of the bits due to permutation layer. The F-functions outputs (Efl and Efr) will be active if the outputs ${\text{R}}_{\text{i}-1}$ and ${\mathrm{\Delta }\text{R}}_{1-4}$ are active.

It is typical practice to employ maximum distance separable code Bogdanov et al. (2007), mixed integer linear programming Mouha et al. (2007), and exhaustive search approaches to identify the active S-boxes.

In this article, algorithm 2, by Matsui (1994), is employed and verified with a mixed integer programming technique. Appendix III briefs the other concerned properties in determining the lower bound for the minimum number of active S-boxes. The exhaustive search technique suggests the same results.

Differential cryptanalysis

Linear cryptanalysis

Special case

To test SCAN-C's resistance, linear and differential cryptanalysis was performed by substituting the XOR operator for the XNOR operator in branches one and four. After three consecutive iterative cycles, there are nine active S-boxes. A twelve-round SCAN-C has a maximum differential probability of $P_D={\left(2^{-2}\right)}^{12\times 3}\cong 2^{-72}$ and a linear approximation of ${\in }_{\text{L}}=2^{35}\times 2^{-72}=2^{-37}$. Thus, the number of ciphertext or plaintext pairs required is $2^{72}$ and $2^{74}$. Such data requirements exceed the available text. Hence, modified SCAN-C is safe.

Conclusion Given the described cryptanalysis above, SCAN-C exhibits the highest resistance with fewer iterative rounds to differential and linear attacks. For example, the maximum differential probability and linear approximation of SCAN-C over six iterative rounds are $P_D={\left(2^{-2}\right)}^{6\times 34/3}\cong 2^{-136}$ and ${\in }_{\text{L}}=2^{67}\times 2^{-2\times 68}=2^{-69}$. Thus, the number of ciphertext or plaintext pairs required is $2^{136}$ and $2^{138}$. Such data requirements exceed the available text. Hence, a six-iterative round SCAN-C is also safe against differential and linear attacks.

Impossible differential cryptanalysis

It is extended differential cryptanalysis to discover inaccurate key guesses using differential, which never occurs and narrows the key-space Hong Xu et al. (2023) and Eli Biham et al. (1999). The miss-in-the-middle is the best technique to conduct an impossible differential attack on block ciphers Eli Biham et al. (1999). In this attack, the subkey bit recovery is achieved by sieving out the keys, suggesting the impossible differential from the list of all possible keys.

Two states with a transfer probability1 are selected to establish a two-round impossible differential distinguisher. One of the states is in the direction of encryption, the other in the direction of decryption.

The impossible differential distinguisher with defined states is ${\mathit{FFFF}}_{(16)},{0001}_{(16)}{0000}_{(16)}{\mathit{FFFF}}_{(16)}\mapsto {\mathit{FFFF}}_{(16)},{0000}_{(16)},{0001}_{(16)},{\mathit{FFFF}}_{(16)}$.

Let ${\mathrm{\Delta }}_{\alpha }=\left\{F,F,F,F,,,\text{0001,0000},,,F,F,F,F\right\}$ be the input difference in the direction of encryption, which yields an output difference of ${\mathrm{\Delta }}_{\beta }=\left\{0000,,,\alpha ,10,\alpha ,2,\mathbf{\alpha },3,,,\alpha ,40,\alpha ,5,\mathbf{\alpha },6,,,0000\right\}$ at the end of the first iterative round.

Let ${\mathrm{\Delta }}_{⋋}=\left\{F,F,F,F,,,\text{0000,0001},,,F,F,F,F\right\}$ be the input difference in the direction of decryption, which yields an output difference of ${\mathrm{\Delta }}_{⋎}=\left\{0000,,,\mathrm{\beta },10,\mathrm{\beta },2,\mathbf{\beta },3,,,\mathrm{\beta },40,\mathrm{\beta },5,\mathbf{\beta },6,,,0000\right\}$ at the end of the first iterative round.

Since ${\mathrm{\Delta }}_{\beta }\ne {\mathrm{\Delta }}_{⋋}$, ${\mathrm{\Delta }}_{\alpha }\top {\mathrm{\Delta }}_{⋋}(\text{FFFF}00010000\text{FFFF})2\text{R}\top (\text{FFFF}00000001\text{FFFF})$ is an impossible differential for a two-iterative round.

Table 6 shows the impossible trails.

Table 6. Impossible differential trails

α₃ ≠ β₃ and α₆ ≠ β₆

Figure 7 shows the differential propagation during the key-recovery process for impossible differential cryptanalysis. The process is as follows.

[See PDF for image]

Fig. 7

N + 1 round impossible differential cryptanalysis

i. Let the plaintext difference be

• $\mathrm{\Delta }P=\mathrm{\Delta }{P}_{i-1}^0\Vert \mathrm{\Delta }{P}_{i-2}^0\Vert \mathrm{\Delta }{P}_{i-3}^0\Vert \mathrm{\Delta }{P}_{i-4}^0$, and

• $\mathrm{\Delta }{P}_{i-1}^0=0\times FFFF$,

• $\mathrm{\Delta }{P}_{i-2}^0=0\times 0001$,

• $\mathrm{\Delta }{P}_{i-3}^0=0\times 0000$,

• $\mathrm{\Delta }{P}_{i-4}^0=0\times FFFF$.

Let the plaintext structure be,

• $P_{i-1}^0={\alpha }_0,{\alpha }_1,\cdots {\alpha }_{15},$

• $P_{i-2}^0={\alpha }_{16},{\alpha }_{17},\cdots {\alpha }_{31}$

• $P_{i-3}^0={\alpha }_{32},{\alpha }_{33},\cdots {\alpha }_{47}$,

• $P_{i-4}^0={\alpha }_{48},{\alpha }_{49},\cdots {\alpha }_{63}$,

ii. The ciphertext pairs that satisfy the following form are selected,$$\mathrm{\Delta }{P}^{N+1}=\mathrm{\Delta }{P}_{i-1}^{N+1}\Vert \mathrm{\Delta }{P}_{i-2}^{N+1}\Vert \mathrm{\Delta }{P}_{i-3}^{N+1}\Vert \mathrm{\Delta }{P}_{i-4}^{N+1}$$$$\mathrm{\Delta }{P}_{i-1}^{N+1}=0000\cdots 0000$$$$\mathrm{\Delta }{P}_{i-2}^{N+1}=\ast \ast \ast \ast 0000\ast 000\ast \ast 00$$$$\mathrm{\Delta }{P}_{i-3}^{N+1}=\ast \ast \ast \ast 0000\ast 000\ast \ast 0\ast$$$$\mathrm{\Delta }{P}_{i-4}^{N+1}=0000\cdots 0000,$$where * ∈ F₂. The ciphertext pairs that satisfy the above form with a probability of $2^{15}\times 2^{-64}=2^{-49}$, are $2^{15}$. Thus, the remaining ciphertext pairs after screening are $2^{n+1}\times 2^{-49}=2^{n-48}$.

iii. Guess the 32-bit key (2 times 16-bit) in the N + 1 round. Then decrypt each ciphertext pair from step ii one round forward and judge the ciphertext if it holds $\mathrm{\Delta }{P}_N={\mathit{FFFF}}_{(16)},{0000}_{(16)},{0001}_{(16)},{\mathit{FFFF}}_{(16)}$. If it holds, then the guessed key is wrong and is discarded. Repeat the procedure until the correct key remains.

Complexity analysis The error value of the key after step iii is $\left(2^{32},-,1\right)\times {\left(1,-,2^{-1}\right)}^{2^{n-48}}$ approximately. The condition for excluding all wrong keys is $\left(2^{32},-,1\right)\times {\left(1,-,2^{-1}\right)}^{2^{n-48}}<1$ with n = 53. The data complexity is 2n + ∆in + 1, according to Boura et al. (2014). The ∆in represents the number of active bits in plaintext difference.

The data complexity is $2^{53+33+1}=2^{87}$. A time complexity of $2^{n-48}\times 2^{32}\times 2=2^{38}$ one-round encryption is required to complete step iii, followed by an exhaustive search to retrieve 128 bits of the primary key. Thus, the time complexity of $2^{38}/N+1+2^{128}\cong 2^{128}$ (N + 1) round encryption is required to recover the full round key.

A total memory complexity of $\left(2^5+2^{32}+2^{128}\right)/64\approx 2^{122}$ 64-bit block is required to retrieve the full round key. SCAN-C has 12 rounds and N = 11. Therefore, a full round impossible differential attack on SCAN-C requires $2^{87}$ data complexity, time complexity of $2^{128}$ 12-round encryption, and memory complexity of $2^{122}$ 64-bit block. Thus, SCAN-C is safe against impossible differential attacks.

Zero correlation cryptanalysis-6 rounds

Zero-correlation cryptanalysis is one of the recent cryptanalytic methods introduced by Bogdanov and Rijmen (2014) based on linear approximations with zero correlation. Consider a function f with input ${x\in \mathbb{F}}_2^n$, whose linear approximation with an input mask u and an output mask v is

6

The probability of linear approximation (6) is

7

The correlation is

8

Zero-correlation linear cryptanalysis involves using linear approximations that exhibit zero correlation for all keys. If there are 2 ^m zero-correlation approximations, according to Lu et al. (2019), the number of distinct plaintexts needed is approximately 2^n+2−m/2. The key-recovery process employs Matsui's Algorithm 2 (1994).

A miss-in-the-middle technique is employed to construct the zero-correlation linear distinguisher. The zero-correlation linear distinguisher with defined states is 000α000000000000 → 000000000000000β. Where α and β are non-zeros. Table 7 displays the zero-correlation trails for the six rounds of SCAN-C. The contradiction occurs in 3rd round.

Table 7. Zero-correlation linear approximation

Notations used in Table 7 are as per [41]

A 6-round zero correlation linear approximation distinguisher (Table 7) from rounds 4 to 9 is employed in the analysis. The subkey bits for the first three rounds and the last two rounds are determined based on a sufficient collection of plaintexts and ciphertext pairs. Merely, the values of ${\text{P}}_{4-1}\left(\text{3,1}\right)$ and ${\text{P}}_{10-4}\left(\text{3,1}\right)$, unaffected by every bit of the outer rounds are sufficient to measure the correlation. Table 8 shows the plaintext and ciphertext bits that affect the ${\text{P}}_{4-1}\left(\text{1,3}\right)\text{and}{\text{P}}_{10-4}\left(\text{1,3}\right),$ round-wise.

Table 8. Plaintext-Ciphertext bits

The time complexity is around 2⁶⁴ × 2³² = 2⁹⁶ and is much more than an exhaustive search, where 2⁶⁴ is the plaintext-ciphertext pair, and 2³² is the outer rounds subkeys. In this article, the technique utilized for the zero-correlation attack is the divide-and-conquer technique Matsui (1994). Table 8 shows the active bits involved in each round of the cipher while cryptanalysis is underway.

A counter with appropriate width is employed to maintain the count of the plaintext-ciphertext pairs indexed by the active bits. For every subkey candidate, the active bits are encrypted (Decrypted) in round r over one round in each step. Then, the count of the pairs that yield the same value in active bits over the r + 1 (r-1) round is determined. The zero-correlation attack scenario is in Fig. 8.

[See PDF for image]

Fig. 8

Zero-correlation attack scenario

Attack procedure

• I. Collect 2⁶⁴ plaintext-ciphertext pairs and guess 10 sub-key bits K₁₀(14,8,6) (Twice) and K₁₁(3,1) (Twice) to calculate ${\text{P}}_{10-4}\left(\text{1,3}\right)$.

• ii. Set an 8-bit counter $N_1\left[x_1,\Vert ,x_{10}\right]$ for each of the 2¹⁸ possible values of ($x_1\Vert x_{10}$) with $x_1=P_{1-1}\Vert P_{1-2}\Vert P_{1-3}\Vert P_{1-4}$ and $x_{10}=P_{10-2}$ and set them to zero. Determine the number of plaintext-ciphertext pairs with the above-given values and update the counters. There are 2⁶⁴ plaintext-ciphertext pairs in this step with 2¹⁸ different states. An 8-bit counter is sufficient to count the expected pairs for each of the states of 2⁴⁶.

• iii. Guess the 12-bits $K_1\left(\text{15,12,8},,,\text{4,3},,,0\right)\times 2$, then set a counter $N_2\left[x_2,\Vert ,x_{10}\right]$ for each of the 2²⁸ possible values of ($x_2\Vert x_{10}$) with $x_2=P_{2-1}\Vert P_{2-2}\Vert P_{2-3}\Vert P_{2-4}$ and $x_{10}=P_{10-2}$ and set them to zero. Next, update the value $N_2\left[x_2,\Vert ,x_{10}\right]=N_2\left[x_2,\Vert ,x_{10}\right]+N_1\left[x_1,\Vert ,x_{10}\right]$ for all four values of $x_{10}$ by encrypting $x_1$ one round to update $x_2$ for all 2¹⁶ values of $x_1$.

• iv. Guess the 4-bits $K_2\left(\text{3,1}\right)\times 2$, then set a counter $N_3\left[x_3,\Vert ,x_{10}\right]$ for each of the 2⁴ possible values of ($x_3\Vert x_{10}$) with $x_3=P_{3-1}\Vert P_{3-2}\Vert P_{3-3}\Vert P_{3-4}$ and $x_{10}=P_{10-2}$ and set them to zero. Next, update the value $N_3\left[x_3,\Vert ,x_{10}\right]=N_3\left[x_3,\Vert ,x_{10}\right]+N_2\left[x_2,\Vert ,x_{10}\right]$ for all four values of $x_{10}$ by encrypting $x_2$ one round to update $x_3$ for all 2²⁶ values of $x_2$.

• v. Guess the 6-bits $K_3\left(\text{11,9},,,5\right)\times 2$, then set a counter $N_4\left[x_4,\Vert ,x_{10}\right]$ for each of the 2⁴ possible values of ($x_4\Vert x_{10}$) with $x_{10}=P_{10-2}$ and set them to zero. Next, update the value $N_4\left[x_4,\Vert ,x_{10}\right]=N_4\left[x_4,\Vert ,x_{10}\right]+N_3\left[x_3,\Vert ,x_{10}\right]$ for all four values of $x_{10}$ by encrypting $x_3$ one round to update $x_4$ for all 2² values of $x_3$.

• vi. Next, check if$$\sum _{x_4=x_{10}}{N}_4\left[x_4,\Vert ,x_{10}\right]=N/2$$

  If not, discard the guessed corresponding key.

• vii. Repeat the search for all keys corresponding to the guessed subkey bits.

Attack complexity The time complexity of step 1 is $2^{64}\times 2^{10}=2^{74}$.The time complexity of each step from iii to v is as follows.

1. $2^{10}\times 2^{12}\times 2^{18}=2^{40}$

2. $2^{10+12}\times 2^4\times 2^{28}=2^{54}$

3. $2^{10+12+4}\times 2^6\times 2^4=2^{36}$

Key schedule-cryptanalysis

Statistical tests

In this section, the authors present the analysis of round keys generated by the key-generation schedule for randomness through statistical tests. A test suite developed by the National Institute of Standards and Technology (NIST) tests the randomness exhibited by the bitstream and validates their compliance with SP800-22 Revision 1a AndrewRukhin et al. (2010). Randomness is a probabilistic property; that is, the properties of a random sequence can be characterized and described in terms of probability (P-value). Using a round key generator set of 100 round-key streams of size 107 is generated. They are all tested for randomness using a NIST test suite with selected tests. The summary of the test results is in Table 9.

Table 9. Statistical test results

In summary, the key-generation schedule produces a random round key bitstream.

Avalanche effect

The avalanche effect is a desirable property of cryptographic algorithms. It serves as the metric to ensure the randomness exhibited by the ciphertext corresponding to a single-bit change in either plaintext or a key. The expected numerical value is > 50%. Consequently, round keys were generated and tested. The results are in Fig. 9.

[See PDF for image]

Fig. 9

Block size versus avalanche effect

Hardware implementation-ASIC

A 0.13 μm ASIC technology is employed to evaluate the performance of the proposed SCAN-C in hardware. The cipher consists of a key, encryption, and decryption schedules. The cell library, the 0.13 μm technology, delineates the domain of standard logic gates with gate equivalents (GEs). Among them are NOT (0.75), D flip-flop (4.25), XOR (2.0), XNOR (2.0), AND (1.25), NAND (1.00), and others. The hardware implementation strategy is in Fig. 10.

[See PDF for image]

Fig. 10

Hardware Implementation Strategy

The number of gate equivalent requirements for the key schedule and encryption schedule of the SCAN-C is as follows.

Key schedule GE requirements

• 160-bit LFSR 160 × 4.25 = 680 GE.

• Feedback (12 + 6 + 7) × 2 = 50 GE.

• MUX 5 × 6.25 = 31.25 GE.

• MUX 5 × 7.25 = 36.25 GE.

• Encryption schedule GE requirements.

• 64-bit register         64 × 4.75 = 272 GE.

• F-Function         16 × 4 = 64 GE.

• XOR         16 × 4 = 64 GE.

• Total         1197.5 GE.

Firmware implementation

The proposed SCAN-C was implemented on a generic hardware platform, an AVR-based Arduino Uno, to evaluate its firmware performance. The microcontroller used in the Arduino-Uno is an ATmega 328, an 8-bit device with an operating frequency of 16 MHz and a clock period/machine cycle of 0.06 microseconds. Table 10 shows the complexity of SCAN-C implementation in firmware.

Table 10. Complexity of SCAN-C in firmware

The total execution cycles of this cipher are high (3151) with raw code. The optimized code resulted in a total execution cycle of 2459.3. The optimized code resulted in a total execution time of 165.858 μs, which includes seed key 5.34 μs, session key 12.96 μs, round key 41.04 μs, encryption process, and decryption process 53.259 μs each. It means that the best performance of the cipher can be expected in firmware only if the code is optimized. Furthermore, it suggests that expertise in software coding is the key to expecting better performance (of the cipher) if implemented in microcontrollers and software.

Comparison of linear/differential attack

Table 11 shows the linear and differential attack comparison of SCAN-C with other block ciphers. The proposed SCAN-C has a better attack complexity with a minimal number of iterative rounds.

Table 11. Linear/differential attack comparison

The comparative analysis in Table 11 clearly states that SCAN-C is superior to PRESENT (Bagdanav et al. 2007), SLIM (Basam et al. 2020), SLA (Nahla et al. 2023), and ANU (Gaurava et al. 2016) in terms of resistance to classical attacks (Linear/differential), iterative rounds, and number of active S-boxes.

Comparison of hardware resources

Space complexity is one of the metrics to evaluate the performance of the cipher in hardware implementation. The type of cell technology adapted for the cipher implementation is the parameter that validates the space complexity.

The cell technology of 0.13 μm technology is employed to compare the hardware resource requirements for the selected ciphers' implementation. The SCAN-C outsmarts the fellow ciphers in hardware implementation with reduced hardware resources. Table 12 shows the comparative analysis.

Table 12. Comparison of hardware resources

Comparison of firmware resources

Time complexity is one of the metrics to evaluate the performance of the cipher in firmware or software implementation. The performance of the cipher depends upon the technology adapted to create the microcontroller or a microprocessor in addition to the optimization of the code. The firmware code is developed for a microcontroller with AVR architecture while comparing the performance of the ciphers. The microcontroller used in the Arduino-Uno is an ATmega 328, an 8-bit device with an operating frequency of 16 MHz and a clock period/machine cycle of 0.06 microseconds. Table 13 compares the complexity of different block ciphers with the SCAN-C.

Table 13. Firmware Complexity Comparison of SCAN-C and other block ciphers (AVR Architecture)

Comparison of execution cycles and power consumption

The execution cycles and power consumption are other parameters used to analyze the performance of ciphers. The Figs. 11 and 12 show the comparative analysis of execution cycles and power consumption of selected block ciphers. The overall execution cycles 2459.3 of the SCAN-C are fewer compared to 17,428 of PRESENT (Bagdanav et al. 2007), 3289 of RBFK (S Rana et al. 2023), 4084 of SPECK (Ray Beaulieu et al. 2013), and 14,076 of AES (Daemen 2001a, b).

[See PDF for image]

Fig. 11

Comparative analysis of execution cycles

[See PDF for image]

Fig. 12

Comparative analysis of power consumption

The optimized code resulted in fewer execution cycles of 684 cycles for the round key and 887.65 cycles for each encryption and decryption process. Figures 11 and 12 are updated with new values. An expanded comprehensive comparative analysis is in Appendix IV.

Competing interests

The authors declare no competing interests.