Lightweight Encryption Schemes for the Internet of Things: A review

Journal of Science & Technology 144 (2020) 053-057 
53 
Lightweight Encryption Schemes for the Internet of Things: A review 
Sonxay Luangoudom*, Duc Tran, Nguyen Linh Giang 
Hanoi University of Science and Technology, No.1, Dai Co Viet Road, Hai Ba Trung, Ha Noi, Viet Nam 
Received: February 17, 2020; Accepted: June 22, 2020 
Abstract 
Lightweight encryption schemes can be implemented in resource-constrained devices with different 
cryptography primitives. However, finding an effective algorithm that can be deployed in limited-resource 
devices of an Internet of Things (IoT) application is not a trivial task. This paper focuses on the lightweight 
encryption schemes. We describe the feasibilities and challenges of their practical deployment. Specifically, 
the most popular lightweight schemes that belong to two different categories, namely block ciphers and stream 
ciphers, have been analyzed and compared in the current work. The comparative studies show that there are 
no lightweight algorithms that can meet the requirements of both the performance and security. 
Keywords: Authenticated Encryption, Security, Lightweight Encryption 
1. Introduction 
Cryptography is a process of protecting the 
communication data from unauthorized access by 
transforming the data into an unrecognizable form. 
The general cryptographic algorithms are designed 
sophisticatedly based on mathematical theory, making 
such algorithms hard to be cracked. However, the 
communication exchanged among limited-resource 
devices such as Internet of Thing (IoT) devices 
requires lightweight cryptography algorithms [1]. The 
reduction of the heaviness of cryptography algorithms 
has been linked to all performance aspects including 
memory, power, and energy consumption. 
In IoT environment, it is necessary to secure 
communication information with a low power 
consumption on both hardware and software. 
Lightweight encryption schemes are designed for 
resource-constrained environments. Hence, these 
algorithms must be fast, consume less energy and store 
data more efficiently than conventional encryption and 
decryption algorithms [2]. To have an optimized 
lightweight encryption algorithm, it is necessary to 
balance between the performance, security, and 
computational cost. 
 It has been well-known that there is a trade-off 
between security and performance. Specifically, the 
shorter key length is the lower the security level is. 
Similarly, the smaller the number of rounds in the 
encryption process is the less security and performance 
are. 
In this paper, we present a comparison between 
stream ciphers and block ciphers. The analyzed stream 
ciphers are CCM, GCM, Salsa20-Poly 1305 while the 
analyzed block ciphers are AES, DEA, 3DES, and 
Blowfish as shown on Fig. 1. 
Lightweight Encryption Schemes
Block ciphers Stream ciphers
 AES
 DES
 3DES
 Blowfish
 CCM
 GCM
 Salsa20-Poly1305
Fig. 1. Classification of lightweight encryption 
algorithms 
The rest of the paper is organized as follows: 
Section 2 presents lightweight schemes. Section 3 
provides a detailed discussion on the block ciphers. 
Section 4 analyzes stream ciphers. Finally, Section 5 is 
dedicated to conclusions and future works. 
2. Lightweight encryption schemes 
In IoT systems, implementing the traditional 
cryptography algorithm in the resource-constrained 
devices is not a trivial task. Hence, it is necessary to 
develop lightweight schemes for such devices. 
Lightweight schemes are specially designed for IoT 
and Wireless Sensor Networks (WSN). In general, 
these schemes can be categorized into two types: 
asymmetric encryption and symmetric encryption [3]. 
* Corresponding author: Tel.: (+84) 936.399.476 
Email: s.luangoudom@cu.edu.la 
Journal of Science & Technology 144 (2020) 053-057 
54 
Table 1. Block cipher based on the different indices like size of the key, block, rounds, speed and attacks [7] 
Block cipher Key length 
(bits) 
Block length 
(bits) 
Rounds Speed 
(MB/sec) 
Attacks 
AES 128/192/256 64/128 10/12/14 61.01 
Side channel attack, 
Man-in-the-middle 
DES 64 64 14 21.34 
Brute force attack, 
Man-in-the-middle attack 
3DES 192 64 48 20.78 Theoretical attacks 
Blowfish 448 64 16 64.386 
Birthday attack, 
Known-plaintext attack 
Asymmetric encryption relies on public and 
private keys to ensure the communication between the 
sender and receiver. The public key is used for 
encipherment, while the private key is used for 
decipherment. Asymmetric encryption can provide 
authentication, confidentiality, and integrity. It also 
offers a safety mechanism for key-sharing and 
supports various security services. However, the large 
key size in such method makes the encryption process 
slow and complex [4]. The most popular asymmetric 
algorithms are Rivest–Shamir–Adleman (RSA), 
Digital Signature Algorithm (DSA), Shamir-Adleman, 
Diffie-Hellman key exchange (DH), and Elliptic 
Curve Cryptography (ECC). 
Symmetric encryption uses a single key for both 
encryption and decryption processes. This method is 
extremely secure and fast. It is able to guarantee the 
integrity and confidentiality but does not assure the 
authentication. The disadvantage of symmetric 
encryption is due to the key that must be shared 
between the communicating parties. If malicious 
parties get the key, the encrypted data will be 
compromised [4]. The symmetric encryption can be 
classified as block ciphers and stream ciphers [1, 5]. 
These ciphers will be analyzed and discussed in the 
following sections. 
3. Block ciphers 
In a block cipher, the message or plaintext is 
divided into blocks of data and the same key is used to 
encrypt each block. Block cipher has a fixed number 
of bits and different stages of transformation. These 
stages are determined by a symmetric. Block cipher 
algorithms are versatile and can be very helpful when 
d ... ncryption is 
the same as the regular DES. The data is encrypted and 
decrypted with the first and second keys and then 
encrypted again using the third key. Note that the 
3DES algorithm is three times as secure as DES if 
three separate keys are used. 
Blowfish on the other hand, is a symmetric block 
cipher that can be treated as a replacement of the DES 
algorithm [10]. It is unpatented, and thus, being free of 
cost for all usages [13]. Blowfish provides high speed, 
Journal of Science & Technology 144 (2020) 053-057 
55 
compactness, security and simplicity. Its rate of 
encryption is 26 cycles/byte on a 32-bit 
microprocessor. Blowfish requires less than 5 KB of 
memory space. Its block size is 64-bit and the key size 
is from 32 bits to 448 bits. The design and 
implementation of Blowfish rely on primitive 
operations, including lookup tables, XOR and addition 
[14]. In [7], Blowfish was observed to be the fastest 
algorithm as compared with AES, DES, 3DES and 
RC2. Similar observations can be found in [15], where 
the various block ciphers were executed on the Beagle 
Bone Black and Raspberry PI 3 for different file sizes 
ranging from 1 MB to 128 MB. 
4. Stream ciphers 
Stream ciphers use keys with the size that is equal 
to the size of the data. In stream ciphers, the ciphertext 
is obtained by bit operations on the plaintext. 
Particularly, a keystream that is generated using a key 
and an Initialization Vector (IV), is XORed with the 
plaintext to create ciphertext. Stream ciphers are 
potentially more compact, simpler, and faster as 
compared to the block ciphers [16]. In this section, the 
various stream ciphers are reviewed and discussed in 
detail. 
CBC-MAC (CCM) stands for Cipher Block 
Chaining Message Authentication Code. CCM is 
originally designed to be used with 128-bit block 
ciphers but can be extended to be used with other block 
sizes [17]. CCM provides confidentiality and 
authenticity of data using an approved symmetric 
algorithm, whose block size is 128 bits with 12-byte 
nonce. CCM allows varying degrees of protection 
against unauthorized modifications by using variable-
length authentication tags. In CCM, a single key to the 
block cipher must be established beforehand among 
the communication parties. For this reason, such 
scheme should be implemented within a well-designed 
key management structure. The security properties of 
CCM are much dependent on the secrecy of the pre-
shared key. 
Galois/Counter Mode (GCM) for authenticated 
encryption with associated data is constructed from an 
approved symmetric block cipher with a block size of 
128 bits with 12-bytes nonce. GCM has two functions, 
i.e., authenticated encryption and authenticated 
decryption. GCM can provide data confidentiality with 
various counter modes of operation since its hash 
function is defined over a binary Galois field. The 
encryption and authentication of GCM is safe from the 
attack [18]. 
Salsa20 [19] is a stream cipher that was designed 
and introduced in 2005. Salsa20 has 256-bit keys. The 
20-round stream cipher Salsa 20/20 is consistently 
faster than AES. The Salsa20/12 and Salsa20/8 are 
among the fastest 256-bit stream ciphers. In Salsa20, 
the key is a uniform random sequence of 32 bytes; The 
24-byte nonce is never used for any other 32-byte 
messages that are exchanged between the source to the 
destination. The nonce is long enough to minimize the 
risk of collision. Salsa20 encryption function by 
hashing the key, nonce and block number and xor’ing 
the result with the plaintext [19]. 
Poly1305 authenticator is designed by D. J. 
Bernstein in 2005. Poly1305 is a one-time polynomial 
evaluation Message Authentication Code (MAC). It 
aims at providing fast authentication mechanisms on 
software platforms. Poly1305 is considered as a secure 
message authentication if AES is secure. It relies on a 
32-byte secret key and a 16-byte nonce to compute the 
16-byte authenticator of a given message. A popular 
implementation of Poly1305 can be found in NaCl 
library [20]. More importantly, the >100-bit security 
level of Poly1305 prevents forgery attack. The 
Poly1305 authenticator, which has been standardized 
in RFC 7539 [21], is designed to ensure that those 
forged messages are rejected with a probability of 1-
(n/(2^102)), even after 2^64 legitimate messages have 
been sent. In other words, such method is unforgeable 
against chosen message attacks. Poly1305 is known to 
have consistent high speed, even when being run on 
many different Central Processing Units (CPUs). 
Table 2. shows the comparison between 
lightweight stream ciphers based on the key size, block 
size, performance, number of rounds and the possible 
attacks [22]. CCM employs counter mode for 
encryption. However, reusing the same Initialization 
Vector (IV) with the same key is catastrophic. This 
potentially leads to an IV collision and the leakage of 
information in data packets. For this reason, it is 
inappropriate to use CCM with static keys. Additional 
measures would be needed to prevent the reuse of IV 
values with the static key. 
Implementations of GCM mode often utilize 
short IV. This potentially results in the collision 
probability of random IV. The reuse of the GCM 
nonce/key combination also destroys the security 
guarantees and leads to the degradation of the 
confidentiality of a given plaintext. Because the GCM 
mode uses a variation of the counter mode to ensure 
confidentiality. As a result, it can be extremely 
difficult to deploy GCM securely when using static 
keys. In many cases, GCM has been proved to be faster 
than AES in CBC mode, especially when the hardware 
supports cryptographic engine [23]. AES-GCM is 
faster than AES-CCM. When it comes to performance, 
AES-GCM is a better alternative to be used in 
applications.
Journal of Science & Technology 144 (2020) 053-057 
56 
Table 2. Stream cipher based on the different indices like initialization vector (IV), size of the key, block, nonce 
and attacks [22] 
Stream cipher IV 
(bits) 
Key size 
(bits) 
Block size 
(bits) 
Nonce 
(bytes) 
Attacks 
CCM 64 128 64/128 12 Unauthorized modifications 
GCM 64 128 64/128 12 Chosen plaintext attack, replay attack 
Salsa 20- Poly 1305 128 256 512 24 Forged attack 
The Salsa20 stream cipher and Poly1305 
authenticator were also evaluated by the CFRG. Based 
on such evaluation, the RFC7539 [21] and RFC7905 
[24] have been established. Salsa 20 and Poly1305 
have been designed for high-performance software 
implementations and to minimize leakage of 
information through side channel attacks. 
Salsa 20 is simple and easy to setup. It can 
achieve a good overall performance and is selected as 
part of the eSTREAM portfolio of stream ciphers [21]. 
Poly 1305 is never used the same nonce for two 
different messages. Poly1305 has extremely high 
speed and low overhead. XSalsa20-Poly1305 is 
proved to be a well-suited algorithm that can be used 
to encrypt and decrypt data packets in a wide range of 
applications, where time and memory usage are 
considered as important factors. XSalsa20-Poly1305 is 
three times faster than AES-GCM on mobile devices. 
It spends less time on decryption and thus providing 
faster page rendering and better battery [25]. In [26], it 
was observed that GMC, CCM, SIV and EAX are not 
feasible to perform in the current swarm architecture 
and configuration. GCM and CCM are only feasible 
when risk is accepted. Overall, the best choice by far 
is XSalsa20-Poly1305. XSalsa20-Poly1305 should be 
a viable option in any scenario, where classified data 
is not being created or handled [26]. 
5. Conclusion 
The security and privacy issues have drawn a lot 
of consideration, while other concerns such as 
availability, reliability, and performance of the 
constrained IoT devices still require more attention. In 
this paper, we provide a comprehensive discussion on 
the lightweight security solutions, i.e., stream ciphers 
and block ciphers for the IoT systems. Based on such 
discussion, we can conclude that there is no single best 
scheme that is able to meet the needs of the IoT 
applications. Block ciphers and stream ciphers achieve 
a good performance in terms of computational cost and 
improve the security level slightly. Future research is 
therefore dedicated to designing a lightweight cipher 
that can provide fast confusion and diffusion in a 
smaller number of rounds for block ciphers and extend 
the nonce for the stream ciphers. 
Acknowledgements 
This work is supported by the Centre for 
Technology Environment Treatment. 
References 
[1] Bansod, Gaurav, et al., An ultra-lightweight encryption 
design for security in pervasive computing, Big Data 
Security on Cloud (BigDataSecurity), IEEE 
International Conference on High Performance and 
Smart Computing (HPSC). (2016) 79-84. 
[2] Hammi, Mohamed Tahar and Livolant, Erwan and 
Bellot, Patrick and Serhrouchni, Ahmed and Minet, 
Pascale, A lightweight IoT security protocol, Cyber 
Security in Networking Conference (CSNet). (2017) 1-
8. 
[3] Dutta, Indira Kalyan and Ghosh, Bhaskar and 
Bayoumi, Magdy, Lightweight Cryptography for 
Internet of Insecure Things: A Survey, Annual 
Computing and Communication Workshop and 
Conference (CCWC). (2019) 475-481. 
[4] Bhardwaj, Isha and Kumar, et al., A review on 
lightweight cryptography algorithms for data security 
and authentication in IoTs, International Conference 
on Signal Processing, Computing and Control. (2017) 
504-509. 
[5] Batina, Lejla, et al., Dietary recommendations for 
lightweight block ciphers: power, energy and area 
analysis of recently developed architectures, 
International Workshop on Radio Frequency 
Identification: Security and Privacy Issues. Springer, 
Berlin, Heidelberg. (2013) 103-112. 
[6] M. A. Philip, A Survey on Lightweight Ciphers For 
IoT Devices, Int. Conf. Technol. Adv. Power Energy 
(TAP Energy). (2017) 1-4. 
[7] Nadeem, Aamer and Javed, M Younus, A performance 
comparison of data encryption algorithms, 
international Conference on information and 
communication technologies. (2005) 84-89. 
[8] Martin Feldhofer, Sandra Dominikus, and Johannes 
Wolkerstorfer, Strong Authentication for RFID 
Systems Using the AES Algorithm, in Cryptographic 
Hardware and Embedded Systems–CHESS Lecture 
Notes in Computer Science, Springer. (2004) 357-370. 
Journal of Science & Technology 144 (2020) 053-057 
57 
[9] O.A. Hamdan, and B.B. Zaidan, New Comparative 
Study Between DES, 3DES and AES within Nine 
Factors, Journal Of Computing. 2 (2010). 
[10] Y. Kumar, R. Munjal, and H. Sharma, Comparison of 
Symmetric and Asymmetric Cryptography with 
Existing Vulnerabilities and Countermeasures, 
International Journal of Computer Science and 
Management Studies. 11 (2011) 60-63. 
[11] Mathur, Raghav and Agarwal, Shruti and Sharma, 
Vishnu, Solving security issues in mobile computing 
using cryptography techniques—A Survey, 
International Conference on Computing, 
Communication \& Automation. (2015) 492-479. 
[12] Adhie, Roy Pramono and Hutama, Yonatan and 
Ahmar, A Saleh and Setiawan, MI, Implementation 
cryptography data encryption standard (DES) and 
triple data encryption standard (3DES) method in 
communication system based near field 
communication (NFC), Journal of Physics: 
Conference Series. 954 (2018) 012009. 
[13] S.P. Singh, and R. Maini, Comparison of Data 
Encryption Algorithms, International Journal of 
Computer Science and Communication. 2 (2011) 125-
127. 
[14] A. Kumar, Comparative Analysis between DES and 
RSA Algorithm’s, International Journal of Advanced 
Research in Computer Science and Software 
Engineering. 2 (2012) 386-391. 
[15] Deshpande, Kedar and Singh, Praneet, Performance 
evaluation of cryptographic ciphers on IoT devices, 
International Conference on Recent Trends in 
Computational Engineering and Technologies. (2018) 
1-6. 
[16] Armknecht, Frederik, and Vasily Mikhalev, On 
lightweight stream ciphers with shorter internal states, 
International Workshop on Fast Software Encryption. 
Springer, Berlin, Heidelberg. (2015) 451-470. 
[17] Whiting, D and Housley, R and Ferguson, N, 
RFC3610: Counter with CBC-MAC (CCM). (2003). 
[18] McGrew, David and Viega, John, The Galois/counter 
mode of operation (GCM), submission to NIST Modes 
of Operation Process. 20 (2004). 
[19] Bernstein, Daniel J, The Salsa20 family of stream 
ciphers, New stream cipher designs, Springer. (2008), 
84-97. 
[20] Bernstein, Daniel J, The Poly1305-AES message-
authentication code, In International Workshop on Fast 
Software Encryption. (2005) 32-49. 
[21] Y. Nir and A. Langley, ChaCha20 and Poly1305 for 
IETF Protocols, RFC 7539, https://rfc-
editor.org/rfc/rfc7539.txt. (2015). 
[22] https://libsodium.gitbook.io 
[23] Bogdanov, Andrey and Mendel, Florian and 
Regazzoni, Francesco and Rijmen, Vincent and 
Tischhauser, Elmar, ALE: AES-based lightweight 
authenticated encryption, International Workshop on 
Fast Software Encryption. (2013) 447-466. 
[24] A. Langley, W.-T. Chang, N. Mavrogiannopoulos, J. 
Strombergson, and S. Josefsson, ChaCha20-Poly1305 
Cipher Suites for Transport Layer Security (TLS), 
RFC 7905, https://rfc-editor.org/rfc/rfc7905.txt. 
(2016). 
[25] Islam, Maliha Momtaz and Paul, Sourav and Haque, 
Md Mokammel, Reducing network overhead of IoT 
DTLS protocol employing ChaCha20 and Poly1305, 
International Conference of Computer and Information 
Technology (ICCIT). (2017) 1-7. 
[26] Thompson, Richard B and Thulasiraman, Preetha, 
Confidential and authenticated communications in a 
large fixed-wing UAV swarm, IEEE 15th International 
Symposium on Network Computing and Applications 
(NCA). (2016) 375-382.