A Survey on Stream Ciphers for Constrained Environments

Lightweight ciphers are defined as symmetric ciphers and can be categorized into stream and block ciphers. A stream cipher is faster and less complex than a block cipher, so it is suitable for the Internet of Things (IoT). The IoT is composed of many interconnected constrained devices that continuously share and exchange data and information with each other. Therefore, IoT devices must ensure basic security characteristics to protect that information. In this paper, we survey solutions that use stream ciphers in cryptography. The survey examines stream ciphers in detail, covering algorithm design pattern, key size, internal state, throughput, security vulnerabilities, and initialization vectors, in order to compare various types of stream ciphers among lightweight cryptographic solutions. The goals of this survey are to discover the most effective IoT protection solution and to examine lightweight cryptographic solutions by taking into account the constraints of IoT devices, as well as how the analysis of the researched symmetric key cryptographic solutions works. The conclusion is that the Fruit stream cipher has good resistance to known attacks, whereas the Enocoro128 and F-FCSR stream ciphers have large throughputs, and the WG, Grain, and MICKEY-128 stream ciphers are faster and more suitable for constrained devices (e.g., IoT) than the other studied algorithms.


I. INTRODUCTION
This paper presents a state-of-the-art comparison among the various and most common algorithms published in the field of lightweight symmetric stream cipher cryptography. Depending on their implementations, many researchers have given different meanings to IoT, but in simple terms, IoT is a network of linked things, each with a specific identifier, capable of gathering and sharing data with or without human intervention over the Internet [1]. Lightweight stream cipher cryptographic algorithms are continuously studied and improved to keep up with developments in both hardware performance and software requirements [2]. In particular, lightweight cryptographic algorithms are designed for devices constrained in resources (e.g., Wireless Sensor Networks (WSN), RFID systems, smart cards, etc.) [3] [4]. Also, stream ciphers are ideal for systems where the plaintext length is unknown or continuous, such as military applications and network streams. In such settings, the cipher stream is installed in a protected environment and fed to computers that are supposed to be operated in dangerous conditions [5]. Moreover, stream ciphers are usually fast, lightweight, and low-power, making them an appealing alternative for devices that are constrained in resources [6].
In terms of operation, ciphers achieve good results on an Arduino-based microcontroller. Also, lightweight asymmetric algorithms are complex and not time-efficient. These algorithms are often weakened by the scale of their operands and the continuous advance in attack models [7]. Due to its rapid operations, which are mainly XORs and permutations, symmetric cryptography is more fitting for IoT applications. Stream ciphers use a key size identical to the size of the data. Stream ciphers are symmetric ciphers that encrypt the stream of plaintext bits with the corresponding keystream to produce ciphertext [8]. Therefore, a stream cipher with maximum security and minimum computational complexity may be called a lightweight stream cipher. There are several lightweight stream ciphers currently in existence, and each has special requirements and vulnerabilities [9]. The remainder of this paper is organized as follows: section two explains the lightweight stream ciphers, the existing stream cipher algorithms are given in section three, and finally, the most important conclusions are summarized in section four.

II. LIGHTWEIGHT STREAM CIPHERS
Lightweight ciphers are defined as symmetric ciphers and can be categorized into stream and block ciphers [10]. The key size used in lightweight stream ciphers is equivalent to the data size used in the cryptographic operation. The ciphertext is obtained simply by XORing the plaintext with the keystream. This operation is done bit by bit (one-time pad). Stream ciphers are considered to be theoretically more lightweight, as they utilize only bit operations. Compared to block ciphers, stream ciphers are faster and simpler in hardware. Nonlinear feedback shift registers (NLFSRs) and linear feedback shift registers (LFSRs) are used to construct stream ciphers [11]. They are commonly utilized in wireless networking, mobile phones, etc. Their big downside is the long setup period before first use. Besides, communication protocols exist that do not use stream ciphers. They are still in the foreground, though, because of their hardware simplicity and speed. They are also used in applications where the size of the plaintext is unknown or continuous [12].

A-A5/1 stream cipher
The A5/1 stream cipher is a kind of private key cryptography utilized to encrypt the transmitted signal. It plays a significant role in modern symmetric cryptography [13]. Due to its performance and hardware suitability, it is commonly utilized in practice. The plaintext is combined with the keystream using a binary linear function (XOR) to encrypt the data and produce the ciphertext. The keystream produced by these ciphers is a pseudo-random binary sequence. Stream ciphers are designed to be very fast, faster than block ciphers [14]. Applications that utilize a stream cipher to encrypt their data have an unknown plaintext size [15]. A5/1 is utilized in the Global System for Mobile Communications (GSM) standard to give privacy to the voice and data communication of the customers [16].

B-RC4
In the cryptography field, RC4 is one of the most widespread symmetric stream ciphers. It is sometimes referred to as ARCFOUR or ARC4. Ron Rivest of RSA Security developed the algorithm in 1987, and it was then published anonymously in 1994 for mail development [17]. The algorithm has several applications: it has been used to encrypt files sent via e-mail confidentially and to protect many popular protocols such as WEP (Wireless Equivalent Privacy) and Secure Sockets Layer (SSL)/TLS [17]. The algorithm uses a variable-size key, from 1 to 256 bytes, and its keystream is independent of the plaintext [18]. RC4 has a hidden internal state that is a permutation of all N = 2^n possible n-bit words, along with two indices into it.

C-Rabbit
Rabbit was presented in 2003. It is based on iterating a set of coupled non-linear functions and is distinguished by good efficiency in software [19]. The concept of Rabbit was inspired by chaotic maps. The Rabbit algorithm can be described briefly as follows: the input parameters are a 64-bit initial value (IV) and a 128-bit secret key, and each iteration produces an output block of 128 pseudorandom bits from a combination of the internal state bits. Encryption and decryption are achieved by XORing the pseudo-random data with the plaintext/ciphertext. The internal state size is 513 bits, split into one counter carry bit, eight 32-bit counters, and eight 32-bit state variables. Eight coupled non-linear functions update the eight state variables. The counters guarantee a lower limit on the period length of the state variables [19].

D-Trivium
Trivium is a synchronous stream cipher designed to generate a keystream of up to 2^64 bits from an 80-bit initial value (IV) and an 80-bit secret key. As with most stream ciphers, the method consists of two steps: first, the internal state of the cipher is initialized using the key and the IV; after that, the state is repeatedly updated and used to produce keystream bits [20].

E-Salsa
The Salsa stream cipher was created in 2005. It utilizes 128-bit initial vectors (IVs) and 256-bit keys [21]. To cover the tradeoff between performance and protection, three variants were proposed, accounting for the various application requirements. Salsa20/20 is intended for standard cryptographic applications, whereas the Salsa20/8 and Salsa20/12 versions provide minimal security but their operations are quicker. Its architecture depends on bit rotation, bitwise XOR, and basic addition operations modulo 2^32, which are executed efficiently in software [21].

F-Grain and Grain128a
The Grain stream cipher is synchronous. It was created in 2004. It uses both an LFSR and a non-linear filtering function. The LFSR guarantees a lower bound on the period and balanced output for the keystream. The filtering function takes the form of an NFSR and introduces nonlinearity to the cipher. The LFSR output is masked with the input of this NFSR to stabilize its state [22]. Increasing the length of the processing word also makes it possible to increase the speed; the number of bits can be increased at the cost of more hardware (the rate can be expanded to 16 bits/cycle) [23]. Grain128a is a newer version of the Grain cipher; it utilizes 96-bit IVs, 128-bit keys, and a variable tag size of up to 32 bits. Grain-128a was created to provide a higher level of security for sensitive applications. The minimum word length is one bit, and the maximum word length is 32 bits [24].

G-HC-128
There are two major versions of the HC cipher: HC-128 (128-bit IVs and a 128-bit key) and HC-256 (256-bit IVs and a 256-bit key). Two big secret tables are utilized. Each table has 512 32-bit elements and operates on 32-bit words. At each step, one element is updated utilizing an NLFSR function, and a non-linear output filtering function produces a 32-bit output. Since three sequential steps can be calculated in parallel, HC is suitable for modern superscalar microprocessors and parallel processing. At each step, the output and feedback functions can be executed at the same time [25].

H-F-FCSR
The design of this stream cipher is as follows: the LFSR architecture is replaced by Feedback with Carry Shift Registers (FCSRs). The key distinction between these two automata lies in the computation of the feedback. While LFSRs utilize basic bitwise addition, FCSRs utilize addition with carries. Consequently, an FCSR's transition function is non-linear, more specifically quadratic [26].
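
The difference between the two feedback rules can be checked directly. The following is an added example, not code from the paper or from the F-FCSR designers; the register widths and tap positions are toy values constructed for illustration, not F-FCSR's parameters. It runs a Fibonacci LFSR and a Fibonacci FCSR with the same taps and counts how often the superposition property stream(a XOR b) = stream(a) XOR stream(b) fails.

```python
from itertools import product


def lfsr_stream(state, taps, n):
    """Fibonacci LFSR: feedback is the XOR (addition mod 2) of the tapped cells."""
    s = list(state)
    out = []
    for _ in range(n):
        out.append(s[-1])              # emit the oldest cell
        fb = 0
        for t in taps:
            fb ^= s[t]
        s = [fb] + s[:-1]              # shift the feedback bit in
    return out


def fcsr_stream(state, taps, n, carry=0):
    """Fibonacci FCSR: tapped cells are added as integers together with a
    carry memory; the low bit is shifted in, the rest becomes the new carry."""
    s = list(state)
    m = carry
    out = []
    for _ in range(n):
        out.append(s[-1])
        sigma = sum(s[t] for t in taps) + m
        s = [sigma & 1] + s[:-1]
        m = sigma >> 1                 # carry kept for the next clock
    return out


def linearity_violations(gen, width, taps, n):
    """Count ordered state pairs (a, b) for which the stream of a XOR b
    differs from the XOR of the two individual streams."""
    states = list(product((0, 1), repeat=width))
    bad = 0
    for a in states:
        for b in states:
            x = tuple(i ^ j for i, j in zip(a, b))
            expected = [i ^ j for i, j in zip(gen(a, taps, n), gen(b, taps, n))]
            if gen(x, taps, n) != expected:
                bad += 1
    return bad


if __name__ == "__main__":
    WIDTH, TAPS, BITS = 4, (0, 3), 16  # constructed toy parameters
    print("LFSR violations:", linearity_violations(lfsr_stream, WIDTH, TAPS, BITS))
    print("FCSR violations:", linearity_violations(fcsr_stream, WIDTH, TAPS, BITS))
```

The LFSR never violates superposition, which is what makes pure LFSR keystreams solvable by linear algebra; the carry memory is the only thing that breaks it in the FCSR.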

I-SNOW
The stream cipher SNOW was suggested in 2000. A new version called SNOW 2.0 was proposed in 2003, while SNOW 3G was introduced in 2010. SNOW 3G utilizes two modules, a Finite State Machine (FSM) and a Linear Feedback Shift Register (LFSR) [27]. The LFSR consists of 16 stages, each holding 32 bits, and its feedback is determined by a primitive polynomial over the finite field GF(2^32). The FSM uses three 32-bit registers R1, R2, and R3 and two substitution boxes S1 and S2. The mixing operations are addition modulo 2^32 and exclusive OR [28] [29].

J-ACORN
ACORN utilizes 128-bit IVs and a 128-bit key. The lengths of the plaintext and of the associated data are smaller than 2^64 bits. The ACORN stream cipher is proposed for lightweight authenticated encryption. It is a bit-wise authenticated cipher (i.e., one bit of the message is processed in a single step) that works efficiently in both hardware and software, and its authentication security is easy to evaluate. The bit-wise mechanism facilitates lightweight hardware implementation, since the control circuit can be simplified greatly [30].

K-Sablier
Sablier is a hardware-efficient stream cipher with built-in authentication. In contrast to the standard LFSR-based stream ciphers and the combined nonlinear/linear shift register structure of Trivium and Grain, Sablier utilizes a new internal structure to produce the keystream from an 80-bit IV and an 80-bit key. Only bitwise intra-word rotation, bitwise logical operations, and bitwise XOR are utilized in Sablier [31]. It can be applied successfully in restricted hardware environments, and its encryption speed is about 16 times faster than Trivium in hardware [32].

L-Sosemanuk
SOSEMANUK is a synchronous stream cipher. The size of the IV is 128 bits, while the key size ranges from 128 to 256 bits. The security level provided, however, is the same, 128 bits, for all key sizes. It uses the same concepts and architectural principles as the SNOW 2.0 cipher and the Serpent block cipher. As it has a quicker IV initialization step, SOSEMANUK performs better than SNOW 2.0 and requires less static data. It operates on 32-bit words with an LFSR and an FSM. A 24-round Serpent is utilized to set up the FSM and the LFSR in the setup process. At the keystream generation stage, the FSM's four output words are fed into Serpent's third S-box and afterwards XORed with the LFSR output words [33].

M-ALE
ALE (Authenticated Lightweight Encryption) is an AES-based, lightweight, authenticated encryption algorithm that is efficient in both software and hardware [34]. It is a nonce-based, online, single-pass scheme that maintains data memory alignment. It has a secret internal state of 256 bits that depends on both the key and the nonce [35] [36].

N-MICKEY
MICKEY (Mutual Erratic Clocking KEYstream generator) implements nonlinearity in addition to several innovative strategies to ensure period and pseudorandomness. It utilizes an NFSR and a Galois LFSR with irregular clocking. It uses an 80-bit key, and the IV length can vary from 0 to 80 bits. Up to 2^40 keystream bits can be created from each (key, IV) pair, and up to 2^40 different IVs of the same length can be utilized for each key [37].

O-CHACHA
The ChaCha stream cipher has a 256-bit key and is based on the Salsa20 cipher. ChaCha has greater per-round diffusion and conjecturally improved cryptanalysis strength relative to Salsa20. The essence of ChaCha (and Salsa20) is a hash function that irreversibly maps 64 input bytes to a unique 64 bytes of output keystream [38]. Encryption and decryption are achieved by XORing the input data with the keystream. The possibility of generating output blocks at random locations and the auto-adapted constant time for processing stream blocks are two useful features of ChaCha [39].
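
The add/rotate/XOR structure described for Salsa20 and the random-access property described for ChaCha, as an added example that is not code from the paper or from the cipher's author. It assumes the ChaCha20 layout of RFC 8439 (32-bit block counter, 96-bit nonce, 20 rounds); the function names and the sample message are constructed here.

```python
import struct

MASK = 0xFFFFFFFF


def rotl32(x, n):
    return ((x << n) & MASK) | (x >> (32 - n))


def quarter_round(a, b, c, d):
    # Only addition mod 2^32, XOR and fixed rotations: no S-boxes, no
    # data-dependent branches or table lookups.
    a = (a + b) & MASK
    d = rotl32(d ^ a, 16)
    c = (c + d) & MASK
    b = rotl32(b ^ c, 12)
    a = (a + b) & MASK
    d = rotl32(d ^ a, 8)
    c = (c + d) & MASK
    b = rotl32(b ^ c, 7)
    return a, b, c, d


ROUND_INDICES = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),   # columns
                 (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))   # diagonals


def chacha20_block(key, counter, nonce):
    """Map the 64-byte input state (constants, key, counter, nonce)
    to one 64-byte keystream block."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("need a 32-byte key and a 12-byte nonce")
    init = (list(struct.unpack("<4I", b"expand 32-byte k"))
            + list(struct.unpack("<8I", key))
            + [counter & MASK]
            + list(struct.unpack("<3I", nonce)))
    x = init[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        for a, b, c, d in ROUND_INDICES:
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    # Adding the input state back in is what makes the map irreversible.
    return struct.pack("<16I", *((x[i] + init[i]) & MASK for i in range(16)))


def chacha20_xor(key, nonce, data, offset=0, initial_counter=0):
    """Encrypt or decrypt `data` as if it started at byte `offset` of the
    stream. Only the blocks covering that range are computed."""
    block_no, skip = divmod(offset, 64)
    stream = b""
    while len(stream) < skip + len(data):
        stream += chacha20_block(key, initial_counter + block_no, nonce)
        block_no += 1
    return bytes(p ^ k for p, k in zip(data, stream[skip:]))


if __name__ == "__main__":
    key = bytes(range(32))                   # constructed sample key
    nonce = bytes(12)                        # constructed sample nonce
    msg = b"sensor frame " * 20              # constructed sample plaintext
    ct = chacha20_xor(key, nonce, msg)
    # Decrypt bytes 100..129 without touching the first block.
    print(chacha20_xor(key, nonce, ct[100:130], offset=100))
```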

P-Enocoro
Enocoro is a stream cipher algorithm suggested in 2007 by Watanabe et al. It comprises two algorithms named Enocoro-80 and Enocoro-128v1.1, the key lengths of which are 80 bits and 128 bits respectively [40]. Enocoro utilizes 64-bit IVs and uses a byte-oriented S-box architecture that works well in both hardware and software. For each IV and key pair, it generates one byte per round and up to 2^64 bytes [40] [41].

Q-A2U2
The A2U2 stream cipher was created for the resource-constrained environment of printed RFID tags. The area occupied for protection in this application field must be about 500 GE, whereas the power usage is reduced to lesser tens of Ws. To allow interactions with a large number of tags in real time, throughput should also be appropriate. A2U2 is a synchronous stream cipher that utilizes 56-bit keys [42]. A2U2 uses short registers backed by lightweight functional blocks and reuses hardware components to reach a limited hardware area. Its design relies heavily on the efficient hardware architecture concepts implemented by the block cipher KATAN. More precisely, as suggested by KATAN, it utilizes a mixture of two NFSRs and an LFSR-based counter. During the initialization process, the LFSR acts as a counter and then begins to act as an LFSR. Each NFSR's feedback function provides the other NFSR with feedback. In addition, A2U2 uses irregular shifts in the filter and feedback functions [43].

R-Quavium
Quavium is a flexible extension of Trivium. Like Trivium, it supports an 80-bit IV, a 288-bit internal state, and an 80-bit key. It depends on Trivium-like four-round SHRs and primitive polynomials of the k-order. Quavium connects four Trivium-like SHRs in a coupling relation, rather than the three SHRs connected in series in the original Trivium. It can also work with either two or three rounds, as the coupling relation preserves the primitiveness of the characteristic polynomials [44].

S-WG-8
The WG-8 stream cipher is a member of the Welch-Gong family. WG-8 has a 20-stage LFSR with an 80-bit initialization vector and an 80-bit key. It has two operating stages, the setup stage and the running stage. The cipher consists of an LFSR with a feedback polynomial, followed by a Welch-Gong transformation, which produces bit sequences with proven randomness properties. It has better performance than most ciphers and lower memory requirements. It is resistant to attacks and has strong randomness. It offers strong performance and consumes less power. However, it was found not to be secure against a key recovery attack [45].

T-Sprout
Sprout's architecture is adopted from Grain 128a. The sizes of both the Grain family's LFSR and NLFSR were reduced to half of their values, and the functions were modified slightly [46]. Except for the inclusion of a circular key element that combines key bits at each clock, the design principle of the output generation and input functions is almost retained. As a result, the area cost of the stream cipher is approximately 800 GE, while Grain requires 1162 GE for the equivalent 80-bit security level [47] [48].

U-Plantlet
Plantlet is built to fulfill the following design aims: an 80-bit low-area stream cipher with a shorter internal state that still retains the degree of protection. It achieves high efficiency even though the key is permanently stored in, and continuously read during computation from, rewritable non-volatile memory, while being hardware-friendly and independent of the choice of underlying non-volatile memory technology. Plantlet is a stronger variant of Sprout. Specifically, it inherits the general framework from Sprout and adopts continuous key involvement, but at the same time applies patches for the vulnerabilities found, e.g., a larger round key function and prevention of the all-zero state [49].

W-Fruit
Armknecht et al., in FSE 2015, suggested a new stream cipher architecture method. This approach requires repeated use of key bits in each round of keystream bit generation. The proposal showed the possibility of developing stream ciphers where the internal state size is considerably smaller than twice the key size. They suggested a new cipher, called Sprout, based on this concept. But Sprout was quickly shown to be vulnerable in an exhaustive search [50]. The new concept utilized in Sprout, however, opened a new direction in stream cipher design, leading to the proposal of many modern ciphers with limited internal state sizes. Fruit is another recently suggested cipher in this context, in which the key size and state size are both 80. So far, no attack on this cipher has occurred [51].

X-Lizard
Lizard's design was inspired by the Grain family of stream ciphers. Lizard's internal state is spread over two interconnected feedback shift registers (FSRs). Note, however, that whereas Grain utilizes one NFSR and one LFSR, both identical in length, Lizard instead utilizes two NFSRs of different lengths. As in Grain, besides the two FSRs, the third important building block is a nonlinear output function, which takes inputs from both shift registers and is often utilized as part of the state initialization algorithm [52].

Y-Espresso
Among the lightweight ciphers below 1500 GE, ESPRESSO is designed to be the quickest. It combines the benefits of the Fibonacci and Galois configurations of NLFSRs. In the configuration stage, it utilizes a 96-bit initialization vector together with a 128-bit key. It is composed of an NLFSR with a length of 256 bits and a non-linear 29 vector function. It has low propagation delays and can be formally analyzed. Both speed optimization and hardware size were considered in its design. It has thus minimized the hardware footprint and increased throughput. It is created specifically for 5G applications with improved service quality, and it provides a minimum latency of a few milliseconds [53].

Z-Modified RC4
The RC4 algorithm works in two main steps: the key generation step and the encryption step. For a new key, both steps must be done. Key generation is the first step in RC4 and the most complicated. Two state variables, S1 (initialized with the values 0 to 255) and S2 (filled with the selected key), are used in key generation. The second step is carried out by conducting several operations on S1 and S2 (swapping, modulo, and other formulas). Encryption is carried out after generating the stream of key bits: each keystream bit is XORed with a bit of plaintext to create the ciphertext, and the ciphertext is XORed with the keystream to decrypt the plaintext. Since RC4 has two phases, KSA and PRGA, the suggested improvements in the KSA process are based on a linear equation with a certain prime number, allowing the main generator function [17].
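
The two phases described above, written out for standard RC4 as an added example; it is not code from the paper and does not implement the modified KSA of [17]. The names S1 and S2 follow the text, the function names are chosen here, and the keys and plaintexts are the widely published RC4 sample vectors.

```python
def rc4_ksa(key):
    """Key generation (KSA): build the secret 256-byte permutation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 keys are 1 to 256 bytes long")
    s1 = list(range(256))                          # S1: the values 0..255
    s2 = [key[i % len(key)] for i in range(256)]   # S2: key repeated to 256 bytes
    j = 0
    for i in range(256):
        j = (j + s1[i] + s2[i]) % 256
        s1[i], s1[j] = s1[j], s1[i]                # swap driven by key bytes
    return s1


def rc4_prga(state, n):
    """Keystream generation (PRGA): n bytes from a KSA-initialised state.
    The state keeps being permuted; it never depends on the plaintext."""
    s = list(state)                                # leave the caller's copy intact
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4(key, data):
    """Encrypt or decrypt: both are the same XOR with the keystream."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def is_permutation(state):
    """Check the internal-state invariant: every byte value exactly once."""
    return sorted(state) == list(range(256))


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex())                                # ciphertext
    print(rc4(b"Key", ct))                         # same call decrypts
    print(is_permutation(rc4_ksa(b"Key")))
```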

WG-29
Grain-128AEAD consists of two main building blocks. The first is a pre-output generator that is designed utilizing an NFSR, an LFSR, and a pre-output function, whereas the second is an authenticator generator that is composed of a shift register and an accumulator. The architecture is very similar to Grain-128a but has been changed to support AEAD and to produce larger authenticators [54].

A4
A4 was proposed in 2020 as a modern lightweight stream cipher, utilizing one Feedback with Carry Shift Register (FCSR) and an LFSR. In various applications where safe communication among parties is a priority, A4 guarantees security to a large degree and is also easy to implement. The LFSR serves as a clock to guarantee the primary degree of security. The LFSR seed value is pseudorandomly taken from a seedbox composed of 256 values with a length of 128 bits each. It clocks the FCSR that produces the keystream used to encrypt and decrypt messages on the server and client sides, respectively [2].

III. EXISTING STREAM CIPHER ALGORITHMS
The latest stream cipher algorithms have been studied: more than twenty-seven symmetric LWC algorithms proposed by numerous academic, proprietary, and government agencies, with an emphasis on cost savings (memory, computing power, GE, energy consumption) and better hardware and software performance (latency, throughput) [6]. Low computing energy in low-end devices makes the encryption/decryption processes more complex to apply at the system level in a resource-constrained environment. Thus, the throughput metric plays a crucial role in guaranteeing the system's efficiency. The throughput of the chosen stream ciphers was verified by producing large keystreams. In software, throughput can be calculated as the average amount of plaintext processed per CPU clock cycle at a frequency of 4 MHz, whereas in hardware, it can be calculated in terms of plaintext bits processed per second (per time unit) at a frequency of 100 kHz [6]. In this study, throughput is given in kilobytes per second (kbps). Table I shows a summary of the most common stream ciphers: the key size, internal state (IS), initialization vector (IV), algorithm design pattern, throughput, and vulnerability of the algorithms. Table II groups the algorithms into classes according to the type of structure utilized.