REALISE-IoT RISC-V-Based Efficient and Lightweight Public-Key System For IoT App
REALISE-IoT RISC-V-Based Efficient and Lightweight Public-Key System For IoT App
REALISE-IoT RISC-V-Based Efficient and Lightweight Public-Key System For IoT App
2, 15 JANUARY 2024
Abstract—LoRa is a promising choice for deploying an IoT networks (LPWANs) become the wireless communication
network due to its lightweight feature and the extensive support backbone for long-range interconnection between diversified
by LoRa Alliance. However, as a fundamental part of LoRa, the IoT devices [3]. LoRa, a popular radio modulation technol-
typical LoRaWAN protocol confronts severe security challenges
because it insecurely utilizes AES-128 to support the low-cost ogy licensed by Semtech Corporation, provides a long-range
feature. In this article, we propose a systematic solution that communication approach with the chirp spread spectrum tech-
is compatible with LoRaWAN for IoT applications. We extend nique (CSS) [4]. LoRa-based communication systems can
the standard LoRaWAN protocol with public-key infrastructures. be deployed in various scenarios, such as suburban environ-
Public-key features like key exchange and authentication are ments [5], remote field sites [6], multifloor buildings [7], etc.
supported by lightweight hardware implementations of SHA-2,
ECDH, EdDSA, and TRNG. A lightweight RISC-V processor While there are other networks, such as Wi-Fi and Bluetooth,
with a security coprocessor is implemented and verified using LoRa is a better choice for long-range communication and
FPGA technology. The security protocol and the prototype hard- low-power applications [8]. However, the LoRa only defines
ware system are validated and evaluated on practical applications the standards of the physical layer. To support the increasing
from our industrial partner. The prototyped development board demand for IoT connectivity, LoRaWAN [9] defines the upper
consumes a static power of 0.116 W and a dynamic power
of 0.206 W. The proposed system can achieve a 5.6×–144.7× layers and communication protocol of LoRa-based networks.
speed up and reduce memory usage by 2.4×–12.3× for security LoRaWAN connects and links the LoRa signal to applica-
computations. tions. Lora and LoRaWAN define the network protocol in the
Index Terms—Internet of Things (IoT), lightweight cryp- LPWANs family to connect battery-operated devices to the
tography, LoRa network, LoRaWAN, public-key cryptography, Internet wirelessly. LoRa devices and LoRaWAN standards
RISC-V. provide flexibility in many industrial use cases and dominate
the market.
For the consideration of lightweight features, most IoT
I. I NTRODUCTION applications based on LPWAN technologies are vulnerable to
HE Internet of Things (IoT) is one of the key tech- hostile attackers. For example, despite the satisfactory secu-
T nologies for the next generation of industrial revolu-
tion [1]. It can get linked to everything, hence, getting popular
rity level of AES-128 encryption, the use of AES-128 in the
standard LoRaWAN protocol introduces potential weaknesses
day by day [2]. Wireless communication technology acts as a price of the lightweight feature. To increase security,
as the bridge between data collection and control message many enhanced protocols for LoRaWAN have been proposed.
delivery, facilitating IoT expansions. Low-power wide-area Naoui et al. [10] enhanced the security of LoRaWAN by
applying proxy nodes and a reputation system to alleviate the
Manuscript received 30 December 2022; revised 1 July 2023; accepted computation tasks. Han and Wang [11] proposed a lightweight
8 July 2023. Date of publication 20 July 2023; date of current version
8 January 2024. This work was supported in part by the Hong Kong Innovation key management scheme based on the Rabbit cipher embedded
and Technology Commission (ITF Seed Fund) under Grant ITS/216/19; in in a two-step key derivation function (KDF). To overcome the
part by the City University of Hong Kong under Project 9440242 and Project challenge of secure key generation at long distances and low
9678187; in part by the Hong Kong Innovation and Technology Commission
(InnoHK Project CIMDA); and in part by the National Natural Science data rates, Xu et al. [12] proposed a compressive sensing-based
Foundation of China under Grant 62002239. (Corresponding author: Yao Liu.) reconciliation framework combined with several signal pro-
Gaoyu Mao, Guangyan Li, Zhewen Zhang, Alan H. F. Lam, and cessing techniques to achieve secure key generation. To further
Ray C. C. Cheung are with the Department of Electrical Engineering, City
University of Hong Kong, Hong Kong, SAR, China (e-mail: gaoyumao3-c@ support indoor-to-outdoor scenarios and reduce the correlation
my.cityu.edu.hk; [email protected]; [email protected]. between channel measurements, Junejo et al. [13] presented a
edu.hk; [email protected]; [email protected]). shared secret key generation scheme with several processing
Yao Liu is with the School of Microelectronics Science and Technology,
Sun Yat-sen University, Zhuhai 510275, China (e-mail: liuyao25@ techniques and achieved a low correlation value, low key dis-
mail.sysu.edu.cn). agreement rates, and high key generation rates. However, these
Wangchen Dai is with the Research Center for Basic Theories of Intelligent solutions lack strong public-key cryptography support due to
Computing, Zhejiang Laboratory, Hangzhou 311121, China (e-mail: w.dai@
my.cityu.edu.hk). the limited computing resources and low-power consumption
Digital Object Identifier 10.1109/JIOT.2023.3296135 requirements of LoRa devices [14], [15].
2327-4662
c 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
MAO et al.: REALISE-IoT: RISC-V-BASED EFFICIENT AND LIGHTWEIGHT PUBLIC-KEY SYSTEM 3045
IoT applications generate large amounts of data and require and an effective modular multiplication algorithm is
complex computations. Edge computing solutions place IoT explored for hardware implementation.
devices close to data sources to facilitate real-time process- 3) The proposed system supports lightweight features for
ing. With built-in processors, IoT devices can accommo- IoT applications. The compact point multiplication mod-
date advanced computing requirements. Current options for ule contains only one multiplier, adder, and subtractor.
developing IoT processors include ARM, x86, and RISC-V. The addition and subtraction operations are hidden in the
Jung et al. [16] proposed a secure platform model for low-end multiplication pipeline cycles to make a compact timing
IoT devices based on ARM platform security architecture. It schedule. The platform is implemented with reconfig-
consisted of system security services and application security urable logic on a low-cost FPGA and prototyped on a
services and provided APIs for easy and fast development. PCB board. The proposed system can achieve 5.6×–
Considering the integration of RISC-V and IoT devices, 144.7× speed up and reduce memory usage by 2.4×–
Amor et al. [17] extended the RISC-V ISA to achieve 12.3×. The overall estimated static power is 0.116 W,
improved support for ultralow power wireless communication. and the dynamic power is 0.206 W.
Taheri et al. [18] extended the RI5CY core with ISA extension The remainder of this article is organized as follows.
for hyperdimensional computing. It achieved 7.48× speed up Section II illustrates the background. Section III describes the
and 7.22× energy efficiency. However, no additional security enhanced security protocol, the system architecture for the
features at the hardware level were included in these works, LoRaWAN communication system, and efficient implementa-
which failed to enhance the security mechanism. tions for ECC. Section IV details the hardware architecture of
RISC-V is an open-source instruction set architecture (ISA) the secure processor and security modules. Section V presents
based on the reduced instruction set computer (RISC) prin- the evaluation results. Section VI concludes this article.
ciples [19]. It consists of three basic instruction sets and six
extended instruction sets. With high flexibility, RISC-V can
II. BACKGROUND
be extended with additional instructions for specific applica-
tions. The RISC-V architecture allows open-source processor A. Security Protocol for LoRaWAN
designs for both FPGA and ASICs. The processor can be cus- From the security perspective, a typical working process
tomized for specific IoT applications based on the existing for a LoRaWAN device consists of four phases, as shown in
RISC-V design. PULPino is an open-source platform based on Fig. 1.
the RISC-V architecture. It is based on 32-bit RISC-V cores 1) Deployment: The LoRa node is fabricated with the root
developed at ETH Zurich [20], [21]. It can be configured to key Kr and the unique device info Id , including AppEUI,
use either the RISCY or the zero-riscy core. The RISCY is DevEUI, etc. The network server needs to know Kr
a single-issue core with four pipeline stages, while the zero- and partial information of Id before the LoRa node is
riscy is an in-order, single-issue core with two pipeline stages. deployed so that the server can authenticate the identity
The zero-riscy core is designed to target low power and lower of the LoRa device in the following phases.
area constraints. It can be configured to the lightweight version 2) Join: The LoRa node does not bear a routable address
with only 16 general-purpose registers (GPRs). in the network, and a gateway is needed to relay and
To enhance the security of the LoRaWAN protocol and reassemble the frames. The LoRa device must complete
make it practical for IoT applications, we propose a systematic the join process before communicating with the server.
solution for the LoRaWAN security communication system. The join message is a plaintext with device nonce Nd ,
The main contributions are summarized as follows. affiliated with the message integrity code (MIC) calcu-
1) The security of the LoRaWAN protocol is enhanced with lated with Kr . The server verifies the correctness of the
minimal cost. The enhanced protocol provides public- join message by the predistributed information.
key features and is compatible with the LoRaWAN 3) Acceptance: The server needs to send a join-accept
standard. The elliptic-curve cryptography (ECC) algo- message to the LoRa node after the LoRa device is suc-
rithms are applied. Specifically, the X25519 algorithm cessfully authenticated. Application information Ia and
is selected to enhance the key exchange process, while application nonce Na are added to the message, and the
the Ed25519 algorithm is chosen to add the digital sig- join message is encrypted by Kr together with the MIC.
nature. The compatible protocol can gain support from The LoRa device recovers the extra information Na and
LoRa Alliance and, hence, is practical to deploy in real Ia with Kr and generates the session key Ks . Since the
applications. server knows all the information, the same session key
2) A systematic solution is proposed from network proto- can be generated in the server.
col to system architecture and hardware devices. The 4) Communication: The LoRa node and the server com-
platform is developed based on PULPino, and multiple municate with each other using Ks . Since a typi-
hardware modules are included for applications. For cal LoRaWAN frame cannot exceed 255 bytes, the
instance, the LoRa network interface is integrated for LoRaWAN provides a bytewise encryption approach.
communication, a digital TRNG core acts as the root of Each byte in the payload is encrypted by XORing
trust, and a lightweight security coprocessor is designed (exclusive-OR) an encryption block uniquely generated
for public-key cryptography computations. Furthermore, by the frame information and the position information
an efficient point multiplication architecture is designed, of the block.
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
3046 IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 2, 15 JANUARY 2024
The details of the security protocol slightly change in Encryption block S is generated by AES-128 encryption Ef (),
LoRaWAN v1.1. More keys are involved, but the security and the encryption process during the communication phase
protocol remains similar with no significant security enhance- is essentially the Feistel cipher with S so that the encryption
ment [22]. Note that this protocol only applies to over-the-air and decryption share the same processes.
activation (OTAA) devices. As for activation by personal- The lightweight feature of the security protocol brings
ization (ABP) devices, the join and acceptance phases are potential weaknesses to the whole system. The key genera-
skipped. The session key is directly stored inside the APB tion scheme is based on the fixed root key and never updates.
devices so that the session key remains unchanged with- The system will be compromised once a third party obtains
out redistribution [23]. However, the deployment scenarios this key [24]. Aras et al. [23] launched an experiment on the
of LoRa networks are usually in the wild without human Xignal mousetrap device and extracted the keys via the phys-
management, such as outdoor pipelines, farmland, or deep ical access of the UART interface. With keys and a custom
mountains. Predeployed session keys are easily available in LoRa device, they impersonated a LoRa mouse trap and sent
these scenarios, making it easy to steal or forge transmission the data pretending from it. Furthermore, LoRaWAN imple-
information. Therefore, we only consider OTAA for secure ments AES in counter mode. If the counter values repeat
wireless transmission in this article. with the same key, the same keystream is used for encryp-
The security protocol is delicately designed, aiming for tion, voiding confidentiality [25]. Yang et al. [26] conducted
lightweight applications. Only AES-128 encryption is needed a proof-of-concept experiment to evaluate the data recovery
in the LoRa node, and the decryption part is only necessary attack caused by the key stream reuse issue. The TTN Fair
for the server. For the MIC generation function H(), AES- Access Policy somewhat reduces the possibility of data leak-
CMAC is applied. For the key generation process, Ea () is the age by restricting the transmitted data volume in a fixed period
AES-128 decryption in the server, and the LoRa node only to share the communication channel fairly [27]. Nevertheless,
needs to perform the AES-128 encryption as the Da () process. it is not a compulsory rule for all LoRa devices to follow.
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
MAO et al.: REALISE-IoT: RISC-V-BASED EFFICIENT AND LIGHTWEIGHT PUBLIC-KEY SYSTEM 3047
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
3048 IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 2, 15 JANUARY 2024
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
MAO et al.: REALISE-IoT: RISC-V-BASED EFFICIENT AND LIGHTWEIGHT PUBLIC-KEY SYSTEM 3049
TABLE I
T IMING S CHEDULE OF S CALAR M ULTIPLICATION FOR X25519
The timing schedule of scalar multiplication for X25519 is The timing schedule of scalar multiplication for Ed25519
shown in Table I. The u and k are 256-bit input variables. The is shown in Table II. The design principle is similar to
capital letters (e.g., A), xi , zi , and k are used to store the com- X25519 shown in Table I. P and k are input variables. The
putation results. The MUX_2X2 function is to swap two inputs MUX function selects two inputs based on the kt signal. The
based on the swap signal. The main computation is performed main loop starts from t = 255 to t = 0. Similar to X25519,
in the main loop. The loop is controlled starting from t = 254 only one multiplier, adder, and subtractor are used in the com-
to t = 0. The computation is conducted with one multiplier, putation. Meanwhile, the modulo q is the same in X2559
adder, and subtractor. The timing schedule is arranged mainly and Ed25519. Therefore, a unified hardware architecture can
based on the multiplication operation. Addition and subtrac- be designed to accommodate the scalar multiplications for
tion are hidden in the multiplication cycle to achieve compact X25519 and Ed25519. Both multiplications share the same
scheduling. The computation of 121665 · c is split into several computation unit (multiplier, adder, and subtractor), while
addition operations (States 5–8). the control logic differs in the two functions. In summary,
In the post computation of Table I, the inverse of z2 is com- the unified architecture can achieve a more compact design.
p−2
puted by z2 , where p = 2255 − 19. This exponentiation can The cycles of addition and subtraction are hidden in the
be computed by 254 squaring and 11 multiplications. The multiplication computation to achieve compact scheduling.
addition chain of power is described as follows: 1 → 2 →
4 → 8 → 9 → 11 → 22 → (25 − 1) → (26 − 2) → · · · D. Systematic Solution for LoRaWAN Communication
→ (210 − 25 ) → (210 − 1) → (211 − 2) → · · · → The IoT platforms contain software, hardware, memory,
(220 − 210 ) → (220 − 1) → (221 − 2) → · · · → (240 − 220 ) sensors, network, user interfaces, etc. Integrating various com-
→ (240 − 1) → (241 − 2) → · · · → (250 − 210 ) → ponents helps unlock IoT systems’ full potential and build
(250 − 1) → (251 − 2) → · · · → (2100 − 250 ) →→ complete end-to-end IoT solutions. For a proper integration
(2100 − 1) → (2101 − 2) → · · · → (2200 − 2100 ) to occur, it requires a unifying platform. FPGAs contain pro-
→ (2200 − 1) → (2201 − 2) → · · · → (2250 − 250 ) → grammable logic blocks, and reconfigurable interconnects. The
(2250 − 1) → (2251 − 2) → · · · → (2255 − 25 ) → (2255 − 21). logic blocks can perform complex functions and wire together
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
3050 IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 2, 15 JANUARY 2024
TABLE II
T IMING S CHEDULE OF S CALAR M ULTIPLICATION FOR E D 25519
through interconnections. The reconfigurable hardware feature transceiver offers long-range communication and communi-
of FPGA allows for providing customized IoT solutions with- cates with the LoRa gateway. The proposed FPGA platform
out any physical hardware modifications. Moreover, to make it has a RISC-V core for software programming. Security exten-
feasible to deploy ECC and maintain high performance, FPGA sions are inherent as the root of trust. Security modules are
has low cost and power consumption features compared with designed for public-key cryptography and security compu-
high-end CPU and GPU, making it suitable to optimize the tations. These modules are packed as a coprocessor. The
performance of IoT [34]. Therefore, a systematic solution for FPGA platform provides communication interfaces to inter-
LoRaWAN secure communication is proposed with the FPGA act with the LoRa transceiver directly. On the server side,
platform, as shown in Fig. 4. ECC algorithms are also added to interact with the LoRa
In Fig. 4, there are multilayered solutions, including pro- node to complete the key exchange and digital signature
tocol, architecture, and cryptology. The standard LoRaWAN verification.
protocol lacks public-key support, and the proposed solu-
tion adds public-key cryptography to enhance security. The
IV. H ARDWARE A RCHITECTURE OF S ECURE P ROCESSOR
server enables connectivity, device monitoring, and end-user
applications. The LoRa gateway transmits data between end A. Overview of Secure Processor Architecture
devices and the cloud server. The gateway provides Internet The secure processor architecture is presented in Fig. 5.
access and uses the MQTT protocol to send the packets. The The architecture contains a RISC-V core, on-chip memory,
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
MAO et al.: REALISE-IoT: RISC-V-BASED EFFICIENT AND LIGHTWEIGHT PUBLIC-KEY SYSTEM 3051
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
3052 IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 2, 15 JANUARY 2024
TABLE III
H ARDWARE R ESOURCES C ONSUMPTION IN FPGA
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
MAO et al.: REALISE-IoT: RISC-V-BASED EFFICIENT AND LIGHTWEIGHT PUBLIC-KEY SYSTEM 3053
TABLE IV
E XPERIMENT R ESULTS ON S PEED AND M EMORY S IZE
TABLE V
C OMPARISON W ITH R ELATED W ORKS
concatenation, they are kept to run in software in the over- and provide message authentication. Hence, our solution is
all SW/HW co-design. Our SW/HW co-design can achieve better in terms of security.
2.4× memory efficiency and 20.1× speed up for the complete The hardware design results are also compared with related
EdDSA function. The consumed instruction RAM size of the works, as shown in Table V. Sasdrich and Güneysu [36]
EdDSA function is larger than other functions, but our cur- proposed high-performance single-core and multicore archi-
rent memory budget is still enough to support this function. tecture for X25519. Our lightweight design consumes fewer
If a more tight memory budget is required in the future, the resources but runs at a lower speed. Our design achieves
modular reduction and number addition can be implemented a better area-time product than the multicore architec-
in FPGA to reduce the memory size further. ture but slightly worse than the single-core architecture.
Koppermann et al. [37] proposed a low-latency design of
X25519, which consumed more than 10× the resources com-
C. Results Comparison and Discussion
pared with our work. Both the design in [37] and our work
In terms of security enhancement, the classical LoRaWAN are in the Xilinx Zynq architecture. In contrast, our design
system calculates the AES key with a preinstalled root key. removes the ARM processor and implements the RISC-V core
Our enhanced system introduces ECDH for key exchange in FPGA. Compared with the work in [37], our design con-
before encryption. The pure software method takes 0.57 ms sumes only 77% of the static power and 26% of the dynamic
for each 128-bit AES encryption. With the hardware acceler- power. Turan and Verbauwhede [38] combined Ed25519 and
ation, the LoRa node spends 4.46 ms for key exchange and X25519 in a single module, which is similar to our design. In
performs multiple AES encryption afterward. For the mes- comparison, our design for lightweight implementation con-
sages which require data authentication, the LoRa node takes sumes half the resources but 3× as many cycles. Overall,
8.53 ms to generate a digital signature in each LoRa frame. our design is the most compact compared with previous
The signature is then sent to the server for verification. Since work and achieves a relatively similar area-time product. Our
the classical LoRaWAN system lacks public-key-based key design consumes lower power compared to similar SoCs.
exchange and digital signatures, our system provides better Therefore, our design is suitable for resource-constrained,
security guarantees. multifunctional, and low-power IoT systems.
Some works also tried to enhance the security of LoRa com-
munication. Tomasin et al. [39] identified the possibility of
regenerating the device nonce. The author proposed a random VI. C ONCLUSION
number generator algorithm and increased the devise nonce In this article, we propose a security-enhanced LoRaWAN
size. Kim and Song [40] proposed using a second root key communication network with public-key infrastructure. We
to avoid the application and network session keys generated enhance the key exchange process with the ECDH algorithm
from the same root key. In comparison, our platform gener- and data authentication with the EdDSA signature algorithm.
ates the random number more securely with a digital TRNG The extended protocol is compatible with the LoRaWAN.
core, which has passed the NIST test with high p-values, as We propose a RISC-V-based secure processor architecture
described in [35]. With public-key cryptography algorithms, and provide a systematic solution for the secure network.
we can safely update the root key through insecure channels We provide the root of trust with a digital TRNG core
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
3054 IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 2, 15 JANUARY 2024
and design hardware modules to accelerate the computation- [16] J. Jung, B. Kim, J. Cho, and B. Lee, “A secure platform model based
intensive security algorithms. We prototype and evaluate on ARM platform security architecture for IoT devices,” IEEE Internet
Things J., vol. 9, no. 7, pp. 5548–5560, Apr. 2022.
a development board on a practical LoRa communication [17] H. B. Amor, C. Bernier, and Z. Přikryl, “A RISC-V ISA extension for
system. The measured total on-chip power is 0.321 W. The ultra-low power IoT wireless signal processing,” IEEE Trans. Comput.,
proposed architecture can achieve a 5.6×–144.7× speed up vol. 71, no. 4, pp. 766–778, Apr. 2022.
[18] F. Taheri, S. Bayat-Sarmadi, and S. Hadayeghparast, “RISC-HD:
and reduce memory usage by 2.4×–12.3×. Lightweight RISC-V processor for efficient hyperdimensional comput-
Our future work is to develop an application-specific inte- ing inference,” IEEE Internet Things J., vol. 9, no. 23, pp. 24030–24037,
grated circuit (ASIC) and replace the existing processor in Dec. 2022.
[19] K. Asanović and D. A. Patterson, “Instruction sets should be free: The
the application with the designed secure processor for secure case for RISC-V,” Dept. Electr. Eng. Comput. Sci., Univ. California,
communication. Berkeley, Rep. UCB/EECS-2014-146, 2014.
[20] M. Gautschi et al., “Near-threshold RISC-V core with DSP extensions
for scalable IoT endpoint devices,” IEEE Trans. Very Large Scale Integr.
ACKNOWLEDGMENT (VLSI) Syst., vol. 25, no. 10, pp. 2700–2713, Oct. 2017.
[21] “PULPino.” 2019. [Online]. Available: https://github.com/pulp-platform/
The authors would like to thank Jack Junjie Liu, pulpino
John Yiqing Zhang, Man-Kit Sit, Max Tsz-Ho Sze, and [22] M. Eldefrawy, I. Butun, N. Pereira, and M. Gidlund, “Formal secu-
rity analysis of LoRaWAN,” Comput. Netw., vol. 148, pp. 328–339,
Yifei Zhao for their great help in this work. They also would Jan. 2019.
like to thank the anonymous reviewers for their valuable [23] E. Aras, G. S. Ramachandran, P. Lawrence, and D. Hughes, “Exploring
comments. the security vulnerabilities of LoRa,” in Proc. 3rd IEEE Int. Conf.
Cybern. (CYBCONF), 2017, pp. 1–6.
[24] J. P. S. Sundaram, W. Du, and Z. Zhao, “A survey on LoRa networking:
Research problems, current solutions, and open issues,” IEEE Commun.
R EFERENCES Surveys Tuts., vol. 22, no. 1, pp. 371–388, 1st Quart., 2020.
[25] D. Basu, T. Gu, and P. Mohapatra, “Security issues of low power
[1] A. Shrivastava, K. M. Krishna, M. L. Rinawa, M. Soni, G. Ramkumar,
wide area networks in the context of LoRa networks,” 2020,
and S. Jaiswal, “Inclusion of IoT, ML, and blockchain technologies in
arXiv:2006.16554.
next generation industry 4.0 environment,” Mater. Today Proc., vol. 80,
[26] X. Yang, E. Karampatzakis, C. Doerr, and F. Kuipers, “Security
pp. 3471–3475, Apr. 2023.
vulnerabilities in LoRaWAN,” in Proc. IEEE/ACM 3rd Int. Conf.
[2] S. Balaji, K. Nathani, and R. Santhakumar, “IoT technology, applica-
Internet-Things Design Implement. (IoTDI), 2018, pp. 129–140.
tions and challenges: A contemporary survey,” Wireless Pers. Commun.,
[27] Arjan. “Fair use policy explained.” May 2021. [Online]. Available:
vol. 108, no. 1, pp. 363–388, 2019.
https://www.thethingsnetwork.org/forum/t/fair-use-policy-explained/13
[3] A.-A. A. Boulogeorgos, P. D. Diamantoulakis, and G. K. Karagiannidis,
00
“Low power wide area networks (LPWANs) for Internet of Things
[28] Z. Vahdati, S. Yasin, A. Ghasempour, and M. Salehi, “Comparison of
(IoT) applications: Research challenges and future trends,” 2016,
ECC and RSA algorithms in IoT devices,” J. Theor. Appl. Inf. Technol.,
arXiv:1611.07449.
vol. 97, no. 16, pp. 4293–4308, 2019.
[4] G. S. Ramachandran, F. Yang, P. Lawrence, S. Michiels, W. Joosen, and [29] S. Bai et al., CRYSTALS-Dilithium—Algorithm Specifications
D. Hughes, “PnP-WAN: Experiences with LoRa and its deployment in and Supporting Documentation, Post-Quantum Cryptography
DR Congo,” in Proc. 9th Int. Conf. Commun. Syst. Netw. (COMSNETS), Standardization Round 3, NIST, Gaithersburg, MD, USA, 2020.
2017, pp. 63–70. [30] D. J. Bernstein, “Curve25519: New Diffie–Hellman speed records,” in
[5] I. D. S. Batalha et al., “Large-scale modeling and analysis of uplink Public Key Cryptography, M. Yung, Y. Dodis, A. Kiayias, and T. Malkin,
and downlink channels for LoRa technology in suburban environ- Eds. Heidelberg, Germany: Springer, 2006, pp. 207–228.
ments,” IEEE Internet Things J., vol. 9, no. 23, pp. 24477–24491, [31] L. Chen, D. Moody, A. Regenscheid, and K. Randall,
Dec. 2022. “Recommendations for discrete logarithm-based cryptography: Elliptic
[6] S. R. J. Ramson et al., “A self-powered, real-time, LoRaWAN IoT-based curve domain parameters,” Nat. Inst. Stand. Technol., Gaithersburg,
soil health monitoring system,” IEEE Internet Things J., vol. 8, no. 11, MD, USA, Rep. NIST SP 800-186, 2019.
pp. 9278–9293, Jun. 2021. [32] A. Langley, M. Hamburg, and S. Turner, “Elliptic curves for secu-
[7] W. Xu, J. Y. Kim, W. Huang, S. S. Kanhere, S. K. Jha, and W. Hu, rity,” RFC 7748, Internet Res. Task Force, 2016.
“Measurement, characterization, and modeling of LoRa technology [33] S. Josefsson and I. Liusvaara, “Edwards-curve digital signature algo-
in multifloor buildings,” IEEE Internet Things J., vol. 7, no. 1, rithm (EdDSA),” RFC 8032, Internet Res. Task Force, 2017.
pp. 298–310, Jan. 2020. [34] R. Nair, P. Sharma, and T. Sharma, “Optimizing the performance of IoT
[8] S. Devalal and A. Karthikeyan, “LoRa technology—An overview,” in using FPGA as compared to GPU,” Int. J. Grid High Perform. Comput.,
Proc. 2nd Int. Conf. Electron., Commun. Aerosp. Technol. (ICECA), vol. 14, no. 1, p. 15, 2022.
2018, pp. 284–290. [35] Y. Liu, R. C. C. Cheung, and H. Wong, “A bias-bounded digital true
[9] N. Sornin, M. Luis, T. Eirich, T. Kramp, and O. Hersent, Lorawan random number generator architecture,” IEEE Trans. Circuits Syst. I,
Specification, LoRa Alliance, Fremont, CA, USA, 2015. Reg. Papers, vol. 64, no. 1, pp. 133–144, Jan. 2017.
[10] S. Naoui, M. E. Elhdhili, and L. A. Saidane, “Enhancing the security [36] P. Sasdrich and T. Güneysu, “Efficient elliptic-curve cryptogra-
of the IoT LoraWAN architecture,” in Proc. Int. Conf. Perform. Eval. phy using Curve25519 on reconfigurable devices,” in Reconfigurable
Model. Wired Wireless Netw. (PEMWN), 2016, pp. 1–7. Computing: Architectures, Tools, and Applications, D. Goehringer, M. D.
[11] J. Han and J. Wang, “An enhanced key management scheme for Santambrogio, J. M. P. Cardoso, and K. Bertels, Eds. Cham, Switzerland:
LoRaWAN,” Cryptography, vol. 2, no. 4, p. 34, 2018. Springer Int., 2014, pp. 25–36.
[12] W. Xu, S. Jha, and W. Hu, “LoRa-key: Secure key generation system [37] P. Koppermann, F. De Santis, J. Heyszl, and G. Sigl, “X25519 hardware
for LoRa-based network,” IEEE Internet Things J., vol. 6, no. 4, implementation for low-latency applications,” in Proc. Euromicro Conf.
pp. 6404–6416, Aug. 2019. Digit. Syst. Design (DSD), 2016, pp. 99–106.
[13] A. K. Junejo, F. Benkhelifa, B. Wong, and J. A. Mccann, “LoRa- [38] F. Turan and I. Verbauwhede, “Compact and flexible FPGA implemen-
LiSK: A lightweight shared secret key generation scheme for LoRa tation of Ed25519 and X25519,” ACM Trans. Embedded Comput. Syst.,
networks,” IEEE Internet Things J., vol. 9, no. 6, pp. 4110–4124, vol. 18, no. 3, p. 24, 2019.
Mar. 2022. [39] S. Tomasin, S. Zulian, and L. Vangelista, “Security analysis of
[14] N. Torres, P. Pinto, and S. I. Lopes, “Security vulnerabilities in LoRaWAN join procedure for Internet of Things networks,” in Proc.
LPWANs—An attack vector analysis for the IoT ecosystem,” Appl. Sci., IEEE Wireless Commun. Netw. Conf. Workshops (WCNCW), 2017,
vol. 11, no. 7, p. 3176, 2021. pp. 1–6.
[15] Z. Sun, H. Yang, K. Liu, Z. Yin, Z. Li, and W. Xu, “Recent advances [40] J. Kim and J. Song, “A dual key-based activation scheme for secure
in LoRa: A comprehensive survey,” ACM Trans. Sens. Netw., vol. 18, LoRaWAN,” Wireless Commun. Mobile Comput., vol. 2017, Nov. 2017,
no. 4, pp. 1–44, 2022. Art. no. 6590713.
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
MAO et al.: REALISE-IoT: RISC-V-BASED EFFICIENT AND LIGHTWEIGHT PUBLIC-KEY SYSTEM 3055
Gaoyu Mao received the B.Eng. degree in inte- Zhewen Zhang received the B.Eng. degree in elec-
grated circuit design and integration system from the tronics information science and technology from
School of Microelectronics, Shandong University, the School of Astronautics, Harbin Institute of
Jinan, China, in 2020. He is currently pursuing Technology, Harbin, China, in 2020. She is currently
the Ph.D. degree with the Department of Electrical pursuing the Ph.D. degree with the Department
Engineering, City University of Hong Kong, of Electrical Engineering, City University of Hong
Hong Kong. Kong, Hong Kong.
He visited Zhejiang Laboratory, Hangzhou, China, Her research interests include processor design
from September to November 2022. His research and hardware security.
interests include reconfigurable computing with
FPGA, and cryptographic hardware design.
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.