REALISE-IoT RISC-V-Based Efficient and Lightweight Public-Key System For IoT App


3044 IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 2, 15 JANUARY 2024

REALISE-IoT: RISC-V-Based Efficient and Lightweight Public-Key System for IoT Applications

Gaoyu Mao, Yao Liu, Member, IEEE, Wangchen Dai, Guangyan Li, Zhewen Zhang, Alan H. F. Lam, Member, IEEE, and Ray C. C. Cheung, Senior Member, IEEE

Abstract—LoRa is a promising choice for deploying an IoT network due to its lightweight feature and the extensive support by LoRa Alliance. However, as a fundamental part of LoRa, the typical LoRaWAN protocol confronts severe security challenges because it insecurely utilizes AES-128 to support the low-cost feature. In this article, we propose a systematic solution that is compatible with LoRaWAN for IoT applications. We extend the standard LoRaWAN protocol with public-key infrastructures. Public-key features like key exchange and authentication are supported by lightweight hardware implementations of SHA-2, ECDH, EdDSA, and TRNG. A lightweight RISC-V processor with a security coprocessor is implemented and verified using FPGA technology. The security protocol and the prototype hardware system are validated and evaluated on practical applications from our industrial partner. The prototyped development board consumes a static power of 0.116 W and a dynamic power of 0.206 W. The proposed system can achieve a 5.6×–144.7× speed up and reduce memory usage by 2.4×–12.3× for security computations.

Index Terms—Internet of Things (IoT), lightweight cryptography, LoRa network, LoRaWAN, public-key cryptography, RISC-V.

Manuscript received 30 December 2022; revised 1 July 2023; accepted 8 July 2023. Date of publication 20 July 2023; date of current version 8 January 2024. This work was supported in part by the Hong Kong Innovation and Technology Commission (ITF Seed Fund) under Grant ITS/216/19; in part by the City University of Hong Kong under Project 9440242 and Project 9678187; in part by the Hong Kong Innovation and Technology Commission (InnoHK Project CIMDA); and in part by the National Natural Science Foundation of China under Grant 62002239. (Corresponding author: Yao Liu.)
Gaoyu Mao, Guangyan Li, Zhewen Zhang, Alan H. F. Lam, and Ray C. C. Cheung are with the Department of Electrical Engineering, City University of Hong Kong, Hong Kong, SAR, China (e-mail: gaoyumao3-c@my.cityu.edu.hk; [email protected]; [email protected]; [email protected]; [email protected]).
Yao Liu is with the School of Microelectronics Science and Technology, Sun Yat-sen University, Zhuhai 510275, China (e-mail: liuyao25@mail.sysu.edu.cn).
Wangchen Dai is with the Research Center for Basic Theories of Intelligent Computing, Zhejiang Laboratory, Hangzhou 311121, China (e-mail: w.dai@my.cityu.edu.hk).
Digital Object Identifier 10.1109/JIOT.2023.3296135

I. INTRODUCTION

The Internet of Things (IoT) is one of the key technologies for the next generation of industrial revolution [1]. It can get linked to everything, hence, getting popular day by day [2]. Wireless communication technology acts as the bridge between data collection and control message delivery, facilitating IoT expansions. Low-power wide-area networks (LPWANs) become the wireless communication backbone for long-range interconnection between diversified IoT devices [3]. LoRa, a popular radio modulation technology licensed by Semtech Corporation, provides a long-range communication approach with the chirp spread spectrum technique (CSS) [4]. LoRa-based communication systems can be deployed in various scenarios, such as suburban environments [5], remote field sites [6], multifloor buildings [7], etc. While there are other networks, such as Wi-Fi and Bluetooth, LoRa is a better choice for long-range communication and low-power applications [8]. However, LoRa only defines the standards of the physical layer. To support the increasing demand for IoT connectivity, LoRaWAN [9] defines the upper layers and communication protocol of LoRa-based networks. LoRaWAN connects and links the LoRa signal to applications. LoRa and LoRaWAN define the network protocol in the LPWANs family to connect battery-operated devices to the Internet wirelessly. LoRa devices and LoRaWAN standards provide flexibility in many industrial use cases and dominate the market.

For the consideration of lightweight features, most IoT applications based on LPWAN technologies are vulnerable to hostile attackers. For example, despite the satisfactory security level of AES-128 encryption, the use of AES-128 in the standard LoRaWAN protocol introduces potential weaknesses as a price of the lightweight feature. To increase security, many enhanced protocols for LoRaWAN have been proposed. Naoui et al. [10] enhanced the security of LoRaWAN by applying proxy nodes and a reputation system to alleviate the computation tasks. Han and Wang [11] proposed a lightweight key management scheme based on the Rabbit cipher embedded in a two-step key derivation function (KDF). To overcome the challenge of secure key generation at long distances and low data rates, Xu et al. [12] proposed a compressive sensing-based reconciliation framework combined with several signal processing techniques to achieve secure key generation. To further support indoor-to-outdoor scenarios and reduce the correlation between channel measurements, Junejo et al. [13] presented a shared secret key generation scheme with several processing techniques and achieved a low correlation value, low key disagreement rates, and high key generation rates. However, these solutions lack strong public-key cryptography support due to the limited computing resources and low-power consumption requirements of LoRa devices [14], [15].
2327-4662 © 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Zhejiang University. Downloaded on September 07,2024 at 16:17:11 UTC from IEEE Xplore. Restrictions apply.
MAO et al.: REALISE-IoT: RISC-V-BASED EFFICIENT AND LIGHTWEIGHT PUBLIC-KEY SYSTEM 3045

IoT applications generate large amounts of data and require complex computations. Edge computing solutions place IoT devices close to data sources to facilitate real-time processing. With built-in processors, IoT devices can accommodate advanced computing requirements. Current options for developing IoT processors include ARM, x86, and RISC-V. Jung et al. [16] proposed a secure platform model for low-end IoT devices based on ARM platform security architecture. It consisted of system security services and application security services and provided APIs for easy and fast development. Considering the integration of RISC-V and IoT devices, Amor et al. [17] extended the RISC-V ISA to achieve improved support for ultralow power wireless communication. Taheri et al. [18] extended the RI5CY core with ISA extension for hyperdimensional computing. It achieved 7.48× speed up and 7.22× energy efficiency. However, no additional security features at the hardware level were included in these works, which failed to enhance the security mechanism.

RISC-V is an open-source instruction set architecture (ISA) based on the reduced instruction set computer (RISC) principles [19]. It consists of three basic instruction sets and six extended instruction sets. With high flexibility, RISC-V can be extended with additional instructions for specific applications. The RISC-V architecture allows open-source processor designs for both FPGA and ASICs. The processor can be customized for specific IoT applications based on the existing RISC-V design. PULPino is an open-source platform based on the RISC-V architecture. It is based on 32-bit RISC-V cores developed at ETH Zurich [20], [21]. It can be configured to use either the RISCY or the zero-riscy core. The RISCY is a single-issue core with four pipeline stages, while the zero-riscy is an in-order, single-issue core with two pipeline stages. The zero-riscy core is designed to target low power and lower area constraints. It can be configured to the lightweight version with only 16 general-purpose registers (GPRs).

To enhance the security of the LoRaWAN protocol and make it practical for IoT applications, we propose a systematic solution for the LoRaWAN security communication system. The main contributions are summarized as follows.

1) The security of the LoRaWAN protocol is enhanced with minimal cost. The enhanced protocol provides public-key features and is compatible with the LoRaWAN standard. The elliptic-curve cryptography (ECC) algorithms are applied. Specifically, the X25519 algorithm is selected to enhance the key exchange process, while the Ed25519 algorithm is chosen to add the digital signature. The compatible protocol can gain support from LoRa Alliance and, hence, is practical to deploy in real applications.
2) A systematic solution is proposed from network protocol to system architecture and hardware devices. The platform is developed based on PULPino, and multiple hardware modules are included for applications. For instance, the LoRa network interface is integrated for communication, a digital TRNG core acts as the root of trust, and a lightweight security coprocessor is designed for public-key cryptography computations. Furthermore, an efficient point multiplication architecture is designed, and an effective modular multiplication algorithm is explored for hardware implementation.
3) The proposed system supports lightweight features for IoT applications. The compact point multiplication module contains only one multiplier, adder, and subtractor. The addition and subtraction operations are hidden in the multiplication pipeline cycles to make a compact timing schedule. The platform is implemented with reconfigurable logic on a low-cost FPGA and prototyped on a PCB board. The proposed system can achieve 5.6×–144.7× speed up and reduce memory usage by 2.4×–12.3×. The overall estimated static power is 0.116 W, and the dynamic power is 0.206 W.

The remainder of this article is organized as follows. Section II illustrates the background. Section III describes the enhanced security protocol, the system architecture for the LoRaWAN communication system, and efficient implementations for ECC. Section IV details the hardware architecture of the secure processor and security modules. Section V presents the evaluation results. Section VI concludes this article.

II. BACKGROUND

A. Security Protocol for LoRaWAN

From the security perspective, a typical working process for a LoRaWAN device consists of four phases, as shown in Fig. 1.

1) Deployment: The LoRa node is fabricated with the root key $K_r$ and the unique device info $I_d$, including AppEUI, DevEUI, etc. The network server needs to know $K_r$ and partial information of $I_d$ before the LoRa node is deployed so that the server can authenticate the identity of the LoRa device in the following phases.
2) Join: The LoRa node does not bear a routable address in the network, and a gateway is needed to relay and reassemble the frames. The LoRa device must complete the join process before communicating with the server. The join message is a plaintext with device nonce $N_d$, affiliated with the message integrity code (MIC) calculated with $K_r$. The server verifies the correctness of the join message by the predistributed information.
3) Acceptance: The server needs to send a join-accept message to the LoRa node after the LoRa device is successfully authenticated. Application information $I_a$ and application nonce $N_a$ are added to the message, and the join message is encrypted by $K_r$ together with the MIC. The LoRa device recovers the extra information $N_a$ and $I_a$ with $K_r$ and generates the session key $K_s$. Since the server knows all the information, the same session key can be generated in the server.
4) Communication: The LoRa node and the server communicate with each other using $K_s$. Since a typical LoRaWAN frame cannot exceed 255 bytes, the LoRaWAN provides a bytewise encryption approach. Each byte in the payload is encrypted by XORing (exclusive-OR) an encryption block uniquely generated by the frame information and the position information of the block.


Fig. 1. Security protocol for LoRaWAN v1.0 with OTAA.

The details of the security protocol slightly change in LoRaWAN v1.1. More keys are involved, but the security protocol remains similar with no significant security enhancement [22]. Note that this protocol only applies to over-the-air activation (OTAA) devices. As for activation by personalization (ABP) devices, the join and acceptance phases are skipped. The session key is directly stored inside the ABP devices so that the session key remains unchanged without redistribution [23]. However, the deployment scenarios of LoRa networks are usually in the wild without human management, such as outdoor pipelines, farmland, or deep mountains. Predeployed session keys are easily available in these scenarios, making it easy to steal or forge transmission information. Therefore, we only consider OTAA for secure wireless transmission in this article.

The security protocol is delicately designed, aiming for lightweight applications. Only AES-128 encryption is needed in the LoRa node, and the decryption part is only necessary for the server. For the MIC generation function $H()$, AES-CMAC is applied. For the key generation process, $E_a()$ is the AES-128 decryption in the server, and the LoRa node only needs to perform the AES-128 encryption as the $D_a()$ process. Encryption block $S$ is generated by AES-128 encryption $E_f()$, and the encryption process during the communication phase is essentially the Feistel cipher with $S$ so that the encryption and decryption share the same processes.

The lightweight feature of the security protocol brings potential weaknesses to the whole system. The key generation scheme is based on the fixed root key and never updates. The system will be compromised once a third party obtains this key [24]. Aras et al. [23] launched an experiment on the Xignal mousetrap device and extracted the keys via physical access to the UART interface. With the keys and a custom LoRa device, they impersonated a LoRa mouse trap and sent data pretending to come from it. Furthermore, LoRaWAN implements AES in counter mode. If the counter values repeat with the same key, the same keystream is used for encryption, voiding confidentiality [25]. Yang et al. [26] conducted a proof-of-concept experiment to evaluate the data recovery attack caused by the key stream reuse issue. The TTN Fair Access Policy somewhat reduces the possibility of data leakage by restricting the transmitted data volume in a fixed period to share the communication channel fairly [27]. Nevertheless, it is not a compulsory rule for all LoRa devices to follow.
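The counter-reuse weakness described above, as an added example that is not code from the article: a check a network server could run over received frames, flagging any (device address, direction, frame counter) that shows up with two different ciphertexts under an unchanged session key. The capture is constructed, HMAC-SHA256 stands in for the AES-128 block generator, and every function and constant name is an assumption.

```python
import hashlib
import hmac
from collections import defaultdict


def keystream(session_key, dev_addr, direction, fcnt, length):
    """Per-frame keystream. HMAC-SHA256 is a stand-in for the AES-128 block
    generator; the point is that blocks depend only on these frame fields."""
    blocks = []
    for i in range(1, (length + 15) // 16 + 1):
        info = (bytes([direction]) + dev_addr.to_bytes(4, "little")
                + fcnt.to_bytes(4, "little") + bytes([i]))
        blocks.append(hmac.new(session_key, info, hashlib.sha256).digest()[:16])
    return b"".join(blocks)[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(session_key, dev_addr, direction, fcnt, payload):
    """Bytewise XOR of payload and keystream; the same call decrypts."""
    ks = keystream(session_key, dev_addr, direction, fcnt, len(payload))
    return xor(payload, ks)


def find_counter_reuse(frames):
    """Map (dev_addr, direction, fcnt) -> distinct ciphertexts, for counters
    seen with more than one ciphertext. Byte-identical repeats are treated
    as retransmissions and are not reported."""
    seen = defaultdict(list)
    for dev_addr, direction, fcnt, ciphertext in frames:
        bucket = seen[(dev_addr, direction, fcnt)]
        if ciphertext not in bucket:
            bucket.append(ciphertext)
    return {key: cts for key, cts in seen.items() if len(cts) > 1}


# Constructed capture: one device with a fixed session key whose frame
# counter restarts at 0 after a reboot.
KEY = bytes(range(16))
DEV = 0x01020304
UP = 0
BEFORE = [b"temp=21.5C door=closed", b"temp=21.7C door=closed"]
AFTER = [b"temp=03.1C door=open  ", b"temp=21.7C door=closed"]


def build_capture():
    frames = [(DEV, UP, n, encrypt(KEY, DEV, UP, n, p))
              for n, p in enumerate(BEFORE)]
    frames += [(DEV, UP, n, encrypt(KEY, DEV, UP, n, p))
               for n, p in enumerate(AFTER)]
    return frames


if __name__ == "__main__":
    for (dev, direction, fcnt), cts in find_counter_reuse(build_capture()).items():
        leak = xor(cts[0], cts[1])   # equals plaintext 1 XOR plaintext 2
        print(f"DevAddr {dev:08X} dir {direction} FCnt {fcnt}: keystream reused, "
              f"{sum(b != 0 for b in leak)} plaintext byte differences exposed")
```

Only counter 0 is reported here: counter 1 repeats with a byte-identical ciphertext, which the check treats as a retransmission.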


B. Lightweight Public-Key Cryptography

Public-key cryptographic systems use a key pair: a public key and a private key. The private key is kept secret, while the public key can be distributed to the public without compromising security. Hence, public-key cryptography provides a strong security guarantee and is ideal for security extensions. However, public-key cryptography has a relatively large size and low processing speed, which may not be suitable for LoRa applications. For example, the RSA algorithms use very large key sizes (e.g., 1024, 2048, or 4096 bits), which require large hardware areas and expensive arithmetic calculations [28]. The popular lattice-based cryptography schemes are also relatively large in size. For example, the lattice-based signature CRYSTALS-Dilithium [29] has a public key size of 1312 bytes and a signature size of 2420 bytes in Dilithium2. However, a typical LoRaWAN frame cannot exceed 255 bytes. If post-quantum cryptography is applied for LoRa applications, it is necessary to propose a more lightweight scheme with a smaller key and signature size and conduct a security analysis.

ECC achieves an equivalent security level with smaller key sizes and computation overhead than other public-key cryptography schemes. For example, to achieve a security level of 128 bits, the traditional RSA scheme requires 3072-bit operands while ECC only requires 256 bits. The security strength of ECC schemes depends on the underlying elliptic curves. Due to the concern about the potential security weakness of the curve recommended by the National Institute of Standards and Technology (NIST), the Montgomery curves, mainly Curve25519 [30], have drawn increasing attention. Curve25519 is faster, more secure, and simpler than other ECC curves; therefore, it has recently been recommended by IETF RFC 7748 and integrated into popular SSL/TLS libraries [31]. The Elliptic-curve Diffie–Hellman (ECDH) key exchange protocol can generate a shared secret key through insecure channels. The secure key exchange protocol can address the potential weakness in generating the symmetric AES key in LoRaWAN. The shared secure key generated by ECDH can be adopted as the subsequent AES key to enhance security strength. The Edwards-curve digital signature algorithm (EdDSA) is a digital signature scheme that provides a layer of validation and security to messages through nonsecure channels. The generated signature can be added to the LoRaWAN communication packet for message authentication. We select the X25519 for ECDH based on RFC 7748 [32] and the Ed25519 for EdDSA based on RFC 8032 [33].

III. METHODOLOGY

A. Enhanced Security Protocol With ECDH Key Exchange

The primary security deficiency of the existing LoRaWAN protocol lies in the fixed root key, which is used repeatedly to generate the session key for symmetric encryption between different end devices. To address this security problem, a two-level security protocol is proposed to provide an enhanced security guarantee for a general IoT system. The proposed protocol is decoupled from the underlying IoT protocol; thus, it is compatible with various IoT networking techniques. LoRaWAN is adopted in this work to demonstrate the working principle of the proposed protocol as presented in Fig. 2. The proposed protocol enhances security with a two-level structure. Level 1 is the underlying IoT communication protocol, which is LoRaWAN in this work. After the LoRaWAN communication channel is established, the LoRa nodes and servers will generate their own ECC key pairs with Curve25519. The key exchange algorithm is shown below, where $S_{DH}()$ is scalar multiplication defined on an elliptic curve, and $G$ is the base point for the chosen elliptic curve

$$\mathrm{Pub}_a = S_{DH}(\mathrm{Priv}_a, G), \qquad \mathrm{Pub}_b = S_{DH}(\mathrm{Priv}_b, G)$$

$$SK_{ab} = S_{DH}(\mathrm{Priv}_a, \mathrm{Pub}_b) = S_{DH}(\mathrm{Priv}_b, \mathrm{Pub}_a) = SK_{ba}.$$

During ECDH, each end device only distributes its public key through the insecure communication channel and keeps its private key. ECDH guarantees the same secret keys $(SK_{ab}, SK_{ba})$, as long as the two parties $(a, b)$ use the same base point $G$ and have access to each other's public key $(\mathrm{Pub}_a, \mathrm{Pub}_b)$. Meanwhile, a strong security level is guaranteed whenever each side protects the private key $(\mathrm{Priv}_a, \mathrm{Priv}_b)$ properly. A third party with the public key of both sides still needs to recover the secret key by brute force. With the shared secret key, a secure communication channel is established. The application layer can assume the underlying communication layer is secure with the corresponding APIs. With this protocol, various applications with higher security requirements can be performed on IoT devices.

Fig. 2. Enhanced protocol with ECDH.

B. Enhanced Security Protocol With EdDSA Signature

The standard LoRaWAN frame contains header information and payload messages, as shown in Fig. 3. One security deficiency of the LoRaWAN frame is the lack of message authentication, so it is hard for the message receiver to identify the message


sender without authentication. To address this problem, a digital signature can be attached to each frame. Since the size of the EdDSA signature is only 512-bit (64 bytes), the generated signature can be put within each LoRaWAN frame. The security-enhanced LoRaWAN frame is shown in Fig. 3. Two modes of usage scenarios are provided. The first is to send the plaintext message, and the signature is signed for the plaintext. The other is first to encrypt the message to obtain a ciphertext, and then a signature is signed for the ciphertext.

Fig. 3. Enhanced LoRaWAN frame with a digital signature.

The EdDSA algorithm is used to create the signature. The signature is generated in Curve25519, the same as ECDH. The signature algorithm is shown below. $S_{DSA}$ is the two-coordinate scalar multiplication in EdDSA. SHA512 is the hash function of SHA-2. The input message is hashed with SHA512 to produce a 512-bit output. Two modulo operations (mod $q$) are required, where $q = 2^{255} - 19$. The signature is the concatenation of two intermediate results, $R$ and $s$

$$r = \mathrm{SHA512}\big(\mathrm{Priv}_a[32{:}63] + \mathrm{msg}\big) \bmod q$$

$$R = S_{DSA}(r, G)$$

$$h = \mathrm{SHA512}\big(R + \mathrm{Pub}_a + \mathrm{msg}\big)$$

$$s = \big(r + h \cdot \mathrm{Priv}_a[0{:}31]\big) \bmod q$$

$$\mathrm{Signature} = R \,\|\, s.$$

The LoRa nodes create the public key $\mathrm{Pub}_a$ and private key $\mathrm{Priv}_a$. The public key is sent to the LoRa server to verify the message. $\mathrm{Pub}_a$ and $\mathrm{Priv}_a$ are stored in the node to sign the messages. This public key is distributed through insecure channels. A third party with the public key $\mathrm{Pub}_a$ can only verify the message but cannot create a new signature without knowing the private key $\mathrm{Priv}_a$.

C. Lightweight and Efficient Implementation of ECC

Scalar multiplication is the most time-consuming function in ECDH (X25519) and EdDSA (Ed25519). The scalar multiplication involves the modular multiplication $p = a \cdot b \bmod q$, $q = 2^{255} - 19$. We apply the property of the modulus $q$ and obtain an efficient modular multiplication algorithm, as shown in Algorithm 1. In Algorithm 1, the parameter $w$ is 32 and $s$ is 8. The $(t, u, v)$ is a 96-bit register, and $t$, $u$, $v$ are 32-bit. In the whole algorithm, the 256-bit multiplication is split into 32-bit multiplications. It first calculates $a \cdot b \bmod 2q$ (i.e., steps 1–18), then calculates $a \cdot b \bmod q$ (i.e., steps 19–25). For the coefficients with an index exceeding $s - 1$, each coefficient is multiplied by $38 \cdot 2^{-256}$ (i.e., steps 7 and 8). The final result is modulo $q$ instead of modulo $2q$, so the last word contains $w - 1$ bits instead of $w$ bits (i.e., steps 15 and 16).

Algorithm 1 Modular Multiplication for Modulus 2^255 − 19

Require: Modulus 2^255 − 19, operand a, b < 2^256 − 1 are in radix-2^w form with a_i, b_i ∈ [0, 2^w − 1], i = 0, 1, ..., s − 1 and sw = 256.
Ensure: p = a · b mod 2^255 − 19.

     1: (t, u, v) ← 0
     2: for i from 0 to s − 1 do
     3:     for j from 0 to s − 1 do
     4:         if j ≤ i then
     5:             (t, u, v) ← (t, u, v) + a_j · b_{i−j}
     6:         else
     7:             (t, u, v) ← (t, u, v) + a_j · b_{i−j+s}
     8:             (t, u, v) ← (t, u, v) × 38
     9:         end if
    10:     end for
    11:     if i < s − 1 then
    12:         p_i ← v
    13:         v ← u, u ← t, t ← 0
    14:     else
    15:         p_{s−1} ← v mod 2^{w−1}
    16:         (t, u, v) ← (t, u, v) ≫ (w − 1)
    17:     end if
    18: end for
    19: (t, u, v) ← (t, u, v) × 19
    20: for i from 0 to s − 1 do
    21:     (t, u, v) ← (t, u, v) + p_i
    22:     p_i ← v
    23:     v ← u, u ← t, t ← 0
    24: end for
    25: If p ≥ n return p ← p − n, else return p

At the end of step 18, we get the value of $x + x' \cdot 2^{255}$, where $x \in [0, 2^{255} - 1]$ and $x'$ is a small value with less than $2w$ bits. Besides, $x$ is stored in $p_i$ in radix-$2^w$ form and $x'$ in the register array $(t, u, v)$. Steps 19–24 reduce the value of $x$ modulo $n$ by computing $19 \cdot x'$ and adding the result back to $x$. It is easy to see that the sum $x + 19x'$ may be greater than $n$ but less than $2n$, and, therefore, a final conditional subtraction is required (i.e., step 25).

During the realization of Algorithm 1, the final conditional subtraction can be processed together with the reduction of $x + x' \cdot 2^{255}$ and, thus, save a subtraction with long propagation. This can be done by computing $y = x + 19x'$ and $y' = x + 19x' + 19$ in parallel. If the MSB (the 256th bit) of $y'$ (denoted as $y'_{msb}$) is set, we assign $p = y' \bmod 2^{255}$ and output; otherwise, $p = y$. The conclusion can be proved as follows. Since $y < y' < 2n$, there exist three cases: both $y_{msb}$ and $y'_{msb}$ are set; only $y'_{msb}$ is set; and both are zero. When both $y_{msb}$ and $y'_{msb}$ are set, $y \geq 2^{255}$; noting that $y < 2n$, we only need to subtract one $n$ from $y$: $y - n = (x + 19x' + 19) \bmod 2^{255} = y' \bmod 2^{255}$. When only $y'_{msb}$ is set, then $n \leq y < 2^{255}$, and we still need to subtract one $n$ from $y$: $y - n = y + 19 - 2^{255}$; notice that $y + 19 = y' \geq 2^{255}$, so $y - n = y' \bmod 2^{255}$. Finally, when both $y_{msb}$ and $y'_{msb}$ are zero, then $y' < 2^{255}$ and $y = y' - 19 < 2^{255} - 19 = n$, so no subtraction is needed.


TABLE I. TIMING SCHEDULE OF SCALAR MULTIPLICATION FOR X25519

The timing schedule of scalar multiplication for X25519 is shown in Table I. The $u$ and $k$ are 256-bit input variables. The capital letters (e.g., $A$), $x_i$, $z_i$, and $k$ are used to store the computation results. The MUX_2X2 function is to swap two inputs based on the swap signal. The main computation is performed in the main loop. The loop is controlled starting from $t = 254$ to $t = 0$. The computation is conducted with one multiplier, adder, and subtractor. The timing schedule is arranged mainly based on the multiplication operation. Addition and subtraction are hidden in the multiplication cycle to achieve compact scheduling. The computation of $121665 \cdot c$ is split into several addition operations (States 5–8).

In the post computation of Table I, the inverse of $z_2$ is computed by $z_2^{p-2}$, where $p = 2^{255} - 19$. This exponentiation can be computed by 254 squarings and 11 multiplications. The addition chain of power is described as follows:

$$1 \to 2 \to 4 \to 8 \to 9 \to 11 \to 22 \to (2^{5} - 1) \to (2^{6} - 2) \to \cdots \to (2^{10} - 2^{5}) \to (2^{10} - 1) \to (2^{11} - 2) \to \cdots \to (2^{20} - 2^{10}) \to (2^{20} - 1) \to (2^{21} - 2) \to \cdots \to (2^{40} - 2^{20}) \to (2^{40} - 1) \to (2^{41} - 2) \to \cdots \to (2^{50} - 2^{10}) \to (2^{50} - 1) \to (2^{51} - 2) \to \cdots \to (2^{100} - 2^{50}) \to (2^{100} - 1) \to (2^{101} - 2) \to \cdots \to (2^{200} - 2^{100}) \to (2^{200} - 1) \to (2^{201} - 2) \to \cdots \to (2^{250} - 2^{50}) \to (2^{250} - 1) \to (2^{251} - 2) \to \cdots \to (2^{255} - 2^{5}) \to (2^{255} - 21).$$

The timing schedule of scalar multiplication for Ed25519 is shown in Table II. The design principle is similar to X25519 shown in Table I. $P$ and $k$ are input variables. The MUX function selects two inputs based on the $k_t$ signal. The main loop starts from $t = 255$ to $t = 0$. Similar to X25519, only one multiplier, adder, and subtractor are used in the computation. Meanwhile, the modulus $q$ is the same in X25519 and Ed25519. Therefore, a unified hardware architecture can be designed to accommodate the scalar multiplications for X25519 and Ed25519. Both multiplications share the same computation unit (multiplier, adder, and subtractor), while the control logic differs in the two functions. In summary, the unified architecture can achieve a more compact design. The cycles of addition and subtraction are hidden in the multiplication computation to achieve compact scheduling.

D. Systematic Solution for LoRaWAN Communication

The IoT platforms contain software, hardware, memory, sensors, network, user interfaces, etc. Integrating various components helps unlock IoT systems' full potential and build complete end-to-end IoT solutions. For a proper integration to occur, it requires a unifying platform. FPGAs contain programmable logic blocks and reconfigurable interconnects. The logic blocks can perform complex functions and wire together


through interconnections. The reconfigurable hardware feature of FPGA allows for providing customized IoT solutions without any physical hardware modifications. Moreover, to make it feasible to deploy ECC and maintain high performance, FPGA has low cost and power consumption features compared with high-end CPU and GPU, making it suitable to optimize the performance of IoT [34]. Therefore, a systematic solution for LoRaWAN secure communication is proposed with the FPGA platform, as shown in Fig. 4.

TABLE II. TIMING SCHEDULE OF SCALAR MULTIPLICATION FOR ED25519

Fig. 4. Security cryptographic processor architecture and LoRaWAN Communication system.

In Fig. 4, there are multilayered solutions, including protocol, architecture, and cryptology. The standard LoRaWAN protocol lacks public-key support, and the proposed solution adds public-key cryptography to enhance security. The server enables connectivity, device monitoring, and end-user applications. The LoRa gateway transmits data between end devices and the cloud server. The gateway provides Internet access and uses the MQTT protocol to send the packets. The transceiver offers long-range communication and communicates with the LoRa gateway. The proposed FPGA platform has a RISC-V core for software programming. Security extensions are inherent as the root of trust. Security modules are designed for public-key cryptography and security computations. These modules are packed as a coprocessor. The FPGA platform provides communication interfaces to interact with the LoRa transceiver directly. On the server side, ECC algorithms are also added to interact with the LoRa node to complete the key exchange and digital signature verification.

IV. HARDWARE ARCHITECTURE OF SECURE PROCESSOR

A. Overview of Secure Processor Architecture

The secure processor architecture is presented in Fig. 5. The architecture contains a RISC-V core, on-chip memory,


peripherals, interconnections, and extended security modules.

Fig. 5. Secure processor architecture.

The processor is developed based on the Pulpino SoC platform. The developed architecture uses the zero-riscy core with the standard 32 GPRs. The platform boots from the boot ROM. The executable code is preloaded into the RAMs and executed by the RISC-V core. The RISC-V core fetches instructions from the instruction RAM and reads/writes the data from/to the data RAM. The FPGA device contains a relatively large amount of block memory and some distributed memory implemented with LUTs. Hence, we use the block RAMs (BRAM) to function as the instruction RAM and data RAM.

The AXI bus is the main interconnection of different modules. The relatively low-speed peripherals (e.g., UART and GPIOs) are connected to the APB with a bridge to the AXI. The high-performance security modules, including AES, SHA-2, and ECC point operation modules, are connected with the AXI bus via the AXI DMA. The DMA provides high-bandwidth direct memory access between the RISC-V processor and security modules, so the data transmission will not become the bottleneck. The LoRa transceiver receives the settings via an SPI interface as a slave device. The SPI interface has a relatively low data bit rate, so a hardware SPI master is designed to parse the settings from the APB bus into an SPI protocol. The AES module is to accelerate the original LoRa node encryption, while the SHA-2 and ECC point operation modules are to support the public-key computations.

The true random number generator (TRNG) module generates the root of trust for the secure processor. The TRNG is used in several cases: the ECDH key exchange algorithm uses a 256-bit random number as the private key, and the AES algorithm uses the exchanged key for encryption; the EdDSA signature algorithm requires a 256-bit random number to generate key pairs. Hence, the TRNG module safeguards the security of data and LoRaWAN applications and helps to build trust in the overall platform. The TRNG is implemented with a purely digital circuit and embedded inside the processor to ensure inaccessibility. The TRNG applies the staged-running self-timed ring (STR) architecture, which generates high-quality unpredictable random numbers by utilizing the diverse timing response to different initial values. The details of the TRNG architecture are described in [35].

B. Hardware Architecture of Security Modules

The specific instance of the ECDH scheme is the X25519, and the EdDSA scheme is the Ed25519. The X25519 uses the x coordinate of the Curve25519, and the Ed25519 uses a curve birationally equivalent to Curve25519. Scalar multiplication is the most time-consuming function and a unified architecture is designed for both schemes, as shown in Fig. 6. The internal modular multiplication architecture is designed according to Algorithm 1. The timing schedule of X25519 and Ed25519 is shown in Tables I and II. The designed hardware module is lightweight, and the arithmetic unit contains an adder, a subtractor, and a modular multiplier. The internal computation bit width is 32 bit. The BRAMs are used to store intermediate computation results. A finite state machine (FSM) is used to control the calculation flow, and the calculation is designed to run in constant time to avoid simple timing attacks.

Fig. 6. Hardware architecture of ECC point operation.

Fig. 7. Hardware architecture of SHA-2.

The SHA-2 module supports both SHA256 and SHA512, and the architecture is shown in Fig. 7. For the SHA256, the input block is 512 bit, the inside permutation is performed with 32 bit, and the output result is 256 bit. For the SHA512, the input block is 1024 bit, the permutation bit is 64 bit, and the output block is 512 bit. In order to be compatible
with SHA512, for SHA256, the higher significant bytes are discarded. A distributed ROM is used to store the constants for the round permutation. A distributed RAM is used to store the intermediate computation results. The computation flow is controlled using an FSM.

The AES module supports the AES-128 operation used in the LoRaWAN encryption standard. The AES architecture is shown in Fig. 8. The AES core contains a cipher block and a key management block. To begin with, the 128-bit shared key is sent and stored in distributed RAM. Next, the 128-bit input is sent for each block encryption. The S-box is used to expand the key for encryption.

Fig. 8. Hardware architecture of AES encryption.

V. EVALUATIONS AND DISCUSSION

A. Development Board Prototype and Experiment Setup

A customized tiny FPGA platform is developed for further validation experiments on IoT applications, as shown in Fig. 9. This platform includes an xc7z020clg FPGA chip and a LoRa transceiver chip SX1262. The FPGA bitstream is downloaded onto the board over JTAG. The USB-UART device is attached to the corresponding ports in the FPGA board and performs online programming (TX) or prints out the information (RX). The hardware is designed with Verilog HDL, and the hardware bitstream is generated in Xilinx Vivado 2019.2. The resource consumption result is shown in Table III. The hardware resources of three security modules are tested before integration into the processor, and the secure processor includes all modules used in the application. The application software is designed using the C/C++ language and programmed into the memory on the board through the UART port. The prototype board is configured to run at 50 MHz. The power consumption results are accurately simulated from Vivado. The static power is 0.116 W, and the dynamic power is 0.206 W. The total on-chip power is 0.321 W.

Fig. 9. Prototype of the development board.

TABLE III
HARDWARE RESOURCES CONSUMPTION IN FPGA

B. Speed Performance and Memory Efficiency

The firmware program is designed to configure the hardware modules, including the TRNG, AES, SHA-2, and ECC point operation modules. To test the performance and efficiency of the designed platform, the results of SW design and SW/HW co-design are compared, as shown in Table IV. The SW design is to run the whole function in the RISC-V core. The SW/HW co-design also runs the function in the RISC-V core, but at the same time, the firmware program is used to call the hardware modules to accelerate the functions.

The tested AES encrypt function encrypts one block (128-bit) message with the (ECDH) exchanged key. The AES achieves the most basic security functions and can be used before and after the security extension of the LoRa network. The AES is more lightweight compared with other public-key functions. Our SW/HW co-design can achieve 12.1× memory efficiency and 8.1× speed up in the AES.

The tested ECDH function is the scalar multiplication function used in X25519. Since both public and shared key generation involve only one scalar multiplication function, this function is the only function that needs to be tested for ECDH. As shown in Table IV, both SW design and SW/HW co-design consume the same size of data RAM. However, the instruction RAM size is significantly larger in the pure SW design due to the high complexity of scalar multiplication. Our SW/HW co-design can achieve 12.3× memory efficiency and 144.7× speed up in the ECDH.

The EdDSA is the most complex function in our security extension. The SHA512 and scalar multiplication functions are the most time consuming. The tested SHA512 function is to hash the 32-byte private key and 32-byte message, which consumes 1.08 ms in pure software design. Our SW/HW co-design can achieve 4.8× memory efficiency and 5.6× speed up in the SHA512. The scalar multiplication is slightly more complex in EdDSA compared with ECDH since two-coordinate scalar multiplication is involved. The tested software design of the EdDSA scalar multiplication performs a lot of precomputing and stores the results in the data RAM to speed up the function. However, its speed improvement is limited and it consumes many RAM resources. Our SW/HW co-design can achieve 93.0× memory efficiency and 23.8× speed up in the EdDSA scalar multiplication function. For the other functions, including the modular reduction, number addition, and
concatenation, they are kept to run in software in the overall SW/HW co-design. Our SW/HW co-design can achieve 2.4× memory efficiency and 20.1× speed up for the complete EdDSA function. The consumed instruction RAM size of the EdDSA function is larger than other functions, but our current memory budget is still enough to support this function. If a tighter memory budget is required in the future, the modular reduction and number addition can be implemented in FPGA to reduce the memory size further.

TABLE IV
EXPERIMENT RESULTS ON SPEED AND MEMORY SIZE

C. Results Comparison and Discussion

In terms of security enhancement, the classical LoRaWAN system calculates the AES key with a preinstalled root key. Our enhanced system introduces ECDH for key exchange before encryption. The pure software method takes 0.57 ms for each 128-bit AES encryption. With the hardware acceleration, the LoRa node spends 4.46 ms for key exchange and performs multiple AES encryptions afterward. For messages that require data authentication, the LoRa node takes 8.53 ms to generate a digital signature in each LoRa frame. The signature is then sent to the server for verification. Since the classical LoRaWAN system lacks public-key-based key exchange and digital signatures, our system provides better security guarantees.

Some works also tried to enhance the security of LoRa communication. Tomasin et al. [39] identified the possibility of regenerating the device nonce. The authors proposed a random number generator algorithm and increased the device nonce size. Kim and Song [40] proposed using a second root key to avoid generating the application and network session keys from the same root key. In comparison, our platform generates the random number more securely with a digital TRNG core, which has passed the NIST test with high p-values, as described in [35]. With public-key cryptography algorithms, we can safely update the root key through insecure channels and provide message authentication. Hence, our solution is better in terms of security.

The hardware design results are also compared with related works, as shown in Table V. Sasdrich and Güneysu [36] proposed high-performance single-core and multicore architecture for X25519. Our lightweight design consumes fewer resources but runs at a lower speed. Our design achieves a better area-time product than the multicore architecture but slightly worse than the single-core architecture. Koppermann et al. [37] proposed a low-latency design of X25519, which consumed more than 10× the resources compared with our work. Both the design in [37] and our work are in the Xilinx Zynq architecture. In contrast, our design removes the ARM processor and implements the RISC-V core in FPGA. Compared with the work in [37], our design consumes only 77% of the static power and 26% of the dynamic power. Turan and Verbauwhede [38] combined Ed25519 and X25519 in a single module, which is similar to our design. In comparison, our design for lightweight implementation consumes half the resources but 3× as many cycles. Overall, our design is the most compact compared with previous work and achieves a relatively similar area-time product. Our design consumes lower power compared to similar SoCs. Therefore, our design is suitable for resource-constrained, multifunctional, and low-power IoT systems.

TABLE V
COMPARISON WITH RELATED WORKS

VI. CONCLUSION

In this article, we propose a security-enhanced LoRaWAN communication network with public-key infrastructure. We enhance the key exchange process with the ECDH algorithm and data authentication with the EdDSA signature algorithm. The extended protocol is compatible with the LoRaWAN. We propose a RISC-V-based secure processor architecture and provide a systematic solution for the secure network. We provide the root of trust with a digital TRNG core
and design hardware modules to accelerate the computation-intensive security algorithms. We prototype and evaluate a development board on a practical LoRa communication system. The measured total on-chip power is 0.321 W. The proposed architecture can achieve a 5.6×–144.7× speed up and reduce memory usage by 2.4×–12.3×.

Our future work is to develop an application-specific integrated circuit (ASIC) and replace the existing processor in the application with the designed secure processor for secure communication.

ACKNOWLEDGMENT

The authors would like to thank Jack Junjie Liu, John Yiqing Zhang, Man-Kit Sit, Max Tsz-Ho Sze, and Yifei Zhao for their great help in this work. They also would like to thank the anonymous reviewers for their valuable comments.

REFERENCES

[1] A. Shrivastava, K. M. Krishna, M. L. Rinawa, M. Soni, G. Ramkumar, and S. Jaiswal, “Inclusion of IoT, ML, and blockchain technologies in next generation industry 4.0 environment,” Mater. Today Proc., vol. 80, pp. 3471–3475, Apr. 2023.
[2] S. Balaji, K. Nathani, and R. Santhakumar, “IoT technology, applications and challenges: A contemporary survey,” Wireless Pers. Commun., vol. 108, no. 1, pp. 363–388, 2019.
[3] A.-A. A. Boulogeorgos, P. D. Diamantoulakis, and G. K. Karagiannidis, “Low power wide area networks (LPWANs) for Internet of Things (IoT) applications: Research challenges and future trends,” 2016, arXiv:1611.07449.
[4] G. S. Ramachandran, F. Yang, P. Lawrence, S. Michiels, W. Joosen, and D. Hughes, “PnP-WAN: Experiences with LoRa and its deployment in DR Congo,” in Proc. 9th Int. Conf. Commun. Syst. Netw. (COMSNETS), 2017, pp. 63–70.
[5] I. D. S. Batalha et al., “Large-scale modeling and analysis of uplink and downlink channels for LoRa technology in suburban environments,” IEEE Internet Things J., vol. 9, no. 23, pp. 24477–24491, Dec. 2022.
[6] S. R. J. Ramson et al., “A self-powered, real-time, LoRaWAN IoT-based soil health monitoring system,” IEEE Internet Things J., vol. 8, no. 11, pp. 9278–9293, Jun. 2021.
[7] W. Xu, J. Y. Kim, W. Huang, S. S. Kanhere, S. K. Jha, and W. Hu, “Measurement, characterization, and modeling of LoRa technology in multifloor buildings,” IEEE Internet Things J., vol. 7, no. 1, pp. 298–310, Jan. 2020.
[8] S. Devalal and A. Karthikeyan, “LoRa technology—An overview,” in Proc. 2nd Int. Conf. Electron., Commun. Aerosp. Technol. (ICECA), 2018, pp. 284–290.
[9] N. Sornin, M. Luis, T. Eirich, T. Kramp, and O. Hersent, Lorawan Specification, LoRa Alliance, Fremont, CA, USA, 2015.
[10] S. Naoui, M. E. Elhdhili, and L. A. Saidane, “Enhancing the security of the IoT LoraWAN architecture,” in Proc. Int. Conf. Perform. Eval. Model. Wired Wireless Netw. (PEMWN), 2016, pp. 1–7.
[11] J. Han and J. Wang, “An enhanced key management scheme for LoRaWAN,” Cryptography, vol. 2, no. 4, p. 34, 2018.
[12] W. Xu, S. Jha, and W. Hu, “LoRa-key: Secure key generation system for LoRa-based network,” IEEE Internet Things J., vol. 6, no. 4, pp. 6404–6416, Aug. 2019.
[13] A. K. Junejo, F. Benkhelifa, B. Wong, and J. A. Mccann, “LoRa-LiSK: A lightweight shared secret key generation scheme for LoRa networks,” IEEE Internet Things J., vol. 9, no. 6, pp. 4110–4124, Mar. 2022.
[14] N. Torres, P. Pinto, and S. I. Lopes, “Security vulnerabilities in LPWANs—An attack vector analysis for the IoT ecosystem,” Appl. Sci., vol. 11, no. 7, p. 3176, 2021.
[15] Z. Sun, H. Yang, K. Liu, Z. Yin, Z. Li, and W. Xu, “Recent advances in LoRa: A comprehensive survey,” ACM Trans. Sens. Netw., vol. 18, no. 4, pp. 1–44, 2022.
[16] J. Jung, B. Kim, J. Cho, and B. Lee, “A secure platform model based on ARM platform security architecture for IoT devices,” IEEE Internet Things J., vol. 9, no. 7, pp. 5548–5560, Apr. 2022.
[17] H. B. Amor, C. Bernier, and Z. Přikryl, “A RISC-V ISA extension for ultra-low power IoT wireless signal processing,” IEEE Trans. Comput., vol. 71, no. 4, pp. 766–778, Apr. 2022.
[18] F. Taheri, S. Bayat-Sarmadi, and S. Hadayeghparast, “RISC-HD: Lightweight RISC-V processor for efficient hyperdimensional computing inference,” IEEE Internet Things J., vol. 9, no. 23, pp. 24030–24037, Dec. 2022.
[19] K. Asanović and D. A. Patterson, “Instruction sets should be free: The case for RISC-V,” Dept. Electr. Eng. Comput. Sci., Univ. California, Berkeley, Rep. UCB/EECS-2014-146, 2014.
[20] M. Gautschi et al., “Near-threshold RISC-V core with DSP extensions for scalable IoT endpoint devices,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 25, no. 10, pp. 2700–2713, Oct. 2017.
[21] “PULPino.” 2019. [Online]. Available: https://github.com/pulp-platform/pulpino
[22] M. Eldefrawy, I. Butun, N. Pereira, and M. Gidlund, “Formal security analysis of LoRaWAN,” Comput. Netw., vol. 148, pp. 328–339, Jan. 2019.
[23] E. Aras, G. S. Ramachandran, P. Lawrence, and D. Hughes, “Exploring the security vulnerabilities of LoRa,” in Proc. 3rd IEEE Int. Conf. Cybern. (CYBCONF), 2017, pp. 1–6.
[24] J. P. S. Sundaram, W. Du, and Z. Zhao, “A survey on LoRa networking: Research problems, current solutions, and open issues,” IEEE Commun. Surveys Tuts., vol. 22, no. 1, pp. 371–388, 1st Quart., 2020.
[25] D. Basu, T. Gu, and P. Mohapatra, “Security issues of low power wide area networks in the context of LoRa networks,” 2020, arXiv:2006.16554.
[26] X. Yang, E. Karampatzakis, C. Doerr, and F. Kuipers, “Security vulnerabilities in LoRaWAN,” in Proc. IEEE/ACM 3rd Int. Conf. Internet-Things Design Implement. (IoTDI), 2018, pp. 129–140.
[27] Arjan. “Fair use policy explained.” May 2021. [Online]. Available: https://www.thethingsnetwork.org/forum/t/fair-use-policy-explained/1300
[28] Z. Vahdati, S. Yasin, A. Ghasempour, and M. Salehi, “Comparison of ECC and RSA algorithms in IoT devices,” J. Theor. Appl. Inf. Technol., vol. 97, no. 16, pp. 4293–4308, 2019.
[29] S. Bai et al., CRYSTALS-Dilithium—Algorithm Specifications and Supporting Documentation, Post-Quantum Cryptography Standardization Round 3, NIST, Gaithersburg, MD, USA, 2020.
[30] D. J. Bernstein, “Curve25519: New Diffie–Hellman speed records,” in Public Key Cryptography, M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, Eds. Heidelberg, Germany: Springer, 2006, pp. 207–228.
[31] L. Chen, D. Moody, A. Regenscheid, and K. Randall, “Recommendations for discrete logarithm-based cryptography: Elliptic curve domain parameters,” Nat. Inst. Stand. Technol., Gaithersburg, MD, USA, Rep. NIST SP 800-186, 2019.
[32] A. Langley, M. Hamburg, and S. Turner, “Elliptic curves for security,” RFC 7748, Internet Res. Task Force, 2016.
[33] S. Josefsson and I. Liusvaara, “Edwards-curve digital signature algorithm (EdDSA),” RFC 8032, Internet Res. Task Force, 2017.
[34] R. Nair, P. Sharma, and T. Sharma, “Optimizing the performance of IoT using FPGA as compared to GPU,” Int. J. Grid High Perform. Comput., vol. 14, no. 1, p. 15, 2022.
[35] Y. Liu, R. C. C. Cheung, and H. Wong, “A bias-bounded digital true random number generator architecture,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 64, no. 1, pp. 133–144, Jan. 2017.
[36] P. Sasdrich and T. Güneysu, “Efficient elliptic-curve cryptography using Curve25519 on reconfigurable devices,” in Reconfigurable Computing: Architectures, Tools, and Applications, D. Goehringer, M. D. Santambrogio, J. M. P. Cardoso, and K. Bertels, Eds. Cham, Switzerland: Springer Int., 2014, pp. 25–36.
[37] P. Koppermann, F. De Santis, J. Heyszl, and G. Sigl, “X25519 hardware implementation for low-latency applications,” in Proc. Euromicro Conf. Digit. Syst. Design (DSD), 2016, pp. 99–106.
[38] F. Turan and I. Verbauwhede, “Compact and flexible FPGA implementation of Ed25519 and X25519,” ACM Trans. Embedded Comput. Syst., vol. 18, no. 3, p. 24, 2019.
[39] S. Tomasin, S. Zulian, and L. Vangelista, “Security analysis of LoRaWAN join procedure for Internet of Things networks,” in Proc. IEEE Wireless Commun. Netw. Conf. Workshops (WCNCW), 2017, pp. 1–6.
[40] J. Kim and J. Song, “A dual key-based activation scheme for secure LoRaWAN,” Wireless Commun. Mobile Comput., vol. 2017, Nov. 2017, Art. no. 6590713.
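
The X25519 scalar multiplication of Section IV-B and the ECDH-before-AES key exchange of Section V-C, as an added example that is not the authors' firmware or RTL: a Montgomery ladder following RFC 7748 [32] with a fixed 255-step schedule and a mask-based conditional swap, after which node and server derive the same AES-128 key. Assumptions not taken from the paper: all function names, the SHA-256 truncation used as the key-derivation step, the all-zero shared-secret check, and os.urandom standing in for the TRNG.

```python
"""Added example: X25519 (RFC 7748) on a fixed-schedule Montgomery ladder,
then an ECDH exchange in which node and server derive one AES-128 key."""
import hashlib
import hmac
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # ladder constant (486662 - 2) / 4
BASE_U = (9).to_bytes(32, "little")  # u-coordinate of the base point
MASK = 2**256 - 1

def clamp(scalar: bytes) -> int:
    """Decode a 32-byte private key and clamp it as RFC 7748 requires."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def cswap(swap: int, a: int, b: int):
    """Swap a and b when swap == 1 using a mask instead of a branch."""
    t = (-swap & MASK) & (a ^ b)
    return a ^ t, b ^ t

def ladder(scalar: bytes, u_bytes: bytes):
    """Return (u-coordinate of scalar*U as 32 bytes, ladder steps executed).

    Every key bit runs the same add-and-double step, so the step count never
    depends on the key. Python big integers are not constant time themselves;
    this models the schedule, not the timing of real hardware.
    """
    k = clamp(scalar)
    x1 = int.from_bytes(u_bytes, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap, steps = 1, 0, x1, 1, 0, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
        steps += 1
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    out = x2 * pow(z2, P - 2, P) % P
    return out.to_bytes(32, "little"), steps

def x25519(scalar: bytes, u_bytes: bytes = BASE_U) -> bytes:
    return ladder(scalar, u_bytes)[0]

def derive_aes128_key(shared: bytes) -> bytes:
    """Assumed KDF (not from the paper): SHA-256 of the secret, first 16 bytes."""
    if hmac.compare_digest(shared, bytes(32)):
        raise ValueError("all-zero shared secret: peer sent a low-order point")
    return hashlib.sha256(shared).digest()[:16]

def join_exchange(node_priv: bytes, server_priv: bytes):
    """Both sides publish k*G, then each combines its key with the peer's."""
    node_pub, server_pub = x25519(node_priv), x25519(server_priv)
    node_key = derive_aes128_key(x25519(node_priv, server_pub))
    server_key = derive_aes128_key(x25519(server_priv, node_pub))
    return node_pub, server_pub, node_key, server_key

if __name__ == "__main__":
    # os.urandom stands in for the 256-bit private keys drawn from the TRNG.
    _, _, node_key, server_key = join_exchange(os.urandom(32), os.urandom(32))
    print("AES-128 session keys match:", node_key == server_key)
```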


Gaoyu Mao received the B.Eng. degree in integrated circuit design and integration system from the School of Microelectronics, Shandong University, Jinan, China, in 2020. He is currently pursuing the Ph.D. degree with the Department of Electrical Engineering, City University of Hong Kong, Hong Kong.
He visited Zhejiang Laboratory, Hangzhou, China, from September to November 2022. His research interests include reconfigurable computing with FPGA, and cryptographic hardware design.

Yao Liu (Member, IEEE) received the B.S. and M.S. degrees in microelectronics from Fudan University, Shanghai, China, in 2008 and 2011, respectively, and the Ph.D. degree from the Department of Electrical Engineering, City University of Hong Kong, Hong Kong, in 2019.
Before he obtained a faculty job, he gained over-5-year working experience in IC industry and academia. He is currently an Assistant Professor with the School of Microelectronics Science and Technology, Sun Yat-sen University, Zhuhai, China. His research interests include FPGA prototyping and VLSI implementation for hardware security systems, computer architecture, and network systems.

Wangchen Dai received the B.Eng. degree in electrical engineering and automation from Beijing Institute of Technology, Beijing, China, in 2010, the M.A.Sc. degree in electrical and computer engineering from the University of Windsor, Windsor, ON, Canada, in 2013, and the Ph.D. degree in electronic engineering from the City University of Hong Kong, Hong Kong, in 2018.
After completing the Ph.D. study, he had appointments with the Hardware Security Laboratory, Huawei Technologies Company Ltd., Shenzhen, China, in 2018, and the Department of CSSE, Shenzhen University, Shenzhen, in 2020, respectively. He is currently working as a Senior Researcher with Zhejiang Laboratory, Hangzhou, China. His research interests include cryptographic hardware and embedded systems, fully homomorphic encryption, and reconfigurable computing.

Guangyan Li received the B.Eng. degree from the Department of Electrical Engineering, City University of Hong Kong, Hong Kong, in 2020, where he is currently pursuing the Ph.D. degree with the EE Department.
He joined the overseas internship scheme to the LIRMM, Montpellier, France, from June to August 2019. He was a research-based FYP student under the supervision of Dr. R. C. C. Cheung. His research interests include reconfigurable computing with FPGA, and hardware security.

Zhewen Zhang received the B.Eng. degree in electronics information science and technology from the School of Astronautics, Harbin Institute of Technology, Harbin, China, in 2020. She is currently pursuing the Ph.D. degree with the Department of Electrical Engineering, City University of Hong Kong, Hong Kong.
Her research interests include processor design and hardware security.

Alan H. F. Lam (Member, IEEE) received the B.Eng., M.Phil., and Ph.D. degrees from the Department of Mechanical and Automation Engineering, The Chinese University of Hong Kong, Hong Kong, in 1999, 2001, and 2004, respectively.
He is an Adjunct Professor with the Department of Electrical Engineering, College of Engineering, City University of Hong Kong, and the Department of Mechanical and Automation Engineering, Faculty of Engineering, The Chinese University of Hong Kong. His main research interest is in artificial intelligence, the Internet of Things, and the use of wearable motion sensors for sports science and medical applications.
Dr. Lam has won numerous prestigious local and international awards for product innovation and excellence. He was named one of the five local innovation heroes by the Hong Kong Science Park in 2014 for his excellence in research and development projects commercialization and was selected as one of the awardees of 2015 Hong Kong Ten Outstanding Young Persons.

Ray C. C. Cheung (Senior Member, IEEE) received the B.Eng. (Hons.) and M.Phil. degrees in computer engineering and computer science and engineering from The Chinese University of Hong Kong, Hong Kong, in 1999 and 2001, respectively, and the D.I.C. and Ph.D. degrees in computing from Imperial College London, London, U.K., in 2007.
He received the Hong Kong Croucher Foundation Fellowship for his postdoctoral research work with the Electrical Engineering Department, University of California at Los Angeles, Los Angeles, CA, USA, and completed his visiting fellowship with Princeton University, Princeton, NJ, USA. He is a Professor with the Department of Electrical Engineering, and an Associate Provost (Digital Learning) with the City University of Hong Kong, Hong Kong. His current research interests include cryptographic processor designs and embedded system designs.
Prof. Cheung served as the Technical Chair of FPT’02, the General Chair of ARC’12, and the General Co-Chair of FPT’22. He is currently the Treasurer of the IEEE Hong Kong Section.
