Abstract. Smaller, smarter and faster edge devices in the Internet of Things era demand secure data analysis and transmission under the resource constraints of the hardware architecture. Lightweight cryptography on edge hardware is an emerging topic that is essential to ensure data security in near-sensor computing systems such as mobiles, drones, smart cameras and wearables. In this article, the current state of memristive cryptography is placed in the context of lightweight hardware cryptography. The paper provides a brief overview of traditional lightweight hardware cryptography and cryptanalysis approaches. The article contrasts memristive cryptography with these traditional approaches and highlights the need for a more concrete approach to memristive cryptanalysis for testing memristive cryptographic schemes.
Introduction
The penetration of the internet into every aspect of our lives brings with it several challenges related to data security and privacy [112, 28]. Manipulation and misuse of data can have a substantial influence on the way we perceive and view our world [18, 104]. Cryptography [48] deals with encryption and decryption, while cryptanalysis [90] deals with the techniques to break encrypted systems. The existing cryptography methods [9] are largely based on mathematical theories designed for computational hardness, with the aim of making it difficult for an adversary to break into such systems.
The vulnerabilities of encryption techniques are often exposed through various side channel attacks [114, 16, 44] and through high performance computing tools. It is expected that future technologies such as quantum computing [87] can introduce massive parallelism that can make most encryption techniques look very weak. Given that the challenges in the years ahead are significant, it is important to address this topic from a hardware perspective in view of the post-quantum cryptography era [17]. Secure data processing in internet-connected edge devices requires the high speed and low power offered by hardware circuits, which the existing software-only counterparts cannot match [26].
Hardware based cryptography [84, 27] has been in use for several decades, as it offers a faster and more efficient way to generate keys and random numbers. In addition, when the logic is embedded in reconfigurable chips or in an ASIC, it is practically difficult to decode the logic or implement various side channel attacks [30]. The dynamic nature of such keys makes them extremely hard to break. With the advancement of wearable and internet of things devices, it becomes even more important to provide on-chip solutions that are area and power efficient [82]. Low power solutions are important as many of these wearables work on limited battery capacity, and often require secure data transmission [80]. Existing algorithm-only solutions are not efficient in such situations, and nano-electronic solutions become more viable.
e-mail: apj@ieee.org
arXiv:1906.00574v1 [cs.ET] 3 Jun 2019
In the last decade, there has been a substantial push towards more-than-Moore era technologies [39, 106], with a focus on emerging devices for non-traditional computing architectures and systems. This is required to overcome the limitations imposed by device scaling [45] and to meet the rapidly growing need for higher computational capabilities in edge devices [55]. In this review, we present the overall developments in hardware based cryptography with a specific focus on the use of memristor devices and networks. The importance of this topic lies in the intersection of the memristor's properties: it is an effective device for chaotic systems, it can switch states, and it has interesting properties that resemble the generalisation functions of a neuron and its networks.
The paper is organised into five sections: section 2 provides an introduction to memristors and memristor networks, section 3 provides background on lightweight cryptography, section 4 builds on the previous section to introduce memristor cryptography and section 5 concludes the paper.
Memristor networks
The memristor (Fig. 1(a,b)) remained an elusive circuit element for several decades, until it was claimed in 2008 that this missing circuit element had been found [93]. Since then, there has been a surge of memory devices deemed to fit into the broad category of memristors. They find applications as non-volatile memory and in modelling neural networks, chaotic circuits, signal processing, and cryptography. In several of these applications, the most popular memristor circuit configuration is the memristor crossbar (Fig. 1(c)), which can be used as a memory array and for dot-product computations.
Memristor in a nutshell
The memristor is considered a fourth fundamental circuit element [93, 22]. There have been arguments in the recent past for and against this assertion [100, 2]. Nonetheless, several useful behavioural properties make the memristor a very useful circuit element in practice [43, 37, 23]. In a recent paper, five enigmas of non-volatile memristor device theory [21] were proposed and proved. These enigmas summarise what we know today about the idealistic memristor device. In fact, modelling any realistic memristor with high accuracy is a very challenging task. The underlying reason is largely the material characteristics of the devices, which vary significantly from one device to another. The device level variability issues for the large majority of memristor devices are still not resolved well enough to validate them against mathematical models with accuracies similar to standard CMOS technology. Any simulation of memristors without variability analysis is incomplete and does not reflect a realistic implementation. In contrast, the variability of memristors specific to a manufacturing process is often useful for cryptographic applications such as generating random keys and physically unclonable functions.
Crossbar arrays
The crossbar latch [57] is one of the memristor array configurations that was shown to be useful for implementing various digital logic operations. The memristor crossbar array architecture can also be used for writing and reading the conductance values of the memristors, making it useful as a memory array. The crossbar architecture can also be used for building analog neural computing units. In a crossbar arrangement of memristors [73, 74, 101], the inputs are applied to the rows as voltage signals and the outputs are read as current signals. The current output is a weighted sum of the input voltages, where the weights correspond to the memristor conductances [50]. Mathematically, this is equivalent to a dot product operator, which is required for the weighted summation of inputs in each neural network layer [111, 56]. The two-terminal memristor devices are area efficient, and can help accelerate neural network computations at high speed and low power. The memristor crossbar can also be used as a regular memory array, with each memristor in the network capable of being programmed to several discrete resistive states [3, 63].
The variability of the memristor states from device to device under the same conditions and constraints is often considered a challenge for having stable analog memory [40, 91]. This makes the use of memristors as an analog memory in large crossbar arrays impractical; however, as discrete state devices and as binary state devices, they can be used effectively in small arrays. The crossbar also suffers from sneak path problems, parasitic resistors, and wire resistors, which further limit the scale of crossbar that can be implemented today [61, 54].
Lightweight cryptography
Cryptographic methods
Lightweight cryptography [29] works within the trade-offs between security, cost, and performance, and is focused on devices and systems at the edge. The increase in internet connected devices requires building smarter systems that are secure using low-cost hardware solutions. Symmetric and asymmetric ciphers are a major topic of study in hardware cryptography, each having a different set of applications. Hardware for asymmetric ciphers is more complex than for symmetric ones, and consumes more chip area and power. For example, in terms of computational complexity, a symmetric cipher such as the Advanced Encryption Standard (AES) [25] algorithm is about 1000 times faster than an optimised elliptic-curve cryptography [36] implementation, which is an asymmetric algorithm.
There exist several hardware implementations of ciphers in use today, such as Hight [38], Clefia [89], DESXL [81], DESL, SEA [72], Hummingbird [31], PRESENT [83], PRINTcipher [51], mCrypton [62], KLEIN [35], TWINE [97], SIMON [10], SPECK [10], PRINCE [14], PRIDE [4], LBLOCK [108], MIBS [41], Puffin [20], ESF [98], Piccolo [88], Khudra [53], etc., making this an emerging topic of study for edge devices. In addition, there are several requirements for AEAD [92] and hash functions [8] in lightweight cryptography: they should be useful for short messages, be optimised for resource constrained hardware, have efficient key preprocessing, apply to different platforms, and have low power, energy and latency. The resource constraints also mean that there is higher 'risk' in design, lower security margins, and a smaller number of components that can be targets of attacks.
Cryptanalysis methods
The analysis of cryptographic algorithms in general is known as cryptanalysis [86], and is an essential aspect of testing the reliability of a cryptographic system for practical use. The major classes of attacks [95] can be classified as those based on impossible differentials, guess-and-determine attacks, and attacks dedicated to a given method. In a classical differential attack [46], the difference between two outputs relative to the difference in plain text is tracked. In truncated differential attacks [52], changes to only part of the differences are predicted. Impossible differential attacks [49], on the other hand, use a differential with probability 0. The miss-in-the-middle technique [12] improves on this, and extending such approaches forward and backward can give information about key bits [103].
There have been numerous improvements to impossible differential attacks, such as multiple impossible differentials, choosing the changes correctly, state-test techniques, and improving the estimate of pairs [15]. Example applications of impossible differential attacks include a best attack on CLEFIA with 13 rounds [68], improved best attacks on Camellia [107], AES attacks comparable with the best meet-in-the-middle ones on 7 rounds [67], and LBlock with reduced rounds [47].
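An added example (not from the paper) of the quantities the differential attacks above work with, using the S-box of PRESENT, one of the ciphers listed earlier; the S-box constant comes from the cipher's public specification and the function names are illustrative. It builds the difference distribution table, lists the transitions with probability 0 (the local ingredient of an impossible differential), and reports output-difference bits that are fixed for a given input difference (a truncated view).

```python
# S-box of the PRESENT block cipher, taken from its public specification
# (the constant itself is not given on this page).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def difference_table(sbox):
    """table[din][dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def differential_probability(table, din, dout):
    """Probability that input difference din gives output difference dout."""
    return table[din][dout] / len(table)


def impossible_transitions(table):
    """Non-zero (din, dout) pairs that never occur: probability exactly 0."""
    n = len(table)
    return [(din, dout) for din in range(1, n) for dout in range(1, n)
            if table[din][dout] == 0]


def forced_output_bits(table, din):
    """Truncated view: (bits that always flip, bits that never flip) for din."""
    full = len(table) - 1
    always, ever = full, 0
    for dout, count in enumerate(table[din]):
        if count:
            always &= dout
            ever |= dout
    return always, full & ~ever


def single_bit_leaks(table):
    """Design check: 1-bit input differences that can give a 1-bit output."""
    one_bit = [1, 2, 4, 8]
    return [(a, b) for a in one_bit for b in one_bit if table[a][b]]


if __name__ == "__main__":
    t = difference_table(PRESENT_SBOX)
    print("best non-trivial probability:",
          max(max(row) for row in t[1:]) / len(t))
    print("impossible S-box transitions:", len(impossible_transitions(t)))
    print("din=0x1 -> (always, never) flipped bits:", forced_output_bits(t, 1))
    print("1-bit to 1-bit transitions:", single_bit_leaks(t))
```

A full impossible differential chains such zero-probability steps across several rounds; the table only shows where they originate in one S-box.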
The meet-in-the-middle [79] attack is a relatively old approach that has been improved over the years using partial matching [105], bicliques [13], sieve-in-the-middle [19], etc. This approach requires fewer data and is an applied tool. The bicliques method can be used to reduce the total number of computations, with the main focus being the acceleration of exhaustive search. Bicliques [42] have been used for attacks on PRESENT, LED, KLEIN, HIGHT, Piccolo, TWINE, and LBlock.
Merging-the-lists and dissection algorithms, such as those for divide-and-conquer and rebound attacks, find applications in ARMADILLO2 [1], ECHO256 [76], JH42 [77], Grøstl [70], Klein, AES-like, Sprout [59], and Ketje. Among the popular algorithm-specific attack schemes, such as those for PRESENT, the most effective approach has been multiple linear attacks using sieving, forward and backward computations [60].
Memristor cryptography
The majority of cryptography work based on memristor circuits aims for low power and compact on-chip solutions. Given that more and more devices are connected to the internet, such solutions are ideally suited to edge devices and can be considered within the class of lightweight cryptography solutions.
Chaotic systems
Due to its resistive switching behaviour, the memristor is an excellent choice for building chaotic circuits [75, 113]. The cryptographic applications [109] of chaotic circuits range from random number generators to modelling dynamic systems. The state equations of chaotic systems can be parameterised using the memristor device, which offers an area efficient way to implement chaotic oscillators and circuits. Chaotic systems can be used to build a chaotic encryptor and a chaotic decryptor for secure communication [5]. Memristor based chaotic systems also find application in image encryption [102].
The use of random numbers is essential to ensure the difficulty of breaking the majority of cryptographic systems used today, such as AES and RSA [71]. The ability to guess the pseudo random numbers generated by conventional techniques within these algorithms is a potential weakness that can be exploited by attackers. Chaotic random number generators [24] can overcome this issue by making it extremely difficult to predict the generated numbers.
Physical unclonable functions
Physical Unclonable Functions (PUFs) [64] built from electronic circuits have a unique microstructure that results from the variability introduced during semiconductor manufacturing. The physical variability is unpredictable, making it impossible to replicate the structure. PUFs are implemented using challenge-response authentication, which evaluates the underlying microstructure. For a given stimulus (the challenge), the microstructure reacts (the response) in an unpredictable but precise manner. The challenge-response pair (CRP) does not reveal the device structure and hence is resistant to spoofing attacks.
Cryptographic keys can also be obtained using key extractor PUFs. PUF hardware costs less than a ROM based CRP scheme that uses a table of responses to the challenges. Even with the same manufacturing process, the PUF will differ from one device to another, making it unclonable and making an unknown response difficult to compute. Without knowing all the physical properties, it is practically not possible to predict CRPs. This essentially means that PUFs are useful as unique signatures for edge devices, and are also useful for key generation and as a source of randomness.
The classical approaches to cryptography are often slow, energy consuming, and prone to various attacks. Physical unclonable functions [94] are hardware tokens that depend on the intrinsic behavior of memristor networks and map a challenge to a response. The public physical unclonable function (PPUF) [11, 65] is one of the prominent designs built using memristor crossbar arrays [85, 33, 69, 6, 99], and employs the non-idealities and characteristics of the memristor devices. Such PPUFs can be used for multiple party security using keys, authentication, time stamping, and bit commitments.
Arguably, the most important aspect that makes the memristor a suitable device for PUFs is the ability to have randomness within a memristor network, making it a good building block for a complex physical system for extracting secret keys. In the past, the Ring Oscillator PUF (ROPUF) [66], Arbiter PUF (APUF) [96], and SRAM (Static Random Access Memory) PUF (SRAM PUF) [34] used digital designs tested on FPGAs or ASICs. However, with scaling, these systems become unstable due to temperature dependence and practical signal integrity issues. Nanoelectronic systems such as those based on memristors could become popular for generating large sets of challenge-response pairs, as they prove to be area efficient and provide an option for generating more stable PUFs, such as within crossbar networks [110, 78]. The PUF design with memristors can also be extended to develop reconfigurable PUFs using different memristor network configurations, which helps generalise the PUF approach to a larger number of key exchange schemes [32].
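An added simulation (not from the paper or from any of the cited PUF designs) that ties the crossbar dot product described earlier to the challenge-response behaviour described here: row voltages times cell conductances give column currents, and device-to-device variability turns the same challenge into different responses on different chips. The array size, log-normal spread, read voltage, read-noise level and the adjacent-column comparator readout are all assumptions chosen for illustration.

```python
import random

ROWS, COLS = 16, 64      # assumed array size (constructed)
G_NOMINAL = 1e-4         # assumed nominal cell conductance, siemens
SIGMA = 0.2              # assumed log-normal device-to-device spread
V_READ = 0.2             # assumed read voltage, volts


def make_device(seed):
    """One chip: every cell's conductance varies around the nominal value."""
    rng = random.Random(seed)
    return [[G_NOMINAL * rng.lognormvariate(0.0, SIGMA) for _ in range(COLS)]
            for _ in range(ROWS)]


def column_currents(g, challenge):
    """Crossbar dot product: I_j = sum_i V_i * G_ij, with V_i = V_READ * bit_i."""
    return [sum(V_READ * bit * g[i][j] for i, bit in enumerate(challenge))
            for j in range(COLS)]


def response(g, challenge, noise=0.0, rng=None):
    """One response bit per adjacent column pair (assumed comparator readout)."""
    currents = column_currents(g, challenge)
    if noise:
        # Multiplicative read noise stands in for temperature and aging drift.
        currents = [c * (1.0 + rng.gauss(0.0, noise)) for c in currents]
    return [int(currents[k] > currents[k + 1]) for k in range(0, COLS, 2)]


def hamming_fraction(a, b):
    """Fraction of bit positions in which two responses differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def evaluate(n_devices=8, n_challenges=50, noise=0.01, seed=1):
    """Return (mean inter-device distance, mean intra-device distance)."""
    rng = random.Random(seed)
    devices = [make_device(1000 + d) for d in range(n_devices)]
    challenges = [[rng.randint(0, 1) for _ in range(ROWS)]
                  for _ in range(n_challenges)]
    inter, intra = [], []
    for c in challenges:
        ideal = [response(g, c) for g in devices]
        for a in range(n_devices):
            noisy = response(devices[a], c, noise, rng)
            intra.append(hamming_fraction(ideal[a], noisy))
            for b in range(a + 1, n_devices):
                inter.append(hamming_fraction(ideal[a], ideal[b]))
    return sum(inter) / len(inter), sum(intra) / len(intra)


if __name__ == "__main__":
    inter, intra = evaluate()
    print(f"inter-device distance: {inter:.3f} (ideal 0.5, uniqueness)")
    print(f"intra-device distance: {intra:.3f} (ideal 0.0, reliability)")
```

Raising `noise` shows the reliability concern directly: the intra-device distance grows towards the inter-device distance, at which point a chip can no longer be told apart from a different chip.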
Hash functions
The memristor crossbar can be used to build encrypted messaging systems, such as MemHash [58, 7]. In MemHash, the original message is wrapped with a prefix and a suffix. This message is then passed through a scrambler that is a linear function of the input bits, the cycle count and a random value read from the crossbar array. The result is used to generate an address and a value to write to the crossbar array. For the subsequent cycles, a differential read circuit is used to provide the input to the scrambler and to read back the signature.
The feasibility of using such hash functions in realistic systems requires further tests, as the quality of the crossbar devices can affect how they are used in hashing based algorithms. Interface circuits such as the differential read block, if inaccurate, can have a significant impact on the performance of hash functions generated using MemHash systems. Nonetheless, this approach will be useful as the technology matures and process related issues are resolved.
Open challenges
Reliability issues. There exist several open challenges in this area of work. The field of memristor cryptography is challenged by the reliability issues of memristor devices. The device and process variability in memristor crossbars is a useful aspect of the design of most memristor cryptographic systems. However, there are several practical reliability issues that are not usually accounted for in the design, such as the effects of aging, state variability, signal integrity and electromagnetic issues.
Variability. The integration of CMOS circuits with memristor arrays in a cryptography chip is not a trivial task. Since the variability of a non-ideal memristor crossbar from one chip to another can be high, the process related variability that acts as an encoding signature expected from these devices would be hard to replicate under the effect of aging and temperature changes.
Architecture robustness. The system integration and architecture for memristor cryptography is another open problem. While there are a few classes of architectures, such as those based on PUFs and hash functions, they could be prone to side channel attacks when the designs are of small scale. Further, communication errors on-chip and off-chip can be explored by adversaries to model the behaviour of the encryption scheme.
Hardware acceleration. The speed-up of traditional hardware implementations of cryptography algorithms is an ongoing challenge for edge devices. There are dedicated cryptography chips that are incorporated as co-processors in modern commercial edge devices. These co-processors use digital gates and random number generators, which could in future be efficiently implemented with memristor threshold logic gates and chaotic generators.
Neural cryptography. Neural cryptography is an emerging field of study that is yet to be proven as a useful cryptography solution. In this approach, the human is kept out of the loop, while the encryption, decryption and adversaries are all neural network machines. Given that several different types of neural networks can be implemented with memristor crossbar arrays, it is possible to build and deploy memristive neural cryptography solutions in the upcoming years.
Discussions and concluding remarks
Hardware security primitives are required to provide on-chip solutions that work at high speeds and provide an additional layer of security, as it is difficult to physically identify the on-chip circuits, which reduces the chance of an attacker cracking such systems. However, as a note of caution, the cryptanalysis of memristor cryptographic systems is not a developed field. Dedicated attacks need to be investigated further. The design risk, low security margin, and smaller number of components in memristor systems offer certain room for attacks. These systems are not yet fully tested for practical use.
The use of memristor circuits in traditional lightweight cryptographic methods for edge devices is an important and open problem. Since memristor networks can serve as associative memories, they could be incorporated into different algorithmic cryptographic methods. Memristor circuits are also a good source for random key generation, which can make them useful for various traditional cryptographic methods.
Memristor behaviours are hard to replicate under realistic conditions. This makes the memristor a good candidate for PUFs. On the other hand, the impact of reliability, the number of write-erase cycles, stability and interconnect issues is not very well studied for the practical purpose of building memristive cryptographic chips. The cryptanalysis of such hardware issues is nearly unstudied at this stage in a practical context, and substantial progress is required for memristive chips to be of realistic use in modern cryptography.
Author contribution statement
All contributions in the writing of this paper were made by A.P. James.
