A Scoping Study on Lightweight Cryptography Reviews in IoT

The efforts in designing and developing lightweight cryptography (LWC) started a decade ago. Many scholarly studies in literature report the enhancement of conventional cryptographic algorithms and the development of new algorithms. This significant number of studies resulted in the rise of many review studies on LWC in IoT. Due to the vast number of review studies on LWC in IoT, it is not known what the studies cover and how extensive the review studies are. Therefore, this article aimed to bridge the gap in the review studies by conducting a systematic scoping study. It analyzed the existing review articles on LWC in IoT to discover the extensiveness of the reviews and the topics covered. The results of the study suggested that many review studies are classified as overview-types of review focusing on generic LWC. Further, the topics of the reviews mainly focused on symmetric block cryptography, while limited reviews were found on asymmetric-key and hash in LWC. The outcomes of this study revealed that the reviews in LWC in IoT are still in their premature stage and researchers are encouraged to explore by conducting review studies in the less-attended areas. An extensive review of studies that cover these two topics is deemed necessary to establish a balance of scholarly works in LWC for IoT and encourage more empirical research in the area.


Introduction:
The fast development in information and communication technology has witnessed the emergence of the Internet of Things (IoT), a technology in which electronic devices and electrical appliances are interconnected and are able to transfer data (1,2). IoT is expected to facilitate and automate information exchange to a broader context of data communication (3,4) which consequently improves the quality of life (5-7) and business processes (8). IoT applications cover smart homes (9), smart cities (10), smart vehicles (11), healthcare (12), smart grids (13), and smart farming (14), to mention a few. They mainly use sensors and wearable devices that are capable of communicating with each other and other devices in a network. Sensors and wearable devices are resource-constraint in which they are powered up by batteries and have limited processing and storage capabilities.
In terms of data communication, sensors and devices in IoT work in a way similar to mobile and wireless communication. Therefore, they are also susceptible to security threats and attacks which require similar approaches for protection (15,16). For example, data are required to be in an encrypted form when they are transferred in the network to protect their confidentiality and secrecy (17). It is commonly known that cryptographic systems are a suitable approach for protecting data confidentiality, secrecy and authenticity. However, conventional cryptographic systems are complex and use high computational power, making them not suitable for resource-constraint devices within the IoT environment (18). Due to the limitations in the IoT resource-constraint devices, there is a need for lightweight cryptography (LWC) to address the issue (19). Generally, cryptography is a study of data encoding and decoding using logical and mathematical principles to protect the secrecy of information (20,21). The encoding and decoding processes are also called encryption and decryption respectively. In an IoT environment, the LCW is a crucial component that protects the data exchanged between interconnected devices from spoofing and modification attacks.
In supporting the need for LWC in IoT, the National Institute of Standards and Technology (NIST) has started developing a standard for LWC algorithms to be used within resource-constrained devices. The call for algorithms was published, and currently, the process for developing a standard for LWC is taking place. Apart from that, many scholarly studies were also conducted a decade ago by researchers in the area to design LCW algorithms suitable for an IoT environment. The significant number of scholarly works increased the review and survey studies reported in the academic databases. These review studies shared a common aim in providing a basic understanding of LWC in IoT and its state-of-the-art. Academic papers reporting on LWC in IoT are beneficial for researchers to acquire information about the domain systematically more quickly than performing research from scratch. The increase in the number of review studies also indicates that the domain is constantly being developed with many new studies emerging, and more improvements being added to the literature.
Due to the vast number of review studies on LWC in IoT being available in academic databases, it is not clear what the studies cover and how extensive the review studies are. Therefore, this study aims to bridge the gap in the review studies by conducting a scoping study to answer the two questions stated above. The outcome of this scoping study could suggest the areas of studies on LWC in IoT that have received much and also less attention. Consequently, it may encourage researchers to explore the potential of conducting review studies in the less-researched areas. Hence, the next section of this article describes the methodology for conducting the scoping study, and the results are described in the following section. Finally, the last section concludes the study.

Methodology:
The main objective of this study is to provide an in-depth coverage of available review studies on LCW within the IoT environment. A scoping study following the method proposed by Arksey and O'malley; and Pham et al. was conducted to identify the review studies related to LWC (22,23). The method is presented in Figure 1. It comprised five stages: identifying the research questions (RQ), identifying relevant studies, selecting the relevant studies, sorting and documenting the data, and finally, summarising and reporting the results. In Stage 1 (i.e. identify the RQ), two RQs were formulated to guide the scoping study. They aimed to investigate: "What are the topics covered by the review studies?" (RQ1) and "How extensive are the studies in covering the various aspects of LCW in IoT?" (RQ2). Based on the specified RQs, this study identified the keywords that would be used in the database search for Stage 2 of the method (i.e. identify the relevant studies). The keywords were "lightweight (cryptography OR encryption OR cipher) + IoT + (review OR survey)." An initial search from the database in the middle of February 2020 returned approximately 4080 documents. A filtering process was conducted on the search results by analyzing the abstracts of the documents. Three key elements were identified in the abstracts that were selected; (a) review articles, (b) reporting lightweight implementation of the cryptography techniques and (c) in the IoT domain. Only studies that reviewed lightweight cryptography techniques within the IoT environment were selected. At the end of the filtering process, irrelevant documents were discarded. Documents that reported empirical research in LWC within IoT were also discarded.
Finally, only forty-nine documents were selected for content analysis in the next stage of the scoping study method. In Stage 3 (i.e. select the relevant studies), a full-text document search was conducted to identify whether the review studies were relevant to LCW in IoT. Eight documents were not included in the scoping studies because (a) four documents were duplicated, (b) three documents had no full content published on the Internet, and (c) one document was not relevant as it reviewed hardware implementation. Therefore, forty-one review studies were selected for further analysis, as listed in Table 1. In Stage 4 (i.e. sort and record the data), the full-text of the contents of the documents was analyzed and reported in the next section.   extensiveness of the studies in covering the various aspects of LCW in IoT (RQ2).

Background of the Selected Review Studies
Forty-one documents were found reporting on review studies related to LWC in IoT. They included twenty articles published in journals, fifty articles published in conference proceedings, five chapters in a book, and one technical report. Figure  2 shows a pie chart representing the types of documents reporting the reviews of LCW in IoT.

Figure 2. Types of Documentr Reportingr Reviews on LCW in IoT
One hundred and seventeen authors authored the forty-one review studies with 111 unique authors. Authors like Biryukov, Beheshti, Manifavas, Hatzivasilis, Fysarakis and Asif had their names on two documents (19,27,32,35,40,45,49). Further, this study analyzed the country of the first author of the selected review studies. The result of the analysis suggested that seventeen of the first authors were from India, three from the United Kingdom (UK) and two from Malaysia, the United States of America (USA), the United Arab Emirates (UAE), Luxembourg, Pakistan and Iraq, while countries like Bangladesh, China, Jordan, Greece, Spain, Iran, Saudi Arabia, Mexico, and South Korea had one first authoreach. Table 2 lists the first authors' countries.

RQ1 -The Topics Covered bythe Review Studies
Katz and Lindell defined cryptography as a scientific study of techniques for securing digital information, transactions and distributed computations (64). Stalling categorized modern cryptography into three categories: symmetric-key, asymmetric-key and hash function (65). The symmetric-key can be divided into block and stream cryptography. Symmetric key cryptography uses a shared secret key to encrypt and decrypt messages. The asymmetric-key is also known as public-key cryptography which uses a public key and a secret key for encryption and decryption respectively. A hash function returns the hash value of a message that can be used to check that the message is not altered. These three classifications of cryptography have been used in modern computer systems since the 1970s. Apart from these three generic classifications, cryptography is operable and is implemented through unique algorithms that efficiently run a computing environment. Data Encryption Standard (DES) and Advanced Encryption Standard (AES) and This scoping study analyzed the types of cryptography that the review studies had covered. The results of the analysis suggest that 36% of the review studies focused on generic cryptography which covered symmetric, asymmetric and hash, as well as the associated algorithms. Next, 32% of the review studies surveyed symmetric block cryptography. These two areas are the most popular areas of review studies reported in the academic database and appear every year since the LWC in IoT started. There are also review studies that generally report their findings on general symmetric cryptography, cryptographic algorithms and cryptographic methods. A review study also surveyed symmetric stream cryptography, pseudorandom number generators, elliptic curve cryptography and public-key cryptography. Table 3 lists the number of review studies for the corresponding areas of LCW in IoT. This scoping study further analysed the information to see how the existing review studies cover the cryptography domain areas. A hierarchical diagram of LCW in Figure 4 represents the overall coverage of the exiting review studies. Many review studies were conducted on the generic LWC in IoT as well as the symmetric block cryptography. These two are the most popular areas of the review studies on LWC in IoT. On the other hand, the diagram shows that a limited number of review studies on LCW in IoT that were conducted on symmetric stream cryptography, asymmetrickey cryptography, and hash. The asymmetric-key cryptography i is commonly used in authentication schemes to exchange secret key encryption (66 -68). Therefore, they might use other keywords that are not included when the academic database performed the search.

. Number of Review Studies Based on the Cryptography Classification
The analysis conducted on the forty-one documents suggested that researchers in the area mainly focused on the generic LWC and symmetric block cryptography in their review studies. Unlike these two topics, other areas of cryptography had limited attention in terms of the review studies. This answers the RQ1 of this scoping study.

RQ2 -The Extensiveness of the Studies in Covering Various Aspects of LCW in IoT
This section describes the answer to the second RQ on: "How extensive are the studies in covering the various aspects of LCW in IoT?". In answering this RQ, this study analyzed the selected review studies on LWC in IoT and classified them into one of the fourteen types of review studies suggested by Grant and Booth (69). The fourteen types of review studies are listed in Table 4.

Num.
Type of review Description 1 Critical review A review paper in which the authors performed extensive research in the literature and evaluated the quality of the study critically. 2 Literature review A review paper in which the authors examined recent or current literature. 3 Mapping review/ systematic map A review paper in which the authors classified existing literature to identify gaps in the literature. 4 Meta-analysis A review paper in which the authors integrated and analyzed the results of quantitative studies statistically which demonstrated the combined effect of the results. 5 Mixed studies review/mixed methods review A review paper in which the authors combined literature review with other review approaches, for example combining quantitative with qualitative research. 6 Overview A review paper in which the authors summarised the literature by providing the characteristics of a topic. 7 Qualitative systematic review/ qualitative evidence synthesis A review paper in which the authors compared the findings from qualitative studies and identified the themes or constructs underpinning the individual qualitative studies. 8 Rapid review A review paper in which the authors appraised a known current issue using a systematic review. 9 Scoping review A review paper in which the authors evaluated the potential size and scope of the available research literature to find the nature and extent of research evidence. 10 State-of-the-art review A review paper in which the authors addressed more current matters in a topic to provide new perspectives on an issue or suggest an area for further research. 11 Systematic review A review paper in which the authors searched, appraised, and synthesized research evidence systematically. 12 Systematic search and review A review paper in which the authors integrated critical review with a comprehensive search process to generate a piece of comprehensive evidence. 13 Systematized review A review paper in which the authors performed the process of doing a systematic review, however reporting the finding in a shorter and simpler version of the systematic review 14 Umbrella review A review paper in which the authors compiled evidence from multiple reviews into one accessible and usable document. In classifying the review studies, this study used the Search, Appraisal, Synthesis, and Analysis (SALSA) framework (69). The results of the classification revealed that fifteen studies were classified as overview studies, nine studies were literature reviews and critical reviews, five studies were systematic reviews and three studies were state-of-the-art review. The bar chart in Figure 5 shows the classification of the review studies.

Reviews on LCW in IoT According to Types of Review Study
This study also calculated the number of references for each of the review study. A total of 2236 references were cited and referred to in the forty-one studies. However, this study did not count the unique number of references from this number. Further, this study listed eight review studies with the number of references exceeding a hundred as listed in Table 5. This scoping study believes that these review studies can be used as a starting point for researchers to understand LWC in IoT as they have a higher coverage of references and the types of review that they reported in the respective studies varied covering literature reviews (2 studies), state-of-the-art reviews (2 studies), systematic reviews (3 studies) and critical review (1 study). This study also collected the number of citations received by each paper in the Google Scholar (as of Mid-February 2020). All papers received substantial citations except for the study by Dhanda, Singh, and Jindal (2020), as the paper was newly published when this scoping study was conducted. This scoping study also looked into the extensiveness of the review studies of LCW in IoT based on the types of review studies and the number of documents or references included in the reviews. Classification of the review studies using the SALSA framework demonstrated that 36% of the review studies provided overviews of the various aspects of LCW in IoT. About 20% provided a more comprehensive coverage of the reviews in which they provided literature reviews. The critical review also contributed 20% of the review studies. The rest covered the systematic review and the state-of-the-art review. The number of references or documents included in the selected review studies, covered various numbers, as low as eight to the highest of two hundred. The types of review studies had a relationship with the number of documents or articles listed in the reference section of the respective study. For example, the review study by Kong, Ang, and Seng (25) had 200 references for the literature review while Patil, Banerjee, and Borkar (62) had only eight references for their overview study. Hence, the outcome of this analysis answers RQ2. The result of the scoping study suggests that many review studies focused on the areas of generic cryptography and symmetric block cryptography. Nevertheless, limited review studies were found on symmetric stream cryptography, asymmetric-key cryptography and hash for achieving LWC in IoT. Further, more than a quarter of the selected review studies reported on the overview of the cryptographic concept, which is beneficial in obtaining a basic understanding of the area. Literature review and critical review also contributed to the LCW literature, with approximately forty percent of the total number of review studies. However, the results of this scoping study reveal that a limited number of systematic reviews and the state-of-the-art reviews were conducted in the area of LCW in IoT. State-of-theart reviews are a beneficial source of reference that can provide other researchers with information on recent fundamental advances related to LCW in IoT. It can be a starting point for further improvements that can lead to advancement in the area.

Conclusion:
The cryptography domain is considered monumental which can be applied in various domains including the emerging IoT environment. However, conventional cryptography is not working efficiently in IoT to lead to active developments in LCW. The increase in the number of review studies also indicates that the domain is constantly developing with many new studies emerging, and more improvements being added to the literature. The review studies on LCW in IoT are good sources of knowledge, especially to those who are new to the domain and to researchers who intend to obtain a general understanding of this domain. However, a significant number of review studies lead to essential questions, such as the topics that are covered by the studies and their level of extensiveness. Hence, a scoping study was conducted to seek answers to these questions. This scoping study revealed that more review studies are needed in the domain to cover specific areas of cryptography, especially on asymmetric-key cryptography and hash. Further, this study also believes that review studies should be conducted to cover specific instances of IoT technology rather than the generic ones. A few review studies covered the suitable cryptography approach for RFID, wireless sensor networks and smart homes. A similar review on other IoT technology instances could help understand the practicability of cryptography in particular instances. Review studies could also be conducted to analyze LWC for specific purposes in IoT such as authentication schemes.