Kong Wonbae1
Choi Piljoo2
Kim Dong Kyue1
-
(Dept. of Electronic Engineering, Hanyang University, 222 Wangsimni-ro, Seongdong-gu,
Seoul 04763, Korea )
-
(Dept. of IT Convergence and Application Engineering, Pukyong National University,
45, Yongso-ro, Nam-gu, Busan 48513, Korea)
Copyright © The Institute of Electronics and Information Engineers(IEIE)
Index Terms
Application-specific integrated circuit (ASIC), lightweight ciphers, cryptographic, hardware implementation, digital circuit
I. INTRODUCTION
Devices protect their data and authenticate themselves on the network using cryptographic
services. These services require a large amount of computing power, which can lead
to the degradation of CPU performance. Although this can be avoided by using hardware
cryptoprocessors, some tiny devices, such as IoT sensors, have highly constrained
resources available for cryptoprocessors. For example, low-cost RFID requires an area
with a total of 1000–10,000 gates, of which only 200–2000 gates can be used for cryptographic
services (2). In such a constrained environment, conventional cryptographic algorithms are unsuitable.
Even the low-area design of the advanced encryption standard (AES) (3), which is a widely used symmetric block cipher, requires at least approximately 2000
gates (4). Therefore, lightweight cryptographic algorithms with a smaller size and lower power
consumption than conventional ones have been proposed in recent years.
Lightweight cryptographic algorithms are divided into the following classes: stream
ciphers, block ciphers, hash functions, and message authentication codes (MACs). Among
these, we focused on the hardware implementation of block ciphers and investigated
the suitability of hardware block ciphers for IoT sensors depending on the communication
method. The contributions of this study are as follows
We analyzed the performance requirements of block ciphers for IoT sensors.
We implemented lightweight block ciphers under the same conditions for a fair comparison
Based on our performance requirements and implementation results, we determined the
suitability of lightweight block ciphers for IoT sensors.
Table 1. Block sizes, key sizes, the number of rounds, network types and operations
of lightweight block ciphers
|
Algorithm
|
Block size
|
Key size
|
Rounds
|
Network type
|
Key storing
|
Operations
|
|
SIMON (5)
|
32, 48, 64,
96, 128
|
64, 72, 96, 128,
144, 192, 256
|
30–72
|
Feistel-1:2$^a$
|
O
|
ARX (AND, Rotation, XOR)
|
|
SPECK (5)
|
22–34
|
Feistel-like
|
O
|
ARX (Addition, Rotation, XOR)
|
|
SIMECK (6)
|
32, 48, 64
|
64, 96, 128
|
30, 36, 44
|
Feistel-1:2$^a$
|
O
|
ARX (AND, Rotation, XOR)
|
|
CHAM (7)
|
64, 128
|
128, 256
|
80, 96
|
Feistel-1:4$^a$
|
X
|
ARX (Addition, Rotation, XOR)
|
|
LED (8)
|
64
|
64, 80, 128
|
32, 48
|
SPN
|
X
|
ARK, AC, SC, SR, MCS$^b$
|
|
Piccolo (9)
|
64
|
80, 128
|
25, 31
|
Feistel-2:4$^a$
|
X
|
S-box, Diffusion, XOR, Permutation
|
|
TWINE (10)
|
64
|
80, 128
|
36
|
Feistel-8:16$^a$
|
O
|
S-box, XOR, Permutation
|
$^a$Feistel-$x$:$y$ is a Feistel structure with $y$ branches and $x$ round functions
$^b$AddRoundKey, AddConstants, SubCells, ShiftRows, and MixColumnsSerial, respectively
Because the throughput and power consumption required by IoT sensors largely depend
on their communication methods, we investigated popular communication methods that
are used for IoT sensors, such as ultra-high-frequency (UHF) and high frequency (HF)
RFID, and their performance requirements. IoT sensors with RFID are widely used in
various fields; for example, logistics monitoring sensors in the e-manufacturing system
(11), real-time biosensors reporting patients' status in healthcare (12), and smart-dust sensors (13) collecting various environmental data. Since most of these IoT sensors use limited
power generated by RFID, they have simple microcontrollers, small memory, sensing
modules, RFID modules, and security modules.
In addition, to allow for fair performance comparison, we implemented lightweight
block ciphers in hardware using the same application-specific integrated circuit (ASIC)
technology library instead of simply referencing other researchers’ results obtained
using different field-programmable gate array (FPGA) families (14,15) or using different ASIC technology libraries for performance comparison (16-20). Our performance requirements and implementation results show which block ciphers
deliver the best performance and which block ciphers are suitable for IoT sensors.
Table 2. The common operations in the block ciphers
|
Operation
|
Description
|
|
⊕
|
Bitwise exclusive-or (XOR)
|
|
⊞
|
Modular addition
|
|
$ROL_i$
|
i-bit left rotate shift
|
|
$ROR_j$
|
j- bit right rotate shift
|
The organization of this paper is as follows. Section II describes the lightweight
block ciphers we discuss in this paper. Section III explains the hardware structure
of these cyphers. Section IV presents the performance required for IoT sensors using
RFID communication, the implementation results of block ciphers, and their suitability
for IoT sensors using RFID communication. Finally, Section V concludes this paper.
II. PRELIMINARIES
In this section, we describe lightweight block ciphers that are suitable for hardware
implementation, including SIMON (5), SPECK (5), SIMECK (6), CHAM (7), LED (8), Piccolo (9), and TWINE (10), but excluding RC5 (21), TEA (22) and XTEA (23), which are designed for constrained software environments. The information of these
ciphers is summarized in Table 1. The common block and key sizes in Table 1 are 64 and 128 bits, respectively, and their structure for these sizes is represented
in Fig. 1. Compared to AES, which has 128-bit block size and 128-, 196-, and 256-bit key sizes,
the lightweight block ciphers have shorter blocks and key sizes and simpler operations
as shown in Table 2, and the security strength that may be weakened by shorter keys and simpler operations
is compensated by more rounds. For example, AES requires 10 rounds for the 128-bit
key, whereas lightweight block ciphers require more than 20 rounds for the same key
size, where the key size typically represents the security strength.
Fig. 1. Encryption structure of (a) SIMON and SIMECK, (b) SPECK, (c) CHAM, (d) LED,
(e) Piccolo, (f) TWINE.
▪ SIMON and SPECK (5) support various lengths of block and key sizes: 32, 48, 64, 96, and 128 bits for
the block size and 64, 72, 96, 128, 144, 192, and 256 bits for the key size. Both
block ciphers have two branches, but the Feistel-like structure of SPECK does not
rotate the branches at each round, as shown in Fig. 1(b), which differs from the classical Feistel structure of SIMON, as shown in Fig. 1(a). In addition, SIMON has 44 rounds and performs AND, rotation, and XOR operations,
whereas SPECK has 27 rounds and performs an addition instead of an AND operation.
Details of their operations are listed in Table 3.
▪ SIMECK (6) is similar to SIMON, except that it supports fewer block and key sizes than SIMON,
and the number of rounds is different, as shown in Table 1 and Fig. 1(a). The round function is slightly different, as detailed in Table 3.
▪ CHAM (7) is a 64- and 128-bit block cipher, which uses 128- and 256-bit key sizes. CHAM has
a four-branch Feistel structure, which is shown in Fig. 1(c) and performs addition, rotation, and XOR operations, as listed in Table 4. CHAM has 80 and 96 rounds. CHAM has key scheduling; however, round keys can be calculated
immediately from the input key value. Consequently, CHAM does not need flip-flops
(FFs) to store key values that are updated during key scheduling.
Fig. 2. Serial-based structure of (a) SIMON and SIMECK, (b) TWINE.
▪ LED (8) is a 64-bit block cipher with a 64-, 80-, or 128-bit key and has 48 rounds. Among
the lightweight block ciphers covered in this paper, only LED has a substitution permutation
network (SPN) structure. The encryption structure of LED is shown in Fig. 1(d). The structure and transformations of LED are similar to those of AES, which is one
of the most popular block ciphers and has an SPN structure. The most significant difference
from AES is that LED has no key scheduling. LED directly selects and uses some bits
from the key input at each round; thus, like CHAM, LED does not require key storing
FFs.
▪ Piccolo (9) is a 64-bit block cipher with an 80- or 128-bit key and has 25 or 31 rounds depending
on the key size. Piccolo has a Feistel structure with four branches and two round
functions. Each round function performs XOR and F-Function operations. An F-Function,
expressed as $F_{0}(x)$ in Table 5, has two S-box layers and a diffusion function, and each S-box layer consists of
four 4-bit S-boxes. After the round function, 64-bit data are divided into 8-bit sub-blocks,
and the sub-blocks are permutated. The entire structure of encryption is shown in
Fig. 1(e). Similar to CHAM and for the same reason, Piccolo does not require key-storing FFs.
▪ TWINE (10) is a 64-bit block cipher with an 80- or 128-bit key and the structure is similar
to Piccolo, as shown in Fig. 1(f). Only the number of rounds, branches, and round functions are different, and TWINE
has simpler round functions, which consist of XOR and S-box. Details of its round
operations are listed in Table 5.
Table 3. Round operations of SIMON, SPECK, and SIMECK
|
Algorithm
|
$L_{i+1}$
|
$R_{i+1}
|
|
SIMON$^1$
|
$f_0 (L_i )⊕R_i⊕k_i$
|
$L_i$
|
|
SPECK
|
$(ROR_α (L_i )+R_i )⊕k_i$
|
$L_(i+1)⊕ROL_β (R_i)$
|
|
SIMECK$^2$
|
f_1 (L_i )⊕R_i⊕k_i
|
$L_i$
|
$^{1}f_0 (X)=(ROL_1 (X)\text{&}ROL_8 (X))⊕ROL_2 (X)$
$^{2}f_1 (X)=(L_i\text{&}ROL_5 (L_i ))⊕ROL_1 (L_i )$
Table 4. Round operations of CHAM
|
Algorithm
|
$X_{i+1, 0}$
|
$X_{i+1,1}$
|
$X_{i+1,2}
|
$X_{i+1,3}$
|
|
CHAM$^1$
|
$X_{i,1}$
|
$X_{i,2}$
|
$X_{i,3}$
|
$f(X_{i,0},X_{i,1},k_{i})$
|
$^{1}f(X_{i,0},X_{i,1},k_i )=ROL_b ((X_{i,0}⊕C_i )+(k_i⊕ROL_a (X_{i,1} ))))$ where
$(a,b)=(1,8)$ for odd rounds and $(a,b)=(8,1)$ for even rounds
Table 5. Round operations of LED, Piccolo, and TWINE
|
Algorithm
|
Round operation
|
|
LED$^{1,2,4}$
|
\begin{array}{c}
X_{i, 0}^{\prime}=S\left(k_{i, 0} \oplus X_{i, 0} \oplus C_{0}\right) \\
\ldots \\
X_{i, 15}^{\prime}=S\left(k_{i, 15} \oplus X_{i, 15} \oplus C_{15}\right) \\
X_{i+1,0}|\ldots| X_{i+1,15}=M C\left(S R\left(X_{i, 0}^{\prime}|\ldots| X_{i, 15}^{\prime}\right)\right.
\end{array}
|
|
Piccolo$^{1,2}$
|
\begin{array}{c}
X_{i, 1}^{\prime}=X_{i, 1} \oplus F_{0}\left(X_{i, 0}\right) \oplus r k_{2 i} \\
X_{i, 3}^{\prime}=X_{i, 3} \oplus F_{0}\left(X_{i, 2}\right) \oplus r k_{2 i+1} \\
X_{i+1,0}\left|X_{i+1,1}\right| \ldots\left|X_{i+1,3}=R P\left(X_{i, 0}\left|X_{i,
1}^{\prime}\right| X_{i, 2} \mid X_{i, 3}^{\prime}\right)\right.
\end{array}
|
|
TWINE$^{1,3}$
|
\begin{aligned}
X_{i, 2 j+1}^{\prime}=& S\left(X_{i, 2 j} \oplus r k_{i}\right) \oplus X_{i, 2 j+1}
\\
& \text { for } 0 \leq j<8 \\
X_{i+1,0}|\ldots| X_{i+1,15}=& R P\left(X_{i, 0}\left|X_{i, 1}^{\prime}\right| \ldots\left|X_{i,
14}\right| X_{i, 15}^{\prime}\right)
\end{aligned}
|
$^1$$A|B$: concatenation of $A$ and $B$
$^2$$MC(SR(X))$ where MC is MixColumns and SR is Shift Rows
$^3$$F_0 (X)=SL(DF(SL(X)))$ where SL is S-box layer and DF is a diffusion function
$^4$$S(X)$ is 4-bit S-box
Table 6. Compared hardware requirement of frequency type
|
Band
|
Range (m)
|
Operating freq. (MHz)
|
Throughput (kbps)*
|
Power (μW)
|
Prioritized performance
|
|
UHF (866 to 960 MHz)
|
3 to 10
|
1.5 to 2.5
|
> 1641
|
< 20 @ 2 MHz
|
High speed
|
|
HF (13.56 MHz)
|
< 0.1
|
0.1
|
> 3.56
|
< 22.5 @ 100 kHz
|
Low cost
|
*1641 kbps = 64 bits × 2 MHz / 78 clock cycles (24), and 3.56 kbps = 64 bits / 18 ms (25).
Table 7. Implementation results of round- and serial-based structure for 64-bit block
size and 128-bit key size
|
Algorithm
|
Our results (Round-based)
|
Our results (Serial-based)
|
Area (GE) in other research
|
|
Area
(GE)
|
TP
(kbps)
|
Power
(μW)
|
Area
(GE)
|
TP
(kbps)
|
Power
(μW)
|
Reference
|
Tech.
(nm)
|
Round-
based
|
Serial-
based
|
|
@ 2 MHz
|
@ 100 kHz
|
@ 2 MHz
|
@ 100 kHz
|
@ 2 MHz
|
@ 100 kHz
|
@ 2 MHz
|
@ 100 kHz
|
|
SIMON
|
1728
|
2666
|
133.33
|
24.00
|
1.38
|
1203
|
83.33
|
4.17
|
18.10
|
1.04
|
DAC ’15 (5)
|
IBM 130
|
1415
|
958
|
|
SPECK
|
1968
|
4129
|
206.45
|
23.00
|
1.38
|
1263
|
68.97
|
3.45
|
17.70
|
1.02
|
DAC ’15 (5)
|
IBM 130
|
1658
|
996
|
|
SIMECK
|
1689
|
2666
|
133.33
|
22.60
|
1.35
|
1191
|
83.33
|
4.17
|
18.00
|
1.04
|
CHES ’15 (6)
|
IBM 130
|
1365
|
924
|
|
CHAM$^{NK}$
|
928
|
1600
|
80
|
12.04
|
0.60
|
742
|
100
|
5
|
8.22
|
0.41
|
ICISC ’17 (7)
|
IBM 130
|
826
|
665
|
|
LED$^{NK}$
|
1658
|
2666
|
133.33
|
17.67
|
0.88
|
1022
|
68.38
|
3.42
|
9.70
|
0.59
|
CHES ’11 (8)
|
UMC 180
|
3036
|
1265
|
|
Piccolo$^{NK}$
|
1539
|
3878
|
193.93
|
17.00
|
1.08
|
913
|
242.42
|
12.12
|
9.00
|
0.55
|
CHES ’11 (9) $^{NK}$
|
130
|
1197
|
758
|
|
TWINE
|
1783
|
3555
|
177.77
|
22.60
|
1.35
|
1552
|
396.3
|
19.81
|
20.89
|
1.04
|
SAC ’12 (10)
|
90
|
1866
|
-
|
$^{NK}$has no FF for storing key
III. HARDWARE STRUCTURE OF CIPHERS
This section presents two of the hardware structures of the lightweight block ciphers
shown in Table 1 with a 128-bit key and 64-bit block sizes: round-base structure and serial-based
structure. The round-based structure processes each round operation for each clock
cycle; however, the serial-based structure uses a minimal bit size operator to reduce
the required resources.
1. Round-based Structure of Lightweight Block Ciphers
SIMON and SIMECK have a classical Feistel network, which has two branches, and one
diffusion function. Although the network type of SPECK is not exactly classical Feistel,
SPECK also has two branches, and its structure is very similar to that of both SIMON
and SIMECK. These three block ciphers perform rotating shifts $(ROL_x$ and $ROR_x)$,
$XOR (⊕)$, and addition (+) operations. Fig. 1 shows their structure, and Table 3 lists their round operations on the two branches, $L_i$ and $R_i$ for the i-th round.
In LED, the intermediate result is expressed as a state consisting of 4 × 4 sub-blocks
as in AES, but the sub-block size is 4-bit instead of 8-bit. Similar to AES, LED performs
AddRoundKey using XOR, SubCells using 4-bit S-boxes, ShiftRows using rotated shifts,
and MixColumnsSerial using XOR. An additional operation, AddConstants adds constant
values generated by a linear feedback shift register.
CHAM, Piccolo, and TWINE also have the Feistel network but have more than two branches,
i.e., 4, 4, and 16, respectively. The round operations of CHAM are listed in Table 4, and those of Piccolo, TWINE are presented in Table 5, where $X_{i,j}$ is the j-th branch of the i-th round, and $k_x$ and $rk_x$ is
the scheduled key for each round. $F_0 (X)$ in Piccolo is diffusion functions, including
eight 4-bit S-boxes and XORs. $RP(x) $ in Piccolo and TWINE denotes round permutation
functions, which are split $x$ by 16 and 4 bits, respectively, and mix.
2. Serial-based Structure of Lightweight Block Ciphers
In the serial-based structure of SIMON, SPECK, SIMECK, and CHAM, certain bits are
selected and operated to generate one new bit per clock, and the newly generated bit
is appended to the left of the block by shifting the existing bits to the right by
1 bit. This is allowed because the bitwise operation, addition, and rotation operations
can easily be performed on a bit-by-bit basis. Fig. 2(a) shows the serial-based structure of SIMON and SIMECK (5,6). CHAM and SPECK, which also have add-rotate-XOR(ARX) operations, can be implemented
in a similar structure (5,7).
TWINE, Piccolo, and LED use 4-bit S-boxes, thus these ciphers process four bits instead
of one bit during each clock cycle. Fig. 2(b) shows our serial-based structure of TWINE with the 128-bit key size we designed because
previously (10), serial-based TWINE only used an 80-bit key. Our serial-based structure of TWINE
only uses a single 4-bit S-box and two 4-bit XOR operations. Block mixing is performed
in the Permutation layer. Piccolo and LED can be implemented in a similar structure
(8,9).
IV. IMPLEMENTATION RESULTS
This section describes the performance requirements for IoT sensors that use RFID
communication and presents the results of our implementation. Based on these requirements
and results, we determined the suitability of lightweight block ciphers for IoT sensors
that use RFID communication.
1. Performance Required for Two Types of RFID
UHF RFID ranges from 3 m to 10 m when used without a battery. This long range allows
UHF RFID to communicate with distant sensors. On the contrary, HF RFID has a very
short range of up to 0.1 m; however, HF is not problematic with regard to tissue burning
or power absorption by tissue in human bodies (26). Hence, HF RFID is suitable for biosensors.
Table 6 presents the throughput and power consumption of UHF and HF RFID. UHF RFID is commonly
used for high-speed applications, and its required maximum latency is 78 clock cycles
at 2 MHz (24). Hence, ciphers require throughput higher than 1641 kbps without which IoT sensors
that use RFID communication may be ineffective. In addition, the average power consumption
should be less than 10 μW/MHz, that is, 20 μW at 2 MHz.
In contrast, in the case of HF RFID, area and power consumption are more important
than speed. According to the HF RFID standard (27), the upper bound of the response time for the challenge is 320 μs. This means that
the block cipher must process one encryption in 32 clock cycles at 100 kHz, the operating
frequency of HF RFID. It is very difficult for lightweight block ciphers to encrypt
the challenge in such a short response time. However, Feldhofer et al. (25) proposed a new HF RFID protocol with a much longer response time of 18 ms. With the
use of this protocol (25), the lower bound of throughput is 3.56 kbps when one 64-bit block has to be processed
in the response time. If there is more than one block, the lower bound will increase.
In addition, the average power consumption should be less than 22.5 μW at 100 kHz
(25).
Table 8. Compared gate count of technology library
|
Used technology
|
GE
|
|
D Flip-flop
|
XOR
|
MUX
|
|
Magna 180 nm (this work)
|
5.66
|
2.67
|
2.67
|
|
IBM 130 nm in (5), (6), (7)
|
4.25
|
2.00
|
2.25
|
|
UMC 180 nm in (8)
|
4.67
|
2.67
|
2.67
|
|
130 nm in (9)
|
4.50
|
2.25
|
2.00
|
|
90 nm in (10)
|
5.50
|
-
|
-
|
As for the area, the exact required values have rarely been specified. Although the
upper limit of the area of a block cipher was indicated to be 2000 gates (24), this number is likely to decrease with time. Attempts have been made to reduce the
chip size of biosensors. For example, the glucose sensor chip designed by Buettner
et al. (13) has a sensing unit with a size of 0.01 mm$^{2}$, which is much smaller than the size
of 0.15 mm$^{2}$ that was previously used (26). Although our research is not concerned with the area of block ciphers, these efforts
to reduce the area of biosensor chips are expected to also require the block cipher
to become increasingly smaller.
2. Implementation Results
We implemented the lightweight block ciphers listed in Table 1 using the same Magna 180-nm CMOS process technology library. The round- and serial-based
implementation results are presented in Table 7. All round-based ciphers have an area of less than 2000 GE, and all serial-based
ciphers have an area of less than 1600 GE. According to our implementation results,
CHAM has the smallest area and lowest power consumption for both round- and serial-based
structures.
The implementation results obtained in other studies are also included in Table 7. Compared with these results, most of our area results are 20–30 % larger. However,
this is not due to our inefficient implementation, but the difference in the technology
library. Table 8 lists the gate equivalents of selected gates such as D flip-flop, 2-input XOR, and
2-input MUX from various technology libraries. As is clear from Table 8, the standard cells of the Magna 180-nm library we used have GEs that are 19–33 %
larger than those of the technology libraries used in related studies (5-7,9). This could explain why we obtained a larger area for Piccolo, SIMON, SPECK, SIMECK,
and CHAM than that in other research. In contrast, the area we obtained for LED and
TWINE is smaller than that in other research. In fact, our round-based LED is approximately
45 % smaller than the results of Guo et al. (8). In addition to the differences among libraries, our results could be explained by
considering that we implemented our LED without FFs for storing the key in contrast
to Guo et al. (8). Our implementation result of serial-based TWINE is the first result that uses a
128-bit key because Suzaki et al. (10) only provides the result of serial-based TWINE for the 80-bit key.
3. Suitability of Lightweight Block Ciphers Implemented on Hardware for IoT Sensors
Based on the above performance requirements and implementation results, only round-based
Piccolo and LED are suitable for IoT sensors using the entire operating frequency
range of UHF RFID communication. CHAM is also available but is valid at clock frequencies
of 2.06 MHz and higher because of throughput. Piccolo, LED, and CHAM are similar in
that they do not need to update key values during key scheduling, thereby obviating
the need for key FF. Although other round-based ciphers satisfy the throughput requirement,
they do not meet the requirements in terms of power consumption. None of the serial-based
ciphers are suitable owing to their low throughput.
For HF RFID communication, all round-based block ciphers satisfy the performance requirements,
and their serial-based design would be preferable because of their lower cost and
power consumption. Although the throughput of certain serial-based block ciphers such
as LED and SPECK is insufficient, their throughput can be increased by splitting their
ARX operations into units larger than one bit, according to an existing approach (5), or by using more than one S-box. This means that serial-based LED and SPECK are
also suitable if they process more data per clock cycle by compromising the area increase.
V. CONCLUSIONS
We analyzed the performance requirements of RFID communications and implemented various
lightweight block ciphers in ASIC. Instead of referring to the results of the previous
study, we have re-implemented all the block ciphers including serial-based TWINE with
128-bit key, which has not been not included in the previous study, and we used the
same Magna 180-nm CMOS process technology. Our implementation results enabled us to
compare the performance of lightweight block ciphers under the same conditions. In
addition, we determined their suitability for IoT sensors that use RFID communication.
According to our performance requirements and implementation results, round-based
Piccolo and LED are suitable for all operating frequencies of UHF RFID communication,
whereas round-based CHAM is only suitable for UHF RFID communication at 2.06 MHz and
higher frequencies. Unlike other block ciphers, the advantage of these three block
ciphers is that they do not need keys to be stored. When HF RFID is used, all round-based
lightweight block ciphers are suitable; in addition, the use of their serial-based
designs is also considered to minimize cost and power consumption.
ACKNOWLEDGMENT
This work was partially supported by Institute for Information & communications Technology
Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2020-0-00215,
The Development of H/W Vulnerability Assessment Technologies Against Supply-chain
Attacks). The chip fabrication and EDA tool were supported by the IC Design Education
Center (IDEC), Korea. The corresponding author is Dong Kyue Kim.
REFERENCES
Kong W., Kim D. K., 2018, Hardware Implementation and Performance Comparison of Various
Lightweight Block Ciphers, The Institute of Electronics and Information Engineers,
Conference on, Vol. pp. 47-48, pp. jun.
Juels A., Weis S. A., 2005, Authenticating Pervasive Devices with Human Protocols,
in Annual International Cryptology Conference, pp. 293-308
2001, FIPS 197 Advanced encryption standard (AES), National Institute of Standards
and Technology
Mathew S., IEEE Journal of, 340 mV–1.1 V, 289 Gbps/W, 2090-gate nanoAES hardware accelerator
with area-optimized encrypt/decrypt GF (24)2 polynomials in 22 nm tri-gate CMOS, Solid-State
Circuits
Beaulieu R., 2015, The SIMON and SPECK lightweight block ciphers, Design Automation
Conference, pp. 1-6
Yang G., 2015, The simeck family of lightweight block ciphers, Cryptographic Hardware
and Embedded Systems, Vol. international workshop on, pp. 307-329
Koo B., 2017, CHAM: a family of lightweight block ciphers for resource-constrained
devices., International Conference on. Springer, Cham, pp. 3-25
Guo J., Peyrin T., Poschmann A., Robshaw M., 2011, The LED Block Cipher, Cryptographic
Hardware and Embedded Systems, International Workshop on, pp. 326-341
Shibutani K., 2011, Piccolo: an ultra-lightweight blockcipher, Cryptographic Hardware
and Embedded Systems, International Workshop on, pp. 342-357
Suzaki T., Minematsu K., Morioka S., Kobayashi E., 2012, TWINE: A Lightweight Block
Cipher for Multiple Platforms, Selected Areas in Cryptography, International Conference
on, pp. 339-354
Gamal Darwish, ElShafee Ahmed, Darwish Dina, 2011, Requirements and Design of RFID
based EManufacturing System., World Academy of Science, Engineering and Technology
Y. I. N. Yuehong, 2016, The internet of things in healthcare: An overview, Journal
of Industrial Information Integration, pp. 3-13
Buettner M., Greenstein B., Sample A., Smith J. R., Wetherall D., 2008, Revisiting
smart dust with RFID sensor networks, in Proceedings of the 7th ACM Workshop on Hot
Topics in Networks (HotNets-VII)
Diehl W., Abdulgadir A., Kaps J.-P., Gaj K., 2018, Comparing the cost of protecting
selected lightweight block ciphers against differential power analysis in low-cost
FPGAs, Computers, Vol. 7, No. 2
William Diehl, 2017, Comparison of hardware and software implementations of selected
lightweight block ciphers., International Conference on, pp. 1-4
Bhardwaj I., Kumar A., Bansal M., 2017, A review on lightweight cryptography algorithms
for data security and authentication in IoTs, Signal Processing, Computing and Control,
International Conference on, pp. 504-509
Hatzivasilis G., Fysarakis K., Papaefstathiou I., Manifavas C., 2017, A review of
lightweight block ciphers, Cryptographic Engineering, Journal of, pp. 141-184
Philip M. A., 2017, A survey on lightweight ciphers for IoT devices, Technological
Advancements in Power and Energy, International Conference on, pp. 1-4
Biryukov A., Perrin L. P., 2017, State of the art in lightweight symmetric cryptography,
Cryptology ePrint Archive
Sadhukhan R., 2017, An Evaluation of Lightweight Block Ciphers for Resource-Constrained
Applications: Area, Performance, and Security, Hardware and Systems Security, Journal
of, Vol. 1, No. 3, pp. 203-218
Rivest R. L., 1994, The RC5 encryption algorithm., Fast Software Encryption, International
Workshop on, Springer, pp. 86-96
Wheeler D. J., Needham R. M., 1994, TEA, a tiny encryption algorithm., Fast Software
Encryption, International Workshop on, pp. 363-366
Needham R. M., Wheeler D. J., 1997, Tea extensions., Report (Cambridge University,
Cambridge, UK, 1997) Google Scholar
Saarinen M.-J. O., Engels D. W., 2012, A do-it-all-cipher for rfid: Design requirements,
IACR Cryptology ePrint Archive
Feldhofer M., Dominikus S., Wolkerstorfer J., 2004, Strong authentication for RFID
systems using the AES algorithm, Cryptographic Hardware and Embedded Systems, International
Workshop on, pp. 357-370
Xiao Z., 2015, An implantable RFID sensor tag toward continuous glucose monitoring,
biomedical and health informatics, IEEE Journal of, Vol. 19, No. 3, pp. 910-919
2003, [27] International Organization for Standardization, ISO/IEC 18000-3, Information
Technology AIDC Techniques — RFID for Item Management
Author
Wonbae Kong received the B.S. degree in Electronic Engineering from Hanyang University
in 2015.
He is currently a Ph.D. student in the Department of Electronic Engineering at Hanyang
University, Korea.
Piljoo Choi received the B.S., M.S., and Ph.D. degrees in Electronic Engineering from
Hanyang Univer-sity in 2010, 2012, and 2017, respectively.
He is currently an assistant professor in the Department of IT Convergence and Application
Engineering at Pukyong National University, Korea.
Dong Kyue Kim received the B.S., M.S., and Ph.D. degrees in Computer Engineering from
Seoul National University in 1992, 1994, and 1999, respectively.
From 1999 to 2005, he was an assistant professor in the Division of Computer Science
and Engineering at Pusan National University.
He is currently a full professor in the Department of Electronic Engineering at Hanyang
University, Korea.