Lightweight authenticated encryption for embedded on-chip systems
George Hatzivasilis (a), George Floros (b), Ioannis Papaefstathiou (a), and Charalampos Manifavas (c)
(a) Department of Electrical & Computer Engineering, Technical University of Crete, Chania, Crete, Greece; (b) Department of Computer Science, University of Crete, Heraklion, Crete, Greece; (c) Department of Electronic Engineering & Computing, Rochester Institute of Technology Dubai, Silicon Oasis, Dubai, United Arab Emirates
ABSTRACT
Embedded systems are routinely deployed in critical infrastructures nowadays, so their security is increasingly important. This, combined with the pressing requirement of deploying massive numbers of low-cost and low-energy embedded devices, stimulates the evolution of lightweight cryptography and other green-computing security mechanisms. New crypto-primitives are being proposed that offer moderate security and produce compact implementations. In this article, we present a lightweight authenticated encryption scheme based on an integrated hardware implementation of the lightweight block cipher PRESENT and the lightweight hash function SPONGENT. The presented combination of a cipher and a hash function is appropriate for implementing the authenticated encryption schemes that are commonly utilized in one-way and mutual authentication protocols. We exploit the inner structure of the two primitives to identify hardware elements usable by both, thus reducing the circuit's size. The integrated versions demonstrate a 27% reduction in hardware area compared with the simple combination of the two primitives. The resulting solution is ported to a field-programmable gate array (FPGA), and a complete security application with input/output over a universal asynchronous receiver/transmitter (UART) interface is created. In comparison with similar implementations in hardware and software, the proposed scheme offers a better overall trade-off between throughput, area, and power.
KEYWORDS: ASIC; authenticated encryption; FPGA; green computing; lightweight cryptography; network security; PRESENT; SPONGENT
Introduction
Embedded systems (ESs) are computer systems
designed to manage specific functionalities within
a larger system, and they must meet real-time
computing requirements. These heterogeneous
platforms range from portable devices such as
smart phones to factory controllers and avionic
subsystems. Grand View Research estimates the
global ES market value in 2013 at €123.96 billion,
which is expected to reach €189.39 billion by 2020,
growing at a compound annual growth rate
(CAGR) of 6.3% from 2014 to 2020 (Grand View
Research, 2014).
Green innovation has been gaining ground in recent years due to the environmental movement and climate change. The information and communications technology (ICT) infrastructure consumes 3% of global energy and produces about 2% of global CO2 emissions (ICT, 2008). The trend of green computing and networking includes practices of selecting energy-efficient computing technologies and products, minimizing resource consumption wherever possible. The Climate Group and the Global eSustainability Initiative estimated that such practices could reduce global emissions by as much as 15% by 2020, achieving around an eightfold benefit compared with carbon-reduction expectations (sustainableIT, 2011).
ESs utilize hardware and other mechanical components to interact with the physical world. Such systems are deployed in critical infrastructures where a security incident may lead to damage, personal injury, or even death. To fortify ESs, robust cryptographic primitives are often used (e.g., Desoky, 2013; Mukherjee & Sahoo, 2011), but the limited capabilities of these resource-constrained devices necessitate the development of compact schemes (e.g., San & At, 2012).
CONTACT George Hatzivasilis gchatzivasilis@isc.tuc.gr Department of Electrical & Computer Engineering, Technical University of Crete, Akrotiri Campus, 73100, Chania, Crete, Greece.
Color versions of one or more of the figures in the article can be found online at www.tandfonline.com/uiss.
INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE
http://dx.doi.org/10.1080/19393555.2016.1209259
© 2016 Taylor & Francis

Lightweight cryptography (LWC) (Poschmann, 2009) is the research field that investigates the integration of cryptographic primitives into constrained devices. It balances the trade-offs among energy consumption, performance, and security (Sklavos, 2010) to provide ciphers that consume low power, comply with standard communication protocols, and achieve moderate levels of security. Energy-aware networking becomes imperative for ESs, especially in the case of sensor networks. For ultra-constrained devices, energy-efficient primitives that perform well in hardware are appropriate. The reduction of the chip area becomes important in green computing and LWC, as it proportionally affects the power requirements, the energy consumption in standby mode, and the economic cost.
Symmetric cryptography performs well in ESs. It provides confidentiality and data integrity and is utilized in authentication protocols. For LWC, block ciphers are the most common choice for confidentiality. Hash functions are another type of cryptographic primitive, taking an input message of arbitrary length and producing a fixed-length digest. Keyed, they form message authentication code (MAC) mechanisms that provide data integrity and authenticity. Besides the basic crypto-primitive types, there are efforts to offer more advanced functionality. Authenticated encryption (AE) integrates ciphers and integrity mechanisms to provide confidentiality, integrity, and authentication simultaneously. AE schemes are becoming popular due to the ongoing Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) (CAESAR, 2013), organized by the international cryptographic research community. CAESAR is expected to select, in 2017, a portfolio of algorithms offering advantages over AES-GCM, the current AE standard (Dworkin, 2007).
This article presents a lightweight AE based on an integrated hardware implementation of the lightweight block cipher PRESENT (Bogdanov et al., 2007) and the hash function SPONGENT (Bogdanov et al., 2011). The two primitives are merged to reuse their common parts, reducing the overall hardware footprint. The combination of the two primitives forms authenticated encryption schemes that are used by one-way and mutual authentication protocols. The resulting design is ported to a field-programmable gate array (FPGA) with input/output over a universal asynchronous receiver/transmitter (UART) interface, and a complete security application of two nodes that communicate via the network is developed, with performance comparable to other known proposals. The proposed system forms an energy-efficient infrastructure and is suitable for constrained environments, such as sensor networks.
The article is organized as follows. The next section analyzes the evaluation methodology used for comparing different hardware implementations and reviews related work. Then we present the integration of the two primitives in three main AE topologies, its applicability in a network service, and the relevant security analysis. Following that is a discussion of the resulting performance and a comparison with other AE implementations identified in the literature. Finally, we present our conclusions.
Background and related work
Evaluation of hardware implementations
Several metrics have been proposed for evaluating the performance of hardware implementations. On FPGA, throughput, slices, and the ratio of throughput to slices are used. In this study, throughput is the processing rate achieved at a 100-kHz clock frequency (a common choice in the literature, e.g., Bogdanov et al. (2011, 2007)); for an iterated design it is the number of bits processed per iteration divided by the number of clock cycles that iteration takes, scaled by the clock frequency. The metric is measured in kilobits per second (Kbps), and the higher the value, the better. Slices measure the chip area of an implementation. More slices impose higher power consumption, so the lower the value, the better. The throughput-to-slices ratio reflects the time–area–power trade-off of an implementation, and the higher the value, the better.
Similarly, for application-specific integrated circuit (ASIC) implementations, the metrics of throughput, gate equivalents (GE), and figure of merit (FOM) are utilized. Throughput is defined as for FPGA implementations. GE measures the complexity of an implementation and corresponds to the number of logic gates required. One GE corresponds to the area of one two-input NAND (NAND2) gate: the layout area of an implementation in μm^2 is divided by the area of a NAND2 gate, and the result is the GE metric. Higher GE means higher power consumption and production cost, so the smaller the value, the better. In LWC, an implementation typically uses about 250–3000 GE (Manifavas, Hatzivasilis, Fysarakis, & Rantos, 2014). FOM is a fair metric for the time–area–power trade-off. It is calculated as the ratio of throughput to the square of GE; the higher the value, the better.
Lightweight cryptographic primitives
LWC calls for novel cryptographic primitives that can fit in resource-constrained devices. The main design targets for hardware platforms are the reduction of power/energy requirements and chip area. In the last decade, a large variety of lightweight proposals has been developed (Manifavas et al., 2014). ISO/IEC 29192 (ISO/IEC, 2012) is the standard for LWC (part 2 covers block ciphers and part 5 covers hash functions).
The first generation of lightweight block ciphers mainly targets compact designs that can be applied in ultra-constrained devices, while throughput and power consumption are always taken into consideration. The area reduction is substantial, reaching a limit where almost 80–90% of the implementation is occupied by memory elements (e.g., PRESENT). Such minimal implementations leave little room for countermeasures, which makes many of these ciphers vulnerable to side-channel attacks. The standardized block ciphers are CLEFIA (Shirai, Shibutani, Akishita, Moriai, & Iwata, 2007) and PRESENT. CLEFIA was designed by Sony and performs better in embedded software. PRESENT is a milestone in LWC and is more efficient in hardware due to its compact and low-cost implementation (Manifavas et al., 2014). Newer design challenges include low latency, efficient support of decryption, and protection against side-channel attacks.
Many secure hash function designs are based on the core building blocks of block ciphers. After the release of PRESENT, there was an effort to construct lightweight hash functions based on it, with DM-PRESENT, H-PRESENT, and C-PRESENT being the most representative ones (Bogdanov et al., 2008). The SHA-3 contest created a new design trend of hash functions with a sponge structure as an alternative to these block-cipher-based approaches. SPONGENT is the most lightweight of them. Its design takes the aforementioned PRESENT-oriented functions into consideration and outperforms them (Bogdanov et al., 2011). The standardized LWC hash functions are PHOTON (Guo, Peyrin, & Poschmann, 2011) and SPONGENT. PHOTON balances the trade-offs between hardware and software implementation and performs well in both domains. SPONGENT is hardware-oriented and achieves a better overall status in hardware, with a smaller chip size (Manifavas et al., 2014). Lightweight hardware implementations of SHA-3, PHOTON, and SPONGENT are presented in (Jungk, Lima, & Hiller, 2014). The functions are implemented on FPGA under identical devices, interfaces, and design constraints. This fair comparison concludes that SPONGENT provides the best throughput-per-area ratios.
Both PRESENT and SPONGENT were extensively analyzed before and after standardization and were found to be secure. Newer lightweight proposals for both block ciphers and hash functions need extensive security analysis before their novel structures can be considered mature enough to be adopted.
PRESENT and SPONGENT Verilog implementations
PRESENT is a block cipher with 64-bit blocks and 80- or 128-bit keys. It is one of the first ciphers to achieve a compact hardware implementation of about 1000 GE. Its substitution-permutation network (SPN) requires 31 rounds for encryption or decryption. The cipher is extremely efficient in hardware: its diffusion layer is a bit permutation realized entirely as wiring, without any arithmetic unit, and in place of several distinct S-boxes it uses a single, carefully selected 4-bit S-box applied to all 16 nibbles of the state.
In this article, the encryption-only implementation of PRESENT with an 80-bit key that is available from OpenCores (OpenCores, 2011) is extended (e.g., decryption functionality is added). The presented work is implemented in Verilog (under an LGPL license). The cipher does not require an initialization phase.
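The following is an added reference model of PRESENT-80 in Python, written to mirror the datapath described above (64-bit SPN of one S-box applied to 16 nibbles plus a wired permutation, and the key-update register with its rotation, S-box and round counter). It is not the article's Verilog and not the OpenCores core; the only constant taken from outside this page is the all-zero test vector of the PRESENT paper.

```python
# Added worked example: a reference model of PRESENT-80 (64-bit block, 80-bit
# key, 31 rounds). Not the article's Verilog and not the OpenCores code.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1

def sbox_layer(state, table=SBOX):
    """One 4-bit S-box applied to all 16 nibbles of the 64-bit state."""
    out = 0
    for i in range(16):
        out |= table[(state >> (4 * i)) & 0xF] << (4 * i)
    return out

def p_layer(state):
    """Bit i moves to position 16*i mod 63 (bit 63 stays). Pure wiring in hardware."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << (63 if i == 63 else (16 * i) % 63)
    return out

def p_layer_inv(state):
    out = 0
    for i in range(64):
        if (state >> (63 if i == 63 else (16 * i) % 63)) & 1:
            out |= 1 << i
    return out

def key_schedule_80(key):
    """32 round keys. Per round: rotate the 80-bit register left by 61, pass the
    top nibble through the S-box, XOR the 5-bit round counter into bits 19..15.
    This is the key-update datapath that the integrated design shares with SPONGENT."""
    k = key & MASK80
    rks = []
    for r in range(1, 32):
        rks.append(k >> 16)                         # 64 leftmost bits
        k = ((k << 61) | (k >> 19)) & MASK80
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))
        k ^= r << 15
    rks.append(k >> 16)                             # K32 for the final key addition
    return rks

def present80_encrypt(block, key):
    rks = key_schedule_80(key)
    s = block & MASK64
    for r in range(31):
        s = p_layer(sbox_layer(s ^ rks[r]))
    return s ^ rks[31]

def present80_decrypt(block, key):
    """Same round keys in reverse order, inverse layers in reverse order."""
    rks = key_schedule_80(key)
    s = (block & MASK64) ^ rks[31]
    for r in range(30, -1, -1):
        s = sbox_layer(p_layer_inv(s), SBOX_INV) ^ rks[r]
    return s

def check_test_vector():
    """All-zero plaintext and key (PRESENT paper) must give 5579C1387B228445."""
    return present80_encrypt(0, 0) == 0x5579C1387B228445

if __name__ == "__main__":
    print("test vector ok:", check_test_vector())
    key = 0x0F0E0D0C0B0A09080706
    c = present80_encrypt(0x0123456789ABCDEF, key)
    print("%016X -> %016X -> %016X" % (0x0123456789ABCDEF, c,
                                       present80_decrypt(c, key)))
```

Decryption needs only the inverse S-box and the inverse permutation with the round keys consumed in reverse order, which is why adding it to an encryption-only core costs little beyond a second S-box table and reversed wiring; the key-update register is unchanged.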
SPONGENT applies a sponge construction that is instantiated with a wide PRESENT-type permutation, following the hermetic sponge strategy. The SPONGENT-88 variant is designed for extremely restricted applications with low second-pre-image and collision security requirements. In this article the pipelined version of SPONGENT-88 is implemented in Verilog. For 88-bit hashes, the produced implementation requires 1127 GE.
When it is executed simultaneously with PRESENT over the same data, the input/output (I/O) of the hash function is slightly changed to keep the same interface for the different integrated versions. The input data are processed in 64-bit blocks, to comply with the I/O interface of PRESENT. For SPONGENT, we pad 24 bits onto each block to construct an 88-bit block (the width of the SPONGENT-88 state) and also retain a small common data path with PRESENT (the main target of an integrated design).
Authenticated encryption and lightweight schemes
Authenticated encryption (AE) is a cryptographic operation that simultaneously provides confidentiality, integrity, and authenticity for the processed data. Encryption processes the plaintext and produces the ciphertext along with an authentication tag. Decryption is combined in a single step with integrity validation: the plaintext is retrieved, and an error is produced if the authentication tag does not match the ciphertext. AE is required in communication protocols and on-line applications to prevent attackers from tampering with ciphertexts or submitting forged ones to the receiver. Without it, chosen-ciphertext attacks can decrypt messages and completely reveal the communication data. For mainstream applications, AES-GCM is the most accepted solution. Pervasive and ubiquitous computing develops relevant lightweight schemes for resource-constrained devices. Three generic compositions of an encryption scheme and a MAC yield AE (Bellare & Namprempre, 2000):
●Encrypt-and-MAC (E&M): the plaintext is encrypted and the MAC is computed over the original plaintext.
●Encrypt-then-MAC (EtM): the plaintext is encrypted and the MAC is computed over the ciphertext afterwards.
●MAC-then-encrypt (MtE): the MAC is produced over the plaintext and then encrypted together with the plaintext.
E&M produces the most efficient result, as the ciphertext and the MAC can be computed simultaneously. However, it is also considered the least secure: the MAC is a deterministic function of the plaintext, so it reveals whether two messages are equal and can reflect statistical properties of the plaintext. Attacks that exploit weaknesses of the MAC to disclose the encryption key and recover the whole communication have been demonstrated against lightweight designs (e.g., Banik, Maitra, & Sarkar, 2012; Saarinen, 2013). EtM and MtE are slower, as the two primitives are executed sequentially. Both approaches hide the statistical features of the plaintext, with EtM providing the strongest guarantees (Bellare & Namprempre, 2000).
For LWC, many AE schemes have been proposed. We present the most notable designs and their main features. Most of them have been rendered insecure, which calls for further research towards robust solutions. These schemes are used as a benchmark for new proposals.
Hummingbird-2 (Engels, Saarinen, Schweitzer, & Smith, 2011) is one of the first AE schemes for LWC and a benchmark for newer proposals. It was developed for lightweight hardware and software applications. Hummingbird-2 has a hybrid structure of block and stream cipher. It uses 128-bit keys with 64-bit IVs and operates on 16-bit words. Its main design disadvantage is the lengthy initialization phase due to its stream nature. The hardware implementation with both encryption and decryption is about 70% larger than the encryption-only version. Although encryption with Hummingbird-2 is fast after the initialization process, producing the 64-bit MAC is almost seven times slower. Moreover, a related-key attack on the full cipher has been reported (Saarinen, 2013).
The Grain-128a (Agren, Hell, Johanson, & Meier, 2011) AE is based on the eSTREAM finalist Grain-128. It enhances the security of the original cipher and provides built-in support for authentication. The scheme uses 128-bit keys with 96-bit IVs and variable tag sizes of up to 32 bits. The cipher outputs one bit per cycle and the AE outputs one bit per two cycles. In hardware, the original cipher requires 2133 GE, while Grain-128a requires 2145.5 GE without authentication; with 32-bit authentication, the smaller version requires about 2769.5 GE. Apart from the general attacks on the Grain family of ciphers, differential fault attacks are also feasible on Grain-128a (Banik et al., 2012).
ALE (Bogdanov, Mendel, Regazzoni, Rijmen, & Tischhauser, 2014) is a lightweight AE based on AES, the stream cipher LEX (an eSTREAM candidate based on AES), and the AE scheme ASC-1. It uses 128-bit keys and IVs. AES is utilized due to its high security and the performance of the AES-NI instruction set. However, ALE is vulnerable to differential cryptanalysis (Wu, Wu, Huang, Wang, & Wu, 2013), which lowers the offered security level to 97 bits.
FIDES (Bilgin, Bogdanov, Knezevic, Mendel, & Wang, 2013) is the most recent of these AE proposals and functions as an on-line, single-pass, nonce-based scheme. It follows the design principles of AES with a duplex sponge construction. Two variants are proposed, with 80- and 96-bit keys, requiring 793 GE and 1001 GE, respectively. FIDES is the most compact AE scheme and performs better than Hummingbird-2, Grain-128a, and ALE.
PRESENT-SPONGENT authenticated encryption
Design
PRESENT and SPONGENT are the hardware-oriented standardized primitives for LWC. They have been extensively analyzed and found to be secure against the current set of attacks. Moreover, the two primitives exhibit several structural similarities that can be exploited by an integrated hardware implementation. SPONGENT has a sponge structure built around a PRESENT-type permutation, and both primitives use the same 4-bit S-box. Our goal is to exploit these similarities and merge the two primitives in a concrete hardware implementation. This implementation uses the same memory elements for storing the input and output data of both primitives. Moreover, the key-update module of PRESENT, which requires 481 GE, is shared with SPONGENT when a MAC is produced. Combining the implementations of PRESENT and SPONGENT in this way achieves a 27% hardware reduction.
Each primitive can also function independently. Each part of the circuit is implemented with its own pipeline, achieving the highest throughput for encrypted data and the corresponding MAC computation. Three pipelines are used: one for the cipher, one for the key update, and one for the digest generation.
PRESENT pipeline
A 64-bit block is encrypted after 31 rounds through the 64-bit substitution-permutation network (SPN) of PRESENT and the key-update module. The pipeline consists of the register State Reg, which stores the data between iterations, and the 64-bit SPN. The key-update procedure consists of the state register Key Reg, which stores the updated key, and one 4-bit S-box that updates the key in every round. The data_i (data input) port serves as input for both the encryption key and the message data. This input is 80 bits wide to fit the key; only the 64 least significant bits are used to load the message data. In the first round the key is loaded into the key register (Key Reg), and in the next round the message data is loaded into the cipher state (State Reg).
SPONGENT pipeline
The hash of an 88-bit block is produced after 45 iterations through a separate 88-bit SPN for SPONGENT. The pipeline consists of the state register Hash Reg, which stores the current digest, and the 88-bit SPN.
Dependent and independent data
The two primitives are executed in parallel over dependent or independent data, and all three AE approaches are supported (Figure 1). The design requires 4324 logic gates to implement.
In parallel-independent mode (PIm), the cipher and the MAC process independent data simultaneously. SPONGENT loads the first 80-bit block of data. As the hash function processes the data, PRESENT loads its 64-bit block of plaintext. After 45 rounds, one block of ciphertext and the hash are produced. This version processes 144 bits of data every 45 rounds and achieves a throughput of 320 Kbps (at 100 kHz).
In E&M the cipher and the MAC process the same data simultaneously in 64-bit blocks. The two primitives are synchronized during parallel execution: the plaintext block is encrypted in 31 rounds and the hash is produced after 14 additional rounds, during which the cipher idles and waits for the MAC. After 45 rounds, one block of ciphertext and the corresponding hash are produced. This version processes 64 bits of data every 45 rounds and achieves a throughput of 142.22 Kbps.
In EtM the cipher encrypts the plaintext in 64-bit blocks. Once a ciphertext block is produced, it can be processed by the MAC while the cipher proceeds to the next plaintext block. Thus, it takes 31 initial rounds to encrypt the first block, 45 rounds for each of the remaining blocks, and 45 additional rounds to produce the final MAC. It takes 121 rounds to encrypt 1 Kbit of data, achieving 82.64 Kbps throughput.
In MtE the data are processed as in E&M. The 88-bit MAC is then encrypted by the cipher as two 64-bit blocks (the second block is padded with zeros), requiring 62 more rounds than E&M. In total, it takes 152 rounds to encrypt 1 Kbit of data, with 65.78 Kbps throughput.
Network application
The complete network application was implemented and tested, with an FPGA platform connected to a PC via UART. The FPGA communicates through the network with other entities. The application supports the following basic operations:
●Send plaintext (unencrypted communication)
●Send plaintext with MAC (for integrity checks)
●Send encrypted message (for confidentiality)
●Send encrypted message with MAC (for confidentiality and integrity: the PIm)
●Send a message in which each transmitted packet is encrypted and carries a MAC over both the data and the packet's headers (the three AE approaches)
●Send an encrypted message with a MAC over the encrypted message and the packet headers, i.e., encryption only for the data and a MAC over both the encrypted data and the packet's headers (Authenticated Encryption with Associated Data (AEAD) schemes; the three AE approaches)
Figure 1. Parallel integration of PRESENT and SPONGENT. The SPONGENT core hash function is illustrated in green. The PRESENT core and key update are colored blue. The output is represented in purple. The three registers (Hash Reg, State Reg, Key Reg) are outlined in red.
The integrated implementation is not used for unencrypted messages. Processing a plaintext to produce its MAC requires 45 rounds per 88 bits. Encrypting a message requires 31 rounds per 64 bits. The encryption of a message and the calculation of its MAC can be done simultaneously and takes 45 rounds.
Ordinarily, in AE and AEAD modes, each message must be processed twice, once by each primitive. However, our integrated implementations can encrypt and produce the MAC simultaneously, processing the message once and thus reducing the overall processing time (as described in the previous subsection). When decryption is supported, we can also apply this strategy to reduce the execution time.
The encryption-only versions of the integrated implementations are appropriate for one-way authentication protocols. When both encryption and decryption are supported, they can be applied in mutual authentication protocols.
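The following added example (not the article's design, and not the FPGA application) implements the three compositions introduced in the "Authenticated encryption and lightweight schemes" section with a packet header carried as associated data, as the AEAD operations of the network application above do. Both sides of the exchange are shown. The cipher is a constructed stand-in (counter mode over SHA-256) rather than PRESENT, the MAC is HMAC-SHA256 truncated to 128 bits rather than an 88-bit SPONGENT digest, and the packet header, message, nonces and keys are constructed sample values.

```python
# Added worked example: E&M, EtM and MtE with associated data (a packet header),
# sender and receiver side. Stand-in cipher and MAC, NOT the article's primitives
# and NOT for production use.
import hashlib
import hmac
import os

TAG_LEN = 16

def keystream_xor(key, nonce, data):
    """Nonce-keyed XOR cipher: keystream block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

def tag(key, *parts):
    """HMAC over length-prefixed parts, so header/body boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()[:TAG_LEN]

# --- sender side: each returns (ciphertext, transmitted tag) -----------------
def seal_eam(ke, km, nonce, hdr, msg):              # Encrypt-and-MAC
    return keystream_xor(ke, nonce, msg), tag(km, hdr, msg)

def seal_etm(ke, km, nonce, hdr, msg):              # Encrypt-then-MAC
    c = keystream_xor(ke, nonce, msg)
    return c, tag(km, hdr, nonce, c)

def seal_mte(ke, km, nonce, hdr, msg):              # MAC-then-encrypt
    ct = keystream_xor(ke, nonce, msg + tag(km, hdr, msg))
    return ct[:-TAG_LEN], ct[-TAG_LEN:]             # the tag travels encrypted

# --- receiver side ---------------------------------------------------------
def open_eam(ke, km, nonce, hdr, c, t):
    m = keystream_xor(ke, nonce, c)                 # must decrypt before it can verify
    if not hmac.compare_digest(t, tag(km, hdr, m)):
        raise ValueError("E&M: tag mismatch")
    return m

def open_etm(ke, km, nonce, hdr, c, t):
    if not hmac.compare_digest(t, tag(km, hdr, nonce, c)):
        raise ValueError("EtM: tag mismatch")       # rejected before any decryption
    return keystream_xor(ke, nonce, c)

def open_mte(ke, km, nonce, hdr, c, t):
    mt = keystream_xor(ke, nonce, c + t)            # must decrypt before it can verify
    m, inner = mt[:-TAG_LEN], mt[-TAG_LEN:]
    if not hmac.compare_digest(inner, tag(km, hdr, m)):
        raise ValueError("MtE: tag mismatch")
    return m

SCHEMES = {"E&M": (seal_eam, open_eam),
           "EtM": (seal_etm, open_etm),
           "MtE": (seal_mte, open_mte)}

def rejects(open_fn, *args):
    try:
        open_fn(*args)
    except ValueError:
        return True
    return False

def evaluate(ke=None, km=None):
    """Per scheme: round-trip, rejection of a flipped ciphertext bit, rejection of
    a modified header, and whether the transmitted tag leaks plaintext equality."""
    ke = ke or os.urandom(16)
    km = km or os.urandom(16)
    hdr, msg = b"seq=7;dst=node2", b"valve=open"    # constructed packet
    n1, n2 = bytes(8), bytes([1]) + bytes(7)        # two distinct nonces
    report = {}
    for name, (seal, open_) in SCHEMES.items():
        c, t = seal(ke, km, n1, hdr, msg)
        bad_c = bytes([c[0] ^ 0x80]) + c[1:]
        _, t_other_nonce = seal(ke, km, n2, hdr, msg)
        report[name] = {
            "roundtrip": open_(ke, km, n1, hdr, c, t) == msg,
            "rejects_flipped_ct": rejects(open_, ke, km, n1, hdr, bad_c, t),
            "rejects_bad_header": rejects(open_, ke, km, n1, b"seq=8;dst=node2", c, t),
            # a deterministic tag over the plaintext repeats for equal messages
            # under different nonces (E&M); EtM/MtE tags change with the nonce
            "tag_leaks_equality": t == t_other_nonce,
        }
    return report

if __name__ == "__main__":
    for name, r in evaluate().items():
        print(name, r)
```

All three compositions detect a flipped ciphertext bit and a modified header, which is the INT-PTXT row of Table 1. The differences are where the IND-CPA and IND-CCA rows come from: E&M transmits the same tag whenever the same message is sent, so an eavesdropper learns message equality, and both E&M and MtE feed attacker-controlled bytes through the decryptor before the tag is checked, whereas EtM rejects a forged packet without decrypting anything.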
Security analysis
The security analysis is based on the relevant work in the original papers on PRESENT (Bogdanov et al., 2007) and SPONGENT (Bogdanov et al., 2011). Moreover, the general security properties of the three AE approaches are detailed in (Bellare & Namprempre, 2000).
Differential and linear cryptanalysis are the most important techniques for the analyst. PRESENT is resilient to these attacks and provides a lower bound on the number of active S-boxes in any differential or linear characteristic. It is also resistant to structural attacks, such as integral and bottleneck attacks, due to its exclusively bit-wise design and regular permutation operation. Algebraic attacks attempt to solve the system of equations that describes the cipher; analysis based on simulations suggests that such attacks are unlikely to succeed against PRESENT. Related-key and slide attacks identify relationships among different sets of subkeys and are the most effective attacks on key schedules. PRESENT counters them by applying a round-dependent counter and a nonlinear operation that mixes the contents of the key register.
Since the cipher's release in 2007, several independent cryptanalysis results have been announced. Side-channel (Yang, Wang, & Qiao, 2009) and related-key attacks (Ozen, Varici, Tezcan, & Kocair, 2009) have been reported on reduced versions of PRESENT. The full-round cipher remains safe, and no practical attacks have been reported.
The design and structural similarities of PRESENT and SPONGENT allow the reuse of the aforementioned analysis results. The cryptanalysis of PRESENT was taken into consideration in the design of SPONGENT, which is more resistant to linear attacks. The hash function is resistant against differential analysis. Collision attacks, such as the rebound attack, are mitigated by the bit-oriented permutation. Full pre-image and second-pre-image security can be provided. As most embedded applications do not necessarily require full second-pre-image security, the most compact variants provide lower protection to enhance performance in the most constrained environments. Linear distinguishers on reduced versions of SPONGENT are reported in (Abdelraheem, 2013). In this article, we use the most constrained variant, SPONGENT-88/80/8 (88-bit digest, 80-bit capacity, 8-bit rate). It provides 2^80 pre-image security and 2^40 second-pre-image and collision security.
The encryption part of the AE approaches is intended to provide four main properties: indistinguishability (IND) and nonmalleability (NM) under chosen-plaintext (CPA) or chosen-ciphertext attacks (CCA), abbreviated as IND-CPA, IND-CCA, NM-CPA, and NM-CCA. The authentication tag is intended to provide two integrity properties:
●Integrity of plaintexts (INT-PTXT): it is computationally infeasible to produce a ciphertext decrypting to a message that the sender has never encrypted.
●Integrity of ciphertexts (INT-CTXT): it is computationally infeasible to produce a ciphertext that has not been previously produced by the sender.
The study in (Bellare & Namprempre, 2000) analyzes the security of the three AE approaches in terms of these six properties under the assumptions that the encryption part is IND-CPA and the authentication tag is either weakly or strongly unforgeable. Table 1 summarizes these results. NM-CCA is omitted because it is equivalent to IND-CCA. The integrated solution proposed in this article provides strong unforgeability.
Discussion
Hardware implementations
The Xilinx Virtex-5 FPGA platform is utilized to implement and test the proposed integrated solution, using the tools provided by the Xilinx ISE Design Suite 12.1. A UART is used to check the bandwidth of each version due to its simple design and operation. UART is platform-independent and can be used to transmit data to other FPGAs and embedded systems. Table 2 summarizes the implementation details of PRESENT, SPONGENT, and their integrated versions on FPGA. As is evident from the table, the PIm version achieves a throughput of 320 Kbps and is the most efficient of the integrated versions.
The relevant features are also estimated for ASIC, based on the implementation details of PRESENT in (Bogdanov et al., 2007) (Virtual Silicon, VST, standard cell library, 0.18 μm, 1P6M logic process). Table 3 presents the implementation details of PRESENT, SPONGENT, and the four integrated variants in ASIC. The reported metrics refer to encryption-only implementations. The integrated implementations are compared with the relevant implementations of Hummingbird-2 (Engels et al., 2011), Grain-128a (Agren et al., 2011), ALE (Bogdanov et al., 2014), FIDES (Bilgin et al., 2013), and AES-CCM (Bilgin et al., 2013). As mentioned earlier, Hummingbird-2, Grain-128a, and ALE are vulnerable to attacks. They are nevertheless included in this comparison as reference points for the proposed solutions.
In ASIC, the individual implementation of PRESENT is more compact than Hummingbird-2, but for encryption the latter is slightly faster. FOM reveals that PRESENT is the better choice, as it achieves a better overall trade-off. Moreover, all the integrated solutions that encrypt and produce a MAC are compact enough to fit in embedded devices (less than 3000 GE) and perform well. The PIm and the AE versions achieve a better overall trade-off than Hummingbird-2 and consume less power. The Hummingbird-2 protocol (encryption and MAC) performs worse than the encryption-only version reported in Table 3, as the MAC production is almost seven times slower than the encryption. Thus, the FOM gap is even larger when comparing Hummingbird-2 with the integrated AE versions of PRESENT and SPONGENT.
Table 1. AE approaches security properties (Bellare & Namprempre, 2000).

AE                                    IND-CPA   IND-CCA   NM-CPA    INT-PTXT  INT-CTXT
Weakly unforgeable authentication
  E&M                                 Insecure  Insecure  Insecure  Secure    Insecure
  EtM                                 Secure    Insecure  Insecure  Secure    Insecure
  MtE                                 Secure    Insecure  Insecure  Secure    Insecure
Strongly unforgeable authentication
  E&M                                 Insecure  Insecure  Insecure  Secure    Insecure
  EtM                                 Secure    Secure    Secure    Secure    Secure
  MtE                                 Secure    Insecure  Insecure  Secure    Insecure

Table 2. Hardware implementations in FPGA.

Cipher     Key/tag (bits)  Rounds  FFs  Total slices  Throughput (Kbps)  Efficiency (Kbps/slices)
PRESENT    80/—            31      —    162           206.5              1.28
SPONGENT   —/88            45      —    95            195.5              2.06
PIm        80/88           45      149  174           320                1.83
E&M        80/88           45      149  174           142.22             0.81
EtM        80/88           121     149  174           82.64              0.47
MtE        80/88           152     149  174           65.78              0.37

Table 3. Hardware implementations in ASIC.

Cipher       Key/tag (bits)  Throughput (Kbps)  GE    FOM   Tech. (nm)  Power (μW)
PRESENT      80/—            206.5              1569  838   180         2.7
SPONGENT     —/88            195.5              967   209   180         1.5
PIm          80/88           320                2508  508   180         3.9
E&M          80/88           142.22             2508  226   180         3.9
EtM          80/88           82.64              2508  131   180         3.9
MtE          80/88           65.78              2508  104   180         3.9
FIDES-80-S   80/80           10.64              1153  80    130         1.9
FIDES-96-4S  96/96           26.09              1870  74    130         3.1
HB2-ee4c     128/64          222.2              3220  214   180         5.1
HB2-ee16c    128/64          83.3               2332  153   180         4.7
HB2-ee20c    128/64          68.9               2159  147   180         4.3
Grain-128a   128/32          80                 2867  97    -           -
ALE          128/128         0.6                2579  0.9   65          94
AES-CCM      128             0.14               3472  0.1   65          128

Grain-128a produces the shortest authentication tag (32-bit). In contrast to the core lightweight cipher, it deploys different nonlinear functions to enhance security, adding processing overhead and hardware space. The shift registers are regularly clocked, and a 1-bit output is produced every second clock cycle (Grain produces 1 bit per cycle). Grain-128a is slower and requires more chip area than the EtM version of the integrated solution.
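The three generic compositions of Table 1 in code, as an added example that is not part of the paper or its hardware design: a SHA-256 counter-mode keystream and an HMAC-SHA-256 tag truncated to 88 bits are assumed stand-ins for PRESENT and SPONGENT-88, since only the composition order matters here. The check shows the IND-CPA failure Table 1 records for E&M (a repeated tag reveals that two plaintexts were equal) and the verify-before-decrypt receiver that EtM allows.

```python
import hashlib
import hmac
import os

# Stand-ins for the paper's primitives (constructed for this example): a SHA-256
# counter-mode keystream plays the role of PRESENT, HMAC-SHA-256 truncated to
# 88 bits plays the role of a SPONGENT-88 based MAC.
TAG_LEN = 11  # 88-bit tag, as in the paper's SPONGENT-88 variant

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stream encryption (XOR with keystream); decryption is the same call."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def encrypt_and_mac(ke, km, iv, msg):   # E&M: tag computed over the plaintext
    return encrypt(ke, iv, msg), mac(km, msg)

def encrypt_then_mac(ke, km, iv, msg):  # EtM: tag computed over IV || ciphertext
    c = encrypt(ke, iv, msg)
    return c, mac(km, iv + c)

def mac_then_encrypt(ke, km, iv, msg):  # MtE: tag appended, then all encrypted
    return encrypt(ke, iv, msg + mac(km, msg)), b""

def open_etm(ke, km, iv, c, tag):
    """EtM receiver: verify the tag first, decrypt only when it is valid."""
    if not hmac.compare_digest(mac(km, iv + c), tag):
        return None
    return encrypt(ke, iv, c)

def leaks_plaintext_equality(compose) -> bool:
    """Encrypt one message twice under fresh IVs; if any visible component
    (ciphertext or tag) repeats, an observer learns the plaintexts were equal."""
    ke, km, msg = os.urandom(16), os.urandom(16), b"sensor reading 21.5C"
    c1, t1 = compose(ke, km, os.urandom(8), msg)
    c2, t2 = compose(ke, km, os.urandom(8), msg)
    return any(a == b and len(a) > 0 for a, b in zip((c1, t1), (c2, t2)))
```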
ALE uses 128-bit keys. Among the lightweight schemes, it provides the longest authentication tag. Moreover, it implements AES and requires initialization due to the stream cipher components. As a result, it exhibits the worst overall status, with high area demands and low throughput. ALE also consumes the most power.
FIDES achieves the smallest chip area and power consumption. However, it presents low throughput. FIDES has a short initialization phase, and the encryption and MAC components process the data sequentially. The presented integrated solutions are larger but considerably faster due to the parallel operation of PRESENT and SPONGENT, resulting in a better overall status.
AES-CCM is designed for mainstream applications. It provides higher levels of security in return for more area. AES-CCM operates as E&M and, in general, it is faster than AES-GCM, which works as EtM. At 100-KHz frequency the scheme is quite slow. We have to mention that the referred implementation is not optimized. Both primitives require an IV.
Hardware versus software implementations
PRESENT and SPONGENT were designed with lightweight hardware implementations in mind. Still, PRESENT also produces a compact software implementation, suitable for embedded devices. The authors’ comparative analysis of LWC (Manifavas et al., 2014) revealed that the most efficient implementation of PRESENT-80 in embedded software requires 936 bytes of code for 23.8 Kbps throughput at 4 MHz frequency. This is 8.6 times slower than the hardware implementation. SPONGENT has not been studied in the context of embedded software, but it is estimated that it would perform worse than in hardware. Thus, the individual hardware implementations that are reported in this article are more efficient than the relevant implementations in embedded software; their throughput ranges from 65.78 Kbps to 206.5 Kbps. The same conclusion stands for the integrated solutions in hardware and software.
Hummingbird-2 performs well in embedded software. Its most efficient implementation achieves 200 Kbps throughput for encryption (Manifavas et al., 2014). However, it remains slower than the hardware implementations of the same algorithm (222.2 Kbps) and PRESENT (206.5 Kbps). Thus, the Hummingbird-2 protocol performs worse in embedded software than in hardware.
Grain-128a, ALE, and FIDES are hardware-oriented schemes. Their performance is worse in embedded software. ALE, AES-GCM, and AES-CCM can utilize the AES-NI instruction set on Intel CPUs for increased performance, but that instruction set is not available on embedded devices.
Conclusions
In this article, an integrated hardware implementation of the block cipher PRESENT and the hash function SPONGENT was proposed. The overall chip area is reduced by implementing only once the hardware elements that are common to both primitives. The resulting scheme provides authenticated encryption functionality. The complete security application is implemented on an FPGA with input/output from UART gates. The proposed integrated solution achieves a 27% reduction in hardware area over the simple combination of the two primitives. The most secure version requires about 2508 GE for 82.64 Kbps throughput and 3.9-μW power consumption. The variants of the integrated solution are more compact than the lightweight Hummingbird-2 and Grain-128a, and achieve a better overall status than FIDES. Moreover, the hardware design performs significantly better than a comparable embedded software design. The proposed approach results in energy-efficient and lightweight implementations that are suitable for green networking and embedded devices. The overall system forms an energy-efficient infrastructure that is suitable for constrained environments, such as sensor networks.
Funding
This work was funded by the General Secretariat of Research and Technology of Greece (GSRT) under the project “AFORMI – Allowing for Reconfigurable Hardware to Efficiently Implement Algorithms of Multidisciplinary Importance,” funded in the call “ARISTEIA” of the framework “Education and Lifelong Learning” (code 2427).
INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE 9
References
Abdelraheem, M. A. (2013). Estimating the probabilities of low-weight differential and linear approximations on PRESENT-like ciphers. In T. Kwon, M.-K. Lee, & D. Kwon (Eds.), Information security and cryptology - ICISC 2012: 15th International Conference, Seoul, Korea, November 28–30, 2012, revised selected papers (Vol. 7839, pp. 368–382). Berlin Heidelberg: Springer.
Ågren, M., Hell, M., Johansson, T., & Meier, W. (2011). A new version of Grain-128 with optional authentication. International Journal of Wireless and Mobile Computing, 5(1), 48–59.
Banik, S., Maitra, S., & Sarkar, S. (2012, November 3–4). A differential fault attack on Grain-128a using MACs (pp. 111–125). SPACE 2012, Springer, LNCS: Chennai, India.
Bellare, M., & Namprempre, C. (2000). Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In T. Kwon, M.-K. Lee, & D. Kwon (Eds.), Advances in cryptology – ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3–7, 2000, Proceedings (Vol. 7839, pp. 531–545). Berlin Heidelberg: Springer.
Bilgin, B., Bogdanov, A., Knezevic, M., Mendel, F., & Wang, Q. (2013). Fides: Lightweight authenticated cipher with side-channel resistance for constrained hardware. In G. Bertoni & J.-S. Coron (Eds.), Cryptographic hardware and embedded systems - CHES 2013: 15th International Workshop, Santa Barbara, CA, USA, August 20–23, 2013. Proceedings (Vol. 8086, pp. 142–158). Berlin Heidelberg: Springer.
Bogdanov, A., Knezevic, M., Leander, G., Toz, D., Varici, K., & Verbauwhede, I. (2011). SPONGENT: A lightweight hash function. In B. Preneel & T. Takagi (Eds.), Cryptographic hardware and embedded systems - CHES 2011: 13th International Workshop, Nara, Japan, September 28–October 1, 2011. Proceedings (Vol. 6917, pp. 312–325). Berlin Heidelberg: Springer.
Bogdanov, A., Knudsen, L. R., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J. B., . . . Vikkelsoe, C. (2007). PRESENT: An ultra-lightweight block cipher. In P. Paillier & I. Verbauwhede (Eds.), Cryptographic hardware and embedded systems - CHES 2007: 9th International Workshop, Vienna, Austria, September 10–13, 2007. Proceedings (Vol. 4727, pp. 450–466). Berlin Heidelberg: Springer.
Bogdanov, A., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J. B., & Seurin, Y. (2008). Hash functions and RFID tags: Mind the gap. In E. Oswald & P. Rohatgi (Eds.), Cryptographic hardware and embedded systems – CHES 2008: 10th International Workshop, Washington, D.C., USA, August 10–13, 2008. Proceedings (Vol. 5154, pp. 283–299). Berlin Heidelberg: Springer.
Bogdanov, A., Mendel, F., Regazzoni, F., Rijmen, V., & Tischhauser, E. (2014). ALE: AES-based lightweight authenticated encryption. In S. Moriai (Ed.), Fast software encryption: 20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised selected papers (Vol. 8424, pp. 447–466). Berlin Heidelberg: Springer.
CAESAR. (2013). CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. Retrieved from http://competitions.cr.yp.to/caesar.html
Desoky, A. (2013). Innocipher: A novel innocent-cipher-based cryptography paradigm – high level of security for fooling the enemy. Information Security Journal: A Global Perspective, 22(2), 83–97.
Dworkin, M. (2007). Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC (NIST Special Publication 800-38D). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology.
Engels, D., Saarinen, M.-J. O., Schweitzer, P., & Smith, E. M. (2011). The Hummingbird-2 lightweight authenticated encryption algorithm. In A. Juels & C. Paar (Eds.), RFID. Security and privacy: 7th International Workshop, RFIDSec 2011, Amherst, USA, June 26–28, 2011, revised selected papers (Vol. 7055, pp. 19–31). Berlin Heidelberg: Springer.
Grand View Research. (2014). Embedded system market analysis by product, by application and segment forecasts to 2020. Retrieved from http://www.grandviewresearch.com/industry-analysis/embedded-system-market
Guo, J., Peyrin, T., & Poschmann, A. (2011). The PHOTON family of lightweight hash functions. In P. Rogaway (Ed.), Advances in cryptology - CRYPTO 2011: 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2011. Proceedings (Vol. 6841, pp. 222–239). Berlin Heidelberg: Springer.
Information & Communication Technology (ICT). (2008). W-GREEN. Lapland, Finland. Retrieved from http://www.cwc.oulu.fi/workshops/W-Green2008.pdf
ISO/IEC. (2012). ISO/IEC standard for lightweight cryptographic methods 29192-1. ISO/IEC. Retrieved from http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56425
Jungk, B., Lima, L. R., & Hiller, M. (2014, December 8–10). A systematic study of lightweight hash functions on FPGAs (pp. 1–6). ReConFig14, Cancun, Mexico: IEEE.
Manifavas, C., Hatzivasilis, G., Fysarakis, K., & Rantos, K. (2014). Lightweight cryptography for embedded systems - a comparative analysis. In J. Garcia-Alfaro, G. Lioudakis, N. Cuppens-Boulahia, S. Foley, & W. M. Fitzgerald (Eds.), Data privacy management and autonomous spontaneous security: 8th International Workshop, DPM 2013, and 6th International Workshop, SETOP 2013, Egham, UK, September 12–13, 2013, revised selected papers (Vol. 8247, pp. 333–349). Berlin Heidelberg: Springer.
Mukherjee, S., & Sahoo, B. (2011). A survey on hardware implementation of IDEA cryptosystem. Information Security Journal: A Global Perspective, 20(4–5), 210–218.
OpenCores. (2011). PRESENT-80 Verilog implementation. Retrieved from http://opencores.com/project,present_encryptor
Ozen, O., Varici, K., Tezcan, C., & Kocair, C. (2009). Lightweight block ciphers revisited: Cryptanalysis of reduced round PRESENT and HIGHT. In C. Boyd & J. González Nieto (Eds.), Information security and privacy: 14th Australasian Conference, ACISP 2009, Brisbane, Australia, July 1–3, 2009, Proceedings (Vol. 5594, pp. 90–107). Berlin Heidelberg: Springer.
Poschmann, A. (2009). Lightweight cryptography – cryptographic engineering for a pervasive world (Doctoral thesis). IT-SECURITY series, No. 8, Ruhr-University, Bochum, Germany.
Saarinen, M.-J. O. (2013). Related-key attacks against full Hummingbird-2. In S. Moriai (Ed.), Fast software encryption: 20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised selected papers (Vol. 8424, pp. 467–482). Berlin Heidelberg: Springer.
San, I., & At, N. (2012). Compact Keccak hardware architecture for data integrity and authentication on FPGAs. Information Security Journal: A Global Perspective, 21(5), 231–242.
Shirai, T., Shibutani, K., Akishita, T., Moriai, S., & Iwata, T. (2007). The 128-bit blockcipher CLEFIA (extended abstract). In A. Biryukov (Ed.), Fast software encryption: 14th International Workshop, FSE 2007, Luxembourg, Luxembourg, March 26–28, 2007, revised selected papers (Vol. 4593, pp. 181–195). Berlin Heidelberg: Springer.
Sklavos, N. (2010). On the hardware implementation cost of crypto-processors architectures. Information Security Journal: A Global Perspective, 19(2), 53–60.
sustainableIT. (2011). Green computing makes good business sense. Retrieved from http://www.sustainableit.com/green-computers-make-good-business-sense/
Wu, S., Wu, H., Huang, T., Wang, M., & Wu, W. (2013). Leaked-state-forgery attack against the authenticated encryption algorithm ALE. In K. Sako & P. Sarkar (Eds.), Advances in cryptology - ASIACRYPT 2013: 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1–5, 2013, proceedings, part I (Vol. 8269, pp. 377–404). Berlin Heidelberg: Springer.
Yang, L., Wang, M., & Qiao, S. (2009). Side channel cube attack on PRESENT. In J. A. Garay, A. Miyaji, & A. Otsuka (Eds.), Cryptology and network security: 8th International Conference, CANS 2009, Kanazawa, Japan, December 12–14, 2009. Proceedings (Vol. 5888, pp. 379–391). Berlin Heidelberg: Springer.
Biographies
George Hatzivasilis is a PhD candidate in the Technical University of Crete’s School of Electrical & Computer Engineering. His research interests include embedded-system security, privacy, and dependability. Hatzivasilis received an MSc in computer science from the University of Crete. Contact him at gchatzivasilis@isc.tuc.gr.
George Floros is an undergraduate student in the Computer Science Department of the University of Crete. He was an undergraduate trainee at CERN. His research interests include hardware and software security. Contact him at floros@csd.uoc.gr.
Ioannis Papaefstathiou is a professor in the Technical University of Crete’s School of Electrical & Computer Engineering. He is interested in the architecture and design of novel computer systems. Papaefstathiou received a PhD in computer science from the University of Cambridge. Contact him at ypg@mhl.tuc.gr.
Charalampos Manifavas is a professor in the Department of Electrical Engineering and Computing Sciences, Rochester Institute of Technology Dubai. His research interests include network and information security. Manifavas received a PhD in computer science from the University of Cambridge. Contact him at cxmcad@rit.edu.