A Survey of Lightweight-Cryptography Implementations
Author: T. Eisenbarth, S. Kumar, L. Uhsadel, C. Paar, A. Poschmann 
Description: The tight cost and implementation constraints of high-volume products, including secure RFID tags and smart cards, require specialized cryptographic implementations. The authors review recent developments in this area for symmetric and asymmetric ciphers, targeting embedded hardware and software. In this article, we present a selection of recently published lightweight-cryptography implementations and compare them to state-of-the-art results in their field.

@INCOLLECTION{ieee2007, author = {T. Eisenbarth, S. Kumar, L. Uhsadel, C. Paar, A. Poschmann}, title = {{A Survey of Lightweight-Cryptography Implementations}}, booktitle = {A Survey of Lightweight-Cryptography Implementations}, publisher = {IEEE Design \& Test of Computers}, year = {2007}, }
Related Tags: ASIC, lightweight, crypto 

Side-channel Resistant Lightweight ASIC Implementations of DES and AES
Author: A. Poschmann 
Description: In this thesis, we investigate a new lightweight cipher based on DESX. We investigate the design criteria of DES presented in [Cop94] and derive stronger design criteria. We show that S-boxes which satisfy our new design criteria are more resistant against both differential and linear cryptanalysis. Our new cipher DLX is similar to DES or DESX, respectively, except for the f-function. DES uses eight different S-boxes, whereas our cipher only repeatedly uses one improved S-box (eight times). The implementation results show that our new cipher DLX requires less chip size, less energy, and is more secure against both differential and linear cryptanalysis. We also show that DLX requires 40% less chip size, 85% less clock cycles, and consumes only about 10% of the energy than the best AES implementation with regard to RFIDs needs [FDW04]. In this thesis we also investigate side channel attacks on AES. We present a size optimised VHDL design of the AES and its results for a standard cell implementation. We show that this ASIC can easily be broken with a simple power analysis (SPA).

@INCOLLECTION{2005_DA_DESL_Poschmann_2005, author = {A. Poschmann}, title = {{Side-channel Resistant Lightweight ASIC Implementations of DES and AES}}, booktitle = {Side-channel Resistant Lightweight ASIC Implementations of DES and AES}, publisher = {Chair for Communication Security}, year = {2005}, }
Related Tags: S-box, ASIC, VHDL, lightweight, crypto, embedded

Elliptic Curve Cryptography for Constrained Devices 
Author: S. Kumar 
Description: There is a re-emerging demand for low-end devices such as 8-bit processors, driven by needs for pervasive applications like sensor networks and RFID tags. Security in pervasive applications, however, has been a major concern for their widespread acceptance. Public-key cryptosystems (PKC) like RSA and DSA generally involve computation-intensive arithmetic operations with operand sizes of 1024-2048 bits, making them impractical on such constrained devices. Elliptic Curve Cryptography (ECC), which has emerged as a viable alternative, is a favored public-key cryptosystem for embedded systems due to its small key size, smaller operand length, and comparably low arithmetic requirements. However, implementing full-size, standardized ECC on 8-bit processors is still a major challenge and normally considered to be impracticable for small devices which are constrained in memory and computational power. The thesis at hand is a step towards showing the practicability of PKC and in particular ECC on constrained devices. We leverage the flexibility that ECC provides with the different choices for parameters and algorithms at different hierarchies of the implementation. First a secure key exchange using PKC on a low-end wireless device with the computational power of a widely used 8-bit 8051 processor is presented. An Elliptic Curve Diffie-Hellman (ECDH) protocol is implemented over 131-bit Optimal Extension Field (OEF) purely in software. A secure end-to-end connection in an acceptable time of 3 seconds is shown to be possible on such constrained devices without requiring a cryptographic coprocessor. We also investigate the potential of software/hardware co-design for architectural enhancements including instruction set extensions for low-level arithmetic used in ECC, most notably to speed up multiplication in the finite fields.
We show that a standard compliant 163-bit point multiplication can be computed in 0.113 sec on an 8-bit AVR microcontroller running at 4 MHz (a typical representative for a low-cost pervasive processor) with minimal additional hardware extensions. Our design not only accelerates the computation by a factor of more than 30 compared to a software-only solution, it also reduces the code-size and data-RAM. Two new custom instructions for the MIPS 32-bit processor architecture are also proposed to accelerate the reduction modulo a pseudo-Mersenne prime. We also show that the efficiency of multiplication in an OEF can be improved by a modified multiply and accumulate unit with a wider accumulator. The proposed architectural enhancements achieve a speed-up factor of 1.8 on the MIPS processor. In addition, different architectural enhancements and optimal digit-size choices for the Least Significant Digit (LSD) multiplier for binary fields are presented. The two different architectures, the Double Accumulator Multiplier (DAM) and N-Accumulator Multiplier (NAM), are both faster compared to traditional LSD multipliers. Later, an area/time efficient ECC processor architecture (for the OEFs of size 169, 289 and 361 bits) which performs all finite field arithmetic operations in the discrete Fourier domain is described. We show that a small optimized implementation of ECC processor with 24k equivalent gates on a 0.35 µm CMOS process can be realized for 169-bit curve using the novel multiplier design. Finally we also present a highly area optimized ASIC implementation of the ECC processor for various standard compliant binary curves ranging from 133-193 bits. An area between 10k and 18k gates on a 0.35 µm CMOS process is possible for the different curves, which makes the design very attractive for enabling ECC in constrained devices.

@INCOLLECTION{ author = {S. Kumar}, title = {{Elliptic Curve Cryptography for Constrained Devices}}, booktitle = {Elliptic Curve Cryptography for Constrained Devices}, publisher = {}, year = {2006}, } 
Related Tags: crypto 

Enabling Full-Size Public-Key Algorithms on 8-bit Sensor Nodes
Author: L. Uhsadel, A. Poschmann, C. Paar 
Description: In this article we present the fastest known implementation of a modular multiplication for a 160-bit standard compliant elliptic curve (secp160r1) for 8-bit microcontrollers which are typically used in WSNs. The major part (77%) of the processing time for an elliptic curve operation such as ECDSA or EC Diffie-Hellman is spent on modular multiplication. We present an optimized arithmetic algorithm which significantly speeds up ECC schemes. The reduced processing time also yields a significantly lower energy consumption of ECC schemes. With our implementation results we can show that a 160-bit modular multiplication can be performed in 0.39 ms on an 8-bit AVR processor clocked at 7.37 MHz. This brings the vision of asymmetric cryptography in the field of WSNs with all its benefits for key-distribution and authentication a step closer to reality.

@INCOLLECTION{eccesas2007, author = {L. Uhsadel, A. Poschmann, C. Paar}, title = {{Enabling Full-Size Public-Key Algorithms on 8-bit Sensor Nodes}}, booktitle = {Proceedings of ESAS 2007}, publisher = {Springer-Verlag}, year = {2007}, }
Related Tags: lightweight, Assembly, crypto, embedded 

Are standards compliant elliptic curve cryptosystems feasible on RFID? 
Author: S. Kumar, C. Paar 
Description: With elliptic curve cryptography emerging as a serious alternative, the desired level of security can be attained with significantly smaller key sizes. This makes ECC very attractive for small-footprint devices with limited computational capability, memory and low-bandwidth network connections. However ECC is still considered to be impracticable for very low-end constrained devices like sensor networks and RFID tags. We present a stand-alone highly area optimized ECC processor design for standards compliant binary field curves. We use the fast squarer implementation to construct an addition chain that allows inversion to be computed efficiently. Hence, we propose an affine coordinate ASIC implementation of the ECC processor using a modified Montgomery point multiplication method for binary curves ranging from 113-193 bits. An area between 10k and 18k gates on a 0.35 µm CMOS process is possible for the different curves, which makes the design very attractive for enabling ECC in constrained devices.

@INCOLLECTION{ author = {S. Kumar, C. Paar}, title = {{Are standards compliant elliptic curve cryptosystems feasible on RFID?}}, booktitle = {}, publisher = {}, year = {2006}, } 
Related Tags: crypto 

New Lightweight Crypto Algorithms for RFID 
Author: G. Leander, C. Paar, A. Poschmann, K. Schramm 
Description: The authors propose a new block cipher, DESL (DES lightweight extension), which is strong, compact and efficient. Due to its low area constraints DESL is especially suited for RFID (radio-frequency identification) devices. DESL is based on the classical DES (data encryption standard) design; however, unlike DES it uses a single S-box repeated eight times. This approach makes it possible to considerably decrease chip size requirements. The S-box has been highly optimized in such a way that DESL resists common attacks, i.e., linear and differential cryptanalysis, and the Davies-Murphy attack. Therefore DESL achieves a security level which is appropriate for many applications. Furthermore, we propose a lightweight implementation of DESL which requires 45% less chip size and 86% less clock cycles than the best AES implementations with regard to RFID applications. Compared to the smallest DES implementation published, our DESL design requires 38% less transistors. Our 0.18 µm DESL implementation requires a chip size of 7392 transistors (1848 gate equivalences) and is capable of encrypting a 64-bit plaintext in 144 clock cycles. When clocked at 100 kHz, it draws an average current of only 0.89 µA. These hardware figures are in the range of the best eSTREAM stream-cipher candidates, comprising DESL as a new alternative for ultra low-cost encryption.

@INCOLLECTION{desliscas_2007, author = {G. Leander, C. Paar, A. Poschmann, K. Schramm}, title = {{New Lightweight Crypto Algorithms for RFID}}, booktitle = {Proceedings of The IEEE International Symposium on Circuits and Systems 2007 - ISCAS 2007}, publisher = {IEEE}, year = {2007}, }
Related Tags: S-box, ASIC, VHDL, lightweight, crypto

Security for 1000 Gate Equivalents 
Author: C. Rolfes, A. Poschmann, C. Paar 
Description: Product piracy and counterfeiting is a market with an annual turnover of hundreds of billions of US-Dollars. The application of RFID-tags is discussed widely to cope with this problem. A major obstacle for a mass deployment of RFID-tags, beside the harsh requirements on power consumption, are fabrication costs. In hardware, fabrication costs are proportional to the required area. In this paper we present three different architectures of the PRESENT algorithm. Our implementation of the serialized architecture requires only 1000 GE. To the best of our knowledge this is the smallest hardware implementation of a cryptographic algorithm with a moderate security level.

@INCOLLECTION{secsi2007, author = {C. Rolfes, A. Poschmann, C. Paar}, title = {{Security for 1000 Gate Equivalents}}, booktitle = {ecrypt workshop SECSI - Secure Component and System Identification}, publisher = {}, year = {2008}, }
Related Tags: crypto, Assembly 

An Efficient General Purpose Elliptic Curve Cryptography Module for Ubiquitous Sensor Networks 
Author: L. Uhsadel, A. Poschmann, and C. Paar 
Description: In this article we present the fastest known implementation of a modular multiplication for a 160-bit standard compliant elliptic curve (secp160r1) for 8-bit microcontrollers which are typically used in ubiquitous sensor networks (USN). The major part (77%) of the processing time for an elliptic curve operation such as ECDSA or EC Diffie-Hellman is spent on modular multiplication. We present an optimized arithmetic algorithm which significantly speeds up ECC schemes. The reduced processing time also yields a significantly lower energy consumption of ECC schemes. We show that a 160-bit modular multiplication can be performed in 0.37 ms on an 8-bit AVR processor clocked at 8 MHz. This brings the vision of asymmetric cryptography in the field of USNs with all its benefits for key-distribution and authentication a step closer to reality.

@INCOLLECTION{eccspeed2007, author = {L. Uhsadel, A. Poschmann, and C. Paar}, title = {{An Efficient General Purpose Elliptic Curve Cryptography Module for Ubiquitous Sensor Networks}}, booktitle = {ecrypt workshop SPEED - Software Performance Enhancement for Encryption and Decryption}, publisher = {}, year = {2007}, }
Related Tags: ASIC, VHDL, Assembly, crypto 

Comparison of Low-Power Public Key Cryptography on MICAz 8-Bit Micro Controller
Author: L. Uhsadel 
Description: The terms ubiquitous and pervasive computing designate the penetration of our everyday life with intelligent devices. These tiny, constrained, and battery powered nodes are used to build WSNs that may process sensitive data. Therefore security as well as low energy consumption are crucial in this field. Since runtime scales with energy consumption, efficient implementation is necessary at all costs. We will show by comparing different implementations of asymmetric algorithms that ECC is a good choice in this case, as it allows shorter key length with adequate security level and furthermore can be efficiently implemented. We will provide mathematical background as well as algorithms for an efficient implementation. Subsequently we will present the fastest known implementation of a 160-bit multiplication, which is the core operation of the prime field of the standardized elliptic curve secp160r1. Even though the implementation is highly optimized for speed, the code-size of 5.4 KB and RAM requirements of 112 B are acceptable. The highly efficient prime field is implemented in assembly and available on request. It is thought to be the base for highly efficient curve implementations. A curve with basic optimizations is written in C and can also be reused. The 160-bit multiplication has a runtime of 0.39 ms and requires with our C implementation of the curve 1.151 s for a point multiplication. This could be optimized to approximately 0.76 s for one point multiplication in combination with a highly efficient elliptic curve. Furthermore this would allow the execution of an ECDSA signature in less than one second without precalculation.

@INCOLLECTION{2007_DA_ECC_Uhsadel, author = {L. Uhsadel}, title = {{Comparison of Low-Power Public Key Cryptography on MICAz 8-Bit Micro Controller}}, booktitle = {Comparison of Low-Power Public Key Cryptography on MICAz 8-Bit Micro Controller}, publisher = {Chair for Communication Security}, year = {2007}, }
Related Tags: lightweight, crypto, embedded 

New Lightweight DES Variants
Author: G. Leander, C. Paar, A. Poschmann, K. Schramm 
Description: In this paper we propose a new block cipher, DESL (DES Lightweight), which is based on the classical DES (Data Encryption Standard) design, but unlike DES it uses a single S-box repeated eight times. On this account we adapt well-known DES S-box design criteria, such that they can be applied to the special case of a single S-box. Furthermore, we show that DESL is resistant against certain types of the most common attacks, i.e., linear and differential cryptanalyses, and the Davies-Murphy attack. Our hardware implementation results of DESL are very promising (1848 GE), therefore DESL is well suited for ultra-constrained devices such as RFID tags.

@INCOLLECTION{2007_deslfse, author = {G. Leander, C. Paar, A. Poschmann, K. Schramm}, title = {{New Lightweight DES Variants}}, booktitle = {Proceedings of Fast Software Encryption 2007 - FSE 2007}, publisher = {Springer-Verlag}, year = {2007}, }
Related Tags: S-box, lightweight, crypto
