The areas after the Place and Route phase of our WGLCE in CMOS 130nm and 65nm ASICs are 1474 GEs and 1355 GEs respectively. Both are smaller than the well-accepted area limit (2000 GEs) for passive RFID tags. We compare our WGLCE with the cryptographic engines in previous papers, such as AES plus Grain [33] and Present-80 plus LAMED [107], as shown in Table 6.11. Although there is no actual hardware implementation of LAMED, the estimated area of LAMED is larger than that of Warbler based on the analysis in [72]. The smallest area of AES, reported by Moradi et al. [82], is 2400 GEs in CMOS 180nm ASIC. Considering all the above factors together, the area of WGLCE is smaller than that of the other two designs.
Table 6.11: Comparisons with the Existing Cryptographic Engines

| Design | Crypto Engines | Area (GEs) | Power @ 2 MHz (µW) | Tech (nm) | Common Hardware Reuse |
|---|---|---|---|---|---|
| Ertl et al. [33] | AES | 2770 | − | 130 | No |
| | Grain | 2450 | − | 130 | |
| Todd et al. [107] | Present-80 | 1900 | − | 65 | No |
| | LAMED | − | − | − | |
| This work | WGLCE | 1474 | 12.47 | 130 | Yes |
| | | 1355 | 9.29 | 65 | |
6.5 Summary
In this chapter, we designed a lightweight cryptographic engine (WGLCE) for passive RFID systems. WGLCE is a fusion of the Warbler pseudorandom number generator and the lightweight stream cipher WG-5, which can be easily integrated into RFID systems. First, we investigated the rationales and design choices for WGLCE and then explored the hardware implementation of WG-5. Later on, we discussed the design, hardware architectures, and implementations of our WGLCE. Finally, we compared our WGLCE results with other cryptographic engines. Overall, our WGLCE can satisfy the area requirement for the security extension in passive RFID tags, and it is a promising candidate for this kind of application.
Chapter 7
Conclusions and Future Work
This chapter concludes the thesis and provides future work. Section 7.1 presents a summary of contributions and concluding remarks, and the potential future work directions are discussed in Section 7.2.
7.1 Conclusions
In this thesis, we concentrated on the efficient hardware implementations and optimizations of lightweight cryptography, including the block cipher Simeck, stream cipher WG-8, pseudorandom number generator Warbler, and cryptographic engine WGLCE, in order to meet the constraints in resource constrained applications. We have shown that they can meet the area, power consumption, and throughput requirements in passive RFID tags and they are promising candidates for resource constrained applications.
Motivated by the designs of SIMON and SPECK, we first proposed Simeck, a new family of lightweight block ciphers with Feistel structure. Simeck takes advantage of the good components and design ideas of SIMON and SPECK, and it has three instances with different block and key sizes: Simeck32/64, Simeck48/96, and Simeck64/128. Simeck is designed to have a smaller area than SIMON through the following considerations: the reduced shift numbers in the round function, the simplified key schedule, and the simplified LFSR to generate the key constant. We provided an extensive exploration of different hardware architectures in order to strike a balance between area, throughput, and power consumption for SIMON and Simeck in both CMOS 130nm and CMOS 65nm ASICs. We verified that Simeck is indeed smaller than SIMON in terms of area and power consumption, and a thorough analysis of the area reductions for parallel and fully serialized architectures is given. Moreover, our SIMON's area is smaller than the results of SIMON given in the original paper. In addition, the security analysis showed that even though the round function of Simeck is quite simple, this round function is iterated a sufficient number of times to provide adequate security against known attacks.
For WG-8, we explored four different constructions for the WG transformation module. The first architecture directly employs an $8 \times 8$ constant array over $\mathbb{F}_{2^8}$. The second one is based on the tower construction $\mathbb{F}_{(2^4)^2}$ together with small $4 \times 4$ constant arrays for arithmetic in $\mathbb{F}_{2^4}$, due to the existence of a primitive element. The third architecture is slightly different from the second one, due to the usage of a type-I ONB for efficient computations in $\mathbb{F}_{2^4}$. Finally, the fourth architecture takes advantage of the tower construction $\mathbb{F}_{((2^2)^2)^2}$ coupled with a nice property for computing the trace of the product of two finite field elements under this particular tower construction. We also proposed a novel hybrid design with the parallel width from one to eleven for each proposed architecture. We gave the results on low-cost FPGA and CMOS 65nm and CMOS 130nm ASICs in terms of area, clock speed, throughput and power consumption. The experimental results showed that the lightweight stream cipher WG-8 with the direct constant array based hardware architecture is optimal in terms of throughput, area, and power consumption, when compared to the tower field arithmetic based approaches. The main reason is the small field size as well as the relatively complicated architecture of the WG-8 permutation/transformation module. Although the tower field based approaches for WG-8 are not efficient, the proposed architecture and extensive experimental results still provide valuable guidance for efficient hardware implementation of medium or large instances of the WG stream cipher family. Moreover, with a few additional hardware resources, the parallel implementations can achieve a high throughput without decreasing the clock speed too much.
Later on, we presented the first detailed and smallest hardware implementations and optimizations of the Warbler PRNG in CMOS 65nm and CMOS 130nm ASICs. We proposed an architecture for hardware implementations of Warbler with thorough analysis. We improved the throughput from 1/5 bpc to 1 bpc at the cost of increasing the area by 46% and 36% in CMOS 65nm and CMOS 130nm, respectively. Moreover, the sequential logic ratios for all our designs are bigger than 65% for a throughput of 1/5 bpc and are around 50% for a throughput of 1 bpc. We determined that the LFSR counter-based design is better than the binary counter-based design in terms of area and total power consumption. The area of the WG-5 transformation table depends upon the selected decimation value, giving us some suggestions for future cipher and pseudorandom number generator designs using WG-5 transformations. When compared with other lightweight primitives, the areas of our Warbler implementations are smaller than those of other PRNGs and are in fact smaller than those of most lightweight primitives.
Finally, we proposed a lightweight cryptographic engine, WGLCE, which can be easily integrated into passive RFID systems. WGLCE merges the Warbler PRNG and the WG-5 stream cipher, and it takes advantage of reusing the FSM. WGLCE has two functionalities: data encryption/decryption and random number generation. We provided the design rationales, architectures, and implementation results in CMOS 65nm and CMOS 130nm ASICs. Moreover, an interface between WGLCE and the outside environment was provided as well. When compared with other cryptographic engines, the area of WGLCE is smaller than theirs. Overall, the results showed that it can satisfy the requirement for the security extension in passive EPC RFID systems.