Security of Ubiquitous Computing Systems pp 21–47
Catalog and Illustrative Examples of Lightweight Cryptographic Primitives
Abstract
The main objective of this chapter is to offer to practitioners, researchers and all interested parties a brief categorized catalog of existing lightweight symmetric primitives with their main cryptographic features, ultimate hardware performance, and existing security analysis, so they can easily compare the ciphers or choose some of them according to their needs. Certain security evaluation issues have been addressed as well. In particular, the reason behind why modern lightweight block cipher designs have in the last decade overwhelmingly dominated stream cipher design is analyzed in terms of security against tradeoff attacks. It turns out that it is possible to design stream ciphers having much smaller internal states.
2.1 Introduction
Lightweight cryptography aims to deploy cryptographic algorithms in resource-constrained devices such as embedded systems, RFID devices and sensor networks. The cryptographic community has done a significant amount of work in this area, including design, implementation and cryptanalysis of new lightweight cryptographic algorithms, together with efficient implementation of conventional cryptography algorithms in constrained environments (see the Lightweight Cryptography Lounge,^{1} [89, 260, 391]). Most recent cryptographic competitions such as NIST’s SHA-3 Cryptographic Hash Algorithm Competition^{2} and eSTREAM project^{3} (with the Profile 2) had requirements that support implementations for highly constrained devices. Additionally, NIST currently is working on a special call^{4} to create a portfolio of lightweight algorithms through an open standardization process.
The lightweightness of a given cryptographic algorithm can be obtained in two ways: by optimized implementations with respect to different constraints, or by dedicated designs which use smaller key sizes, smaller internal states, smaller building blocks, simpler rounds, simpler key schedules, etc. There are several relevant metrics for assessing lightweight algorithms, such as power and energy consumption, latency, throughput and resource requirements [404]. Power and energy consumption are important for devices that are battery-oriented or energy harvesting. Latency is the time taken to perform a given task, and is important for applications where fast response time is necessary (e.g., Advanced Driver Assistance Systems), while throughput can be defined as the rate at which the plaintext is processed per time unit, and is measured in Bps.
Resource requirements are expressed differently in hardware and software implementations. In the hardware case, they are described as gate area, expressed by logic blocks for FPGAs or by Gate Equivalents (GEs) for ASIC implementations. However, these measures highly depend on the particular technology, so it is not possible to do a fair and relevant comparison of the lightweight algorithm implementations exactly across different technologies. In the software case, resource requirements are described as number of registers, RAM and ROM consumption in bytes. ROM consumption corresponds in fact with the code size.
Hardware implementations are suitable for highly constrained devices. For example, on the low end, low-cost passive RFID tags may have a total of 1000–10,000 gates, with only 200–2000 budgeted for security purposes [309]. Software implementations are suitable for less constrained devices, and they are optimized for throughput and energy consumption.
Some design choices related to dedicated lightweight cryptographic algorithms have influences on the security margins. For example, smaller key sizes such as 80 bits or 96 bits are in conflict with the current NIST minimum key size requirement of 112 bits. Smaller block and output sizes in some algorithms may lead to plaintext recovery or codebook attacks. Simpler key schedules may enable different attacks using related keys, weak keys, etc. Smaller internal state (IS) and digest sizes in hash functions may lead to collision attacks. Simpler rounds sometimes mean that more iterations are required to achieve security.
The main objective of this chapter is to offer to practitioners, researchers and all interested parties a short categorized catalog of existing symmetric lightweight primitives with their main features, some details about known software and hardware performance, and existing security analysis, to enable selection according to specific needs. These cryptographic primitives can be categorized into five areas: block and stream ciphers, hash functions, message authentication codes, and authenticated encryption schemes. As a consequence of the simplicity which provides lightweightness, the security evaluation of lightweight stream ciphers appears as an issue of top importance, and so a number of illustrative elements relevant for cryptanalysis of lightweight encryption techniques have been pointed out as well.
It can easily be observed that (see Sect. 2.2) almost all of the recently designed lightweight ciphers are block ciphers. The requirement for unnecessarily large internal states results in extra hardware area cost which definitely hinders designing ultra-lightweight stream ciphers. We analyze the arguments behind this criterion and propose to loosen it by justifying the security analysis in Sect. 2.3. We believe this adoption will promote the design and even the analysis of lightweight stream ciphers.
2.2 Catalog of Lightweight Cryptographic Primitives
The catalog of lightweight cryptographic primitives is divided into five categories: block and stream ciphers, hash functions, message authentication codes, and authenticated encryption schemes.
2.2.1 Block Ciphers
Block ciphers encrypt one block of plaintext bits at a time, to a block of ciphertext bits, through multiple rounds, and using a secret key. Each round is a sequence of several simple transformations, which provide confusion and diffusion [522]. In each round, a round key is used, which is derived from the secret key using a key schedule algorithm. According to the algorithm structure, block ciphers can be divided into several types:

Substitution Permutation Network (SPN)—each round consists of substitution (S) and permutation (P) boxes. Usually, S-boxes are nonlinear transformations and provide confusion, while P-boxes are linear and provide diffusion.

Feistel Network (Feistel)—divides the input block into two halves, L_{i} and R_{i}, and in each round, the output block is (L_{i+1}, R_{i+1}) = (R_{i}, L_{i} ⊕ F(R_{i}, K_{i+1})), where F is the round-function (introduced by H. Feistel [209]).

Add-Rotate-XOR (ARX)—only three operations are used: modular addition, rotation and XOR.

Generalized Feistel Network (GFN)—divides the input block into n parts, and each round consists of a round-function layer and a block-permutation layer, which usually is a cyclic shift. If the round-function is applied only to one part, we speak about Type-1, and if it is applied on the n∕2 parts, we speak about Type-2 GFN. If there is an additional linear layer between the two layers, we speak about Extended GFN [78].

LFSR-based—in the round function they use one or more Linear Feedback Shift Registers (LFSRs) in combination with nonlinear functions.

LS-design—each round combines linear diffusion L-boxes with nonlinear bit-slice S-boxes, and they are aimed at efficient masked implementations against side-channel analysis [247].

XLS-design—a variation of the LS-design, that uses the additional ShiftColumns operation, and Super S-boxes [306].
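
The Feistel and Type-2 GFN rounds from the list above, as an added Python example that is not part of the chapter: the round function F is a truncated SHA-256 (deliberately not invertible) and the round keys are constructed constants, both assumptions made for the demo. It shows that decryption reuses F without ever inverting it, and that a single Type-2 GFN round leaves some branches untouched, which is why such simple rounds need many iterations.

```python
import hashlib

WORD_BITS = 16  # toy branch width (assumption); 2 branches = Feistel, 4 = GFN demo

def F(word: int, round_key: bytes) -> int:
    """Toy round function: truncated SHA-256, deliberately NOT invertible."""
    digest = hashlib.sha256(round_key + word.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")

def feistel_encrypt(left: int, right: int, round_keys):
    # (L_{i+1}, R_{i+1}) = (R_i, L_i xor F(R_i, K_{i+1}))
    for k in round_keys:
        left, right = right, left ^ F(right, k)
    return left, right

def feistel_decrypt(left: int, right: int, round_keys):
    # R_i = L_{i+1} and L_i = R_{i+1} xor F(R_i, K_{i+1}); F is only evaluated forward
    for k in reversed(round_keys):
        left, right = right ^ F(left, k), left
    return left, right

def gfn2_encrypt(words, round_keys):
    """Type-2 GFN: F on n/2 branches, then a cyclic shift of the n branches."""
    x = list(words)
    for k in round_keys:
        for i in range(0, len(x), 2):          # round-function layer
            x[i + 1] ^= F(x[i], k + bytes([i]))
        x = x[1:] + x[:1]                      # block-permutation layer
    return x

def gfn2_decrypt(words, round_keys):
    x = list(words)
    for k in reversed(round_keys):
        x = x[-1:] + x[:-1]                    # undo the cyclic shift
        for i in range(0, len(x), 2):          # XOR the same F values back out
            x[i + 1] ^= F(x[i], k + bytes([i]))
    return x

# Constructed demo round keys; a real cipher derives them with a key schedule.
ROUND_KEYS = [bytes([r]) * 4 for r in range(8)]

def changed_words(rounds: int):
    """Which of 4 output branches differ after flipping one bit of branch 0."""
    a = gfn2_encrypt([0, 0, 0, 0], ROUND_KEYS[:rounds])
    b = gfn2_encrypt([1, 0, 0, 0], ROUND_KEYS[:rounds])
    return [u != v for u, v in zip(a, b)]

if __name__ == "__main__":
    ct = feistel_encrypt(0x1234, 0xBEEF, ROUND_KEYS)
    print("Feistel round trip ok:", feistel_decrypt(*ct, ROUND_KEYS) == (0x1234, 0xBEEF))
    for r in (1, 2, 4):
        print(f"GFN branches changed after {r} round(s):", changed_words(r))
```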
There are also tweakable block ciphers, which in addition to the key and the message have a third input named tweak, and they must be secure even if the attacker is able to control the tweak input. Each tweakable block cipher can be seen as a family of permutations in which each (key, tweak) pair selects one permutation.
Lightweight block ciphers (characteristics)
Name  Ref  Type  Key size (bits)  Block size (bits)  No. of rounds  Techno. (μm)  No. of GEs
3-Way  [164]  SPN  96  96  11  −  −
AES-128  [166]  SPN  128  128  10  0.18  2400
CLEFIA  [527]  Type-2 GFN  128/192/256  128  18/22/26  0.13  2604 [16] (CLEFIA-128)
DESL/DESLX  [361]  Feistel  56/184  64  16  0.18  1848/2168
Fantomas  [247]  SPN+LS-design  128  128  12  −  −
FLY  [317]  SPN  128  64  20  −  −
GOST revisited  [487]  Feistel  256  64  32  0.18  651
GRANULE  [54]  Feistel  80/128  64  32  0.18  1288/1577
HIGHT  [283]  ARX+Type-2 GFN  128  64  32  0.25  3048
ICEBERG  [541]  SPN  128  64  16  −  −
ITUbee  [315]  Feistel  80  80  20  −  −
KASUMI  [1]  Feistel  128  64  8  0.11  2990 [586]
KATANn/KTANTANn  [126]  LFSR-based  80  n ∈ {32, 48, 64}  254  0.13  1054 (n = 64) / 462 (n = 32)
KLEIN  [239]  AES-like SPN  64/80/96  64  12/16/20  −  −
LBlock  [583]  Feistel  80  64  32  0.18  1320
LEA  [282]  ARX+GFN  128/192/256  128  24/28/32  0.13  3826
LED  [252]  AES-like SPN  64/128  64  32/48  0.18  966/1265
Lilliput  [78]  Extended GFN  80  4  30  0.065  1581
MANTIS_{r}^{a}  [68]  SPN  128+64 tweakey  64  r ∈ {5, 7}  −  −
mCrypton  [372]  SPN  64/96/128  64  12  −  −
MIBS  [299]  Feistel  64/80  64  32  0.18  1396
Midori  [51]  AES-like SPN  128  64/128  16/20  0.09  2450/3661
MISTY1  [398]  Feistel  128  64  8  −  −
Mysterion  [306]  SPN+XLS-design  128/256  128/256  12/16  −  −
Noekeon  [165]  SPN  128  128  16  −  −
PICARO  [485]  Feistel  128  128  12  −  −
Piccolo  [526]  GFN  80/128  64  25/31  −  −
PRESENT  [101]  SPN  80/128  64  31  0.18  1075/1391
PRIDE  [17]  SPN  128  64  20  −  −
PRINCE  [105]  SPN  128  64  12  0.13  3491
PRINTcipher  [333]  SPN  80/160  48/96  48/96  0.18  402/726
PUFFIN-2  [569]  SPN  80  64  34  0.18  1083
RC5-12  [502]  ARX+Feistel  128  64  12  −  −
RECTANGLE  [598]  SPN  80/128  64  25  0.13  1599.5/2063.5
RoadRunneR  [63]  Feistel  80/128  64  10/12  −  −
Robin  [247]  SPN+LS-design  128  128  16  −  −
SEA  [542]  Feistel  n = m(6b)  n  odd^{b}  −  −
SKINNY^{a}  [68]  SPN  (64, 128, 192)/(128, 256, 384) tweakey  64/128  (32, 36, 40)/(40, 48, 56)  0.18  (1223, 1696, 2183)/(2391, 3312, 4268)
Simeck  [588]  Feistel  64/96/128  32/48/64  32/36/44  0.13  549/778/1005
SIMON  [65]  Feistel  64/(72, 96)/(96, 128)/(96, 144)/(128, 192, 256)  32/48/64/96/128  32/36/(42, 44)/(52, 54)/(68, 69, 72)  0.13  1234 (SIMON 128/128)
SPARX  [181]  ARX+SPN  128/128/256  64/128/128  24/32/40  −  −
SPECK  [65]  ARX+Feistel  64/(72, 96)/(96, 128)/(96, 144)/(128, 192, 256)  32/48/64/96/128  22/(22, 23)/(26, 27)/(28, 29)/(32, 33, 34)  0.13  1280 (SPECK 128/128)
TWINE  [544]  Type-2 GFN  80/128  64  36  0.09  1799
QARMA^{a}  [39]  SPN  128/256  64/128  16/24  −  −
XTEA  [436]  Feistel  128  64  64  0.13  3490
Zorro  [227]  AES-like SPN  128  128  24  −  −
Lightweight block ciphers (best known attacks)
Name  Ref  Best known attack: data complexity/memory/time complexity
3-Way  [164]  Practical related-key attack [320], 1 related key pair, 2^{22} CPs
AES-128  [166]  Biclique key-recovery attack [545]: 2^{56} / − /2^{126.13}
CLEFIA  [527]  Impossible differential attack [106]: 2^{114.58} / 2^{83.16}B /2^{116.16}
DESL/DESLX  [361]  Linear cryptanalysis on DES [311]: 2^{39} − 2^{41} DES evaluations; related-key attack on DESX [474]: 2^{3.5} KPs/− / 2^{56} DES evaluations
Fantomas  [247]  −
FLY  [317]  −
GOST revisited  [487]  Single-key KP differential attack [159]: 2^{64} / 2^{70}B /2^{179}
GRANULE  [54]  −
HIGHT  [283]  Biclique cryptanalysis [15]: 2^{8} / − /2^{126.07}
ICEBERG  [541]  Differential cryptanalysis [543]: 2^{63} CPs /2^{96} enc. on 8 rounds
ITUbee  [315]  −
KASUMI  [1]  Practical related-key attack [192]: 4 related keys, 2^{26} / 2^{30} B / 2^{32}
KATANn/KTANTANn  [126]  Meet-in-the-Middle attack on KTANTANn [104]: (3, 2, 2) pairs/ −/(2^{75.17}, 2^{75.044}, 2^{75.584})
KLEIN  [239]  Truncated differential attack [497]: 2^{48.6} / 2^{32} /2^{54.9} on KLEIN-64
LBlock  [583]  CP related-key impossible differential attack [584]: 2^{63} / − /2^{75.42} on 24 rounds
LEA  [282]  −
LED  [252]  Random-difference distinguishers [443]: − / 2^{60}B/2^{60.3} on 40 rounds LED-128
Lilliput  [78]  Key-recovery attack with the division property [512]: 2^{63} / − /2^{77} on 17 rounds
MANTIS_{r}  [68]  Practical key-recovery attack [185]: 2^{28} / − /2^{38} enc. on MANTIS_{5}
mCrypton  [372]  Related-key impossible differential cryptanalysis [388]: (2^{59.9}, 2^{59.7}) / (2^{63.9}, 2^{55.7})B /(2^{74.9}, 2^{66.7}) on 9 rounds
MIBS  [299]  Biclique cryptanalysis [519] (MIBS-80): 2^{52}/− /2^{78.98}
Midori  [51]  Key-recovery attack for the class of 2^{32} weak keys in Midori64 [250]: 2/− /2^{16}
MISTY1  [398]  Single-key integral attack [56]: 2^{64}/− /2^{69.5}
Mysterion  [306]  −
Noekeon  [165]  Many related keys (weakness) [334]
PICARO  [485]  Related-key attack [129]: 2^{99}/2^{22}B /2^{107.4}
Piccolo  [526]  Biclique cryptanalysis [15]: 2^{4}/− /(2^{79.07}, 2^{127.12})
PRESENT  [101]  Biclique cryptanalysis (PRESENT-80) [15]: 2^{22}/− /2^{79.37}
PRIDE  [17]  Multiple related-key differential attack [167]: 2^{41.6}/− /2^{42.7}
PRINCE  [105]  Multiple differential attack [128]: 2^{57.94}/2^{61.52} /2^{60.62} on 10 rounds
PRINTcipher  [333]  Invariance subspace attack [359] applicable to 2^{52}/ 2^{102} weak keys: 5 CPs/ −/ negligible
PUFFIN-2  [569]  Differential attack [95]: 2^{52.3} CPs/− /2^{74.78}
RC5-12  [502]  Differential attack [88]: 2^{44} CPs
RECTANGLE  [598]  Related-key differential attack [521]: 2^{62}/2^{72}B/2^{67.42} on 19 rounds
RoadRunneR  [63]  −
Robin  [247]  Key-recovery attack for the weak key set of density 2^{−32} [360]: 1 CP/− /2^{64}
SEA  [542]  −
SKINNY  [68]  Related-tweakey impossible differential attacks [23]: 2^{71.4}/2^{64} /2^{79} up to 23 rounds
Simeck  [588]  Linear hull attack with dynamic key-guessing techniques [491]: (2^{31.91}, 2^{47.66}, 2^{63.09})/ −/(2^{61.78}, 2^{92.2}, 2^{111.44}) add. and (2^{56.41}, 2^{88.04}, 2^{121.25}) enc.
SIMON  [65]  Differential cryptanalysis on 12/16/19/28/37 reduced-round SIMON32/48/64/96/128
SPARX  [181]  Truncated-differential attack [24]: 2^{32} /2^{61}/2^{93} on 16 rounds (SPARX-64/128)
SPECK  [65]  Differential cryptanalysis [537]: 2^{125.35}/2^{22}/2^{125.35} on 23 rounds of the SPECK128/128
TWINE  [544]  Impossible differential and multidimensional zero correlation linear attack [373]: 2^{62.1} KPs/ 2^{60}B / 2^{73} (TWINE-80)
QARMA  [39]  −
XTEA  [436]  Related-key rectangle attack [380]: 2^{63.83} / − / 2^{104.33} on 36 rounds
Zorro  [227]  Differential attack [55]: 2^{41.5} / 2^{10} / 2^{45}
The current best FELICS results for scenario 1: Encrypt 128 bytes of data in CBC mode
Cipher  AVR Code (B)  AVR RAM (B)  AVR Time (Cyc.)  MSP Code (B)  MSP RAM (B)  MSP Time (Cyc.)  ARM Code (B)  ARM RAM (B)  ARM Time (Cyc.)  FoM
Speck  966  294  39,875  556  288  31,360  492  308  15,427  5.1 
Speck  874  302  44,895  572  296  32,333  444  308  16,505  5.2 
Simon  1084  363  63,649  738  360  47,767  600  376  23,056  7.0 
Simon  1122  375  66,613  760  372  49,829  560  392  23,930  7.2 
RECTANGLE  1152  352  66,722  812  398  44,551  664  426  35,286  8.0 
RECTANGLE  1118  353  64,813  826  404  44,885  660  432  36,121  8.0 
LEA  1684  631  61,020  1154  630  46,374  524  664  17,417  8.3 
SPARX  1198  392  65,539  966  392  36,766  1200  424  40,887  8.8 
SPARX  1736  753  83,663  1118  760  53,936  1122  788  67,581  13.2 
HIGHT  1414  333  94,557  1238  328  120,716  1444  380  90,385  14.8 
AES  3010  408  58,246  2684  408  86,506  3050  452  73,868  15.8 
Fantomas  3520  227  141,838  2918  222  85,911  2916  268  94,921  17.8 
Robin  2474  229  184,622  3170  238  76,588  3668  304  91,909  18.7 
Robin⋆  5076  271  157,205  3312  238  88,804  3860  304  103,973  20.7 
RC5-20  3706  368  252,368  1240  378  386,026  624  376  36,473  20.8
PRIDE  1402  369  146,742  2566  212  242,784  2240  452  130,017  22.8 
RoadRunneR  2504  330  144,071  3088  338  235,317  2788  418  119,537  23.3 
RoadRunneR  2316  209  125,635  3218  218  222,032  2504  448  140,664  23.4 
LBlock  2954  494  183,324  1632  324  263,778  2204  574  140,647  25.2 
PRESENT  2160  448  245,232  1818  448  202,050  2116  470  274,463  32.8 
PRINCE  2412  367  288,119  2028  236  386,781  1700  448  233,941  34.9 
Piccolo  1992  314  407,269  1354  310  324,221  1596  406  294,478  38.4 
TWINE  4236  646  297,265  3796  564  387,562  2456  474  255,450  40.0 
LED  5156  574  2,221,555  7004  252  2,065,695  3696  654  594,453  138.6 
2.2.2 Stream Ciphers
Stream ciphers encrypt small portions of data (one or several bits) at a time. By using a secret key, they generate a pseudorandom keystream, which is then combined with the plaintext bits to produce the ciphertext bits. Very often the combining function is bitwise XORing, and in that case we speak about binary additive stream ciphers. The basic security rule for stream ciphers is not to encrypt two different messages with the same pair of key/IV. So, stream ciphers usually have a large keystream period, and a different key and/or IV should be used after the period elapses. Each stream cipher usually has an initialization phase with some number of rounds (or clock-cycles), followed by an encryption phase. A fast initialization phase makes a given cipher suitable for encrypting many short messages, while when several large messages need to be encrypted, stream ciphers with a fast encryption phase are more appropriate.
Lightweight stream ciphers (characteristics)
Name  Ref  Key size (bits)  IV/nonce (bits)  IS (bits)  Output size (bits)  Max. keystream bits per (key, IV/nonce)  No. of init. rounds/cycles  Techno. (μm)  No. of GEs
A2U2  [173]  61  64  95  1  var.  −  283 estimated  
A5/1  [92]  64  22  64  1  228  86 + 100  −  − 
BEAN  [350]  80  64  160  2  81  −  −  
CAR30  [172]  128  120  256  128  >2^{122}  160  −  − 
CAvium  [511]  80  80  288  1  −  144  −  − 
ChaCha  [79]  256  64  512  512  2^{73}  8/12/20  0.18  9110 [270] 
E0  [96]  8−128  26+ 48  132  1  240  −  −  
Enocoro  80/128(v2)  64  176/272  8  2^{35}/2^{67}  40/96  0.18/0.09  2700/4100
Fruit-80  [228]  80  70  80  1  2^{43}  160  0.18  960
Grain  80(v1)/128  64/96  160/256  1  2^{43}  160  0.13  1294/1857 [240]  
LILLE  [53]  80  80  80/100/120  40  2^{32} ⋅ 40  720  0.09  911/991.6/1076.4 
LIZARD  [253]  120  64  121  1  2^{18}  128+128  0.18  1161 
MICKEY 2.0  [48]  80/128  80/128  200/320  1  2^{40}/2^{64}  260/416  0.13  3188/5039 [240]
Plantlet  [421]  80  90  110  1  2^{30}  320  0.18  928 
Rabbit  [98]  128  64  513  128  2^{71}  4+4  0.18  3800 
RAKAPOSHI  [148]  128  192  320  1  2^{64}  448  −  − 
Salsa20  [80]  256  64  512  512  2^{73}  20  0.18  9970 [270] 
SNOW 3G  [204]  128  128  576  32  32  −  −  
Sprout  [27]  80  70  89  1  2^{40}  320  0.18  813 
Trivium  [127]  80  80  288  1  2^{64}  1152  0.35  749 [409] 
Quavium  [555]  80  80  288  1  2^{64}  1152  −  3496 estimated 
WG-8  [207]  80  80  160  1  2^{160}  40  0.065  1786 [587]
ZUC (v 1.6)  [205]  128  128  560  32  32  0.065  12,500 [378] 
Lightweight stream ciphers (best known attacks)
Name  Ref  Best known attack: data complexity/memory/time complexity
A2U2  [173]  Practical key-recovery attack [524] under the KP attack model 210/−/2^{24.7}
A5/1  [92]  Practical Time-Memory tradeoff attack [92] 2sec KPs/ 2^{48} preprocessing steps to compute 300GB/ 2^{24}
BEAN  [350]  Distinguishing attack [13] with 2^{17} keystream bits
CAR30  [172]  −
CAvium  [511]  −
ChaCha  [79]  Multi-bit differential attack [143]: 2^{28} / −/ 2^{233} on 7 rounds
E0  [96]  Practical key-recovery attack [381] using the first 24 bits of 2^{23.8} frames and 2^{38} computations
Enocoro  −
Fruit-80  [228]  −
Grain  Fast near collision attack [595]: 2^{19} / 2^{28}/ 2^{75.7} on Grain v1
LILLE  [53]  −
LIZARD  [253]  Distinguishing attack [52]: −/2^{76.6}/2^{51.5} random IV enc
MICKEY 2.0  [48]  Practical related key attack [179] with 65/113 related (K, IV) pairs and 0.9835/0.9714 success rate
Plantlet  [421]  Distinguishing attack [422]
Rabbit  [98]  Differential fault analysis [330] with 128 − 256 faults: −/2^{41.6} B/2^{38}
RAKAPOSHI  [148]  Related key attack [297]: 2^{38} chosen IVs/−/ 2^{41}
Salsa20  [80]  Multi-bit differential attack [143]: 2^{96} / −/ 2^{244.9} on 8 rounds
SNOW 3G  [204]  Multiset distinguisher [90]: 2^{8} on 13 rounds
Sprout  [27]  Many, e.g., key recovery attack [50]: −/−/2^{66.7} enc.
Trivium  [127]  Key-recovery attack [224]: 2^{77} on 855 rounds
Quavium  [555]  −
WG-8  [207]  Related key attacks [180] with one related key 2^{52} chosen IVs/−/ 2^{53.32}
ZUC (v 1.6)  −
Additionally, Enocoro and Trivium are part of the ISO/IEC 29192-3:2012 standard, and Rabbit is part of ISO/IEC 18033-4:2011. SNOW 3G was chosen for the 3GPP encryption algorithms UEA2 and UIA2, while ZUC was chosen for the 3GPP algorithms 128-EEA3 and 128-EIA3. The profile 2 eSTREAM portfolio includes Grain v1, MICKEY 2.0 and Trivium. There is an IETF implementation of ChaCha20, published in RFC 7539, which as a modification has a 96-bit nonce and a maximum message length of up to 2^{32} − 1B that can be safely encrypted with the same key/nonce.
2.2.3 Hash Functions
A hash function is any function that maps a variable length input message into a fixed length output. The output is usually called a hash-code, message digest, hash value or hash result. Cryptographic hash functions must be preimage (one-way), second preimage and collision resistant.
Usually the message is first padded and then divided into blocks of fixed length. The most common method is to iterate over a so-called compression function, that takes two fixed size inputs, a message block and a chaining value, and produces the next chaining value. This is known as a Merkle-Damgård (MD) construction. The sponge construction is based on a fixed-length unkeyed permutation (P-Sponge) or random function (T-Sponge), that operates on b bits, where b = r + c. b is called the width, r is called the rate (the size of the message block) and the value c the capacity. The capacity determines the security level of the given hash function. There is also a JH-like sponge in which the message block is injected twice.
The main problem of using conventional hash functions in constrained environments is their large internal state. SHA-3 uses a 1600 bit IS, and its most compact hardware implementation needs 5522 GE [471] on 0.13 μm technology. On the other hand, SHA-256 has a smaller IS (256 bit), but one of its smaller hardware implementations uses 10,868 GE [211] on 0.35 μm technology.
Lightweight hash functions can have smaller internal state and digest sizes (for applications where collision resistance is not required), better performance on short messages, small hardware implementations, etc. In some cases, for example tag-based applications, there is a need only for the one-way property. Also, most tag protocols require hashing of small messages, usually much less than 256 bits.
Lightweight hash functions (cryptographic properties)
Name  Ref  Construction  Type of compression function  Message digest (bits)  IS (bits)  Rate (bits)  Preimage  Second preimage  Collisions  Best known attack
ARMADILLO2  [49]  MD  BC with data-depend. bit transpositions  80/128/160/192/256  256/384/480/576/768  48/64/80/96/128  2^{80}∕2^{128}∕2^{160}∕2^{192}∕2^{256}  2^{80}∕2^{128}∕2^{160}∕2^{192}∕2^{256}  2^{40}∕2^{64}∕2^{80}∕2^{96}∕2^{128}  Practical free-start collision attack [435] 2^{8.9}∕2^{10.2}∕2^{10.2}∕2^{10.2}∕2^{10.2}
DM-PRESENT  [102]  MD  PRESENT in Davies-Meyer mode  64  64  80 / 128  2^{64}  2^{64}  2^{32}  Multi-differential collision attack [343] 2^{29.18} hash comp. on 12 rounds
H-PRESENT  [102]  MD  PRESENT in double-block-length c.  128  128  64  2^{128}  2^{128}  2^{64}  −
GLUON  [77]  T-sponge  Based on Feedback with Carry Shift Register  128/160/224  136/176/256  8/16/32  2^{128}∕2^{160}∕2^{224}  2^{64}∕2^{80}∕2^{112}  2^{64}∕2^{80}∕2^{112}  Preimage attack [469] 2^{105} complexity
Lesamnta-LW  [281]  MD  Type-1 GFN 64-round BC in LW1 mode  256  256  128  2^{120}  2^{120}  2^{120}  −
LHash  [582]  P-Sponge  18-round Feistel-PG  80/96  96/96  16/16  2^{64}∕2^{80}  2^{40}∕2^{40}  2^{40}∕2^{40}  −
PHOTON  [251]  P-Sponge  12 round AES-like permutation  80/128/160/224/256  100/144/196/256/288  (20,16)/16/36/32/32  2^{64}∕2^{112}∕2^{124}∕2^{192}∕2^{224}  2^{40}∕2^{64}∕2^{80}∕2^{112}∕2^{128}  2^{40}∕2^{64}∕2^{80}∕2^{112}∕2^{128}  −
QUARK  [33]  P-Sponge  Grain-like permutation 544/704/1024 rounds  136(u)/176(s)/256(d)  136/176/256  8/16/32  2^{128}∕2^{160}∕2^{224}  2^{64}∕2^{80}∕2^{112}  2^{64}∕2^{80}∕2^{112}  −
sLiSCP  [20]  P-Sponge  Type 2 GFN Simeck  160/160/192  192/256/256  32/64/64  2^{128}∕2^{128}∕2^{160}  2^{80}∕2^{96}∕2^{96}  2^{80}∕2^{96}∕2^{96}  −
SPN-Hash  [144]  P-Sponge  SPN permutation in JH mode 10 rounds  128/256  256/512  128/256  2^{128}∕2^{256}  2^{128}∕2^{256}  2^{64}∕2^{128}  −
SPONGENT  [100]  P-Sponge  PRESENT-like permutation 45/70/90/120/140 r.  80/128/160/224/256  88/136/176/240/272  8/8/16/16/16  2^{80}∕2^{120}∕2^{144}∕2^{208}∕2^{240}  2^{40}∕2^{64}∕2^{80}∕2^{112}∕2^{128}  2^{40}∕2^{64}∕2^{80}∕2^{112}∕2^{128}  Linear distinguishers [2] on 23 rounds of the SPONGENT permutation
Lightweight hash functions (implementation properties)
Name  Ref  Techno. (μm)  No. of GEs  Throughput (Kbps @ 100kHz)
ARMADILLO  [49]  0.18  (2923/4353/5406/6554/8653) vs. (4030/6025/7492/8999/11,914)  (27/250/250/25/25) vs. (109/1000/100/100/100)
DM-PRESENT  [102]  0.18  (1600/1886) vs. (2213/2530)  (14.62/22.9) vs. (242.42/387.88)
H-PRESENT  [102]  0.18  2330 vs. 4253  11.45 vs. 200
GLUON  [77]  −  2071/2799.3/4724  12.12/32/58.18
Lesamnta-LW  [281]  0.09  8240  −
LHash  [582]  0.18  817/817/1028  2.40/2.40/(1.81, 0.91)
PHOTON  [251]  0.18  (865/1122/1396/1736/2177) vs. (1168/1708/2117/2786/4362)  (2.82/1.61/2.7/1.86/3.21) vs. (15.15/10.26/20/15.69/20.51)
QUARK  [33]  0.18  (1379/1702/2296) vs. (2392/2819/4640)  (1.47/2.27/3.13) vs. (11.76/18.18/50)
sLiSCP  [20]  0.065  2271/3019/3019  29.62/44.44/22.22
SPN-Hash  [144]  0.18  (2777 / 4625) vs. (4600 / 8500)  (36.1 / 35.8) vs. (55.7 / 111.3)
SPONGENT  [100]  0.13  (738 / 1060 / 1329 / 1728 / 1950) vs. (1127 / 1687 / 2190 / 2903 / 3281)  (0.81 / 0.34 / 0.4 / 0.22 / 0.17) vs. (17.78 / 11.43 / 17.78 / 13.33 / 11.43)
2.2.4 Message Authentication Codes
A message authentication code (MAC) protects the integrity and authenticity of a given message, by generating a tag from the message and a secret key. MAC schemes can be constructed from block ciphers (e.g., CBC-MAC (part of the ISO/IEC 9797-1:1999 standard) or OCB-MAC [504]), from cryptographic hash functions (e.g., HMAC (RFC 2104)), etc. Three lightweight security architectures have been proposed for wireless sensor networks: TinySec [316], MiniSec [382] and SenSec [370]. TinySec and MiniSec recommend CBC-MAC and the patented OCB-MAC, while SenSec recommends XCBC-MAC, for which there is an existential forgery attack [238], and all suggest the use of 32-bit tags. 32-bit security is not enough—the recommended size is at least 64 bits.
Lightweight MACs (characteristics)
Name  Ref  Type  Key size (bits)  Block size (bits)  Tag size (bits)  No. of rounds  Techno. (μm)  No. of GEs
Chaskey  [428]  Permutation-based MAC  128  128  ≥64  8 (12)  3334.33 GE [356] estimated
LightMAC  [384]  New parallelizable mode with BC and two keys  2 × 80/128  64/128  64/128  Depends on the BC used  −  −
SipHash-2-4  [32]  ARX-based keyed hash function  128  256  64  2 + 4 4 fin. rounds  −  −
TuLP  [238]  PRESENT BC in ALRED construction  80/160  64/128  64  14  0.18  2252/2764
2.2.5 Authenticated Encryption Schemes
Authenticated encryption (AE) schemes combine the functions of ciphers and MACs in one primitive, so they provide confidentiality, integrity, and authentication of a given message. Besides the plaintext and the secret key, they usually accept variable length Associated Data (AEAD schemes), a public nonce, and an optional secret nonce. AD is a part of a message that should be authenticated, but not encrypted.
Lightweight authenticated encryption schemes (characteristics)
Name  Ref  Type  Key (bits)  Nonce (bits)  IS (bits)  Block/rate (bits)  Tag (bits)  Techno. (μm)  No. of GEs 

ACORN v3^{a}  [581]  SC (LFSR)  128  128  293  1  128  −  − 
ALE  [103]  SC (AES, LEX leak)  128  128  256  128  128  0.065  2700 
APE  [22]  Sponge (different hash f.) e.g., PHOTON-196  160^{d}  36n^{d} (opt.)  196^{d}  36^{d}  160^{d}  0.18  1634^{d}
ASC-1  [300]  SC (AES, LEX leak CFB-like mode)  256  56  512  128  128  0.065  4964 [103]
Ascon^{a}  [186]  Sponge (SPN)  96/128  96/128  320  64 (128 for Ascon-128a)  96/128  0.009  2570 (7970) Ascon-128 [245] (SCA-protected)
C-QUARK  [36]  Sponge (LFSR, NFSR)  256  64  384  64  ≥ 64  0.09  4000
FIDES  [87]  Sponge (AES-like, 16 rounds)  80/96  80/96  160/192  10/12  80/96  0.09  793−2876/ 1001−4792
Hummingbird-2  [200]  Hybrid (SPN)  128  64  128  16  128  0.13  2159−3220
Helix  [215]  SC (ARX)  256  128  160  32  128  −  −
Joltik^{b}  [304]  tweakable BC (Joltik-BC)  64/80/96/ 128+64/48/96/64 tweak  32/24/48/32  64  64  64  −  2100/2100/ 2600/2600 (estimated)
KETJE^{a}  [82]  Sponge (Keccak-f)  k≤ 182/ k≤ 382  182−k/ 382−k  200/400  16/32  64  −  −
LAC^{c}  [596]  SC (LBlock-s, LEX leak)  64  80  144  48  64  −  1300 (estimated)
NORX32 v.3^{a}  [35]  Sponge (LRX, 4/6 rounds)  128  64  512  320  128  0.018  62,000
NORX8/NORX16  [34]  Sponge (LRX, 4/6 rounds)  80/96  32  128/256  40/128  80/196  −  1368/2880 (estimated)
Sablier^{c}  [594]  SC (LFSR)  80  80  208  16  32  −  1925 (estimated)
SCREAM^{b}/iSCREAM  [246]  tweakable BC (SPN+LS-designs)  128+ 128 tweak  8−120  128  128  128  −  −
sLiSCP  [20]  Sponge (Type-2 GFS+Simeck)  80/112/128  80/80/128  192/192/256  32/32/64  80/112/128  0.065  2289/2289/3039
TriviAv2/uTriviA  [132]  SC (Trivium-like)  128  128  384  64  128  0.065  21,521 / 16,748
Lightweight authenticated encryption schemes (best known attacks)
Name  Ref  Best known attack: data complexity/memory/time complexity
ACORN v3  [581]  −
ALE  [103]  Forgery attack [324]: 2^{40}/−/2^{110}
APE  [22]  −
ASC-1  [300]  −
Ascon  [186]  Key-recovery attack [371]: 2^{103.9} time on 7 out of 12 rounds ASCON-128
C-QUARK  [36]  −
FIDES  [87]  State-recovery/forgery attacks [184]: 1KP/(2^{15}, 2^{18})/(2^{75}, 2^{90})
Hummingbird-2  [200]  Related key-recovery attack [525]: 24 pairs of related keys/−/2^{40}
Helix  [215]  Key-recovery attack [432]: 2^{17} CP/−/2^{88}
Joltik  [304]  −
KETJE  [82]  −
LAC  [596]  Differential forgery attack [368] with probability 2^{−61.52}
NORX32 v.3  [35]  −
NORX8/NORX16  [34]  −
Sablier  [594]  Practical state/key recovery attack [213]: −/−/2^{44}
SCREAM/iSCREAM  [246]  Practical forgery attack [530] with 2 queries
sLiSCP  [20]  −
TriviAv2/uTriviA  [132]  −
2.3 Illustrative Issues in Security Evaluation of Certain Encryption Schemes
As a consequence of the simplicity which makes them lightweight, the security evaluation of lightweight encryption schemes arises as an issue of top importance. However, constraints on chapter space limit our discussion of the security evaluation. Consequently, this section shows only a number of illustrative issues relevant for the cryptanalysis of lightweight encryption techniques. In the first part, a generic approach for security evaluation is discussed, and in the second an advanced dedicated approach is pointed out.
2.3.1 Reconsidering TMD Tradeoff Attacks for Lightweight Stream Cipher Designs
We can simply divide the tradeoff attacks against ciphers into two groups, key recovery attacks and internal state recovery attacks. The first tradeoff attack against symmetric ciphers was introduced by Hellman [268] to illustrate that the key length of DES was indeed too short. Hellman prepared several tables containing DES keys. In general, the tradeoff curve is TM^{2} = N^{2} where T is the time complexity and M is the memory complexity. N is the cardinality of the key space. Here, the data complexity D = 1 since only one chosen plaintext is used to define a one-way function which produces the (reduction of the) ciphertext of the chosen plaintext for a given key. Then, the tables are prepared during the precomputation phase. In practice, one generally considers the point T = M = N^{2∕3} on the curve since the overall complexity also becomes N^{2∕3}. The precomputation phase costs roughly O(N) encryptions. This is a generic attack which is applicable to any block cipher. Therefore, we can say that the security level diminishes to 2k∕3-bit security during the online phase of the Hellman tradeoff attack where k is the key length of a block cipher. However, one must pay a cost equivalent to exhaustive search to prepare the tables during the precomputation phase.
Stream ciphers also suffer from the same affliction by tradeoff attacks in that their keys can be recovered with an effort of 2^{2k∕3} for each of them during the online phase. Stream ciphers consist of two parts. The initialization part uses an IV and a key to produce a seed value S_{0}. Then, S_{0} is used to produce the keystream sequence through a keystream generator. While a state update function updates the internal states S_{i}, an output function produces the keystream bits (or words) z_{i}. It is possible to define a one-way function from the key to the first k bits of the keystream sequence by choosing an IV value and fixing it. This is similar to the case of tradeoff attacks on block ciphers with a chosen plaintext. However, the attack may only be mounted on a decryption mechanism since it may not be possible to choose the IV during the encryption. Then, by preparing the Hellman tables, one can recover a key in 2^{2k∕3} encryptions using 2^{2k∕3} memory. The precomputation is 2^{k}. This is similar to the Hellman attack. Therefore, stream ciphers are prone to tradeoff attacks as with block ciphers in the key recovery case.
The other category of tradeoff attacks is aimed at recovering internal states of stream ciphers, rather than keys. Babbage [47] and Golić [236], independently, introduced another type of tradeoff curve DM = N to recover an internal state. One can pick out the point D = M = N^{1∕2} to get an overall complexity of N^{1∕2}. Then, storing \(\sqrt {N}\) internal states with their outputs (keystream parts with an appropriate length), one can recover a keystream used during encryption/decryption if it is loaded in the table. We need roughly \(\sqrt {N}\) data to ensure a remarkable success rate. So, it is conventionally adopted that \(\sqrt {N}\) should be larger than 2^{k} as a security criterion just to ensure that the internal state recovery attack through tradeoff is slower than the exhaustive search. This simply means that the internal state size should be at least twice as large as the key size. This extremely strict criterion has played a very crucial role in raising extra difficulties in designing lightweight stream ciphers.
Another highly effective tradeoff attack for internal state recovery is the Biryukov-Shamir attack [91]. This simply makes use of Hellman tables. But, instead of recovering just one specific internal state, it is enough to recover only one of D internal states. Then, preparing just one Hellman table is an optimum solution and the table can contain N∕D states. So, the precomputation phase is around O(N∕D) and the tradeoff curve is TM^{2}D^{2} = N^{2} where D is bounded above by \(\sqrt {T}\) since the number of internal states contained in just one table is limited to avoid merging of collisions. We can pick out the point on the curve where time and memory are equal and maximize the data, namely T = M = N^{1∕2} and D = N^{1∕4}. We need N^{1∕2} to be larger than 2^{k} if we want the online phase of the attack to be slower than an exhaustive search. This again simply implies that the internal state size should be at least twice as large as the key size.
The condition on the size of the internal states of stream ciphers makes designing ultra-lightweight stream ciphers too difficult. Indeed, there are several ultra-lightweight (say less than 1000 GE) block ciphers recently designed, such as PRESENT [101], LED [252], KTANTAN [126], Piccolo [526], and SIMON/SPECK [65], whereas there are almost no modern stream ciphers with hardware area cost less than 1000 GE.
The security margin for state recovery attacks through tradeoff techniques is k bits, whereas it is much less, 2k∕3 bits, for the key recovery attacks, although any information about the key is assumed to be more sensitive than any information about the internal states. One can produce any internal state once the key is recovered. However, recovery of an internal state may reveal only one session of the encryption/decryption with the corresponding IV. Hence, it seems that the more sensitive data are, contradictorily, protected less against tradeoff attacks!
The security level of tradeoff attacks to recover internal states should be the same as the security level of tradeoff attacks to recover keys, just to be fair. So, the online phase of a tradeoff attack should be at least 2^{2k∕3} instead of 2^{k}. Similarly, the precomputation should not be faster than exhaustive search. In this case, D = M = N^{1∕2} ≥ 2^{2k∕3} for the Babbage-Golić attack. Then, N should be at least 2^{4k∕3}. The same bound is valid for the Biryukov-Shamir attack since the smallest overall complexity is attained when T = M = N^{1∕2}.
The precomputation phase of the Biryukov-Shamir attack is roughly N∕D, which is simply N^{3∕4} when D = N^{1∕4}. So, the precomputation phase is more than 2^{k}. This means that it is slower than an exhaustive search. On the other hand, the precomputation phase of the Babbage-Golić attack is M, and hence if the data is restricted to at most 2^{k∕3} for each key we have M ≥ 2^{k} and hence the precomputation phase will be slower than an exhaustive search.
It seems it is enough to take the internal state size as at least 4k∕3, not at least 2k, for security against tradeoff attacks. This simply implies that it is possible to design lightweight stream ciphers with much smaller internal states. However, it is an open question how to design stream ciphers with very small internal states. The security is generally based on the largeness of the states.
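The following Monte-Carlo check is an added example, not part of the chapter: it runs the Babbage-Golić table lookup against a constructed 16-bit toy filter generator to show that the success rate tracks DM∕N, and then evaluates the 2k and 4k∕3 state-size rules discussed above. The toy cipher, the function names and all parameters are assumptions made for illustration.

```python
"""Toy check of the Babbage-Golic curve D*M = N (constructed example)."""
import random

N_BITS = 16   # toy internal state size, so N = 2**16 - 1 nonzero states
PREFIX = 24   # keystream bits stored per table entry, enough to tag a state


def step(s):
    """State update: 16-bit LFSR with polynomial x^16 + x^14 + x^13 + x^11 + 1."""
    bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
    return (s >> 1) | (bit << 15)


def out(s):
    """Output function: nonlinear filter giving keystream bit z_i from S_i."""
    return (s ^ (s >> 7) ^ ((s >> 3) & (s >> 11))
            ^ ((s >> 5) & (s >> 9) & (s >> 13))) & 1


def keystream(s, n):
    """First n keystream bits produced from internal state s."""
    bits = []
    for _ in range(n):
        bits.append(out(s))
        s = step(s)
    return bits


def pack(bits):
    """Pack a list of bits into an integer usable as a dictionary key."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def build_table(m, rng):
    """Precomputation: M random states indexed by their keystream prefix."""
    table = {}
    for s in rng.sample(range(1, 1 << N_BITS), m):
        table.setdefault(pack(keystream(s, PREFIX)), []).append(s)
    return table


def recover_state(table, ks, d):
    """Online phase: look up D keystream windows; return (t, S_t) or None."""
    for t in range(d):
        for cand in table.get(pack(ks[t:t + PREFIX]), []):
            # Confirm the candidate against all remaining observed keystream.
            if keystream(cand, len(ks) - t) == ks[t:]:
                return t, cand
    return None


def success_rate(m, d, trials, seed=1):
    """Fraction of random sessions whose state is recovered with M and D."""
    rng = random.Random(seed)
    table = build_table(m, rng)          # built once, reused for every session
    hits = 0
    for _ in range(trials):
        s0 = rng.randrange(1, 1 << N_BITS)
        ks = keystream(s0, d + PREFIX + 16)
        found = recover_state(table, ks, d)
        if found is None:
            continue
        t, cand = found
        true_state = s0
        for _ in range(t):
            true_state = step(true_state)
        hits += cand == true_state
    return hits / trials


def state_bits_needed(k, relaxed):
    """Minimum state size n from N^(1/2) >= 2^k (n = 2k) or,
    with the relaxed bound N^(1/2) >= 2^(2k/3), n = ceil(4k/3)."""
    return (4 * k + 2) // 3 if relaxed else 2 * k


if __name__ == "__main__":
    n_states = (1 << N_BITS) - 1
    for m, d in [(256, 16), (256, 256), (1024, 256)]:
        rate = success_rate(m, d, trials=200)
        print(f"M={m:5d} D={d:4d} DM/N={m * d / n_states:5.2f} success={rate:.2f}")
    for k in (80, 128):
        print(f"k={k}: n >= {state_bits_needed(k, False)} (2k rule), "
              f"n >= {state_bits_needed(k, True)} (4k/3 rule)")
```

The success rate sits near 1 − e^{−DM∕N}, so it is small well below the curve DM = N and close to certain a few multiples above it; this is the behaviour the state-size criterion is built on.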
2.3.2 Guess-and-Determine Based Cryptanalysis Employing Dedicated TMDTO
This section presents an illustrative framework for cryptanalysis employing guess-and-determine and time-memory-data tradeoff (TMDTO) methods using the results of security evaluations of the lightweight stream ciphers Grain-v1, Grain-128 and LILI-128, reported in [415, 416], and [417], respectively.
2.3.2.1 Generic Approach

preset certain bits of the internal state to a suitable pattern (the all-zeros pattern, for example);

for a given m-bit prefix (usually an m-zeros prefix) of the keystream segment, algebraically recover up to m bits of the internal state assuming that the remaining internal state bits are known;

recover the assumed bits of the internal state by employing the dedicated TMDTO attack.
2.3.2.2 Summary of Cryptanalysis of Grain-v1 Employing Guess-and-Determine and Dedicated TMDTO Approaches
The internal state of Grain-v1 consists of 160 bits corresponding to the employed nonlinear and linear feedback shift registers NFSR and LFSR, respectively. For a given parameter m, let Ω^{(m)} be a subset of all internal states where three m-length segments of all zeros exist, which implies that the state generates m consecutive zero outputs. Let the vectors b^{(i)} and s^{(i)} be the states of the NFSR and LFSR, respectively, at the instant i, s^{(i)} = [s_{i}, s_{i+1}, …, s_{i+79}] and b^{(i)} = [b_{i}, b_{i+1}, …, b_{i+79}]. Let u^{(i)} be the internal state of Grain-v1, and accordingly, u^{(i)} = [s^{(i)} || b^{(i)}] = [s_{i}, s_{i+1}, …, s_{i+79}, b_{i}, b_{i+1}, …, b_{i+79}]. For a given parameter m, the set Ω^{(m)} is the set of internal state vectors defined as follows: Ω^{(m)} = {u^{(i)} | s_{i+25−j} = 0, s_{i+64−j} = 0, b_{i+63−j} = 0, j = 0, 1, …, m − 1}. Consequently, the number of internal states belonging to Ω^{(m)} is upper-bounded by 2^{160−3m}.
An illustrative numerical comparison of two algorithms for cryptanalysis of Grain-v1
References
1. 3GPP. ETSI (2014-10). Universal Mobile Telecommunications System (UMTS); LTE; 3G Security; Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification (3GPP TS 35.202 version 12.0.0 Release 12), 2014.
2. Mohamed Ahmed Abdelraheem. Estimating the probabilities of low-weight differential and linear approximations on PRESENT-like ciphers. In Taekyoung Kwon, Mun-Kyu Lee, and Daesung Kwon, editors, ICISC 12: 15th International Conference on Information Security and Cryptology, volume 7839 of Lecture Notes in Computer Science, pages 368–382, Seoul, Korea, November 28–30, 2013. Springer.
13. Martin Ågren and Martin Hell. Cryptanalysis of the stream cipher bean. In Security of Information and Networks, SIN 2011, Sydney, Australia, November 14–19, 2011, pages 21–28, 2011.
15. Siavash Ahmadi, Zahra Ahmadian, Javad Mohajeri, and Mohammad Reza Aref. Low-data complexity biclique cryptanalysis of block ciphers with application to piccolo and HIGHT. IEEE Trans. Information Forensics and Security, 9(10):1641–1652, 2014.
16. Toru Akishita and Harunaga Hiwatari. Very compact hardware implementations of the blockcipher clefia. In Selected Areas in Cryptography, SAC 2011, Ontario, Canada, August 11–12, 2011, pages 278–292, 2011.
17. Martin R. Albrecht, Benedikt Driessen, Elif Bilge Kavun, Gregor Leander, Christof Paar, and Tolga Yalçin. Block ciphers - focus on the linear layer (feat. PRIDE). In Juan A. Garay and Rosario Gennaro, editors, Advances in Cryptology – CRYPTO 2014, Part I, volume 8616 of Lecture Notes in Computer Science, pages 57–76, Santa Barbara, CA, USA, August 17–21, 2014. Springer.
20. Riham AlTawy, Raghvendra Rohit, Morgan He, Kalikinkar Mandal, Gangqiang Yang, and Guang Gong. sliscp: Simeck-based permutations for lightweight sponge cryptographic primitives. In Selected Areas in Cryptography, SAC 2017, Ottawa, Canada, August 16–18, 2017, pages 129–150, 2018.
22. Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, and Kan Yasuda. Ape: Authenticated permutation-based encryption for lightweight cryptography. In Fast Software Encryption, FSE 2014, London, UK, March 3–5, 2014, pages 168–186, 2015.
23. Ralph Ankele, Subhadeep Banik, Avik Chakraborti, Eik List, Florian Mendel, Siang Meng Sim, and Gaoli Wang. Related-key impossible-differential attack on reduced-round skinny. In Dieter Gollmann, Atsuko Miyaji, and Hiroaki Kikuchi, editors, ACNS 17: 15th International Conference on Applied Cryptography and Network Security, volume 10355 of Lecture Notes in Computer Science, pages 208–228, Kanazawa, Japan, July 10–12, 2017. Springer.
24. Ralph Ankele and Eik List. Differential cryptanalysis of round-reduced sparx-64/128. Cryptology ePrint Archive, Report 2018/332, 2018. https://eprint.iacr.org/2018/332.
27. Frederik Armknecht and Vasily Mikhalev. On lightweight stream ciphers with shorter internal states. In Gregor Leander, editor, Fast Software Encryption – FSE 2015, volume 9054 of Lecture Notes in Computer Science, pages 451–470, Istanbul, Turkey, March 8–11, 2015. Springer.
32. Jean-Philippe Aumasson and Daniel J. Bernstein. SipHash: A fast short-input PRF. In Steven D. Galbraith and Mridul Nandi, editors, Progress in Cryptology - INDOCRYPT 2012: 13th International Conference in Cryptology in India, volume 7668 of Lecture Notes in Computer Science, pages 489–508, Kolkata, India, December 9–12, 2012. Springer.
33. Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and María Naya-Plasencia. Quark: A lightweight hash. Journal of Cryptology, 26(2):313–339, April 2013.
34. Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves. Norx8 and norx16: Authenticated encryption for low-end systems. IACR Cryptology ePrint Archive 2015/1154, 2015.
35. Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves. NORX v3.0. candidate for the CAESAR competition. https://norx.io, 2016.
36. Jean-Philippe Aumasson, Simon Knellwolf, and Willi Meier. Heavy quark for secure aead. In Directions in Authenticated Ciphers, DIAC 2012, Stockholm, Sweden, July 05–06, 2012, 2012.
39. Roberto Avanzi. The QARMA block cipher family – almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes. Cryptology ePrint Archive, Report 2016/444, 2016. http://eprint.iacr.org/2016/444.
47. Steve Babbage. Improved “exhaustive search” attacks on stream ciphers. In European Convention on Security and Detection, pages 161–166. IET, May 1995.
48. Steve Babbage and Matthew Dodd. The MICKEY stream ciphers. In New Stream Cipher Designs - The eSTREAM Finalists, pages 191–209, 2008.
49. Stéphane Badel, Nilay Dagtekin, Jorge Nakahara, Khaled Ouafi, Nicolas Reffé, Pouyan Sepehrdad, Petr Susil, and Serge Vaudenay. ARMADILLO: A multipurpose cryptographic primitive dedicated to hardware. In Stefan Mangard and François-Xavier Standaert, editors, Cryptographic Hardware and Embedded Systems – CHES 2010, volume 6225 of Lecture Notes in Computer Science, pages 398–412, Santa Barbara, CA, USA, August 17–20, 2010. Springer.
50. Subhadeep Banik. Some results on Sprout. In INDOCRYPT 2015, volume 9462 of LNCS, pages 124–139. Springer, 2015.
51. Subhadeep Banik, Andrey Bogdanov, Takanori Isobe, Kyoji Shibutani, Harunaga Hiwatari, Toru Akishita, and Francesco Regazzoni. Midori: A block cipher for low energy. In Tetsu Iwata and Jung Hee Cheon, editors, Advances in Cryptology – ASIACRYPT 2015, Part II, volume 9453 of Lecture Notes in Computer Science, pages 411–436, Auckland, New Zealand, November 30 – December 3, 2015. Springer.
52. Subhadeep Banik, Takanori Isobe, Tingting Cui, and Jian Guo. Some cryptanalytic results on Lizard. IACR Transactions on Symmetric Cryptology, 2017(4):82–98, 2017.
53. Subhadeep Banik, Takanori Isobe, and Masakatu Morii. On design of robust lightweight stream cipher with short internal state. IEICE Transactions, 101-A(1):99–109, 2018.
54. Gaurav Bansod, Abhijit Patil, and Narayan Pisharoty. Granule: An ultra lightweight cipher design for embedded security. IACR Cryptology ePrint Archive 2018/600, 2018.
55. Achiya Bar-On, Itai Dinur, Orr Dunkelman, Virginie Lallemand, Nathan Keller, and Boaz Tsaban. Cryptanalysis of SP networks with partial nonlinear layers. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology – EUROCRYPT 2015, Part I, volume 9056 of Lecture Notes in Computer Science, pages 315–342, Sofia, Bulgaria, April 26–30, 2015. Springer.
56. Achiya Bar-On and Nathan Keller. A 2^{70} attack on the full MISTY1. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology – CRYPTO 2016, Part I, volume 9814 of Lecture Notes in Computer Science, pages 435–456, Santa Barbara, CA, USA, August 14–18, 2016. Springer.
63. Adnan Baysal and Sühap Sahin. Roadrunner: A small and fast bitslice block cipher for low cost 8-bit processors. In Lightweight Cryptography for Security and Privacy - 4th International Workshop, LightSec 2015, Bochum, Germany, September 10–11, 2015, Revised Selected Papers, pages 58–76, 2015.
65. Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. The simon and speck lightweight block ciphers. In Proceedings of the 52nd Annual Design Automation Conference, DAC ’15, pages 175:1–175:6, New York, NY, USA, 2015. ACM.
68. Christof Beierle, Jérémy Jean, Stefan Kölbl, Gregor Leander, Amir Moradi, Thomas Peyrin, Yu Sasaki, Pascal Sasdrich, and Siang Meng Sim. The SKINNY family of block ciphers and its low-latency variant MANTIS. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology – CRYPTO 2016, Part II, volume 9815 of Lecture Notes in Computer Science, pages 123–153, Santa Barbara, CA, USA, August 14–18, 2016. Springer.
77. Thierry P. Berger, Joffrey D’Hayer, Kevin Marquet, Marine Minier, and Gaël Thomas. The GLUON family: A lightweight hash function family based on FCSRs. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, AFRICACRYPT 12: 5th International Conference on Cryptology in Africa, volume 7374 of Lecture Notes in Computer Science, pages 306–323, Ifrane, Morocco, July 10–12, 2012. Springer.
78. Thierry P. Berger, Julien Francq, Marine Minier, and Gaël Thomas. Extended generalized feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Computers, 65(7):2074–2089, 2016.
79. Daniel J. Bernstein. Chacha, a variant of salsa20. In Workshop Record of SASC, volume 8, 2008.
80. Daniel J. Bernstein. The Salsa20 family of stream ciphers. In New Stream Cipher Designs - The eSTREAM Finalists, pages 84–97, 2008.
82. Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche, and Ronny Van Keer. Caesar submission: Ketje v2. candidate for the caesar competition. http://ketje.noekeon.org/, 2016.
87. Begül Bilgin, Andrey Bogdanov, Miroslav Knežević, Florian Mendel, and Qingju Wang. Fides: Lightweight authenticated cipher with side-channel resistance for constrained hardware. In Guido Bertoni and Jean-Sébastien Coron, editors, Cryptographic Hardware and Embedded Systems – CHES 2013, volume 8086 of Lecture Notes in Computer Science, pages 142–158, Santa Barbara, CA, USA, August 20–23, 2013. Springer.
88. Alex Biryukov and Eyal Kushilevitz. Improved cryptanalysis of RC5. In Kaisa Nyberg, editor, Advances in Cryptology – EUROCRYPT’98, volume 1403 of Lecture Notes in Computer Science, pages 85–99, Espoo, Finland, May 31 – June 4, 1998. Springer.
89. Alex Biryukov and Leo Perrin. State of the art in lightweight symmetric cryptography. Cryptology ePrint Archive, Report 2017/511, 2017. http://eprint.iacr.org/2017/511.
90. Alex Biryukov, Deike Priemuth-Schmid, and Bin Zhang. Multiset collision attacks on reduced-round SNOW 3G and SNOW 3G (+). In Jianying Zhou and Moti Yung, editors, ACNS 10: 8th International Conference on Applied Cryptography and Network Security, volume 6123 of Lecture Notes in Computer Science, pages 139–153, Beijing, China, June 22–25, 2010. Springer.
91. Alex Biryukov and Adi Shamir. Cryptanalytic time/memory/data tradeoffs for stream ciphers. In Tatsuaki Okamoto, editor, Advances in Cryptology – ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 1–13, Kyoto, Japan, December 3–7, 2000. Springer.
92. Alex Biryukov, Adi Shamir, and David A. Wagner. Real time cryptanalysis of a5/1 on a pc. In Fast Software Encryption, FSE 2000, New York, NY, USA, April 10–12, 2000, pages 1–18, 2001.
95. Céline Blondeau and Benoît Gérard. Differential Cryptanalysis of PUFFIN and PUFFIN2, 11 2011.
96. Bluetooth^{TM}. Bluetooth specification, version 5.0, 2016.
98. Martin Boesgaard, Mette Vesterager, Thomas Pedersen, Jesper Christiansen, and Ove Scavenius. Rabbit: A new high-performance stream cipher. In Thomas Johansson, editor, Fast Software Encryption – FSE 2003, volume 2887 of Lecture Notes in Computer Science, pages 307–329, Lund, Sweden, February 24–26, 2003. Springer.
100. Andrey Bogdanov, Miroslav Knežević, Gregor Leander, Deniz Toz, Kerem Varici, and Ingrid Verbauwhede. Spongent: A lightweight hash function. In Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems – CHES 2011, volume 6917 of Lecture Notes in Computer Science, pages 312–325, Nara, Japan, September 28 – October 1, 2011. Springer.
101. Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. PRESENT: An ultra-lightweight block cipher. In Pascal Paillier and Ingrid Verbauwhede, editors, Cryptographic Hardware and Embedded Systems – CHES 2007, volume 4727 of Lecture Notes in Computer Science, pages 450–466, Vienna, Austria, September 10–13, 2007. Springer.
102. Andrey Bogdanov, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, and Yannick Seurin. Hash functions and RFID tags: Mind the gap. In Elisabeth Oswald and Pankaj Rohatgi, editors, Cryptographic Hardware and Embedded Systems – CHES 2008, volume 5154 of Lecture Notes in Computer Science, pages 283–299, Washington, D.C., USA, August 10–13, 2008. Springer.
103. Andrey Bogdanov, Florian Mendel, Francesco Regazzoni, Vincent Rijmen, and Elmar Tischhauser. ALE: AES-based lightweight authenticated encryption. In Shiho Moriai, editor, Fast Software Encryption – FSE 2013, volume 8424 of Lecture Notes in Computer Science, pages 447–466, Singapore, March 11–13, 2014. Springer.
104. Andrey Bogdanov and Christian Rechberger. A 3-subset meet-in-the-middle attack: Cryptanalysis of the lightweight block cipher KTANTAN. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, SAC 2010: 17th Annual International Workshop on Selected Areas in Cryptography, volume 6544 of Lecture Notes in Computer Science, pages 229–240, Waterloo, Ontario, Canada, August 12–13, 2011. Springer.
105. Julia Borghoff, Anne Canteaut, Tim Güneysu, Elif Bilge Kavun, Miroslav Knežević, Lars R. Knudsen, Gregor Leander, Ventzislav Nikov, Christof Paar, Christian Rechberger, Peter Rombouts, Søren S. Thomsen, and Tolga Yalçin. PRINCE - A low-latency block cipher for pervasive computing applications - extended abstract. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology – ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 208–225, Beijing, China, December 2–6, 2012. Springer.
106. Christina Boura, María Naya-Plasencia, and Valentin Suder. Scrutinizing and improving impossible differential attacks: Applications to CLEFIA, Camellia, LBlock and Simon. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology – ASIACRYPT 2014, Part I, volume 8873 of Lecture Notes in Computer Science, pages 179–199, Kaohsiung, Taiwan, R.O.C., December 7–11, 2014. Springer.
126. Christophe De Cannière, Orr Dunkelman, and Miroslav Knežević. KATAN and KTANTAN - a family of small and efficient hardware-oriented block ciphers. In Christophe Clavier and Kris Gaj, editors, Cryptographic Hardware and Embedded Systems – CHES 2009, volume 5747 of Lecture Notes in Computer Science, pages 272–288, Lausanne, Switzerland, September 6–9, 2009. Springer.
127. Christophe De Cannière and Bart Preneel. Trivium. In New Stream Cipher Designs - The eSTREAM Finalists, pages 244–266, 2008.
128. Anne Canteaut, Thomas Fuhr, Henri Gilbert, María Naya-Plasencia, and Jean-René Reinhard. Multiple differential cryptanalysis of round-reduced PRINCE. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption – FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 591–610, London, UK, March 3–5, 2015. Springer.
129. Anne Canteaut, Virginie Lallemand, and María Naya-Plasencia. Related-key attack on full-round PICARO. In Orr Dunkelman and Liam Keliher, editors, SAC 2015: 22nd Annual International Workshop on Selected Areas in Cryptography, volume 9566 of Lecture Notes in Computer Science, pages 86–101, Sackville, NB, Canada, August 12–14, 2016. Springer.
132. Avik Chakraborti, Anupam Chattopadhyay, Muhammad Hassan, and Mridul Nandi. TriviA: A fast and secure authenticated encryption scheme. In Tim Güneysu and Helena Handschuh, editors, Cryptographic Hardware and Embedded Systems – CHES 2015, volume 9293 of Lecture Notes in Computer Science, pages 330–353, Saint-Malo, France, September 13–16, 2015. Springer.
143. Arka Rai Choudhuri and Subhamoy Maitra. Significantly improved multi-bit differentials for reduced round Salsa and ChaCha. IACR Transactions on Symmetric Cryptology, 2016(2):261–287, 2016. http://tosc.iacr.org/index.php/ToSC/article/view/574.
144. Jiali Choy, Huihui Yap, Khoongming Khoo, Jian Guo, Thomas Peyrin, Axel Poschmann, and Chik How Tan. SPN-hash: Improving the provable resistance against differential collision attacks. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, AFRICACRYPT 12: 5th International Conference on Cryptology in Africa, volume 7374 of Lecture Notes in Computer Science, pages 270–286, Ifrane, Morocco, July 10–12, 2012. Springer.
148. Carlos Cid, Shinsaku Kiyomoto, and Jun Kurihara. The rakaposhi stream cipher. In Information and Communications Security, ICICS 2009, Beijing, China, December 14–17, 2009, pages 32–46, 2009.
159. Nicolas T. Courtois. An improved differential attack on full GOST. In The New Codebreakers - Essays Dedicated to David Kahn on the Occasion of His 85th Birthday, pages 282–303, 2016.
164. Joan Daemen, René Govaerts, and Joos Vandewalle. A new approach to block cipher design. In Ross J. Anderson, editor, Fast Software Encryption – FSE’93, volume 809 of Lecture Notes in Computer Science, pages 18–32, Cambridge, UK, December 9–11, 1994. Springer.
165. Joan Daemen, Michaël Peeters, Gilles Van Assche, and Vincent Rijmen. Nessie proposal: NOEKEON, 2000. http://gro.noekeon.org/.
166. Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, 2002.
167. Yibin Dai and Shaozhen Chen. Cryptanalysis of full PRIDE block cipher. Science China Information Sciences, 60(5):052108, Sep 2016.
172. Sourav Das and Dipanwita Roy Chowdhury. Car30: a new scalable stream cipher with rule 30. Cryptography and Communications, 5(2):137–162, 2013.
173. Mathieu David, Damith Chinthana Ranasinghe, and Torben Bjerregaard Larsen. A2U2: A stream cipher for printed electronics RFID tags. 2011 IEEE International Conference on RFID, pages 176–183, 2011.
179. Lin Ding and Jie Guan. Cryptanalysis of mickey family of stream ciphers. Security and Communication Networks, 6(8):936–941, 2013.
180. Lin Ding, Chenhui Jin, Jie Guan, and Qiuyan Wang. Cryptanalysis of lightweight wg-8 stream cipher. IEEE Transactions on Information Forensics and Security, 9(4):645–652, 2014.
181. Daniel Dinu, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov, Johann Großschädl, and Alex Biryukov. Design strategies for ARX with provable bounds: Sparx and LAX. In Jung Hee Cheon and Tsuyoshi Takagi, editors, Advances in Cryptology – ASIACRYPT 2016, Part I, volume 10031 of Lecture Notes in Computer Science, pages 484–513, Hanoi, Vietnam, December 4–8, 2016. Springer.
182. Dumitru-Daniel Dinu, Alex Biryukov, Johann Großschädl, Dmitry Khovratovich, Yann Le Corre, and Léo Perrin. FELICS – fair evaluation of lightweight cryptographic systems. In NIST Workshop on Lightweight Cryptography 2015. National Institute of Standards and Technology (NIST), 2015.
184. Itai Dinur and Jérémy Jean. Cryptanalysis of fides. In Fast Software Encryption, FSE 2014, London, UK, March 3–5, 2014, pages 224–240, 2015.
185. Christoph Dobraunig, Maria Eichlseder, Daniel Kales, and Florian Mendel. Practical key-recovery attack on mantis5. IACR Trans. Symmetric Cryptol., 2016(2):248–260, 2017.
186. Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer. Ascon v1.2. candidate for the CAESAR competition. http://ascon.iaik.tugraz.at/, 2016.
192. Orr Dunkelman, Nathan Keller, and Adi Shamir. A practical-time related-key attack on the kasumi cryptosystem used in gsm and 3g telephony. In Advances in Cryptology - CRYPTO 2010, Santa Barbara, California, USA, August 15–19, 2010, pages 393–410, 2010.
200. Daniel W. Engels, Markku-Juhani O. Saarinen, Peter Schweitzer, and Eric M. Smith. The hummingbird-2 lightweight authenticated encryption algorithm. In RFID. Security and Privacy - 7th International Workshop, RFIDSec 2011, Amherst, USA, June 26–28, 2011, Revised Selected Papers, pages 19–31, 2011.
204. ETSI/SAGE. Specification of the 3gpp confidentiality and integrity algorithms uea2 & uia2. document 2: Snow 3g specification. technical report, etsi/sage, 2006.
205. ETSI/SAGE. Specification of the 3gpp confidentiality and integrity algorithms 128-eea3 & 128-eia3. document 2: Zuc specification, version 1.6, 2011.
207. Xinxin Fan, Kalikinkar Mandal, and Guang Gong. Wg-8: A lightweight stream cipher for resource-constrained smart devices. In Quality, Reliability, Security and Robustness in Heterogeneous Networks, Qshine 2013, Greater Noida, India, January 11–12, 2013, Revised Selected Papers, pages 617–632, 2013.
209. Horst Feistel. Cryptography and computer privacy. Scientific American, 228(5):15–23, 1973.
211. Martin Feldhofer and Christian Rechberger. A case against currently used hash functions in rfid protocols. In On the Move to Meaningful Internet Systems, OTM 2006, Montpellier, France, October 29 - November 3, 2006, pages 372–381, 2006.
213. Xiutao Feng and Fan Zhang. A practical state recovery attack on the stream cipher sablier v1. IACR Cryptology ePrint Archive 2014/245, 2014.
215. Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, and Tadayoshi Kohno. Helix: Fast encryption and authentication in a single cryptographic primitive. In Thomas Johansson, editor, Fast Software Encryption – FSE 2003, volume 2887 of Lecture Notes in Computer Science, pages 330–346, Lund, Sweden, February 24–26, 2003. Springer.
224. Ximing Fu, Xiaoyun Wang, Xiaoyang Dong, and Willi Meier. A key-recovery attack on 855-round trivium. Cryptology ePrint Archive, Report 2018/198, 2018. https://eprint.iacr.org/2018/198.
227. Benoît Gérard, Vincent Grosso, María Naya-Plasencia, and François-Xavier Standaert. Block ciphers that are easier to mask: How far can we go? In Guido Bertoni and Jean-Sébastien Coron, editors, Cryptographic Hardware and Embedded Systems – CHES 2013, volume 8086 of Lecture Notes in Computer Science, pages 383–399, Santa Barbara, CA, USA, August 20–23, 2013. Springer.
228. Vahid Amin Ghafari and Honggang Hu. Fruit-80: A secure ultra-lightweight stream cipher for constrained environments. Entropy, 20(3):180, 2018.
236. Jovan Dj. Golic. Cryptanalysis of alleged A5 stream cipher. In Walter Fumy, editor, Advances in Cryptology – EUROCRYPT’97, volume 1233 of Lecture Notes in Computer Science, pages 239–255, Konstanz, Germany, May 11–15, 1997. Springer.
238. Zheng Gong, Pieter H. Hartel, Svetla Nikova, Shaohua Tang, and Bo Zhu. Tulp: A family of lightweight message authentication codes for body sensor networks. J. Comput. Sci. Technol., 29(1):53–68, 2014.
239. Zheng Gong, Svetla Nikova, and Yee Wei Law. KLEIN: A new family of lightweight block ciphers. In RFID. Security and Privacy - 7th International Workshop, RFIDSec 2011, Amherst, USA, June 26–28, 2011, Revised Selected Papers, pages 1–18, 2011.
240. T. Good and M. Benaissa. Hardware performance of eSTREAM phase-III stream cipher candidates. In SASC 2008, pages 163–174, 2008.
245. Hannes Gross, Erich Wenger, Christoph Dobraunig, and Christoph Ehrenhöfer. Ascon hardware implementations and side-channel evaluation. Microprocessors and Microsystems, 22(1):1–10, 2016.
246. Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, Kerem Varici, François Durvaux, Lubos Gaspar, and Stéphanie Kerckhof. SCREAM & iSCREAM, side-channel resistant authenticated encryption with masking. Submission to the CAESAR competition, 2014.
247. Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, and Kerem Varici. LS-designs: Bitslice encryption for efficient masked software implementations. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption – FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 18–37, London, UK, March 3–5, 2015. Springer.
250. Jian Guo, Jérémy Jean, Ivica Nikolic, Kexin Qiao, Yu Sasaki, and Siang Meng Sim. Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Transactions on Symmetric Cryptology, 2016(1):33–56, 2016. http://tosc.iacr.org/index.php/ToSC/article/view/534.
251. Jian Guo, Thomas Peyrin, and Axel Poschmann. The PHOTON family of lightweight hash functions. In Phillip Rogaway, editor, Advances in Cryptology – CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, pages 222–239, Santa Barbara, CA, USA, August 14–18, 2011. Springer.
252. Jian Guo, Thomas Peyrin, Axel Poschmann, and Matthew J. B. Robshaw. The LED block cipher. In Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems – CHES 2011, volume 6917 of Lecture Notes in Computer Science, pages 326–341, Nara, Japan, September 28 – October 1, 2011. Springer.
253. Matthias Hamann, Matthias Krause, and Willi Meier. LIZARD – A lightweight stream cipher for power-constrained devices. IACR Transactions on Symmetric Cryptology, 2017(1):45–79, 2017.
260. George Hatzivasilis, Konstantinos Fysarakis, Ioannis Papaefstathiou, and Charalampos Manifavas. A review of lightweight block ciphers. J. Cryptographic Engineering, 8(2):141–184, 2018.
266. Martin Hell, Thomas Johansson, Er Maximov, and Willi Meier. A stream cipher proposal: Grain-128. In 2006 IEEE International Symposium on Information Theory, pages 1614–1618, July 2006.
267. Martin Hell, Thomas Johansson, and Willi Meier. Grain: a stream cipher for constrained environments. IJWMC, 2(1):86–93, 2007.
268. Martin E. Hellman. A cryptanalytic time-memory tradeoff. IEEE Trans. Information Theory, 26(4):401–406, 1980.
270. Luca Henzen, Flavio Carbognani, Norbert Felber, and Wolfgang Fichtner. VLSI hardware evaluation of the stream ciphers Salsa20 and ChaCha, and the compression function Rumba. In 2nd International Conference on Signals, Circuits and Systems, SCS 2008, Monastir, Tunisia, November 7–9, 2008, pages 1–5, 2008.
281. Shoichi Hirose, Kota Ideguchi, Hidenori Kuwakado, Toru Owada, Bart Preneel, and Hirotaka Yoshida. A lightweight 256-bit hash function for hardware and low-end devices: Lesamnta-LW. In Kyung Hyune Rhee and DaeHun Nyang, editors, ICISC 10: 13th International Conference on Information Security and Cryptology, volume 6829 of Lecture Notes in Computer Science, pages 151–168, Seoul, Korea, December 1–3, 2011. Springer.
282. Deukjo Hong, JungKeun Lee, DongChan Kim, Daesung Kwon, Kwon Ho Ryu, and DongGeon Lee. LEA: A 128-bit block cipher for fast encryption on common processors. In Yongdae Kim, Heejo Lee, and Adrian Perrig, editors, WISA 13: 14th International Workshop on Information Security Applications, volume 8267 of Lecture Notes in Computer Science, pages 3–27, Jeju Island, Korea, August 19–21, 2014. Springer.
283. Deukjo Hong, Jaechul Sung, Seokhie Hong, Jongin Lim, Sangjin Lee, BonSeok Koo, Changhoon Lee, Donghoon Chang, Jesang Lee, Kitae Jeong, Hyun Kim, Jongsung Kim, and Seongtaek Chee. HIGHT: A new block cipher suitable for low-resource device. In Louis Goubin and Mitsuru Matsui, editors, Cryptographic Hardware and Embedded Systems – CHES 2006, volume 4249 of Lecture Notes in Computer Science, pages 46–59, Yokohama, Japan, October 10–13, 2006. Springer.
297. Takanori Isobe, Toshihiro Ohigashi, and Masakatu Morii. Slide cryptanalysis of lightweight stream cipher rakaposhi. In Advances in Information and Computer Security, IWSEC 2012, Fukuoka, Japan, November 7–9, 2012, pages 138–155, 2012.
299. Maryam Izadi, Babak Sadeghiyan, Seyed Saeed Sadeghian, and Hossein Arabnezhad Khanooki. MIBS: A new lightweight block cipher. In Juan A. Garay, Atsuko Miyaji, and Akira Otsuka, editors, CANS 09: 8th International Conference on Cryptology and Network Security, volume 5888 of Lecture Notes in Computer Science, pages 334–348, Kanazawa, Japan, December 12–14, 2009. Springer.
300. Goce Jakimoski and Samant Khajuria. ASC1: An authenticated encryption stream cipher. In Ali Miri and Serge Vaudenay, editors, SAC 2011: 18th Annual International Workshop on Selected Areas in Cryptography, volume 7118 of Lecture Notes in Computer Science, pages 356–372, Toronto, Ontario, Canada, August 11–12, 2012. Springer.
304. Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Joltik v1. Submission to the CAESAR competition, 2014.
306. Anthony Journault, François-Xavier Standaert, and Kerem Varici. Improving the security and efficiency of block ciphers based on LS-designs. Des. Codes Cryptography, 82(1–2):495–509, 2017.
309. Ari Juels and Stephen A Weis. Authenticating pervasive devices with human protocols. In Advances in Cryptology – CRYPTO 2005, pages 293–308. Springer, 2005.
311. Pascal Junod. On the complexity of Matsui's attack. In Selected Areas in Cryptography, SAC 2001 Toronto, Ontario, Canada, August 16–17, 2001, pages 199–211, 2001.
315. Ferhat Karakoç, Hüseyin Demirci, and A. Emre Harmanci. Itubee: A software oriented lightweight block cipher. In Lightweight Cryptography for Security and Privacy - Second International Workshop, LightSec 2013, Gebze, Turkey, May 6–7, 2013, Revised Selected Papers, pages 16–27, 2013.
316. Chris Karlof, Naveen Sastry, and David Wagner. Tinysec: A link layer security architecture for wireless sensor networks. In Embedded networked sensor systems, SenSys04, Baltimore, USA, November 03–05, 2004, pages 162–175, 2004.
317. Pierre Karpman and Benjamin Grégoire. The Littlun S-box and the fly block cipher. Lightweight Cryptography Workshop, October 17–18 2016, NIST, 2016.
320. John Kelsey, Bruce Schneier, and David A. Wagner. Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In Information and Communication Security, First International Conference, ICICS’97, Beijing, China, November 11–14, 1997, pages 233–246, 1997.
324. Dmitry Khovratovich and Christian Rechberger. The local attack: Cryptanalysis of the authenticated encryption scheme ale. In Selected Areas in Cryptography, SAC 2013, Burnaby, Canada, August 14–16, 2013, pages 174–184, 2013.
330. Aleksandar Kircanski and Amr M. Youssef. Differential fault analysis of rabbit. In Selected Areas in Cryptography, SAC 2009, Calgary, Alberta, Canada, August 13–14, 2009, pages 197–214, 2009.
333. Lars R. Knudsen, Gregor Leander, Axel Poschmann, and Matthew J. B. Robshaw. PRINTcipher: A block cipher for IC-printing. In Stefan Mangard and François-Xavier Standaert, editors, Cryptographic Hardware and Embedded Systems – CHES 2010, volume 6225 of Lecture Notes in Computer Science, pages 16–32, Santa Barbara, CA, USA, August 17–20, 2010. Springer.
334. Lars R. Knudsen and Havard Raddum. On Noekeon, 2001.
343. Takuma Koyama, Yu Sasaki, and Noboru Kunihiro. Multi-differential cryptanalysis on reduced DM-PRESENT-80: Collisions and other differential properties. In Taekyoung Kwon, MunKyu Lee, and Daesung Kwon, editors, ICISC 12: 15th International Conference on Information Security and Cryptology, volume 7839 of Lecture Notes in Computer Science, pages 352–367, Seoul, Korea, November 28–30, 2013. Springer.
350. Naveen Kumar, Shrikant Ojha, Kritika Jain, and Sangeeta Lal. Bean: a lightweight stream cipher. In Security of Information and Networks, SIN 09, Famagusta, North Cyprus, October 06–10, 2009, pages 168–171, 2009.
356. Jingjing Lan, Jun Zhou, and Xin Liu. An area-efficient implementation of a message authentication code (MAC) algorithm for cryptographic systems. In TENCON 1016, Singapore, Singapore, November 22–25, 2016, pages 601–617, 2016.
359. Gregor Leander, Mohamed Ahmed Abdelraheem, Hoda AlKhzaimi, and Erik Zenner. A cryptanalysis of PRINTcipher: The invariant subspace attack. In Phillip Rogaway, editor, Advances in Cryptology – CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, pages 206–221, Santa Barbara, CA, USA, August 14–18, 2011. Springer.
360. Gregor Leander, Brice Minaud, and Sondre Rønjom. A generic approach to invariant subspace attacks: Cryptanalysis of robin, iSCREAM and Zorro. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology – EUROCRYPT 2015, Part I, volume 9056 of Lecture Notes in Computer Science, pages 254–283, Sofia, Bulgaria, April 26–30, 2015. Springer.
361. Gregor Leander, Christof Paar, Axel Poschmann, and Kai Schramm. New lightweight DES variants. In Alex Biryukov, editor, Fast Software Encryption – FSE 2007, volume 4593 of Lecture Notes in Computer Science, pages 196–210, Luxembourg, Luxembourg, March 26–28, 2007. Springer.
368. Gaëtan Leurent. Differential forgery attack against lac. In Selected Areas in Cryptography, SAC 2015, Sackville, Canada, August 12–14, 2015, pages 217–224, 2016.
369. Gaëtan Leurent. Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning. In Marc Fischlin and Jean-Sébastien Coron, editors, Advances in Cryptology – EUROCRYPT 2016, Part I, volume 9665 of Lecture Notes in Computer Science, pages 344–371, Vienna, Austria, May 8–12, 2016. Springer.
370. T. Li, H. Wu, X. Wang, and F. Bao. Sensec design. i ^{2} r sensor network flagship project (snfp: security part): Technical reporttr v1.0, 2005.
371. Zheng Li, Xiaoyang Dong, and Xiaoyun Wang. Conditional cube attack on round-reduced Ascon. IACR Trans. Symmetric Cryptol., 2017(1):175–202, 2017.
372. Chae Hoon Lim and Tymur Korkishko. mCrypton - a lightweight block cipher for security of low-cost RFID tags and sensors. In Jooseok Song, Taekyoung Kwon, and Moti Yung, editors, WISA 05: 6th International Workshop on Information Security Applications, volume 3786 of Lecture Notes in Computer Science, pages 243–258, Jeju Island, Korea, August 22–24, 2006. Springer.
373. Li Lin, Wenling Wu, and Yafei Zheng. Automatic search for key-bridging technique: Applications to LBlock and TWINE. In Thomas Peyrin, editor, Fast Software Encryption – FSE 2016, volume 9783 of Lecture Notes in Computer Science, pages 247–267, Bochum, Germany, March 20–23, 2016. Springer.
378. Zongbin Liu, Qinglong Zhang, Cunqing Ma, Changting Li, and Jiwu Jing. Hpaz: a high-throughput pipeline architecture of ZUC in hardware. In Design, Automation & Test in Europe, DATE 2016, Dresden, Germany, March 14–18, 2016, pages 269–272, 2016.
380. Jiqiang Lu. Related-key rectangle attack on 36 rounds of the XTEA block cipher. Int. J. Inf. Sec., 8(1):1–11, 2009.
381. Yi Lu, Willi Meier, and Serge Vaudenay. The conditional correlation attack: a practical attack on bluetooth encryption. In Advances in Cryptology – CRYPTO 2005, Santa Barbara, California, USA, August 14–18, 2005, pages 97–117, 2005.
382. Mark Luk, Ghita Mezzour, Adrian Perrig, and Virgil Gligor. Minisec: A secure sensor network communication architecture. In 6th International Symposium on Information Processing in Sensor Networks, IPSN 2007, Cambridge, MA, USA, April 25–27, 2007, pages 479–488, 2007.
384. Atul Luykx, Bart Preneel, Elmar Tischhauser, and Kan Yasuda. A MAC mode for lightweight block ciphers. In Thomas Peyrin, editor, Fast Software Encryption – FSE 2016, volume 9783 of Lecture Notes in Computer Science, pages 43–59, Bochum, Germany, March 20–23, 2016. Springer.
385. Zhen Ma, Tian Tian, and WenFeng Qi. Internal state recovery of Grain v1 employing guess-and-determine attack. IET Information Security, 11(6):363–368, 2017.
388. Hamid Mala, Mohammad Dakhilalian, and Mohsen Shakiba. Cryptanalysis of mCrypton - a lightweight block cipher for security of RFID tags and sensors. Int. J. Communication Systems, 25(4):415–426, 2012.
391. Charalampos Manifavas, George Hatzivasilis, Konstantinos Fysarakis, and Yannis Papaefstathiou. A survey of lightweight stream ciphers for embedded systems. Security and Communication Networks, 9(10):1226–1246, 2016.
398. Mitsuru Matsui. New block encryption algorithm MISTY. In Eli Biham, editor, Fast Software Encryption – FSE’97, volume 1267 of Lecture Notes in Computer Science, pages 54–68, Haifa, Israel, January 20–22, 1997. Springer.
404. Kerry A. McKay, Larry Bassham, Meltem Sönmez Turan, and Nicky Mouha. NISTIR 8114 - Report on lightweight cryptography, 2016.
409. Nele Mentens, Jan Genoe, Bart Preneel, and Ingrid Verbauwhede. A low-cost implementation of Trivium. In SASC 2008, pages 197–204, 2008.
415. Miodrag J. Mihaljevic, Sugata Gangopadhyay, Goutam Paul, and Hideki Imai. Generic cryptographic weakness of k-normal Boolean functions in certain stream ciphers and cryptanalysis of Grain-128. Periodica Mathematica Hungarica, 65(2):205–227, 2012.
416. Miodrag J. Mihaljevic, Sugata Gangopadhyay, Goutam Paul, and Hideki Imai. Internal state recovery of Grain-v1 employing normality order of the filter function. IET Information Security, 6(2):55–64, 2012.
417. Miodrag J. Mihaljevic, Sugata Gangopadhyay, Goutam Paul, and Hideki Imai. Internal state recovery of keystream generator LILI-128 based on a novel weakness of the employed Boolean function. Inf. Process. Lett., 112(21):805–810, 2012.
421. Vasily Mikhalev, Frederik Armknecht, and Christian Müller. On ciphers that continuously access the non-volatile key. IACR Transactions on Symmetric Cryptology, 2016(2):52–79, 2016. http://tosc.iacr.org/index.php/ToSC/article/view/565.
422. Vasily Mikhalev, Frederik Armknecht, and Christian Müller. On ciphers that continuously access the non-volatile key. IACR Transactions on Symmetric Cryptology, 2016(2):52–79, 2017.
426. Amir Moradi, Axel Poschmann, San Ling, Christof Paar, and Huaxiong Wang. Pushing the limits: A very compact and a threshold implementation of AES. In Kenneth G. Paterson, editor, Advances in Cryptology – EUROCRYPT 2011, volume 6632 of Lecture Notes in Computer Science, pages 69–88, Tallinn, Estonia, May 15–19, 2011. Springer.
428. Nicky Mouha, Bart Mennink, Anthony Van Herrewege, Dai Watanabe, Bart Preneel, and Ingrid Verbauwhede. Chaskey: An efficient MAC algorithm for 32-bit microcontrollers. In Antoine Joux and Amr M. Youssef, editors, SAC 2014: 21st Annual International Workshop on Selected Areas in Cryptography, volume 8781 of Lecture Notes in Computer Science, pages 306–323, Montreal, QC, Canada, August 14–15, 2014. Springer.
432. Frédéric Muller. Differential attacks against the helix stream cipher. In Fast Software Encryption, FSE 2004, Delhi, India, February 5–7, 2004, pages 94–108, 2004.
435. María Naya-Plasencia and Thomas Peyrin. Practical cryptanalysis of ARMADILLO2. In Fast Software Encryption, FSE 2012, Washington, DC, USA, March 19–21, 2012, pages 146–162, 2012.
436. Roger M. Needham and David J. Wheeler. Tea extensions. Technical report, Computer Laboratory, University of Cambridge, 1997.
443. Ivica Nikolic, Lei Wang, and Shuang Wu. Cryptanalysis of round-reduced LED. In Fast Software Encryption - 20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, pages 112–129, 2013.
469. Léo Perrin and Dmitry Khovratovich. Collision spectrum, entropy loss, T-sponges, and cryptanalysis of GLUON-64. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption – FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 82–103, London, UK, March 3–5, 2015. Springer.
471. Petter Pessl and Michael Hutter. Pushing the limits of SHA-3 hardware implementations to fit on RFID. In Cryptographic Hardware and Embedded Systems, CHES 2013, Santa Barbara, CA, USA, August 20–23, 2013, pages 126–141, 2013.
474. Raphael C.W. Phan and Adi Shamir. Improved related-key attacks on DESX and DESX+. Cryptologia, 32(1):13–22, 2008.
485. Gilles Piret, Thomas Roche, and Claude Carlet. PICARO - a block cipher allowing efficient higher-order side-channel resistance. In Feng Bao, Pierangela Samarati, and Jianying Zhou, editors, ACNS 12: 10th International Conference on Applied Cryptography and Network Security, volume 7341 of Lecture Notes in Computer Science, pages 311–328, Singapore, June 26–29, 2012. Springer.
487. Axel Poschmann, San Ling, and Huaxiong Wang. 256 bit standardized crypto for 650 GE - GOST revisited. In Stefan Mangard and François-Xavier Standaert, editors, Cryptographic Hardware and Embedded Systems – CHES 2010, volume 6225 of Lecture Notes in Computer Science, pages 219–233, Santa Barbara, CA, USA, August 17–20, 2010. Springer.
491. Lingyue Qin, Huaifeng Chen, and Xiaoyun Wang. Linear hull attack on round-reduced Simeck with dynamic key-guessing techniques. In Joseph K. Liu and Ron Steinfeld, editors, ACISP 16: 21st Australasian Conference on Information Security and Privacy, Part II, volume 9723 of Lecture Notes in Computer Science, pages 409–424, Melbourne, VIC, Australia, July 4–6, 2016. Springer.
497. Shahram Rasoolzadeh, Zahra Ahmadian, Mahmoud Salmasizadeh, and Mohammad Reza Aref. An improved truncated differential cryptanalysis of KLEIN. Tatra Mountains Mathematical Publications, 67:135–147, 2017.
502. Ronald L. Rivest. The RC5 encryption algorithm. In Bart Preneel, editor, Fast Software Encryption – FSE’94, volume 1008 of Lecture Notes in Computer Science, pages 86–96, Leuven, Belgium, December 14–16, 1995. Springer.
504. Phillip Rogaway, Mihir Bellare, and John Black. OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security, 6(3):365–403, 2003.
511. Karmakar Sandip, Mukhopadhyay Debdeep, and Roy Chowdhury Dipanwita. Cavium strengthening trivium stream cipher using cellular automata. Journal of Cellular Automata, 7(2):179–197, 2012.
512. Yu Sasaki and Yosuke Todo. New differential bounds and division property of Lilliput: Block cipher with extended generalized Feistel network. In Roberto Avanzi and Howard M. Heys, editors, SAC 2016: 23rd Annual International Workshop on Selected Areas in Cryptography, volume 10532 of Lecture Notes in Computer Science, pages 264–283, St. John’s, NL, Canada, August 10–12, 2016. Springer.
519. Mohammad Hossein Faghihi Sereshgi, Mohammad Dakhilalian, and Mohsen Shakiba. Biclique cryptanalysis of MIBS-80 and PRESENT-80 block ciphers. Security and Communication Networks, 9(1):27–33, 2016.
521. Jinyong Shan, Lei Hu, Ling Song, Siwei Sun, and Xiaoshuang Ma. Related-key differential attack on round reduced RECTANGLE-80. Cryptology ePrint Archive, Report 2014/986, 2014. http://eprint.iacr.org/2014/986.
522. Claude Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4):656–715, 1949.
524. Zhenqing Shi, Xiutao Feng, Dengguo Feng, and Chuankun Wu. A real-time key recovery attack on the lightweight stream cipher A2U2. In Cryptology and Network Security, CANS 2012, Darmstadt, Germany, December 12–14, 2012, pages 12–22, 2012.
525. Zhenqing Shi, Bin Zhang, and Dengguo Feng. Practical-time related-key attack on Hummingbird-2. IET Information Security, 9(6):321–327, 2015.
526. Kyoji Shibutani, Takanori Isobe, Harunaga Hiwatari, Atsushi Mitsuda, Toru Akishita, and Taizo Shirai. Piccolo: An ultra-lightweight blockcipher. In Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems – CHES 2011, volume 6917 of Lecture Notes in Computer Science, pages 342–357, Nara, Japan, September 28 – October 1, 2011. Springer.
527. Taizo Shirai, Kyoji Shibutani, Toru Akishita, Shiho Moriai, and Tetsu Iwata. The 128-bit blockcipher CLEFIA (extended abstract). In Alex Biryukov, editor, Fast Software Encryption – FSE 2007, volume 4593 of Lecture Notes in Computer Science, pages 181–195, Luxembourg, Luxembourg, March 26–28, 2007. Springer.
530. Siang Meng Sim and Lei Wang. Practical forgery attacks on scream and iscream. http://www1.spms.ntu.edu.sg/~syllab/m/images/b/b3/ForgeryAttackonSCREAM.pdf.
537. Ling Song, Zhangjie Huang, and Qianqian Yang. Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In Joseph K. Liu and Ron Steinfeld, editors, ACISP 16: 21st Australasian Conference on Information Security and Privacy, Part II, volume 9723 of Lecture Notes in Computer Science, pages 379–394, Melbourne, VIC, Australia, July 4–6, 2016. Springer.
541. François-Xavier Standaert, Gilles Piret, Gaël Rouvroy, Jean-Jacques Quisquater, and Jean-Didier Legat. ICEBERG: An involutional cipher efficient for block encryption in reconfigurable hardware. In Bimal K. Roy and Willi Meier, editors, Fast Software Encryption – FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 279–299, New Delhi, India, February 5–7, 2004. Springer.
542. François-Xavier Standaert, Gilles Piret, Neil Gershenfeld, and Jean-Jacques Quisquater. SEA: A scalable encryption algorithm for small embedded applications. In Smart Card Research and Advanced Applications, 7th IFIP WG 8.8/11.2 International Conference, CARDIS 2006, Tarragona, Spain, April 19–21, 2006, Proceedings, pages 222–236, 2006.
543. Yue Sun, Meiqin Wang, Shujia Jiang, and Qiumei Sun. Differential cryptanalysis of reduced-round ICEBERG. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, AFRICACRYPT 12: 5th International Conference on Cryptology in Africa, volume 7374 of Lecture Notes in Computer Science, pages 155–171, Ifrance, Morocco, July 10–12, 2012. Springer.
544. Tomoyasu Suzaki, Kazuhiko Minematsu, Sumio Morioka, and Eita Kobayashi. TWINE: A lightweight, versatile block cipher. In ECRYPT Workshop on Lightweight Cryptography, pages 146–169, 2011.
545. Biaoshuai Tao and Hongjun Wu. Improving the biclique cryptanalysis of AES. In Information Security and Privacy, ACISP 2015, Brisbane, Australia, June 29 – July 1, 2015, pages 39–56, 2015.
555. Yun Tian, Gongliang Chen, and Jianhua Li. Quavium - a new stream cipher inspired by Trivium. Journal of Computers, 7(5):1278–1283, 2012.
569. Cheng Wang and Howard M. Heys. An ultra compact block cipher for serialized architecture implementations. In Proceedings of the 22nd Canadian Conference on Electrical and Computer Engineering, CCECE 2009, 3–6 May 2009, Delta St. John’s Hotel and Conference Centre, St. John’s, Newfoundland, Canada, pages 1085–1090, 2009.
574. Dai Watanabe, Kota Ideguchi, Jun Kitahara, Kenichiro Muto, Hiroki Furuichi, and Toshinobu Kaneko. Enocoro-80: A hardware oriented stream cipher. In Proceedings of the Third International Conference on Availability, Reliability and Security, ARES 2008, March 4–7, 2008, Technical University of Catalonia, Barcelona, Spain, pages 1294–1300, 2008.
575. Dai Watanabe, Kazuto Okamoto, and Toshinobu Kaneko. A hardware-oriented light weight pseudorandom number generator Enocoro-128v2. In SCIS 2010, 3D13, (2010). In Japanese, 2010.
581. Hongjun Wu. Acorn: A lightweight authenticated cipher (v3). Candidate for the CAESAR Competition, 2016.
582. Wenling Wu, Shuang Wu, Lei Zhang, Jian Zou, and Le Dong. Lhash: A lightweight hash function. In Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Guangzhou, China, November 27–30, 2013, Revised Selected Papers, pages 291–308, 2013.
583. Wenling Wu and Lei Zhang. LBlock: A lightweight block cipher. In Javier Lopez and Gene Tsudik, editors, ACNS 11: 9th International Conference on Applied Cryptography and Network Security, volume 6715 of Lecture Notes in Computer Science, pages 327–344, Nerja, Spain, June 7–10, 2011. Springer.
584. Minm Xie, Jingjing Li, and Yuechuan Zang. Related-key impossible differential cryptanalysis of LBlock. Chinese Journal of Electronics, 26(1):35–41, 2017.
586. Dai Yamamoto, Kouichi Itoh, and Jun Yajima. A very compact hardware implementation of the KASUMI block cipher. In 4th IFIP WG 11.2 International Workshop WISTP 2010, Passau, Germany, April 12–14, 2010, pages 293–307, 2010.
587. Gangqiang Yang, Xinxin Fan, Mark Aagaard, and Guang Gong. Design space exploration of the lightweight stream cipher WG-8 for FPGAs and ASICs. In Workshop on Embedded Systems Security, WESS’13, Article No. 8, Montreal, Quebec, Canada, September 29 – October 04, 2013, 2013.
588. Gangqiang Yang, Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong. The Simeck family of lightweight block ciphers. In Tim Güneysu and Helena Handschuh, editors, Cryptographic Hardware and Embedded Systems – CHES 2015, volume 9293 of Lecture Notes in Computer Science, pages 307–329, Saint-Malo, France, September 13–16, 2015. Springer.
594. Bin Zhang, Zhenqing Shi, Chao Xu, Yuan Yao, and Zhenqi Li. Sablier v1. Candidate for the CAESAR Competition, 2014.
595. Bin Zhang, Chao Xu, and Willi Meier. Fast near collision attack on the Grain v1 stream cipher. In Jesper Buus Nielsen and Vincent Rijmen, editors, Advances in Cryptology – EUROCRYPT 2018, Part II, volume 10821 of Lecture Notes in Computer Science, pages 771–802, Tel Aviv, Israel, April 29 – May 3, 2018. Springer.
596. Lei Zhang, Wenling Wu, Yanfeng Wang, Shengbao Wu, and Jian Zhang. LAC: A lightweight authenticated encryption cipher. Candidate for the CAESAR Competition, 2014.
598. WenTao Zhang, ZhenZhen Bao, DongDai Lin, Vincent Rijmen, BoHan Yang, and Ingrid Verbauwhede. Rectangle: a bitslice lightweight block cipher suitable for multiple platforms. Science China Information Sciences, 58(12):1–15, 2015.
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.