Difference between revisions of "Lightweight Block Ciphers"
Leo.perrin (talk  contribs) (→Rectangle) 
(→Summary) 

Line 539:  Line 539:  
 Specification<ref name=BCGK12></ref>   Specification<ref name=BCGK12></ref>  
    
−  ! rowspan="3"  [[#RC5RC5]]  +  ! rowspan="3"  [[#RC5RC512]] 
 rowspan="3"  Rivest   rowspan="3"  Rivest  
 rowspan="3"  FSE 95<ref name=Riv94></ref>   rowspan="3"  FSE 95<ref name=Riv94></ref> 
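Review bot: the relabelled header cell on the + side (the link text now carries a round count of 12 after RC5) no longer matches the row it heads. The cell keeps rowspan="3", and the rendered table still lists three block sizes (32, 64, 128), a key size of 0..2040 and 1..255 rounds under this name, while the RC5 section fixes w=32 and b=16 for its RC5-r shorthand, which corresponds to a 64-bit block and a 128-bit key only. Either keep the generic RC5 label for the parameterised row, or narrow the row to the single instance the new label names so that label and data agree. The link target #RC5 is unchanged, so the anchor itself still resolves.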
Revision as of 17:26, 7 March 2016
Lightweight block ciphers are lightweight cryptographic primitives. On this page, we list 33 lightweight block ciphers and study their properties: properties of the algorithm (structure, block size, number of rounds, etc.), hardware implementation properties and known attacks.
Block Cipher Design
Desirable Properties
The aim of a block cipher is to provide a keyed pseudorandom permutation which is then used as the building block of more complex protocols. For instance, coupled with a proper mode of operation, it can be used to encrypt data. A "good" block cipher must be fast and secure, i.e. it must be impossible for an adversary with realistic computing power to retrieve the key used even if she has access to a black box capable of encrypting and decrypting the plaintext of her choice (security against chosen-ciphertext attack).
Design Principles
There are two families of designs for block ciphers: Substitution-Permutation Networks and Feistel Networks. There are also specific constraints when designing lightweight block ciphers. First of all, memory is very expensive, so implementing S-boxes as look-up tables can lead to a large hardware footprint. That is why these ciphers usually have no S-box at all (SIMON) or very small ones, only 4x4 (PRESENT).
Cost of Implementing Decryption
Implementing decryption alongside encryption should lead to an increase of the area necessary as it requires its own logic. However, depending on the mode of operation of the cipher, it may be possible to ignore the decryption algorithm: for instance, in the case of OFB, decryption is useless. Another way of reducing the additional cost is to build algorithms such that encryption and decryption are very similar. A first approach is to use involutions as components, for instance in KLEIN. The whole structure can also be exploited to obtain involution-related properties, for instance α-reflexivity in the case of PRINCE, or encryption can be differentiated from decryption simply by a variation in the key-schedule (Feistel networks, mCrypton).
Fixed key?
The designers of symmetric block ciphers have different approaches regarding related-key attacks. The use-case of lightweight cryptography can lead to opposite views concerning the necessity of countermeasures to prevent such attacks.
 Because the key is likely to be "burnt" in the device, i.e. it will not be possible to change it, there is no point in worrying about related-key attacks: the probability for an attacker to obtain several devices keyed with appropriately related keys is too small to be of any importance.
 However, such block ciphers are very likely to be used to build compression functions for hash functions with a Merkle-Damgård structure. In this context, resilience against related-key attacks is much more important.
Summary
In the following table we list for each block cipher:
 Where it comes from (designers, year, conference/journal where it was introduced...),
 Its basic properties (key size, block size, structure...),
 Its known weaknesses (to the best of our knowledge),
 The properties of its best (to the best of our knowledge) hardware implementation.
Comparisons of the efficiency in time and space of their software implementation can be found in Survey and Benchmark of Lightweight Block Ciphers for Wireless Sensor Networks^{[1]} and on the webpage of the BLOC project. Source code for most of these primitives can be found on the GitHub account of the project.
Presentation  Cryptographic Properties  Implementation Properties  

name  designers  reference (design)  block size  key size  structure  rounds  attacks  Technology used  area (#GE)  throughput (Kb/s @ 100kHz)  power consumption (µW)  reference (implementation) 
AES  Rijmen et al.  AES conference 98^{[2]}  128  128  SPN  10 

0.13µm  3100  80    ECRYPT^{[6]} 
192  12            
256  14            
Chaskey Cipher  Mouha et al.  SAC'14^{[7]}  128  128  ARX  8 

         
CLEFIA  Shirai et al.  FSE 2007^{[9]}  128  128  GFN  18 

0.09µm  4950  355.6    ECRYPT^{[6]} 
192  22            
256  26            
DESLX  Leander et al.  FSE 2007^{[12]}  64  184  Feistel  16 

0.18 µm  2168  44.4  1.6  ECRYPT^{[6]} 
Fantomas  Grosso et al.  FSE'14^{[13]}  128  128  SPN  12 

         
GOST revisited  Poschmann et al.  CHES 10^{[14]}  64  256  Feistel  32 

0.18 µm  651 / 1017  24.24 / 200    Specification^{[14]} 
HIGHT  Hong et al.  CHES 06^{[16]}  64  128  GFS  32 

0.25µm  3048  188.2    ECRYPT^{[6]} 
ITUbee  Karakoç et al.  LightSec'13^{[20]}  80  80  Feistel  20 

         
KASUMI  ETSI  3GPP std^{[21]}  64  128  Feistel  8 

         
KLEIN  Gong et al.  SaP 12^{[23]}  64  64  SPN  12 

0.18 µm  1360 / 2032      Specification^{[23]} 
80  16  1530 / 2202      
96  20  1700 / 2372      
KATAN  De Cannière et al.  CHES 09^{[26]}  32  80  stream-cipher-like  254 

0.13 µm  802  12.5  0.381  ECRYPT^{[6]} 
48            
64  0.13 µm  1054  25.1  0.555  ECRYPT^{[6]}  
KTANTAN  De Cannière et al.  CHES 09^{[26]}  32  80  stream-cipher-like  254  0.13 µm  462  12.5  0.146  ECRYPT^{[6]}  
48            
64  0.13 µm  688  25.1  0.292  ECRYPT^{[6]}  
LBlock  Wu et al.  ACNS 11^{[30]}  64  80  Feistel  32 

0.18 µm  1320  200    Specification^{[30]} 
LED  Guo et al.  CHES 11^{[36]}  64  64  SPN  32 

0.18 µm  966  5.1    Specification^{[36]} 
128  48  1265  3.4    Specification^{[36]}  
LEA  Hong et al.  WISA 13^{[38]}  128  128  GFN  24 

         
192  28  
256  32  
mCrypton  Lim et al.  ISA 06^{[39]}  64  64  SPN  12 

0.13µm  2420^{[note 3]}  482.3    Specification^{[39]} 
96  2681^{[note 3]}      
128  2949^{[note 3]}      
Midori  Banik et al.  Asiacrypt'15^{[41]}  64  128  SPN  16 

0.09µm^{[note 4]}  1542    60.6^{[note 5]}  Specification^{[41]} 
128  20  2522    89.2^{[note 5]}  
MISTY1  Matsui  FSE'97^{[42]}  64  128  Feistel  8 

         
Mysterion  Journault et al.  WCC 15^{[45]}  128  ?^{[note 6]}  SPN  12 

         
256  ?^{[note 6]}  16          
Noekeon  Daemen et al.  Nessie Workshop^{[46]}  128  128  SPN  16 

         
Piccolo  Shibutani et al.  CHES 11^{[48]}  64  80  GFN  25 

  683 / 1136  14.8 / 237.04   /   Specification^{[48]} 
128  31    758 / 1196  12.12 / 193.9   /   
PRESENT  Bogdanov et al.  CHES 07^{[51]}  64  80  SPN  31 

0.18 µm  1075 / 1570  11.7 / 200  1.4 / 2.78  Poschmann's PhD Thesis^{[55]} 
128  1391 / 1884  11.45 / 200   / 3.67  
PRIDE  Albrecht et al.  CRYPTO 14^{[56]}  64  128  SPN  20 

         
PRINCE  Borghoff et al.  ASIACRYPT 12^{[56]}  64  128  SPN  10 

0.09 µm / 0.13 µm  3286 / 3491  529.9 / 533.3  4.5 / 5.8  Specification^{[56]} 
RC5-12  Rivest  FSE 95^{[60]}  32  0..2040  ARX  1..255 

        
64  
128  
Rectangle  Zhang et al.  Sci China'15^{[63]}  64  80  SPN  25 

0.13 µm  1599.5    Specification^{[63]}  
128  2063.5    
RoadRunneR  Baysal et al.  LightSec 15^{[64]}  64  80  Feistel  10 

         
128  12          
Robin  Grosso et al.  FSE'14^{[13]}  128  128  SPN  16 

         
SEA  Standaert et al.  SCRAA 06^{[66]}  96^{[note 7]}  96  Feistel  93 

0.13 µm  449^{[67]}    3.218  MSQ07^{[68]} 
SIMECK  Yang et al.  CHES'15^{[69]}  32  64  Feistel  32 

0.13µm  549 / 765  5.6 / 88.9  0.417 / 0.606  Specification^{[69]} 
48  96  36  778 / 1117  5.0 / 120.0  0.576 / 0.875  
64  128  44  1005 / 1484  4.2 / 133.3  0.754 / 1.162  
SIMON  Beaulieu et al.  eprint.iacr 13^{[72]}  32  64  Feistel  32 

        Specification^{[72]} 
48  72 / 96  36   / 763   / 15.0    
64  96 / 128  42 / 44  838 / 1000  17.8 / 16.7    
96  96 / 144  52 / 54  984 /   14.8 /     
128  128 / 192 / 256  68 / 69 / 72  1317 /  /   22.9 /  /     
SPECK  Beaulieu et al.  eprint.iacr 13^{[72]}  32  64  ARX  22 

        Specification^{[72]} 
48  72 / 96  22 / 23   / 884   / 12.0    
64  96 / 128  26 / 27  984 / 1127  14.5 / 13.8    
96  96 / 144  28 / 29  1134 /   13.8 /     
128  128 / 192 / 256  32 / 33 / 34  1396 /  /   12.1 /  /     
TWINE  Suzaki et al.  Workshop on LC 11^{[80]}  64  80  GFN  36 

0.09 µm  1799  178    Specification^{[80]} 
128 

2285  178    
XTEA  Needham et al.  Note^{[83]}  64  128  Feistel  64 

0.13 µm  3490  57.1  19.5  ECRYPT^{[6]} 
Zorro  Gérard et al.  CHES 13^{[86]}  128  128  SPN  24 

         
Substitution-Permutation Network
The Substitution-Permutation Network (SPN) structure is the result of the seminal work of Shannon as it aims to provide both confusion and diffusion using two distinct operations. "Confusion" aims at making the relationship between the plaintext, the key and the ciphertext complicated while "diffusion" focuses on achieving the avalanche effect, i.e. a small modification of the plaintext must spread to the whole ciphertext. In an SPN, confusion is performed by a layer of S-boxes. An S-box is simply a permutation of a small subset of the plaintext space, and many are used in parallel to act upon the whole plaintext. Diffusion is achieved through the use of a permutation of the whole space, usually linear and sometimes called a P-box. The best example of such a structure is Rijndael, the cipher which has been standardized by the American NIST to become the Advanced Encryption Standard (AES). This cipher had a great influence over the design of other primitives which we gathered in a group we call AES-like. However, it is possible to build an SPN-based cipher which is not as similar to the AES; such designs are presented in this section.
AES-like
We put in this category the block ciphers having a structure derived from that of the AES. As it is the current encryption standard, the cryptographic community has been studying it closely since its publication in 1997 and, as of November 2013, it is still secure.
The lightweight authenticated cipher FIDES could also fit in this category. Furthermore, the stream cipher LEX^{[88]} is based on the AES and serves as a basis for the design of other lightweight authenticated encryption schemes, namely ASC-1 and ALE.
AES
 Article: AES proposal: Rijndael, AES conference 98^{[2]}
 Authors: Joan Daemen, Vincent Rijmen
The AES consists of 3 versions of the Rijndael cipher which have been standardized by the NIST. They are called AES-128, AES-192 and AES-256, the number corresponding to the key size. The internal state is always 128 bits in the standard. An encryption consists of the following operations, which are performed over the 128-bit internal state organized as a 4x4 matrix of bytes.
 SubBytes: Each cell in the matrix is replaced by its image by an S-box. The AES S-box is S(x) = M(x^{-1})⊕C where the multiplicative inverse is taken in GF(2^{8}) (0 being mapped to 0), M is a matrix and C a constant. The inverse function is used because of its optimal non-linearity and differential spectrum (in even characteristic), properties which were known long before^{[89]}. This S-box is also used for instance in PHOTON.
 ShiftRows: The cells in the first row are left untouched, those in the second are shifted by 1 to the left, those in the third by 2 and those in the fourth by 3. This is to ensure diffusion between columns.
 MixColumns: Each column is multiplied by an invertible MDS matrix to ensure diffusion between the rows.
 AddRoundKey: The current subkey is xored in the internal state.
To have a visual explanation of the inner working of this cipher, the reader may refer to this flash animation by Enrique Zabala, Universidad ORT, Montevideo, Uruguay.
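The SubBytes definition above can be checked directly. The following is an added example, not code from the original page or from the Rijndael designers: it rebuilds the S-box from S(x) = M(x^{-1})⊕C and measures its differential spectrum. The reduction polynomial 0x11B, the constant C = 0x63 and the circulant form of M are the standard AES values, which the page itself does not spell out.

```python
# Added example: AES S-box from S(x) = M(x^{-1}) XOR C, plus its differential spectrum.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, reduction polynomial of the AES field
C = 0x63           # the constant C of the affine map (standard AES value)


def gf_mul(a, b):
    """Multiply two elements of GF(2^8): carry-less product reduced mod AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(x):
    """Multiplicative inverse computed as x^254; this maps 0 to 0 as required."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r


def rotl8(x, n):
    """Rotate an 8-bit value left by n positions."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def affine(y):
    """M is circulant, so M*y is the XOR of y with four of its rotations."""
    return y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ C


def build_sbox():
    """Apply inversion followed by the affine map to every byte."""
    return [affine(gf_inv(x)) for x in range(256)]


def differential_uniformity(sbox):
    """Largest count of x with S(x ^ a) ^ S(x) = b, over all a != 0 and all b."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        worst = max(worst, max(counts))
    return worst


SBOX = build_sbox()

if __name__ == "__main__":
    print("S(00), S(01), S(53) =", [hex(SBOX[v]) for v in (0x00, 0x01, 0x53)])
    print("bijective:", sorted(SBOX) == list(range(256)))
    print("differential uniformity:", differential_uniformity(SBOX))
```

A differential uniformity of 4 is the best value known for a bijective 8-bit S-box, which is the "differential spectrum" argument for choosing the inverse function.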
KLEIN
 Article: KLEIN: A New Family of Lightweight Block Ciphers, SaP 12^{[23]}
 Authors: Zheng Gong, Svetla Nikova and Yee Wei Law
 Target: Hardware and Software
The 4x4 S-box used in the SubNibbles step is an involution. Furthermore, since all the S-boxes in the S-box layer are identical, it is possible to implement only one in hardware and put all protections against side-channel attacks in this unique place. The diffusion layer is made of two steps. The 16 4-bit nibbles are grouped into 8 bytes which are rotated two steps to the left so that the second byte becomes the last (RotateNibbles). Then, the bytes are split into two groups of 4 bytes which are considered like vectors of (GF(2^{8}))^{4} and multiplied by a matrix (MixNibbles). This last operation is very similar to the MixColumn operation of the AES.
The key-schedule is a Feistel Network involving at each round two calls to the S-box and a xoring of a round counter.
When discussing the key-schedule, the designers claim (Section 3.2.4^{[23]}):
KLEIN will be used to construct block-cipher-based hash functions and message authentication codes[...]
They also tried to prevent related-key attacks and to provide easier masking to prevent side-channel attacks.
LED
 Article: The LED Block Cipher, CHES 11^{[36]}
 Authors: Jian Guo, Thomas Peyrin, Axel Poschmann, and Matt Robshaw
 Target: Hardware and Software
Lightweight Encryption Device is an SPN heavily based on AES. Encryption is made of "steps" interleaved with xoring of the key, each "step" corresponding to 4 rounds. Each round is made of the xoring of a round constant and AES-style SubCells, ShiftRows and MixColumnsSerial operations. The method used to design the MDS matrix used in MixColumnsSerial was first used for the hash function PHOTON designed by the same team. The S-box used in the SubCells step is the PRESENT S-box.
An interesting characteristic of this design is the key schedule (or lack thereof): a key of 64 bits is xored with the internal state as is, while a key of 128 bits is cut into two subkeys of 64 bits which are used alternately. Because of this, it is a variation of the Even-Mansour construction, a view also taken in its best attack^{[37]}.
The authors provide a reference implementation as well as results on the efficiency of their algorithm at led.crypto.sg. Note that the algorithm presented in the proceedings of CHES 2011 has been modified slightly in the version available on eprint^{[36]}. In particular, the definition of the round constants has been modified and an 80-bit version of the cipher was introduced.
Midori
 Article: Midori: A Block Cipher for Low Energy, Asiacrypt'15^{[41]}
 Authors: Subhadeep Banik, Andrey Bogdanov, Takanori Isobe, Kyoji Shibutani, Harunaga Hiwatari, Toru Akishita, and Francesco Regazzoni
 Target: Hardware
Midori64 and Midori128 are two block ciphers designed to reduce energy consumption when implemented in hardware. They are both based on the same Midori structure. It uses an AES-like structure where the internal state is divided into a 4x4 matrix of nibbles (Midori64) or bytes (Midori128). Encryption then relies on 4 operations:
 SubCell: application of the 4- or 8-bit S-Boxes to each cell of the internal state. There are 4 different 8-bit S-Boxes built with an ASA^{-1} structure where S consists in the parallel application of a 4-bit S-Box (distinct from the one used in Midori64) and A is one of 4 different 8-bit permutations.
 ShuffleCell: A sophisticated replacement of the ShiftRow operation of the AES is used. A different permutation of the 4 cells is applied on each row. These were chosen so as to maximize diffusion.
 MixColumn: Each column is replaced by its image by a multiplication with an almost-MDS involution matrix M.
 KeyAdd: A key addition. The key schedule is very simple: for the 128-bit version, the master key is XORed in the internal state along with a sparse round constant at every round. For the 64-bit version, the first half of the master key is XORed in the internal state in odd rounds and the second in even rounds. The XOR of the two halves is used as whitening keys and, again, sparse round constants (equal to 0 except on the LSB of each nibble) are used.
The specification^{[41]} contains a detailed analysis of the power consumption of this algorithm as well as comparison with other algorithms (namely AES, PRINCE, PRESENT, Noekeon and SIMON).
Mysterion
 Article: Improving the Security and Efficiency of Block Ciphers based on LS-Design, WCC 15^{[45]}
 Authors: Anthony Journault, François-Xavier Standaert and Kerem Varici.
 Target: Software
Mysterion explores the LS-design paradigm introduced by the designers of Fantomas and Robin and combines it with an AES-like structure to increase the security level.
The internal state of the block cipher is organized into a 4×32 bit matrix for Mysterion128 and a 4×64 bit matrix for Mysterion256. These are subdivided into 4×8 blocks, so that the internal state of Mysterion128 (resp. 256) consists in 4 (resp. 8) such blocks. A round consists in the following operations:
 S-Box layer: the 4x4 "Class 13" S-Box identified by Ullrich et al.^{[90]} is applied in parallel to each column of the internal state (much like in the Feistel function of RoadRunneR).
 L-Box layer: the 8×8 L-Box is applied byte-wise in parallel on every row of every block: 4 (resp. 8) parallel applications/row for Mysterion128 (resp. Mysterion256).
 ShiftColumns: this operation is similar in spirit to the ShiftRow operation of the AES. For Mysterion256, the first column of each block is left unchanged, the second is rotated by one, etc. For Mysterion128, the columns are grouped 2-by-2 so that the first 2 columns of each block are left unchanged, the next 2 are rotated by 2, etc.
Zorro
 Article: Block Ciphers that are Easier to Mask: How Far Can we Go?^{[86]}
 Authors: Benoit Gerard, Vincent Grosso, Maria Naya-Plasencia, Francois-Xavier Standaert
 Target: Software
Zorro is a modified version of the AES intended to be easy to mask (like Zorro, the masked hero). To achieve this, fewer calls to the S-box are made during each round and the S-box has been modified. To compensate, the number of rounds has been increased to 24. This design also borrows ideas from LED: there is no key schedule but, instead, the addition of round constants at each round. Besides, the execution is split into "steps" of 4 rounds and the key is added only at the end of a step. This is the operation AK (add key), which consists simply in xoring the master key. No security claims are made regarding related-key attacks.
Each round is made of 4 operations:
 SB* which is a variant of the SubBytes operation where the S-box is applied to one row of the 4x4 bytes internal state,
 AC is a round constant addition similar to the one used in LED,
 SR is identical to ShiftRows,
 MC is identical to MixColumns.
Much thought has been put in the design of the S-box: while retaining good cryptographic properties, it minimizes the number of multiplications necessary to compute it. It is based on a small 4-round Feistel cipher with mixing layer where the Feistel function is the monomial X^{3} in GF(2^{4}).
Other SPN-based Structures
We put in this category the ciphers with an SPN structure which are not as close to the AES as the others, be it by the structure of the linear layer (e.g. PRESENT) or by their overall structure (e.g. PRINCE).
mCrypton
 Article: mCrypton – A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors, ISA 06^{[39]}
 Authors: Chae Hoon Lim and Tymur Korkishko
 Target: Hardware
This cipher is a derivative of CRYPTON, a candidate of the AES competition. It has a structure close to that of Rijndael: it is an SPN with an internal space organised like a 4x4 matrix of nibbles of 4 bits. A round consists in the application of an S-box layer, a bit permutation within each column, a transposition of the matrix representing the state and, finally, xoring of the subkey. There are four different S-boxes, two being the inverse of the other two, and they are all based on the inverse function in GF(2^{4}). Encryption and decryption are almost identical except for the key schedule.
Fantomas/Robin
 Article: LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations, FSE'14^{[13]}
 Authors: Grosso, V., Leurent, G., Standaert, F. X., & Varıcı, K.
 Target: Software
These block ciphers are two instances of so-called "LS-designs" where the internal state of the cipher is a matrix of s×L bits and where:
 the non-linear layer consists in the parallel applications of an s×s bits permutation (the S-Box) on each column of the matrix, and
 the linear layer consists in the application of a linear L×L bits permutation (the L-Box) on each line of the matrix.
This structure is intended to ease masking and thus to help thwart side-channel attacks when this cipher is implemented on a micro-controller. The S-Boxes of both ciphers (Fantomas and Robin) were chosen so as to be efficiently implemented in a bitslice fashion.
Robin uses involutions as both its L-Box and its S-Box but it is not the case for Fantomas. As a consequence, Robin has more rounds. Both have an 8×8 bits S-Box and a 16×16 bits L-Box.
Noekeon
 Article: The Noekeon Block Cipher, Nessie Proposal^{[46]}
 Authors: Joan Daemen, Michaël Peeters, Gilles Van Assche, Vincent Rijmen
 Target: Software/Hardware
Noekeon is a Substitution-Permutation Network operating on blocks of 128 bits using a 128-bit key. It operates on 4 words of 32 bits except for the S-Box layer, "Gamma", which operates on 4-bit nibbles. The same round key is used in every round; how it is derived depends on whether related-key attacks must be considered or not. However, there exist related-key differentials for both key schedules^{[91]}. It uses the following operations.
 Gamma: Consists in applying a 4-bit involution S-Box on nibbles independently. Each of the 32 nibbles considered in Gamma is made of the bits of index i in each of the 4 words for all i in [0, 31]. This leads to a simple bitslice implementation of this layer. Most choices for Gamma generated using the same design criteria would have led to weak ciphers but the one chosen in Noekeon does not^{[91]}.
 Theta: A linear layer which mixes words with each other and operates at the byte level. It is made of a linear involution, XORing of the round key and an application of the same linear involution again.
 shift operations: Three of the four words are rotated by different offsets, namely 1, 5 and 2. Each rotation and their inverse are used.
A round constant is XORed in the internal state before applying Gamma during encryption. Since the components are involution-based, decryption can be implemented using the same circuit as encryption. 16 rounds are used.
It is claimed to be suitable for implementation in hardware and on 8-bit processors.
The best attack by the designers is a linear attack based on a 2-round iterative linear trail covering 9 rounds, which is then extended to cover 12 rounds through key guessing.
PRESENT
 Article: PRESENT: An Ultra-Lightweight Block Cipher, CHES 07^{[51]}
 Authors: A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe
 Target: Hardware
This cipher is an SPN but, interestingly, it was not inspired by the AES. Indeed, while many SPN-based ciphers have permutation layers close in structure to that of the AES (see LED or mCrypton), that of PRESENT is completely different: it is bit-oriented and is rather simple. It can be implemented in hardware using simple wiring. However, since bit-oriented permutations are not software-friendly, the target of PRESENT is clearly a hardware implementation. Its S-box was selected for its good cryptographic properties as well as for its small hardware footprint.
PRESENT is a very important design as it has been an inspiration for many others. For instance, its S-box has also been reused by GOST revisited and LED as well as the lightweight hash function PHOTON. This cipher also inspired the design of two lightweight hash functions: DM-PRESENT and SPONGENT.
While only PRESENT-80 is described in the body of the CHES 07 article^{[51]}, PRESENT-128 and its modified key-schedule are described in the appendix. This cipher has been standardized and is part of the ISO-29192^{[92]} with CLEFIA.
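To make the "simple wiring" of the bit-oriented permutation concrete, here is PRESENT-80 in a few lines. This is an added example, not code from the original page or from the PRESENT designers; the S-box table, the permutation P(i) = 16·i mod 63 and the 80-bit key schedule are taken from the published specification rather than from this page. Decryption is included to show that it needs its own inverse S-box and inverse wiring, the cost discussed in "Cost of Implementing Decryption".

```python
# Added example: PRESENT-80 encryption and decryption on 64-bit integers.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]   # not an involution: extra logic


def perm_target(i):
    """Bit i of the state is wired to bit 16*i mod 63 (bit 63 stays in place)."""
    return 63 if i == 63 else (16 * i) % 63


def s_layer(state, box):
    """Apply the same 4-bit S-box to each of the 16 nibbles."""
    out = 0
    for n in range(16):
        out |= box[(state >> (4 * n)) & 0xF] << (4 * n)
    return out


def p_layer(state):
    """Pure bit permutation: free wiring in hardware, a loop in software."""
    out = 0
    for i in range(64):
        out |= ((state >> i) & 1) << perm_target(i)
    return out


def p_layer_inv(state):
    out = 0
    for i in range(64):
        out |= ((state >> perm_target(i)) & 1) << i
    return out


def round_keys_80(key):
    """32 round keys: the top 64 bits of an 80-bit register updated each round."""
    keys = []
    for counter in range(1, 33):
        keys.append(key >> 16)
        key = ((key << 61) | (key >> 19)) & ((1 << 80) - 1)      # rotate left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))  # S-box on top nibble
        key ^= counter << 15                                     # round counter
    return keys


def encrypt(block, key):
    ks = round_keys_80(key)
    state = block
    for i in range(31):
        state = p_layer(s_layer(state ^ ks[i], SBOX))
    return state ^ ks[31]


def decrypt(block, key):
    ks = round_keys_80(key)
    state = block ^ ks[31]
    for i in reversed(range(31)):
        state = s_layer(p_layer_inv(state), SBOX_INV) ^ ks[i]
    return state


if __name__ == "__main__":
    zero_key, ones_key = 0, (1 << 80) - 1
    print(f"{encrypt(0, zero_key):016X}")
    print(f"{encrypt(0xFFFFFFFFFFFFFFFF, ones_key):016X}")
```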
PRIDE
 Article: Block Ciphers - Focus On the Linear Layer (feat. PRIDE), CRYPTO'14^{[93]}
 Authors: Martin R. Albrecht, Benedikt Driessen, Elif Bilge Kavun, Gregor Leander, Christof Paar and Tolga Yalcın
 Target: Software
PRIDE is the output of research focusing on the design of the linear layer in Substitution-Permutation Networks. Its main target is 8-bit micro-controllers. Specifically, the computer-assisted search for components of the linear layer was optimized to look for permutations which can be efficiently implemented using the AVR instruction set.
To limit the overhead implied by the implementation of both encryption and decryption, its S-Box is an involution. Furthermore, it is implemented in a bit-sliced fashion and was chosen so as to minimize the number of instructions necessary to evaluate it.
The key-schedule is very similar to that of PRINCE: the master key is split in two halves, the first being used as whitening key and the second being used to derive subkeys XORed in the internal state at every round. However, unlike in PRINCE, the post-whitening key is the same as the pre-whitening key and the subkeys are not derived by XORing round constants but by adding round constants on some bytes using a regular addition modulo 256.
PRINCE
 Article: PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications, ASIACRYPT 12^{[56]}
 Authors: Julia Borghoff, Anne Canteaut, Tim Guneysu, Elif Bilge Kavun, Miroslav Knezevic, Lars R. Knudsen, Gregor Leander, Ventzislav Nikov, Christof Paar, Christian Rechberger, Peter Rombouts, Søren S. Thomsen, and Tolga Yalcın
 Target: Hardware (low latency)
The main aim of the design of PRINCE is low latency.
There is no real key schedule: three 64-bit keys are derived from the 128-bit master key. Two are used as whitening keys and the third is simply xored in the internal state during encryption. To make the rounds behave differently from one another, different constants are xored in the internal state at each round. These constants RC_{i} (i=0,..,11) are such that RC_{i}⊕RC_{11-i}=α where α is a constant derived from π. This property, combined with the fact that the first 5 rounds are the inverse of the last 5, means that the decryption algorithm for key k is identical to an encryption with key k⊕α. This property is referred to as "α-reflexivity".
The authors challenge the symmetric cryptography community to attack (round-reduced versions of) this cipher and offer different rewards for "practical" attacks.
Rectangle
 Article: RECTANGLE: A Bit-slice Ultra-Lightweight Block Cipher Suitable for Multiple Platforms, Science China Information Sciences'15^{[63]}
 Authors: Wentao Zhang, Zhenzhen Bao, Dongdai Lin, Vincent Rijmen, Bohan Yang, Ingrid Verbauwhede
 Target: Hardware and software
Rectangle is a substitution-permutation network. Its state is represented as a 4×16 matrix. The non-linear layer consists in the parallel application of a 4-bit S-Box on the columns of the state and the linear layer consists simply in applying a fixed rotation by a different amount on each row. There are two versions of this cipher. The first had a key schedule operating by storing the key in a matrix undergoing a round of encryption except that the S-Box is only applied on the first column^{[94]}. It was vulnerable to a related-key differential attack against 19 rounds^{[95]}.
The latest version, as published in Science China'15^{[63]}, is not vulnerable to this attack anymore. Its key-schedule is different: it still relies on partially applying an S-Box layer to a key state but the overall operation now has a generalized Feistel structure. Compared to the older version, the key schedule of the latest version also performs better in software.
Feistel Networks
Two Branched
In this category, we put all the Feistel networks operating on blocks of size 2n for which the Feistel function maps n bits to n bits.
DESLX
 Article: New Lightweight DES Variants, FSE 07^{[12]}
 Authors: Gregor Leander, Christof Paar, Axel Poschmann, and Kai Schramm
 Target: Hardware
This cipher is a modified version of DES. The 8 S-boxes have been replaced by a unique one to make it easier to implement. Besides, the S-box was chosen so as to achieve better resilience against linear and differential attacks. Another modification is the use of an FX structure to increase the security: parts of the keys are used as whitening keys in the input and in the output.
The idea of using an old design from an era when hardware optimization was critical was also used in GOST revisited.
GOST revisited
 Article: 256 Bit Standardized Crypto for 650 GE – GOST Revisited, CHES 10^{[14]}
 Authors: Axel Poschmann, San Ling, and Huaxiong Wang
 Target: Hardware
The GOST used to be a Soviet counterpart for the American NIST. It still exists as a standards organization for countries of the former USSR. In cryptography, GOST usually refers to the block cipher of the GOST standard, a 64-bit two-branch Feistel network with a Feistel function using eight unspecified S-boxes. GOST revisited consists simply in the block cipher described in the GOST standard such that it uses eight copies of the PRESENT S-box. The idea of using such an old design is to benefit from the cryptanalytic scrutiny it has already been subject to. Besides, the GOST cipher had already been standardized for 20 years when the paper was published. The approach consisting in modifying an old standard is similar to that of the designers of DESLX.
There is no real key schedule; different blocks of the master key are used at each round. The Feistel function is simply a modular addition of the key (modulo 2^{32}), an S-box layer and a rotation by 11 bits. This very simple structure and the lack of a key schedule explain the very small hardware footprint of the cipher.
The authors compare the footprint of GOST using their S-box layer and the one used by the Central Bank of the Russian Federation and, interestingly, the difference is not so big (identical throughput and 800 or 1000 GE depending on the speed/area trade-off).
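The structure just described fits in a short sketch. This is an added example, not code from the original page or from the paper's authors: it implements the Feistel function (addition modulo 2^{32}, eight copies of the PRESENT S-box, rotation by 11 bits) and uses the subkey order of the GOST standard (the eight 32-bit key words three times forwards, then once backwards), which the page does not state. The mapping of integers to words and halves is an assumption of this sketch, so its outputs are not test vectors. It also shows the point made under "Cost of Implementing Decryption": decryption is the same circuit fed with the subkeys in reverse order.

```python
# Added example: GOST block cipher structure with eight copies of the PRESENT S-box.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits (0 < n < 32)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def feistel_f(x, subkey):
    """Key addition mod 2^32, S-box layer on 8 nibbles, rotation by 11 bits."""
    t = (x + subkey) & MASK32
    s = 0
    for n in range(8):
        s |= PRESENT_SBOX[(t >> (4 * n)) & 0xF] << (4 * n)
    return rotl32(s, 11)


def subkeys(key):
    """No key schedule: 32 subkeys are just the eight words of the 256-bit key.

    Assumption of this sketch: word i is bits 32*i .. 32*i+31 of the integer key.
    """
    words = [(key >> (32 * i)) & MASK32 for i in range(8)]
    return words * 3 + words[::-1]


def crypt(block, schedule):
    """Run the 32 Feistel rounds; the final swap is undone, as in the standard."""
    a, b = block & MASK32, block >> 32
    for k in schedule:
        a, b = b ^ feistel_f(a, k), a
    return (a << 32) | b


def encrypt(block, key):
    return crypt(block, subkeys(key))


def decrypt(block, key):
    """Same rounds, subkeys in reverse order: no extra logic beyond sequencing."""
    return crypt(block, subkeys(key)[::-1])


if __name__ == "__main__":
    # Constructed key and plaintext, for illustration only.
    key = int.from_bytes(bytes(range(32)), "big")
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, key)
    print(f"ciphertext {ct:016X}, decrypts back: {decrypt(ct, key) == pt}")
```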
ITUbee
 Article: ITUbee: A Software Oriented Lightweight Block Cipher, Lightweight Cryptography for Security and Privacy 13^{[20]}
 Authors: Ferhat Karakoç, Hüseyin Demirci, and A. Emre Harmancı
 Target: Software
ITUbee is a block cipher using 20 rounds of a Feistel structure with key whitening at the beginning and end of the encryption. Its structure is built from the following components:
 L is a multiplication by a simple 5x5 square matrix operating on bytes,
 S is a substitution layer using the S-Box of the AES,
 F(x) = S(L(S(x))).
Its use of a Feistel function based on a small SPN is reminiscent of the Generalized Feistel Network Piccolo. Chunks of the master key are used directly during encryption; the only key schedule consists in adding round constants in a fashion similar to LED or PRINCE. Another Feistel Network with a SASASAS structure as its Feistel function was published later: RoadRunneR.
Its main features are low power consumption and low memory requirement in software (8-bit micro-controller) according to simulations on the AVR ATtiny45 micro-controller. The authors claim resilience against related-key attacks. Unlike many lightweight block ciphers which have a block length of 64 bits, ITUbee uses blocks of 80 bits.
KASUMI/MISTY
MISTY
 Article: New Block Encryption Algorithm MISTY, Fast Software Encryption 97^{[42]}
 Authors: Minoru Matsui
 Target: Software and Hardware
MISTY is a set of two 64-bit block ciphers using 4n rounds (usually, 4n=8) with a Feistel structure for MISTY1 and a MISTY-like one (i.e. the non-linear permutation is applied on a branch directly) for MISTY2, along with specific key-dependent transformations applied on the branches between the rounds. The structure of the non-linear function is itself a 3-round Feistel Network and the Feistel function used in this second layer has a MISTY-like structure. At the final level, 7- and 9-bit bijective S-Boxes are used. While uncommon, this choice allows the S-Boxes to be both APN and bent, a task significantly harder to achieve on 8-bit^{[note 8]}.
The design criteria for MISTY are clearly stated:
 MISTY should have a numerical basis for its security,
 MISTY should be reasonably fast in software on any processor,
 MISTY should be sufficiently fast in hardware implementation.
The key schedule of MISTY reuses a component used during encryption, namely the so-called FI function corresponding to a 3-round unbalanced MISTY-like structure using the 7- and 9-bit S-Boxes.
KASUMI
KASUMI is a variant of MISTY1 allowing a more efficient hardware implementation. Its specification can be obtained from the etsi.org website^{[21]}. It is referred to as A5/3 in this specification. It is identical to MISTY1 with 8 rounds (the default) except for its key schedule which simply rotates the bits of the master key and XORs round constants. This simplification led to a vulnerability against related-key attacks^{[22]} which is not present in MISTY1.
LBlock
 Article: LBlock: A Lightweight Block Cipher, ACNS 11^{[30]}
 Authors: Wenling Wu and Lei Zhang
 Target: Hardware and Software
This Feistel Network has two branches of 32 bits and a "twist": the branch which is xored with the output of the F function is first rotated by 8 bits. The Feistel function is made of a xor with a subkey, a layer of 8 distinct 4x4 S-boxes and a word permutation shuffling 4-bit words. The permutation used in the Feistel function and the bit rotation of one of the branches make this design very similar to TWINE, as explained in the TWINE specification^{[80]}.
The key schedule involves two additional S-boxes which are different from the ones used in the Feistel function.
RC5
 Article: The RC5 Encryption Algorithm, FSE 95^{[60]}
 Authors: Ron Rivest
 Target: Software
RC5 is an ARX (modular Addition, Rotation, Xor) two-branched Feistel network. It is "word oriented", meaning that all operations are performed over subblocks of size w, w being the bit length of one branch. Thus, RC5 can have a block size of 32, 64 or 128 corresponding respectively to w=16, w=32 and w=64. The key can be made of any number b of bytes between 0 and 255 and the number r of rounds is also a parameter, so that an instance of RC5 should be denoted RC5-w/r/b. Here, we fix w=32 and b=16 so that RC5-r is a shortcut for RC5-32/r/16. Its most remarkable feature is the use of data-dependent rotations.
The key schedule derives an array of subkeys from the master key and "magic constants" derived from the mathematical constants e and the golden ratio.
As for XTEA, we provide pseudocode for the encryption routine. It comes from Section 4.1 of the original paper^{[60]}. A is the left branch, B is the right one and S is the array of the subkeys.
    A = A + S[0]
    B = B + S[1]
    for i = 1 to r do
        A = ((A ⊕ B) <<< B) + S[2×i]
        B = ((B ⊕ A) <<< A) + S[2×i+1]
It has been an inspiration for the AES competition finalist RC6. This algorithm is patented by RSA security.
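The pseudocode above covers encryption only. The following C code is an added example (not taken from the page or from the RC5 paper) that also implements the key schedule with its two "magic constants" and the matching decryption routine for RC5-32/12/16, and checks the result against the widely published all-zero test vector for that instance. The choice r = 12, the function names and the sample inputs are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define RC5_R   12                  /* rounds r (assumed here; the page leaves r free) */
#define RC5_B   16                  /* key length b in bytes */
#define RC5_C   (RC5_B / 4)         /* key length c in 32-bit words */
#define RC5_T   (2 * (RC5_R + 1))   /* number of subkeys t */
#define RC5_P32 0xB7E15163u         /* magic constant derived from e */
#define RC5_Q32 0x9E3779B9u         /* magic constant derived from the golden ratio */

/* Rotations by a data-dependent amount: only the low 5 bits of n are used.
 * The second shift is masked as well so that n = 0 never shifts by 32. */
static uint32_t rotl32(uint32_t x, uint32_t n) {
    n &= 31;
    return (x << n) | (x >> ((32 - n) & 31));
}

static uint32_t rotr32(uint32_t x, uint32_t n) {
    n &= 31;
    return (x >> n) | (x << ((32 - n) & 31));
}

/* Key schedule: expand the b-byte master key into the subkey array S. */
void rc5_setup(const uint8_t key[RC5_B], uint32_t S[RC5_T]) {
    uint32_t L[RC5_C] = {0};
    uint32_t A = 0, B = 0;
    int i, j, k;

    /* Load the key bytes into words, little-endian. */
    for (i = RC5_B - 1; i >= 0; i--)
        L[i / 4] = (L[i / 4] << 8) + key[i];

    /* Fill S with an arithmetic progression built from the magic constants. */
    S[0] = RC5_P32;
    for (i = 1; i < RC5_T; i++)
        S[i] = S[i - 1] + RC5_Q32;

    /* Mix the key into S: 3 * max(t, c) steps, and t > c for these parameters. */
    for (i = j = k = 0; k < 3 * RC5_T; k++) {
        A = S[i] = rotl32(S[i] + A + B, 3);
        B = L[j] = rotl32(L[j] + A + B, A + B);
        i = (i + 1) % RC5_T;
        j = (j + 1) % RC5_C;
    }
}

/* Encryption, following the pseudocode: v[0] is A (left), v[1] is B (right). */
void rc5_encrypt(const uint32_t S[RC5_T], uint32_t v[2]) {
    uint32_t A = v[0] + S[0], B = v[1] + S[1];
    for (int i = 1; i <= RC5_R; i++) {
        A = rotl32(A ^ B, B) + S[2 * i];
        B = rotl32(B ^ A, A) + S[2 * i + 1];
    }
    v[0] = A;
    v[1] = B;
}

/* Decryption undoes each half-round in reverse order. */
void rc5_decrypt(const uint32_t S[RC5_T], uint32_t v[2]) {
    uint32_t A = v[0], B = v[1];
    for (int i = RC5_R; i >= 1; i--) {
        B = rotr32(B - S[2 * i + 1], A) ^ A;
        A = rotr32(A - S[2 * i], B) ^ B;
    }
    v[0] = A - S[0];
    v[1] = B - S[1];
}

int main(void) {
    uint8_t key[RC5_B] = {0};        /* constructed input: all-zero key */
    uint32_t S[RC5_T];
    uint32_t block[2] = {0, 0};      /* constructed input: all-zero plaintext */

    rc5_setup(key, S);
    rc5_encrypt(S, block);
    printf("ciphertext: %08X %08X\n", (unsigned)block[0], (unsigned)block[1]);
    rc5_decrypt(S, block);
    printf("decrypted:  %08X %08X\n", (unsigned)block[0], (unsigned)block[1]);
    return 0;
}
```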
RoadRunneR
 Article: RoadRunneR: A Small And Fast Bitslice Block Cipher For Low Cost 8bit Processors, LightSec 2015^{[64]}
 Authors: Adnan Baysal and Sühap Şahin
 Target: Software
RoadRunneR is a Feistel Network which uses an SPN as its Feistel function. The non-linear layer of the Feistel function is based on the bitsliced implementation of its S-Box, as can be seen for instance in the LS strategy introduced for Robin and Fantomas. The designers had the following goals:
 Implementation efficiency in 8-bit CPUs,
 No table and SRAM usage,
 Low decryption overhead,
 Provable security like in wide trail design strategy.
The key schedule is very simple: 32-bit chunks of the master key are used one after another. Once the end of the key is reached, the first bits are used again. Round constants are added to prevent slide attacks.
The Feistel function has an SPN structure consisting of 4 S-Box layers, 3 linear layers (much like ITUbee) and 3 key additions. The 4-bit S-Box was chosen for the very simple circuit that can be used to compute it as well as its good cryptographic properties. It was found in a previous work by Ullrich et al.^{[90]} and is also used by Mysterion. The linear layer is applied on 4 bytes separately and consists in the xor of three different rotations of its input (in a fashion similar to the F_{0} and F_{1} functions of HIGHT): .
SEA
 Article: SEA: A Scalable Encryption Algorithm for Small Embedded Applications, Smart Card Research and Advanced Applications 06^{[66]}
 Authors: Francois-Xavier Standaert, Gilles Piret, Neil Gershenfeld, and Jean-Jacques Quisquater
 Target: Software and Hardware
SEA is a block cipher which can have an arbitrary block size n (as long as n=6b for some b), word size w and number of rounds n_{r}. A complete description of the algorithm (round function and update of the key) is given on the figure on the right which comes from the original paper^{[66]}. It is based on the following operations:
 Bitwise XOR
 Application of an S-box S. Interestingly, S is a 3x3 S-box.
 Rotation of the words in a vector of words
 Bit rotation inside a word
 Addition modulo 2^{b}
SIMECK
 Article: The Simeck Family of Lightweight Block Ciphers, CHES'15^{[69]}
 Authors: Gangqiang Yang, Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong
 Target: Hardware
SIMECK is a family of block ciphers heavily inspired by the SIMON family of block ciphers. Indeed, the round function is the same up to a change in the rotation indices: rotations by 1, 8 and 2 bits are replaced by rotations by 0, 5 and 1 bit. The key schedule reuses the round function, much like in SPECK, hence the name of the primitive.
The security claim of this cipher is based on that of SIMON: SIMECK is intended to be as secure as SIMON. Note that the designers of SIMECK are not affiliated to the National Security Agency (unlike the designers of SIMON and SPECK).
The change in the rotations and the key schedule allow an improved hardware implementation: SIMECK requires a smaller area than SIMON when implemented in hardware.
SIMON and SPECK
 Article: The SIMON and SPECK Families of Lightweight Block Ciphers, eprint.iacr.org, 2013^{[72]}
 Authors: Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers (NSA)
 Target: Hardware (SIMON) and software (SPECK)
These ciphers have been designed by the American National Security Agency (NSA). They are both Feistel networks with two branches but differ by the design of their Feistel function. They are both almost ARX constructions, meaning that they rely on Addition, word Rotation and Xor, although SIMON uses And gates instead of additions. Both perform exceptionally well in both hardware and software, although SIMON is supposed to be more hardware-oriented and SPECK more software-oriented. Unlike the specifications of all the other ciphers, theirs provides no security analysis whatsoever.
SIMON
Hardware-oriented, this block cipher relies only on the following operations: and, rotation, xor. It is a classical Feistel network where the Feistel function consists in applying basic operations on the branch, xoring in the subkey and then xoring the result with the other branch.
SPECK
Software-oriented, this block cipher relies only on the following operations: addition, rotation, xor (ARX construction). The structure of the round function is a typical ARX structure similar to the one of the block cipher Threefish used by the hash function Skein^{[96]}.
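To make the ARX round concrete, here is an added example in C (not code from this page or from the designers' paper) implementing Speck128/128. It shows the round function, its inverse, and a key schedule that reuses the same round function with the round index in place of the subkey, which is the property the SIMECK section refers to. The rotation amounts 8 and 3, the 32 rounds and the test vector in main come from the SPECK specification rather than from this page; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

#define SPECK_ROUNDS 32   /* Speck128/128: two 64-bit words, two key words */

static uint64_t ror64(uint64_t x, unsigned r) { return (x >> r) | (x << (64 - r)); }
static uint64_t rol64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }

/* One round: modular addition, two rotations, two xors. */
static void speck_round(uint64_t *x, uint64_t *y, uint64_t k) {
    *x = (ror64(*x, 8) + *y) ^ k;
    *y = rol64(*y, 3) ^ *x;
}

/* Inverse round: undo the operations in reverse order. */
static void speck_round_inv(uint64_t *x, uint64_t *y, uint64_t k) {
    *y = ror64(*y ^ *x, 3);
    *x = rol64((*x ^ k) - *y, 8);
}

/* Key schedule: the round function is applied to the key words themselves,
 * with the round counter i playing the role of the subkey.
 * key[0] is the low key word (first round key), key[1] the high one. */
void speck_expand(const uint64_t key[2], uint64_t rk[SPECK_ROUNDS]) {
    uint64_t l = key[1], k = key[0];
    for (uint64_t i = 0; i < SPECK_ROUNDS; i++) {
        rk[i] = k;
        speck_round(&l, &k, i);
    }
}

/* blk[1] is the left word x, blk[0] the right word y. */
void speck_encrypt(const uint64_t rk[SPECK_ROUNDS], uint64_t blk[2]) {
    uint64_t x = blk[1], y = blk[0];
    for (int i = 0; i < SPECK_ROUNDS; i++)
        speck_round(&x, &y, rk[i]);
    blk[1] = x;
    blk[0] = y;
}

void speck_decrypt(const uint64_t rk[SPECK_ROUNDS], uint64_t blk[2]) {
    uint64_t x = blk[1], y = blk[0];
    for (int i = SPECK_ROUNDS - 1; i >= 0; i--)
        speck_round_inv(&x, &y, rk[i]);
    blk[1] = x;
    blk[0] = y;
}

int main(void) {
    /* Speck128/128 test vector from the specification. */
    const uint64_t key[2] = {0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL};
    uint64_t blk[2] = {0x7469206564616d20ULL, 0x6c61766975716520ULL};
    uint64_t rk[SPECK_ROUNDS];

    speck_expand(key, rk);
    speck_encrypt(rk, blk);
    printf("ciphertext: %016llx %016llx\n",
           (unsigned long long)blk[1], (unsigned long long)blk[0]);
    speck_decrypt(rk, blk);
    printf("decrypted:  %016llx %016llx\n",
           (unsigned long long)blk[1], (unsigned long long)blk[0]);
    return 0;
}
```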
XTEA
 Article: Tea Extensions^{[83]}
 Authors: Needham R. and Wheeler D.
 Target: Software
XTEA is a cipher designed so as to be described by the smallest amount of code. It is an improvement of a previous design called TEA which had identical goals but several weaknesses. To illustrate the compactness of the C code describing encryption, we provide below a possible implementation (suggested on the Wikipedia page of XTEA).
    #include <stdint.h>

    /* take 64 bits of data in v[0] and v[1] and 128 bits of key[0] - key[3] */
    void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
        unsigned int i;
        uint32_t v0=v[0], v1=v[1], sum=0, delta=0x9E3779B9;
        for (i=0; i < num_rounds; i++) {
            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
            sum += delta;
            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
        }
        v[0]=v0; v[1]=v1;
    }
Generalized Feistel Networks (GFN)
Chaskey Cipher
 Article: Chaskey: An Efficient MAC Algorithm for 32-bit Microcontrollers, SAC'14^{[7]}
 Authors: Nicky Mouha, Bart Mennink, Anthony Van Herrewege, Dai Watanabe, Bart Preneel and Ingrid Verbauwhede
 Target: Software
Chaskey (primitive's website) is a lightweight MAC algorithm optimised for 32-bit microcontrollers. It is based on a 128-bit block cipher, the Chaskey cipher, which uses ARX operations and an Even-Mansour structure. This means that there is no key schedule: the 128-bit master key is XORed, then a public permutation is applied and then the master key is XORed again. This simplicity is possible at the cost of a weaker security claim, as in e.g. PRINCE or PRIDE, because a generic attack exists with a time complexity of about 2^{128}/D if the attacker obtains D plaintext-ciphertext pairs.
The code implementing it is very simple and is given below. It is similar to that of SipHash.
The original paper also suggests doubling the number of rounds of the Chaskey cipher to obtain an even more secure primitive, Chaskey-LTS (Long Time Support), with 16 rounds. It was later suggested^{[97]}, in reaction to Leurent's differential-linear attack^{[98]}, to use a variant with 12 rounds called Chaskey-12.
    #include <stdint.h>

    /* rotate the 32-bit word x left by b bits (0 < b < 32) */
    #define ROTL(x,b) (uint32_t)( ((x) >> (32 - (b))) | ((x) << (b)) )

    void encrypt(uint32_t v[4], uint32_t key[4]) {
        int i;
        /* Even-Mansour: XOR the key, apply the public permutation, XOR the key again */
        for (i=0; i<4; i++) v[i] ^= key[i];
        for (i=0; i<8; i++) {
            v[0] += v[1]; v[1]=ROTL(v[1], 5); v[1] ^= v[0]; v[0]=ROTL(v[0],16);
            v[2] += v[3]; v[3]=ROTL(v[3], 8); v[3] ^= v[2];
            v[0] += v[3]; v[3]=ROTL(v[3],13); v[3] ^= v[0];
            v[2] += v[1]; v[1]=ROTL(v[1], 7); v[1] ^= v[2]; v[2]=ROTL(v[2],16);
        }
        for (i=0; i<4; i++) v[i] ^= key[i];
    }
CLEFIA
 Article: The 128-Bit Blockcipher CLEFIA, FSE 07^{[9]}
 Authors: Taizo Shirai, Kyoji Shibutani, Toru Akishita, Shiho Moriai, and Tetsu Iwata
 Target: Hardware and Software
This cipher is intended for use in DRM protocols. Its "lightweightness" can be debated as an area of 4950 GE is huge. The designers of CLEFIA worked for Sony and some of them were involved in the creation of Piccolo.
CLEFIA has been standardized and is part of the ISO29192^{[92]} with PRESENT.
HIGHT
 Article: HIGHT: A New Block Cipher Suitable for Low-Resource Device, CHES 06^{[16]}
 Authors: Deukjo Hong, Jaechul Sung, Seokhie Hong, Jongin Lim, Sangjin Lee, Bon-Seok Koo, Changhoon Lee, Donghoon Chang, Jesang Lee, Kitae Jeong, Hyun Kim, Jongsung Kim, and Seongtaek Chee
 Target: Hardware
HIGHT is an ARX-based generalised Feistel network with whitening. The only operations used are addition and subtraction modulo 2^{8}, xor and bitwise rotations. The subfunctions F_{0} and F_{1} consist in the xor of three different rotations of the input. The key schedule generates 8 bytes of whitening keys by selecting some bytes of the master key and 128 bytes of subkeys in a more complex way. Both during whitening and during encryption, addition and xor are used at the same time on different parts of the internal state (see the round function on the right).
Unlike for instance TWINE, the permutation of the words after addition (or xoring) of the subkeys is a simple rotation.
The first author of HIGHT is also the first author of LEA.
LEA
 Article: LEA: A 128-Bit Block Cipher for Fast Encryption on Common Processors, WISA 13^{[38]}
 Authors: Hong, D., Lee, J. K., Kim, D. C., Kwon, D., Ryu, K. H., and Lee, D. G.
 Target: Software
LEA is a 128-bit block cipher operating on 4 branches of 32 bits each. The only operations used are 32-bit modular addition, XOR and rotation (ARX structure): the designers suppose that "the usage of 32-bit and 64-bit processors will grow rapidly compared to 8-bit and 16-bit ones" (see specification^{[38]}, Section 1.1). The round function is described in the picture on the right. Note that the key is added in both datapaths going into each modular addition.
The key schedule also follows the ARX paradigm: constants are added modulo 2^{32} to the key state and the different words are then rotated.
The first author of LEA is also the first author of HIGHT.
Piccolo
 Article: Piccolo: an ultra-lightweight blockcipher, CHES 11^{[48]}
 Authors: Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., & Shirai, T.
 Target: Hardware
Piccolo is a GFS with four 16-bit branches which employs a sophisticated permutation for the diffusion layer instead of a simple shift (like TWINE and as opposed to CLEFIA) as well as whitening. Note that although the branches of the Feistel structure are made of 16 bits, the permutation operates on words of 8 bits.
The Feistel function is a small SPN where the permutation layer is a multiplication by the same matrix as the one used in the MixNibbles operation in the AES and KLEIN, although in a different field. The 4x4 S-box was designed especially for Piccolo and, while still having decent nonlinearity and differential uniformity, has a tiny hardware footprint: it can be implemented using only 4 NOR gates, 3 XOR gates and 1 XNOR gate. A small SPN is also used as the Feistel function in ITUbee.
The designers work for Sony and several of them worked on CLEFIA.
TWINE
 Article: TWINE: A Lightweight, Versatile Block Cipher, Workshop on Lightweight Crypto 11^{[80]}
 Authors: Tomoyasu Suzaki, Kazuhiko Minematsu, Sumio Morioka, and Eita Kobayashi
 Target: Hardware and software
TWINE is a generalised Feistel structure (GFS) with sixteen 4-bit branches. The Feistel function, called 8 times per round, consists simply in xoring a subkey and applying a 4x4 S-box. The key schedule itself is also a GFS.
The diffusion layer is not a simple circular shift, like for instance in CLEFIA and HIGHT; it is a more sophisticated permutation to speed up diffusion. It is based on Suzaki et al.'s Improving the Generalized Feistel (FSE 10)^{[99]}: the permutation used in TWINE requires only half as many rounds as a circular shift for a one-subblock difference to diffuse to all the subblocks. The S-box is based on the inverse function in GF(2^{4}), just like the one of the AES which is based on the inverse function in GF(2^{8}).
The designers of TWINE worked at NEC Corporation, a Japanese company. While a priori different due to its 2-branched nature, LBlock actually has a structure very similar to TWINE.
Other Designs
KTANTAN and KATAN
 Article: KATAN and KTANTAN — A Family of Small and Efficient Hardware-Oriented Block Ciphers, CHES 09^{[26]}
 Authors: Christophe De Cannière, Orr Dunkelman, and Miroslav Knezevic
 Target: Hardware
The optimization of the physical footprint is at the core of these two designs, at the cost of some speed. The only difference between the two families is the key schedule: in KTANTAN, the key is included in the hardware and cannot be changed. The design is based on a variant of the stream cipher Trivium called Bivium.
The structure of the encryption is best described by the designers themselves:
The structure of the KATAN and the KTANTAN ciphers is very simple — the plaintext is loaded into two registers (whose lengths depend on the block size). Each round, several bits are taken from the registers and enter two nonlinear Boolean functions. The output of the Boolean functions is loaded to the least significant bits of the registers (after they were shifted). Of course, this is done in an invertible manner. To ensure sufficient mixing, 254 rounds of the cipher are executed.
Several attacks based on Meet-in-the-Middle related concepts have been successfully applied on these ciphers^{[28]}^{[29]}. They exploit the slow diffusion of the key material to the internal state throughout the rounds.
The hash function QUARK borrows ideas from these ciphers.
Notes
 ↑ Since the S-box used has better properties than the ones of the DES, attacks on DES may not be applicable to DESLX. Furthermore, no attack exists (to the best of our knowledge) on DESLX with its full FX structure.
 ↑ ^{2.0} ^{2.1} ^{2.2} ^{2.3} ^{2.4} ^{2.5} ^{2.6} ^{2.7} To the best of our knowledge.
 ↑ ^{3.0} ^{3.1} ^{3.2} Encryption only.
 ↑ The figures for Midori correspond to an encryption-only implementation.
 ↑ ^{5.0} ^{5.1} Note that the implementation proposed uses a 10 MHz frequency (unlike the other ciphers in this table).
 ↑ ^{6.0} ^{6.1} The paper in which Mysterion was introduced does not describe a key schedule, only a round function (and a number of rounds).
 ↑ The blocksize of SEA can actually be chosen arbitrarily among multiples of 6. 96 bits is the smallest size considered in the paper about the hardware implementation of SEA (MSQ07).
 ↑ In fact, whether an 8-bit APN permutation exists is still an open problem.
References
 ↑ Cazorla, M., Marquet, K., & Minier, M. (2013). Survey and Benchmark of Lightweight Block Ciphers for Wireless Sensor Networks. IDEA, 64(128), 34. pdf at eprint.iacr.org
 ↑ ^{2.0} ^{2.1} Daemen, J., & Rijmen, V. (1998, June). AES proposal: Rijndael. In First Advanced Encryption Standard (AES) Conference. pdf at csci.csusb.edu
 ↑ Mala, H., Dakhilalian, M., Rijmen, V., & Modarres-Hashemi, M. (2010). Improved impossible differential cryptanalysis of 7-round AES-128. In Progress in Cryptology-INDOCRYPT 2010 (pp. 282-291). Springer Berlin Heidelberg. pdf at springer.com
 ↑ Biryukov, A., & Khovratovich, D. (2009). Related-key Cryptanalysis of the Full AES-192 and AES-256. In Advances in Cryptology–ASIACRYPT 2009 (pp. 1-18). Springer Berlin Heidelberg. pdf at springer.com
 ↑ Bogdanov, A., Khovratovich, D., & Rechberger, C. (2011). Biclique cryptanalysis of the full AES. In Advances in Cryptology–ASIACRYPT 2011 (pp. 344-371). Springer Berlin Heidelberg. pdf at kuleuven.be
 ↑ ^{6.0} ^{6.1} ^{6.2} ^{6.3} ^{6.4} ^{6.5} ^{6.6} ^{6.7} ^{6.8} ECRYPT European Network of Excellence in Cryptology II Lightweight Cipher Lounge, http://www.ecrypt.eu.org/lightweight/index.php/Block_ciphers
 ↑ ^{7.0} ^{7.1} Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., & Verbauwhede, I. (2014). Chaskey: An Efficient MAC Algorithm for 32-bit Microcontrollers. In Selected Areas in Cryptography - SAC 2014 (pp. 306-323). Springer International Publishing. pdf at kuleuven.be
 ↑ Leurent, G. (2015). Differential and Linear Cryptanalysis of ARX with Partitioning for Reduced Data Complexity. In Proceedings of Early Symmetric Crypto 2015 (p. 75). ISBN 9789995981419. pdf at cryptolux.org
 ↑ ^{9.0} ^{9.1} Shirai, T., Shibutani, K., Akishita, T., Moriai, S., & Iwata, T. (2007, January). The 128-bit blockcipher CLEFIA. In Fast software encryption (pp. 181-195). Springer Berlin Heidelberg. pdf at psu.edu
 ↑ Li, Y., Wu, W., & Zhang, L. (2012). Improved integral attacks on reduced-round CLEFIA block cipher. In Information Security Applications (pp. 28-39). Springer Berlin Heidelberg. pdf at springer
 ↑ Tezcan, C. (2010). The improbable differential attack: Cryptanalysis of reduced round CLEFIA. In Progress in Cryptology-INDOCRYPT 2010 (pp. 197-209). Springer Berlin Heidelberg.
 ↑ ^{12.0} ^{12.1} Leander, G., Paar, C., Poschmann, A., & Schramm, K. (2007, January). New lightweight DES variants. In Fast Software Encryption (pp. 196-210). Springer Berlin Heidelberg. pdf at springer
 ↑ ^{13.0} ^{13.1} ^{13.2} Grosso, V., Leurent, G., Standaert, F. X., & Varıcı, K. (2014, March). LS-designs: Bitslice encryption for efficient masked software implementations. In Fast Software Encryption (pp. 18-37). Springer Berlin Heidelberg. pdf at hal.inria.fr
 ↑ ^{14.0} ^{14.1} ^{14.2} Poschmann, A., Ling, S., & Wang, H. (2010). 256 bit standardized crypto for 650 GE – GOST revisited. In Cryptographic Hardware and Embedded Systems, CHES 2010 (pp. 219-233). Springer Berlin Heidelberg. pdf at springer
 ↑ Dinur, I., Dunkelman, O., & Shamir, A. (2012, January). Improved attacks on full GOST. In Fast Software Encryption (pp. 9-28). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ ^{16.0} ^{16.1} .
 ↑ Zhang, P., Sun, B., & Li, C. (2009). Saturation attack on the block cipher HIGHT. In Cryptology and network security (pp. 76-86). Springer Berlin Heidelberg. pdf at springer
 ↑ Koo, B., Hong, D., & Kwon, D. (2011). Related-key attack on the full HIGHT. In Information Security and Cryptology-ICISC 2010 (pp. 49-67). Springer Berlin Heidelberg. pdf at springer
 ↑ Hong, D., Koo, B., & Kwon, D. (2012). Biclique attack on the full HIGHT. In Information Security and Cryptology-ICISC 2011 (pp. 365-374). Springer Berlin Heidelberg. pdf at springer
 ↑ ^{20.0} ^{20.1} Karakoç, F., Demirci, H., & Harmancı, A. E. (2013). ITUbee: a software oriented lightweight block cipher. In Lightweight Cryptography for Security and Privacy (pp. 16-27). Springer Berlin Heidelberg. pdf at springer.com
 ↑ ^{21.0} ^{21.1} ETSI (2014-10). Universal Mobile Telecommunications System (UMTS); LTE; 3G Security; Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification (3GPP TS 35.202 version 12.0.0 Release 12). pdf at etsi.org
 ↑ ^{22.0} ^{22.1} Dunkelman, O., Keller, N., & Shamir, A. (2010). A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. In Advances in Cryptology–CRYPTO 2010 (pp. 393-410). Springer Berlin Heidelberg. pdf at math.huji.ac.il
 ↑ ^{23.0} ^{23.1} ^{23.2} ^{23.3} Gong, Z., Nikova, S., & Law, Y. W. (2012). KLEIN: a new family of lightweight block ciphers. In RFID. Security and Privacy (pp. 1-18). Springer Berlin Heidelberg. pdf at eemcs.utwente.nl
 ↑ Aumasson, J. P., Naya-Plasencia, M., & Saarinen, M. J. O. (2011). Practical attack on 8 rounds of the lightweight block cipher KLEIN. In Progress in Cryptology–INDOCRYPT 2011 (pp. 134-145). Springer Berlin Heidelberg. pdf at springer
 ↑ Lallemand, V., & Naya-Plasencia, M. (2014). Cryptanalysis of KLEIN (Full version). IACR Cryptology ePrint Archive, 2014, 90. pdf at eprint.iacr.org
 ↑ ^{26.0} ^{26.1} ^{26.2} De Canniere, C., Dunkelman, O., & Knežević, M. (2009). KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers. In Cryptographic Hardware and Embedded Systems-CHES 2009 (pp. 272-288). Springer Berlin Heidelberg. pdf at kuleuven.be
 ↑ Albrecht, M. R., & Leander, G. (2013, January). An all-in-one approach to differential cryptanalysis for small block ciphers. In Selected Areas in Cryptography (pp. 1-15). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ ^{28.0} ^{28.1} Zhu, B., & Gong, G. (2011). Multidimensional Meet-in-the-Middle Attack and Its Applications to KATAN32/48/64. pdf at eprint.iacr.org
 ↑ ^{29.0} ^{29.1} Bogdanov, A., & Rechberger, C. (2011, January). A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In Selected Areas in Cryptography (pp. 229-240). Springer Berlin Heidelberg. pdf at dtu.dk
 ↑ ^{30.0} ^{30.1} ^{30.2} Wu, W., & Zhang, L. (2011, January). LBlock: a lightweight block cipher. In Applied Cryptography and Network Security (pp. 327-344). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ Minier, M., & Naya-Plasencia, M. (2012). A related key impossible differential attack against 22 rounds of the lightweight block cipher LBlock. Information Processing Letters, 112(16), 624-629. pdf at ac.els-cdn.com
 ↑ Soleimany, H., & Nyberg, K. (2012). Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock. IACR Cryptology ePrint Archive, 2012, 570. pdf at eprint.iacr.org
 ↑ Sasaki, Y., & Wang, L. (2013). Comprehensive study of integral analysis on 22-round LBlock. In Information Security and Cryptology–ICISC 2012 (pp. 156-169). Springer Berlin Heidelberg. pdf at springer
 ↑ Liu, Y., Gu, D., Liu, Z., & Li, W. (2012). Impossible differential attacks on reduced-round LBlock. In Information Security Practice and Experience (pp. 97-108). Springer Berlin Heidelberg. pdf at springer
 ↑ Boura, C., Minier, M., Naya-Plasencia, M., & Suder, V. (2014). Improved impossible differential attacks against round-reduced LBlock. pdf at hal.archives-ouvertes.fr
 ↑ ^{36.0} ^{36.1} ^{36.2} ^{36.3} ^{36.4} Guo, J., Peyrin, T., Poschmann, A., & Robshaw, M. (2011). The LED block cipher. In Cryptographic Hardware and Embedded Systems–CHES 2011 (pp. 326-341). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ ^{37.0} ^{37.1} Dinur, I., Dunkelman, O., Keller, N., & Shamir, A. (2013). Key Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full AES 2. pdf at eprint.iacr.org
 ↑ ^{38.0} ^{38.1} ^{38.2} Hong, D., Lee, J. K., Kim, D. C., Kwon, D., Ryu, K. H., & Lee, D. G. (2014). LEA: A 128-bit block cipher for fast encryption on common processors. In Information Security Applications (pp. 3-27). Springer International Publishing. pdf at springer.com
 ↑ ^{39.0} ^{39.1} ^{39.2} Lim, C. H., & Korkishko, T. (2006). mCrypton–A lightweight block cipher for security of low-cost RFID tags and Sensors. In Information Security Applications (pp. 243-258). Springer Berlin Heidelberg. pdf at springer
 ↑ ^{40.0} ^{40.1} Yonglin, H. & Dongxia, B. (2013). A Meet-in-the-middle Attack on Round-Reduced mCrypton. Cryptology ePrint Archive, Report 2013/756. pdf at eprint.iacr.org
 ↑ ^{41.0} ^{41.1} ^{41.2} ^{41.3} Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., & Regazzoni, F. (2015). Midori: A Block Cipher for Low Energy. In Advances in Cryptology–ASIACRYPT 2015 (To appear). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ ^{42.0} ^{42.1} Matsui, M. (1997, January). New block encryption algorithm MISTY. In Fast Software Encryption (pp. 54-68). Springer Berlin Heidelberg. pdf at googlecode.com
 ↑ Todo, Y. (2015). Integral Cryptanalysis on Full MISTY1. In Advances in Cryptology-CRYPTO 2015 (pp. 413-432). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ Bar-On, A. (2015). A 2^{70} Attack on the Full MISTY1. IACR Cryptology ePrint Archive, 2015, 746. pdf at eprint.iacr.org
 ↑ ^{45.0} ^{45.1} Journault, A., Standaert, F.X., & Varici, K. (2015) Proceedings of the 9th International Workshop on Coding and Cryptography, WCC 2015, Paris, France. extended abstract at uclouvain.be.
 ↑ ^{46.0} ^{46.1} ^{46.2} Joan Daemen, Michaël Peeters, Gilles Van Assche, Vincent Rijmen (2000). Nessie Proposal: Noekeon, First Open Nessie Workshop. pdf at googlecode.com
 ↑ Z’aba, M. R., Raddum, H., Henricksen, M., & Dawson, E. (2008, January). Bit-pattern based integral attack. In Fast Software Encryption (pp. 363-381). Springer Berlin Heidelberg. pdf at springer.com
 ↑ ^{48.0} ^{48.1} ^{48.2} Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., & Shirai, T. (2011). Piccolo: an ultra-lightweight blockcipher. In Cryptographic Hardware and Embedded Systems–CHES 2011 (pp. 342-357). Springer Berlin Heidelberg. pdf at springer
 ↑ Wang, Y., Wu, W., & Yu, X. (2012). Biclique cryptanalysis of reduced-round piccolo block cipher. In Information Security Practice and Experience (pp. 337-352). Springer Berlin Heidelberg. pdf at springer
 ↑ Minier, M. (2013). On the Security of Piccolo Lightweight Block Cipher against Related-Key Impossible Differentials. In Progress in Cryptology–INDOCRYPT 2013 (pp. 308-318). Springer International Publishing. pdf at springer.com
 ↑ ^{51.0} ^{51.1} ^{51.2} Bogdanov, A., Knudsen, L. R., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J., ... & Vikkelsoe, C. (2007). PRESENT: An ultra-lightweight block cipher. In Cryptographic Hardware and Embedded Systems-CHES 2007 (pp. 450-466). Springer Berlin Heidelberg. pdf at springer
 ↑ Collard, B., & Standaert, F. X. (2009). A statistical saturation attack against the block cipher PRESENT. In Topics in Cryptology–CT-RSA 2009 (pp. 195-210). Springer Berlin Heidelberg. pdf at uclouvain.be
 ↑ Cho, J. Y. (2010). Linear cryptanalysis of reduced-round PRESENT. In Topics in Cryptology-CT-RSA 2010 (pp. 302-317). Springer Berlin Heidelberg. pdf at springer.com
 ↑ Blondeau, C. & Nyberg, K. (2014). Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities. In Advances in Cryptology—EUROCRYPT'14 (To Appear). Springer Berlin Heidelberg. pdf at aalto.fi
 ↑ Poschmann, A. Lightweight Cryptography: Cryptographic Engineering for a Pervasive World. PhD Thesis from Faculty of Electrical Engineering and Information Technology Ruhr-University Bochum, Germany. pdf at eprint.iacr.org
 ↑ ^{56.0} ^{56.1} ^{56.2} ^{56.3} Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E. B., Knezevic, M., Knudsen, L. R., ... & Yalçın, T. (2012). PRINCE–A Low-Latency Block Cipher for Pervasive Computing Applications. In Advances in Cryptology–ASIACRYPT 2012 (pp. 208-225). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ Soleimany, H., Blondeau, C., Yu, X., Wu, W., Nyberg, K., Zhang, H., ... & Wang, Y. (2013). Reflection Cryptanalysis of PRINCE-like Ciphers. FSE. 13 pdf at aalto.fi
 ↑ Canteaut, A., Naya-Plasencia, M., & Vayssiere, B. (2013). Sieve-in-the-middle: Improved MITM attacks. In Advances in Cryptology–CRYPTO 2013 (pp. 222-240). Springer Berlin Heidelberg. pdf at hal.inria.fr
 ↑ Anne Canteaut, Thomas Fuhr, Henri Gilbert, María Naya-Plasencia and Jean-René Reinhard (2014). Multiple Differential Cryptanalysis of Round-Reduced PRINCE (Full version), IACR Cryptology ePrint Archive, 2014, 089. pdf at eprint.iacr.org
 ↑ ^{60.0} ^{60.1} ^{60.2} Rivest, R. L. (1995, January). The RC5 encryption algorithm. In Fast Software Encryption (pp. 86-96). Springer Berlin Heidelberg. pdf at csail.mit.edu
 ↑ Biryukov, A., & Kushilevitz, E. (1998). Improved cryptanalysis of RC5. In Advances in Cryptology—EUROCRYPT'98 (pp. 85-99). Springer Berlin Heidelberg. pdf at springer
 ↑ Borst, J., Preneel, B., & Vandewalle, J. (1999, January). Linear Cryptanalysis of RC5 and RC6. In Fast Software Encryption (pp. 16-30). Springer Berlin Heidelberg. pdf at esat.kuleuven.be
 ↑ ^{63.0} ^{63.1} ^{63.2} ^{63.3} ^{63.4} Wentao Zhang, Zhenzhen Bao, Dongdai Lin, Vincent Rijmen, Bo-Han Yang, Ingrid Verbauwhede. RECTANGLE: a bitslice lightweight block cipher suitable for multiple platforms. Sci China Inf Sci, 2015, 58: 122103(15). pdf at eprint.iacr.org
 ↑ ^{64.0} ^{64.1} Baysal, A., & Ş., Sühap. (2015). RoadRunneR: A Small And Fast Bitslice Block Cipher For Low Cost 8-bit Processors. LightSec 2015. pdf at eprint.iacr.org
 ↑ Leander, G., Minaud, B., & Rønjom, S. (2015). A generic approach to invariant subspace attacks: Cryptanalysis of Robin, iSCREAM and Zorro. In Advances in Cryptology-EUROCRYPT 2015 (pp. 254-283). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ ^{66.0} ^{66.1} ^{66.2} Standaert, F. X., Piret, G., Gershenfeld, N., & Quisquater, J. J. (2006). SEA: A scalable encryption algorithm for small embedded applications. In Smart Card Research and Advanced Applications (pp. 222-236). Springer Berlin Heidelberg. pdf at springer
 ↑ This figure corresponds to the datapath only, the plaintext and the key have to be stored elsewhere.
 ↑ Mace, F., Standaert, F. X., & Quisquater, J. J. (2007, July). ASIC implementations of the block cipher sea for constrained applications. In Proceedings of the Third International Conference on RFID Security-RFIDSec (pp. 103-114). pdf at psu.edu
 ↑ ^{69.0} ^{69.1} ^{69.2} Yang, G., Zhu, B., Suder, V., Aagaard, M.D., & Gong, G. (2015). The Simeck Family of Lightweight Block Ciphers. In Cryptographic Hardware and Embedded Systems–CHES 2011 (pp. 342-357). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ Kölbl, Stefan, & Roy, Arnab (2015). A Brief Comparison of Simon and Simeck, IACR Cryptology ePrint Archive, 2015, 706. pdf at eprint.iacr.org
 ↑ Qiao, K., Hu, L., & Sun, S. (2015). Differential Security Evaluation of Simeck with Dynamic Key-guessing Techniques. IACR Cryptology ePrint Archive, 2015, 902. pdf at eprint.iacr.org
 ↑ ^{72.0} ^{72.1} ^{72.2} ^{72.3} ^{72.4} Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., & Wingers, L. The SIMON and SPECK Families of Lightweight Block Ciphers. pdf at eprint.iacr.org
 ↑ ^{73.0} ^{73.1} Alex Biryukov, Arnab Roy, and Vesselin Velichkov (2014). Differential Analysis of Block Ciphers SIMON and SPECK, FSE'14 (To appear). pdf at cryptolux.org
 ↑ Ning Wang, Xiaoyun Wang, Keting Jia and Jingyuan Zhao (2014). Improved Differential Attacks on Reduced SIMON Versions, IACR Cryptology ePrint Archive, 2014, 448. pdf at eprint.iacr.org
 ↑ Farzaneh Abed, Eik List, Stefan Lucks and Jakob Wenzel (2013). Differential and Linear Cryptanalysis of Reduced-Round Simon, IACR Cryptology ePrint Archive, 2013, 526. pdf at eprint.iacr.org
 ↑ Javad Alizadeh, Hoda A. Alkhzaimi, Mohammad Reza Aref, Nasour Bagheri, Praveen Gauravaram and Martin M. Lauridsen (2014). Improved Linear Cryptanalysis of Round Reduced SIMON, IACR Cryptology ePrint Archive, 2014, 681. pdf at eprint.iacr.org
 ↑ Chen, H., & Wang, X. (2015). Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-guessing Techniques, IACR Cryptology ePrint Archive, 2015, 666. pdf at eprint.iacr.org
 ↑ Dinur, I. (2014). Improved Differential Cryptanalysis of Round-Reduced Speck, IACR Cryptology ePrint Archive, 2014, 320. pdf at eprint.iacr.org
 ↑ Farzaneh Abed, Eik List, Stefan Lucks and Jakob Wenzel (2013). Cryptanalysis of the Speck Family of Block Ciphers, IACR Cryptology ePrint Archive, 2013, 568. pdf at eprint.iacr.org
 ↑ Suzaki, T., Minematsu, K., Morioka, S., & Kobayashi, E. (2011). Twine: A lightweight, versatile block cipher. In ECRYPT Workshop on Lightweight Cryptography (pp. 146-169). pdf from nec.co.jp
 ↑ Çoban, M., Karakoç, F., & Boztaş, Ö. (2012). Biclique cryptanalysis of TWINE. In Cryptology and Network Security (pp. 43-55). Springer Berlin Heidelberg. pdf at eprint.iacr.org
 ↑ Wang, Y., & Wu, W. (2014, January). Improved Multidimensional Zero-Correlation Linear Cryptanalysis and Applications to LBlock and TWINE. In Information Security and Privacy (pp. 1-16). Springer International Publishing. pdf at springer.com
 ↑ Needham, R. M., & Wheeler, D. J. (1997). Tea extensions.
 ↑ Lu, J. (2009). Related-key rectangle attack on 36 rounds of the XTEA block cipher. International Journal of Information Security, 8(1), 1-11. pdf at springer.com
 ↑ Sekar, G., Mouha, N., Velichkov, V., & Preneel, B. (2011). Meet-in-the-middle attacks on reduced-round XTEA. In Topics in Cryptology–CT-RSA 2011 (pp. 250-267). Springer Berlin Heidelberg. pdf at springer.com
 ↑ Gérard, B., Grosso, V., Naya-Plasencia, M., & Standaert, F. X. (2013). Block Ciphers that are Easier to Mask: How Far Can we Go? CHES 2013. pdf at eprint.iacr.org
 ↑ Guo, J., Nikolic, I., Peyrin, T., & Wang, L. Cryptanalysis of Zorro. Cryptology ePrint Archive, Report 2013/713. pdf at eprint.iacr.org
 ↑ Biryukov, A. (2005). A new 128-bit key stream cipher LEX. eSTREAM, ECRYPT Stream Cipher Project, Report, 13, 2005. pdf at ecrypt.eu.org
 ↑ Nyberg, K. (1994, January). Differentially uniform mappings for cryptography. In Advances in cryptology—Eurocrypt’93 (pp. 55-64). Springer Berlin Heidelberg. pdf at science.unitn.it
 ↑ Markus Ullrich, Christophe De Canniere, Sebastiaan Indesteege, Özgül Küçük, Nicky Mouha, and Bart Preneel. Finding optimal bitsliced implementations of 4×4-bit S-boxes. In SKEW 2011 Symmetric Key Encryption Workshop, Copenhagen, Denmark, pages 16–17, 2011.
 ↑ Knudsen, L. R., & Raddum, H. (2001). On noekeon. Report for the NESSIE project. pdf at kuleuven.be
 ↑ Website of the International Standard Organization, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56552
 ↑ Martin R. Albrecht, Benedikt Driessen, Elif Bilge Kavun, Gregor Leander, Christof Paar and Tolga Yalcın (2014). Block Ciphers - Focus On the Linear Layer (feat. PRIDE), Full Version, IACR Cryptology ePrint Archive, 2014, 453. pdf at eprint.iacr.org
 ↑ Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B. & Verbauwhede, I. (2014). RECTANGLE: A Bitslice Ultra-Lightweight Block Cipher Suitable for Multiple Platforms. Cryptology ePrint Archive, Report 2014/084, version 20140207:151850. pdf at eprint.iacr.org
 ↑ Shan, J., Hu, L., Song, L., Sun, S., Ma, X. (2014). Related-Key Differential Attack on Round Reduced RECTANGLE-80. IACR Cryptology ePrint Archive, 2014, 986. pdf at eprint.iacr.org
 ↑ Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., ... & Walker, J. (2010). The Skein hash function family. Submission to NIST (round 3), 7(7.5), 3. pdf at schneier.com
 ↑ Mouha, N. (2015). Chaskey: a MAC Algorithm for Microcontrollers - Status Update and Proposal of Chaskey-12, IACR Cryptology ePrint Archive, 2015, 1182. pdf at eprint.iacr.org
 ↑ Leurent, G. (2015). Differential and Linear Cryptanalysis of ARX with Partitioning - Application to FEAL and Chaskey, IACR Cryptology ePrint Archive, 2015, 968. pdf at eprint.iacr.org
 ↑ Suzaki, T., & Minematsu, K. (2010, January). Improving the generalized Feistel. In Fast Software Encryption (pp. 19-39). Springer Berlin Heidelberg. pdf at eprint.iacr.org