Escolar Documentos
Profissional Documentos
Cultura Documentos
Cryptographic Algorithm
Xinxin Fan and Guang Gong
Ken Lauffenburger
Troy Hicks
E&CE Department
University of Waterloo
Waterloo, Ontario, N2L 3G1, CANADA
Email: {x5fan, ggong}@uwaterloo.ca
AbstractHummingbird is a new ultra-lightweight cryptographic algorithm targeted for resource-constrained devices like
RFID tags, smart cards, and wireless sensor nodes. In this paper,
we describe efficient hardware implementations of a stand-alone
Hummingbird component in field-programmable gate array
(FPGA) devices. We implement an encryption only core and
an encryption/decryption core on the low-cost Xilinx FPGA
series Spartan-3 and compare our results with other reported
lightweight block cipher implementations on the same series. Our
experimental results highlight that in the context of low-cost
FPGA implementation Hummingbird has favorable efficiency
and low area requirements.
Index TermsLightweight cryptographic primitive, resourceconstrained devices, FPGA implementations.
I. I NTRODUCTION
Hummingbird is a recently proposed ultra-lightweight cryptographic algorithm targeted for low-cost smart devices like
RFID tags, smart cards, and wireless sensor nodes [3]. It
has a hybrid structure of block cipher and stream cipher and
was developed with both lightweight software and lightweight
hardware implementations for constrained devices in mind.
Moreover, Hummingbird has been shown to be resistant to
the most common attacks to block ciphers and stream ciphers
including birthday attack, differential and linear cryptanalysis,
structure attacks, algebraic attacks, cube attacks, etc. [3].
In practice, Hummingbird has been implemented across a
wide range of different target platforms [3], [5]. Those implementations demonstrate that Hummingbird provides efficient
and flexible software solutions for various embedded applications. However, the hardware performance of Hummingbird
has not yet been investigated in detail. As a result, our main
contribution in this paper is to close this gap and provide
the first efficient hardware implementations of Hummingbird encryption/decryption cores on low-cost FPGAs. Our
implementation results show that on the Spartan-3 XC3S200
FPGA device the speed optimized Hummingbird encryption
core can achieve a throughput of 160.4 Mbps at the cost
of 273 slices, whereas the encryption/decryption core can be
implemented in 558 slices and operate at 128.8 Mbps.
II. T HE H UMMINGBIRD C RYPTOGRAPHIC A LGORITHM
Hummingbird is neither a block cipher nor a stream cipher,
but a rotor machine equipped with novel rotor-stepping rules.
The design of Hummingbird is based on an elegant combination of a block cipher and stream cipher with 16-bit block
size, 256-bit key size, and 80-bit internal state. Figure 1(a)
and Figure 1(b) illustrate the initialization and encryption
processes of the Hummingbird cryptographic algorithm, respectively. Both initialization and encryption consist of four
16-bit block ciphers Eki (i = 1, 2, 3, 4), four 16-bit internal
state registers RSi (i = 1, 2, 3, 4), and a 16-stage Linear Shift
Feedback Register (LFSR). Moreover, the 256-bit secret key
K is divided into four 64-bit subkeys k1 , k2 , k3 and k4 which
are used in the four block ciphers, respectively.
After a system initialization process as shown in Figure 1(a),
a 16-bit plaintext block P Ti is encrypted by passing four
identical block ciphers Eki () (i = 1, 2, 3, 4) in a consecutive
manner, each of which is a typical substitution-permutation
(SP) network with 16-bit block size and 64-bit key as shown
in Figure 1(c). The block cipher consists of four regular rounds
and a final round. The substitution layer is composed of four
S-boxes with 4-bit inputs and 4-bit outputs as shown in Table I.
TABLE I
F OUR S-B OXES IN H EXADECIMAL N OTATION
x
S1 (x)
S2 (x)
S3 (x)
S4 (x)
0
8
0
2
0
1
6
7
E
7
2
5
E
F
3
3
F
1
5
4
4
1
5
C
C
5
C
B
1
1
6
A
8
9
A
7
9
2
A
F
8
E
3
B
D
9
B
A
4
E
A
2
D
6
6
B
4
6
8
B
C
7
F
0
2
D
0
C
7
8
E
D
4
3
9
F
3
9
D
5
m = (m0 , m1 , , m15 )
16
NONCE1
RS1 RS3
P Ti
(i)
16
(i)
(i)
(i)
K1 , K 2 , K 3 , K 4
16
RS1
RS1
+
NONCE2
RS2
Ek 1
RS3
16
Ek 1
16
RS2
+
Linear Transform L
+
NONCE3
S1 S2 S3 S4
Ek 2
Ek 2
after 4 rounds
LFSR
RS3
16
Ek 3
NONCE4
RS4
RS4
(i)
(i)
16
Fig. 1.
(i)
+
CTi
TV
(i)
16
Ek 4
(i)
S 1 S 2 S 3 S4
Ek 4
(i)
K5 = K1 K3
16
Ek 3
m =
K6 = K2 K4
Implementation
Strategy
LUT
BFR
LUT
BFR
LUT
BFR
LUT
BFR
# LUTs
# FFs
186
186
193
186
186
186
190
187
16
16
16
16
16
16
16
16
Total Occupied
Slices
107
109
112
107
101
106
104
109
(i)
(i)
K1
K2
16
16
Fig. 2.
K4
16
16
16
+ 16
16
Linear Transform L
+ 16
Linear Transform L
16
DIN
16
(i)
(i)
K1
16
(i)
K3
16
4
16
4
16
+ 16
(i)
16
DOUT
16
MODE
CNT
1
RSi
16
RS1
16
RS2
16
RS3
16
16
RS4
M5
16
M11
16
M1
CNT
16
CNT
16
ki
16
16
1
16
16
16
M7
16
1
16
RSi
16
64
CET
M4
16
16
16
16
LoopUnrolled
Encryption
CNT
16
MODE
CNT
16
16
16
RS1
16
T1
16
RS3
RS2
RS4
16
16
16
16
16
ki
M4
16
CNT
16
16
CNT
PTO
16
16
CT
16
16
16
16
CNT
16
1
LF SR
16
16
CT I
Time Base
M9
16
CELF SR
T1
16
MODE
CNT
16
16
LoopUnrolled
Encryption
16
16
PT/
SSID
M7
16
M3
16
MODE
CNT
16
CET
64
SUBSEL
M2
MODE
CNT
16
CNT
16
M5
16
16
16
M6
16
M1
16
16
CNT
16
16
16
K4
16
16
M8
16
16
LoopUnrolled
Decryption
16
16
16
16
MODE
CNT
M6
16
16
16
16
MODE
CNT
Fig. 3.
MODE
CNT
CNT
M2
P T I/
SSID
16
CELF SR
LF SR
M10
16
16
CT O
16
16
16
16
M3
16
Time Base
CNT
Fig. 4.
The Datapath of Speed Optimized Hummingbird Encryption/
Decryption Core
# LUTs
# FFs
473
1, 024
120
145
Total Occupied
Slices
273
558
Max. Freq.
(MHz)
40.1
32.2
# CLK Cycles
Init. Enc/Dec
20
Throughput
(Mbps)
160.4
128.8
Efficiency
(Mbps/# Slices)
0.59
0.23
TABLE IV
P ERFORMANCE C OMPARISON OF FPGA I MPLEMENTATIONS OF
C RYPTOGRAPHIC A LGORITHMS
Cipher
PRESENT [7]
Key
Size
256
80
128
80
Block
Size
16
64
64
64
XTEA [8]
128
64
ICEBERG [12]
SEA [9]
AES [2]
128
126
64
126
128
128
Hummingbird
PRESENT [10]
AES [6]
AES [11]
AES [1]
FPGA
Device
Spartan-3 XC3S200-5
Spartan-3 XC3S400-5
Spartan-3E XC3S500
Spartan-3 XC3S50-5
Virtex-5 XC5VLX85-3
Virtex-2
Virtex-2 XC2V4000
Spartan-2 XC2S30-6
Spartan-3 XC3S2000-5
Spartan-2 XC2S15-6
Spartan-2 XC2V40-6
Spartan-3
Total Occupied
Slices
273
176
202
271
254
9, 647
631
424
522
17, 425
264
1, 214
1, 800
Max. Freq.
(MHz)
40.1
258
254
62.6
332.2
145
60
196.1
67
123
150
Throughput
(Mbps)
160.4
516
508
36
20, 645
1, 016
156
166
25, 107
2.2
358
1700
Efficiency
(Mbps/# Slices)
0.59
2.93
2.51
0.14
2.14
1.61
0.368
0.32
1.44
0.01
0.29
0.9
IV. C ONCLUSION
This paper presented the first efficient FPGA implementations of the ultra-lightweight cryptographic algorithm Hummingbird. The proposed speed optimized Hummingbird encryption/decryption cores can encrypt or decrypt a 16-bit
message block with 4 clock cycles, after an initialization
process of 20 clock cycles. Compared to other lightweight
FPGA implementations of block ciphers XTEA, ICEBERG,
SEA and AES, Hummingbird can achieve larger throughput
with smaller area requirement. Consequently, Hummingbird
can be considered as an ideal cryptographic primitive for
resource-constrained environments.
ACKNOWLEDGMENT
This work is supported by an NSERC Discovery Grant and
an NSERC Strategic Project Grant.
R EFERENCES
[1] P. Bulens, F.-X. Standaert, J.-J. Quisquater, and P. Pellegrin, Implementation of the AES-128 on Virtex-5 FPGAs, Progress in Cryptology AFRICACRYPT 2008, LNCS 5023, pp. 16-26, 2008.
[2] P. Chodowiec and K. Gaj, Very Compact FPGA Implementation of
the AES Algorithm, The 5th International Workshop on Cryptographic
Hardware and Embedded Systems - CHES 2003, LNCS 2779, pp. 319333, 2003.
[3] D. Engels, X. Fan, G. Gong, H. Hu, and E. M. Smith, Hummingbird:
Ultra-Lightweight Cryptography for Resource- Constrained Devices, to
appear in the proceedings of The 14th International Conference on
Financial Cryptography and Data Security - FC 2010, 2010.
[4] N. N. Espresso. Available at http://embedded.eecs.berkeley.edu/pubs/
downloads/espresso/index.htm, November 1994.
[5] X. Fan, H. Hu, G. Gong, E. M. Smith and D. Engels, Lightweight
Implementation of Hummingbird Cryptographic Algorithm on 4-Bit
Microcontrollers, The 1st International Workshop on RFID Security and
Cryptography 2009 (RISC09), pp. 838-844, 2009.
[6] T. Good and M. Benaissa, AES on FPGA from the Fastest to the
Smallest, The 7th International Workshop on Cryptographic Hardware
and Embedded Systems - CHES 2005, LNCS 3659, pp. 427-440, 2005.
[7] X. Guo, Z. Chen, and P. Schaumont, Energy and Performance Evaluation
of an FPGA-Based SoC Platform with AES and PRESENT Coprocessors, Embedded Computer Systems: Architectures, Modeling, and
Simulation - SAMOS2008, LNCS 5114, pp. 106-115, 2008.
[8] J.-P. Kaps, Chai-Tea, Cryptographic Hardware Implemenations of
xTEA, The 9th International Conference on Cryptology in India INDOCRYPT 2008, LNCS 5356, pp. 363-375, 2008.
[9] F. Mace, F.-X. Standaert, and J.-J. Quisquater, FPGA Implemenation(s)
of a Scalable Encryption Algorithm, IEEE Transactions on Very Large
Scale Integration (VLSI) Systems, vol. 16, no. 2, pp. 212-216, 2008.
[10] A. Poschmann, Lightweight Cryptography - Cryptographic Engineering
for a Pervasive World, Ph.D. Thesis, Department of Electrical Engineering and Information Sciences, Ruhr-Universit
aet Bochum, Bochum,
Germany, 2009.
[11] G. Rouvroy, F.-X. Standaert, J.-J. Quisquater, and J.-D. Legat, Compact
and Efficient Encryption/Decryption Module for FPGA Implementation
of the AES Rijndael Very Well Suited for Small Embedded Applications, International Conference on Information Technology: Coding and
Computing - ITCC 2004, pp. 583-587, 2004.
[12] F.-X. Standaert, G. Piret, G. Rouvroy, and J.-J. Quisquater, FPGA
Implementations of the ICEBERG Block Cipher, Integration, the VLSI
Journal, vol. 40, iss. 1, pp. 20-27, 2007.
[13] Xilinx Inc., Spartan-3 FPGA Family Data Sheet, DS099, December
4, 2009, available at http://www.xilinx.com/support/documentation/data
sheets/ds099.pdf.