advertisement

International Journal of Engineering & Technology Sciences Volume 03, Issue 01, Pages 13-21, 2015 ISSN: 2289-4152 A Hardware Implementation of Twine Block Cipher High Level Synthesis Approach Ali Nemati a,b, Arash Ahmadi a,b,*, Vahab Al-din Makki a,b a Department of Electrical Engineering, College of Basic Science, Kermanshah Science and Research Branch, Islamic Azad University, Kermanshah, Iran). b Department of Electrical Engineering, College of Basic Science, Kermanshah Branch, Islamic Azad University, Kermanshah, Iran). * Corresponding author. Tel.: +989373919597; E-mail address: [email protected] Abstract Keywords: Lightweight Cryptography, Twine Algorithm, High Level Synthesis, Field Programmable Gate Array (FPGA). Accepted: 23 January2015 Radio frequency identification (RFID) are becoming a part of our everyday life with a wide range of applications such as labeling products and supply chain management and etc. At the same time, security and privacy issues remain as an important problem, thus, with the large deployment of low resource devices such as RFID systems and sensor nodes, increasing need to provide security and privacy among such devices, has arisen. Accordingly, concept of lightweight cryptography is introduced. Encryption algorithms are classified into various types such as block and stream ciphers. Lightweight block cipher plays a major role as a building block for security protocols. In 2011 Tomoyasu Suzaki et al in NEC Corporation proposed a new versatile block cipher named as Twine, which are suitable for extremely constrained environments and multiple platforms. In this paper, we simulate and synthesize the Twine block cipher family. Synthesis estimation results of the Twine cryptography algorithm on a FPGA are presented. © Academic Research Online Publisher. All rights reserved. 1. Introduction Radio Frequency Identification (RFID) technology universal technology, privacy and security are the important problems to be solved [6]. is one of the most important technologies in the field During last decade, lightweight cryptography has of computing that is present everywhere. Although provided security solutions for highly constrained this technology gives many advantages than other devices and embedded systems. A large number of identification systems, there are also related security research works have already been done in this risks that can’t be easily passed. RFID security is a domain, which have specifically achieved optimized significant research subject today, as proved by the block ciphers suitable for lightweight cryptographic great number of research papers published in this applications, for instance Katan, Piccolo and several domain in last decade. As RFID technology is a others [1, 3]. As RFID devices become broadly Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 utilized in different applications, it is vital to provide -128 to denote the corresponding version. The global various levels of security, associating to the structure of Twine is a variant of Type-2 GFS with application. 16 4-bit sub-blocks. Given a 64-bit plaintext, P(64), and a round key, RK(32×36), the cipher produces the Different applications have different security requirements, and in any case to achieve the desired level of security, protocols should be developed. Security has a direct relation with key size, meaning that with the increase of key-length, the level of security grows. Each block cipher is adaptively to initial cryptographic principles and we expect that any lightweight protocol can be based on a block cipher with the suitable data block and key size. Although some standard cryptographic algorithms such as Advance Encryption Standard (AES) have been proposed for lightweight applications, choosing AES is not a good option for highly constrained environments [12, 7]. Only few number cipher text C(64). Round key RK(32×36) is derived from the secret key, K(n) with n ∈ {80, 128}, using the key schedule. A round function of Twine consists of a nonlinear layer using 4-bit S-boxes and a diffusion layer, which permutes the 16 blocks. This round function is iterated for 36 times for both key lengths, where the diffusion layer of the last round is omitted. The encryption process can be written as Algorithm 2.1. The S-box, S, is a 4-bit permutation defined as Table 1. The permutation of block indexes, π : {0, ... , 15} → {0, ... , 15}, where j-th sub-block (for j = 0, ... , 15) is mapped to π[j]-th sub-block, is depicted at Table 2. Round function of Twine algorithm is shown in Figure 1 [2]. of the block ciphers can be implemented on a small circuit with minimal power and area requirements Algorithm 2.1: Twine .Enc (P(64), RK(32×36), C(64)) and We organize this paper as follows: In Section 2 we X1(64) P RK1(32) || … || RK35(36) RK(32×36) for i 1 to 35 Xi0(4) || Xi1(4) || … || Xi14(4) || Xi15(4) Xi(64) RKi0(4) || RKi1(4) || … || RKi6(4) || RKi7(4) RKi(32) for j 0 to 7 do do Xi2j+1 S(Xi2j ⊕ RKij) ⊕ Xi2j+1 for h 0 to 15 do Xi+1π[h] Xih Xi+1 Xi+10 || Xi+11 || … || Xi+114 || Xi+115 for j 0 to 7 do X362j+1 S(X362j ⊕ RK36j) ⊕ X362j+1 C X36 [2] describe the specification of Twine briefly. Section ⊕ denotes bitwise exclusive-OR. For binary strings, 3 presents the synthesis of the Twine block cipher x and y, x∥y denotes the concatenation of x and y. family. In Sections 4 we present the synthesis Let |x| denote the bit length of a binary string x. If |x| estimation results of Twine algorithm on FPGA, = m, x is also written as x(m) to emphasize its bit respectively. Section 5 concludes the paper. length. The key schedule produces RK(32×36) from some others can be embedded on microcontrollers with limited flash, SRAM, and/or power availability [7]. Obviously, any effort to optimize the performance of a parameter on one side will have a negative impact on the performance of other parameters on the other side meaning that the trade-off law is in place. 2. Algorithm Description the secret key, K(n), where n ∈ {80, 128}. The pseudo code of key schedule for 80-bit key is in Algorithm Twine is a 64-bit block cipher with two supported 2.2. Round constant, CONi(6) = CONiH(3) ∥ CONi L(3), key lengths, 80 and 128 bits. If the key length is is defined as 2i in GF(26) with primitive polynomial needed to be specified, we write Twine -80 or Twine Z6+Z+1. The exact values are listed at Table 3 [2]. 14 | P a g e Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 Fig.1: Round Function of Twine [2] Table 1: S-box (hexadecimal) [2] X S(X) 0 C 1 0 2 F 3 A 4 2 5 B 6 9 7 5 8 8 9 3 A D B 7 C 1 D E E 6 F 4 Table 2: Block Shuffle and -1[2] j [j] 1[j] 0 5 1 1 0 2 2 1 11 3 4 6 4 7 3 5 12 0 6 3 9 7 8 4 8 9 10 11 12 13 14 15 13 6 9 2 15 10 11 14 7 10 13 14 5 8 15 12 Table 3: Round Constant [2] i CONi i CONi 1 01 19 0F 2 02 20 1E 3 04 2 3C 4 08 22 3B 5 10 23 35 6 20 24 29 7 03 25 11 8 06 26 22 9 0C 27 07 10 18 28 0E 11 30 29 1C 12 23 30 38 13 05 31 33 14 0A 32 25 15 14 33 09 16 28 34 12 17 13 35 24 18 26 36 0B Table 4: Test Vector (hexadecimal) [2] key length key plaintext ciphertext 80-bit 00112233 44556677 8899 01234567 78ABCDEF 7C1F0F80 B1DF9C28 Algorithm 2.2: Twine key schedule – 80 (K (80), RK (32×36)) WK (80) K WK 0(4) || WK 1(4) || … || WK 18(4) || WK 19(4) WK RK10(4) WK1, RK11(4) WK3 , RK12(4) WK4 , RK13(4) WK6, RK14(4) WK13 , RK15(4) WK14 , RK16(4) WK15 , RK17(4) WK16 RK1(32) RK10 || RK11 || … || RK16 || RK17 for i 2 to 36 WK1 WK1 ⊕ S(WK0) , WK4 WK4 ⊕ S(WK16) WK7 WK7 ⊕ 0||CONi-1H , WK19 WK19 ⊕ 0||CONi-1L do Tmp0 WK0 , Tmp1 WK1 , Tmp2 WK2 , Tmp3 WK3 for j 0 to 3 WK j*4 WKj*4+4 , WK j*4+1 WKj*4+5 do WK j*4+2 WKj*4+6 , WK j*4+3 WKj*4+7 WK16 tmp1 , WK17 tmp2 , WK18 tmp3 , WK19 tmp0 RKi0 WK1 , RKi1 WK3 , RKi2 WK4 , RKi3 WK6 , RKi4 WK13, RKi5 WK14 , RKi6 WK15 , RKi7 WK16 RKi(32) RKi0(4) || RKi1(4) || … || RKi6(4) || RKi7(4) RK(32×36) RK1(32) || RK2(32) || … || RK35(36) || RK36(32) [2] 15 | P a g e 3. High Level Synthesis HLS produces register-transfer level designs from behavioural characteristics in an automatic procedure. A high-level synthesis system which realizes design automation for such a data path needs the following two steps: 1) A high-level synthesis system should prepare a draftsman with more than one possible design options for a given behavioural specification. Thus a designer can choose the optimum design between the options based on several criteria. 2) In order to attain the necessity(1), a high level synthesis systems gives more exact information on performance, area and power wastage for each design options. Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 Table 5: Truth Table I/O No. 0 Input (abcd) Output (wxyz) 0000 1 0001 2 0010 3 0011 4 0100 5 0101 6 0110 7 0111 8 1000 9 1001 A 1010 B 1011 C 1100 D 1101 E 1110 F 1111 1100 0000 1111 1010 0010 1011 1001 0101 1000 0011 1101 0111 0001 1110 0110 0100 Fig.2: Simulation Results High-level synthesis is similar to software compilation transposed to the hardware scope. HLS two sub-sections: 1. Synthesis of S-box layer, 2. Synthesis of data processing part. In view of the tools automate the process that generates RTL architecture from an algorithmic behavior of the original characteristic [8]. S-box table presented in Section 2, Truth table can be used for inputs and outputs are presented in Table 5. To start the simulation and synthesis steps, we have chosen Twine-80 algorithm. According to section 2, it is explicit that data block length = 64 bit, key length = 80 bit and rounds = 36. Also, an example of this type of algorithm is considered in Table 4. At first, we’ve written VHDL code of Twine-80 algorithm for above example and simulated it in As well as it is explicit that according to the truth table proposed in table 5, we can write some relations between inputs and outputs based on the sum of products (minterms) as follows: W = a'b'c'd' + a'b'cd' + a'b'cd + a'bc'd + a'bcd' + ab'c'd' + ab'cd' + abc'd = a'b'd' + ab'd' + bc'd + a'b'cd + a'bcd' = b'd' + bc'd + a'c (b⊕d) (1) Modelsim software. Simulation results are shown in Figure 2. According to this figure, it is clear that X = a'b'c'd' + a'b'cd' + a'bcd + ab'cd' + ab'cd + abc'd + abcd' + abcd = a'b'd' + ab'c + abc + abc'd + a'bcd = ac + a'b'd' clock, plaintext and key are considered as input + bd (a⊕c) (2) parameters and ciphertext is considered as an output parameter. The clock for this simulation is selected 100 KHz. Then due to the structure of the Twine encryption algorithm, synthesis can be divided into Y = a'b'cd' + a'b'cd + a'bc'd' + a'bc'd + ab'c'd + ab'cd + abc'd + abcd' = a'b'c + a'bc' + ab'd + ab (c⊕d) (3) Z = a'b'cd' + a'bc'd + a'bcd' + a'bcd + ab'c'd + ab'cd' + ab'cd + abc'd' = ab'd + b'cd' + a'bc + bc' (a⊕d) (4) 16 | P a g e Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 Regarding the logical relations obtained, data flow step, we are designed hardware required to run the graph can be drawn for S-box. Allocation of S-box that depicted in Figure 4. This hardware operational and storage units and interconnections includes 17Muxes, 3ALUs and 3 standard Registers are a subset of the allocation process. Choosing each and type of the library from operation units that used to sequencer for this hardware is shown in Figure 5. perform the desired operation is process of resource This sequencer includes two AND gates, one allocation. Memory units employed for storing data counter and a very simple controller. According to values. It should be considered that in allocation and the number of control steps, counter determines binding steps, a specific hardware can be used to which outputs of the controller are ‘0’and which are perform several operations, so we've used a concept ‘1’. Sequencer gives necessary instruction execution called resource sharing. Data Flow Graph (DFG) for time of the hardware. Sequencer unit parameters for the S-box is drawn and efficient state for scheduling, this hardware are summarized in Table 6. hardware design is allocation and binding is shown in Figure 3. In next a NOT b ALU 1 NOT c ALU 2 NOT ALU 3 CS 1 b d b a' XOR ALU 3 d c' b' NOT AND ALU 1 c' ALU 2 CS 2 a' REG c AND d ALU 3 b d' AND ALU 1 d AND ALU 2 CS 3 b' AND ALU 2 OR ALU 2 a' d' AND ALU 1 REG REG b' AND ALU 3 AND ALU 3 CS 4 a d' c XOR ALU 1 AND ALU 1 CS 5 a OR ALU 2 AND ALU 3 OR ALU 3 c REG CS 6 a b AND a W ALU 2 b' AND ALU 1 CS 7 c REG d d XOR ALU 2 AND ALU 1 OR ALU 3 CS 8 a' AND ALU 2 REG b AND ALU 1 AND ALU 1 b'd' X c AND ALU 3 CS 9 ab'd c' OR ALU 2 OR ALU 3 CS 10 a'b' REG a c AND ALU 1 REG d XOR ALU 3 AND ALU 3 a'b c AND ALU 2 REG CS 11 bc' OR ALU 1 OR CS 12 OR ALU 2 OR ALU 3 CS 13 Y Z Fig.3: Scheduling, Allocation and Binding for S-box 17 | P a g e ALU 2 efficient. Designed Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 a c' bc' b d b' S0 S1 0 1 2 3 MUX 1 a'b ab' a'b' S0 S1 0 1 2 3 MUX 3 S0 S1 b' S0 S1 0 1 MUX5 b c 0 1 2 3 MUX 2 a'b'c S0 d' a' a'c b'd' c a4 a'b' b' d a7 S0 S1 S0 0 1 2 3 S1 MUX 6 c d c (c d)a6 0 1 2 3 MUX 7 a6 a9 a S0 S1 0 1 2 3 MUX 12 a3 ac ab'd S0 S1 0 1 2 3 MUX 8 a'b'c+a5 a2 S0 S1 0 1 2 3 MUX 9 a'bc a'b a8 S0 S1 S0 0 1 2 3 S1 MUX 14 a d a a'bc+a2 S0 S1 0 1 2 3 MUX 10 S0 S1 0 1 2 3 MUX 11 S0 S1 0 1 2 3 MUX 16 a5 0 1 2 3 MUX 4 d a'ca1 a1 a'ca1+b'd' ALU 1 0 1 2 3 MUX 17 a d REG 3 a6 a7 a8 a9 MUX 1 MUX 2 MUX 3 MUX 4 MUX 5 MUX 6 MUX 7 MUX 8 MUX 9 Fig.4: Hardware Design Clock Ready 1 Ready 2 Ready 3 C0 C1 C2 C3 C0 Input C1 Counter Reset C2 Controller C3 MUX 10 MUX 11 MUX 12 MUX 13 MUX 14 MUX 15 MUX 16 MUX 17 Fig.5: Sequencer Unit 18 | P a g e Start 1 Start 2 Start 3 REG 1-IN REG 1-OUT REG 2-IN REG 2-OUT REG 3-IN REG 3-OUT Z (a d)bc' b'd'c+ab'd b'd'c X (a c)a7 (a c)a7+ac a'b'd' a'b' a5 a'c a4 0 1 2 3 MUX 15 bc' b'd'c (a d)bc' bd ab'd (c d)a6+a9 ab REG 2 a3 d' c' Y a'bc+a2 a2 a'bc (c d)a6+a9 a1 (c d)a6 W REG 1 a'bc' a c ALU 3 c d ab a'ca1 a'ca1+b'd' bd b d b' ab' a'b'c a'bc' a'b a'b'c+a5 ab'd ac a c b'd' bc'd a' bc' bc'd d' 0 1 2 3 MUX 13 (a c)a7 b'd' (a c)a7+ac S0 S1 ALU 2 a'b'd' b d ab'd+b'd'c S0 S1 a' Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 Table 6: Sequencer Unit Parameters MUX 4 (S1S0) 1 0 0 0 0 0 0 0011 1 1 1 1 0 0 0 0 0 0100 1 1 1 0 1 1 0 1 0 0101 1 1 1 0 0 0 0 0 0 0110 1 1 1 1 0 0 1 0 1 0111 1 1 1 0 0 0 0 0 0 1000 1 1 1 0 1 1 0 0 0 1001 1 1 1 0 0 0 1 1 0 1010 1 1 1 0 0 0 0 0 0 1011 1 1 1 1 0 1 0 1 0 1100 1 1 1 0 1 0 1 0 0 1101 0 1 1 0 0 0 0 0 1 × 0 × 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 × × × RESET 1110 Xi2j RKij XOR MUX 17 (S1S0) MUX 3 (S1S0) 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 × × × × MUX 16 (S1S0) MUX 2 (S1S0) 1 × × 0 0 0 1 1 0 1 1 1 1 × × 0 1 × × 0 0 1 1 × × × × MUX 15 (S1S0) MUX 1 (S1S0) 0010 0 0 0 1 1 0 1 1 0 0 0 0 0 0 × × 0 1 × × × × × × × × MUX 14 (S1S0) REG 3 OUT 0 MUX 13 (S1S0) REG 3 IN 0 MUX 12 (S1S0) REG 2 OUT 0 MUX 11 (S1S0) REG 2 IN 0 MUX 10 (S1S0) REG 1 OUT 0 MUX 9 (S1S0) REG 1 IN 0 MUX 8 (S1S0) Start 3 1 MUX 7 (S1S0) Start 2 1 MUX 6 (S1S0) Start 1 1 MUX 5 (S0) Control Steps (C3C2C1C0) 0001 0 0 0 0 0 0 0 1 1 0 1 1 0 0 × × × × × × × × × × × × × × 0 0 0 0 0 1 1 0 1 1 × × 0 0 × × × × × × × × × × 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 1 × × × × × × 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 × × × × × × 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 × × 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0 × × 0 0 0 1 1 0 1 1 × × × × 0 0 × × × × × × × × × × 0 0 0 1 0 1 1 0 1 1 × × × × × × × × 0 0 × × × × 0 0 × × 0 0 0 0 0 0 0 0 0 1 1 0 0 0 1 1 × × × × × × × × 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 1 × × 0 0 × × × × 0 0 × × 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 × × 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 i 1 + ALU 1 CS 1 ALU 2 ''100100'' S-box COM < CS 2-14 Xi2j+1 XOR CS 15 Xi2j+1 ALU 1 Yes No REG (i<36) REG (i=36) End of Encryption Fig.6: Scheduling, Allocation and Binding for Data Processing 19 | P a g e Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 Table 7: Implementation Result Resource Available Utilization (%) Register 122880 346 1% LUT 122880 419 1% Slice 30720 131 1% IO 960 64 6% BUFG 32 7 21% In next step, for synthesize data processing part, flexibility of the algorithm used in various according to the before step and the keys obtained in applications and environments, data and key length each round, the efficient state of scheduling for data can be selected with different sizes. In Twine-80, processing is depicted in Figure 6, that in each due to having too few resources as shown in our control step, we have needed just 3 ALUs and 1 implementation results, it is very suitable for Comparator. Encryption function is done in 15 lightweight application and embedded systems. control steps, so that whole encryption operation is performed in 36×15 = 540 CS. A noteworthy point References in Figure 6 is that comparator can be used in one of [1] CD Cannière, O Dunkelman, and M Kneževi´c. the steps 2 to 14 according to view of designer. KATAN and KTANTAN - A Family of Small and Efficient 4. Implementation Hardware-Oriented Block Ciphers. Springer-Verlag, [In CHES 2009, Lecture Notes in The Xilinx synthesis technology synthesizes VHDL Computer Science] 2009; 5747: 272–88. code to make Xilinx files with .ngr and .ngc [2] T Suzaki, K Minematsu, S Morioka, and E extensions after the functional simulation [18].We Kobayashi. TWINE: A Lightweight, Versatile implemented the Twine-80 algorithm using Xilinx Block ISE development tools on FPGA model Virtex-5 Shimonumabe, Nakahara-Ku, Kawasaki, Japan, XC5VFX200T. The results and resource utilization 2012. is hardware [3] K Shibutani, T Isobe, H Hiwatari, A Mitsuda, T implementation illustrates that the algorithm can be Akishita, and T Shirai. Piccolo: An Ultra- implemented with very small area requirements Lightweight Blockcipher. Sony Corporation 1-7-1 (practically 131 number of slices and 419 number of Konan, Minato-ku, Tokyo, Japan 2011; 108-0075. Look Up Tables). [4] M Zwolinski. Digital System Design with presented in Table 7. This Cipher. NEC Corporation, 1753 VHDL. 2ndEdition 2004. 5. Conclusion [5] GD Micheli. Synthesis and optimization of In this paper, we have described, synthesized and digital circuits 1994. implemented a lightweight block cipher Twine, [6] E Vahedi, VWS Wong, IF Blake. An Overview which has 64-bit block and 80 or 128- bit key. of Cryptography. Chapter 5, University of British Twine's algorithm is a lightweight flexible algorithm Columbia, Canada 2014. for using in RFID systems and wireless sensor [7] R Beaulieu, D Shors, J Smith, ST Clark, B networks (WSNs) and deployment capabilities in Weeks, L Wingers. The simon and speck of many other applications as well. Due to the lightweight block ciphers. National Security Agency 20 | P a g e Ali Nemati et al. / International Journal of Engineering and Technology Science (IJETS) 3 (1): 13-21, 2015 9800 Savage Road, Fort Meade, MD 20755, USA Cryptography Implementations. IEEE Design & 2013. Test of Computersm 2007; 24(6): 522-533. [8] P Coussy, A Morawiec. High Level Synthesis [20] W Zhang, Z Bao, D Lin, V Rijmen, B Yang. from Algorithm to Digital Circuit. Springer 2008. RECTANGLE: A Bit-slice Ultra-Lightweight Block [9] D Hong, J Sung, S Hong, J Lim, S Lee, B Koo, Cipher Suitable for Multiple Platforms. State Key C Lee, D Chang, J Lee, K Jeong, H Kim, J Kim, S Laboratory of Information Security, Institute of Chee. HIGHT: A new block cipher suitable for low- Information Engineering, Chinese Academy of resource device. CHES’06, LNCS 4249, Springer- Sciences, Beijing, P. R. China and KU Leuven, Verlag 2006; 46–59. ESAT/COSIC and iMinds; Kasteelpark Arenberg [10] G Leander, C Paar, A Poschmann, K Schramm. 10, Leuven, Belgium 2014. New lightweight DES variants. FSE’07 LNCS 4953, [21] M Kumar, SK Pal and A Panigrahi. FeW: A Springer-Verlag 2007; 196–210. Lightweight Block Cipher. Scientific Analysis [11] A Bogdanov, L Knudsen, G Leander, C Paar, A Group, DRDO, Delhi, INDIA, Department of Poschmann, M. J. B. Robshaw, Y Seurin, C Mathematics, University of Delhi, INDIA 2014. Vikkelsoe. PRESENT: An ultra-lightweight block cipher. CHES’07, LNCS 4727, Springer-Verlag 2007; 450–466. [12] FIPS. Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197. [13] FIPS. Data Encryption Standard. Federal Information Processing Standards Publication 46. [14] M Hell, T Johansson, A Maximov, W Meier. The Grain family of stream ciphers. New Stream Cipher Designs, The eSTREAM Finalists, LNCS 4986, Springer 2008; 179–190. [15] CD Canniere, B Preneel. Trivium. New Stream Cipher Designs, The eSTREAM Finalists, LNCS 4986, Springer 2008; 244–266. [16] T Isobe. A single-key attack on the full GOST block cipher. FSE’11, LNCS 6733, 2011; 290–305. [17] AJ Menezes, PC Van Oorschot and SA Vanstone. Handbook of Applied Cryptography. CRC Press 2001; 202-203. [18] Xilinx, Inc. Virtex-5 User Guide, available at www.xilinx.com. [19] T Eisenbarth, S Kumar, C Paar, A Poschmann and L Uhsadel. 21 | P a g e A Survey of Lightweight