This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <

Implementation of a New Lightweight

Encryption Design for Embedded Security
GAURAV BANSOD, NISHCHAL RAVAL, NARAYAN PISHAROTY

Abstract Lightweight cryptography is an interesting field

that strikes the perfect balance in providing security, higher
throughput, low power consumption and compactness. In recent
years, many compact algorithms like PRESENT, CLEFIA, SEA,
TEA, LED, ZORRO, Hummingbird and KANTAN have made
the mark to be used as lightweight crypto engines. In this paper,
we present the design of a new lightweight compact encryption
system based on bit permutation instruction GRP (group
operation) which is widely studied and extensively researched. By
using the S-box of PRESENT, we have added the confusion
property for GRP, because all the existing algorithms using bit
permutation instructions do not have this confusion property. By
comparing the existing S-boxes of compact algorithms and its
cryptanalysis, a new hybrid system is proposed in this paper that
provides more compact results in terms of both memory space
and gate equivalents. A hybrid cryptosystem which consists of
GRP and S-box of PRESENT is designed and implemented on a
32 bit processor. This fusion has resulted in a lightweight cipher
that is the most compact implementation, till now, in terms of
memory requirement. We have tested and verified this on an
LPC2129 processor. Various S-boxes of recently used lightweight
algorithms such as PRESENT, CLEFIA are designed and
analyzed to create a perfect fusion that should be resistant to
attacks. By using the S-box of PRESENT, it helps in further
reducing the gate complexity. This hybrid model results in 2125
GE (Gate Equivalents) which is better than other light variant
models like DESXL, CLEFIA and AES. Moreover, GRP
properties are very helpful not only to attain the desired
avalanche effect but also, as it results in a compact
implementation in hardware. This paper proposes a novel
approach that will have a positive impact in the field of
lightweight encryption protocols.
Index Terms Lightweight cryptography, PRESENT, GRP,
Embedded Security, Encryption, Bit permutation

I. INTRODUCTION

he increasing use of pervasive devices in the field of

electronics has raised the concerns about security. In
embedded applications, implementing a full-fledged
cryptographic environment would not be practical because of
the constraints like power dissipation, area and cost. Due to
these constraints, the focus is on using lightweight

cryptography that needs as less memory space as possible. The

main criterion for the lightweight cipher is to have less
memory space and that which would result into a less Gate
Equivalent (GEs) count for an efficient hardware
implementation without compromising the requirement of
strong security properties. An ISO/IEC standard on
lightweight cryptography requires that the design be made
with 1000-2000 gate equivalents (GEs) [1]. RFID tags may
have 1000-10000 GEs out of that only 300-2100 GEs would
be available for security aspects [2]. Many algorithms have
been designed in the past few years and implemented in the
field of pervasive computing. For security applications, total
GEs available would be approx 2000-3000. Block ciphers
should be limited to less GEs in order to fit in lightweight
applications. Ciphers like AES [3], DES [4][5] would result in
high GEs that make them infeasible for small scale real time
applications. Light variants of DES such as DESL [6], DESXL
[7] have been proposed by slightly modifying the algorithms,
by reducing the S-boxes and by using key whitening to
increase security levels. These lightweight versions consume
around 2200 GEs for encryption. Alternative to this approach
of modifying an existing block cipher and to have an efficient
hardware model, is an entirely new structure that has been
designed called PRESENT. PRESENT is a Substitution
Permutation network based on 80 bit or 128 bit key size and
64 bit block size. PRESENT [8] is a block cipher with 31
rounds and its various variants need 2520 to 3010 GEs to
provide adequate security levels. PRESENT [8] is also
available for ultra small applications with 1000 GEs.
PRESENT is one of the leanest lightweight algorithms
designed and one that has obtained the ISO/IEC standard for
lightweight cryptography. CLEFIA [9][10] is one more
compact algorithm developed by SONY to achieve less GEs
and has two confusion and two diffusion properties that results
in a higher memory requirement. For small devices like RFID,
few lightweight cryptographic algorithms, mostly block
ciphers, have been published like HIGHT [11], mCrypton
[12], SEA [13], TEA [14] and ICEBERG [15]; and these are
summarized in TABLE 1 with respect to their GEs. Most of
these algorithms result in more than 2300 GEs which is the
major limitation for their use in ultra small applications.

Copyright (c) 2013 IEEE. Personal use of this material is permitted.

However, permission to use this material for any other purposes must be
obtained from the IEEE by sending a request to [email protected].
GAURAV BANSOD, NISHCHAL RAVAL and NARAYAN
PISHAROTY are with the Department of Electronics and
Telecommunication, Symbiosis Institute of Technology, Symbiosis
International University, Lavale, Pune, 412115, Maharashtra, INDIA
(E-mail:
[email protected],
[email protected],
[email protected]).

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <

TABLE 1
COMPARISON OF LIGHTWEIGHTED ALGORITHMS

Lightweight
Algorithm
HIGHT

Block
Size
64

mCrypton

64

SEA
TEA
ICEBERG
CLEFIA
PRESENT

96
64
64
128
64

Key
Length
128

3048

64
96
128
96
128
128
128
128

2420
2681
3758
3758
2355
7732
2488
1884

GEs

In the cryptographic environment, there are two types of

instructions, one is the SP-network (Substitution
Permutation network) like AES, PRESENT, etc. and other is
the Feistel network like TEA, XTEA, etc. In this paper, we
have focused on SP-network only, as they provide good
resistance against most of the attacks. Stream ciphers are also
widely studied in the cryptographic environment because of its
faster execution, but they are susceptible to attacks compared
to SP network block ciphers. CLEFIA [9][10] is a generalized
Feistel structure with a substitution box. The disadvantage of
generalized Feistel structure is that it requires larger number of
rounds to make the cipher secure, as the input block size is
divided in greater than or equal to three sub blocks. We
therefore have implemented SP network block ciphers and
ciphers that are based on Generalized Feistel network like
CLEFIA on the same platform that is LPC2129, so that
comparison would be easy with our design of PRESENTGRP.
The aim of this paper is to describe the results of a design of
a compact cipher with adequate security for applications like
pervasive computing. Our research work focuses on a compact
hardware implementation of the cipher. Bit permutation
instructions are efficient in such kind of implementations and
they are complex in nature which gives them an edge in
cryptographic environment. Bit permutations are popularly
known to be used in permutation block known as diffusion
property. We have carefully studied the properties and security
aspects of bit permutation instructions like GRP [16] and
OMFLIP [17]. Among all bit permutation instruction GRP
proved to be an efficient instruction in terms of cryptographic
properties, memory size and total number of gate counts. Bit
permutation instructions are widely studied and currently
supported by all word oriented processors. GRP is an
extensively researched instruction set, its cryptanalysis is well
known, and many attacks have been tried in the past on bit
permutation instructions. GRP is known for fast bit
permutation [16]. Alternative to bit permutation is a simple
look up table, but permutation operations are far better than a
look up table. A Look up table typically requires nearly 23
numbers of instructions for a 64 bit permutation while GRP
does the permutation in only six lines of instructions which is
mentioned in Table 1. Lookup tables have large footprint area
thus increases GEs. GRP is complex in nature that makes it

more suitable for cryptographic environment as compared to

operations like shifting, multiply or addition. GRP is suitable
specifically for encryption in an application like remote sensor
continuously encrypting data and sending it to a server
location [16]. Moreover, GRP has good differential properties
because the paths of data bits totally depends on control bits
applied to the structure. Change of even a single control bit
will cause all the data bits to change at the output [16]. This
property helps to achieve desired avalanche effect and makes
design more robust against attacks. Algorithms like DES
[4][5], SERPENT [18] and TWO FISH [19] use bit
permutation instructions in their operations which helps to
resist against linear and differential cryptanalysis. Bit
permutation instructions lack confusion property that is an Sbox. According to Shannon having only the diffusion property
is not sufficient to provide a secure cipher [20]. GRP uses
subword permutation that not only does permutation
efficiently but also accelerates the software cryptography [16].
We have implemented lightweight algorithms on LPC2129
(ARM 7) processor because it has many features which are
suitable for small scale embedded applications.
II. GRP: A BIT PERMUTATION INSTRUCTIONS
As described earlier GRP [16] is one of the most
complicated bit permutation instructions that make it an
obvious choice to be used in cryptographic environment. GRP
performs n bit permutation with log2(n) steps while other
instructions take O(n) steps [16]. Research in this field and
papers [18] [22] have shown the increased strength of cipher
RC5 by introducing GRP instructions. GRP scales very
efficiently to 2n bits on n bit system by using instruction Shift
right pair instruction (SHRP) in PA, RISC and in IA-64
processors [23][24]. Table look up is an alternative to bit
permutation instructions, but it is much slower as it takes 16
cycles on a superscalar processor for the scheduling of
permutation instructions, while GRP does it in only 8 cycles.
By loading control bits, GRP requires 13 numbers of
instructions while a table lookup
needs 31 numbers of
instructions. Table 2 shows the comparison of GRP with Table
lookup on various parameters that shows the edge GRP has
over a table look up, in terms of memory space and execution,
which are the most important aspects in lightweight
cryptography.
TABLE 2
COMPARISON OF GRP WITH TABLE LOOKUP

Maximum no. of
instructions for 64 bit word
size permutation
Maximum no. of
instructions for 128 bit word
size Permutation
No. of cycles for scheduling
of permutation instructions
on Super Scalar processor
Maximum number of
instructions for permuting
64 bit with control bits

Table
LOOK UP

GRP

23

47

16

31

13

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
Memory requirement for 64
48
16 kb
bit permutation
bytes
Paper [16] shows key generation by GRP achieving
tremendous speed because most of the permutation
instructions exist in this block.

where P = 32, C value will be 2 and for last stage P = 1, C

value will be 64 which means we will be having 64
combinations of single pair. Fig. 2 represents block diagram
for 128 bit encryption by using GRP. Algorithm for
encrypting 128 bits by using above mentioned variables is
mentioned below:

III. GRP IMPLEMENTATION

Papers [16][25] shows various implementations of GRP at
hardware and at software levels. In this paper, we have
achieved implementation of 128 bit key generation and
encryption. The algorithm is explained in paper [16].
GRP algorithm can generate the different keys at different
rounds from a given integer sequence. Key generation for
respective integer sequence is illustrated with an example in
paper [16]. GRP 128 bit permutation is designed by us, and
implemented on 32 bit processor LPC2129, where the user has
to give an 128 bit input and GRP performs the exact same
operations for 128 bits which is performed for an 8 bit
encryption in Fig. 1. It is a universal design which generates
codewords for n integers. Fig. 1 indicates the basic GRP
encryption operations in terms of AND, OR and NOT gates.
In Fig. 1, key register generates the key according to GRP
algorithm [16], that is based on the user defined integer
sequence and that key is applied as codeword to each of the
permutations to do the encryption. In this paper, 128 bit
encryption is designed and performed based on bit
permutation instructions. The algorithm and the steps involved
while deigning permutation box by using GRP are outlined
below:

for (i=0; i<n; i++)

{
for (j=0; j<P; j++)
{
for (k=0; k<C; k++)
{
temp = x [(2*P*k) + j];
x [(2*P*k) + j] = x [(2*P*k) + j + P];
x [(2*P*k) + j + P] = temp;
}
}
P/=2;
C*=2;
}

Fig. 2: Block diagram for 128 bit GRP Permutation with key generation

IV. LIGHTWEIGHT CRYPTOGRAPHY

Fig. 1: GRP implementing encryption for 8 bit

In a scenario, let us assume that the input is a plain text with

a bit length w = 128 that needs to be permuted with the help of
GRP. To permute 128 bits, the operation needs total 7 stages
as 27 = 128 bits. 7 stages means GRP 128 will perform up to 7
rounds as 27= 128. Similarly, for 64 bit and 8 bit permutations,
we need total of 6 and 3 stages, respectively. Fig. 1 indicates 8
bit permutation. w indicates word length and n indicates
number of stages, where 2n = w. P = w/2 indicates pairing bits
in which if word length is 128 bits then P value will be 64
which depicts in the first stage of permuting 128 bits, first
group is the 0th bit and 64th bit second will be 1st and 65th bit,
third group will be 2nd and 66th bit and similarly last will be
63rd and 127th bit. C represents combination of pairing bits.
For example, for P = 64, C value will be 1, for second stage

Internet of things (IOT) is one of the most discussed topics

today in the digital world. Focus area of researchers is to
implement lightweight design to avoid high power dissipation
and large memory requirement. RFID tag is one of the fastest
growing technologies that would be useful in IOT [1][2]. To
provide a security at RFID level, there is need to have a
lightweight cryptoalgorithm whose coverage area would be
nearly 2100 GE. The standard algorithm like AES [3], DES
[4][5] have huge memory requirement and would not be
feasible to be implemented for embedded system design.
Many lightweight algorithms have been designed in the past
and various attacks have been proven on them. Two of
algorithms that got adopted as the ISO/IEC (29192-2P:2012)
standards for lightweight cryptography are PRESENT [8] and
CLEFIA [9][10]. In this paper, that is the reason why, we have
discussed and implemented PRESENT and CLEFIA rather
than TEA, SEA, XTEA, HIGHT. Various implementations of
PRESENT and CLEFIA have been designed in the past to be
fitted in a small area, which means with a very less gate count
and less memory requirements. In this paper, we too have
implemented a structure of PRESENT and CLEFIA on
LPC2129 to figure out memory requirements. PRESENT [8]
and CLEFIA [9][10] have shown resistance to different
attacks when we analyzed differential and linear cryptanalysis
of them, from various papers [8][9,10]. These lightweight
ciphers can perform encryption well with adequate security
levels of key size of at least 80 bits. Fig. 3 shows block
diagram for PRESENT.

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <

and it requires higher number of GEs overall which is shown

in Fig. 10. SEA is based on Feistel structure.

Fig. 3: Block diagram of PRESENT

In this paper, the algorithm of PRESENT with 64 bit block

size and key size of 128 bits is coded in embedded C with Keil
4.0 simulator and results are verified and tested on 32 bit
processor. PRESENT structure is Substitution and
Permutation (SP) design which consists of S and P layer and
consists of 31 rounds. In this paper, separate analysis is done
for S-box as well as for P-box. For this, we referred papers
[8][26], S-box of PRESENT is resistant to brute force attack
and has shown good resistance against linear and differential
cryptanalysis. Similarly, CLEFIA is also designed and
implemented on 32 bit processor (LPC2129) which is based
on Feistel network. Table 3 shows memory requirement for
PRESENT and CLEFIA. This result was verified on 32 a bit
processor by using KEIL 4.0 simulator. E denotes encryption
and D denotes decryption.

Fig. 4: S-box comparison over memory requirement

Fig. 5 shows execution time of S-boxes of algorithms like

PRESENT [8], CLEFIA [9][10], KLEIN [27], PRINCEcore
[28] and SEA [13]. These all algorithms are implemented on a
32 bit processor in order to compare different S-boxes and
their execution times. We studied and implemented them
individually and have made a comparison to understand their
relative compactness over memory space and execution time.

TABLE 3
PRESENT AND CLEFIA MEMORY REQUIREMENT

Algorithm

PRESENT

CLEFIA

Memory Size
(in Bytes)
Flash
RAM
Memory Memory

Key
Size

E/D

128
bit
128
bit
128
bit
128
bit

3200

1320

3252

1384

4708

1256

4880

1256

It is clearly evident from Table 3 that CLEFIA has higher

memory requirement than PRESENT. CLEFIA consists of
two confusion and two diffusion properties while PRESENT
has only one confusion property and one diffusion property.
V. THE IMPLEMENTATION OF E XISTING CIPHERS ON A
PROCESSOR
In this paper, separate S-boxes of PRESENT and CLEFIA
are designed and compared to study the lightweight model.
Fig. 4 shows comparison of S-boxes of PRESENT, CLEFIA
and other lightweight ciphers on LPC2129 (32 bit processor)
in terms of memory requirement. It is clearly seen from figure
4, that the S-box of PRESENT is quite compact in nature as
compared to other lightweight ciphers excluding SEA. Flash
memory needed for S-box of PRESENT is nearly half of the
memory requirement of S-box of CLEFIA. SEA emerges as a
most compact cipher due to use of 3 bit S-box. SEA does the
small encryption routine efficiently with a limited throughput

Fig. 5: S-box comparison over execution time

VI. NEW HYBRID CRYPTOSTRUCTURE, IMPLEMENTATION AND

COMPARISON
After studying carefully properties of bit permutation
instructions like GRP [16], OMFLIP [17], CROSS [29], we
found that GRP has an edge over all other bit permutation
instructions and is useful in accelerating cryptographic
implementations. GRP does the fast bit permutation with less
memory space and its complex structure makes it an attractive
choice in cryptographic algorithms over instructions like
multiply and rotate [16]. The disadvantage of bit permutation
instruction is that it lacks an S-box, which is the most
essential ingredient in designing secure block ciphers. This
element directed our attention towards lightweight
cryptographic algorithms and we carried out many
experiments and studied the properties of algorithms like
PRESENT [8], CLEFIA [9][10], DES [4][5], AES [3], SEA
[13], TEA [14] and KANTAN [30][26][31].
As stated the aim of this paper is to present the design of a
compact cipher with adequate security for applications like
pervasive computing. In this paper, we present results of our

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
research work which focuses on the compact hardware
implementation of a cipher. Bit permutation instructions are
efficient in such types of implementations. Bit permutation
instructions are complex in nature, and that gives them an
edge in the cryptographic environment. The well known
cipher like DES is also implemented with the help of bit
permutation instructions but falls prey to attacks because of
short key lengths. Among all bit permutation instructions,
GRP proved to be an efficient instruction in terms of
cryptographic properties, memory size and total number of
gate counts. OMFLIP has poor differential properties and its
structure is easily susceptible to attacks. Bit permutation
instructions are widely studied and currently supported by all
word oriented processors. We found compactness and
mapping interface of GRP with PRESENT and CLEFIA. In
this paper, we present the results of implementing most of the
standard algorithms in order to identify their memory
requirements, gate equivalents and power consumption. All
standard algorithms are implemented and compared on the
same platform which is LPC2129 a 32 bit processor by NXP
(Philips).
We have implemented AES 128 bit, GRP for 128 bit and 64
bit, PRESENT for 64 bit, CLEFIA for 128 bit and DES for
128 bit block size with different key combinations of 64, 128
and 80 bits. Fig. 6 indicates memory requirement of P-box of
AES [3] and PRESENT [8] with GRP [16] and OMFLIP [17]
computed based on KEIL 4.0 simulator and LPC2129.

Fig. 6: P-box comparison of standard algorithms

In Fig. 6, OMFLIP and GRP are themselves P-boxes. They

are compared with the standard algorithms. Results from Fig.
6 clearly show GRP to be more compact in nature in terms of
memory requirements.

Fig. 7: S-box of PRESENT with P-box of lightweight algorithms

Fig. 7 shows merger of S-box of PRESENT with OMFLIP,

AES and GRP. Results clearly show that PRESENT-GRP has

much less memory requirement as compared to other hybrid
systems. LED [32] is the latest cipher which is combination of
PRESENT-AES which is also SP-network. It has 64 bit block
size and 128 bit key length. LED is faster than PRESENT in
software but it is slower in hardware. Moreover, LED
consumes high energy per bit in embedded applications which
dissipates and consumes more power.
Fig. 8 shows graphical representation of the memory size
requirements of standard algorithms on a 32 bit processor. The
hybrid module structure PRESENT-GRP needs less memory
as compared to other standard algorithms. In this hybrid
module, we have designed the permutation box (P-Box) by
using GRP for 128 and 64 bit block size. This result shows the
compactness of hybrid cryptosystem which is the combination
of PRESENT-GRP. 2980 bytes of flash memory is needed for
PRESENT-GRP while the PRESENT alone which is
lightweight compared to other structure needs 3200 bytes of
memory. CLEFIA also has higher memory requirements
which consume nearly 4708 bytes. PRESENT-GRP in Fig. 8
indicates 128 bit block size and 128 bit key generation while
PRESENT-GRP 64 indicates 64 bit block size and 128 bit key.
KLEIN [27] algorithm is also implemented on 32 bit processor
and its comparison is also shown in Fig. 8.

Fig. 8: Graphical representation of standard algorithms implemented on

LPC2129

VII. PRESENT-GRP: A NEW HYBRID LIGHTWEIGHT DESIGN

In this paper, a hybrid cryptosystem is design is discussed,
which combines the S-box of PRESENT and the P-box of
GRP, to produce a compact secure structure with adequate
security. This fusion structure has both the properties of
PRESENT-GRP and results into a tinier version than the
original algorithm PRESENT. Cryptanalysis for both the
structures is studied and analyzed properly and it shows good
resistance to linear and differential attacks. The same
PRESENT-GRP design is compared with various standard
algorithms like PRESENT [8], AES [3], DES [5] and CLEFIA
[9][10]. All these algorithms were implemented in embedded
C on the same platform. This was done so that we do not
observe any kind of artifacts due to the platform issues, either
in the results or in the comparisons. Results of all algorithms
were tested and verified through 8 bit UART module of
ARM7. An UART module was used in the design to merely
act as a demonstrator in order to verify and to be able to see

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
the encryption / decryption outputs. The baud rate for this
application was set at 9600 bps.
In PRESENT-GRP module, 64 bit / 128 bit blocks were
passed through the S-box of PRESENT and after mapping
according to PRESENT, the output was passed to the
permutation layer which performed encryption based on GRP
algorithms. Keys at each stage were applied based on key
generation method of GRP. In GRP key generation, inputs will
be the bit positions given by user, and based on that GRP
generates a sequence of 0s and 1s which serve as key to the
encryption and decryption process. GRP has very robust
mechanism of key generation which is the necessity in
cryptographic environment. GRP does the key generation as
well as encryption with fast bit permutations.
We have designed an optimized version of GRP by doing
small changes at the algorithmic level. The GRP design
presented in previous papers [25][33] need 3224 bytes of
FLASH memory. In this paper, a compressed version of GRP
is reported, a design that consumes only 3088 bytes of
memory. This optimized structure has been achieved by
reducing many arrays to just two arrays. We have designed an
entirely new logic which supports very less arrays and works
very fast as compared to existing structure. Execution time for
our design is nearly half of the old GRP design at software
level. Few observations we made during optimizing code
which are listed as follows:
Using character data type instead of integer data
type
Reduced instructions i.e. making one instruction that
can perform three operations, instead of using
three different instructions for different operations
Using local variable instead of global variable,
global variable consumes more space
Using minimum functions
Making binary to hex / hex to binary functions
instead of using Power functions (defined)
Using minimum variables as Recursive
Making complex logic for long processes
Passing only one data type into the function instead
of multiple. For example, GRP (a)
All these steps help to achieve a more optimized structure
of GRP which results in 1789 GEs for 64 bit permutation.
Table 4 shows memory requirements for past implementations
of GRP and optimized GRP design. To the best of our
knowledge, this is the most optimized design for GRP 128 bit.
TABLE 4
OPTIMIZED GRP DESIGN

Memory Size of
Old GRP 128
3224 bytes

Memory Size of
Optimized GRP128
2944 bytes

S-box of PRESENT is a very compact design that uses a

4x4 box in order to reduce gate the complexity and the power
consumption. Larger S-boxes result into high GEs that is seen
in case of DES [4][5]. The higher bit S-box has more Boolean

equations resulting in a high gate count. Moreover,

implementation of the S-box of PRESENT has low hardware
cost and less GEs.

Fig. 9: New recent lightweight algorithms implemented and compared with

PRESENT-GRP on LPC2129

Fig. 9 shows comparison of PRESENT-GRP with the latest

lightweight ciphers. LED [32] and ZORRO [34] are recent
lightweight ciphers. All ciphers in Fig. 9 are SP-network.
ZORRO is similar to the AES algorithm. ZORRO has 8 bit Sbox while others have 4 bit S-box. It has 128 bit block size
and 128 bit key. As ZORRO is having 8 bit S-box, it needs
higher GEs compared to other ciphers using 4 bit S-box.
ZORRO needs 24 rounds to secure its structure which results
in higher memory requirement as shown in Fig. 9.
Hummingbird [35] has 128 bit block size and 896 bit key
length. It is a combination of block cipher and stream cipher.
Hummingbird requires a long initialization process as
compared to block ciphers like PRESENT which introduces
latency and higher execution time. Hummingbird has less
encryption speed and its authentication mechanism is less
efficient.
A 4 bit to 4 bit S box of PRESENT needs 21 to 28 GEs
when it is implemented with UMCL18G212T3 library. Table
5 indicates the gate count of standard cell of UMCL18G212T3
library [36].
TABLE 5
GATE COUNT OF UMCL18G212T3 LIBRARY

Standard
Cell

Process

Library

Cell Name

GE

NOT

0.18m

UMCL18
G212T3

HDINVBD1

0.67

AND

0.18m

HDAND2D1

1.33

OR

0.18m

UMCL18
G212T3
UMCL18
G212T3

HDOR2D1

1.33

MUX

0.18m

UMCL18
G212T3

HDMUX2D1

2.33

For the 64 bit operation in our design, we have used 16 four

bit S-boxes of PRESENT whose output is given to GRP for
permutation. By combining PRESENT-GRP, the total gate
count needed are 2125 GEs by considering S-box gate count
as 21 [8][37]. PRESENTs S-box consumes nearly 21 GEs for

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <

a single 4 bit S-box. PRESENT-GRP gate counts results in

2125 which is less than other algorithms except for PRESENT
which is implemented based on the round based architecture
and whose gate count is 1884 [8][37].
GEs for other algorithmic design like CLEFIA [9][10],
SEA [13], TEA [14], HIGHT [11], mCRYPTON [12],
ICEBERG [15], DESX and DESXL [7] based on the specific
library functions, is computed and a comparison is made
which is illustrated in Fig. 10.

Fig. 11: Hybrid Crypto structure comparison chart

VIII. SECURITY ANALYSIS

Fig. 10: GEs comparison chart of all standard algorithms with PRESENTGRP

In this paper, we have also designed and implemented

CLEFIA-GRP, where S-box of CLEFIA is used and GRP as
permutation layer. CLEFIA-GRP is compared with
PRESENT-GRP to understand compactness of this hybrid
structures. Fig. 11 represents hybrid implementations and their
comparisons with standard lightweight design like PRESENT
and CLEFIA. In Fig. 11, PRESENT-GRP and PRESENTGRP 64 are compared with other lightweight standard
algorithms like SEA-GRP, PRINCEcore-GRP, KLEIN-GRP
and CLEFIA-GRP. The hybrid structure of PRESENT-GRP
has very less memory requirement as compared to the other
algorithms. SEA-GRP algorithm results in less memory size as
compared to PRESENT-GRP as it has 3 bit of S-Box while
others have 4 bit of S-Box. CLEFIA-GRP fusion results in
4536 bytes of flash memory requirements which depicts a
heavy cryptographic design and may not be suitable for
lightweight applications like RFID tags. Total no of GEs
available in pervasive design for security purpose would range
from 200 - 2100 GEs. Based on the GE limit, our hybrid
design is making a mark in that the GE range is consuming
less memory as compared to all the standard lightweight and
other cryptographic algorithms at the software level. Hybrid
structure, if mapped properly, always has an edge over other
structures as the structure carries good and robust property of
individual design. Paper [38] suggests combination of GRP
and DDR (Data Dependent Rotation) may show good
resistance against differential and linear cryptanalysis which is
later proved by combining RC5 and GRP [39].

One of the most important aspects in designing a block

cipher is to do cryptanalysis on it. Cryptanalysis helps us to
know whether the plain text can be derived from the cipher
text or if some of the bits in the key can be identified. The
most popular attack is brute force attack which decrypts the
text by using all possible keys. Risk of this attack can be
reduced by increasing the key size, as then the possible
combinations will be more and therefore difficult to compute.
But, these attacks need a lot of time to compute robustness.
Two properties or attacks which are of utmost importance are
differential cryptanalysis and linear cryptanalysis. Differential
cryptanalysis works on properties of a round function. For
example, consider O = A operation B, where A denotes the
bits, B denotes how to permute bits and O denotes permuted
bits and operation indicated GRP operation in this paper. In
differential cryptanalysis, the two plain texts are selected with
some difference D and it is measured by exclusive OR
operation, while two plain texts will be converted to cipher
texts with their difference as E. The pair (D, E) is known
to be differential characteristics, where E should have a
larger value than the average probability [16]. In linear
cryptanalysis, we will find a relation between certain bits of
plain text and the key that has probability p 1/2 called linear
approximation. Based on these two properties GRP is
analyzed and evaluated. Table 6 denotes the differential
characteristic of GRP [16].

TABLE 6
DIFFERENTIAL PROPERTIES OF GRP PERMUTATIONS

Operation
GRP

Type A
(es,0) et
0 < p n1/2 +
1/2

Type B
(0, et)
For any t,
E(||) = n/4

Type C
(es, et)
For any t,
E(||) = n/4

es represents n bit word that is zero except for a single one

in bit position s. Three types of permutation operation shown
in Table 6 are Type A, B and C. Type A denotes how the
single bit s is moved when the control bits are randomly
chosen and the probability determines how closely s is moved
to bit t in Z. For Type B and C, diffusion effect is compared

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <

by computing the hamming weight of output difference

[16]. A larger hamming weight represents avalanche effect
which shows good differential properties. Type A, B and C
property of GRP shows that a small change in input results
into large changes at the output; the so called avalanche effect.
E(||) represents expected value of difference when the input
sequence is random. As shown in Table 6, from Type A
property, the probability of GRP is totally depends on s and t
which has probability between 0 and 0.5. Type B and C
property of GRP bring about n/4 different output bits for any t.
For Type A characteristics, p is always 1/2n for any value of s
and t which is much smaller and can be neglected. For Type B
characteristics which are based on hamming weight, the
approximate value of O is n/4. For Type C, a single bit
difference in A does not result in too much deviation. With
these characteristics, GRP achieves the necessary avalanche
effect which makes the GRP design robust against differential
attacks. GRP shows good differential properties better than
other bit permutation instructions as data bits path is totally
dependent on control bits. Table 7 shows linear cryptanalysis
of GRP permutation instruction [16].

non linear S-box uses 4 bit structure which yields into less GE
and less power consumption. Extra properties in S-box help
PRESENT to achieve the desired avalanche effect. The
theorem which shows the effect of differential cryptanalysis
on S-box of PRSENT is that Any five differential
characteristics of PRESENT has a minimum number of ten
active S-boxes and results from papers [8][26] shows that
PRESENT has very good and compact S-box. There are 16 Sboxes of PRESENT which are divided into four groups. From
papers [8][26], the characteristics of S-box are outlined below:

TABLE 7
LINEAR APPROXIMATION OF GRP PERMUTATIONS

An advanced technique allows the cryptanalyst to remove

the outer rounds from a cipher to exploit a shorter
characteristic. However, if the attackers consider only 25
rounds out of 31 rounds, then the security bounds are still
more than the given requirement. So, over 25 rounds of
PRESENT must have at least 5 x 10 = 50 active S-boxes. The
maximum differential probability of a PRESENT S-box is 2-2
and so the probability of a single 25-round differential
characteristic is bounded by 2-100. As far as Linear
cryptanalysis of PRESENT is concerned, the interpretation
mentioned is that Let A be the maximal bias of a linear
approximation of four rounds of PRESENT, then A 1/27.
To bound the maximal bias of a 28-round linear
approximation by

Operation
GRP

Type L
(es, 0, et)
b 1/4 + 1/2n+1
Maximum with s
=t=0

Type M
(es, eu, et)
b 1/4 - 1/2n+1
Maximum with s = u
=t=0

For linear approximation, the bias is 0.5 since p is equal to

1. Linear approximation is always in the form of triplets with
the probability p. In linear approximation, Type L and Type M
compare the permutation instructions, based on the control bits
in B. Type L and Type M compare the permutation
instructions based on any control bits Y are indulged in
approximation. b in given Table 7 represent bias. Type L
shows how closely the permutation moves the bit around and
the probability of moving of As to Ot is p, then the probability
of As = Ot is 0.5 + p/2. So the bias for triplet (es,0,et) is p/2.
For GRP, the maximum bias is achieved when s = t = 0. Type
M determines how important the control bit is to determine
path of X to Z. The maximum bias for Type M is achieved at s
= t = u = 0. For GRP operation, the bias of linear
approximation is 1/4 + 1/2n+1. For n-bit GRP operations, the
bias of linear approximation p(A
B = O) is 1/4 - 1/2n+1.
Table 7 depicts GRP has some linear approximation with large
bias, but these can be considered for lightweighted
cryptography where standard algorithm like AES costs more
in terms of memory requirement and power consumption [3].
Research papers [16][18] shows that by inducing GRP in
standard block ciphers like RC5 will tremendously increase
the efficiency of a cipher with same security levels. Papers
[40][18][13] shows RC5 performance with GRP which
suggest the importance of GRP in lightweighted cryptographic
applications. RC5-GRP uses only 6 rounds to achieve THE
desire security level.
PRESENT has an edge over CLEFIA, in that it contains a
linear bitwise permutation and non linear substitution layer. A

1. The input bit to an S-box comes from 4 well defined

S-boxes of the same group.
2. The input bits to a group of four S-boxes come from
16 dierent S-boxes.
3. The four output bits from a particular S-box enter
into four well defined S-boxes, each of them
belongs to a distinct group of S-boxes in the
subsequent round.
4. The output bits of S-boxes in distinct groups will be
fed to distinct S-boxes.

26 x A7 = 26 x (2-7)7 = 2-43
Therefore, by assumption that a cryptanalyst need only
approximate 28 of the 31 rounds from linear cryptanalysis in
order to mount an attack the cipher requires 284 (286??) known
plain text / cipher text which crosses the available text limit
[8]. There are also more attacks which are proven like
structural attacks, algebraic attacks, and key schedule attacks,
other than linear and differential attacks. Some ciphers have
strong word-like structures, where the words are typically
bytes. Algebraic attacks have had better success when applied
to stream ciphers than block ciphers. Algebraic attacks and
key schedule attacks are unlikely to pose a threat to
PRESENT. These properties of PRESENT are sufficient to
resist key schedule-based attacks.
IX. CONCLUSION
Bit permutation instructions increases strength of a block
cipher by allowing them to perform any arbitrary permutations
efficiently with log(n) steps as compared to n. It performs
fast bit permutation and uses subword sorter that makes the
operation faster and can increase the throughput in

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
applications like scanning an image, performing bubble sort
and in the permutations layer in block ciphers. GRP generates
the control words faster, that which helps in increasing the
performance of many embedded systems. Block ciphers like
RC5 , RC6 use DDR instructions which make them vulnerable
to differential attacks. This further increases the number of
rounds and memory requirements. But, by replacing DDR
with GRP not only adds cryptographic strength to the cipher,
but also reduces the memory requirements and the power
consumption. GRPs have better differential and linear
cryptanalysis properties. Though they cannot completely
replace DDR, but they add strength to the block cipher by
removing the weaknesses of DDR. Other ciphers like hash
functions and stream ciphers may get benefited by one
introducing the bit permutation instructions in them. GRP
have all these good properties that provide strength in
cryptographic environment. But, it lacks S-box which is
necessary to provide a more secure design. This shifted our
focus to find a lightweighted S-box that can be mapped onto
GRP to get a secure and efficient hybrid crypto structure.
In the search for an S-box, our research got motivation from
the ISO standard for lightweight cryptography and we shifted
our focus to lightweight design. In this paper, we present the
design with a permutation box (P-box) by using GRP for 128
and 64 bit block size. Key generation is also achieved through
GRP. For designing a lightweight secure cipher, a confusion
property is a must and it should be well mapped with the
diffusion property. The fusion of S-box of various lightweight
block ciphers and P-box of GRPs were made and were
compared in terms of memory space and GEs. We have
implemented latest lightweight ciphers and interfaced them
with GRP. In order to achieve a very compact implementation
of cipher as reported in this paper, we have carefully designed
the permutation box that has resulted in a much lower gate
count. We have carefully analyzed and studied linear and
differential cryptanalysis of P-box of GRP and found it
resistant to attacks like brute force attacks. Similarly, S-box of
latest ciphers like PRESENT, CLEFIA, TEA etc, have been
considered and implemented on a 32 bit processor. We already
know that GRP design is hardware efficient and needs very
few GEs which meets requirement of security in a lightweight
cryptographic design. PRESENT is an engineered cipher
whose S-box is the most compact substitution box among all
the light variants and has good linear and differential
properties. PRESENTs S-box results in a very compact
implementation that consumes merely 21 GEs for a single 4
bit S-box. RAM and Flash memory requirements for
PRESENT-GRP implementation results in very less bytes as
compared to other lightweight algorithms and even with
PRESENT individually.
This paper proposes a novel approach by introducing a
compact hybrid system in terms of memory requirements that
is best suited for lightweight cryptographic design.

ACKNOWLEDGMENT
The authors would like to thank Symbiosis Institute of
Technology, Pune, Symbiosis International University, Pune
and Prof. Ayan Mahanolobis from IISER, Pune, and eminent
professionals from the automotive embedded domain, in Pune
for providing suggestions and valuable inputs that helped us to
carry out this research successfully. Special thanks to Axel
York Poschmann and Zhijie Jerry Shi, whose thesis and work
motivated this research and also provided us with some ideas
to carry on the work in the future.
REFERENCES
[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]
[11]

[12]

[13]

[14]

[15]

K. Finkenzeller, RFID Handbook: Fundamentals and Applications in

Contactless Smart Cards and Identification, 2003 John Wiley & Sons.
Ltd, ISBN: 0-470-84402-7.
A. Juels and S. A. Weis, "Authenticating pervasive devices with human
protocols," In Advances in CryptologyCRYPTO 2005, pages 293-308.
Springer Berlin Heidelberg, 2005.
NIST (National Institute of Standards and Technology), Advanced
Encryption Standard (AES), Federal Information Processing Standards
Publication 197, November 2000.
National Bureau of Standards (NBS), Data Encryption Standard
(DES), Federal Information Processing Standards Publication 46-2,
December 1993.
National Institute of Standards and Technology, Data Encryption
Standard (DES), FIPS 46-3. Available via http://csrc.nist.gov, October
1999.
A. Poschmann, G. Leander, K. Schramm, and C. Paar, New
Lightweight Crypto algorithms for RFID, In IEEE International
Symposium on Circuits and Systems 2007 ISCAS 2007, pages 1843
1846, 2007.
T. Eisenbarth, S. Kumar, C. Paar, A. Poschmann, and L. Uhsadel, A
Survey of Lightweight Cryptography Implementations, IEEE Design &
Test of Computers Special Issue on Secure ICs for Secure Embedded
Computing, 24(6): 522-533, November/December 2007.
A. Bogdanov, G. Leander, L.R. Knudsen, C. Paar, A. Poschmann,
M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe, PRESENT - An UltraLightweight Block Cipher, In P. Paillier and I. Verbauwhede, editors,
Cryptographic Hardware and Embedded Systems CHES 2007,
number 4727 in Lecture Notes in Computer Science, pages 450-466.
Springer-Verlag, 2007.
T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata, The 128
bit blockcipher CLEFIA," In Proceedings of Fast Software EncryptionFSE'07 (A. Biryukov, ed.), number 4593 in LNCS, pages 181-195,
Springer-Verlag, 2007.
The 128 bit blockcipher CLEFIA: Algorithm specification." On-line
document, 2007. Sony Corporation.
D. Hong, J. Sung, S. Hong, J. Lim, S. Lee, B. S. Koo, C. Lee, D. Chang,
J. Lee, K. Jeong, H. Kim, J. Kim, and S. Chee, HIGHT: A New Block
Cipher Suitable for Low-Resource Device, In L. Goubin and M.
Matsui, editors, Cryptographic Hardware and Embedded Systems
CHES 2006, number 4249 in Lecture Notes in Computer Science, pages
4659. Springer-Verlag, 2006.
L. Brown, J. Pieprzyk, and J. Seberry, LOKI - A Cryptographic
Primitive for Authentication and Secrecy Applications, In J. Pieprzyk
and J. Seberry, editors, Advances in Cryptology AUSCRYPT 1990,
Vol. 453 of Lecture Notes in Computer Science, pages 229236.
Springer-Verlag, 1990.
F. X. Standaert, G. Piret, N. Gershenfeld, and J. J. Quisquater, SEA: A
Scalable Encryption Algorithm for Small Embedded Applications, In J.
Domingo-Ferrer, J. Posegga, and D. Schreckling, editors, Smart Card
Research and Applications, Proceedings of CARDIS 2006, Vol. 3928 of
Lecture Notes in Computer Science, pages 222236. Springer-Verlag,
2006.
D. Wheeler and R. Needham, TEA, a Tiny Encryption Algorithm, In
B. Preneel, editor, Fast Software Encryption FSE 1994, Vol. 1008 of
Lecture Notes in Computer Science, pages 363366. Springer-Verlag,
1994.
F. X. Standaert, G. Piret, G. Rouvroy, J. J. Quisquater, and J. D. Legat,
ICEBERG: an involutional Cipher Efficient for Block Encryption in
Recongurable Hardware, In B. Roy and W. Meier, editors, Fast

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2014.2365734, IEEE Transactions on Information Forensics and Security

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <

[16]

[17]

[18]

[19]

[20]
[21]
[22]

[23]
[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]
[35]

[36]

[37]

Software Encryption FSE 2004, pages 279298. Springer-Verlag,

2004.
Z. Shi and R. B. Lee, Bit permutation instructions for accelerating
software cryptography, In Proceedings of the IEEE International
Conference on Application Specific Systems, Architectures and
Processors (ASAP 2000), pages 138-148, July 2000.
X. Yang and R. B. Lee, Fast subword permutation instructions using
omega and flip network stages, In Proceedings of the International
Conference on Computer Design, pages 15-22, September 2000.
R. Anderson, E. Biham and L. Knudsen, Serpent: a proposal for the
advanced encryption standard, NIST AES proposal, available at
http://www.cl.cam.ac.uk/~rja14/serpent.html, June 1998.
B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N.
Ferguson, TwoFish: a 128-bit block cipher, NIST AES proposal, June
1998.
C.E. Shannon, Communication Theory of Secrecy Systems, Bell
System Technical Journal, 28-4:656715, 1949.
A. Poschmann. "Lightweight cryptography: cryptographic engineering
for a pervasive world," In Ph. D. Thesis. 2009.
R. L. Rivest, The RC5 encryption algorithm, Fast Software
Encryption: Second International Workshop, Lecture Notes in Computer
Science, Vol. 1008, pages 86-96, December 1994.
Intel Corporation, IA-64 Application Developers Architecture Guide.
Intel Corporation May 1999.
R. B. Lee, M. Mahon, and D. Morris, Pathlength reduction features in
the PARISC architecture, In Proceedings of IEEE Compcon, pages129135, February 1992.
Gaurav Bansod, Aman G, Arunika G, Gajraj B, Chitrangdha S, Harshita
A, Experimental analysis and implementation of bit level permutation
instructions for embedded security, In WSEAS Transactions on
Information Science and Applications, 10(9): 303-312 (Scopus; ISSN:
1790-0832).
A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann,
M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe, PRESENT: An ultralightweight block cipher, In CHES, Vol. 4727 of LNCS, pages 450-466.
Springer, 2007.
Z. Gong, S. Nikova and Y. W. Law, A New Family of Lightweight
Block Ciphers, In A. Juels and C. Paar, editors, RFIDSec 2011,
Springer,
2011.
Available
via
http://www.
rfidcusp.org/rfidsec/files/RFIDSec2011DraftPapers.zip.
Borghoff, Julia, Anne Canteaut, Tim Gneysu, Elif Bilge Kavun,
Miroslav Knezevic, Lars R. Knudsen, Gregor Leander et al. "Princea
low-latency block cipher for pervasive computing applications," In
Advances in CryptologyASIACRYPT 2012, pages 208-225. Springer
Berlin Heidelberg, 2012.
X. Yang, M. Vachharajani, and R. B. Lee, Fast subword permutation
instructions based on butterfly networks, In Proceedings of Media
Processors 2000 (SPIE 2000), pages 80-86, January 2000.
G. Leander, C. Paar, A. Poschmann, and K. Schramm, A family of
lightweight block ciphers based on des suited for RFID applications, In
FSE, Vol. 4593 of LNCS, pages 196-210. Springer, 2007.
C. De Canniere, O. Dunkelman, and M. Knezevic, Katan and ktantan a family of small and efficient hardware-oriented block ciphers, In
CHES, Vol. 5747 of LNCS, pages 272-288. Springer, 2009.
J. Guo, T. Peyrin, A. Poschmann, and M. Robshaw, The LED Block
Cipher, In Cryptographic Hardware and Embedded Systems CHES
2011, LNCS, Vol. 6917/2011, pages 326-341. Springer, 2011.
G. V. Bansod, Audio Sub word sorter unit on sorter network for sense
transmission, In Proceedings 2011 IEEE International Conference on
Central System, Computing and Engineering, ICCSCE 2011 Penang,
pages 127-131, January, 2012.
J. Guo, I. Nikolic, T. Peyrin, and L. Wang, Cryptanalysis of Zorro, In
IACR Cryptology ePrint Archive, 2013, 713.
D. Engels, X. Fan, G. Gong, H. Hu, and E. M. Smith, Hummingbird:
Ultra- Lightweight Cryptography for Resource-Constrained Devices, In
Proceedings of the 14th International Conference on Financial
Cryptography and Data Security-FC, LNCS, 2010, Vol. 6054/2010,
pages 3-18, 2010.
Virtual Silicon Inc.0.18 um VIP Standard Cell Library Tape Out Ready,
Part Number UMCL18G212T3, Process: UMC Logic 0.18 um Generic
II Technology: 0.18um, July 2004.
B. Kaliski and Y. L. Yin, On differential and linear cryptanalysis of
RC5, In Advances in Cryptology Crypto95, Lecture Notes in
Computer Science, Vol. 963, pages 171-184, Springer-Verlag, August
1995.

10

[38] B. Kaliski and Y.L. Yin, On the security of the RC5 encryption
algorithm, RSA Laboratories Technical Report TR-602, available at
www.rsa.com/rsalabs/aes, September 1998.
[39] S. Devadas and S. Malik, A survey of optimization techniques targeting
low power VLSI circuits, In ACM/IEEE Conference on Design
Automation, pages 242247, 1995.
[40] Zhijie Jerry Shi, Ruby B. Lee, Bit permutation instructions:
architecture, implementation, and cryptographic properties, 2004.

Gaurav Bansod received the M.Tech.

Degree in Embedded Sytems from
Jawaharlal
Nehru
Technological
University, Hyderabad, India in 2008. He
is currently pursing Ph.D from Symbiosis
International University, Pune. He is
having total 8 years of teaching experience
and has worked with 2 to 3 Universities across India.
Currently he is also working as an Assistant Professor in
Symbiosis Institute of Technology, Pune. He has publications
in IEEE international conference and also in WSEAS
transactions on Computers. His research area includes low
power cryptographic design, embedded system and hardware
and software design.

Nishchal Raval received the B.E. Degree in

Electronics and Communication from
Babaria Institute of Technology, Varnama,
Vadodara, in 2011. He is currently studying
towards the M.Tech. degree in Electronics
and Telecommunication in Symbiosis
Institute of Technology, Pune. His research
interests are in the embedded security
system, biometric system, cryptographic design, lightweight
ciphers and embedded automotive system.

Narayan Pisharoty received B.E. degree

from IIT Bombay in 1966, M.Tech. degree
from IIT Kanpur in 1968 and Ph.D from
Carnegie Mellon University, Pittsburgh,
USA in 1971. He held the post of
Managing Director in Systech Ltd from
1972 to 2004 and Business Development
Consultant in Persistent Systems Ltd from
2008 to 2010. Currently he is the Research Mentor for
Engineering at Symbiosis International University, Pune, India
and a Professor in the Electronics & Telecommunication
Department of SIT. He has published many papers in reputed
journals including IEEE transactions on Biomedical
Engineering. He is currently guiding 7 Ph.D. students on
different topics like matrix topology for multimode converters,
UBW microwave antenna, and performance enhancement
using dynamic partial reconfiguration. His research area
includes RFID Applications, Alternate energy sources and
Applications of microcontrollers in Agriculture.

1556-6013 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.