&THE UPCOMING ERA of pervasive computing will be characterized by many smart devices that-because of the tight cost constraints inherent in mass deployments-have very limited resources in terms of memory, computing power, and battery supply. Here, it's necessary to interpret Moore's law differently: Rather than a doubling of performance, we see a halving of the price for constant computing power every 18 months. Because many foreseen applications have extremely tight cost constraints-for example, RFID in tetrapacks-over time, Moore's law will increasingly enable such applications. Many applications will process sensitive health-monitoring or biometric data, so the demand for cryptographic components that can be efficiently implemented is strong and growing. For such implementations, as well as for ciphers that are particularly suited for this purpose, we use the generic term lightweight cryptography in this article.Every designer of lightweight cryptography must cope with the trade-offs between security, cost, and performance. It's generally easy to optimize any two of the three design goals-security and cost, security and performance, or cost and performance; however, it is very difficult to optimize all three design goals at once. For example, a secure and high-performance hardware implementation can be achieved by a pipelined, side-channel-resistant architecture, resulting in a high area requirement, and thus high costs. On the other hand, it's possible to design a secure, low-cost hardware implementation with the drawback of limited performance.In this article, we present a selection of recently published lightweight-cryptography implementations and compare them to state-of-the-art results in their field. This survey covers recent hardware and software implementations of symmetric as well as asymmetric ciphers. We will discuss software and hardware implementations separately, because they have different and sometimes contrary characteristics. For example, bit permutations are virtually free in hardware, whereas in software they can significantly slow down implementations. Also, large substitution tables are often software friendly, but hardware realizations can be relatively costly. Finally, the evaluation metric is different: For software implementations, we compare both RAM and ROM requirements and the required number of clock cycles. For hardware implementations, we focus on the required chip size and the number of clock cycles. We don't compare power consumption for the hardware implementations, because different standard-cell technologies were used and estimates from simulating environments are not accurate. Software implementations let us achieve a rough estimate of power 522 Editor's note:The tight cost and implementation constraints of high-volume products, including secure RFID tags and smart cards, require specialized cryptographic implementations. The authors review recent developments in this area for symmetric and asymmetric ciphers, targeting embedded hardware and software.-Patrick Schaumont, Vi...
