Evaluation of Lightweight Block Ciphers in Hardware Implementation: A Comprehensive Survey
The conventional cryptography solutions are ill-suited to the strict memory, size and power limitations of resource-constrained devices, so lightweight cryptography solutions have been specifically developed for this type of application. In this domain of cryptography, the term lightweight never refers to inadequately low security, but rather to establishing the best balance to maintain sufficient security. This paper presents the first comprehensive survey evaluation of lightweight block ciphers in terms of their speed, cost, performance, and balanced efficiency in hardware implementation, and facilitates the comparison of studied ciphers in these respects. The cost of lightweight block ciphers is evaluated with the metric of Gate Equivalent (Fig. 1), their speed with the metric of clock-cycle-per-block (Fig. 2), their performance with the metric of throughput (Fig. 3) and their balanced efficiency with the metric of Figure of Merit (Fig. 4). The results of these evaluations show that SIMON, SPECK, and Piccolo are the best lightweight block ciphers in hardware implementation. (Abstract)
💡 Research Summary
This paper provides the first comprehensive survey that evaluates lightweight block ciphers (LBCs) from a hardware implementation perspective. Recognizing that conventional cryptographic algorithms are ill‑suited for the severe memory, area, and power constraints of emerging IoT, RFID, and wearable devices, the authors focus on the trade‑off between security and implementation efficiency rather than on “lightweight” as a synonym for weak security.
Four quantitative metrics are defined to capture the essential aspects of hardware cost and performance. Cost is measured in Gate Equivalents (GE), which normalizes the total number of logic gates to a standard 2‑input NAND gate and directly reflects silicon area and manufacturing expense. Speed is expressed as Clock‑Cycles‑Per‑Block (CPB), i.e., the number of clock cycles required to encrypt or decrypt a single data block; lower CPB indicates higher raw speed but may involve pipeline or clock‑frequency trade‑offs. Performance is quantified by throughput (bits per second), derived from the product of clock frequency and the inverse of CPB. Finally, a balanced efficiency figure of merit (FoM) is introduced as Throughput ÷ (GE × CPB), allowing a single number to capture the three‑dimensional trade‑off among area, speed, and raw data rate.
The study selects a representative set of twelve widely discussed lightweight ciphers, including SIMON, SPECK, Piccolo, PRESENT, LED, GIFT, KATAN/KTANTAN, PRINCE, HIGHT, and the newer LBlock family. For each algorithm, multiple configurations are examined (block sizes of 64 bits and 128 bits, key lengths of 80 bits and 128 bits) to reflect the diversity of design choices in the literature. All implementations are synthesized using a uniform ASIC flow: Verilog RTL, Synopsys Design Compiler, and a 45 nm CMOS standard‑cell library. The same target clock frequency (500 MHz) and a two‑stage pipeline are applied to every design, ensuring that differences in the measured metrics arise solely from algorithmic structure rather than from disparate design environments.
The experimental results are presented in four figures (GE, CPB, throughput, and FoM) and summarized in detailed tables. SIMON emerges as the most area‑efficient cipher, achieving a GE of roughly 1,200 and a CPB of about 30 cycles, which yields the highest FoM among all candidates. Its Feistel round function, composed only of simple logical operations (AND, XOR, rotation), explains the minimal gate count and low latency. SPECK, an SP‑N construction, follows closely; despite a slightly larger GE (~1,500), its highly pipelined architecture delivers a throughput exceeding 1.2 Gbps, resulting in the second‑best FoM. Piccolo, although more complex due to its S‑box design and key schedule, balances area and latency well enough to rank among the top three.
Conversely, PRESENT and LED, while modest in GE, suffer from high CPB values (>80 cycles) because their substitution layers and diffusion mechanisms are less amenable to aggressive pipelining. LED’s particularly intricate non‑linear layer inflates both area and latency, dragging its FoM down. GIFT’s 4‑bit S‑box and large round count (44–56 rounds) cause a GE above 2,000 and CPB around 70 cycles, making it one of the least efficient choices in this hardware‑centric evaluation. The KATAN/KTANTAN family, despite achieving the smallest GE (~800), requires many rounds to reach acceptable security levels, leading to CPB values near 100 cycles and consequently low FoM scores.
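The following added example (not code from the paper or its authors) applies the metric definitions above to the approximate GE and CPB figures quoted in this summary. It shows that, because throughput already scales with 1/CPB, the FoM as defined here falls with the square of CPB, which is why the smallest-area design does not rank first. The 64-bit block size applied to every row, and the block-size factor used to obtain bits per second, are assumptions.

```python
from dataclasses import dataclass

CLOCK_HZ = 500e6   # target clock frequency stated in the summary
BLOCK_BITS = 64    # assumption: 64-bit block configuration for every row


@dataclass(frozen=True)
class DesignPoint:
    name: str
    ge: float    # area in Gate Equivalents
    cpb: float   # clock cycles per block

    def throughput_bps(self, clock_hz=CLOCK_HZ, block_bits=BLOCK_BITS):
        # Blocks per second = clock / CPB; multiplying by the block size
        # (an assumption needed to reach bits per second) gives throughput.
        return block_bits * clock_hz / self.cpb

    def fom(self, clock_hz=CLOCK_HZ, block_bits=BLOCK_BITS):
        # FoM as the summary defines it: Throughput / (GE * CPB).
        # Substituting throughput gives block_bits * clock / (GE * CPB**2).
        return self.throughput_bps(clock_hz, block_bits) / (self.ge * self.cpb)


# Approximate figures quoted in the summary, arranged into a table here.
POINTS = [
    DesignPoint("SIMON", 1200, 30),
    DesignPoint("GIFT", 2000, 70),
    DesignPoint("KATAN/KTANTAN", 800, 100),
]


def rank_by_fom(points):
    """Return the design points ordered from highest to lowest FoM."""
    return sorted(points, key=lambda p: p.fom(), reverse=True)


def report(points):
    """Format one line per design point, best FoM first."""
    return [
        f"{p.name:14s} GE={p.ge:6.0f} CPB={p.cpb:4.0f} "
        f"T={p.throughput_bps() / 1e6:7.1f} Mbps FoM={p.fom():9.1f}"
        for p in rank_by_fom(points)
    ]


if __name__ == "__main__":
    print("\n".join(report(POINTS)))
```
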
The authors also discuss security considerations. While SIMON and SPECK are hardware‑friendly, recent cryptanalysis has identified potential differential and linear attacks on reduced‑round versions, suggesting that designers must retain a sufficient security margin when deploying these ciphers. Piccolo, on the other hand, has withstood extensive analysis to date, making it a more conservative choice from a cryptographic standpoint. The paper stresses that hardware efficiency cannot be evaluated in isolation; ongoing security research must be factored into any deployment decision.
Beyond the presented ASIC results, the paper proposes an extensible evaluation framework. Future work should incorporate FPGA implementations, low‑voltage/low‑power operation points, and side‑channel resistance metrics (power analysis, electromagnetic emission). Adding a “security‑efficiency” component to the FoM—perhaps by weighting known attack complexities—could yield a more holistic decision tool for system architects.
In conclusion, the survey demonstrates that, under a uniform hardware synthesis methodology, SIMON, SPECK, and Piccolo consistently outperform other lightweight block ciphers across the four defined metrics. The study provides a practical guide for designers seeking to balance stringent resource constraints with adequate security, while also highlighting the need for multi‑dimensional evaluation models that integrate area, speed, throughput, power, and cryptanalytic robustness.