
Microelectronics Reliability 123 (2021) 114202


A low cost fault-attack resilient AES for IoT applications


Saeideh Sheikhpour (a), Seok-Bum Ko (b), Ali Mahani (a,*)

(a) Reliable and Smart System (RSS) Research Lab, Department of Electrical Engineering, Shahid Bahonar University of Kerman, Kerman, Iran
(b) Department of ECE, Div. of Biomedical Engineering, University of Saskatchewan, Saskatchewan, Canada

ARTICLE INFO

Keywords: Advanced encryption standard (AES); Error detection; Internet-of-things (IoTs); Compact implementation; Fault-attack resiliency

ABSTRACT

The Internet of Things (IoT) as an emerging infrastructure has an essential role in daily life in many domains, ranging from healthcare wearable devices to complex industrial systems. Nevertheless, its security is a challenging issue that has to be addressed. Security can be provided by utilizing cryptographic techniques such as the Advanced Encryption Standard (AES) for encryption and authentication. In this paper, we propose a 32-bit AES encryption/decryption architecture for use in IoT infrastructure and similar resource-constrained applications. On the other hand, providing robustness against existing malicious attacks is a significant factor in ensuring reliable and therefore secure communication. Therefore, we propose a low-cost fault-resilient integrated architecture, named LC-FRAES, for the data-path and also the on-the-fly key expansion unit by exploiting resource sharing between the encryption and decryption processes. The results of both ASIC and FPGA implementations of the proposed architecture are reported and compared with those of similar recent designs. The comparisons illustrate that LC-FRAES outperforms its counterparts in many architectural features, which makes it suitable for IoT applications. Moreover, we provide a comparison between our proposal and lightweight cryptographic designs from the literature. The comparisons verify the consistency and appropriateness of the proposed architecture for IoT applications. Finally, through extensive experimental results, we show that LC-FRAES can detect almost all injected faults.

* Corresponding author.
E-mail address: [email protected] (A. Mahani).

https://doi.org/10.1016/j.microrel.2021.114202
Received 2 February 2021; Received in revised form 9 May 2021; Accepted 8 June 2021
Available online 7 July 2021
0026-2714/© 2021 Elsevier Ltd. All rights reserved.

1. Introduction

Recently, the Internet of Things (IoT) has emerged as the next generation of communication infrastructures in which numerous smart nodes in the perception layer collect data from their surroundings and interact with the physical world and also among themselves to create smart environments [1]. IoT as a new wireless technology has penetrated into all aspects of our modern life, ranging from smart home [2] and smart city [3] to smart transportation [4] and smart parking systems [5]. Lack of human intervention in IoT interactions causes increasing security issues such as identification, availability, privacy attacks and organized cybercrimes. Unavoidably, almost all communications in IoT infrastructure are wireless. Due to the broadcast nature of the wireless medium, wireless communications are prone to various malicious attacks [6]. As the value and confidentiality of IoT information grow day by day, the concerns about its security increase [7]. Encryption is conceivably the best approach to guarantee sensitive data security for IoT device data communication. This has motivated the integration of cryptography into smart IoT devices. It is assumed that IoT devices are inherently low-cost devices with constrained area budget, constrained memory footprint, and constrained power/energy budget. Therefore it seems essential to optimize the hardware implementation of cryptographic algorithms in terms of power consumption, throughput and mainly occupied area. However, these are different design metrics which often conflict with each other, and it is difficult to optimize them simultaneously. In this paper, our focus is on the implementation area optimization of the Advanced Encryption Standard (AES) [8] as a primary aim alongside its throughput and power consumption optimization as a secondary aim. AES is an extensively used symmetric block cipher for providing security in well-known IoT standards, such as IEEE 802.15.4, LoraWAN, Sigfox, and ZWave [9]. The 128-bit AES is the recommended algorithm for use as part of the cryptosystems for top-secret communications by the National Institute of Standards and Technology (NIST). According to the current NIST guidance, 128-bit AES will be sufficient for providing security in general-purpose products until 2030 [10].

On the other hand, several fault injection attacks on AES are reported in the literature [11–13]. Because of the existence of such malicious attacks, the use of unprotected implementations of cryptographic algorithms does not guarantee that secure information is transferred reliably. Hence, in order to avoid compromising secure communication and achieve IoT robustness against attacks, it is necessary to incorporate fault-resilient techniques into the considered cryptographic hardware, so that only the allowed receiver with the encryption key can retrieve the original information [14–16]. To protect the AES implementation against fault injection attacks, we incorporate strong error detection schemes into our proposed architecture. The proposed architecture comprises two nearly well-balanced pipeline stages. We designate an appropriate detection technique for each pipeline stage according to inherent features of the operations performed in each of them.

The main contributions of this paper are as follows.

We develop a 32-bit low-cost fault-resilient integrated AES (LC-FRAES) architecture with an online error detection mechanism which supports both the encryption and decryption processes for safety-critical real-time IoT applications.

1. We exploit effective resource-sharing between encryption and decryption for area minimization as the main aim and throughput optimization as the secondary aim.
2. We employ sixteen 8-bit registers in an organization such that they perform ShiftRow and its inverse operation and are also consistent with our timing specification.
3. We propose a small 32-bit on-the-fly key expansion unit for round key generation for both encryption and decryption processes.
4. We evaluate the fault-resilient capability of the LC-FRAES through extensive fault injection scenarios at the simulation level.
5. Finally, we implement the proposed 32-bit LC-FRAES architecture on four different Xilinx field programmable gate array (FPGA) devices and an ASIC platform using TSMC 180-nm CMOS technology to confirm the achieved objectives. Moreover, to investigate the practicality and effectiveness of the proposed architecture in resource-constrained applications, we compare its implementation results with those of similar low-cost implementations of AES and also different proposed fault-resilient hardware implementations of lightweight block ciphers in the literature.

The rest of this paper is organized as follows. Section 2 reviews different low-cost AES implementations. It also gives an overview of the various lightweight block ciphers as an emerging potential solution for IoT applications. We describe the proposed LC-FRAES architecture in detail in Section 3. The implementation results of the LC-FRAES on different Xilinx FPGA devices and also ASIC are discussed and compared with those of previous low-cost AES implementations in Section 4. Moreover, we compare our architecture with proposed lightweight block cipher implementations in terms of various architectural aspects in this section. Section 5 reports the results of our extensive error simulations. Finally, Section 6 concludes the paper.

2. Related work

Existing efforts to enhance security within resource-constrained applications mainly focused on two directions:

1. Developing low-cost AES as the NIST recommended block cipher algorithm with a high level of security.
2. Introducing new lightweight block ciphers which require low area implementation and power consumption.

In this paper, our focus is primarily on proposing a low-cost fault-resilient integrated hardware for AES so that its throughput is kept as high as possible to conform to IoT and such resource-constrained applications. Section 2.1 is a review of low-cost hardware architectures for AES reported in the literature. An overview of recent works in the hardware implementation of the emerging lightweight block cipher algorithms is also provided in Section 2.2.

2.1. Low-cost implementation of AES

Security is one of the biggest challenges in critical resource-constrained applications. This has led to the introduction of a large number of AES architectures optimized in terms of different design metrics [9,17–22]. Some of these architectures were implemented on ASIC platforms [9,17–21,23–26], others on FPGA [23–26]. The authors in [17,18] proposed optimized AES encryption hardware architectures for low-power applications. The main focus of these works was on power consumption, but despite the fact that the area is the main criterion, they placed less importance on the implementation area. An 8-bit area-efficient AES architecture which needs 527 clock cycles per encryption was proposed by Shahbazi et al. in [22]. Kim et al. in [9] focused on the optimization of the power consumption of AES with 32 and 8-bit data-paths in the smallest possible area. Their proposed architecture needs 186 clock cycles per encryption, which makes it a bit slow. In some applications, cryptosystems should include both encryption and decryption modules. In some block cipher modes of operation like CBC and ELmD, access to both encryption and decryption modules is also needed [20]. Most of the works on low-area and low-power AES proposed an encryption module, or encryption and decryption modules separately. This may achieve a low-cost architecture for each of them exclusively but not for both of them together. There are several works dealing with integrated architectures for AES [19–21,23–25]. Haghighizadeh et al. presented a compact integrated 8-bit AES architecture for resource-constrained applications where both encryption and decryption are needed in [19]. Their architecture requires 160 clock cycles and consumes 5.6 k GE. In [20], the authors reported an 8-bit serialized AES which supports both encryption and decryption. They changed the low-cost AES encryption core proposed by Moradi et al. in [26] so that it can accomplish both encryption and decryption processes. Although their architecture occupies the smallest area among previous works (around 2.645 k GE), it provides low throughput as it requires 226 clock cycles for each encryption. In [21], Satoh et al. introduced a 32-bit integrated AES architecture. Their proposed design emphasizes an S-box implementation based on the tower field and also a MixColumn implementation using an optimized circuit. The size of this implementation is around 5.4 k GE at 311.09 Mbps data rate. Bani-Hani et al. in [23] proposed a compact 32-bit FPGA design for AES encryption/decryption. In fact, the authors presented a suitable integrated architecture for foot-print low-power embedded applications by combining MixColumn and SubByte into a single operation by the use of BRAMs. The design of cryptosystems should provide protection against the various types of vulnerabilities. NIST outlined security requirements for cryptosystems in FIPS 140 [27]. According to FIPS 140, at security Level 4, the physical security mechanisms must provide complete protection for the cryptosystems with the aim of detecting and responding to any unauthorized attempts at physical access. Legat et al. in [24] addressed another compact integrated 32-bit architecture with on-line error-detection capability for AES. Their solution was specially designed for the FPGA platform since it was tuned to specific resource elements of FPGAs. This architecture achieves 294.4 Mbps throughput for both encryption and decryption while utilizing 287 slices and 3 BRAMs (equal to 671 slices) on a Xilinx Spartan 3 XC3S50 FPGA. The error detection proposed by Legat et al. is based on parity checking and provides about 88% fault coverage for AES combinational logic.

A fault-resistant architecture against differential fault attacks capable of performing encryption and decryption processes on a 32-bit data-path with 128-bit key length was proposed in [25]. They suggested a hybrid error detection countermeasure to secure AES using parity checking for linear operations and detection based on time redundancy for the SubByte operation. This design uses a total of 556 slices at an operating frequency of 256.5 MHz on a Xilinx Virtex-5 FPGA device and offers about 98.82% fault coverage against injected faults.

2.2. Implementation of lightweight block ciphers

As we discussed in the previous subsection, many research works focus on the low-cost implementation of AES as the NIST standard, aiming at developing security primitives fitting the requirements of extremely resource-constrained applications. In recent years, several cryptographic algorithms tailored for constrained applications, known as lightweight block cipher algorithms, were introduced [28–36]. They require a small implementation area and consume a limited amount of power but offer reduced security [9]. A group of researchers concentrated on the efficient implementation of these emerging block ciphers [33,37–52]. PRESENT is an ultra-lightweight block cipher algorithm which was developed by Orange Labs, Ruhr University Bochum and the Technical University of Denmark in 2007 [28]. Several architectures aimed at achieving a low-cost implementation of PRESENT encryption were proposed in [37–39]. Two optimized integrated architectures of PRESENT can also be found in [40,53]. Furthermore, the authors in [40] addressed an integrated architecture for HIGHT, a hardware-oriented lightweight block cipher which was proposed by Hong et al. [41].

The LED block cipher designed by Guo et al. [29] at CHES 2011 is another lightweight cryptographic algorithm. Subramanian et al. [42] presented an efficient low-cost architecture incorporating a signature-based error detection technique for the LED block cipher algorithm. In [42] an error detection technique based on Recomputing with Encoded Operands was also proposed for a fault-resilient hardware implementation of the HIGHT block cipher.

Simon and Speck, two members of the lightweight block cipher family, were proposed by a group of researchers in the US National Security Agency's Research Directorate [30]. Beaulieu et al. addressed the hardware implementation of Simon and Speck in [44]. They focused on the ASIC performance of different implementations of Simon and Speck with different key sizes. Ahir et al. in [45] proposed to add a variant of recomputing with encoded operands to architectures of Simon and Speck to achieve reliable implementations of them with low area and power overheads.

The Tiny Encryption Algorithm (TEA) is one of the fastest lightweight block cipher algorithms [31]. An optimized implementation of TEA concerning the consumed implementation area was proposed by Yu et al. in [46]. In [47], Tian proposed two error detection techniques based on parity checking and recomputing with rotated operands (RERO) for the encryption process of the eXtended Tiny Encryption Algorithm (XTEA), which is an extension of the TEA lightweight block cipher [32].

ICEBERG is one of the first block ciphers, proposed by Standaert at FSE 2004 [33]. A compact integrated architecture of ICEBERG was presented in [33].

CLEFIA is a new lightweight block cipher algorithm developed by Sony [36]. A novel low-cost integrated hardware architecture using a composite field-based pipelined S1-box and an algebraic normal form based S0-box for CLEFIA-128 was proposed and prototyped on FPGA in [50].

The GIFT block cipher is an improved version of PRESENT which offers good performance and even surpasses some lightweight block ciphers for round-based implementations [49,52].

3. Proposed architecture

Fig. 1 illustrates the block diagram of the proposed Low-Cost Fault-Resilient 32-bit AES, named LC-FRAES. The LC-FRAES includes three main parts: a 32-bit data-path, a 32-bit key expansion unit, and a controller, accompanied by three buffers: input, key and output buffers. LC-FRAES takes four 32-bit words for the input data, one by one, processes them independently, and finally produces four 32-bit output words.

Fig. 1. The block diagram of the proposed 32-bit AES (LC-FRAES).

The proposed LC-FRAES is an ultra-low-cost implementation of AES with error detection capability which supports both encryption and decryption. The main advantage of such an implementation is the use of resource sharing for low-cost implementation and also for the error detection task. In fact, LC-FRAES benefits from resource sharing across the hardware required for MixColumn and inv-MixColumn (MC and MC⁻¹), SubByte and inv-SubByte (SB and SB⁻¹), ShiftRow and inv-ShiftRow (SR and SR⁻¹), AddRoundKey (AD) in the initial and other rounds, and the key expansion unit in encryption and decryption. This mechanism also enables fault-attack tolerance in our AES architecture without extra hardware.

Downsizing also benefits the low-power factor [9]. It should be noted that in our analyses and fault simulations, we consider those transient faults which affect the process in one clock cycle, and each fault can be injected anywhere.

We will explain the proposed architecture for the 32-bit data-path and the key expansion unit in the next two subsections.

3.1. Proposed thirty-two-bit data-path

As previously discussed, in order to suit lightweight applications, we propose an integrated 32-bit architecture for AES. The data-path of the proposed architecture is presented in Fig. 2. As can be seen in Fig. 2, the data-path consists of two pipeline stages. Dividing the data-path into two pipeline stages, in addition to preventing the reduction of throughput due to the error detection task, gives us the ability to exploit an appropriate error detection mechanism for each of them, according to its inherent and also structural features.

Fig. 2. LC-FRAES data-path.

Fig. 3. The gate-level implementation of MC/MC⁻¹.

In the 1st pipeline stage, the AddRoundKey (AD), 32-bit XOR, and MC/MC⁻¹ [54] (Fig. 3) operations are applied to the 32-bit data (equivalent to one state column). Since both of these operations are linear, we developed a modified temporal redundancy for this pipeline stage to detect transient and permanent faults occurring at run time. The proposed error detection is accomplished with the use of Re-computation with Dynamic Permuted operands, called RDP. RDP is a lightweight and strong error detection technique which provides a reliable and secure implementation for any linear operation. Fig. 4(a) is the basis of our proposed RDP for the 1st pipeline stage of LC-FRAES. In basic temporal redundancy, let S be the input to the main computation and f(S) be its corresponding output. S itself is considered as the input, and f(S) is obtained again in the re-computation. The result of the main computation is compared with the result of the re-computation. In this technique, permanent faults and also those transient faults which affect both computation and re-computation will not be detected. To deal with this problem, one may use functions P and Q such that f(S) = Q(f(P(S))). For error detection, S and P(S) are processed through unit f in the computation and re-computation processes, respectively. A fault affects data processing in computation and re-computation in different ways if P and Q are appropriately selected [55]. Functions P and Q can be inverses of each other, i.e., Q(P(S)) = S for all S. If functions P and Q are fixed, an attacker can extract secret data by obtaining information about them.

To solve this issue, we propose dynamic byte permutation instead of using a fixed permutation function. This is achieved by integrating permutation (data rearrangement) with a random process. For the 1st pipeline stage in Fig. 2, we add three multiplexers, a comparator (cmp1) and a linear feedback shift register (LFSR). α is a dynamic permutation of the input data to the re-computation, which is randomly chosen by utilizing the LFSR. α⁻¹ is the inverse permutation. The function of this pipeline stage can be represented as AK(k, MC(S)), where S is its 32-bit input. In dynamic permutation, according to Theorem 1 in [55], the following equation is always true unless an error occurs.

$$AK(k, MC(S)) = \alpha^{-1}\big(AK(\alpha(k), MC(\alpha(S)))\big) \tag{1}$$

A 128-bit shift register with a special organization, composed of sixteen 8-bit registers, serves as the pipeline register holding the intermediate 128-bit state array in the computation process. This shift register also applies the SR/SR⁻¹ operation to its content. The output of the proposed shift/shift⁻¹Row shift register is one column of the state matrix after the SR/SR⁻¹ operation. At the re-computation, we inverse-permute the output of this stage and compare it with the corresponding shift/shift⁻¹Row shift register content. To implement such a shift/shift⁻¹Row shift register, the basic idea is taken from [9]. We apply some changes to the shift register in [9] so that it is compatible with the proposed 32-bit LC-FRAES. We also employ a temporal register with the same organization as the shift/shift⁻¹Row shift register, in which the output of the 1st pipeline stage in the computation process is stored for the next pipeline stage's check against errors.

The way the shift/shift⁻¹Row shift register and the temporal register are loaded in each clock cycle is described in Table 1. The SB/SB⁻¹ operation is applied to the output of the shift/shift⁻¹Row shift register. In the SB (SB⁻¹) operation, each 8-bit value is substituted by the S-box (S-box⁻¹), which is a nonlinear transformation in the Galois field GF(2⁸). We select the composite field-based S-box [56,57] due to its small implementation area. Another reason for selecting this type of S-box implementation is that it makes it easy to share resources between the encryption and decryption data-paths for a low-cost AES implementation (see Fig. 5(a)). Such an S-box implementation is therefore well suited to our purpose.

Since SB/SB⁻¹ is a byte-oriented operation, for 32-bit data we
require four S/S⁻¹-boxes (in brief, S/S⁻¹). The main weakness of this SB/SB⁻¹ implementation is its long critical path, which reduces the throughput of the AES. To solve this issue and achieve a smaller implementation area, we propose to use two S/S⁻¹ with seven pipeline stages instead of four S/S⁻¹ in this LC-FRAES stage, as shown in Fig. 5(a). The basis for selecting such pipeline stages is having a balanced number of gates in each pipeline stage's critical path with the lowest number of registers. To prepare the data on time for processing in the next pipeline stage, the internal registers of this stage must be clocked with clk2x, i.e. a clock signal with twice the frequency of the whole system clock (clkx). It should be noted that clk2x is the input clock signal to our design. We use a T-flipflop as the frequency divider to build clkx. The explicit expression of 32-bit processing is shown in Fig. 7. In other words, this figure shows how a 32-bit word is processed in this pipeline stage. A pipeline deep shift register (Fig. 6(b)) holds the 32-bit output of this stage. As shown in Fig. 7, the processing of the first column of the state array, i.e. S0,0, S0,1, S0,2, S0,3, is completed in this stage before starting the computation in the next pipeline stage. At the output of each S/S⁻¹, we use an 8-bit register to store the first output byte, which is not shown in Fig. 5(a). The other columns of the state array are processed in the proposed S/S⁻¹ in both encryption and decryption computation and re-computation processes.

Fig. 4. Concept of error detection techniques in: (a) pipeline stage I, RDP (b) pipeline stage II, modified temporal redundancy with inverse operation.

Fig. 5. S/S⁻¹: (a) composite field based S/S⁻¹-box implementation (b) S/S⁻¹-box with seven pipeline stages.

Table 1
Sequence of loading data in shift/shift⁻¹Row shift register to perform SR/SR⁻¹ operation.

| Clock cycle # | Register loading sequence | | | | Output (En) | Output (De) |
|---|---|---|---|---|---|---|
| 8i-3: 8i, 1 ≤ i ≤ 11 | r15 ← In[31:24] | r14 ← In[23:16] | r13 ← In[15:8] | r12 ← In[7:0] | – | – |
| | r11 ← r15 | r10 ← r14 | r9 ← r13 | r8 ← r12 | – | – |
| | r7 ← r11 | r6 ← r10 | r5 ← r9 | r4 ← r8 | – | – |
| | r3 ← r7 | r2 ← r6 | r1 ← r5 | r10 ← r3 | – | – |
| 8j + 1: 8j + 4, 1 ≤ j ≤ 10 | r15 ← r3 | r14 ← r6 | r13 ← r1 | r12 ← r0 | Out[31:24] ← r3 | Out[31:24] ← r3 |
| | r11 ← r15 | r10 ← r14 | r9 ← r13 | r8 ← r12 | Out[23:16] ← r6 | Out[23:16] ← r14 |
| | r7 ← r11 | r6 ← r10 | r5 ← r9 | r4 ← r8 | Out[15:8] ← r9 | Out[15:8] ← r9 |
| | r3 ← r7 | r2 ← r6 | r1 ← r5 | r0 ← r3 | Out[7:0] ← r12 | Out[7:0] ← r4 |

Supporting both encryption and decryption not only leads to a low-area implementation but also facilitates the error detection mechanism. The error detection mechanism developed for the 2nd pipeline stage exploits the inverse relationship properties at the operation level of symmetric block ciphers in combination with temporal redundancy. We show the concept of this error detection technique in Fig. 4(b).

Theorem 1: The 2nd pipeline stage in the encryption process can be represented as SB(S), where S is the 32-bit input to this pipeline stage. The following equation holds true if SB⁻¹ is the inverse function of the SubByte (SB) operation.

$$S = SB^{-1}(SB(S)) \tag{2}$$

Proof: Suppose an arbitrary function f : A → B is bijective. Let y be an arbitrary point such that y ∈ B. Since the function f is bijective, it follows that there is a unique point x ∈ A such that f(x) = y. Therefore, by definition, we have f⁻¹(f(x)) = f⁻¹(y) = x.

In the decryption process, we have the following similar equation instead of Eq. (2).

$$S = SB(SB^{-1}(S)) \tag{3}$$

In the 2nd pipeline stage the inverse operation is applied to its output in the re-computation. The output of the re-computation must be equal to the input of the computation in this stage according to Theorem 1. This property can be exploited for error detection mechanisms with high error detection capability, especially for non-linear operations. In fact, in LC-FRAES for the 2nd pipeline stage, the output of the re-computation is always equal to the input of the computation unless an error occurs. To implement this pipeline stage, we need two pipelined S/S⁻¹, a comparator (cmp2), a multiplexer and a de-multiplexer.

3.2. Proposed thirty-two-bit key expansion unit

In the proposed LC-FRAES, the round-keys are generated on-the-fly, reducing the storage requirements. The proposed 32-bit key expansion can expand round-keys for both encryption and decryption processes by efficiently sharing the common modules, as shown in Fig. 8(a). The round keys are generated according to Eqs. (4) and (5) for the encryption and decryption processes, respectively, through our proposed architecture for key expansion.

$$k_j^i = \begin{cases} k_3^{i-1} \ \mathrm{XOR}\ IEC(k_0^{i-1}) & j = 3 \\ k_3^{i} \ \mathrm{XOR}\ k_2^{i-1} & j = 2 \\ k_2^{i} \ \mathrm{XOR}\ k_1^{i-1} & j = 1 \\ k_1^{i} \ \mathrm{XOR}\ k_0^{i-1} & j = 0 \end{cases} \tag{4}$$

$$k_j^i = \begin{cases} k_3^{i-1} \ \mathrm{XOR}\ IEC(k_0^{i-1} \ \mathrm{XOR}\ k_1^{i-1}) & j = 3 \\ k_3^{i-1} \ \mathrm{XOR}\ k_2^{i-1} & j = 2 \\ k_2^{i-1} \ \mathrm{XOR}\ k_1^{i-1} & j = 1 \\ k_1^{i-1} \ \mathrm{XOR}\ k_0^{i-1} & j = 0 \end{cases} \tag{5}$$

As can be seen in Fig. 8(a), the proposed integrated key expansion hardware implementation requires an IntermediatE Computation (IEC) unit, five registers, 64 XOR gates and four multiplexers. We depict the internal structure of the IEC unit in Fig. 8(b). The IEC unit is responsible for applying SubWord, RotWord and AddRoundConstant in the key generation process. In this unit, for low-cost implementation, instead of 4 S-boxes for the SubWord operation, an S-box with five pipeline stages is proposed (Fig. 8(b)). This efficiently saves hardware resources. A deep shift register with a particular organization, which is capable of doing RotWord, is used as the IEC input register (Fig. 8(c)). We also integrate the AddRoundConstant with the IEC output register, as shown in Fig. 8(d). We describe the 32-bit key generation in each clock cycle for both encryption and decryption in Table 3.

The different operational modes of LC-FRAES are summarized in Table 2.

4. Implementation result and comparison

Our LC-FRAES is described using Verilog, synthesized using Xilinx Synthesis Technology (XST) and Synopsys Design Compiler, and implemented using Cadence SOC Encounter with TSMC 180-nm technology and Xilinx ISE 14.7 on ASIC and FPGA platforms, respectively. The results for both ASIC and FPGA implementations are reported in Table 3. There are a variety of AES hardware implementations which are optimized in terms of area, power consumption or throughput, but very few of these implementations incorporate a fault-attack resilient technique. Therefore, a set of different cited 32(8)-bit AES architectures targeted at small-area and low-power designs is taken to draw a comparison with LC-FRAES for the evaluation of design metrics including area (occupied slices and NAND gate equivalent (GE) for FPGA and ASIC, respectively), frequency, throughput (Eq. (6)) and efficiency (Eq. (7)) in Table 4. Some of these designs support both encryption and decryption. Note that, because of the pipeline structure of LC-FRAES, the number of clock cycles for its throughput calculation in Eq. (6) is considered equal to 88.

$$\text{Throu.} = \frac{\text{Number of processed bits} \times \text{clock frequency}}{\text{Number of clock cycles}} \tag{6}$$

$$\text{Eff.} = \frac{\text{Throu.}}{\text{Area}} \tag{7}$$

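An added example, not code from the paper: a software model of the stage-1 RDP check of Section 3.1 and Eq. (1), showing basic re-computation missing a permanent fault that RDP flags. It assumes α is a byte rotation of the 32-bit column (MixColumn's circulant matrix commutes with rotations and AddRoundKey is a bytewise XOR); the LFSR taps and seed, the stuck-at fault and the random inputs are constructed for illustration.

```python
import random

def xtime(b):
    """Multiply a byte by 2 in GF(2^8) modulo the AES polynomial 0x11B."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def mix_column(col):
    """AES MixColumn on one state column (4 bytes); the matrix is circulant."""
    out = []
    for i in range(4):
        a, b, c, d = (col[(i + n) % 4] for n in range(4))
        out.append(xtime(a) ^ xtime(b) ^ b ^ c ^ d)   # 02*a ^ 03*b ^ c ^ d
    return out

def mix_column_stuck(col):
    """Constructed faulty MC unit: bit 0 of output lane 0 is stuck at 1."""
    out = mix_column(col)
    out[0] |= 0x01
    return out

def alpha(word, r):
    """Assumed permutation: rotate the bytes by r lanes; alpha(w, -r) undoes it."""
    r %= 4
    return word[r:] + word[:r]

def stage1(col, key, mc):
    """AK(k, MC(S)) computed with the given MixColumn unit."""
    return [m ^ k for m, k in zip(mc(col), key)]

class Lfsr8:
    """Hypothetical 8-bit Fibonacci LFSR (feedback from bits 0, 2, 3, 4)."""
    def __init__(self, seed=0xA5):
        self.state = (seed & 0xFF) or 1
    def next_rotation(self):
        s = self.state
        bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 4)) & 1
        self.state = (s >> 1) | (bit << 7)
        return 1 + self.state % 3          # nonzero rotation: 1, 2 or 3 lanes

def plain_recompute_flag(col, key, mc):
    """Basic temporal redundancy: same operands through the same unit twice."""
    return stage1(col, key, mc) != stage1(col, key, mc)

def rdp_flag(col, key, r, mc):
    """Eq. (1): AK(k, MC(S)) versus alpha^-1(AK(alpha(k), MC(alpha(S))))."""
    first = stage1(col, key, mc)
    second = alpha(stage1(alpha(col, r), alpha(key, r), mc), -r)
    return first != second

def campaign(mc, runs=256):
    """Drive constructed random columns and keys through a MixColumn unit.
    Returns (wrong outputs, wrong outputs missed by plain re-computation,
    wrong outputs missed by RDP)."""
    rng, lfsr = random.Random(2021), Lfsr8()
    wrong = missed_plain = missed_rdp = 0
    for _ in range(runs):
        col = [rng.randrange(256) for _ in range(4)]
        key = [rng.randrange(256) for _ in range(4)]
        r = lfsr.next_rotation()
        if stage1(col, key, mc) != stage1(col, key, mix_column):
            wrong += 1
            missed_plain += not plain_recompute_flag(col, key, mc)
            missed_rdp += not rdp_flag(col, key, r, mc)
    return wrong, missed_plain, missed_rdp

if __name__ == "__main__":
    print("healthy unit:", campaign(mix_column))
    print("stuck-at unit:", campaign(mix_column_stuck))
```

With the stuck-at unit, every corrupted output passes the plain re-computation unnoticed, while the rotated re-computation moves the stuck bit to a different byte lane after α⁻¹ and the comparison fails.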
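An added example, not the authors' design: the inverse-operation check of Theorem 1 for the SubByte stage (Eqs. (2) and (3)) and the on-the-fly round keys of Eqs. (4) and (5) in Section 3.2, sharing one S-box table. The word order (k3 taken as the first key word), the round-constant indexing in the decryption direction and the fault model (bit flips on the computation's output only) are assumptions; the key is the FIPS-197 example key.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r

def build_sbox():
    """SubByte table: multiplicative inverse followed by the AES affine map."""
    table = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        table.append(s ^ 0x63)
    return table

def invert_table(table):
    """Inverse lookup table of a byte permutation."""
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return inverse

SB = build_sbox()
SB_INV = invert_table(SB)

def stage2_flag(word, decrypt=False, fault=None):
    """Apply S (or S^-1) to a 4-byte word, push the result through the
    inverse operation and compare with the input (error flag E2).
    fault=(lane, mask) flips output bits of the computation."""
    fwd, back = (SB_INV, SB) if decrypt else (SB, SB_INV)
    out = [fwd[b] for b in word]
    if fault:
        lane, mask = fault
        out[lane] ^= mask
    return [back[b] for b in out] != word

def stage2_coverage(word, decrypt=False):
    """Inject every single-bit output fault; return (injected, detected)."""
    faults = [(lane, 1 << bit) for lane in range(4) for bit in range(8)]
    return len(faults), sum(stage2_flag(word, decrypt, f) for f in faults)

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def iec(word, rnd):
    """IEC unit: RotWord, SubWord, AddRoundConstant for round rnd (1..10)."""
    b = [(word >> s) & 0xFF for s in (24, 16, 8, 0)]
    b = [SB[x] for x in b[1:] + b[:1]]
    b[0] ^= RCON[rnd - 1]
    return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]

def next_key_enc(k, rnd):
    """Eq. (4). k[j] holds word k_j of round rnd-1; returns round rnd."""
    n = [0, 0, 0, 0]
    n[3] = k[3] ^ iec(k[0], rnd)
    n[2] = n[3] ^ k[2]
    n[1] = n[2] ^ k[1]
    n[0] = n[1] ^ k[0]
    return n

def next_key_dec(k, rnd):
    """Eq. (5). From the key of encryption round rnd, step back to rnd-1."""
    return [k[1] ^ k[0], k[2] ^ k[1], k[3] ^ k[2],
            k[3] ^ iec(k[0] ^ k[1], rnd)]

def expand_and_return(key_words):
    """Walk round keys 0 -> 10 with Eq. (4), then 10 -> 0 with Eq. (5)."""
    k = list(key_words)
    for rnd in range(1, 11):
        k = next_key_enc(k, rnd)
    last = list(k)
    for rnd in range(10, 0, -1):
        k = next_key_dec(k, rnd)
    return last, k

if __name__ == "__main__":
    key = [0x09CF4F3C, 0xABF71588, 0x28AED2A6, 0x2B7E1516]   # [k0, k1, k2, k3]
    last, back = expand_and_return(key)
    print([hex(w) for w in last], back == key)
    print(stage2_coverage([0x19, 0xA0, 0x9A, 0xE9]))
```

Because SubByte is a bijection, any bit flip on the computation's output maps back to a different input, so all 32 single-bit faults are flagged; only the current round key is held, which is what removes the round-key storage.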
Table 4 shows that the two integrated AES designs proposed in [20]
result in very small AES implementation area (2.645 and 2.976 k GE)
thanks to its 8-bit data-path and good resource sharing between
encryption and decryption. These designs need 226 clock cycles per
encryption (decryption) leading to low throughput budget, about 94 and
57 Mbps. Another 8-bit integrated AES ASIC implementation reported in
[19] offers better throughput as compared to designs in [20], i.e. 104
Mbps. However, it requires almost 2.1 times more area, i.e. 5.6 k GE.
Although our LC-FRAES is a fault-attack resistant architecture which
supports both encryption and decryption, it occupies the smallest area
on ASIC platform, i.e. 3.55 k GE and also achieves the best throughput
and efficiency, i.e. 334.5 Mbps and 94.22 Mbps/k GE, respectively,
among all 32-bit AES implementations. However, the other 32-bit de­
signs are unprotected AES implementations against fault attacks which
only support encryption [9,17,18]. The most important factors that
make our implementation resource efficient are:

• The use of two 7-stage pipelined S/S⁻¹ instead of four non-pipeline S/S⁻¹s in the data-path.
• The use of one 5-stage pipelined S-box instead of four non-pipeline S-boxes in the key expansion unit.
• The employment of registers in a special organization so that they can perform operations such as RotWord and shift/shift⁻¹Row.

Fig. 6. Data-path registers: (a) shift/shift⁻¹Row shift register (b) pipeline Deep shift register.

Fig. 7. 32-bit SubByte operation in encryption (0 ≤ j ≤ 11, 1 ≤ i ≤ 11).


Fig. 8. Key expansion: proposed (a) architecture (b) S-box with 5 pipeline stages (c) Input register (d) output register.

Table 2
Description of the cryptographic process by LC-FRAES.

| Clock cycle # | 1st stage | 2nd stage | Error flag |
|---|---|---|---|
| 1, 2, 3, 4 | Computation | – | – |
| 8i-3: 8i, 1 ≤ i ≤ 11 | Re-computation | Computation | E1 & E2 |
| 8j + 1: 8j + 4, 1 ≤ j ≤ 10 | Computation | Re-computation | – |

• The use of architectures for MixColumn and SubByte and key expansion unit which exploit the optimum resource sharing between encryption and decryption.

We also report the results of implementation of LC-FRAES on different Xilinx FPGA devices, i.e. Spartan-6 xc6slx9-3tqg144, Virtex-5 xc5vlx110t-3ff1136, Virtex-7 xc7vx330t-3ffg1157 and Kintex-7 xc7k70t-3fbg676 in Table 4.

Tables 5 and 6 report the evaluation parameters and comparison metrics for some of the lightweight block ciphers implementations and LC-FRAES for FPGA and ASIC, respectively, whereas Fig. 8 compares the efficiency values of different block ciphers ASIC implementations. We implement LC-FRAES on the FPGA devices on which the authors of [42,45,47,53] implemented their proposed designs, to make our comparison results more fair. Comparison to integrated PRESENT implementation on Virtex-5 reported in [53] in Table 5 reveals that LC-FRAES achieves a higher level of security (because of larger key size, i.e. 80 vs. 128) and reliability with the surplus of only 78 % increase in area and 11 % reduction in throughput. The reported implementation of LED, HIGHT, Simon and XTEA block ciphers in [42,45,47] fall in the category of low-cost fault-attack resilient designs and therefore consume more FPGA resources as compared to unprotected compact block cipher implementations. LC-FRAES uses almost 27 and 9 % more occupied slices than reported fault-resilient LED and HIGHT in [42] but instead it supports both encryption and decryption and also uses larger cipher key size (128 vs. 64), which implies greater security. Table 5 shows that the fault-resilient Simon reported in [45] supporting only encryption, takes a few slices, i.e. 95, due to its small key size of 48 bits. However, LC-FRAES offers about 50% better throughput. For Kintex-7, the number of occupied slices for two compact fault-resilient XTEA designs reported in [47] are 228 and 203, which is a bit lower than the slice utilization of LC-FRAES. However, the throughput and efficiency of LC-FRAES are much higher than those of both XTEA designs.

A comparison of our architecture with existing low-cost architectures for other lightweight block ciphers is provided in Table 5. To have a fair comparison, only compact ASIC designs implemented using 180-nm technology at 100 MHz are picked. As shown in Table 5, none of the designs is fault-attack resilient, while almost all of them are optimized for small-area and low-power.

Although LC-FRAES needs more area compared to other designs, it

8
S. Sheikhpour et al. Microelectronics Reliability 123 (2021) 114202

Table 3
Round key generation in different clock cycles for encryption and decryption (0 ≤ i, n ≤ 11).
clkx clk2x Encryption Decryption

Registers IEC operations Key generation Registers IEC operations Key generation
operations operations

1 KR1 ← k03 – – KR1 ← k03 –


1
2
3 KR1 ← k02 – KR1 ← k02
2
4 KR2 ← KR1 – KR2 ← KR1 – –
5 KR1 ← k01 KR1 ← k01
3
6 KR2 ← KR1 – – KR2 ← KR1 – –
KR3 ← KR2 KR3 ← KR2
– KR1 ← k00 IS ← Rotate(I)
7 KR1 ← k00 IS ← Rotate(k00) KR2 ← KR1 I ← k00 xor k01(KR1)
KR2 ← KR1 – KR3 ← KR2
4
KR3 ← KR2 KPS1 ← IEC1(k00, 3) KR4 ← KR3 KPS1 ← IEC1(I3)
8 KR4 ← KR3
KPS1 ← IEC1(ki−0, 10) KPS1 ← IEC1(I0)
16n-7 KR1 ← KR4 KPS2 ← IEC2(KPS1) KR1 ← KR4 KPS2 ← IEC2(KPS1)
KR2 ← KR1 KR2 ← KR1
8i-3
KR3 ← KR2 KPS1 ← IEC1(ki−0, 11) – KR3 ← KR2 KPS1 ← IEC1(I1) –
16n-6 KR4 ← KR3 KPS2 ← IEC2(KPS1) KR4 ← KR3 KPS2 ← IEC2(KPS1)
KPS3 ← IEC3(KPS2) KPS3 ← IEC3(KPS2)
KPS1 ← IEC1(ki−0, 12) KPS1 ← IEC1(I2)
KPS2 ← IEC2(KPS1) KPS2 ← IEC2(KPS1)
16n-5 KR1 ← KR4 KPS3 ← IEC3(KPS2) KR1 ← KR4 KPS3 ← IEC3(KPS2)
KR2 ← KR1 KPS4 ← IEC4(KPS3) – KR2 ← KR1 KPS4 ← IEC4(KPS3)
8i-2
KR3 ← KR2 KPS2 ← IEC2(KPS1) KR3 ← KR2 KPS2 ← IEC2(KPS1)
KR4 ← KR3 KPS3 ← IEC3(KPS2) KR4 ← KR1 KPS3 ← IEC3(KPS2)
16n-4 KPS4 ← IEC4(KPS3) KPS4 ← IEC4(KPS3)
OS0 ← IEC5(KPS4) OS0 ← IEC5(KPS4)
KPS3 ← IEC3(KPS2) KPS3 ← IEC3(KPS2)
16n-3 KPS4 ← IEC4(KPS3) KPS4 ← IEC4(KPS3)
KR1 ← KR4 OS0 ← IEC5(KPS4) KR1 ← KR4 OS0 ← IEC5(KPS4)
KR2 ← KR1 OS1 ← OS0 – KR2 ← KR1 OS1 ← OS0 –
8i-1
KR3 ← KR2 KPS4 ← IEC4(KPS3) KR3 ← KR2 KPS4 ← IEC4(KPS3)
16n-2 KR4 ← KR3 OS0 ← IEC5(KPS4) KR4 ← KR3 OS0 ← IEC5(KPS4)
OS1 ← OS0 OS1 ← OS0
OS2 ← OS1 OS2 ← OS1
KR1 ← KR4 OS0 ← IEC5(KR4) KR1 ← KR4 OS0 ← IEC5(KPS4)
16n-1 KR2 ← KR1 OS1 ← OS0 KR2 ← KR1 OS1 ← OS0
8i KR3 ← KR2 OS2 ← OS1 ki3 ← IEC(ki−0 1) xor ki−3 1(KR3) KR3 ← KR2 OS2 ← OS1 ki3 ← IEC(I) xor ki−3 1(KR3)
KR4 ← KR3 OS3 ← OS2 KR4 ← KR3 OS3 ← OS2
16n KR5 ← ki3 – KR5 ← ki3 –
8i + 1 16n + 1 KR5 ← ki2 – ki2 ← ki3(KR5) xor ki−2 1(KR3) KR5 ← ki2 – ki2 ← ki−3 1(KR4) xor ki−2 1(KR3)
KR1 ← KR5 KR1 ← KR5
16n + 2 – –
16n + 3 KR5 ← ki1 – KR5 ← ki1 –
8i + 2 KR1 ← KR5 – ki1 ← ki2(KR5) xor ki−1 1(KR3) KR1 ← KR5 – k − 1i ← ki−2 1(KR4) xor ki−1 1(KR3)
16n + 4 KR2 ← KR1 – KR2 ← KR1 –

16n + 5 KR5 ← ki0 KR5 ← ki0


8i + 3 KR1 ← KR5 – ki0 ← ki1(KR5) xor ki−0 1(KR3) KR1 ← KR5 – ki0 ← ki−1 1(KR4) xor ki−0 1(KR3)
KR2 ← KR1 KR2 ← KR1
16n + 6 KR3 ← KR2 KR3 ← KR2 –
KR1 ← KR5 KR1 ← KR5
16n + 7 KR2 ← KR1 IS ← Rotate(ki0) KR2 ← KR1 IS ← Rotate(I)
8i + 4 KR3 ← KR2 – KR3 ← KR2 I ← ki0 xor ki1(KR1)
16n + 8 KR4 ← KR3 KPS1 ← IEC1(ki0, 3) KR4 ← KR3 KPS1 ← IEC1(I3)

allows an excellent trade-off between security, fault-attack tolerance, implementation area, efficiency, power consumption and throughput, which are relevant to secure IoT applications. The integrity of encryption and decryption is an attractive feature of proposed LC-FRAES which is offered only by designs for PRESENT and PUFFIN reported in [34,53], respectively, as demonstrated in Table 5. A careful examination of Table 5 and Fig. 9 shows that the efficiency value of LC-FRAES is 42.03, which is more than the average efficiency for all block ciphers picked for comparison, i.e. 38.13.

Fig. 10 shows the scatter plot for area vs. throughput for the reported lightweight block ciphers and LC-FRAES implementations at the maximum operating frequency. As shown in this Figure, LC-FRAES is comparable to other block cipher designs in terms of implementation cost. It is worth mentioning that the designs reported in [38,39,44,52] are unprotected compact implementations of the lightweight block ciphers supporting only encryption process and the unprotected designs reported in [40,50,51] support both encryption and decryption. It should be noted that the provided throughput by LC-FRAES (241–480 Mbps, depending on the targeted platform) fulfils the demand for high-throughput IoT applications [9].

5. Fault simulation

Extensive fault simulations are performed to illustrate the fault detection ability of the LC-FRAES against random transient and permanent faults. Random faults mean that the faults are injected in random locations at random clock cycles of random rounds. In our fault simulations, different types of faults, i.e. single and multiple random

9
S. Sheikhpour et al. Microelectronics Reliability 123 (2021) 114202

Table 4
Comparison with other compact AES implementations.

| Target platform | Device (tech.) | Architecture | Key size | Data-path | # cycles per En/De | Area | Operating freq. (MHz) | Throu. | Eff. | Fault attack tolerant | En/De |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ASIC | 90 nm | Banik [18] | 128 | 32 | 44 | 5.5 | – | 28 | 5.09 | No | En |
| | 28 nm | Bui [17] | 128/192/256 | 32 | 44, 52, 60 | 8.6 | – | 28 | 3.2 | No | En |
| | 65 nm | Kim [9] | 128 | 8, 32 | 186 | 5.4 | – | 6.88 | 1.27 | No | En |
| | 90 nm | Banik [20] | 128 | 8 | 226 | 2.645 | 167 | 94.4 | 35.75 | No | Both |
| | 65 nm | Banik [20] | 128 | 8 | 226 | 2.976 | 102 | 57.8 | 19.46 | No | Both |
| | 180 nm | Haghighizadeh [19] | 128 | 8 | 160 | 5.6 | 130 | 104 | 18.57 | No | Both |
| | 180 nm | LC-FRAES | 128 | 32 | 88 | 3.55 | 230 | 334.5 | 94.22 | Yes | Both |
| FPGA | Spartan 3 XC3S50 | Legat [24] | 128 | 32 | 44 | 287 + 3 BRAMs = 671 | 101.2 | 294.4 | 0.43 | Yes | Both |
| | XC5VFX70t-2FF1136 | Benhadjyoussef [25] | 128 | 32 | 46 | 556 | 256.5 | 712.3 | 1.28 | Yes | En |
| | XC5VLX30 | Bani-Hani [23] | 128 | 32 | 44 | 69 + 3 BRAMs = 453 | 257 | 747.6 | 1.65 | No | Both |
| | Kintex7 | Bani-Hani [23] | 128 | 32 | 44 | 20 + 3 BRAMs = 404 | 293 | 852.3 | 2.1 | No | Both |
| | xc6slx9-3tqg144 | LC-FRAES | 128 | 32 | 88 | 283 | 166 | 241.4 | 0.85 | Yes | Both |
| | xc5vlx110t-3ff1136 | LC-FRAES | 128 | 32 | 88 | 280 | 226 | 328.7 | 1.17 | Yes | Both |
| | xc7vx330t-3ffg1157 | LC-FRAES | 128 | 32 | 88 | 277 | 310 | 450.9 | 1.62 | Yes | Both |
| | xc7k70t-3fbg676 | LC-FRAES | 128 | 32 | 88 | 271 | 330 | 480 | 1.77 | Yes | Both |

Table 5
Comparison with compact FPGA implementations of other lightweight block ciphers.

| Architecture | Device (tech.) | Key size | Data-path | # cycles per En/De | Area | Operating freq. (MHz) | Throug. | Eff. | Fault attack tolerant | En/De |
|---|---|---|---|---|---|---|---|---|---|---|
| PRESENT [53] | xc5vlx110t-3ff1136 | 80 | 64 | 32 | 157 | 186.3 | 372.6 | 2.37 | No | Both |
| LC-FRAES | xc5vlx110t-3ff1136 | 128 | 32 | 88 | 280 | 226 | 328.7 | 1.17 | Yes | Both |
| LED [42] | xc7vx330t-3ffg1157 | 64 | 64 | 32 | 217 | 169.09 | 338.18 | 1.55 | Yes | En |
| HIGHT [42] | xc7vx330t-3ffg1157 | 64 | 128 | 32 | 252 | 372.3 | 744.6 | 2.95 | Yes | En |
| Simon [45] | xc7vx330t-3ffg1157 | 48 | 96 | 36 | 95 | 219 | 292 | 3.07 | Yes | En |
| LC-FRAES | xc7vx330t-3ffg1157 | 128 | 32 | 88 | 277 | 310 | 450.9 | 1.62 | Yes | Both |
| XTEA [47] | xc7k70tlfbg676-2L | 128 | 64 | – | 228 | 345.9 | 26.42 | 0.115 | Yes | En |
| XTEA [47] | xc7k70tlfbg676-2L | 128 | 64 | – | 203 | 203.5 | 28.69 | 0.14 | Yes | En |
| LC-FRAES | xc7k70t-3fbg676 | 128 | 32 | 88 | 271 | 330 | 480 | 1.77 | Yes | Both |

Table 6
Comparison with compact ASIC implementations of other lightweight block ciphers at 100 KHz.

| Target platform | Architecture | Key size | block size | # cycles per En/De | Area | Throug. (@ 100 KHz) | Eff. | Power (@ 100 KHz) | Fault attack tolerant | En/De |
|---|---|---|---|---|---|---|---|---|---|---|
| ASIC 180 nm | PRESENT [35] | 128 | 64 | 528 | 1.339 | 12.12 | 9.05 | – | No | En |
| | EPCBC-96 [35] | 96 | 96 | 792 | 1.333 | 12.12 | 9.09 | – | No | En |
| | PRESENT [53] | 80 | 64 | 32 | 2.285 | 200 | 87.52 | 5.52 | No | En/De |
| | PRESENT [37] | 128 | 64 | 559 | 1.391 | 11.45 | 8.23 | 2.08 | No | En |
| | Simon [44] | 128 | 128 | 140 | 1.665 | 91.4 | 54.89 | – | No | En |
| | Speck [44] | 128 | 128 | 132 | 2.179 | 96.96 | 44.46 | – | No | En |
| | TEA [46] | 128 | 64 | 64 | 2.355 | 100 | 42.46 | 3.53 | No | En |
| | PUFFIN [34] | 128 | 64 | 32 | 2.577 | 200 | 77.6 | 3.86 | No | En/De |
| | LED [29] | 128 | 64 | 1872 | 0.7 | 3.42 | 4.88 | – | No | En |
| | mCrypton [48] | 128 | 64 | 190 | 2.76 | 33.51 | 12.14 | 4.14 | No | En |
| | ICEBERG [33] | 128 | 64 | 16 | 5.817 | 400 | 68.17 | 8.72 | No | En/De |
| | NOEKEON [48] | 128 | 128 | 3720 | 2.862 | 3.44 | 1.2 | 4.3 | No | En |
| | HIGHT [43] | 128 | 64 | 34 | 2.608 | 188.2 | 72.16 | – | No | En |
| | LC-FRAES | 128 | 128 | 88 | 3.46 | 145.45 | 42.03 | 11.01 | Yes | En/De |

stuck-at-0, stuck-at-1, and bit-flip faults with different numbers of bits, are injected into the proposed LC-FRAES architecture. A random number generator determines the location, size, type, and time of faults. Fault simulations are performed over 10,000,000 times. Our fault simulations show that (a) for random faults which are injected only in combinational part of LC-FRAES data-path, we have error

10
S. Sheikhpour et al. Microelectronics Reliability 123 (2021) 114202

Fig. 9. Efficiency comparison.

Fig. 10. Area vs. Throughput for various block ciphers.

coverage of 100%, (b) for random faults which are injected in both combinational and sequential parts, we have the error coverage of around 99.99922%. As we expected, most of the faults are detected by LC-FRAES. Thus, our architectures provide sufficient reliability against both natural and malicious faults which makes it a practical secure communication/data solution for a variety of resource-constrained applications.

6. Conclusion

In safety-critical real-time resource-constrained applications such as some IoT applications, the occurrence of random and malicious faults, because of the nature of VLSI circuit technology and fault attacks, respectively, has become a severe problem in secure implementations. Incorporating cryptographic implementations with an error detection technique can significantly improve their security and reliability. In this paper, we present LC-FRAES, which is a very low-cost 32-bit integrated architecture with error detection capability for AES. LC-FRAES exploits an effective resource sharing for data-path and on-the-fly key expansion unit between encryption and decryption.

In our proposed design the linear operations of AES, i.e. AddRoundKey and MixColumn, are located in one pipeline stage and the only nonlinear operation, i.e. SubByte, is located in another pipeline stage. This is one of the most important characteristics of the LC-FRAES because it enables us to choose appropriate detection techniques for these AES operations according to their structural features. Our fault injections in simulation level show that the fault coverage of LC-FRAES is close to 100%.

The proposed design offers data rates in the range of 241–480 Mbps while utilizing 271–283 slices (3.55 k GE), depending on the implementation platform. The comparison results show that our LC-FRAES is not only beneficial for IoT design metrics such as area and throughput but also the security and reliability features.
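The fault-simulation campaign described in Section 5 (random location, size, type and time of each fault, then a coverage figure) can be sketched as follows. This is an added example, not the authors' simulator or the LC-FRAES design: it injects transient single- and multi-bit stuck-at-0, stuck-at-1 and bit-flip faults into a toy SubWord slot protected by computation, re-computation and an error flag. The three-cycle slot timing, the site names "comb" and "seq", the 1 to 8 bit fault size and the resulting numbers are assumptions of this model and say nothing about the coverage measured for LC-FRAES.

```python
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox():
    """AES S-box from its definition: field inverse, then affine map."""
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):                  # x^254 = x^-1 (and 0 -> 0)
            inv = _gf_mul(inv, x)
        y = inv
        for s in range(1, 5):                 # XOR in four left rotations
            y ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        box.append(y ^ 0x63)
    return box

SBOX = _build_sbox()
FAULT_TYPES = ("stuck-at-0", "stuck-at-1", "bit-flip")

def sub_word(w):
    """SubWord: apply the S-box to each byte of a 32-bit word."""
    return sum(SBOX[(w >> s) & 0xFF] << s for s in (0, 8, 16, 24))

def apply_fault(value, mask, ftype):
    """Force or flip the bits selected by mask in a 32-bit value."""
    if ftype == "stuck-at-0":
        return value & ~mask & 0xFFFFFFFF
    if ftype == "stuck-at-1":
        return value | mask
    return value ^ mask

def run_slot(x, site, cycle, mask, ftype):
    """One slot of the assumed schedule with a single transient fault.

    Cycle 0 computes, cycle 1 re-computes and compares (error flag),
    cycle 2 holds the checked result. Site "comb" is the S-box output
    net, "seq" the result register; a "comb" fault in cycle 2 or a
    "seq" fault in cycle 0 has no effect. Returns (register, flag).
    """
    first = sub_word(x)
    if site == "comb" and cycle == 0:
        first = apply_fault(first, mask, ftype)
    reg = first                               # captured at end of cycle 0
    if site == "seq" and cycle == 1:
        reg = apply_fault(reg, mask, ftype)   # upset before the compare
    second = sub_word(x)
    if site == "comb" and cycle == 1:
        second = apply_fault(second, mask, ftype)
    flag = reg != second
    if site == "seq" and cycle == 2:
        reg = apply_fault(reg, mask, ftype)   # upset after the compare
    return reg, flag

def campaign(site, trials, seed):
    """Inject `trials` random faults at `site` and classify each one as
    detected (flag raised), silent (wrong output, no flag) or masked."""
    rng = random.Random(seed)
    counts = {"detected": 0, "silent": 0, "masked": 0}
    for _ in range(trials):
        x = rng.getrandbits(32)               # constructed random input word
        size = rng.randint(1, 8)              # number of faulty bits
        mask = sum(1 << b for b in rng.sample(range(32), size))
        ftype = rng.choice(FAULT_TYPES)
        cycle = rng.randrange(3)              # time of the fault
        out, flag = run_slot(x, site, cycle, mask, ftype)
        key = "detected" if flag else "silent" if out != sub_word(x) else "masked"
        counts[key] += 1
    return counts

def coverage(counts):
    """Error coverage = detected / (detected + silent)."""
    effective = counts["detected"] + counts["silent"]
    return counts["detected"] / effective if effective else 1.0

if __name__ == "__main__":
    for site in ("comb", "seq"):
        c = campaign(site, 20000, seed=1)
        print(site, c, round(coverage(c), 4))
```

Masked faults (for example a stuck-at-0 on bits that were already 0) are excluded from the coverage denominator, which is why the metric is computed over detected and silent outcomes only.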

11
S. Sheikhpour et al. Microelectronics Reliability 123 (2021) 114202

CRediT authorship contribution statement

Saeideh Sheikhpour: Conceptualization, Methodology, Investigation, Software (Implementation), Verification, Investigation, Writing, Reviewing and Editing.
Seok-Bum Ko: Reviewing and Editing.
Ali Mahani: Supervision, Reviewing and Editing.

Declaration of competing interest

All people who meet authorship criteria are listed as authors, and all authors certify that they have participated sufficiently in the work to take public responsibility for the content, including participation in the concept, design, analysis, writing, or revision of the manuscript. Furthermore, each author certifies that this material or similar material has not been and will not be submitted to or published in any other publication before its appearance in the Microelectronics Reliability Journal.

References

[1] Teng Xu, James B. Wendt, Miodrag Potkonjak, Security of iot systems: design challenges and opportunities, in: Proceedings of the 2014 IEEE/ACM International Conference on Computer-aided Design, IEEE Press, 2014, pp. 417–423.
[2] Yin Jie, Ji Yong Pei, Li Jun, Yun Guo, Xu Wei, Smart home system based on iot technologies, in: 2013 International Conference on Computational and Information Sciences, IEEE, 2013, pp. 1789–1791.
[3] M. Mazhar Rathore, Awais Ahmad, Anand Paul, Seungmin Rho, Urban planning and building smart cities based on the internet of things using big data analytics, Comput. Netw. 101 (2016) 63–80.
[4] P.S. Saarika, K. Sandhya, T. Sudha, Smart transportation system using iot, in: 2017 International Conference on Smart Technologies For Smart Nation (SmartTechCon), IEEE, 2017, pp. 1104–1107.
[5] Thanh Nam Pham, Ming-Fong Tsai, Duc Binh Nguyen, Chyi-Ren Dow, Der-Jiunn Deng, A cloud-based smart-parking system based on internet-of-things technologies, in: IEEE Access 3, 2015, pp. 1581–1591.
[6] Mario Frustaci, Pasquale Pace, Gianluca Aloi, Giancarlo Fortino, Evaluating critical security issues of the iot world: present and future challenges, IEEE Internet Things J. 5 (4) (2017) 2483–2495.
[7] Sye Loong Keoh, Sandeep S. Kumar, Hannes Tschofenig, Securing the internet of things: a standardization perspective, IEEE Internet Things J. 1 (3) (2014) 265–275.
[8] National Institute of Standards and Technology, Advanced Encryption Standard 197, NIST FIPS PUB, 2001.
[9] Ho Keun Kim, Myung Hoon Sunwoo, Low power aes using 8-bit and 32-bit datapath optimization for small internet-of-things (iot), J. Signal Process. Syst. 91 (11–12) (2019) 1283–1289.
[10] David Kleidermacher, Mike Kleidermacher, Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development, Elsevier, 2012.
[11] Jinbao Zhang, Ning Wu, Jianhua Li, Fang Zhou, A novel differential fault analysis using two-byte fault model on aes key schedule, IET Circuits Devices Syst. 13 (5) (2019) 661–666.
[12] Trevor E. Pogue, Nicola Nicolici, Incremental fault analysis: relaxing the fault model of differential fault attacks, IEEE Trans. Very Large Scale Integr. VLSI Syst. 28 (3) (2019) 750–763.
[13] Gilles Piret, Jean-Jacques Quisquater, A differential fault attack technique against spn structures, with application to the aes and khazad, in: International Workshop on Cryptographic Hardware and Embedded Systems, Springer, 2003, pp. 77–88.
[14] Hassen Mestiri, Fatma Kahri, Belgacem Bouallegue, Mohsen Machhout, A high-speed aes design resistant to fault injection attacks, Microprocess. Microsyst. 41 (2016) 47–55.
[15] Saeide Sheikhpour, Ali Mahani, Nasour Bagheri, High throughput fault-resilient aes architecture, IET Comput. Digit. Tech. 13 (4) (2018) 312–323.
[16] Saeide Sheikhpour, Ali Mahani, Nasour Bagheri, Practical fault resilient hardware implementations of aes, IET Circuits Devices Syst. 13 (5) (2019) 596–606.
[17] Duy-Hieu Bui, Diego Puschini, Simone Bacles-Min, Edith Beigné, Xuan-Tu Tran, Aes datapath optimization strategies for low-power low-energy multisecurity-level internet-of-things applications, IEEE Trans. Very Large Scale Integr. VLSI Syst. 25 (12) (2017) 3281–3290.
[18] Subhadeep Banik, Andrey Bogdanov, Francesco Regazzoni, Exploring energy efficiency of lightweight block ciphers, in: International Conference on Selected Areas in Cryptography, Springer, 2015, pp. 178–194.
[19] F. Haghighizadeh, H. Attarzadeh, M. Sharifkhani, A compact 8-bit aes crypto-processor, in: 2010 Second International Conference on Computer and Network Technology, IEEE, 2010, pp. 71–75.
[20] Subhadeep Banik, Andrey Bogdanov, Francesco Regazzoni, Atomic-aes: a compact implementation of the aes encryption/decryption core, in: International Conference on Cryptology in India, Springer, 2016, pp. 173–190.
[21] Akashi Satoh, Sumio Morioka, Kohji Takano, Seiji Munetoh, A compact rijndael hardware architecture with s-box optimization, in: International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2001, pp. 239–254.
[22] Karim Shahbazi, Seok-Bum Ko, Area-efficient nano-aes implementation for internet-of-things devices, IEEE Trans. Very Large Scale Integr. VLSI Syst. (2020).
[23] Raed Bani-Hani, Khaldoon Mhaidat, Salah Harb, Very compact and efficient 32-bit aes core design using fpgas for small-footprint low-power embedded applications, J. Circuits Syst. Comput. 25 (07) (2016) 1650080.
[24] Uroš Legat, Anton Biasizzo, Franc Novak, A compact aes core with on-line error-detection for fpga applications with modest hardware resources, Microprocess. Microsyst. 35 (4) (2011) 405–416.
[25] Noura Benhadjyoussef, Mouna Karmani, Mohsen Machhout, Belgacem Hamdi, A hybrid countermeasure-based fault-resistant aes implementation, J. Circuits Syst. Comput. 29 (03) (2020) 2050044.
[26] Amir Moradi, Axel Poschmann, San Ling, Christof Paar, Huaxiong Wang, Pushing the limits: a very compact and a threshold implementation of aes, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2011, pp. 69–88.
[27] Sushil Jajodia, Henk C.A. van Tilborg, Encyclopedia of Cryptography and Security: A-K, Springer, 2011.
[28] Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J.B. Robshaw, Yannick Seurin, Charlotte Vikkelsoe, Present: an ultra-lightweight block cipher, in: International Workshop on Cryptographic Hardware and Embedded Systems, Springer, 2007, pp. 450–466.
[29] Jian Guo, Thomas Peyrin, Axel Poschmann, Matt Robshaw, The led block cipher, in: International Workshop on Cryptographic Hardware and Embedded Systems, Springer, 2011, pp. 326–341.
[30] Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers, The simon and speck families of lightweight block ciphers, IACR Cryptol. 404 (2013) ePrint Arch.
[31] David J. Wheeler, Roger M. Needham, Tea, a tiny encryption algorithm, in: International Workshop on Fast Software Encryption, Springer, 1994, pp. 363–366.
[32] Roger M. Needham, David J. Wheeler, Tea Extensions. Report, Cambridge University, 1997.
[33] Huiju Cheng, Howard M. Heys, Compact asic implementation of the iceberg block cipher with concurrent error detection, in: 2008 IEEE International Symposium on Circuits and Systems, IEEE, 2008, pp. 2921–2924.
[34] Huiju Cheng, Howard M. Heys, Cheng Wang, Puffin: a novel compact block cipher targeted to embedded digital systems, in: 2008 11th EUROMICRO Conference on Digital System Design Architectures, Methods and Tools, IEEE, 2008, pp. 383–390.
[35] Huihui Yap, Khoongming Khoo, Axel Poschmann, Matt Henricksen, Epcbc-a block cipher suitable for electronic product code encryption, in: International Conference on Cryptology and Network Security, Springer, 2011, pp. 76–97.
[36] Taizo Shirai, Kyoji Shibutani, Toru Akishita, Shiho Moriai, Tetsu Iwata, The 128-bit blockcipher clefia, in: International Workshop on fast Software Encryption, Springer, 2007, pp. 181–195.
[37] A. Poschmann, Lightweight Cryptography-cryptographic Engineering for a Pervasive World, Ph. D. Thesis, Ruhr University Bochum, 2009.
[38] Carsten Rolfes, Axel Poschmann, Gregor Leander, Christof Paar, Ultra-lightweight implementations for smart devices–security for 1000 gate equivalents, in: International Conference on Smart Card Research and Advanced Applications, Springer, 2008, pp. 89–103.
[39] Wang Cheng, Howard M. Heys, An ultra compact block cipher for serialized architecture implementations, in: 2009 Canadian Conference on Electrical and Computer Engineering, IEEE, 2009, pp. 1085–1090.
[40] Bahram Rashidi, Efficient and high-throughput application-specific integrated circuit implementations of hight and present block ciphers, IET Circuits Devices Syst. 13 (6) (2019) 731–740.
[41] Deukjo Hong, Jaechul Sung, Seokhie Hong, Jongin Lim, Sangjin Lee, Bon-Seok Koo, Changhoon Lee, Donghoon Chang, Jesang Lee, Kitae Jeong, et al., Hight: a new block cipher suitable for low-resource device, in: International Workshop on Cryptographic Hardware and Embedded Systems, Springer, 2006, pp. 46–59.
[42] Srivatsan Subramanian, Mehran Mozaffari-Kermani, Reza Azarderakhsh, Mehrdad Nojoumian, Reliable hardware architectures for cryptographic block ciphers led and hight, IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 36 (10) (2017) 1750–1758.
[43] Sufyan Salim Mahmood AlDabbagh, I.A. Shaikhli, Lightweight block ciphers: a comparative study, J. Adv. Comput. Sci. Technol. Res. 2 (4) (2012) 159–165.
[44] Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers, Implementation and Performance of the Simon and Speck Lightweight Block Ciphers on Asics, 2016.
[45] Prashant Ahir, Mehran Mozaffari-Kermani, Reza Azarderakhsh, Lightweight architectures for reliable and fault detection simon and speck cryptographic algorithms on fpga, ACM Trans. Embed. Comput. Syst. 16 (4) (2017) 1–17.
[46] Y. Yu, Y. Yang, Y. Fan, H. Min, Security Scheme for rfid Tag, Auto-ID Labs Fudan University, 2006. White Paper.
[47] Kai Tian, Fault-resilient Lightweight Cryptographic Block Ciphers for Secure Embedded Systems, Thesis, 2014.
[48] Thomas Plos, Christoph Dobraunig, Markus Hofinger, Alexander Oprisnik, Christoph Wiesmeier, Johannes Wiesmeier, Compact hardware implementations of the block ciphers mcrypton, noekeon, and sea, in: International Conference on Cryptology in India, Springer, 2012, pp. 358–377.
[49] Naina Gupta, Arpan Jati, Anupam Chattopadhyay, Somitra Kumar Sanadhya, Donghoon Chang, Threshold implementations of gift: a trade-off analysis, IACR Cryptol. 1040 (2017) ePrint Arch.
[50] P. Saravanan, S. Subha Rani, S. Shanthi Rekha, H.S. Jatana, An efficient asic implementation of clefia encryption/decryption algorithm with novel s-box architectures, in: 2019 IEEE 1st International Conference on Energy, Systems and Information Processing (ICESIP), IEEE, 2019, pp. 1–6.
[51] Bahram Rashidi, Low-cost and two-cycle hardware structures of prince lightweight block cipher, Int. J. Circuit Theory Appl. (2020).
[52] Christof Beierle, Gregor Leander, Amir Moradi, Shahram Rasoolzadeh, Craft: lightweight tweakable block cipher with efficient protection against dfa attacks, IACR Trans. Symmetric Cryptol. 2019 (1) (2019) 5–45.
[53] Wei Zhao, Yi Wang, Renfa Li, A unified architecture for dpa-resistant present, in: 2012 International Conference on Innovations in Information Technology (IIT), IEEE, 2012, pp. 244–248.
[54] Chung-Yi Li, Chih-Feng Chien, Jin-Hua Hong, Tsin-Yuan Chang, An efficient area-delay product design for mixcolumns/invmixcolumns in aes, in: 2008 IEEE Computer Society Annual Symposium on VLSI, IEEE, 2008, pp. 503–506.
[55] Xiaofei Guo, Ramesh Karri, Recomputing with permuted operands: a concurrent error detection approach, IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 32 (10) (2013) 1595–1608.
[56] Nabihah Ahmad, S.M. Rezaul Hasan, Low-power compact composite field aes s-box/inv s-box design in 65 nm cmos using novel xor gate, Integration 46 (4) (2013) 333–344.
[57] Karim Shahbazi, Seok-Bum Ko, High throughput and area-efficient fpga implementation of aes for high-traffic applications, IET Comput. Digit. Tech. 14 (6) (2020) 344–352.

Saeideh Sheikhpour received her Ph.D. in Electrical Engineering from Shahid Bahonar University, Kerman, Iran, in 2019. Her current research interests are in the areas of fault-tolerant design, reliable and secure cryptographic hardware design, circuit and system reliability and quality, soft computing, artificial intelligence and sensor networks.

Seok-bum Ko is currently a Professor at the Department of Electrical and Computer Engineering and the Division of Biomedical Engineering, University of Saskatchewan, Canada. He got his PhD degree from the University of Rhode Island, USA in 2002. His research interests include computer architecture/arithmetic, efficient hardware implementation of compute-intensive applications, deep learning processor architecture and biomedical engineering. He is a senior member of IEEE circuits and systems society and an associate editor of IEEE TCAS I and IEEE Access.

Ali Mahani received the B.Sc. degree in electronic engineering from Shahid Bahonar University of Kerman, Iran, in 2001, and the M.Sc. and Ph.D. degrees, both in Electronic Engineering, from Iran University of Science and Technology (IUST), Tehran, Iran, in 2003 and 2009 respectively. Since then he has been with the electrical engineering department of Shahid Bahonar University of Kerman, where he is currently an associate professor. His research interests focus on Fault-tolerant design, FPGA-based accelerators, approximate digital circuits, stochastic computing and Networked System.
