0018-9340 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2018.2811467, IEEE Transactions on Computers

IEEE TRANSACTIONS ON COMPUTERS, VOL. NN, NO. N, NN 2018

Towards a Cryptographic Minimal Design: The sLiSCP Family of Permutations

Riham AlTawy, Raghvendra Rohit, Morgan He, Kalikinkar Mandal, Gangqiang Yang, and Guang Gong, Fellow, IEEE

Abstract—The security of highly resource constrained applications is often viewed in the literature from a single aspect of a specific cryptographic primitive. More precisely, most of the proposed lightweight cryptographic primitives focus on providing a single functionality within the available hardware area dedicated for security purposes. In this paper, we argue that for such applications, a cryptographic primitive that follows the cryptographic minimal design strategy may be the only realistically adopted security solution where there is a constrained GE budget for all security functionalities. Indeed, it is reasonable, if not desirable, for the adopted cryptographic design to have well justified building components and to provide minimal overhead for multiple cryptographic functionalities including encryption, hashing, authentication, and pseudorandom bit generation. Following such a strategy, we propose the sLiSCP family of lightweight cryptographic permutations which employs two of the most hardware efficient and extensively cryptanalyzed constructions, namely a 4-subblock Type-2 Generalized Feistel-like Structure (GFS) and round-reduced unkeyed Simeck.
In addition to the hardware efficiency, we follow restrictive security design goals which enable us to provide resistance against differential and linear cryptanalysis, as well as guaranteed resistance to diffusion-based, algebraic, and self-symmetry distinguishers, and accordingly, we claim that there exist no structural distinguishers for sLiSCP-b with a complexity below $2^{b/2}$, where $b$ is the state size. Moreover, we present the sLiSCP duplex sponge mode to illustrate how the permutations can be used in a unified design that provides (authenticated) encryption, hashing, and pseudorandom bit generation functionalities. Finally, we report two efficient parallel hardware implementations for the sLiSCP unified duplex sponge mode when using sLiSCP-192 (resp. sLiSCP-256) in CMOS 65 nm ASIC with area of 2289 (resp. 3039) GE and a throughput of 29.62 (resp. 44.44) kbps, and their areas in CMOS 130 nm are 2498 (resp. 3319) GE.

Index Terms—Lightweight cryptography, Cryptographic permutation, Simeck block cipher, Generalized Feistel Structure, Sponge duplexing, Authenticated encryption, Hash function.

1 INTRODUCTION

NIST's recent interest in lightweight cryptography, which started in 2013 and is currently turning into a standardization competition [1] due to the noticeable lack of such standards, has caused a flurry in the research area. Nonetheless, such a lack has been anticipated by the cryptographic community for over a decade, and even before NIST's lightweight cryptography project, metrics for what constitutes a lightweight cryptographic design have been studied. More precisely, researchers have investigated throughput, power consumption, latency, but most importantly hardware area. In fact, it has long been commonly held in the literature that an upper bound of 2000 GE hardware area is what defines a lightweight design [2], [3].
Such a bound is derived from passive RFID tags whose areas range between 1000 and 10000 GE, out of which a maximum of 20% is to be used for all security functionalities [3]. Although lightweight applications span a spectrum of devices, which vary from highly constrained in terms of area and power consumption, such as Electronic Product Code (EPC) tags [3], [4] and implantable medical devices [5], to less constrained ones such as vehicular embedded systems where latency may be the most important metric [1], [6], researchers propose cryptographic algorithms based only on one set of criteria including the 2000 GE bound.

R. AlTawy, R. Rohit, M. He, K. Mandal, G. Yang, and G. Gong are with the Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, N2L 3G1, CANADA. E-mail: {raltawy, rsrohit, myhe, kmandal, g37yang, ggong}@uwaterloo.ca

In this paper, we emphasize the importance of cryptographic designs that follow the cryptographic minimal design strategy. Similar to the advantage of having an encryption algorithm where both encryption and decryption use the same round function, the concept of cryptographic minimal design aims to unify one design for as many cryptographic functionalities as possible without compromising the security. While such a concept has been studied before with the introduction of the permutation-based sponge construction [7], a minimal cryptographic design should utilize justified hardware efficient building blocks, where such justification should accommodate the application operation requirements. For example, in an airbag vehicular embedded system where the response time is of paramount importance, a Substitution-Permutation Network (SPN)-based design is well justified over a Feistel structure, which usually requires a larger number of rounds to achieve the same security with lower hardware footprint.
As a trade-off for having a minimal design, some redundancy may be introduced and thus, latency and throughput of individual functionalities may not be optimized. Nevertheless, what remains the most important aspect in an acceptable realistic secure lightweight cryptographic design is its hardware footprint, given that it offers acceptable metrics for throughput and latency. As a result, we find that permutation-based sponge duplexing [8] is well suited for a minimal cryptographic design and thus, we resolve to design a lightweight family of permutations to efficiently provide multiple cryptographic functionalities with