Received June 25, 2021, accepted July 18, 2021, date of publication July 26, 2021, date of current version August 3, 2021.
Digital Object Identifier 10.1109/ACCESS.2021.3100104

A Flexible Gimli Hardware Implementation in FPGA and Its Application to RFID Authentication Protocols

SAFIULLAH KHAN¹, WAI-KONG LEE² (Member, IEEE), AND SEONG OUN HWANG² (Senior Member, IEEE)
¹Department of IT Convergence Engineering, Gachon University, Seongnam 13120, Republic of Korea
²Department of Computer Engineering, Gachon University, Seongnam 13120, Republic of Korea
Corresponding author: Seong Oun Hwang (sohwang@gachon.ac.kr)

This work was supported in part by the National Research Foundation of Korea (NRF) Grant by the Korean Government [Ministry of Science and ICT (MSIT)] under Grant 2020R1A2B5B01002145, and in part by the Gachon University Research Fund of 2020 under Grant GCU-202004370001.

ABSTRACT Radio Frequency Identification (RFID) systems have bestowed numerous conveniences in a multitude of applications, but the underlying wireless communications architecture makes them vulnerable to several security threats. To mitigate these issues, various authentication protocols have been proposed. The literature accommodates comprehensive proposals and analysis of authentication protocols, but not many of them provide hardware implementations. In addition, there is diverse demand for hardware area and throughput (TP) requirements from RFID system components (tags, readers, database servers), which demand a flexible implementation strategy. This paper proposes a flexible implementation strategy for the lightweight authenticated encryption (AE) and hash function called Gimli, and applies it to a state-of-the-art authentication protocol. This allows the authentication protocol to be implemented efficiently, wherein the area and TP can be adjusted flexibly according to the RFID system requirements.
This implementation strategy is generic; it can be used to implement any other AE and hash functions. This strategy can also be applied to other authentication protocols that heavily use AE and hash functions. To provide a detailed analysis, the hardware optimization techniques in each component of the RFID system for a state-of-the-art authentication protocol are analyzed. When implemented with the most area-optimized versions, we achieve TP of 740 Mbps and 420 Mbps for Gimli hash and Gimli AE, respectively, and for throughput-oriented implementation, the results are 3.08 Gbps and 1.43 Gbps, respectively. This shows that the proposed implementation strategies allow us to implement authentication protocols in a flexible manner to meet the differing requirements in TP and area for RFID applications.

INDEX TERMS Authenticated encryption, FPGA, Gimli, lightweight cryptography, RFID.

The associate editor coordinating the review of this manuscript and approving it for publication was Kuo-Hui Yeh.

I. INTRODUCTION

The Internet of Things (IoT) is a network of devices linked via the Internet such that the devices can be monitored and managed remotely [1]. Common applications involve remote data collection and transmission, such as cyber physical systems, Radio Frequency Identification (RFID), smart cities, sensor networks, smart vehicles, etc. One of the most commonly used technologies in building IoT sensor nodes is RFID [2]. With the increasing acceptance of IoT technology by the public, the horizon for RFID utilization has gradually expanded. RFID systems have been employed in a wide range of applications, ranging from object tracking to health care [3]. RFID systems consist of tags, readers, and a database server. The tag is an electronic device that can exchange data with the readers in the RFID system [4]. Generally, a tag has a small amount of storage and little computation capability [5]. RFID tags can be either passive or active.
The RFID reader is the core component of the RFID system, having moderate storage and computation capabilities. The reader can activate the tags and can send and receive messages to and from the tags. In addition, it is responsible for availability of tag information at the application level [6]. The database server has a considerable storage capability and a high computation

VOLUME 9, 2021, page 105327. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/