Blockcipher >256 bit (for hardware implementation)

Hi,

I'm looking for suggestions for a blockcipher.

The implementation will be done in hardware (FPGA), so the encryption
and decryption function should be "cheap" on hardware resources. It
should do 10-100MByte/s throughput, and provide low latency (ie process
only one block at a time). It's convenient (but not necessary) that
encryption and decryption share the same resources. The key expansion
will be implemented in software and thus is not subject to limited
hardware resources.

The blocksize must be 320 bits (or slightly more), and the key size 128
bits (or more). I'm targetting an overall security of 2^64. That is,
despite the large block and key sizes, I can live with known attacks as
long as their complexity is 2^64 or higher. I suppose lots of
academically broken ciphers would still qualify for me.

Until now, I've checked most popular algorithms, but didn't find a good
fit. The blocksize requirement is the hardest part. Most algorithms
don't operate on such large blocks (256 bits being the largest I've
seen).

A DES-like algorithm would be perfect, but there's no published 320bit
wide variant (and I can't come up with secure SBOX values myself). RC5
is configurable for the blocksize, but implementating a 320-bit
barrelshifter is very costly. I might come up with an AES variant for
the blocksize (Rijndael specifies 128/192/256 bit blocks), but the FPGA
implementation will be either slow or large (replicated SBOXes).

Do you have a suggestion for me? What other blockcipher could I
consider?

Regards,
Marc

.