Amazing Fast Crypto for IoT — US NIST Fingers ASCON

Implementing modern cryptography standards on tiny IoT devices is hard. They’re underpowered, need to sip battery charge and something like AES is often overkill.

After many years of testing and thinking, the U.S. National Institute of Standards and Technology (NIST) has published its standard crypto algorithm for low-power devices. The “ASCON” suite is the winner.

It’ll be useful on cheap, tiny devices such as RFID chips (pictured), which cost about 25¢ (also pictured). In today’s SB Blogwatch, in NIST we trust—or do we?

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ChatGPT is a perfectly balanced AI with no exploits.

CAESAR Winner Wins Again

What’s the craic? Jeff Burt reports—“NIST weighs up algorithms for small devices … with light crypto”:

Lightweight cryptography
[NIST] wants to protect all devices great and small, and is getting closer to settling on next-gen cryptographic algorithms. … Internet of Things (IoT) gadgets include everything from implanted medical devices and keyless car fobs to wearable devices and smart cities systems. … They often … are security-challenged by their limited size and low-power processors.

After years of testing and winnowing down dozens of contenders, NIST announced … it has tapped ASCON – a package of seven algorithms for authenticated encryption and related operations – as the choice to safeguard data collected by IoT devices. [NIST] asked for cryptography solutions in 2018, receiving 57 submissions. Cryptographers pulled apart and searched for weaknesses in the algorithms before choosing ten finalists and then getting down to one to rule them all.

Two algorithms [are] among the most important for lightweight cryptography: …
Authenticated encryption with associated data (AEAD) … ensures a message remains confidential but allows other information like message headers or a device’s IP address to be included but not encrypted. It also ensures the protected data is authentic and wasn’t changed in transit.
With hashing, a short digital fingerprint of a message is created, letting the recipient determine if the message was changed.
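The two primitives Burt describes, AEAD and hashing, are concrete enough to show in code. What follows is an added example written for this post, not code from the article, from NIST or from the Ascon designers: a direct Python transcription of Ascon-128 (AEAD) and Ascon-Hash using the parameters of the Ascon v1.2 submission that won the competition (NIST's later standard document revised some encoding details, so check against the test vectors of whichever version you deploy). It assumes 16-byte keys and nonces and the 8-byte rate of Ascon-128; the sample header and reading are constructed here. The decrypt path shows the property Burt's quote cares about: associated data such as a device header stays in the clear but is bound to the tag, and if the tag fails nothing is released.

```python
# Added example (not from the article): Ascon-128 AEAD and Ascon-Hash, v1.2 parameters.
import hmac

MASK64 = (1 << 64) - 1
ASCON128_IV = 0x80400C0600000000   # Ascon-128: k=128, rate=64 bits, a=12, b=6 rounds
ASCONHASH_IV = 0x00400C0000000100  # Ascon-Hash: rate=64 bits, a=b=12, 256-bit digest

def rotr(x, n):  # rotate a 64-bit word right by n bits
    return ((x >> n) | (x << (64 - n))) & MASK64

def permutation(S, rounds):
    """Apply the last `rounds` of the 12-round Ascon permutation to the 5x64-bit state S."""
    for r in range(12 - rounds, 12):
        S[2] ^= 0xF0 - r * 0x10 + r                       # round constant
        S[0] ^= S[4]; S[4] ^= S[3]; S[2] ^= S[1]          # 5-bit S-box, bit-sliced across words
        T = [(~S[i] & MASK64) & S[(i + 1) % 5] for i in range(5)]
        for i in range(5):
            S[i] ^= T[(i + 1) % 5]
        S[1] ^= S[0]; S[0] ^= S[4]; S[3] ^= S[2]; S[2] ^= MASK64
        S[0] ^= rotr(S[0], 19) ^ rotr(S[0], 28)           # linear diffusion layer
        S[1] ^= rotr(S[1], 61) ^ rotr(S[1], 39)
        S[2] ^= rotr(S[2], 1) ^ rotr(S[2], 6)
        S[3] ^= rotr(S[3], 10) ^ rotr(S[3], 17)
        S[4] ^= rotr(S[4], 7) ^ rotr(S[4], 41)

def pad(data):  # Ascon padding: one 0x80 byte, then zeros up to a multiple of the 8-byte rate
    return data + b"\x80" + b"\x00" * (7 - len(data) % 8)

def blocks(data):  # split bytes into 64-bit big-endian words, the byte order the v1.2 spec mandates
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def _init(key, nonce):
    if len(key) != 16 or len(nonce) != 16:
        raise ValueError("Ascon-128 needs a 16-byte key and a 16-byte nonce")
    k0, k1 = blocks(key)
    S = [ASCON128_IV, k0, k1, *blocks(nonce)]
    permutation(S, 12)
    S[3] ^= k0; S[4] ^= k1
    return S, k0, k1

def _absorb_ad(S, ad):
    if ad:  # empty associated data is not absorbed at all
        for block in blocks(pad(ad)):
            S[0] ^= block
            permutation(S, 6)
    S[4] ^= 1  # domain separation between the AD phase and the message phase

def _finalize(S, k0, k1):
    S[1] ^= k0; S[2] ^= k1
    permutation(S, 12)
    return (((S[3] ^ k0) << 64) | (S[4] ^ k1)).to_bytes(16, "big")

def ascon128_encrypt(key, nonce, ad, pt):
    """Return ciphertext || 16-byte tag. A nonce must never repeat under the same key."""
    S, k0, k1 = _init(key, nonce)
    _absorb_ad(S, ad)
    pblocks, ct = blocks(pad(pt)), b""
    for block in pblocks[:-1]:
        S[0] ^= block
        ct += S[0].to_bytes(8, "big")
        permutation(S, 6)
    S[0] ^= pblocks[-1]  # last, padded block: emit only as many bytes as were real plaintext
    ct += S[0].to_bytes(8, "big")[:len(pt) % 8]
    return ct + _finalize(S, k0, k1)

def ascon128_decrypt(key, nonce, ad, ct):
    """Return the plaintext, or None when the tag fails; no plaintext is released on failure."""
    body, tag = ct[:-16], ct[-16:]
    S, k0, k1 = _init(key, nonce)
    _absorb_ad(S, ad)
    cut, pt = len(body) - len(body) % 8, b""
    for c in blocks(body[:cut]):
        pt += (S[0] ^ c).to_bytes(8, "big")
        S[0] = c  # the ciphertext block becomes the new rate part of the state
        permutation(S, 6)
    p_last = bytes(k ^ c for k, c in zip(S[0].to_bytes(8, "big"), body[cut:]))
    S[0] ^= int.from_bytes(pad(p_last), "big")
    if not hmac.compare_digest(_finalize(S, k0, k1), tag):  # constant-time tag check
        return None
    return pt + p_last

def ascon_hash(msg):
    """Ascon-Hash: absorb the padded message, then squeeze a 32-byte digest."""
    S = [ASCONHASH_IV, 0, 0, 0, 0]
    permutation(S, 12)
    mblocks = blocks(pad(msg))
    for block in mblocks[:-1]:
        S[0] ^= block
        permutation(S, 12)
    S[0] ^= mblocks[-1]
    out = b""
    while len(out) < 32:
        permutation(S, 12)
        out += S[0].to_bytes(8, "big")
    return out

if __name__ == "__main__":  # stand-alone run with constructed demo values (not real secrets)
    key = nonce = bytes(range(16))
    print(ascon128_encrypt(key, nonce, b"sensor-id=42", b"temp=21.5C").hex())
    print(ascon_hash(b"temp=21.5C").hex())
```

Two design points worth noticing. The whole construction is one 320-bit state and one permutation, which is why the gate count and code size stay small on a microcontroller; AEAD and hash differ only in IV, round counts and how the state is keyed. And the decrypt function verifies the tag before returning anything, using a constant-time comparison: a receiver that hands back partial plaintext and only then reports a bad tag loses the "wasn't changed in transit" guarantee that the quote above describes.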

Why so important? Bill Toulas explains—“NIST unveils winning encryption algorithm for IoT”:

Standard 128-bit nonce
Small IoT devices are becoming increasingly popular and omnipresent, used in wearable tech, “smart home” applications, etc. However, they are still used to store and handle sensitive personal information, such as health data, financial details, and more. … Implementing a standard for encrypting data is crucial in securing people’s data.

ASCON was eventually picked as the winner for being flexible, encompassing seven families, energy efficient, speedy on weak hardware, and having low overhead for short messages. [And] the algorithm had withstood the test of time, having been developed in 2014 … and winning the CAESAR cryptographic competition’s “lightweight encryption” category in 2019.

NIST says the scheme is powerful enough to offer some resistance to attacks from powerful quantum computers at its standard 128-bit nonce. However … lightweight cryptography algorithms should only be used for protecting ephemeral secrets.

Horse’s mouth? NIST computer scientist Kerry McKay—“Designed to protect data created and transmitted by … small electronics”:

A good all-around choice
The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation. These algorithms should cover most devices that have these sorts of resource constraints.

The goal of this project is not to replace AES or our hash standards: NIST still recommends their use on devices that don’t have the resource constraints that these new algorithms address. There are native instructions in many processors that support fast, high-throughput implementations. In addition, these algorithms are included in many protocols and should continue to be supported for interoperability purposes.

Mathematician Meltem Sönmez Turan [and I] considered a number of criteria to be important. The ability to provide security was paramount, but we also had to consider factors such as a candidate algorithm’s performance and flexibility in terms of speed, size and energy use. In the end we made a selection that was a good all-around choice.

Why? ELI5? angry_octet explains why you might want to use this instead of AES (like we’re five):

The tiniest devices are things like RFID chips.

– Time/space tradeoffs, to enable use on limited memory devices: Large block and key sizes and Lists are undesirable, even if more cycles are required.
– Time/margin tradeoffs: If the attacker can only meaningfully attack in the next 24 hours, do you need margin to protect against all of AWS crunching for a million years? Or would you like the computation done in a tenth the time?
– Architectural properties, such as the susceptibility to differential power analysis: Maybe you will risk that more via a LUT in exchange for lower power.
– As you increase the number of rounds, algorithms tend to get stronger. But some algorithms have … good avalanche properties for many fewer rounds.

Clear as mud? Try ras’s explainer:

ASCON is targeting slightly-more-expensive-than-dirt, slightly-less-common-than-sand … devices that ideally can run on a button battery for a few years. … If you look at ASCON’s throughput and power consumption figures on constrained hardware it is literally orders … of magnitude better than AES.

In NIST we trust? This slightly cynical Anonymous Coward alleges an allegation:

“Lightweight cryptography,” or more misdirection? Recent work here at White Hat Towers has found a very interesting dichotomy:
1) Encryption and decryption using huge prime numbers is actually quite fast, even using pathetic, low end hardware.
2) But finding useful huge prime numbers takes forever, even with reasonably powerful workstations.

It seems that this NIST project is focusing on item #1, but failing to tell us that item #2 might be a real problem—particularly if citizens are going to actually control the security of their own hardware. Yup, let’s use the “recommended” prime numbers (or the “recommended” elliptical curve)—supplied by NIST!

It’s not just about software. It can easily be implemented in hardware, too—as oneng explains:

Ascon, depending on the implementation, requires far less logic gates than AES to implement in hardware and requires less power, which would be an eventual cost savings. … Most importantly though is that by not going with an ARX-based design (Addition, Rotation, XOR), it’s much easier for cryptographers to perform cryptanalysis.

The IoT device is one thing, but what about the server side? ctilsie242 wonders aloud:

I wonder when OpenSSL/LibreSSL/GnuPG, and the Linux kernel will support this algorithm, and if it will wind up in the next TLS spec? … Hopefully we will see a useful implementation of this soon, so it can be tested and used in SoC and SBC applications. … There is a big difference between basic stuff implementing the algorithm versus optimized and thoroughly audited source code that is going to be hammered on and looked at, line by line, by many, many blackhats and nation-states.

Meanwhile, u/jedisct1 is very disappointed:

I’m very disappointed. … ASCON uses big endian. Big endian.

[a/k/a] requires-useless-shuffles-on-any-cpu-from-the-past-20-years order. … Why, oh why?

And Finally:

Jailbreaking ChatGPT

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Matthew Gosselin (cc:by-nc-sa; leveled and cropped)
