The US National Institute of Standards and Technology (NIST) announced that a group of cryptographic algorithms called Ascon will be published as NIST’s lightweight cryptography standard later in 2023. The algorithms are designed to protect data created and transmitted by the Internet of Things and other small electronics.
The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators. They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles. Devices like these need “lightweight cryptography” — protection that uses the limited amount of electronic resources they possess. The newly selected algorithms should be appropriate for most devices with resource constraints, including small devices for tasks ranging from sensing to identification to machine control.
Several important criteria were considered in making the selection, with the ability to provide security paramount. Other considerations included a candidate algorithm’s performance and flexibility in terms of speed, size, and energy use.
There are currently seven members of the Ascon family, some or all of which may become part of NIST’s published lightweight cryptography standard. As a family, the variants give a range of functionality that will offer designers options for different tasks. Two of these tasks are among the most important in lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing.
AEAD protects the confidentiality of a message, but it also allows extra information — such as the header of a message, or a device’s IP address — to be included without being encrypted. The algorithm ensures that all the protected data is authentic and has not changed in transit. AEAD can be used in vehicle-to-vehicle communications, and it also can help prevent counterfeiting of messages exchanged with the radio frequency identification (RFID) tags that often help track packages in warehouses.
Hashing creates a short digital fingerprint of a message that allows a recipient to determine whether the message has changed. In lightweight cryptography, hashing might be used to check whether a software update is appropriate or has downloaded correctly.
Currently, the most efficient NIST-approved technique for AEAD is the Advanced Encryption Standard (defined in FIPS 197) used with the Galois/Counter Mode (SP 800-38D), and for hashing, SHA-256 (defined in FIPS 180-4) is widely used. These standards remain in effect for general use.
The goal of this project is not to replace AES or hash standards. NIST still recommends their use on devices that don’t have the resource constraints that these new algorithms address. There are native instructions in many processors, which support fast, high-throughput implementations. In addition, these algorithms are included in many protocols and should continue to be supported for interoperability purposes.
Neither are the new algorithms intended to be used for post-quantum encryption, another current concern of the cryptography community that NIST is working to address using a similar public review process for potential algorithms. According to NIST, post-quantum encryption is primarily important for long-term secrets that need to be protected for years. Generally, lightweight cryptography is important for more ephemeral secrets.
The specification of Ascon includes multiple variants, and the finalized standard may not include all of them. The NIST team plans to work with Ascon’s designers and the cryptography community to finalize the details of standardization. Additional information may be found on NIST’s project website.