NIST Finalizes ‘Lightweight Cryptography’ Standard to Protect Small Devices
Written by Harry Fairhead
Wednesday, 20 August 2025
The problem of security on small devices is a serious one, so it is a good job we have NIST on the case. Its latest effort is to point us in the direction of a new set of cryptographic functions which are "lightweight" enough to be actually used.

The very first thing I have to say is that I am not convinced that the new functions are actually much better than what we already have. Most smallish devices use AES symmetric encryption and don't have much trouble with it, as it is readily available off the shelf in the form of OpenSSL or mbedTLS, to name just two open-source crypto libraries. What most such devices have problems with is key exchange and implementing complex protocols such as SSL/TLS as part of, say, HTTPS. Now that really is a waste of time. Just watch a dump of the handshake phase of an HTTPS connection and you will quickly realize that this was not designed to be quick. Put this together with, say, elliptic curve-based key exchange and good luck with getting the device to do anything else - like looking after a reactor core or targeting a drone - during the connection.

There is also the question of how efficient the new Ascon functions are. NIST says:

"The four algorithms in the standard require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices such as those making up the Internet of Things."

Indeed, you can find papers that claim that it is three times faster and uses 33% less RAM than AES - see Ascon: The Lightweight Cryptography As A Better Cipher Than AES 128 for 802.11bp. However, I can also find studies that claim that for smallish packets there is little difference between the two and for larger packets AES is faster and uses about the same amount of RAM - see Analysis of Practical Application of Lightweight Cryptographic Algorithm ASCON. Who to believe? I'm not taking sides.
There are three new functions:

ASCON-128 AEAD - AEAD stands for Authenticated Encryption with Associated Data. It takes plaintext, associated data and a nonce and produces a ciphertext for just the plaintext and an authentication tag that is a digital signature for the plaintext and the associated data. This allows you to check that the plaintext and associated data have not been changed while leaving the associated data in the clear.

ASCON-Hash 256 takes all the data it encrypts and uses it to create a short “hash” a few characters long. It is a lightweight alternative to NIST’s SHA-3 family of hash algorithms.

ASCON-XOF 128 and ASCON-CXOF 128 are hash functions with a twist: both algorithms allow the user to change the size of the hash. This option can benefit small devices because using shorter hashes allows the device to spend less time and energy on the encryption process.

As for the technology, Ascon is based on using sponge functions, which are the hot crypto topic at the moment. The name comes from the analogy of putting a liquid into a sponge and then squeezing it back out to get a mixed up liquid. In the case of a digital sponge, it absorbs bits during an absorbing phase and then spits them back out in permuted order during the squeeze phase.

The main thing to realize is that these new functions implement symmetric encryption where both parties, Alice and Bob, say, need to have the same key. How they get that key is a problem left to another standard. Hardware devices could have the key programmed into secure memory, but this is only going to be secure from a software attack. If the hardware is in the hands of an attacker, then the chances are the key will be revealed and all of the devices will be compromised. As already mentioned, using key exchange methods is much more demanding than simple symmetric encryption - so we don't have a solution yet.
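The absorb-and-squeeze structure and the adjustable hash size of the XOF variants described above can be seen in a short sketch. This is an added example, not code from the article or from the Ascon project: the permutation is modelled on Ascon's 320-bit round function, while the initial value, padding and byte order are simplified assumptions, so its output is not interoperable with ASCON-XOF 128.

```python
"""Sponge sketch: absorb input in 8-byte blocks, then squeeze any output length."""
MASK = (1 << 64) - 1
RATE = 8  # bytes absorbed or squeezed per permutation call

def _ror(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def permute(state, rounds=12):
    """320-bit permutation over five 64-bit words, modelled on Ascon's rounds."""
    x0, x1, x2, x3, x4 = state
    for r in range(12 - rounds, 12):
        x2 ^= ((0xF - r) << 4) | r                      # round constant
        x0 ^= x4; x4 ^= x3; x2 ^= x1                    # bitsliced 5-bit S-box
        t0, t1, t2, t3, t4 = ~x0 & x1, ~x1 & x2, ~x2 & x3, ~x3 & x4, ~x4 & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
        x0 ^= _ror(x0, 19) ^ _ror(x0, 28)               # linear diffusion per word
        x1 ^= _ror(x1, 61) ^ _ror(x1, 39)
        x2 ^= _ror(x2, 1) ^ _ror(x2, 6)
        x3 ^= _ror(x3, 10) ^ _ror(x3, 17)
        x4 ^= _ror(x4, 7) ^ _ror(x4, 41)
    return [x0, x1, x2, x3, x4]

def sponge_xof(message: bytes, out_len: int) -> bytes:
    """Hash `message` to exactly `out_len` bytes (hypothetical helper name)."""
    state = permute([0x53504F4E4745, 0, 0, 0, 0])       # constructed IV, an assumption
    # Pad with 0x80 then zeros so that b"abc" and b"abc\x00" absorb differently.
    padded = message + b"\x80" + b"\x00" * (-(len(message) + 1) % RATE)
    for i in range(0, len(padded), RATE):               # absorbing phase
        state[0] ^= int.from_bytes(padded[i:i + RATE], "big")
        state = permute(state)
    out = b""
    while len(out) < out_len:                           # squeezing phase
        out += state[0].to_bytes(RATE, "big")
        state = permute(state)
    return out[:out_len]

if __name__ == "__main__":
    reading = b"sensor-17 temp=21.5C"                   # constructed sample input
    for n in (8, 16, 32):
        print(n, sponge_xof(reading, n).hex())
```

A shorter output is simply a prefix of a longer one, so it saves permutation calls during squeezing but also lowers the work needed to find a collision.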
The good news is that Ascon is open source and there are good reference implementations in C, which you would expect, and Java and Python, which are more surprising. The C functions look easy to use, so if you want to reveal how efficient Ascon is, feel free to benchmark them in a way that makes sense to you.

More Information

NIST Finalizes ‘Lightweight Cryptography’ Standard to Protect Small Devices

https://github.com/ascon/ascon_collection

Python implementation of Ascon
Last Updated ( Wednesday, 20 August 2025 )