NIST chooses encryption algorithms for lightweight IoT devices

ASCON is the name of the group of lightweight authenticated encryption and hashing algorithms that the U.S. National Institute of Standards and Technology (NIST) has chosen to secure the data generated by Internet of Things (IoT) devices: implanted medical devices, keyless entry fobs, “smart home” devices, etc.

Gathered under the ASCON label are seven algorithms, some of which may not end up being included in the lightweight cryptography standard NIST is plans to publish later this year.

Why are the ASCON encryption algorithms a good choice for IoT devices?

In August 2018, NIST formally asked cryptographers to submit algorithms that would work on small devices that have limited electronic resources. After severals review rounds, NIST whittled the list down to ten finalists.

ASCON, developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research and Radboud University, has now been chosen as the winner of the contest, due to its many qualities, which include speed, ease of implementation, energy efficiency, and scalability.

NIST also required submitted algorithms to have authenticated encryption with associated data (AEAD) and optional hashing functionalities, and ASCON fits the bill.

“AEAD protects the confidentiality of a message, but it also allows extra information — such as the header of a message, or a device’s IP address — to be included without being encrypted. The algorithm ensures that all of the protected data is authentic and has not changed in transit. AEAD can be used in vehicle-to-vehicle communications, and it also can help prevent counterfeiting of messages exchanged with the radio frequency identification (RFID) tags that often help track packages in warehouses,” NIST explained.

“Hashing creates a short digital fingerprint of a message that allows a recipient to determine whether the message has changed. In lightweight cryptography, hashing might be used to check whether a software update is appropriate or has downloaded correctly.”

Finally, an additional quality was also crucial for ASCON getting selected: it has been examined by many third-party cryptographers and was not found wanting.

NIST plans to publish a document (NIST IR 8454) that will detail the selection and the evaluation process they went through.

What is ASCON not for?

“Small devices have limited resources, and they need security that has a compact implementation. These algorithms should cover most devices that have these sorts of resource constraints,” NIST computer scientist Kerry McKay commented, and noted that the ASCON algorithms should be suitable for use in “most forms of tiny tech.”

But ASCON is not expected to replace existing advanced encryption and hashing standards – the AES algorithm and the SHA-256 hash function, respectively – that are used on devices that don’t have the resource constraints.

Also, it is not intended to withstand attacks enabled by quantum computers; other algorithms have been and will be chosen for that purpose.

“One of the ASCON variants offers a measure of resistance to the sort of attack a powerful quantum computer might mount. However, that’s not the main goal here,” McKay noted. “Post-quantum encryption is primarily important for long-term secrets that need to be protected for years. Generally, lightweight cryptography is important for more ephemeral secrets.”