NIST finalizes lightweight cryptography standard for small devices

The National Institute of Standards and Technology (NIST) has finalized a lightweight cryptography standard to protect even the smallest networked devices from cyberattacks.


Published as Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST Special Publication 800-232), the standard offers tools for securing data created and transmitted by billions of IoT devices, along with other small electronics such as RFID tags and medical implants. These technologies often have far less computing power than smartphones or laptops, yet still need strong protection. Lightweight cryptography is designed for these resource-limited environments.

“We encourage the use of this new lightweight cryptography standard wherever resource constraints have hindered the adoption of cryptography,” said NIST computer scientist Kerry McKay, who co-led the project with her NIST colleague Meltem Sönmez Turan. “It will benefit industries that build devices ranging from smart home appliances to car-mounted toll registers to medical implants. One thing these electronics have in common is the need to fine-tune the amount of energy, time and space it takes to do cryptography. This standard fits their needs.”

The standard is based on algorithms in the Ascon family, selected in 2023 after a multiround public review. Ascon was first developed in 2014 by researchers from Graz University of Technology, Infineon Technologies, and Radboud University. It gained recognition in 2019 as the top choice for lightweight encryption in the CAESAR competition, a sign it had withstood extensive cryptographic review.

The standard includes four Ascon variants that offer different options for various use cases. They address two main needs: authenticated encryption with associated data (AEAD) and hashing.

ASCON-128 AEAD is used when a device must encrypt data, verify that it has not been altered, or do both. Many small devices are vulnerable to “side-channel attacks,” where attackers gather clues by monitoring things like power use or timing. While no algorithm can fully eliminate this risk, ASCON is easier to implement in a side-channel-resistant way than many older approaches. Devices that can benefit include RFID tags, medical implants, and toll transponders.

ASCON-Hash 256 creates a short “hash” that serves as a fingerprint of the data. Any change to the original data changes the hash, making it useful for verifying integrity during software updates or ensuring no tampering has occurred. It can also protect passwords and digital signatures, offering a lightweight alternative to NIST’s SHA-3 family.

ASCON-XOF 128 and ASCON-CXOF 128 are flexible hash functions that allow the hash length to be adjusted. Shorter hashes can save small devices time and energy. The CXOF variant also lets users add a custom label (a customization string) to the hash, so that two devices or applications hashing the same data for the same operation in different contexts do not produce identical outputs; such identical outputs could help an attacker reuse a hash from one context in another.
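The three roles described above (AEAD that both encrypts and detects tampering, a fixed-length hash, and an extendable-output function whose shorter outputs are prefixes of longer ones) can be seen in a small working model. The following is an added example, not code from NIST, the Ascon team or this article: it implements the Ascon permutation and, on top of it, the CAESAR-era Ascon-128 AEAD and Ascon-Xof/Ascon-Hash modes (v1.2) from memory, with big-endian word loading, 64-bit rate and the v1.2 IV constants. It has not been checked against published test vectors, and the NIST SP 800-232 variants (Ascon-AEAD128, Ascon-Hash256, Ascon-XOF128, Ascon-CXOF128) differ in details such as byte ordering, IV constants and rate, so production firmware must use a library validated against the NIST vectors. The key, nonce, associated data and message values are constructed for the demonstration.

```python
import hmac

# Added illustrative model of Ascon (v1.2 parameters, from memory; not the
# NIST SP 800-232 variants and not validated against published test vectors).
MASK64 = (1 << 64) - 1
_ROUND_CONSTANTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5,
                    0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]
_AEAD_IV = 0x80400C0600000000   # Ascon-128 v1.2: k=128, r=64, a=12, b=6
_HASH_IV = 0x00400C0000000100   # Ascon-Hash v1.2 (256-bit output)
_XOF_IV = 0x00400C0000000000    # Ascon-Xof v1.2 (arbitrary output length)


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def permutation(s, rounds):
    """Apply the last `rounds` rounds of the 12-round Ascon permutation to a 5-word state."""
    x0, x1, x2, x3, x4 = s
    for r in range(12 - rounds, 12):
        x2 ^= _ROUND_CONSTANTS[r]                      # round constant addition
        x0 ^= x4; x4 ^= x3; x2 ^= x1                   # bit-sliced 5-bit S-box
        t0 = ~x0 & MASK64 & x1; t1 = ~x1 & MASK64 & x2; t2 = ~x2 & MASK64 & x3
        t3 = ~x3 & MASK64 & x4; t4 = ~x4 & MASK64 & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK64
        x0 ^= _rotr(x0, 19) ^ _rotr(x0, 28)            # linear diffusion layer
        x1 ^= _rotr(x1, 61) ^ _rotr(x1, 39)
        x2 ^= _rotr(x2, 1) ^ _rotr(x2, 6)
        x3 ^= _rotr(x3, 10) ^ _rotr(x3, 17)
        x4 ^= _rotr(x4, 7) ^ _rotr(x4, 41)
    return [x0, x1, x2, x3, x4]


def _words(b):
    return [int.from_bytes(b[i:i + 8], "big") for i in range(0, len(b), 8)]


def _pad(data, rate=8):
    """10* padding to a multiple of the 8-byte rate (always adds at least one byte)."""
    return data + b"\x80" + b"\x00" * (rate - 1 - len(data) % rate)


def _aead_init(key, nonce):
    k0, k1 = _words(key)
    s = permutation([_AEAD_IV, *_words(key), *_words(nonce)], 12)
    s[3] ^= k0; s[4] ^= k1
    return s


def _absorb_ad(s, ad):
    if ad:                                    # empty AD is not absorbed at all
        for i, w in enumerate(_words(_pad(ad))):
            if i: s = permutation(s, 6)
            s[0] ^= w
        s = permutation(s, 6)
    s[4] ^= 1                                 # domain separation AD -> plaintext
    return s


def _finalize(s, key):
    k0, k1 = _words(key)
    s[1] ^= k0; s[2] ^= k1
    s = permutation(s, 12)
    return (s[3] ^ k0).to_bytes(8, "big") + (s[4] ^ k1).to_bytes(8, "big")


def aead_encrypt(key, nonce, ad, pt):
    """Return ciphertext || 16-byte tag. The nonce must never repeat under one key."""
    s = _absorb_ad(_aead_init(key, nonce), ad)
    ct = b""
    for i, w in enumerate(_words(_pad(pt))):
        if i: s = permutation(s, 6)
        s[0] ^= w
        ct += s[0].to_bytes(8, "big")
    return ct[:len(pt)] + _finalize(s, key)


def aead_decrypt(key, nonce, ad, ct_tag):
    """Return the plaintext, or None if the tag does not verify (tampering detected)."""
    if len(ct_tag) < 16:
        return None
    ct, tag = ct_tag[:-16], ct_tag[-16:]
    s = _absorb_ad(_aead_init(key, nonce), ad)
    pt = b""
    for i in range(len(ct) // 8 + 1):
        if i: s = permutation(s, 6)
        chunk = ct[i * 8:(i + 1) * 8]
        p = bytes(c ^ k for c, k in zip(chunk, s[0].to_bytes(8, "big")))
        pt += p
        s[0] ^= int.from_bytes(p if len(p) == 8 else _pad(p), "big")  # mirror encrypt
    # Constant-time tag comparison; plaintext is released only after verification.
    return pt if hmac.compare_digest(_finalize(s, key), tag) else None


def ascon_xof(msg, out_len, iv=_XOF_IV):
    """Sponge hash with adjustable output length; shorter outputs prefix longer ones."""
    s = permutation([iv, 0, 0, 0, 0], 12)
    for w in _words(_pad(msg)):
        s[0] ^= w
        s = permutation(s, 12)
    out = b""
    while len(out) < out_len:
        out += s[0].to_bytes(8, "big")
        s = permutation(s, 12)
    return out[:out_len]


def ascon_hash(msg):
    """Fixed 32-byte digest (Ascon-Hash v1.2 IV)."""
    return ascon_xof(msg, 32, iv=_HASH_IV)


if __name__ == "__main__":
    key, nonce = bytes(range(16)), bytes(range(16, 32))   # constructed demo values
    sealed = aead_encrypt(key, nonce, b"device-id:1234", b"temp=21.5C")
    print("decrypts:", aead_decrypt(key, nonce, b"device-id:1234", sealed))
    forged = bytes([sealed[0] ^ 1]) + sealed[1:]
    print("tampered ciphertext ->", aead_decrypt(key, nonce, b"device-id:1234", forged))
    print("hash:", ascon_hash(b"firmware-image").hex())
```

In the AEAD, the associated data (here a device identifier) is authenticated but not encrypted, so changing it, the ciphertext or the tag makes `aead_decrypt` return `None` rather than a plaintext; the decryptor compares the tag in constant time and releases nothing on failure. The XOF shows why a shorter output costs less: a 16-byte output is simply the first 16 bytes of the 32-byte one, obtained with fewer squeeze calls of the permutation.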

McKay said the standard is designed for immediate adoption but can also expand to meet future needs.

“We’ve taken the community’s feedback and tried to provide a standard that can be easily followed and implemented, but we are also trying to be forward-looking in terms of being able to build on it,” she said. “There are additional functionalities people have requested that we might add down the road, such as a dedicated message authentication code. We plan to start considering these possibilities very soon.”
