Infineon crypto algorithm chosen as standard for IoT devices
The US National Institute of Standards and Technology (NIST) has chosen a set of algorithm as the standard for protecting data generated by small devices in the Internet of Things (IoT).
The cryptographic algorithms, called Ascon, were developed by Infineon Technologies and the University of Graz in Austria and will be published as NIST’s lightweight cryptography standard later this year.
The chosen algorithms are designed to protect data from sensors and actuators as well as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles. These all need lightweight cryptography without heavy processing overhead.
Ascon was developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research and Radboud University. It was selected in 2019 as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition.
“The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation,” said Kerry McKay at NIST. “These algorithms should cover most devices that have these sorts of resource constraints.”
To determine the strongest and most efficient lightweight algorithms, NIST held a development program that took several years, first communicating with industry and other organizations to understand their needs and then requesting potential solutions from the world’s cryptography community in 2018. After receiving 57 submissions, McKay and mathematician Meltem Sönmez Turan managed a multi-round public review process in which cryptographers examined and attempted to find weaknesses in the candidates, eventually whittling them down to 10 finalists before selecting Ascon as the winner.
“We considered a number of criteria to be important,” said McKay. “The ability to provide security was paramount, but we also had to consider factors such as a candidate algorithm’s performance and flexibility in terms of speed, size and energy use. In the end we made a selection that was a good all-around choice.”
Seven crypto variant
There are currently seven members of the Ascon family, some or all of which may become part of NIST’s published lightweight cryptography standard. As a family, the variants give a range of functionality that will offer designers options for different tasks. Two of these tasks are among the most important in lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing.
AEAD protects the confidentiality of a message, but it also allows extra information — such as the header of a message, or a device’s IP address — to be included without being encrypted. The algorithm ensures that all of the protected data is authentic and has not changed in transit. AEAD can be used in vehicle-to-vehicle communications, and it also can help prevent counterfeiting of messages exchanged with the radio frequency identification (RFID) tags that often help track packages in warehouses.
Hashing creates a short digital fingerprint of a message that allows a recipient to determine whether the message has changed. In lightweight cryptography, hashing might be used to check whether a software update is appropriate or has downloaded correctly.
Currently, the most efficient NIST-approved technique for AEAD is the Advanced Encryption Standard (defined in FIPS 197) used with the Galois/Counter Mode (SP 800-38D), and for hashing, SHA-256 (defined in FIPS 180-4) is widely used. McKay said that these standards remain in effect for general use.
“The goal of this project is not to replace AES or our hash standards,” she said. “NIST still recommends their use on devices that don’t have the resource constraints that these new algorithms address. There are native instructions in many processors, which support fast, high-throughput implementations. In addition, these algorithms are included in many protocols and should continue to be supported for interoperability purposes.”
Neither are the new algorithms intended to be used for post-quantum encryption.
“One of the Ascon variants offers a measure of resistance to the sort of attack a powerful quantum computer might mount. However, that’s not the main goal here,” said McKay. “Post-quantum encryption is primarily important for long-term secrets that need to be protected for years. Generally, lightweight cryptography is important for more ephemeral secrets.”
The specification of Ascon includes multiple variants, and the finalized standard may not include all of them. The NIST team plans to work with Ascon’s designers and the cryptography community to finalize the details of standardization.
csrc.nist.gov/Projects/lightweight-cryptography/finalists; www.infineon.com
Related encryption articles