[Cryptography] Formal definition of lightweight crypto

dj at deadhat.com
Fri Jan 1 15:20:33 EST 2016


>
> Is there a formal definition of lightweight cryptographic algorithms?
> The SPECK and SIMON algorithms by NSA (and many others) are declared to be
> lightweight, but I did not find any definitions except
>
> "These lightweight cryptographic primitives are designed to be efficient,
> yet secure, when limited hardware resources are available. Consequently,
> the main motive for current efforts of constructing lightweight
> cryptographic primitives is to maintain a reasonable trade-off between
> security, efficient hardware performance and low overall cost, measured by
> a number of metrics. These metrics include, but are not limited to: area
> (in terms of gate equivalences), throughput, power/energy consumption and
> production cost."
>

I've designed circuits using algorithms claiming to be lightweight crypto,
and there seem to be two common properties of lightweight crypto
algorithms: (1) the smallest instantiations are less secure, using shorter
keys and/or shorter block sizes, and (2) they are more scalable, since the
inner round functions are very small, so there is a lot more unrolling
flexibility: you can build small slow ones and big fast ones and many
points in between those extremes.

The consensus at the NIST lightweight crypto conference last year was that
we shouldn't compromise on security. So the really important features of
algorithms are efficiency and scalability, and lightweight algorithms
generally meet those criteria. Simon, for instance, turns out to be 3X more
efficient than AES at the same strength and performance, so it is a much
better algorithm overall than AES.
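To make the "very small inner round function" point concrete, here is an added example (not code from the post above, and not the NSA reference implementation): a pure-Python Simon parameterised by word size, number of key words, round count and constant sequence, following the round function and key schedule published in the Simon and Speck specification (Beaulieu et al., 2013). The non-linear layer is one AND and a few XORs per bit, rotations are free wiring in hardware, and the key schedule keeps only m words of state, which is what lets a serialised implementation stay tiny while an unrolled one runs fast. Only the Simon32/64 parameter set is filled in; the class name, helper names and the key-word ordering (least-significant word first) are this example's own conventions, not the specification's.

```python
"""Simon block cipher in pure Python, parameterised by word size n, key words m,
round count T and constant sequence z.  Added example, not code from the
mailing-list post; round function and key schedule follow the Simon and Speck
specification.  Only Simon32/64 is filled in; other sizes need their own
(n, m, T, z) from the specification."""

from dataclasses import dataclass
from typing import Iterator, List, Sequence, Tuple

# 62-bit constant sequence z0 from the specification, used by Simon32/64.
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


@dataclass(frozen=True)
class SimonParams:
    n: int  # word size in bits (block size is 2n)
    m: int  # number of key words (key size is m*n)
    T: int  # number of rounds
    z: str  # constant bit sequence consumed by the key schedule


SIMON32_64 = SimonParams(n=16, m=4, T=32, z=Z0)


class Simon:
    """One Simon instance.  key_words[0] is the least-significant key word,
    i.e. the word written last in the specification's test vectors."""

    def __init__(self, params: SimonParams, key_words: Sequence[int]) -> None:
        if len(key_words) != params.m:
            raise ValueError(f"expected {params.m} key words, got {len(key_words)}")
        self.p = params
        self.mask = (1 << params.n) - 1
        for k in key_words:
            if not 0 <= k <= self.mask:
                raise ValueError("key word out of range for this word size")
        self.key_words = tuple(key_words)

    # Rotations are pure wiring in hardware; they cost no gates.
    def rol(self, x: int, r: int) -> int:
        n = self.p.n
        r %= n
        return ((x << r) | (x >> (n - r))) & self.mask

    def ror(self, x: int, r: int) -> int:
        return self.rol(x, self.p.n - (r % self.p.n))

    def f(self, x: int) -> int:
        """The whole non-linear layer: n AND gates plus n XOR gates per round."""
        return (self.rol(x, 1) & self.rol(x, 8)) ^ self.rol(x, 2)

    def round_keys(self) -> Iterator[int]:
        """Yield k_0 .. k_{T-1} while holding only m words of state, the way a
        serialised hardware implementation derives round keys on the fly."""
        p = self.p
        state: List[int] = list(self.key_words)
        for i in range(p.T):
            if i < p.m:
                yield state[i]
                continue
            tmp = self.ror(state[-1], 3)      # S^-3 k_{i-1}
            if p.m == 4:
                tmp ^= state[-3]              # extra k_{i-3} term for m = 4
            tmp ^= self.ror(tmp, 1)           # (I xor S^-1) applied to tmp
            z_bit = int(p.z[(i - p.m) % 62])
            # c = 2^n - 4, so c XOR k equals (NOT k) XOR 3 within n bits.
            k_i = (~state[0] ^ tmp ^ z_bit ^ 3) & self.mask
            state = state[1:] + [k_i]
            yield k_i

    def encrypt_block(self, x: int, y: int) -> Tuple[int, int]:
        """One block (x = upper word, y = lower word) through all T rounds."""
        for k in self.round_keys():
            x, y = y ^ self.f(x) ^ k, x
        return x, y

    def decrypt_block(self, x: int, y: int) -> Tuple[int, int]:
        """Inverse: apply the round keys in reverse, swapping the Feistel halves."""
        for k in reversed(list(self.round_keys())):
            x, y = y, x ^ self.f(y) ^ k
        return x, y


if __name__ == "__main__":
    # Simon32/64 test vector from the specification: key 1918 1110 0908 0100,
    # plaintext 6565 6877, ciphertext c69b e9bb.
    cipher = Simon(SIMON32_64, [0x0100, 0x0908, 0x1110, 0x1918])
    ct = cipher.encrypt_block(0x6565, 0x6877)
    print("ciphertext: %04x %04x" % ct)          # expect c69b e9bb
    print("round trip:", cipher.decrypt_block(*ct) == (0x6565, 0x6877))
```

The `round_keys` generator is the part that matters for the scalability argument: a serialised circuit needs only the m-word key register plus the 2n-bit block state, whereas an unrolled pipeline can precompute all T keys and lay the rounds out in sequence, and the same arithmetic serves both. The caveat from point (1) above applies to this exact parameter set: Simon32/64 has a 32-bit block and a 64-bit key, so it is a demonstration size, not a recommendation, and this Python is not constant-time or otherwise side-channel hardened.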