[Cryptography] What is missing today, why NIST lightweight competition is interesting

sebastien riou matic at nimp.co.uk
Thu May 9 15:16:36 EDT 2019


No matter whether one trusts NIST or not, one has to admit the following point:
as of today there isn't a well-reviewed AEAD+hash primitive optimised for
IoT edge devices.

By IoT edge devices I mean:
- RAM in the single digit KBytes
- exposed to the threats of physical attacks (EM side channels, glitch or
laser fault attacks...)

libsodium does not solve the issue: ChaCha is ARX, and ARX is costly to secure
against side channel attacks (not talking about trivial timing/cache
attacks here, EM side channel attacks are the problem). Bertoni et al. wrote
something about it (https://keccak.team/2017/not_arx.html). Having worked
on the issue for more than a decade, I very much confirm this fact.
Basically AES is hard to secure against EM side channels and anything ARX is
harder ("hard" here is short for "large area, high power consumption, low
performance").

It is somewhat ironic that all crypto standardized so far is mostly
optimized for running on servers conveniently protected against physical
attacks and that resource-constrained devices, which are far more cost
sensitive and numerous, have to follow.

NIST finally recognized this and did the right thing: launch an open
competition which takes into account the constraints of the low end, most
exposed devices.
Crucially, unlike the CAESAR competition, they will take into account:
- the possibility to get AEAD and hash from the same primitive
- the ease to protect against physical attacks
The CAESAR competition also has another limitation: it selected 7 winners
instead of 1 like the AES or SHA-3 competitions. Selecting a single winner is
crucial for adoption; the 7 winners of CAESAR are never going to end up in
a hardware accelerator, since implementing 7 small primitives instead of AES
defeats the point (and neither implementers nor the customers choose a winner;
customers just know they want "security" without accepting any additional
price increase).

In short, this competition is good news for anyone caring about security
outside the cloud and secure rooms.
Most submissions to this competition are most likely completely independent
from NIST/NSA/KGB and friends (at least that's the case for DryGASCON and I
trust it is also the case for ASCON and ISAP).

Sebastien
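The cost argument in the post (masking a modular addition versus masking AND/XOR/rotate) made concrete, as an added worked example that is not code from the original message nor from DryGASCON, ASCON, ISAP or libsodium. It assumes a two-share boolean masking on toy 8-bit words, the ISW AND gadget, and Goubin's CHES 2001 boolean/arithmetic conversion algorithms; a tally of primitive operations stands in for the "large area, high power consumption, low performance" the post calls "hard". The constants and the operation names are the example's own; the tally is an implementation-cost measure, not a leakage evaluation of any real device.

```python
"""Why masking ARX costs more than masking AND/XOR/rotate (added example).

Every secret word is split into two boolean shares (s0, s1) with v == s0 ^ s1.
XOR and rotation act share by share. AND needs the ISW gadget plus a fresh
random word. Modular addition on boolean shares needs Goubin's
boolean->arithmetic and arithmetic->boolean conversions (CHES 2001).
A tally of primitive operations is the (crude) proxy for area/power/speed.
"""
import random

WIDTH = 8                     # toy word size (assumption); the algorithms work for any width
MASK = (1 << WIDTH) - 1
cost = {"xor": 0, "and": 0, "add": 0, "rot": 0, "rand": 0}


def _xor(a, b): cost["xor"] += 1; return a ^ b
def _and(a, b): cost["and"] += 1; return a & b
def _add(a, b): cost["add"] += 1; return (a + b) & MASK
def _sub(a, b): cost["add"] += 1; return (a - b) & MASK
def _rotl(v, n): cost["rot"] += 1; return ((v << n) | (v >> (WIDTH - n))) & MASK
def _rand(rng): cost["rand"] += 1; return rng.getrandbits(WIDTH)


def share(v, rng):
    """Split v into two boolean shares using one fresh random word."""
    r = _rand(rng)
    return (v ^ r, r)


def unshare(s):
    return s[0] ^ s[1]


def masked_xor(x, y):
    """Linear: one XOR per share, no randomness."""
    return (_xor(x[0], y[0]), _xor(x[1], y[1]))


def masked_rotl(x, n):
    """Linear: rotate each share independently."""
    return (_rotl(x[0], n), _rotl(x[1], n))


def masked_and(x, y, rng):
    """ISW AND gadget for two shares: four ANDs, four XORs, one random word."""
    r = _rand(rng)
    c0 = _xor(_and(x[0], y[0]), r)
    # order matters: r must blind x0&y1 before x1&y0 is folded in
    c1 = _xor(_and(x[1], y[1]), _xor(_xor(r, _and(x[0], y[1])), _and(x[1], y[0])))
    return (c0, c1)


def b2a(xp, r, rng):
    """Goubin boolean->arithmetic: x == xp ^ r  ->  A with x == A + r (mod 2^WIDTH)."""
    g = _rand(rng)
    t = _xor(_sub(_xor(xp, g), g), xp)
    g = _xor(g, r)
    return _xor(_sub(_xor(xp, g), g), t)


def a2b(a, r, rng):
    """Goubin arithmetic->boolean: x == A + r  ->  xp with x == xp ^ r.

    Unlike B2A this is not constant-size: the carry chain is resolved bit by
    bit, so the loop runs WIDTH-1 times.
    """
    g = _rand(rng)
    t = _add(g, g)
    xp = _xor(g, r)
    om = _and(g, xp)
    xp = _xor(t, a)
    g = _and(_xor(g, xp), r)
    om = _xor(om, g)
    om = _xor(om, _and(t, a))
    for _ in range(WIDTH - 1):
        g = _xor(_and(t, r), om)
        t = _and(t, a)
        g = _xor(g, t)
        t = _add(g, g)
    return _xor(xp, t)


def masked_add(x, y, rng):
    """Modular add on boolean shares: convert both, add share-wise, convert back."""
    ax, ay = b2a(x[0], x[1], rng), b2a(y[0], y[1], rng)
    r_sum = _add(x[1], y[1])
    return (a2b(_add(ax, ay), r_sum, rng), r_sum)


def op_cost(op):
    """Return (per-type tally, total) for one masked operation on fresh shares."""
    rng = random.Random(1)
    x, y = share(0x5A, rng), share(0xC3, rng)   # constructed inputs; sharing not charged
    for k in cost:
        cost[k] = 0
    {"xor": lambda: masked_xor(x, y), "rotl": lambda: masked_rotl(x, 3),
     "and": lambda: masked_and(x, y, rng), "add": lambda: masked_add(x, y, rng)}[op]()
    return dict(cost), sum(cost.values())


def check_masked_ops(trials=2000, seed=7):
    """Unmask every masked result and compare with the plain operation."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b, n = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH), rng.randrange(1, WIDTH)
        x, y = share(a, rng), share(b, rng)
        ok = (unshare(masked_xor(x, y)) == a ^ b
              and unshare(masked_rotl(x, n)) == _rotl(a, n)
              and unshare(masked_and(x, y, rng)) == a & b
              and unshare(masked_add(x, y, rng)) == (a + b) & MASK)
        if not ok:
            return False
    return True


if __name__ == "__main__":
    print("all masked ops correct:", check_masked_ops())
    for op in ("xor", "rotl", "and", "add"):
        tally, total = op_cost(op)
        print(f"masked {op:4s}: {total:3d} primitive ops  {tally}")
```

On these 8-bit words a masked XOR or rotation costs 2 primitive operations, a masked AND 9 (with one fresh random word), and a masked addition 64 (with three), and the A2B part grows linearly with the word width, so a 32-bit ChaCha word is worse still. Faster conversions exist in the literature, but none of them gets near the cost of the AND gadget, which is the whole point of building a permutation from AND/XOR/rotate only.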