Dear forum members,
The NIST Lightweight Cryptography Team has reviewed the finalists based on their submission packages, status updates, third-party security analysis papers, and implementation and benchmarking results, as well as the feedback received during workshops and through the lwc-forum. The selection was challenging since most of the finalists exhibited performance advantages over NIST standards on various target platforms without introducing security concerns.
The team has decided to standardize the Ascon family for lightweight cryptography applications as it meets the needs of most use cases where lightweight cryptography is required.
Congratulations to the Ascon team! NIST thanks all of the finalist teams and the community members who provided feedback that contributed to the selection.
NIST’s next steps will be to:
Thanks,
NIST Lightweight Cryptography Team
--
To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum
---
To unsubscribe from this group and stop receiving emails from it, send an email to lwc-forum+...@list.nist.gov.
--
Hi,
Ascon seems like a very good choice. Congratulations to the Ascon team!
I think ASCON will find its way into a large number of applications.
NIST Lightweight Cryptography Team wrote:
>discuss various aspects of standardization (e.g., additional variants, functionalities, and parameter selections)
Below are comments on the current ASCON 1.2 specification that I would like to see addressed already in the NIST draft specification:
Additional comments:
(I will likely submit an expanded version of the comments above as a position paper to the upcoming public workshop).
Cheers,
John
That's not a contradiction to Roberts request, is it? It well might be the case that resource constrained devices need to do EdDSA - in case they'll use Ascon for encryption it sounds beneficial to me if they can also use it for hashing in the asymmetric schemes. It doesn't mean, EdDSA should solely support Ascon - SHA versions will stay for sure. On February 8, 2023 7:34:39 AM UTC, Arne Padmos <h...@arnepadmos.com> wrote:
-- To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum --- To unsubscribe from this group and stop receiving emails from it, send an email to lwc-forum+...@list.nist.gov.
-- Dr. Friedrich Wiemer, orcid.org/0000-0003-2998-6777
Hi,
Ascon seems like a very good choice. Congratulations to the Ascon team!
I think ASCON will find its way into a large number of applications.
NIST Lightweight Cryptography Team wrote:
>discuss various aspects of standardization (e.g., additional variants, functionalities, and parameter selections)
Below are comments on the current ASCON 1.2 specification that I would like to see addressed already in the NIST draft specification:
- I would like to see 160-bit nonces as an option. This seems possible with 128-bit keys. Use of random nonces are common practice and increasing the nonce length increases the number of instantiations that can be allowed with a single key. The limited number of instantiations with random nonces is a big problem with AES-GCM.
- I would like to see shorter tags as an option. Either tag length as a variable or a smaller set of allowed tag lengths (e.g., 32, 64, 96, 128). 32-bit tags are standard in most radio link layers including 5G. 64-bit tags are very common in the Internet of things. 32 and 64-bit tags are also common for protection of audio frames (also in future proposals like IETF SFRAME).
- I would like to see zero tag length as an option. IND-CPA encryption has several use cases: Header encryption in DTLS 1.3 and QUIC, message_2 encryption in EDHOC, as well as in systems where integrity is provided by a signature. IETF COSE has decided to reintroduce IND-CPA encryption such as AES-CTR for this purpose.
- I strongly think NIST should standardize one of the variable-length hash-functions Ascon-Xof or Ascon-Xofa. I don't see any reason whatsoever to standardize one of the fixed-length hash function. Anybody wanting 256-bit digest can use the variable-length hash function with l = 256. Shorter digests will be needed. For SHA2, NIST has afterwards introduced two different variable-length hash functions based on the fixed-length hash function. SHA-256/t being simple truncation to t bits and the SHA-512/t which also changes some of the inner constants. Longer digests will also be needed for sure.
- I strongly think NIST should specify a keyed ASCON hash function that can be used as a MAC and KDF. That can likely be done much more optimal than with 2-pass HMAC and 4-pass HKDF. I think a keyed ASCON hash function should be available from the start and not years later.
Additional comments:
- I don’t see any strong need for the version with a 160-bit key. Even if a CRQC that can break RSA and ECC is hours is ever build, it seems completely unpractical for a huge cluster of such CRQCs to break ASCON with 128-bit keys. I assume that ASCON with a 128-bit key requires less gates than AES-128 and therefore falls slightly under the NIST PQC security level I. It is still unclear how NIST will define security levels in the future. One solution is to define level I as at least as hard as ASCON. I don’t think the choice of AES-128 or ASCON makes much of a practical difference.
- I agree with the earlier comment from Bob Moskowitz that NIST should specify the use of ASCON in Ed25519.
- Consider adding customization string and parallelization from the start like instead of adding it later like SP 800-185.
Many congratulations to the ASCON team for winning the NIST
lightweight competition!
Although of course we would have liked to win ourselves, we think
ASCON is an excellent scheme and congratulate NIST for choosing a
permutation-based cipher!
Kind regards,
The Xoodyak team
Gilles, Joan, Michaël, Ronny, Seth and Silvia
--
- I strongly think NIST should standardize one of the variable-length hash-functions Ascon-Xof or Ascon-Xofa. I don't see any reason whatsoever to standardize one of the fixed-length hash function. Anybody wanting 256-bit digest can use the variable-length hash function with l = 256. Shorter digests will be needed. For SHA2, NIST has afterwards introduced two different variable-length hash functions based on the fixed-length hash function. SHA-256/t being simple truncation to t bits and the SHA-512/t which also changes some of the inner constants. Longer digests will also be needed for sure.
- I strongly think NIST should specify a keyed ASCON hash function that can be used as a MAC and KDF. That can likely be done much more optimal than with 2-pass HMAC and 4-pass HKDF. I think a keyed ASCON hash function should be available from the start and not years later.
Regarding the requests for an Ascon based MAC that have been made in this thread: Wouldn’t it be sufficient to use Ascon-AEAD with a 0-length plaintext and the message as additional data to be authenticated? Apologies if my question is a little naïve; it has been a while since I last looked at new symmetric constructions and I may very well be missing something obvious.
I can understand if you need Ascon-AEAD with 0-length plaintext to be added as MAC in a NIST standard but I’d rather not add a new, dedicated MAC mode of operation unless it provides an advantage that Ascon-AEAD can not. That advantage should then be clearly stated.