Dear all,
NIST hosted the Sixth Lightweight Cryptography Workshop (virtual) on June 21-22, 2023 to explain the selection process and to discuss various aspects of standardization
of the Ascon family. The slides and the videos are available online: https://csrc.nist.gov/events/2023/lightweight-cryptography-workshop-2023
During the workshop, the NIST lightweight cryptography team received a number of suggestions for the standardization phase. We would like to raise some of the issues in this and upcoming emails to receive more public feedback.
AEAD variants. The Ascon family includes two recommended AEAD variants: Ascon-128 (primary) and Ascon-128a. Our first decision is to decide which AEAD variants to include in the draft standard. This is a choice between standardizing only Ascon-128, only Ascon-128a, or standardizing both variants.
XOF vs. Hash functions. NIST is considering to standardize only Ascon-XOF, which covers the use cases of both extendable output functions and hash functions.
Suggestions and comments on these decision points are welcome.
Thanks,
Kerry
--
To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum
---
To unsubscribe from this group and stop receiving emails from it, send an email to lwc-forum+...@list.nist.gov.
Hi,
- Regarding Ascon-128 (primary) and Ascon-128a I don't think NIST should standardize both variants unless
there is a strong reason to do so. I have not seen any arguments for standardizing both.
- Regarding Ascon-XOF I strongly think NIST should only standardize Ascon-XOF. I also strongly think NIST should use the term "variable-length hash function". NIST already uses this term several times in SP 800-185.
Cheers,
John
Regarding XOF vs Hash functions, I do think a XOF variant would be sufficient, too.
Besides these, for the automotive industry an option for authentication-only that does not require a nonce-input, i.e. cannot be misused by failing to handle nonces correctly, would be very helpful I think.
I’d appreciate an Ascon-MAC as part of the standard.
Mit freundlichen Grüßen / Best regards
Dr. Friedrich Wiemer
Engineering Cyber Security (XC-AN/ECS1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart |
GERMANY | www.bosch.com
Mobile +49 1522 4695820 | Friedric...@de.bosch.com
Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart, HRB 14000;
Chairman of the Supervisory Board: Prof. Dr. Stefan Asenkerschbaumer; Managing Directors: Dr. Stefan Hartung,
Dr. Christian Fischer, Dr. Markus Forschner, Stefan Grosch, Dr. Markus Heyn, Dr. Tanja Rückert
On July 19, 2023 1:34:55 PM UTC, Robert Moskowitz <r...@labs.htt-consult.com> wrote:
>I have already stated my preference for XOF only. It is all that I use of the SHA3 family in my protocol designs.
>
>
>On 7/19/23 09:26, 'McKay, Kerry A. (Fed)' via lwc-forum wrote:
>>
>> Dear all,
>>
>>
>> NIST hosted the Sixth Lightweight Cryptography Workshop (virtual) on June 21-22, 2023 to explain the selection process and to discuss various aspects of standardization of the Ascon family. The slides and the videos are available online: https://csrc.nist.gov/events/2023/lightweight-cryptography-workshop-2023
>>
>> During the workshop, the NIST lightweight cryptography team received a number of suggestions for the standardization phase. We would like to raise some of the issues in this and upcoming emails to receive more public feedback.
>>
>> *AEAD variants.*The Ascon family includes two recommended AEAD variants: Ascon-128 (primary) and Ascon-128a. Our first decision is to decide which AEAD variants to include in the draft standard. This is a choice between standardizing only Ascon-128, only Ascon-128a, or standardizing both variants.
>>
>> *XOF vs. Hash functions.*NIST is considering to standardize only Ascon-XOF, which covers the use cases of both extendable output functions and hash functions.