Standardization issues
McKay, Kerry A. (Fed)
Dear all,
NIST hosted the Sixth Lightweight Cryptography Workshop (virtual) on June 21-22, 2023 to explain the selection process and to discuss various aspects of standardization
of the Ascon family. The slides and the videos are available online: https://csrc.nist.gov/events/2023/lightweight-cryptography-workshop-2023
During the workshop, the NIST lightweight cryptography team received a number of suggestions for the standardization phase. We would like to raise some of the issues in this and upcoming emails to receive more public feedback.
AEAD variants. The Ascon family includes two recommended AEAD variants: Ascon-128 (primary) and Ascon-128a. Our first decision is to decide which AEAD variants to include in the draft standard. This is a choice between standardizing only Ascon-128, only Ascon-128a, or standardizing both variants.
XOF vs. Hash functions. NIST is considering to standardize only Ascon-XOF, which covers the use cases of both extendable output functions and hash functions.
Suggestions and comments on these decision points are welcome.
Thanks,
Kerry
Robert Moskowitz
--
To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum
---
To unsubscribe from this group and stop receiving emails from it, send an email to lwc-forum+...@list.nist.gov.
Robert Moskowitz
Owner
HTT Consulting
C: 248-219-2059
F: 248-968-2824
E: r...@labs.htt-consult.com
There's no limit to what can be accomplished if it doesn't matter who gets the credit
John Mattsson
Hi,
- Regarding Ascon-128 (primary) and Ascon-128a I don't think NIST should standardize both variants unless
there is a strong reason to do so. I have not seen any arguments for standardizing both.
- Regarding Ascon-XOF I strongly think NIST should only standardize Ascon-XOF. I also strongly think NIST should use the term "variable-length hash function". NIST already uses this term several times in SP 800-185.
Cheers,
John
Wiemer Friedrich (XC-AN/ECS1)
Regarding XOF vs Hash functions, I do think a XOF variant would be sufficient, too.
Besides these, for the automotive industry an option for authentication-only that does not require a nonce-input, i.e. cannot be misused by failing to handle nonces correctly, would be very helpful I think.
I’d appreciate an Ascon-MAC as part of the standard.
Mit freundlichen Grüßen / Best regards
Dr. Friedrich Wiemer
Engineering Cyber Security (XC-AN/ECS1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart |
GERMANY | www.bosch.com
Mobile +49 1522 4695820 | Friedric...@de.bosch.com
Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart, HRB 14000;
Chairman of the Supervisory Board: Prof. Dr. Stefan Asenkerschbaumer; Managing Directors: Dr. Stefan Hartung,
Dr. Christian Fischer, Dr. Markus Forschner, Stefan Grosch, Dr. Markus Heyn, Dr. Tanja Rückert
On July 19, 2023 1:34:55 PM UTC, Robert Moskowitz <r...@labs.htt-consult.com> wrote:
>I have already stated my preference for XOF only. It is all that I use of the SHA3 family in my protocol designs.
>
>
>On 7/19/23 09:26, 'McKay, Kerry A. (Fed)' via lwc-forum wrote:
>>
>> Dear all,
>>
>>
>> NIST hosted the Sixth Lightweight Cryptography Workshop (virtual) on June 21-22, 2023 to explain the selection process and to discuss various aspects of standardization of the Ascon family. The slides and the videos are available online: https://csrc.nist.gov/events/2023/lightweight-cryptography-workshop-2023
>>
>> During the workshop, the NIST lightweight cryptography team received a number of suggestions for the standardization phase. We would like to raise some of the issues in this and upcoming emails to receive more public feedback.
>>
>> *AEAD variants.*The Ascon family includes two recommended AEAD variants: Ascon-128 (primary) and Ascon-128a. Our first decision is to decide which AEAD variants to include in the draft standard. This is a choice between standardizing only Ascon-128, only Ascon-128a, or standardizing both variants.
>>
>> *XOF vs. Hash functions.*NIST is considering to standardize only Ascon-XOF, which covers the use cases of both extendable output functions and hash functions.
Arne Padmos
During the open discussion at the LWC 2023 workshop, besides the options
of standardising Ascon-128, Ascon-128a, or both, the option of
standardising both with aligned round numbers was mentioned.
Specifically, it was stated that 'Ascon-128a uses more rounds, but we
could make it so that we get the higher rate and we keep the same round
number'. As the slides mention aligning to b=8 rounds, I take this to
statement to mean increasing the round number of the primary variant so
that both variants are aligned (i.e. not an Ascon-128 variant with a
higher rate). Is that option still on the table or has it already been
excluded? I'm not saying picking more than one variant is a good idea,
just wondering what happened to those plans.
Regards,
Arne
On 2023-07-24 22:59, 'Wiemer Friedrich (XC-AN/ECS1)' via lwc-forum
wrote:
> sufficient, too.
>
>
>
> Besides these, for the automotive industry an option for
> authentication-only that does not require a nonce-input, i.e. cannot
> be misused by failing to handle nonces correctly, would be very
> helpful I think.
>
> I’d appreciate an Ascon-MAC as part of the standard.
>
> Mit freundlichen Grüßen / Best regards
>
> Dr. Friedrich Wiemer
>
> Engineering Cyber Security (XC-AN/ECS1)
> Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY |
> www.bosch.com
> Mobile +49 1522 4695820 |
> Registered Office: Stuttgart, Registration Court: Amtsgericht
> Stuttgart, HRB 14000;
> Chairman of the Supervisory Board: Prof. Dr. Stefan Asenkerschbaumer;
> Managing Directors: Dr. Stefan Hartung,
> Dr. Christian Fischer, Dr. Markus Forschner, Stefan Grosch, Dr. Markus
> Heyn, Dr. Tanja Rückert
>
>
>
>
> On July 19, 2023 1:34:55 PM UTC, Robert Moskowitz
Arne Padmos
On your note that you would 'appreciate an Ascon-MAC as part of the
standard' and that 'an option for authentication-only that does not
require a nonce-input [...] would be very helpful': are you referring to
a specific MAC variant published in https://eprint.iacr.org/2021/1574,
to any of the variants presented by Khairallah & Yadhunathan at the LWC
2023 workshop, or to something different? Relatedly, could you share
some insights into the kinds of messages your process, their sizes and
number, and any protocols they are part of?
Regards,
Arne
On 2023-07-24 22:59, 'Wiemer Friedrich (XC-AN/ECS1)' via lwc-forum
wrote:
> sufficient, too.
>
>
>
> Besides these, for the automotive industry an option for
> authentication-only that does not require a nonce-input, i.e. cannot
> be misused by failing to handle nonces correctly, would be very
> helpful I think.
>
> I’d appreciate an Ascon-MAC as part of the standard.
>
> Mit freundlichen Grüßen / Best regards
>
> Dr. Friedrich Wiemer
>
> Engineering Cyber Security (XC-AN/ECS1)
> Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY |
> www.bosch.com
> Mobile +49 1522 4695820 |
> Registered Office: Stuttgart, Registration Court: Amtsgericht
> Stuttgart, HRB 14000;
> Chairman of the Supervisory Board: Prof. Dr. Stefan Asenkerschbaumer;
> Managing Directors: Dr. Stefan Hartung,
> Dr. Christian Fischer, Dr. Markus Forschner, Stefan Grosch, Dr. Markus
> Heyn, Dr. Tanja Rückert
>
>
>
>
> On July 19, 2023 1:34:55 PM UTC, Robert Moskowitz
McKay, Kerry A. (Fed)
At this time, there has not been a final decision on which variants will be standardized. The option to align the round numbers is still a possibility if we standardize both AEAD variants.
Regards,
Kerry
> Mobile +49 1522 4695820 |
> Friedric...@de.bosch.com <mailto:Friedric...@de.bosch.com><mailto:Friedric...@de.bosch.com <mailto:Friedric...@de.bosch.com>>
> Registered Office: Stuttgart, Registration Court: Amtsgericht
> Stuttgart, HRB 14000;
> Chairman of the Supervisory Board: Prof. Dr. Stefan Asenkerschbaumer;
> Managing Directors: Dr. Stefan Hartung,
> Dr. Christian Fischer, Dr. Markus Forschner, Stefan Grosch, Dr. Markus
> Heyn, Dr. Tanja Rückert
>
>
>
>
> On July 19, 2023 1:34:55 PM UTC, Robert Moskowitz
>
>> I have already stated my preference for XOF only. It is all that I
>> use of the SHA3 family in my protocol designs.
>
>>
>
>>
>
>> On 7/19/23 09:26, 'McKay, Kerry A. (Fed)' via lwc-forum wrote:
>
>>>
>
>>> Dear all,
>
>>>
>
>>>
>
>>> NIST hosted the Sixth Lightweight Cryptography Workshop (virtual) on
>>> June 21-22, 2023 to explain the selection process and to discuss
>>> various aspects of standardization of the Ascon family. The slides
>>> and the videos are available online:
>>>
>
>>> During the workshop, the NIST lightweight cryptography team received
>>> a number of suggestions for the standardization phase. We would like
>>> to raise some of the issues in this and upcoming emails to receive
>>> more public feedback.
>
>>>
>
>>> *AEAD variants.*The Ascon family includes two recommended AEAD
>>> variants: Ascon-128 (primary) and Ascon-128a. Our first decision is
>>> to decide which AEAD variants to include in the draft standard. This
>>> is a choice between standardizing only Ascon-128, only Ascon-128a, or
>>> standardizing both variants.
>
>>>
>
>>> *XOF vs. Hash functions.*NIST is considering to standardize only
>>> Ascon-XOF, which covers the use cases of both extendable output
>>> functions and hash functions.
>
>>>
>
>>>
>
>>> Suggestions and comments on these decision points are welcome.
>
>>>
>
>>>
>
>>> Thanks,
>
>>>
>
>>> Kerry
>
>>>
To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov <mailto:lwc-forum+...@list.nist.gov>
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum <https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum>
Wiemer Friedrich (XC-AN/ECS1)
I did not refer to any specific variant, https://eprint.iacr.org/2021/1574 would probably be fine (to be honest I haven't checked them in detail).
There was a talk at the CAN in Automative Member Day ("CANsec data link layer add-on function", by Infineon), which sketched the use of Ascon in the CANsec protocol, that is currently developed for CAN XL: https://www.can-cia.org/about-us/general-assembly/cia-member-day/
Sadly, I'm not aware of any public source for the slides of the talk.
There is however some information on CANsec available, see e.g. here: https://www.renesas.com/eu/en/blogs/art-networking-series-8-cansec-can-xl-layer-2-security-protocol, but Ascon is not mentioned in that blog post, b/c. the discussion started afterwards only.
You can get an idea on the payload sizes from it: it ranges from (0 byte data payload + header size overhead) to (2048 byte data payload + CAN XL header size overhead). There is some info on CAN XL available as well, see e.g. here: https://www.can-cia.org/can-knowledge/can/can-xl/.
Another use case one could image is an application for legacy busses such as Classic CAN (8 byte payload + header overhead messages) or CAN FD (64 byte payload + header overhead messages).
Mit freundlichen Grüßen / Best regards
Dr. Friedrich Wiemer
Engineering Cyber Security (XC-AN/ECS1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY | www.bosch.com
Mobile +49 1522 4695820 | Friedric...@de.bosch.com
Chairman of the Supervisory Board: Prof. Dr. Stefan Asenkerschbaumer; Managing Directors: Dr. Stefan Hartung,
Dr. Christian Fischer, Dr. Markus Forschner, Stefan Grosch, Dr. Markus Heyn, Dr. Tanja Rückert
From: Arne Padmos <h...@arnepadmos.com>
Sent: Donnerstag, 3. August 2023 23:54
To: Wiemer Friedrich (XC-AN/ECS1) <Friedric...@de.bosch.com>
Cc: lwc-...@list.nist.gov
Subject: Re: [lwc-forum] Standardization issues
On your note that you would 'appreciate an Ascon-MAC as part of the standard' and that 'an option for authentication-only that does not require a nonce-input [...] would be very helpful': are you referring to a specific MAC variant published in https://eprint.iacr.org/2021/1574 to any of the variants presented by Khairallah & Yadhunathan at the LWC 2023 workshop, or to something different? Relatedly, could you share some insights into the kinds of messages your process, their sizes and number, and any protocols they are part of?
>>> rc.nist.gov%2Fevents%2F2023%2Flightweight-cryptography-workshop-2023
>>> &data=05%7C01%7CFriedrich.Wiemer%40de.bosch.com%7C07f27871c82e41a798
>>> 1d08db946c2e6c%7C0ae51e1907c84e4bbb6d648ee58410f4%7C0%7C0%7C63826696
>>> 4597763876%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luM
>>> zIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=b1h6mXCK5Vlj
>>> K3eq6pMzcq1QC3rWysyrBR7V7IDemmk%3D&reserved=0