NIST finalises IoT cryptography standard

  • August 22, 2025
  • William Payne

The US National Institute of Standards and Technology (NIST) has finalised a lightweight cryptography standard to protect IoT and embedded electronics from cyberattack.

The Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST Special Publication 800-232) contains tools designed to protect information created and transmitted by IoT and electronic devices such as RFID tags and medical implants.

To defend very small electronic devices with limited compute and memory, NIST has opted for a lightweight cryptography approach based on the Ascon family of cryptographic algorithms. NIST selected the Ascon family in 2023 as the basis for its lightweight cryptography standard after a multi-round public review process.

Ascon was developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies and Radboud University. In 2019 it emerged as the primary choice for lightweight encryption in the CAESAR competition, a sign that Ascon had withstood years of examination by cryptographers.

The Ascon cryptography family

In the standard are four variants from the Ascon cryptography family. These give designers different options for different use cases. The variants focus on two of the main tasks of lightweight cryptography: authenticated encryption with associated data (AEAD); and hashing.

ASCON-128 AEAD is designed for when a device needs to encrypt its data, verify the authenticity of the data, or both. The aim is particularly to defend against side-channel attacks, to which small devices are especially vulnerable. Side-channel attacks occur when attackers extract sensitive information by observing physical characteristics such as power consumption or timing. No cryptographic algorithm is inherently immune to such attacks. However, ASCON is designed to support side-channel-resistant implementations more easily than many traditional algorithms. Devices that can benefit from its approach include RFID tags, implanted medical devices, and toll-registration transponders attached to car windshields.

ASCON-Hash 256 takes all the data it encrypts and uses it to create a short “hash” a few characters long, which functions like a fingerprint of the data. A small change to the original data results in a recognisable change in the hash. This makes the algorithm useful for maintaining data integrity, for example during software updates, to ensure that no malware has been installed. It can also protect passwords and digital signatures used in online bank transfers.

It is a lightweight alternative to NIST’s SHA-3 family of hash algorithms, which are used for many of the same purposes.

Crypto Hashing and Labelling

ASCON-XOF 128 and ASCON-CXOF 128 are hash functions that allow the user to change the size of the hash. This benefits small devices as shorter hashes allow the device to spend less time and energy on the encryption process.

The CXOF variant adds the ability to attach a customised “label” a few characters long to the hash. If many small devices perform the same encryption operation, there is a small but significant chance that two of them could output the same hash, which would help attackers defeat the encryption. Adding customised labels allows users to sidestep this potential problem.
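The adjustable output size and the customised label can be seen in a short added example, which is not part of the original article or of the NIST standard. Python's standard library has no Ascon implementation, so SHAKE128 stands in for the extendable-output function; the label encoding (a one-byte length prefix), the function names and the sample reading are assumptions made for this illustration.

```python
import hashlib

# Constructed sample input: the same sensor reading produced by two devices.
READING = b"temp=21.5;seq=0007"

def xof(data: bytes, out_len: int) -> bytes:
    """Variable-length digest. SHAKE128 is a stand-in for Ascon-XOF128."""
    return hashlib.shake_128(data).digest(out_len)

def cxof(label: bytes, data: bytes, out_len: int) -> bytes:
    """Labelled variable-length digest (stand-in for the CXOF idea).

    The label is length-prefixed so the boundary between label and data is
    unambiguous. This encoding is an assumption of the example.
    """
    if len(label) > 255:
        raise ValueError("label too long for the 1-byte length prefix")
    framed = bytes([len(label)]) + label + data
    return hashlib.shake_128(framed).digest(out_len)

def naive_cxof(label: bytes, data: bytes, out_len: int) -> bytes:
    """Weak variant: plain concatenation, kept only for comparison."""
    return hashlib.shake_128(label + data).digest(out_len)

def demo() -> dict:
    checks = {}
    # The caller picks the output size; a short output is a prefix of a
    # longer one, so output length alone does not separate two uses.
    checks["short_is_prefix_of_long"] = xof(READING, 32).startswith(xof(READING, 8))
    # Without a label, identical inputs on two devices give identical output.
    device_a, device_b = xof(READING, 16), xof(READING, 16)
    checks["unlabelled_outputs_equal"] = device_a == device_b
    # With per-device labels the outputs are unrelated.
    checks["labelled_outputs_differ"] = (
        cxof(b"meter-A", READING, 16) != cxof(b"meter-B", READING, 16))
    # Plain concatenation lets different (label, data) pairs collide.
    checks["naive_concat_collides"] = (
        naive_cxof(b"ab", b"c", 16) == naive_cxof(b"a", b"bc", 16))
    checks["length_prefix_separates"] = (
        cxof(b"ab", b"c", 16) != cxof(b"a", b"bc", 16))
    return checks

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
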

NIST has listened to community feedback and has aimed to provide a standard that is easy to implement. The standards body is looking to add further capabilities in future. These include adding a dedicated message authentication code.