There’s a very serious point here. Cryptographers are and always have been deeply concerned with performance. Some of the most skilled low level optimization people I know work on cryptography. It is only relatively recently that computer hardware has gotten powerful enough that cryptography isn’t a serious bottleneck for production systems. In all the recent new crypto standards, a big decision in the whittling down of the finalists was performance.If someone is telling you that we need a new, faster standard for cryptography, and the selling point is “faster,” you’d better wonder why that wasn’t the standard already in use. If there is not some novel, brand new algorithm that is being employed, the answer is because it is insecure. Or at least that it doesn’t meet the level of security for general use, which took a cryptographer is approximately the same thing.

I feel like you need to be read in, at least a little bit, into what&#x27;s going on in cryptography research before you take statements like this at face value, because a lot of pretty serious people work on lightweight cryptography constructions and primitives.(I&#x27;m not dissing Green here; I&#x27;m saying, I don&#x27;t think he meant that statement to be proxied to a generalist audience as an effective summation of lightweight cryptography).

That&#x27;s one of the tradeoffs but the most subtextual of them; the bigger tradeoff is that lightweight constructions are optimized for constrained environments, and outperform only on platforms that don&#x27;t already do a good job with things like AES. That&#x27;s the answer for why we wouldn&#x27;t &quot;just call it cryptography&quot;: things that perform well (1) on constrained platforms (2) for the kinds of messages exchanged by constrained platforms will probably tend to get their asses kicked by AES on non-constrained platforms.

I am in now way a crypto expert, just someone who enjoys casually reading about it. But in my mind even a security for speed trade off can be worthwhile. Otherwise the alternative is often: no crypto at all because it won&#x27;t run on that tiny MCU and we don&#x27;t have the budget for a hardware accelerator.

I am not up to speed on these new algorithms. I still remember there was a light weight cryptography algorithm a few years ago championed by the NSA that had a subtle (possibly deliberate) flaw in it.When dealing with cryptography it is always necessary to remember cryptography is developed and operates in an adversarial environment.

That feels too reductive.The point of these primitives is not to trade security for ease of computation. The point is to find alternatives that are just as strong as AES-128 but with less computation. The trade-off is in how long and hard people have tried to break it.

RFID tags might be rather in the area of $0.03. Other devices might have some hard memory constraints. For other targets it is rather about making hacking a bit more difficult rather that protecting sensitive data against malicious international actors. 
&gt; Devices that can benefit from its approach include RFID tags, implanted medical devices, and toll-registration transponders attached to car windshields

That would be correct if the question was ‘For a $2000 32-core desktop should we switch to lightweight cryptography’.The question is should we switch from some ridiculously insecure crappy crypto on a $3 part to this better lightweight crypto implementation.Yah, we probably should, it’s better than what we had right?

Eh, the problem with AES is side channel attacks in software implementations. They aren&#x27;t necessarily obvious, especially if you&#x27;re deploying on an oddball CPU architecture.This standard targets hardware without AES accelerators like microcontrollers. Now, realistically, ChaCha20-Poly1305 is probably a good fit for most of those use cases, but it&#x27;s not a NIST standard so from the NIST perspective it doesn&#x27;t apply. Ascon is also a fair bit faster than ChaCha20 on resource constrained hardware (1.5x-3x based on some benchmarks I found online).

Good news. We’ve waited so long that AES is pretty damn lightweight now too.

&gt; We encourage the use of this new lightweight cryptography standard wherever resource constraints have hindered the adoption of cryptography

&gt; Some protection is better than no protection.No, not really.Algorithms tend to fall pretty squarely in either the “prevent your sibling from reading your diary” or the “prevent the NSA and Mossad from reading your Internet traffic” camps.Computers get faster every year, so a cipher with a very narrow safety margin will tend to become completely broken rapidly.

This is facetious. Some protection is better than no protection.If &quot;every little bit helps&quot; is true for the environment, it&#x27;s also true for cryptography, and vice versa.

Those qualifiers in front of cryptography are very different from lightweight. Lightweight doesn’t convey a good meaning in general and that is the main issue.I haven’t looked at the lightweight crypto proposals though but if NIST is proposing it I am optimistic. If the proposals from various cryptographers around the world made through all the process it’s pretty good.

Nothing stops us from qualifying &quot;cryptography&quot; with an adjective to refer to a specific part of it, while still referring to full-fledged cryptography. See the Wikipedia article for examples.&quot;Elliptic Curve Cryptography&quot;&quot;Post-quantum cryptography&quot;&quot;Public-key cryptography&quot;<a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Cryptography" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Cryptography</a>

The IETF has published TLS cipher suites with zero cryptography, &quot;TLS 1.3 Authentication and Integrity-Only Cipher Suites&quot;:* <a href="https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;rfc9150" rel="nofollow">https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;rfc9150</a>Lightweight cryptography could be a step between the above zero and the &#x27;heavyweight&#x27; ciphers like AES.

&gt; If lightweight cryptography was a good idea, we’d just call it “cryptography.”<a href="https:&#x2F;&#x2F;x.com&#x2F;matthew_d_green&#x2F;status&#x2F;1948476801824485606" rel="nofollow">https:&#x2F;&#x2F;x.com&#x2F;matthew_d_green&#x2F;status&#x2F;1948476801824485606</a>

i too approve of their choice of cryptographic functions, if not a little miffed they didnt come to me first

They chose Ascon which is a good set of same sponge-based cryptographic functions if you don&#x27;t have hardware acceleration for AES or the CPU resources for chacha20 which is the intention of the standard. The security is 128-bits (comparable to AES-128).&lt;<a href="https:&#x2F;&#x2F;ascon.isec.tugraz.at&#x2F;specification.html" rel="nofollow">https:&#x2F;&#x2F;ascon.isec.tugraz.at&#x2F;specification.html</a>&gt;

Right, it&#x27;s a competition to standardize authenticated encryption constructions, not entire cryptosystems.

My point was that AES and SHA are not the reason IOT cryptography is so often broken or missing.
Instead its getting the keys onto the system in a halfway secure manner that is the blocking issue.Hence I&#x27;d be a lot more enthusiastic about NIST guidance on these points.

By the same token AES is useless as well, because it doesn&#x27;t address key exchange. This was not the goal of this standardization process.

The world that the algorithm targets is exactly where is this doable. MCUs typically have a protected OTP area that makes it a good place to inject keys right in the factory.

This is pretty cool. But IOT tends to fail hard on key agreement. And nothing here solves that. This seems to pretty much require a pre installed key, otherwise the overhead of securely installing a key would probably nullify the advantage of this encryption.

Also for currently-constrained platforms for which hardware updates are infeasible, software updates aren&#x27;t, and cryptographic security is currently compromised due to lack of availability of appropriate constructions.

Any remote control&#x27;s microcontroller would be in deep sleep most of the time, and computationally expensive key exchange would be rare.I have a few of these ESP-8266 remotes, and battery life is fine. <a href="https:&#x2F;&#x2F;github.com&#x2F;mcer12&#x2F;Hugo-ESP8266" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;mcer12&#x2F;Hugo-ESP8266</a>

You&#x27;d change the coin cell in an ESP32 powered garage door fob monthly... Unacceptable to most.

Are these for garage doors and doorbells? Those devices could definitely use more security (it&#x27;s not hard to stuff a proper TLS stack in a microcontroller but manufacturers balk at even putting something as cheap as a ESP32 in their BOM).

There is a lot of cryptanalysis on it: <a href="https:&#x2F;&#x2F;eprint.iacr.org&#x2F;search?q=ASCON" rel="nofollow">https:&#x2F;&#x2F;eprint.iacr.org&#x2F;search?q=ASCON</a>
Furthermore, it is not designed by NIST.

Did I miss something recent? Or are we going back to the DES days?

Yup, NIST has no business putting their names on anything cryptographic anymore.

I wonder whether this is backdoored by NSA as well

No? SHA-256 has only eight 32-bit words of state which is even less than Ascon. BLAKE2s looks the same.<a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;SHA-2" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;SHA-2</a><a href="https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;rfc7693" rel="nofollow">https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;rfc7693</a>

This says very little about the strength of the cipher.The initial state of ChaCha20 also has only at most 320 unknown bits (512 bits - 128 constant bits - 64 bits of a nonce). Actually you normally also know the counter, so there are only 256 unknown bits.Of course the actual strength of the cipher cannot exceed the size of the state, but the design strength must be much lower for this cipher. It competes with AES-128, which is designed for an 128-bit strength.320 bits of state is more than enough for a cipher that must have an 128-bit strength, or even for a cipher designed for a 256-bit strength, like AES-256 or ChaCha20.

Sponges divide state into rate (r) and capacity (c). They &quot;absorb&quot; incoming bytes, perform permutation (moving bits around without losing any of them) on the whole state, and &quot;squeeze&quot; out bytes from the rate, while capacity remains hidden.For the secure hash function, the capacity should be at least twice the target, that is for 128-bit security you need 256 bits of capacity. ASCON hash uses 256 bit capacity and 320-256 = 64 bit rate, so to get a 32-byte hash of a 8-byte string (without padding), you&#x27;ll need to do at least 4 permutations.If you can design a secure permutation that permutes 257 bits, you can make a secure, but impractical hash function from it by setting the rate to 1 bit.For the duplex mode that&#x27;s used for authenticated encryption, capacity can be lower, because it&#x27;s keyed -- it&#x27;s 192 bits in ASCON.This assumes the permutation of the 320-byte state itself is secure, of course.

Wikipedia says Ascon has 320 bits of state and uses 5 bit s-boxes. That’s tiny compared to sha-256 or Blake2. One would think a pre image attack would be much more tractable at that scale.<a href="https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Ascon_(cipher)" rel="nofollow">https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Ascon_(cipher)</a>

Your front door isn&#x27;t a hardened steel vault door... I&#x27;m assuming you still lock it.This is a bad analogy, even it it&#x27;s apt. Only in that an encryption scheme can be technically weaker than another, but still plenty secure. As long as it does the job and hasn&#x27;t been broken.For example, part of the spec is simply hashing and packet signing... not necessarily making the packets secret, but authenticating the origin&#x2F;source. It isn&#x27;t necessarily about creating the most secure vault in the world, but securing what might otherwise be completely insecure channels of communications&#x2F;attack. It&#x27;s also not about a $1000 smart phone, but a micro controller that&#x27;s a fraction of a dollar on devices that have a total BoM that is very low cost or small.

If these primitives are less resource intensive than what we use today with the same level of security, then why don&#x27;t we just use these everywhere? If they are not as secure, then why would be use these anywhere?

Why not use chacha20 or xtea for embedded devices? They are lighter than AES..

While I know people where a little sceptical of it. I honestly liked the speck cipher that was published.This cipher is a lot more heavy.

&quot;Lightweight&quot; here doesn&#x27;t stop it from proper cryptography. In this case, the qualifier doesn&#x27;t take away from the original meaning, just focuses it on a subset. Like &quot;public-key cryptography&quot;.

A land shanty is just called a song. 
It&#x27;s protective cryptography or not. Binary.

Really glad a sponge function won, they are a big step forward in terms of crypto engineering!

NIST Finalizes 'Lightweight Cryptography' Standard to Protect Small Devices