Lightweight Cryptography Standard for IoT - November 2023 IEEE Presentation

 
doc.: IEEE 802.11-23/2069r1
November 2023
Florian Mendel, Infineon Technologies

Slide 1: Ascon: The Lightweight Cryptography Standard for IoT
Date: 2023-11-15

Authors:
Florian Mendel, Infineon Technologies, Neubiberg, DE, florian.mendel@infineon.com
Martin Schläffer, Infineon Technologies, Neubiberg, DE, martin.schlaeffer@infineon.com
Hui Luo, Infineon Technologies, New Jersey, USA, hui.luo@infineon.com
Rakesh Taori, Infineon Technologies, Texas, USA, rakesh.taori@infineon.com
 
Slide 2: Motivation
 
Slide 3: Internet of Things
- There are over 15 billion connected IoT devices worldwide; this number is expected to double by 2030
- Increasing number of devices running on battery power
- Connected devices are subject to an increased attack surface
  - Devices connected to the Internet can be attacked if not properly protected
  - Each connected device adds a doorway for attackers
- Strong need to protect data on IoT devices
  - Secured data storage
  - Secured communication
- Palo Alto Networks 2020 IoT Threat Report: 98% of all IoT device traffic is unencrypted!
 
Slide 4: NIST selects Ascon as the standard to protect small devices
- The algorithms are designed to protect data created and transmitted by the Internet of Things and other small electronics.
- NIST LWC competition (2019-2023)
  - Authenticated encryption and hashing
  - 57 submissions, 3 rounds, 1 winner
  - https://csrc.nist.gov/projects/lightweight-cryptography
  - Inspired by the NIST AES, SHA-3 and PQC competitions
 
Slide 5: Why Ascon? We have AES and SHA!
- Ascon provides authenticated encryption and hashing with minimal overhead
- Security level comparable to AES-128, SHA-256 and SHAKE128
- More efficient on low-end devices (Ascon-128 vs AES128-GCM)
  - Up to 3-5x speed on microcontrollers
  - Up to 2x throughput at 0.5x energy in hardware
- Very efficient to protect against physical attacks
  - No table lookups, easy to mask, key used less often
- Ascon makes it possible to secure data where this was too costly before (energy, area, latency)
 
Slide 6: Ascon in 802.11
Alternative to AES GCMP-128
Slide 7: AES GCMP (128 or 256): Encapsulation and encryption
1. Increment the PN to obtain a fresh, nonzero PN for each MPDU, so that the PN never repeats for the same temporal key. Retransmitted MPDUs are not modified on retransmission.
2. Use the fields in the MPDU header to construct the additional authentication data (AAD) for GCM. GCM provides integrity protection for the fields included in the AAD. MPDU header fields that might change on retransmission are muted by masking them out when calculating the AAD.
3. Construct the GCM nonce from the PN and A2, where A2 is MPDU Address 2.
4. Construct the GCMP header.
5. Use the temporal key (16/32 octets), AAD (22-30 octets or 16-28 octets), nonce (12 octets), and MPDU data to form the ciphertext and the MIC. This step is known as GCM originator processing.
6. Form the encrypted MPDU by combining the original MPDU header, the GCMP header, the encrypted data and the MIC.
NIST SP 800-38D describes the GCM authenticated encryption function: given a key, nonce, AAD, and plaintext it produces ciphertext and a tag (the MIC).
(Overlay on the slide: "Ascon encryption", marking the AEAD step Ascon would take over.)
 
Slide 8: AES GCMP (128 or 256): Decryption and decapsulation
1. The encrypted MPDU is parsed to construct the AAD and the GCM nonce.
2. The MIC is extracted for use in GCM integrity checking.
3. GCM recipient processing uses the temporal key (16/32 octets), AAD (22-30 octets or 16-28 octets), GCM nonce (12 octets), MIC, and MPDU ciphertext data to recover the MPDU plaintext and to check the integrity of the AAD and MPDU plaintext by checking the MIC. This is done by comparing the received MIC with a MIC calculated as described in GCMP cryptographic encapsulation. The plaintext is returned only if the MIC check succeeds.
4. The received MPDU header and the MPDU plaintext from GCM recipient processing are concatenated to form a plaintext MPDU.
5. The decryption processing prevents replay of MPDUs by validating that the PN in the MPDU is greater than the replay counter maintained for the session.
(Overlay on the slide: "Ascon decryption", marking the AEAD step Ascon would take over.)
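The encapsulation and decapsulation procedure of slides 7 and 8, written out as runnable code. This is an added example for this page, not code from the authors, Infineon or IEEE 802.11. Everything below is this example's own simplification: the MPDU header model and its masking rules, a GCMP header that carries only the PN, and a stand-in AEAD (SHAKE128 keystream plus HMAC-SHA256 tag) that exists only so the framing logic runs offline. That stand-in is neither GCM nor Ascon and must not be used for real traffic; the point is the PN handling, nonce and AAD construction, MIC-before-plaintext ordering and replay check, with the AEAD as a pluggable parameter so an Ascon-128 implementation with the same interface can be slotted in.

```python
"""GCMP-style MPDU encapsulation/decapsulation with a pluggable AEAD (added example)."""
import hashlib
import hmac

PN_LEN = 6                      # 48-bit packet number, as in 802.11 CCMP/GCMP
MAX_PN = (1 << (8 * PN_LEN)) - 1

# --- stand-in AEAD, assumption of this example only (not GCM, not Ascon) ---
def _stand_in_tag(key, nonce, aad, ct):
    msg = nonce + len(aad).to_bytes(4, "big") + aad + ct
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def stand_in_aead_encrypt(key, nonce, aad, pt):
    ks = hashlib.shake_128(key + nonce).digest(len(pt))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return ct, _stand_in_tag(key, nonce, aad, ct)

def stand_in_aead_decrypt(key, nonce, aad, ct, tag):
    if not hmac.compare_digest(_stand_in_tag(key, nonce, aad, ct), tag):
        return None                                   # plaintext only after the MIC check
    ks = hashlib.shake_128(key + nonce).digest(len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def build_aad(hdr):
    """AAD = masked Frame Control || A1 || A2 || A3 || masked Sequence Control.
    Fields that change on retransmission are muted: Retry (bit 11), Power Management
    (12) and More Data (13) are cleared, Protected Frame (14) is forced to 1, and only
    the fragment number of Sequence Control is kept (simplified 802.11 masking)."""
    fc = (hdr["fc"] & ~0x3800 & 0xFFFF) | 0x4000
    sc = hdr["sc"] & 0x000F
    return fc.to_bytes(2, "little") + hdr["a1"] + hdr["a2"] + hdr["a3"] + sc.to_bytes(2, "little")

class Sender:
    def __init__(self, temporal_key, aead=stand_in_aead_encrypt):
        self.tk, self.aead, self.pn = temporal_key, aead, 0

    def encapsulate(self, hdr, payload):
        if self.pn >= MAX_PN:                         # never let the PN wrap under one key
            raise RuntimeError("PN space exhausted: rekey the temporal key")
        self.pn += 1                                  # fresh, nonzero PN per MPDU
        pn_bytes = self.pn.to_bytes(PN_LEN, "big")
        nonce = hdr["a2"] + pn_bytes                  # 12-octet nonce = A2 || PN
        ct, mic = self.aead(self.tk, nonce, build_aad(hdr), payload)
        return {"hdr": hdr, "gcmp_hdr": pn_bytes, "data": ct, "mic": mic}

class Receiver:
    def __init__(self, temporal_key, aead=stand_in_aead_decrypt):
        self.tk, self.aead, self.replay_counter = temporal_key, aead, 0

    def decapsulate(self, mpdu):
        hdr, pn_bytes = mpdu["hdr"], mpdu["gcmp_hdr"]
        pn = int.from_bytes(pn_bytes, "big")
        if pn <= self.replay_counter:
            return None                               # replay: PN must exceed the counter
        pt = self.aead(self.tk, hdr["a2"] + pn_bytes, build_aad(hdr), mpdu["data"], mpdu["mic"])
        if pt is None:
            return None                               # bad MIC: drop, counter untouched
        self.replay_counter = pn                      # advance only after a verified MPDU
        return pt

def demo():
    """Constructed traffic: two normal MPDUs, a replay of the first, a retransmission
    with the Retry bit set, a tampered MPDU, then the untampered original of it.
    Returns the receiver's outputs in that order."""
    tk = bytes(range(16))                             # constructed temporal key
    hdr = {"fc": 0x0088, "a1": bytes.fromhex("001122334455"), "a2": bytes.fromhex("66778899aabb"),
           "a3": bytes.fromhex("ccddeeff0011"), "sc": 0x0150}
    tx, rx = Sender(tk), Receiver(tk)
    m1, m2 = tx.encapsulate(hdr, b"hello"), tx.encapsulate(hdr, b"world")
    out = [rx.decapsulate(m1), rx.decapsulate(m2), rx.decapsulate(m1)]
    m3 = tx.encapsulate(hdr, b"again")
    m3["hdr"] = dict(hdr, fc=hdr["fc"] | 0x0800)    # Retry set on the air; AAD masks it
    out.append(rx.decapsulate(m3))
    m4 = tx.encapsulate(hdr, b"x")
    tampered = dict(m4, data=bytes([m4["data"][0] ^ 1]) + m4["data"][1:])
    out += [rx.decapsulate(tampered), rx.decapsulate(m4)]   # forgery fails, original still OK
    return out

if __name__ == "__main__":
    print(demo())
```

Two details matter in practice and are easy to get wrong: the replay counter is advanced only after the MIC verifies, so a forged frame with a high PN cannot push the counter forward and silently drop the sender's genuine frames; and the Retry bit is masked out of the AAD, so a retransmitted MPDU (same PN, same ciphertext) still verifies but is then rejected by the replay check once the original has been accepted.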
 
Slide 9: Ascon: Authenticated encryption
Ascon-128 and Ascon-128a
 
Slide 10: Ascon: Simple round function
(Figure: the five 64-bit state words x0..x4 pass through the S-box layer and then the linear layer.)
 
Slide 11: Properties of the permutation
- Strong security properties: high diffusion and proven bounds
- Simplicity: small 320-bit state size, defined on five 64-bit words, using bitwise Boolean functions
- Flexible in hardware: from small area to high speed
- Fast in software: up to 5 instructions in parallel; bit-sliced S-box (64 in parallel); bit-interleaving on 32-bit processors
- Very efficient SCA countermeasures: no S-box table look-ups; easy to mask in HW and SW; lower randomness requirements
 
Slide 12: Ascon-128: Authenticated encryption
Encryption & Authentication: (K, N, A, M) → (C, T)
 
Slide 13: Ascon-128: Authenticated decryption
Decryption & Verification: (K, N, A, C, T) → {M, ⊥} (the plaintext M, or ⊥ if the tag does not verify)
 
Slide 14: Ascon-128 vs Ascon-128a
- Same security, different trade-off (block size vs. number of rounds)
- Both scrutinized for years in cryptographic competitions
- Most security analysis applies to both algorithms
- Tight security proof for Ascon: https://eprint.iacr.org/2023/775
- Ascon-128a: 33% more performance, more rounds, larger rate
- Ascon-128: higher robustness in case of state recovery: https://eprint.iacr.org/2023/796
 
Slide 15: Ascon: Hash and eXtendable-Output Function
Ascon-Hash and Ascon-XOF
 
Slide 16: Ascon Hash / XOF
- Ascon provides hashing at low overhead
- Similar structure, same permutation as the AEAD
- Hash: fixed output size (e.g. 256 bits)
- XOF: variable output size
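A reference model of what slides 10 to 13 and 16 describe: the 320-bit permutation (round constant, bit-sliced S-box over five 64-bit words, linear layer of two rotations per word), Ascon-128 encryption and verified decryption, and Ascon-Hash/Ascon-XOF on the same permutation. This is an added example for this page, not the designers' or Infineon's implementation. It follows the public Ascon v1.2 parameters (IVs, 64-bit rate, 12/6 rounds) as submitted to NIST LWC; the function names are this example's own. It is written for reading and testing, not for deployment: plain Python is neither constant-time nor masked, which is exactly the class of protection slide 11 says the design makes cheap in real implementations.

```python
"""Ascon-128 AEAD and Ascon-Hash/XOF, v1.2 parameters, pure Python (added example)."""
import hmac

MASK64 = (1 << 64) - 1
RATE = 8                                  # 64-bit rate for Ascon-128, -Hash and -XOF
IV_AEAD = 0x80400C0600000000              # k=128, r=64, a=12, b=6
IV_HASH = 0x00400C0000000100              # r=64, a=b=12, h=256
IV_XOF = 0x00400C0000000000               # as hash, but h=0: arbitrary-length output

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def permutation(s, rounds):
    """p^rounds on the state s = [x0..x4] (five 64-bit words), in place."""
    for r in range(12 - rounds, 12):
        s[2] ^= ((0xF - r) << 4) | r                       # round constant into x2
        s[0] ^= s[4]; s[4] ^= s[3]; s[2] ^= s[1]           # S-box layer, bit-sliced:
        t = [(~s[i] & MASK64) & s[(i + 1) % 5] for i in range(5)]  # 64 S-boxes at once
        for i in range(5):
            s[i] ^= t[(i + 1) % 5]
        s[1] ^= s[0]; s[0] ^= s[4]; s[3] ^= s[2]; s[2] = ~s[2] & MASK64
        s[0] ^= _rotr(s[0], 19) ^ _rotr(s[0], 28)          # linear layer: each word is
        s[1] ^= _rotr(s[1], 61) ^ _rotr(s[1], 39)          # XORed with two rotations
        s[2] ^= _rotr(s[2], 1) ^ _rotr(s[2], 6)
        s[3] ^= _rotr(s[3], 10) ^ _rotr(s[3], 17)
        s[4] ^= _rotr(s[4], 7) ^ _rotr(s[4], 41)
    return s

def _pad(data):
    """10* padding to a whole number of rate blocks (always adds at least one byte)."""
    return data + b"\x80" + b"\x00" * (RATE - len(data) % RATE - 1)

def _blocks(data):
    return [int.from_bytes(data[i:i + RATE], "big") for i in range(0, len(data), RATE)]

def _init(key, nonce, ad):
    k0, k1 = _blocks(key)
    s = [IV_AEAD, k0, k1] + _blocks(nonce)                 # IV || K || N
    permutation(s, 12)
    s[3] ^= k0; s[4] ^= k1                                 # key XORed into the capacity
    if ad:                                                 # AD absorbed only if non-empty
        for a in _blocks(_pad(ad)):
            s[0] ^= a; permutation(s, 6)
    s[4] ^= 1                                              # domain separation AD/plaintext
    return s, k0, k1

def _finalize(s, k0, k1):
    s[1] ^= k0; s[2] ^= k1                                 # key into x1, x2 (r=64, k=128)
    permutation(s, 12)
    return (s[3] ^ k0).to_bytes(8, "big") + (s[4] ^ k1).to_bytes(8, "big")

def ascon128_encrypt(key, nonce, ad, pt):
    """(K, N, A, M) -> (C, T). N must never repeat under the same K."""
    s, k0, k1 = _init(key, nonce, ad)
    blocks, ct = _blocks(_pad(pt)), b""
    for i, p in enumerate(blocks):
        s[0] ^= p
        ct += s[0].to_bytes(8, "big")
        if i < len(blocks) - 1:                            # no permutation after last block
            permutation(s, 6)
    return ct[:len(pt)], _finalize(s, k0, k1)

def ascon128_decrypt(key, nonce, ad, ct, tag):
    """(K, N, A, C, T) -> M, or None when the tag does not verify."""
    s, k0, k1 = _init(key, nonce, ad)
    full, pt = len(ct) - len(ct) % RATE, b""
    for c in _blocks(ct[:full]):
        pt += (s[0] ^ c).to_bytes(8, "big")
        s[0] = c                                           # ciphertext replaces the rate
        permutation(s, 6)
    ks = s[0].to_bytes(8, "big")
    last = bytes(a ^ b for a, b in zip(ks, ct[full:]))     # partial (maybe empty) block
    s[0] ^= _blocks(_pad(last))[0]
    if not hmac.compare_digest(_finalize(s, k0, k1), tag):
        return None                                        # never release unverified data
    return pt + last

def ascon_xof(msg, outlen, iv=IV_XOF):
    """Sponge hashing on the same permutation: absorb with p^12, squeeze 8 bytes per p^12."""
    s = [iv, 0, 0, 0, 0]
    permutation(s, 12)
    for m in _blocks(_pad(msg)):
        s[0] ^= m; permutation(s, 12)
    out = b""
    while len(out) < outlen:
        out += s[0].to_bytes(8, "big")
        if len(out) < outlen:
            permutation(s, 12)
    return out[:outlen]

def ascon_hash(msg):
    """Ascon-Hash: fixed 256-bit output, distinguished from the XOF only by its IV."""
    return ascon_xof(msg, 32, iv=IV_HASH)
```

The first entries of the NIST LWC known-answer files are a convenient check: Ascon-128 with key and nonce both 00..0F, empty plaintext and empty AD gives the tag E355159F292911F794CB1432A0103A8A, and Ascon-Hash of the empty message starts 7346BC14. Two caveats: the hash and the XOF differ only in the IV, so they give different digests for the same input, which is intentional domain separation; and the later NIST SP 800-232 draft changed the byte ordering and IVs relative to v1.2, so its test vectors will not match this model.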
 
Slide 17: Implementations
Fast and small
 
Slide 18: ASIC hardware benchmarks
Throughput in [bits/cycle]; source: https://eprint.iacr.org/2021/049

Algorithm     Throughput   Area   Throughput/Area
Ascon-128a    25.60        1.49   17.18
Ascon-128     16.00        1.56   10.25
AES128-GCM    11.63        2.75    4.22
(The area unit is not given on the slide; the last column is the ratio of the first two.)
 
Slide 19: Embedded implementations
Source: https://lwc.las3.de/

Time to process the NIST test vectors in [µs]
Algorithm     Uno    F1     ESP    F7     R5
Ascon-128a    1981   66.4   18.4   11.8   7.3
Ascon-128     2337   76.7   22.3   13.8   8.5
AES128-GCM    -      332.8  67.2   35.8   23.7

Code size in [bytes]
Algorithm     Uno    F1     ESP    F7     R5
Ascon-128a    2544   2252   1200   1240   1792
Ascon-128     2552   2157   1120   1180   1792
AES128-GCM    -      9908   14832  9836   14272
 
Slide 20: Ascon hardware extensions/instructions
- A Fast and Compact RISC-V Accelerator for RV32 (also ARM): https://eprint.iacr.org/2020/1083
  - RI5CY Ascon with 4.7 kGE: speedup factor 50x
  - Reuses 10 registers of the CPU register file
- ARM Custom Datapath Extension, RISC-V Bitmanip Extension, ...
  - 32-bit funnel shift instructions (RV32B: FSRI, ESP32: SRC)
  - 32-bit interleaving instructions (RV32B: ZIP/UNZIP, ARM CDE: CX3)
  - Fused AND/XOR, BIC/XOR instructions (ARM A64: BCAX, ARM CDE: CX3A)
  - SHA-2-like Sigma instructions (ARM CDE: CX3DA)
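The bit-interleaving technique that slide 11 lists for 32-bit processors and that the ZIP/UNZIP and funnel-shift instructions of slide 20 accelerate, worked through as an added example (this page's own code, not the authors' or any ISA vendor's). Each 64-bit state word is stored as two 32-bit halves, one holding its even-numbered bits and one its odd-numbered bits; a 64-bit rotation then becomes two independent 32-bit rotations with no carry across a register pair, which is why the linear layer maps well onto a 32-bit core. The `interleave`/`deinterleave` loops below are the software equivalent of what ZIP/UNZIP do in one instruction; on a real target they run once at load/store time and the state stays interleaved throughout.

```python
"""Bit-interleaved 64-bit rotations for Ascon's linear layer on 32-bit cores (added example)."""

M32 = (1 << 32) - 1
M64 = (1 << 64) - 1
ASCON_ROTATIONS = [(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]   # linear layer, per word

def rotr64(x, n):
    return ((x >> n) | (x << (64 - n))) & M64

def rotr32(x, n):
    n %= 32
    return ((x >> n) | (x << (32 - n))) & M32

def interleave(x):
    """64-bit x -> (e, o): e holds bits 0,2,4,..., o holds bits 1,3,5,... (UNZIP in software)."""
    e = o = 0
    for i in range(32):
        e |= ((x >> (2 * i)) & 1) << i
        o |= ((x >> (2 * i + 1)) & 1) << i
    return e, o

def deinterleave(e, o):
    """Inverse of interleave (ZIP in software)."""
    x = 0
    for i in range(32):
        x |= ((e >> i) & 1) << (2 * i)
        x |= ((o >> i) & 1) << (2 * i + 1)
    return x

def rotr64_interleaved(e, o, n):
    """rotr64 by n in the interleaved domain, using only 32-bit rotations.
    Even n: both halves rotate by n/2. Odd n: the halves swap roles, the new even
    half is the old odd half rotated by n//2, the new odd half is the old even half
    rotated by n//2 + 1 (bit 2j+1 of the result comes from bit 2j+2+2k of the input)."""
    if n % 2 == 0:
        return rotr32(e, n // 2), rotr32(o, n // 2)
    return rotr32(o, n // 2), rotr32(e, n // 2 + 1)

def linear_layer(words):
    """Ascon's linear layer on five plain 64-bit words: x ^= rotr(x, a) ^ rotr(x, b)."""
    return [x ^ rotr64(x, a) ^ rotr64(x, b) for x, (a, b) in zip(words, ASCON_ROTATIONS)]

def linear_layer_interleaved(words):
    """The same layer on five interleaved words [(e, o), ...], all arithmetic 32-bit."""
    out = []
    for (e, o), (a, b) in zip(words, ASCON_ROTATIONS):
        ea, oa = rotr64_interleaved(e, o, a)
        eb, ob = rotr64_interleaved(e, o, b)
        out.append((e ^ ea ^ eb, o ^ oa ^ ob))
    return out

def check_equivalence(words):
    """True if the interleaved linear layer agrees with the 64-bit one on `words`."""
    il = linear_layer_interleaved([interleave(x) for x in words])
    return [deinterleave(e, o) for e, o in il] == linear_layer(words)
```

On a 32-bit target the saving is that every rotation amount in `ASCON_ROTATIONS` becomes a pair of single-register rotates (or funnel shifts), and the S-box layer is unaffected because it is purely bitwise and therefore indifferent to how the bits are ordered.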
 
Slide 21: Summary
 
Slide 22: Summary
Security
- Security level comparable to AES-128 and SHA-256
- Well analyzed and understood, large security margin
- High amount of external analysis
Efficiency
- More efficient on constrained devices in HW and SW
- Allows efficient side-channel protection
- Fast on modern CPUs
Flexibility
- Additional constructions like MAC, PRF, ...
 
Slide 23: What's next?
What's next with NIST?
- NIST works with the Ascon designers to draft the new lightweight cryptography standard
- The draft will be available for public comment soon
- Ascon will be used in higher-level standards, protocols and implementations
What's next in IEEE 802.11?
- 802 tutorial (discussions ongoing with the 802.11 chair)
- Contributions to LRTG/802.11bn for consideration for adoption in UHR
 
Slide 24: Backup slides
 
Slide 25: Larger nonce, shorter tags
- We think that support for shorter tags is useful; we recommend e.g. 64, 96 and 128 bits
- We recommend encoding the size of the tag in the IV
- We do not see an immediate need to support nonces larger than 128 bits, considering the limit on the number of messages that can be encrypted under a single key
- If someone would like to use a fixed prefix in the nonce, we suggest putting this prefix into the associated data instead
 
Slide 26: Secret nonce, larger keys
- Also done for AES-GCM in TLS (RFC 8446)
- Increases the key size to 256 bits
- Improves multi-user security: https://eprint.iacr.org/2023/924