There are several emerging areas (e.g. sensor networks, healthcare, distributed control systems, the Internet of Things, cyber physical systems) in which highly-constrained devices are interconnected, typically communicating wirelessly with one another, and working in concert to accomplish some task. Because the majority of current cryptographic algorithms were designed for desktop/server environments, many of these algorithms do not fit into constrained devices.  

NIST has initiated a process to solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments where the performance of current NIST cryptographic standards is not acceptable. NIST has published a call for algorithms (test vector generation code) to be considered for lightweight cryptographic standards. The deadline for submitting algorithms has passed.

Round 1 Candidates

NIST received 57 submissions to be considered for standardization. After the initial review of the submissions, 56 were selected as Round 1 Candidates.   

Round 2 Candidates

Due to the large number of submissions and the short timeline of the NIST lightweight cryptography standardization process, some of the candidates were eliminated from consideration early in the first evaluation phase in order to focus analysis on the more promising candidates. Of the 56 Round 1 candidates, 32 were selected to continue to Round 2.

Round 2 Candidate Status Updates

NIST invited submitters of the Round 2 candidates to provide a short (up to 5 pages) update on their algorithms. Specifically, NIST was interested in updates on:

• new proofs/arguments supporting the security claims,
• new software and hardware implementations (including ones that protect against side channel attacks),
• new third-party analysis and its implications,
• platforms and metrics in which the candidate performs better than current NIST standards,
• target applications and use cases for which the candidate is optimized,
• planned tweak proposals, if submission accepted as a finalist, and
• any other relevant information.

27 submission teams submitted updates, which can be found on the Round 2 Candidates page. 

Finalists

On March 29, 2021, NIST announced the finalists as ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak

Guidelines for preparing finalist submission packages to the NIST lightweight cryptography standardization process
Deadline: May 17, 2021

NIST is inviting the finalist teams to provide updated submission packages for the last round of the NIST Lightweight Cryptography Standardization Process. In this round, submitters are allowed to make design modifications (i.e., tweaks) to improve the security or the performance of their candidates. As a general guideline, NIST expects these modifications to be relatively minor, and not invalidating previous security analysis. Larger modifications may signal that the algorithm is not mature enough for standardization for some time. It is acceptable to add new variants or remove a subset of the existing variants. Additionally, it is also acceptable to change the designation of the primary to another previously submitted variant. NIST requires a short document explaining what changes were made to the design and the reasons for the changes.

For submissions that provide both AEAD and hashing functionalities, NIST recommends that submitters also include a combined software implementation of at least the primary AEAD variant and the primary hash variant as a separate implementation supporting both functionalities. Sample source code for the combined implementation is provided.

The packages must meet the same submission requirements and the minimum acceptability criteria as specified in the original call for algorithms. NIST does not require new signed intellectual property statements unless new team members have been added or the status of intellectual property for the submission has changed. If either of these cases apply, please contact NIST in advance.

Submission packages must be sent to lightweight-crypto@nist.gov by 9:00PM EDT May 17, 2021. If the deadline poses a problem, please contact NIST in advance. NIST will review the submitted packages as quickly as possible and post the candidate submission packages which are “complete and proper” on the LWC project webpage. General questions may be asked on the lwc-forum. For more specific questions, please contact NIST at lightweight-crypto@nist.gov.

Software Benchmarking

• Microcontroller Benchmarking by NIST LWC team
• AVR/ARM Microcontroller Benchmarking by Rhys Weatherley
• AVR/ARM/RISC-V Microcontroller Benchmarking by Sebastian Renner, Enrico Pozzobon, and Jürgen Mottok
• RISC-V Benchmarking by Fabio Campos, Lars Jellema, Mauk Lemmen, Lars Müller, Daan Sprenkels, and Benoit Viguier
• eBACS (ECRYPT Benchmarking of Cryptographic Systems): General-purpose Processor (Intel, AMD, ARM Cortex-A, Qualcomm) Benchmarking

Hardware Benchmarking

• Athena: FPGA Benchmarking by Kamyar Mohajerani, Richard Haeussler, Rishub Nagpal, Farnoud Farahmand, Abubakr Abdulgadir, Jens-Peter Kaps, and Kris Gaj
• ASIC Benchmarking by Mustafa Khairallah, Thomas Peyrin, and Anupam Chattopadhyay

Next Steps

• The final round of the standardization process is expected to last approximately 12 months. NIST will give the finalist submission teams the opportunity to provide updated specifications and implementations. Further guidelines on the tweak proposals will be provided soon.
   

Timeline