There are several emerging areas (e.g. sensor networks, healthcare, distributed control systems, the Internet of Things, cyber physical systems) in which highly-constrained devices are interconnected, typically communicating wirelessly with one another, and working in concert to accomplish some task. Because the majority of current cryptographic algorithms were designed for desktop/server environments, many of these algorithms do not fit into constrained devices.
NIST has initiated a process to solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments where the performance of current NIST cryptographic standards is not acceptable. NIST has published a call for algorithms (test vector generation code) to be considered for lightweight cryptographic standards. The deadline for submitting algorithms has passed.
NIST received 57 submissions to be considered for standardization. After the initial review of the submissions, 56 were selected as Round 1 Candidates.
Due to the large number of submissions and the short timeline of the NIST lightweight cryptography standardization process, some of the candidates were eliminated from consideration early in the first evaluation phase in order to focus analysis on the more promising candidates. Of the 56 Round 1 candidates, 32 were selected to continue to Round 2.
NIST invited submitters of the Round 2 candidates to provide a short (up to 5 pages) update on their algorithms. Specifically, NIST was interested in updates on:
27 submission teams submitted updates, which can be found on the Round 2 Candidates page.
On March 29, 2021, NIST announced the finalists as ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak
Guidelines for preparing finalist submission packages to the NIST lightweight cryptography standardization process
Deadline: May 17, 2021
NIST is inviting the finalist teams to provide updated submission packages for the last round of the NIST Lightweight Cryptography Standardization Process. In this round, submitters are allowed to make design modifications (i.e., tweaks) to improve the security or the performance of their candidates. As a general guideline, NIST expects these modifications to be relatively minor, and not invalidating previous security analysis. Larger modifications may signal that the algorithm is not mature enough for standardization for some time. It is acceptable to add new variants or remove a subset of the existing variants. Additionally, it is also acceptable to change the designation of the primary to another previously submitted variant. NIST requires a short document explaining what changes were made to the design and the reasons for the changes.
For submissions that provide both AEAD and hashing functionalities, NIST recommends that submitters also include a combined software implementation of at least the primary AEAD variant and the primary hash variant as a separate implementation supporting both functionalities. Sample source code for the combined implementation is provided.
The packages must meet the same submission requirements and the minimum acceptability criteria as specified in the original call for algorithms. NIST does not require new signed intellectual property statements unless new team members have been added or the status of intellectual property for the submission has changed. If either of these cases apply, please contact NIST in advance.
Submission packages must be sent to lightweight-crypto@nist.gov by 9:00PM EDT May 17, 2021. If the deadline poses a problem, please contact NIST in advance. NIST will review the submitted packages as quickly as possible and post the candidate submission packages which are “complete and proper” on the LWC project webpage. General questions may be asked on the lwc-forum. For more specific questions, please contact NIST at lightweight-crypto@nist.gov.
The final round of the standardization process is expected to last approximately 12 months. NIST will give the finalist submission teams the opportunity to provide updated specifications and implementations. Further guidelines on the tweak proposals will be provided soon.
Date | Event |
July 20-21, 2015 | First Lightweight Cryptography Workshop at NIST |
August 11, 2016 | (Draft) NISTIR 8114 is published. |
October 17-18, 2016 | Second Lightweight Cryptography Workshop at NIST |
October 31, 2016 | End of public comment period to Draft NISTIR 8114 Public comments received (August 11 - October 31,2016) |
March 28, 2017 |
NISTIR 8114, Report on Lightweight Cryptography is published. |
April 26, 2017 | (Draft) Profiles for Lightweight cryptography standardization process is published. |
June 16, 2017 | Public comments received (April 26 - June 16, 2017) |
May 14, 2018 | (Draft) Submission Requirements and Evaluation Criteria for the Lightweight cryptography standardization process is published. |
May 14, 2018 | Federal Register Notice is published. |
June 28, 2018 | End of public comment period to the submission requirement. Public comments received (May 14-June 28, 2018). |
August 27, 2018 | Federal Register Notice is published |
August 27, 2018 | Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process is published. |
January 4, 2019 | Early submission deadline for early feedback |
February 25, 2019 | Submission deadline |
March 29, 2019 | Amendment Deadline |
April 18, 2019 | Announcement of the Round 1 Candidates |
August 30, 2019 | Announcement of Round 2 Candidates |
October 7, 2019 | NISTIR 8268, Status Report on the First Round of the NIST Lightweight Cryptography Standardization Process is published |
November 4-6, 2019 | Third Lightweight Cryptography Workshop at NIST |
October 19-21, 2020 | Fourth Lightweight Cryptography Workshop (virtual) |
March 29, 2021 | Announcement of Finalist Candidates |
Security and Privacy: cryptography