NIST Helps You With Cryptography
Getting cryptography right isn’t easy, and it’s a lot harder on constrained devices like microcontrollers. RAM is typically the bottleneck — you will smash your stack computing a SHA-2 hash on an AVR — but other resources like computing power and flash code storage space are also at a premium. Trimming down a standard algorithm to work within these constraints opens up the Pandora’s box of implementation-specific flaws.
NIST stepped up to the plate, starting a lightweight cryptography project in 2013 which has now come out with a first report, and here it is as a PDF. The project is ongoing, so don’t expect a how-to guide. Indeed, much of the report is a description of the problems with crypto on small devices. Given the state of IoT security, just defining the problem is a huge contribution.
Still, there are some concrete recommendations. Here are some spoilers. For encryption, they recommend a trimmed-down version of AES-128, which is a well-tested block cipher on the big machines. For message authentication, they’re pleased with Galois/Counter mode and AES-128.
I was mostly interested in hashing, and came away disappointed: the conclusion is that the SHA-2 and SHA-3 families simply require too much state (and therefore RAM), and they make no recommendation, leaving you to pick among less-known functions. Check out PHOTON or SPONGENT, but keep in mind that they’re still being actively researched.
If you think small-device safety and security is easy, read through the 22-question checklist that starts on page twelve. And if you’re searching for a good starting point to read up on the state of the art, the bibliography is extensive.
Your tax dollars at work. Thanks, NIST!
And thanks [acs] for the tip!