Which Will Become The Light-weight Encryption Standard? Will it be Sparkling or be an Elephant?

Standardization takes time, and often this is for a good reason. For this, you can have a competition for the best technology, and then for…
Photo by Chris Ried on Unsplash

Which Will Become The Light-weight Encryption Standard? Will it be Sparkling or be an Elephant?

Standardization takes time, and often this is for a good reason. For this, you can have a competition for the best technology, and then for a whole community to review the methods presented. Then you have a balanced scorecard which assessess the key features of each of the methods. For NIST, this has been the way that they have defined the standards in cryptography, and to focus down on one or two core methods.

AES became a standard

In symmetric key, for example, NIST focused the industry in identifying just one method, and for all the other symmetric key methods (such as 3DES, RC4, and so on) to eventually be replaced by the new standard: AES (Advanced Encryption Standard). This standard came from the Rijndael method, and has since become the de facto standard for symmetric key encryption. But, being a standard doesn’t mean you always stay as the only method to use. In fact, just having one method is not healthy, as a flaw in it could bring down the Internet. And, so, we often have alternatives. For AES, we now have ChaCha20, and which is more light-weight in its approach.

Keccak became a standard

With MD-5 and SHA-1 on the way out, and SHA-2 (SHA-256) being the main focus, NIST again saw that an alternative to SHA-2 was required. With SHA-2, we had a fast hashing method, but was it actually efficient in low-powered devices, and did it drain too much energy? And, so, NIST, again set up a competition for the SHA-3 standard, and it was a close-run thing. With the BLAKE hash running Keccak closely. But, in the end, Keccak won, but since then BLAKE has also become a commonly used hash. Generally, BLAKE has been shown to be much faster than Keccak, and it is excellent for applications that require fast hashing.

How are they assessed?

And, so, since 2016, researchers have been probing the submitted methods, and in 2022 NIST published the final 10: ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak (Table 1). A particular focus is on the security of the methods, along with their performance on low-cost FPGAs/embedded processes and their robustness against side-channel attacks.

Table 1: Specifications of the NIST LWC finalist algorithms [3]

The current set of benchmarks includes running on an Arduino Uno R3 (AVR ARmega 328P — Figure 1), Arduino Nano Every (AVR ARmega 4809), Arduino MKR Zero (ARM Cortex M10+) and Arduino Nano 33 BLE (ARM Cortex M4F). These are just 8-bit processors and fit into an Arduino board. Along with their processing limitations, they are also limited in their memory footprint (to run code and also to store it). The lightweight cryptography method must thus overcome these limitations, and still, be secure and provide a good performance level. Running AES in block modes on these devices is often not possible, as there is not enough resources. Overall we use a benchmark for encryption — with AEAD (Authenticated Encryption with Additional Data) and for hashing. With AEAD we add extra information — such as the session ID — into the encryption process. This type of method can bind the encryption to a specific stream.

Figure 1: Microchip ATmega328P

ARM Cortex M3

In Table 2 [1], we see a sample run using an Arduino Due with an ARM Cortex M3 running at 84MHz. The tests are taken in comparison with the ChaCha20 stream cipher and defined for AEAD, and where the higher the value the better the performance. We can see that Sparkle, Xoodyak and ASCON are the fastest of all. Sparkle has a 100% improvement, and Xoodyak gives a 60% increase in speed over ChaCha20. Elephant, ISAP and PHOTON-Beetle have the worst performance for encryption (with around 1/20th of the speed of ChaCha20).

Table 2: Arduino Due with an ARM Cortex M3 running at 84MHz for encryption against ChaCha20 [1]

Not all of the finalists can do hash functions. Table 3 outlines these.

Table 3: Arduino Due with an ARM Cortex M3 running at 84MHz for hashing against BLAKE2s [1]

Again, we see Sparkle and Xoodyak in the lead, with Sparkle actually faster in the test than BLAKE2s, and Xoodyak just a little bit slower. ASCON has a weaker performance, and PHOTON-Beetle is relatively slow. For all the tests, the ranking for authenticated encryption is (and where the higher the rank the better):

and for hashing SPARKLE and Xoodyak are ranked the same:

Uno Nano performance

For AEAD on Uno Nano Every [2], the benchmark is against AES GCM. We can see in Table 4, that SPARKLE is 4.7 times faster than AES GCM for 128-bit data sizes, and Xoodyak comes in second with a 3.3 times improvement over AES GCM. When it comes to 8-bit data sizes TinyJambu actually is the fastest, but where Sparkle and Xoodyak still perform well. PHOTON-Beetle, Grain128 and ISAP do not do well, and only slightly improve on AES GCM. In fact, Grain128 and ISAP are actually slower than AES GCM.

Table 4: Uno Nano for AEAD against AES GCM and showing cycles [2] (showing fastest of the method)

And so for AEAD (performance):

1. Sparkle
2. Xoodyak
3. Ascon
4. GIFT-COFB. 
5. Elephant. 
6. Romulus. 
7. Tiny Jambu. 
8. PHOTON-Beetle.
9. Grain128 
10. ISAP.

For hashing on an Uno Nano Every [2], Table 5 shows a similar performance level as to the ARM Cortex M3 assessment. In this case, the benchmark hash is SHA-256, and we can see that it takes Sparkle twice as many cycles for a 128-bit hash, and 2.9 times for Xoodyak. PHOTON-Beetle is way behind with a 128-bit hash and which is 17.4 times slower than SHA-256. That said, though, PHOTON-Beetle could be more focused on reducing power consumption rather than speed. GIMLI and SKINNY are included to show a comparison with well-designed methods in lightweight hashing. It can be seen that every method beats SKINNY, but only SPARKLE and Xoodyak beat GIMLI.

Table 5: Uno Nano for hashing against SHA-256 and showing cycles [2] (showing fastest of the method for hashing)

And so for hashing (performance):

  1. Sparkle.
  2. Xoodyak.
  3. Ascon
  4. PHOTON-Beetle.

Conclusions

We watch and wait for the light-weight announcement, and while performance benchmarks put Xoodyak and Sparkle seem way out in front in terms of performance. But, there are other assessments, such as security, energy footprint, and memory footprint. So it is not a given that Xoodyak and Sparkle will win in the end, but for performance in both Authenticated Encryption with Additional Data (AEAD) and hashing, they are well out in front in terms of performance.

You can access the performance evaluation page here:

https://asecuritysite.com/light/light

and more about the methods here:

https://asecuritysite.com/light/

Reference

[1] https://rweather.github.io/lightweight-crypto/performance.html

[2] https://github.com/usnistgov/Lightweight-Cryptography-Benchmarking/blob/main/benchmarks/results_nano_every_hash_all.csv

[3] Madushan, H., Salam, I., & Alawatugoda, J. (2022). A Review of the NIST Lightweight Cryptography Finalists and Their Fault Analyses. Electronics, 11(24), 4199.