They chose Ascon which is a good set of same sponge-based cryptographic functions if you don't have hardware acceleration for AES or the CPU resources for chacha20 which is the intention of the standard. The security is 128-bits (comparable to AES-128).
This is pretty cool. But IOT tends to fail hard on key agreement. And nothing here solves that. This seems to pretty much require a pre installed key, otherwise the overhead of securely installing a key would probably nullify the advantage of this encryption.
Are these for garage doors and doorbells? Those devices could definitely use more security (it's not hard to stuff a proper TLS stack in a microcontroller but manufacturers balk at even putting something as cheap as a ESP32 in their BOM).
Wikipedia says Ascon has 320 bits of state and uses 5 bit s-boxes. That’s tiny compared to sha-256 or Blake2. One would think a pre image attack would be much more tractable at that scale.
Sponges divide state into rate (r) and capacity (c). They "absorb" incoming bytes, perform permutation (moving bits around without losing any of them) on the whole state, and "squeeze" out bytes from the rate, while capacity remains hidden.
For the secure hash function, the capacity should be at least twice the target, that is for 128-bit security you need 256 bits of capacity. ASCON hash uses 256 bit capacity and 320-256 = 64 bit rate, so to get a 32-byte hash of a 8-byte string (without padding), you'll need to do at least 4 permutations.
If you can design a secure permutation that permutes 257 bits, you can make a secure, but impractical hash function from it by setting the rate to 1 bit.
For the duplex mode that's used for authenticated encryption, capacity can be lower, because it's keyed -- it's 192 bits in ASCON.
This assumes the permutation of the 320-byte state itself is secure, of course.
If these primitives are less resource intensive than what we use today with the same level of security, then why don't we just use these everywhere? If they are not as secure, then why would be use these anywhere?
Your front door isn't a hardened steel vault door... I'm assuming you still lock it.
This is a bad analogy, even it it's apt. Only in that an encryption scheme can be technically weaker than another, but still plenty secure. As long as it does the job and hasn't been broken.
For example, part of the spec is simply hashing and packet signing... not necessarily making the packets secret, but authenticating the origin/source. It isn't necessarily about creating the most secure vault in the world, but securing what might otherwise be completely insecure channels of communications/attack. It's also not about a $1000 smart phone, but a micro controller that's a fraction of a dollar on devices that have a total BoM that is very low cost or small.
15 comments
[ 5.1 ms ] story [ 25.5 ms ] threadhttps://x.com/matthew_d_green/status/1948476801824485606
<https://ascon.isec.tugraz.at/specification.html>
https://en.m.wikipedia.org/wiki/Ascon_(cipher)
For the secure hash function, the capacity should be at least twice the target, that is for 128-bit security you need 256 bits of capacity. ASCON hash uses 256 bit capacity and 320-256 = 64 bit rate, so to get a 32-byte hash of a 8-byte string (without padding), you'll need to do at least 4 permutations.
If you can design a secure permutation that permutes 257 bits, you can make a secure, but impractical hash function from it by setting the rate to 1 bit.
For the duplex mode that's used for authenticated encryption, capacity can be lower, because it's keyed -- it's 192 bits in ASCON.
This assumes the permutation of the 320-byte state itself is secure, of course.
This cipher is a lot more heavy.
This is a bad analogy, even it it's apt. Only in that an encryption scheme can be technically weaker than another, but still plenty secure. As long as it does the job and hasn't been broken.
For example, part of the spec is simply hashing and packet signing... not necessarily making the packets secret, but authenticating the origin/source. It isn't necessarily about creating the most secure vault in the world, but securing what might otherwise be completely insecure channels of communications/attack. It's also not about a $1000 smart phone, but a micro controller that's a fraction of a dollar on devices that have a total BoM that is very low cost or small.