15 comments

[ 5.1 ms ] story [ 25.5 ms ] thread
They chose Ascon which is a good set of same sponge-based cryptographic functions if you don't have hardware acceleration for AES or the CPU resources for chacha20 which is the intention of the standard. The security is 128-bits (comparable to AES-128).

<https://ascon.isec.tugraz.at/specification.html>

This is pretty cool. But IOT tends to fail hard on key agreement. And nothing here solves that. This seems to pretty much require a pre installed key, otherwise the overhead of securely installing a key would probably nullify the advantage of this encryption.
Are these for garage doors and doorbells? Those devices could definitely use more security (it's not hard to stuff a proper TLS stack in a microcontroller but manufacturers balk at even putting something as cheap as a ESP32 in their BOM).
Wikipedia says Ascon has 320 bits of state and uses 5 bit s-boxes. That’s tiny compared to sha-256 or Blake2. One would think a pre image attack would be much more tractable at that scale.

https://en.m.wikipedia.org/wiki/Ascon_(cipher)

Sponges divide state into rate (r) and capacity (c). They "absorb" incoming bytes, perform permutation (moving bits around without losing any of them) on the whole state, and "squeeze" out bytes from the rate, while capacity remains hidden.

For the secure hash function, the capacity should be at least twice the target, that is for 128-bit security you need 256 bits of capacity. ASCON hash uses 256 bit capacity and 320-256 = 64 bit rate, so to get a 32-byte hash of a 8-byte string (without padding), you'll need to do at least 4 permutations.

If you can design a secure permutation that permutes 257 bits, you can make a secure, but impractical hash function from it by setting the rate to 1 bit.

For the duplex mode that's used for authenticated encryption, capacity can be lower, because it's keyed -- it's 192 bits in ASCON.

This assumes the permutation of the 320-byte state itself is secure, of course.

While I know people where a little sceptical of it. I honestly liked the speck cipher that was published.

This cipher is a lot more heavy.

Really glad a sponge function won, they are a big step forward in terms of crypto engineering!
I wonder whether this is backdoored by NSA as well
A land shanty is just called a song. It's protective cryptography or not. Binary.
Why not use chacha20 or xtea for embedded devices? They are lighter than AES..
If these primitives are less resource intensive than what we use today with the same level of security, then why don't we just use these everywhere? If they are not as secure, then why would be use these anywhere?
Your front door isn't a hardened steel vault door... I'm assuming you still lock it.

This is a bad analogy, even it it's apt. Only in that an encryption scheme can be technically weaker than another, but still plenty secure. As long as it does the job and hasn't been broken.

For example, part of the spec is simply hashing and packet signing... not necessarily making the packets secret, but authenticating the origin/source. It isn't necessarily about creating the most secure vault in the world, but securing what might otherwise be completely insecure channels of communications/attack. It's also not about a $1000 smart phone, but a micro controller that's a fraction of a dollar on devices that have a total BoM that is very low cost or small.