DOCSLIB.ORG

General Cryptography Part 1 of 2

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

General Cryptography Part 1 of 2 Table of Contents Cryptography .................................................................................................................................. 2 Cryptography Interoperability ........................................................................................................ 3 Cryptography in Everyday Use ........................................................................................................ 5 Common Terms in Cryptography -1 ................................................................................................ 6 Common Terms in Cryptography - 2 ............................................................................................... 8 Common Terms in Cryptography - 3 ............................................................................................... 9 Kerckhoff’s Principle ..................................................................................................................... 12 Symmetric Cryptosystem .............................................................................................................. 14 Asymmetric Cryptosystems .......................................................................................................... 16 Asymmetric Algorithms ................................................................................................................ 18 Block Cipher .................................................................................................................................. 21 Block Cipher Modes -1 .................................................................................................................. 22 Block Cipher Modes -2 .................................................................................................................. 25 Block Cipher Modes -1 .................................................................................................................. 26 Block Cipher Modes -2 .................................................................................................................. 27 Block Cipher Examples .................................................................................................................. 28 Stream Cipher ............................................................................................................................... 30 Stream Cipher Examples ............................................................................................................... 32 Notices .......................................................................................................................................... 33 Page 1 of 33 Cryptography Cryptography Used to protect data at-rest and data in-transit from being compromised or misused. Assures confidentiality and integrity of data • Protected communications are not visible by others. • Verifies data has not been altered or corrupted. Provides authentication • Verifies identity of participants. Non-repudiation • Undeniable transactions – sender sent it, recipient received it. • Usually requires an independent third party (Certificate Authority). • Digital signatures provide the mechanisms behind the concept. 6 **006 First, before we go any further whatsoever, the idea of cryptography is to communicate in the presence of adversaries. You and I want to talk, and we don't want them to listen in. So what we want in cryptography is we want to use mathematical transforms of different kinds to ensure that our communication is protected, confidential. We also want to make sure that our communications aren't interrupted by a man in the middle that can swap our communications out and put something else in. Page 2 of 33 We also want to provide authentication. How do you know it wasn't somebody else that jumped into this? There's no take- backsies." That's what nonrepudiation is. It says you can't deny that you said something. You can't take it back. Nonrepudiation typically involves a certification authority. You could do it without. So then with cryptography, we need to talk about the tools that we use. Cryptography Interoperability Cryptography Interoperability Achieved when crypto systems work together seamlessly. • For example, web-browser based SSL Good design goal when designing new systems. • For example, does a WAP support WEP, WPA, WPA2, or all 3? Validate any vendor claims of interoperability. • Common Criteria, NIST, and the Cryptographic Module Validation Program (CMVP). 7 **007 When we use those tools, can you use the same tool that I do? So Page 3 of 33 what we have to do is all agree that we're going to use the same protocol and the same encryption methodologies for it to all work out. And the reason why old cryptography stays in place for a really long time is because not only do you and I have to agree, but we have to get the whole world to agree. And when we design new systems, we need to make sure that that system-- well, that it thinks about the other possibilities in the future. A perfect example of a good system gone bad is our first try at encryption for wireless communications, in WEP. Also, we need to roll this out to the vendors and they need to be able to implement it. And in a lot of cryptography, what we do is we use hardware, special purpose ASIX chips that are designed for that one thing. So think about chip fabrication. How long do you think that takes? That's years. Then once we create a design, once we create an implementation-- maybe even once we create chips-- how do we know that that is verifiable and valid for the uses that we put it to? And that's where we start reaching out to cryptographic module validation programs; we start reaching out to governments and asking them to review our design. Page 4 of 33 Cryptography in Everyday Use Cryptography in Everyday Use E-mail • Messages and attachments can be encrypted. • Implementations are S/MIME, PGP, and PEM. E-commerce • Transactions can be encrypted. • Implementations include SSL/TLS, and PCI-DSS. 8 **008 We use this every single day in ecommerce. There's no doubt about it. Some of us use it every single day in email. You don't have to have any fancy setup to use cryptography on a day-to-day basis, because it's built into most of the things that we're doing. Some regulations require that we have cryptography end-to-end. Page 5 of 33 Common Terms in Cryptography -1 Common Terms in Cryptography -1 Cryptosystem – the system of algorithm, parameters, key, and/or password used for encrypting and decrypting data. Code – a cryptosystem that uses substitution of words for the original text. Cipher – a procedure to scramble a message so only the person with the knowledge of how it was scrambled (the key) can read it. Steganography – process of hiding information in another message or file. 9 **009 Cryptosystems. This is all of the mathematical transforms that are all jammed together. This is where the key sits. This is where the algorithm sits. There is where all the parameters can be changed within the system, and if it's got a password, this is where it encrypts and decrypts. This could be a chip right with current Intel processors. There is actually a separate chip within most Intel processors today that does AES encryption and decryption as a separate chip. When we talk about code, that is usually a substitution, a trade for one thing or the other. For example, Page 6 of 33 code talker. So, in World War II, we wanted to have communications from ship to shore, and the way we did that was we didn't use what everybody else used. We had our own special cryptographers, which were Native Americans. What they did was is they took information from the ships and translated it into their native language, which there was no written record of that native language for our adversaries. And then on the other side, the other Native American on the other side would retranslate that back into issued orders. There was no record of this, so there was no way to do that code translation. Well, these code talkers had to come up with codes that fit with artillery movements and words that weren't in their language. So a code is to trade one for another, or substitution. A cipher is a way to scramble things. I want to encipher or decipher. And so we'll create a mathematical transformation that predictively scrambles those things. And when we run that math the other way-- or run it the same way in some cases, especially for symmetric encryption-- it will decipher it so that we can read it again. So ciphering is the procedure for scrambling. Steganography is covert communications. And the best way that I can give you an example of this is when we do invisible ink. We Page 7 of 33 still have to pass something back and forth, but when our adversaries look at it, they just see, "Oh, he's handing them a piece of paper." Common Terms in Cryptography - 2 Common Terms in Cryptography -2 Plain text – the original, unencrypted data. Cipher text – the encrypted data. Substitution – each character is replaced with another to form the cipher text. • Simple – one to one Message Nfttbhf • Homophonic – one to many Message Nafbtctdbehffg • Polygram – block to block Message Actksisiwksiea • Polyalphabetic – multiple alphabets Message Transposition – reorders plain text to form cipher text. MES MESSAGE SAG MSEEA0SG0 E00 10 **010 Some other common cryptology terms that dig down into what we're doing. Plain text-- that's the stuff that humans can read. Cipher text-- that's the stuff that's been transformed
Recommended publications
  • A Quantitative Study of Advanced Encryption Standard Performance

    A Quantitative Study of Advanced Encryption Standard Performance

    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
  • Atlantic Highly Migratory Species Stock Assessment and Fisheries Evaluation Report 2019

    Atlantic Highly Migratory Species Stock Assessment and Fisheries Evaluation Report 2019

    Atlantic Highly Migratory Species Stock Assessment and Fisheries Evaluation Report 2019 U.S. Department of Commerce | National Oceanic and Atmospheric Administration | National Marine Fisheries Service 2019 Stock Assessment and Fishery Evaluation Report for Atlantic Highly Migratory Species Atlantic Highly Migratory Species Management Division May 2020 Highly Migratory Species Management Division NOAA Fisheries 1315 East-West Highway Silver Spring, MD 20910 Phone (301) 427-8503 Fax (301) 713-1917 For HMS Permitting Information and Regulations • HMS recreational fishermen, commercial fishermen, and dealer compliance guides: www.fisheries.noaa.gov/atlantic-highly-migratory-species/atlantic-hms-fishery- compliance-guides • Regulatory updates for tunas: hmspermits.noaa.gov For HMS Permit Purchase or Renewals Open Access Vessel Permits Issuer Permits Contact Information HMS Permit HMS Charter/Headboat, (888) 872-8862 Shop Atlantic Tunas (General, hmspermits.noaa.gov Harpoon, Trap), Swordfish General Commercial, HMS Angling (recreational) Southeast Commercial Caribbean Small (727) 824-5326 Regional Boat, Smoothhound Shark www.fisheries.noaa.gov/southeast/resources- Office fishing/southeast-fisheries-permits Greater Incidental HMS Squid Trawl (978) 281-9370 Atlantic www.fisheries.noaa.gov/new-england-mid- Regional atlantic/resources-fishing/vessel-and-dealer- Fisheries permitting-greater-atlantic-region Office Limited Access Vessel Permits Issuer Permits Contact Information HMS Permit Atlantic Tunas Purse Seine (888) 872-8862 Shop category hmspermits.noaa.gov
  • Optimizing the Block Cipher Resource Overhead at the Link Layer Security Framework in the Wireless Sensor Networks

    Optimizing the Block Cipher Resource Overhead at the Link Layer Security Framework in the Wireless Sensor Networks

    Proceedings of the World Congress on Engineering 2008 Vol I WCE 2008, July 2 - 4, 2008, London, U.K. Optimizing the Block Cipher Resource Overhead at the Link Layer Security Framework in the Wireless Sensor Networks Devesh C. Jinwala, Dhiren R. Patel and Kankar S. Dasgupta, data collected from different sensor nodes. Since the Abstract—The security requirements in Wireless Sensor processing of the data is done on-the-fly, while being Networks (WSNs) and the mechanisms to support the transmitted to the base station; the overall communication requirements, demand a critical examination. Therefore, the costs are reduced [2]. Due to the multi-hop communication security protocols employed in WSNs should be so designed, as and the in-network processing demanding applications, the to yield the optimum performance. The efficiency of the block cipher is, one of the important factors in leveraging the conventional end-to-end security mechanisms are not performance of any security protocol. feasible for the WSN [3]. Hence, the use of the standard In this paper, therefore, we focus on the issue of optimizing end-to-end security protocols like SSH, SSL [4] or IPSec [5] the security vs. performance tradeoff in the security protocols in WSN environment is rejected. Instead, appropriate link in WSNs. As part of the exercise, we evaluate the storage layer security architecture, with low associated overhead is requirements of the block ciphers viz. the Advanced Encryption required. Standard (AES) cipher Rijndael, the Corrected Block Tiny Encryption Algorithm (XXTEA) using the Output Codebook There are a number of research attempts that aim to do so.
  • Block Ciphers and the Data Encryption Standard

    Block Ciphers and the Data Encryption Standard

    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
  • Protocol Failure in the Escrowed Encryption Standard

    Protocol Failure in the Escrowed Encryption Standard

    Protocol Failure in the Escrowed Encryption Standard Matt Blaze AT&T Bell Laboratories [email protected] August 20, 1994 Abstract The proposal, called the Escrowed Encryption Stan- dard (EES) [NIST94], includes several unusual fea- The Escrowed Encryption Standard (EES) de¯nes tures that have been the subject of considerable de- a US Government family of cryptographic processors, bate and controversy. The EES cipher algorithm, popularly known as \Clipper" chips, intended to pro- called \Skipjack", is itself classi¯ed, and implemen- tect unclassi¯ed government and private-sector com- tations of the cipher are available to the private sec- munications and data. A basic feature of key setup be- tor only within tamper-resistant modules supplied by tween pairs of EES processors involves the exchange of government-approved vendors. Software implementa- a \Law Enforcement Access Field" (LEAF) that con- tions of the cipher will not be possible. Although Skip- tains an encrypted copy of the current session key. The jack, which was designed by the US National Security LEAF is intended to facilitate government access to Agency (NSA), was reviewed by a small panel of civil- the cleartext of data encrypted under the system. Sev- ian experts who were granted access to the algorithm, eral aspects of the design of the EES, which employs a the cipher cannot be subjected to the degree of civilian classi¯ed cipher algorithm and tamper-resistant hard- scrutiny ordinarily given to new encryption systems. ware, attempt to make it infeasible to deploy the sys- By far the most controversial aspect of the EES tem without transmitting the LEAF.
  • Constructing Low-Weight Dth-Order Correlation-Immune Boolean Functions Through the Fourier-Hadamard Transform Claude Carlet and Xi Chen*

    Constructing Low-Weight Dth-Order Correlation-Immune Boolean Functions Through the Fourier-Hadamard Transform Claude Carlet and Xi Chen*

    1 Constructing low-weight dth-order correlation-immune Boolean functions through the Fourier-Hadamard transform Claude Carlet and Xi Chen* Abstract The correlation immunity of Boolean functions is a property related to cryptography, to error correcting codes, to orthogonal arrays (in combinatorics, which was also a domain of interest of S. Golomb) and in a slightly looser way to sequences. Correlation-immune Boolean functions (in short, CI functions) have the property of keeping the same output distribution when some input variables are fixed. They have been widely used as combiners in stream ciphers to allow resistance to the Siegenthaler correlation attack. Very recently, a new use of CI functions has appeared in the framework of side channel attacks (SCA). To reduce the cost overhead of counter-measures to SCA, CI functions need to have low Hamming weights. This actually poses new challenges since the known constructions which are based on properties of the Walsh-Hadamard transform, do not allow to build unbalanced CI functions. In this paper, we propose constructions of low-weight dth-order CI functions based on the Fourier- Hadamard transform, while the known constructions of resilient functions are based on the Walsh-Hadamard transform. We first prove a simple but powerful result, which makes that one only need to consider the case where d is odd in further research. Then we investigate how constructing low Hamming weight CI functions through the Fourier-Hadamard transform (which behaves well with respect to the multiplication of Boolean functions). We use the characterization of CI functions by the Fourier-Hadamard transform and introduce a related general construction of CI functions by multiplication.
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
  • KLEIN: a New Family of Lightweight Block Ciphers

    KLEIN: a New Family of Lightweight Block Ciphers

    KLEIN: A New Family of Lightweight Block Ciphers Zheng Gong1, Svetla Nikova1;2 and Yee Wei Law3 1Faculty of EWI, University of Twente, The Netherlands fz.gong, [email protected] 2 Dept. ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Belgium 3 Department of EEE, The University of Melbourne, Australia [email protected] Abstract Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has ad- vantage in the software performance on legacy sensor platforms, while its hardware implementation can be compact as well. Key words. Block cipher, Wireless sensor network, Low-resource implementation. 1 Introduction With the development of wireless communication and embedded systems, we become increasingly de- pendent on the so called pervasive computing; examples are smart cards, RFID tags, and sensor nodes that are used for public transport, pay TV systems, smart electricity meters, anti-counterfeiting, etc. Among those applications, wireless sensor networks (WSNs) have attracted more and more attention since their promising applications, such as environment monitoring, military scouting and healthcare. On resource-limited devices the choice of security algorithms should be very careful by consideration of the implementation costs. Symmetric-key algorithms, especially block ciphers, still play an important role for the security of the embedded systems.
  • Ohio IT Standard ITS-SEC-01 Data Encryption and Cryptography

    Ohio IT Standard ITS-SEC-01 Data Encryption and Cryptography

    Statewide Standard State of Ohio IT Standard Standard Number: Title: ITS-SEC-01 Data Encryption and Cryptography Effective Date: Issued By: 03/12/2021 Ervan D. Rodgers II, Assistant Director/State Chief Information Officer Office of Information Technology Ohio Department of Administrative Services Version Identifier: Published By: 2.0 Investment and Governance Division Ohio Office of Information Technology 1.0 Purpose This state IT standard defines the minimum requirements for cryptographic algorithms that are cryptographically strong and are used in security services that protect at-risk or sensitive data as defined and required by agency or State policy, standard or rule. This standard does not classify data elements; does not define the security schemes and mechanisms for devices such as tape backup systems, storage systems, mobile computers or removable media; and does not identify or approve secure transmission protocols that may be used to implement security requirements. 2.0 Scope Pursuant to Ohio Administrative Policy IT-01, “Authority of the State Chief Information Officer to Establish Ohio IT Policy,” this state IT standard is applicable to every organized body, office, or agency established by the laws of the state for the exercise of any function of state government except for those specifically exempted. 3.0 Background The National Institute for Science and Technology (NIST) conducts extensive research and development in cryptography techniques. Their publications include technical standards for data encryption, digital signature and message authentication as well as guidelines for implementing information security and managing cryptographic keys. These standards and guidelines have been mandated for use in federal agencies and adopted by state governments and private enterprises.
  • Chapter 3 – Block Ciphers and the Data Encryption Standard

    Chapter 3 – Block Ciphers and the Data Encryption Standard

    Symmetric Cryptography Chapter 6 Block vs Stream Ciphers • Block ciphers process messages into blocks, each of which is then en/decrypted – Like a substitution on very big characters • 64-bits or more • Stream ciphers process messages a bit or byte at a time when en/decrypting – Many current ciphers are block ciphers • Better analyzed. • Broader range of applications. Block vs Stream Ciphers Block Cipher Principles • Block ciphers look like an extremely large substitution • Would need table of 264 entries for a 64-bit block • Arbitrary reversible substitution cipher for a large block size is not practical – 64-bit general substitution block cipher, key size 264! • Most symmetric block ciphers are based on a Feistel Cipher Structure • Needed since must be able to decrypt ciphertext to recover messages efficiently Ideal Block Cipher Substitution-Permutation Ciphers • in 1949 Shannon introduced idea of substitution- permutation (S-P) networks – modern substitution-transposition product cipher • These form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations we have seen before: – substitution (S-box) – permutation (P-box) (transposition) • Provide confusion and diffusion of message Diffusion and Confusion • Introduced by Claude Shannon to thwart cryptanalysis based on statistical analysis – Assume the attacker has some knowledge of the statistical characteristics of the plaintext • Cipher needs to completely obscure statistical properties of original message • A one-time pad does this Diffusion
  • The Missing Difference Problem, and Its Applications to Counter Mode

    The Missing Difference Problem, and Its Applications to Counter Mode

    The Missing Difference Problem, and its Applications to Counter Mode Encryption? Ga¨etanLeurent and Ferdinand Sibleyras Inria, France fgaetan.leurent,[email protected] Abstract. The counter mode (CTR) is a simple, efficient and widely used encryption mode using a block cipher. It comes with a security proof that guarantees no attacks up to the birthday bound (i.e. as long as the number of encrypted blocks σ satisfies σ 2n=2), and a matching attack that can distinguish plaintext/ciphertext pairs from random using about 2n=2 blocks of data. The main goal of this paper is to study attacks against the counter mode beyond this simple distinguisher. We focus on message recovery attacks, with realistic assumptions about the capabilities of an adversary, and evaluate the full time complexity of the attacks rather than just the query complexity. Our main result is an attack to recover a block of message with complexity O~(2n=2). This shows that the actual security of CTR is similar to that of CBC, where collision attacks are well known to reveal information about the message. To achieve this result, we study a simple algorithmic problem related to the security of the CTR mode: the missing difference problem. We give efficient algorithms for this problem in two practically relevant cases: where the missing difference is known to be in some linear subspace, and when the amount of data is higher than strictly required. As a further application, we show that the second algorithm can also be used to break some polynomial MACs such as GMAC and Poly1305, with a universal forgery attack with complexity O~(22n=3).
  • State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.