NISTIR 8369

Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process

Meltem Sönmez Turan
Kerry McKay
Donghoon Chang
Çağdaş Çalık
Lawrence Bassham
Jinkeon Kang
John Kelsey

Computer Security Division
Information Technology Laboratory

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8369

July 2021

U.S. Department of Commerce
Gina M. Raimondo, Secretary

National Institute of Standards and Technology
James K. Olthoff, Performing the Non-Exclusive Functions and Duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Interagency or Internal Report 8369
Natl. Inst. Stand. Technol. Interag. Intern. Rep. 8369, 81 pages (July 2021)

Abstract

The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more Authenticated Encryption with Associated Data (AEAD) and hashing schemes suitable for constrained environments. In February 2019, 57 candidates were submitted to NIST for consideration. Among these, 56 were accepted as first-round candidates in April 2019. After four months, NIST selected 32 of the candidates for the second round. In March 2021, NIST announced 10 finalists to move forward to the final round of the selection process. The finalists are ASCON, Elephant, GIFT-COFB, Grain-128AEAD, ISAP, PHOTON-Beetle, Romulus, SPARKLE, TinyJAMBU, and Xoodyak. This report describes the evaluation criteria and selection process, which is based on public feedback and internal review of the second-round candidates.

Keywords

authenticated encryption · cryptography · hash functions · lightweight cryptography

Acknowledgments

NIST thanks the second-round submission teams, who developed and designed the second-round candidates, and the cryptographic community, who analyzed the candidates, shared their comments through the lwc-forum, and published papers on various technical aspects of the candidates.

NIST also thanks the developers, who provided optimized implementations of the candidates as well as the hardware and software benchmarking initiatives, for their contribution to the understanding of the performance characteristics of the algorithms on various target platforms.

Specifically, NIST thanks all those who contributed to the following projects: (i) FPGA benchmarking by K. Mohajerani, R. Haeussler, R. Nagpal, F. Farahmand, A. Abdulgadir, J.-P. Kaps, and K. Gaj; (ii) ASIC benchmarking by M. Aagaard and N. Zidarič; (iii) ASIC benchmarking by M. Khairallah, T. Peyrin, and A. Chattopadhyay; (iv) Microcontroller benchmarking by S. Renner, E. Pozzobon, and J. Mottok; (v) Microcontroller benchmarking by R. Weatherley; (vi) RISC-V benchmarking by F. Campos, L. Jellema, M. Lemmen, L. Müller, D. Sprenkels, and B. Viguier; (vii) RISC-V benchmarking by G. Nisanci, R. Atay, M. K. Pehlivanoglu, E. B. Kavun, and T. Yalçın; and (viii) eBACS (ECRYPT Benchmarking of Cryptographic Systems) benchmarking by D. J. Bernstein and T. Lange.

The authors of this report acknowledge and appreciate contributions from their colleagues at NIST – Lily Chen, Andrew Regenscheid, Sara Kerman, Noah Waller, Isabel Van Wyk, Ray Perlner, Luís Brandão, Sheryl Taylor, Dustin Moody, and Michael J. Fagan – who provided technical and administrative support and participated in meetings to discuss the selection of the finalists.

Contents

1 Introduction
2 Evaluation Criteria
3 Second-Round Candidates
  3.1 Classification of the Second-Round Candidates
  3.2 Evaluation of the Second-Round Candidates
    3.2.1 ACE
    3.2.2 ASCON
    3.2.3 COMET
    3.2.4 DryGASCON
    3.2.5 Elephant
    3.2.6 ESTATE
    3.2.7 ForkAE
    3.2.8 GIFT-COFB
    3.2.9 Gimli
    3.2.10 Grain-128AEAD
    3.2.11 HyENA
    3.2.12 ISAP
    3.2.13 KNOT
    3.2.14 LOTUS-AEAD and LOCUS-AEAD
    3.2.15 mixFeed
    3.2.16 ORANGE
    3.2.17 Oribatida
    3.2.18 PHOTON-Beetle
    3.2.19 Pyjamask
    3.2.20 Romulus
    3.2.21 SAEAES
    3.2.22 SATURNIN
    3.2.23 SKINNY-AEAD and SKINNY-HASH
    3.2.24 SPARKLE
    3.2.25 SPIX
    3.2.26 SpoC
    3.2.27 Spook
    3.2.28 Subterranean 2.0
    3.2.29 SUNDAE-GIFT
    3.2.30 TinyJAMBU
    3.2.31 WAGE
    3.2.32 Xoodyak
  3.3 Additional Considerations
    3.3.1 Side-Channel Resistance
    3.3.2 Nonce-Misuse Security
    3.3.3 RUP Security
    3.3.4 Impacts of State Recovery
    3.3.5 Post-Quantum Security
4 Performance Benchmarking
  4.1 Software Benchmarking
    4.1.1 Microcontroller Benchmarking by NIST
    4.1.2 Microcontroller Benchmarking by Renner et al.
    4.1.3 Microcontroller Benchmarking by Weatherley
    4.1.4 Additional Results
  4.2 Hardware Benchmarking
    4.2.1 FPGA Benchmarking by GMU CERG
    4.2.2 ASIC Benchmarking by Khairallah et al.
    4.2.3 ASIC Benchmarking by Aagaard and Zidarič
5 Selecting the Finalists
6 Next Steps
References
A NIST Software Benchmarking Results

List of Tables

Table 1 Timeline of the NIST Lightweight Cryptography Standardization Process
Table 2 Underlying primitives of the second-round candidates
Table 3 AEAD mode-of-operation classification of primary variants
Table 4 Hashing modes of the 12 candidates with hashing functionalities
Table 5 Summary of attacks on ASCON family
Table 6 A non-exhaustive summary of attacks on GIFT-128
Table 7 Summary of attacks on Gimli
Table 8 Summary of distinguishing attacks on PHOTON256
Table 9 Summary of best key-recovery attacks on SKINNY-128-256 and SKINNY-128-384
Table 10 Specifications of microcontrollers used in benchmarking initiatives
Table 11 Summary of the hardware benchmarking initiatives
Table 12 Code sizes (in bytes) for the smallest implementations of the primary AEAD variants on microcontrollers
Table 13 Code sizes (in bytes) for the smallest implementations of the primary hash variants on microcontrollers
Table 14 Timings (in µs) for the fastest implementations of primary AEAD variants for authenticated encryption of 16-byte message and 16-byte AD on microcontrollers
Table 15 Timings (in µs) for the fastest implementations of primary hash variants for processing 16-byte message on microcontrollers

List of Figures

Figure 1 Code size vs. speed results of the smallest primary AEAD variants for authenticated encryption of 16-byte message and 16-byte AD on ATmega328P
Figure 2 Code size vs. speed results of the smallest primary AEAD variants for authenticated encryption of 16-byte message and 16-byte AD on ATmega4809
Figure 3 Code size vs. speed results of the smallest primary AEAD variants for authenticated encryption of 16-byte message and 16-byte AD on SAMD21
Figure 4 Code size vs. speed results of the smallest primary AEAD variants for authenticated encryption of 16-byte message and 16-byte AD on nRF52840
Figure 5 Code size vs. speed results of the smallest primary AEAD variants for authenticated encryption of 16-byte message and 16-byte AD on PIC32MX
Figure 6 Code size vs. speed results of the smallest primary AEAD variants for authenticated encryption of 16-byte message and 16-byte AD on ESP8266
Figure 7 Relative speeds of the candidates compared to AES-GCM on ATmega328P
Figure 8 Relative speeds of the candidates compared to AES-GCM on ATmega4809
Figure 9 Relative speeds of the candidates compared to AES-GCM on SAMD21
Figure 10 Relative speeds of the candidates compared to AES-GCM on nRF52840
Figure 11 Relative speeds of the candidates compared to AES-GCM on PIC32MX
Figure 12 Relative speeds of the candidates compared to AES-GCM on ESP8266

Acronyms

AD        Associated Data
AEAD      Authenticated Encryption with Associated Data
AES       Advanced Encryption Standard
ARX       Addition-Rotation-Xor
ASIC      Application Specific Integrated Circuit
CAESAR    Competition for Authenticated Encryption: Security, Applicability, and Robustness
CBC       Cipher Block Chaining
CCA       Chosen Ciphertext Attack
CCAm      CCA with nonce misuse-resilience
CI        Ciphertext Integrity
CIM       Ciphertext Integrity with Misuse-resistance
CTR       Counter
eBACS     ECRYPT Benchmarking of Cryptographic System
eSTREAM   ECRYPT STREAM cipher project
FOBOS     Flexible Opensource workBench fOr Side-channel analysis