[cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

dj at deadhat.com dj at deadhat.com
Tue May 12 04:19:16 EDT 2015

> On the lightweight side, I get the impression that block ciphers are
> also a big topic, but that there isn't a ton of work being done
> there... besides the NSA ciphers, SIMON and SPECK. John Kelsey
> mentioned these at RWC. The NSA came to NIST and said "Check out these
> ciphers!" and NIST said "Those look cool, but please publish them for
> academic review so we're not favoring you in any way."  So they did.
> But now the onus is on the community to analyze them and either poke
> holes in them or present something better.
> -tom

Simon and Speck have had quite a few cryptanalyses published and time has
passed. Simon is a lovely thing to implement in hardware. It goes up to
256,128 key and data size and is more efficient than AES in that
configuration by about a factor of 3 in hardware for the same performance.

If you don't read ISO specs for amusement (I can't blame you, they charge
money) PRESENT and CLEFIA are approved lightweight ciphers in ISO. But
they aren't as lightweight as Simon.

So all other things being equal, it seems to have something over PRESENT,
CLEFIA and AES. But all other things are not equal. The parentage is
unfortunate, because as an implementor, I really want Simon to make it
into the standards space, enabling us to deploy it in products where
standards compliance is mandatory.

My request to Doug Shors (who was at SC27 last week promoting Simon and
Speck for WG2) was - Add the missing 256 bit block size. It's the same
Achilles heel that AES has. The maximum block size is too small. The idea
that there is a need for lightweight crypto has poisoned the design of
lightweight ciphers. They are efficient ciphers, whether with small or big
key sizes or small or big block sizes. The more tasteful ones are smoothly
scalable in terms of width, unrolling and pipelining. But when they stop
at 64 bit block sizes or 128 bit key sizes, they limit the deployability
and performance limits.

