Score:11

Crypto

What are the drawbacks of "lightweight crypto"?

Timur Timak

2/3/24, 3:26 AM

Last year I learned about another NIST competition. https://csrc.nist.gov/projects/lightweight-cryptography/finalists

And I thought to myself: "why would I continue to use heavyweight cryptography in my desktop and server environments, if we have these new schemes?" Or are they flawed in some way?

I like to liken the encryption to natural languages. If there are too few people speaking a particular protocol, then why would you learn it, right? This might be one con.

They might be broken, it just hasn't been discovered yet. That's another.

I asked Cihangir Tezcan, the first person in my search on YouTube, he says they are as secure as conventional AES and the SHA family of functions and there are no drawbacks, is it true? We always trade something for something, time and space, freedom and security, mass and energy.

1916

1 + 1

kodlu

2/3/24, 12:25 PM

I wonder if the OP was being tongue in cheek when they said "another NIST non-competition"?

Score:15

Crypto

Mark

2/3/24, 3:57 AM

As a caveat, I haven't been involved with the process, so can't speak fully to it (and would welcome an answer from someone more in-the-know).

That being said, it is worth mentioning how "light" or "heavy" a scheme is is highly context-dependent. For example AES is not particularly fast to implement in software --- typically ARX ciphers (things like ChaChaPoly1305) are much faster. But many processors have dedicated AES instructions, making them faster on these computing platforms. So AES is "heavy" in some settings (where there isn't chip space for a dedicated instruction), and "light" in others (when there is).

What is the context of the LWC competition? You can read older NIST reports for some indication. Copying from page 10, we see

Microcontrollers are available with a wide array of performance attributes. Although 8-bit, 16-bit and 32-bit microcontrollers are the most common, there are significant sales of 4-bit microcontrollers for certain ultra-low cost applications. A wide variety of instruction sets exist, typically only simple instructions are supported, and the number of instructions is often very limited. This may result in a high number of cycles to execute common cryptographic algorithms, which may make them too slow or energy-consuming for the intended application. This is particularly a problem when it is necessary to satisfy real-time constraints using a limited amount of energy.

From this, we see constraints such as

limited instruction sets
limited register sizes (potentially sub-16 bit),
energy efficiency is a priority

These are all design constraints that don't appear in the desktop environment. It's therefore plausible that if you design cryptosystems without these constraints, you can get faster schemes.

For fun, we can compare

"Standard" crypto (on desktop), with
a LWC crypto finalist (on desktop)

using benchmarks like SUPERCOP. It looks like we are a few weeks out from the selection occuring, so I will look at benchmarks for the alphabetically-first LWC finalist, ASCON. It has a number of different algorithms listed on SUPERCOP, and I won't claim to know the differences between them. I will point out this page, where one sees that for desktop-grade processors (say AMD Ryzen 5 5560U --- this might be a laptop processor, I can't remember), that "heavyweight cryptography" is significantly faster than ASCON variants.

So "lightweight" crypto is not faster in all contexts, and seems to be a good deal slower in comparison to standard crypto in standard computing environments.

+ 3

forest

2/3/24, 11:41 AM

I'd say that AES is only "heavy" on processors without hardware acceleration if the implementation is side-channel resistant. The reason a software implementation of ChaCha is often faster than a software implementation of AES is simply that ARX designs can be made side-channel resistant without taking a serious performance hit.

Peter Cordes

2/4/24, 7:02 AM

Yes, Ryzen 5 5560U is a mobile CPU with a TDP configurable from 10 to 25W (default 15W), Zen 3 microarchitecture, 6 physical cores, max boost clock 4.0GHz. https://www.amd.com/en/products/apu/amd-ryzen-5-5560u . For Intel, the U suffix means "ultra-low-voltage", as opposed to higher power mobile chips; presumably it means about the same thing for AMD. Anyway, **Zen 3 has hardware instructions for AES, and SHA1 / SHA256** ([SHA-NI](https://en.wikipedia.org/wiki/Intel_SHA_extensions), new for Intel with Goldmont low-power, but not until Ice Lake for mainstream performance cores.)

Peter Cordes

2/4/24, 7:27 AM

(Fast SHA-512 performance on high-end CPUs is due to manually vectorized implementations, using 16 or 32-byte vectors to process a lot of data at once. This works well since [it consumes a lot of data at once for its compression steps](https://crypto.stackexchange.com/questions/26336/sha-512-faster-than-sha-256), and in 64-bit chunks so SIMD shuffles don't have as many elements to deal with. And for scalar, so each scalar operation operates on more bits at once, consuming more bytes per same number of operations.)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What are the drawbacks of "lightweight crypto"?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.