ISO/IEC 29192-8: Lightweight Cryptography — Authenticated Encryption for Resource-Limited Devices

Comprehensive Analysis of AEAD Schemes for IoT and Embedded Security

ISO/IEC 29192-8 defines lightweight authenticated encryption with associated data (AEAD) schemes that simultaneously provide confidentiality, integrity, and authenticity verification. These algorithms are critical for securing communications in resource-constrained environments where separate encryption and authentication would impose prohibitive overhead. The standard specifies AEAD schemes optimised for both hardware and software implementations, targeting applications in IoT, embedded systems, RFID, and other domains where power, area, and computational resources are severely limited.

Authenticated Encryption Schemes in ISO/IEC 29192-8

The standard specifies two primary AEAD algorithms: ASCON and GIFT-COFB. ASCON is a family of lightweight authenticated encryption schemes built on a fixed permutation used in duplex sponge mode, with two primary variants: ASCON-128 (128-bit security, 64-bit rate) and ASCON-128a (128-bit security, 128-bit rate and therefore higher throughput). Both keep a 320-bit state made of five 64-bit words; initialisation and finalisation run 12 rounds of the permutation, and the data-processing phase runs 6 rounds (ASCON-128) or 8 rounds (ASCON-128a) between consecutive blocks. In February 2023 NIST selected the ASCON family as the winner of its Lightweight Cryptography competition after several years of public third-party analysis, which is a strong signal of its cryptographic robustness.

GIFT-COFB combines the GIFT lightweight block cipher with the COFB (COmbined FeedBack) mode of operation to provide authenticated encryption. GIFT is a substitution-permutation network cipher defined in two sizes, GIFT-64 (64-bit block, 128-bit key) and GIFT-128 (128-bit block, 128-bit key); the GIFT-COFB scheme itself, as submitted to and analysed in the NIST process, is instantiated with GIFT-128 and uses a 128-bit key, a 128-bit nonce and a 128-bit tag. COFB is rate-1: every block of associated data and every block of plaintext costs exactly one block cipher call, and the mode carries only a half-block mask beyond the cipher state, which is what keeps it small. Both ASCON and GIFT-COFB accept associated data (AAD) that is authenticated but not encrypted, which is essential for protocol headers and other metadata that must remain in the clear.

Algorithm     Key       Nonce     Tag       Rate per permutation/cipher call   Security level   Indicative hardware throughput
ASCON-128     128 bits  128 bits  128 bits  64 bits                            128 bits         ~4.5 Gbps @ 400 MHz
ASCON-128a    128 bits  128 bits  128 bits  128 bits                           128 bits         ~7.2 Gbps @ 400 MHz
GIFT-COFB     128 bits  128 bits  128 bits  128 bits (one GIFT-128 call)       128 bits         ~2.8 Gbps @ 400 MHz

Throughput figures are indicative only: they depend on the datapath (serialised versus unrolled rounds), the process technology and the clock, and should be re-measured for any concrete implementation. ASCON-128a offers the best throughput among the specified algorithms, since it absorbs 128 bits per call to an 8-round permutation while keeping 128-bit security, so it suits applications that push larger data volumes through constrained platforms. GIFT-COFB keeps only 1.5 block widths of state (the block plus a half-block mask) around a small SPN cipher, which makes it attractive where silicon area is the dominant constraint. The COFB mode could in principle be built over GIFT-64, but a 64-bit block limits the tag to 64 bits and brings the birthday bound down to roughly 2^32 blocks under one key, so such an instance would not offer 128-bit security and is not the GIFT-COFB instance that was analysed in the NIST process.

Security Guarantees and Cryptographic Properties

The AEAD schemes in ISO/IEC 29192-8 provide robust security guarantees when implemented correctly and used with unique nonces. Confidentiality is ensured through the encryption component, preventing an adversary from learning any information about the plaintext from the ciphertext beyond its length. Integrity protection ensures that any unauthorised modification of the ciphertext, the associated data or the nonce is detected during decryption. Authenticity guarantees that the data originated from a party possessing the correct secret key. These properties are stated under the standard security notions for nonce-based AEAD: IND-CPA (indistinguishability under chosen plaintext attack) and INT-CTXT (integrity of ciphertext), which together imply security against chosen-ciphertext attacks (IND-CCA), all for an adversary that never repeats a nonce under a given key.

ASCON’s security rests on the permutation’s resistance to differential, linear and algebraic cryptanalysis, and on the sponge/duplex construction, whose capacity (256 bits for ASCON-128, 192 bits for ASCON-128a) keeps most of the state hidden from the attacker. The ASCON permutation has undergone extensive third-party analysis, and the best published attacks reach only a fraction of the full 12 rounds. GIFT-COFB’s security relies on GIFT-128 behaving as a pseudorandom permutation, combined with the COFB mode’s provable security bound. The standard requires that implementations verify the authentication tag before releasing any decrypted plaintext. This is not a padding-oracle problem in the CBC sense (the 10* padding in these schemes is reconstructed, never checked, on decryption); the danger is that plaintext released from an unverified ciphertext hands the attacker a decryption oracle, which the security proofs explicitly exclude. Neither algorithm needs data-dependent table lookups or branches: the ASCON S-box and the GIFT S-box are both naturally bitsliced, so constant-time implementations are straightforward, but timing resistance still has to be implemented rather than assumed, in particular in the tag comparison.

NIST’s selection of the ASCON family in February 2023 as the basis for its lightweight cryptography standard reflects broad consensus on its security properties. Implementations following the standard can rely on its 128-bit security claims, provided the data limits in the specification are respected and, above all, nonces are never repeated.

AEAD security guarantees are void if a nonce is reused under the same key. This is not specific to lightweight schemes: in nonce-based AEAD generally, including block-cipher modes such as GCM, a repeated nonce breaks authenticity as well as confidentiality. For ASCON a repeated (key, nonce) pair leaks the XOR of the two plaintexts over their common prefix (at least the first rate block), and for both schemes the proofs that rule out forgeries assume unique nonces. Nonces need not be secret, only unique: a monotonic counter that survives resets, or 128 bits from a trustworthy random number generator, are both acceptable; a counter kept only in volatile RAM is not.
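The duplex-sponge structure described above, the verify-before-release rule and the nonce-reuse warning can all be seen in one compact Ascon-128 implementation. The following is an added example written for this page, not the ISO/IEC text or the NIST/Ascon reference code: an unoptimised pure-Python Ascon-128 (v1.2) following the public specification, with a decrypt() that returns plaintext only after a constant-time tag check and a nonce_reuse_leak() helper that shows what a repeated (key, nonce) pair gives away. The function names are this example's own; the key and nonce used below (bytes 0x00..0x0F) are the standard known-answer-test inputs, and the message strings are constructed.

```python
import hmac

MASK = (1 << 64) - 1
IV_ASCON128 = 0x80400C0600000000   # k=128, r=64, a=12, b=6 packed as in the spec
RATE = 8                           # 64-bit rate, in bytes

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def permutation(S, rounds):
    """Ascon permutation p^rounds on five 64-bit words, updated in place."""
    for r in range(12 - rounds, 12):
        S[2] ^= 0xF0 - r * 0x10 + r                    # round constant
        S[0] ^= S[4]; S[4] ^= S[3]; S[2] ^= S[1]       # bitsliced 5-bit S-box
        T = [(~S[i] & MASK) & S[(i + 1) % 5] for i in range(5)]
        for i in range(5):
            S[i] ^= T[(i + 1) % 5]
        S[1] ^= S[0]; S[0] ^= S[4]; S[3] ^= S[2]; S[2] ^= MASK
        S[0] ^= rotr(S[0], 19) ^ rotr(S[0], 28)        # linear diffusion layer
        S[1] ^= rotr(S[1], 61) ^ rotr(S[1], 39)
        S[2] ^= rotr(S[2], 1) ^ rotr(S[2], 6)
        S[3] ^= rotr(S[3], 10) ^ rotr(S[3], 17)
        S[4] ^= rotr(S[4], 7) ^ rotr(S[4], 41)

def _u64(b): return int.from_bytes(b, "big")
def _b8(x): return x.to_bytes(8, "big")

def _pad(data):
    """10* padding to a whole number of rate blocks (always adds at least one byte)."""
    return data + b"\x80" + b"\x00" * (RATE - len(data) % RATE - 1)

def _absorb_header(key, nonce, ad):
    """Initialisation and associated-data phase shared by encrypt and decrypt."""
    k0, k1 = _u64(key[:8]), _u64(key[8:])
    S = [IV_ASCON128, k0, k1, _u64(nonce[:8]), _u64(nonce[8:])]
    permutation(S, 12)
    S[3] ^= k0; S[4] ^= k1
    if ad:
        p = _pad(ad)
        for i in range(0, len(p), RATE):
            S[0] ^= _u64(p[i:i + RATE])
            permutation(S, 6)
    S[4] ^= 1                                          # domain separation: AD -> message
    return S

def _finalize(S, key):
    k0, k1 = _u64(key[:8]), _u64(key[8:])
    S[1] ^= k0; S[2] ^= k1
    permutation(S, 12)
    return _b8(S[3] ^ k0) + _b8(S[4] ^ k1)             # 128-bit tag

def encrypt(key, nonce, ad, pt):
    """Ascon-128 encryption; returns ciphertext || 16-byte tag."""
    S = _absorb_header(key, nonce, ad)
    p, ct = _pad(pt), b""
    for i in range(0, len(p), RATE):
        S[0] ^= _u64(p[i:i + RATE])                    # duplex: absorb plaintext ...
        ct += _b8(S[0])                                # ... and squeeze ciphertext
        if i + RATE < len(p):
            permutation(S, 6)                          # no permutation after the last block
    return ct[:len(pt)] + _finalize(S, key)

def decrypt(key, nonce, ad, ct):
    """Ascon-128 decryption. Plaintext is buffered internally and returned only
    after the tag verifies; on any failure the caller gets None and nothing else."""
    if len(ct) < 16:
        return None
    body, tag = ct[:-16], ct[-16:]
    S = _absorb_header(key, nonce, ad)
    pt, n_full = b"", len(body) // RATE
    for i in range(n_full):
        c = _u64(body[i * RATE:(i + 1) * RATE])
        pt += _b8(S[0] ^ c)
        S[0] = c                                       # the state now holds the ciphertext block
        permutation(S, 6)
    last = body[n_full * RATE:]                        # 0..7 trailing bytes
    p_last = bytes(a ^ b for a, b in zip(_b8(S[0]), last))
    pt += p_last
    S[0] ^= _u64(_pad(p_last))                         # mirror the encryptor's padded last block
    if not hmac.compare_digest(_finalize(S, key), tag):   # constant-time tag comparison
        return None
    return pt

def nonce_reuse_leak(key, nonce, pt1, pt2):
    """Two messages under one (key, nonce): the keystream for the first rate block is
    identical, so XOR of the ciphertexts equals XOR of the plaintexts over that block."""
    c1 = encrypt(key, nonce, b"", pt1)
    c2 = encrypt(key, nonce, b"", pt2)
    return bytes(a ^ b for a, b in zip(c1[:RATE], c2[:RATE]))
```

With key and nonce both equal to bytes 0x00..0x0F and empty message and associated data, encrypt() returns the 16-byte tag E355159F292911F794CB1432A0103A8A, the first vector of the Ascon-128 known-answer tests. Note that decrypt() never hands out a partial plaintext: a wrong key, a changed nonce, a flipped bit in the associated data, the ciphertext or the tag all yield the same None.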

Implementation Strategies and Performance Trade-offs

Implementing ISO/IEC 29192-8 AEAD schemes requires balancing multiple performance objectives including throughput, latency, power consumption, memory footprint, and side-channel resistance. In hardware, ASCON implementations range from approximately 6,000 gate equivalents for a serialised architecture focused on minimum area to 20,000+ GE for fully unrolled, high-throughput designs. GIFT-COFB implementations typically require 3,000-5,000 GE for the GIFT core plus additional logic for the COFB mode controller. The choice between serial and parallel datapaths depends on the application’s throughput requirements and available silicon area.

In software, both algorithms perform well across a range of microcontroller architectures. On 32-bit ARM Cortex-M platforms, ASCON achieves approximately 15-25 cycles per byte for encryption and authentication combined, while 8-bit AVR implementations achieve 80-150 cycles per byte. GIFT-COFB tends to be more efficient on platforms with limited register files due to its simpler round structure. The standard provides guidance on memory management for AEAD implementations, including buffer handling for associated data and plaintext, tag verification strategies, and secure clearing of sensitive material after operation completion.

One of the most common implementation pitfalls in AEAD is releasing decrypted plaintext before the tag has been verified, for example by streaming decrypted blocks to the application as they are produced. Any consumer that acts on such data turns the device into a decryption oracle, which undermines the authenticity guarantee regardless of how strong the cipher is. Buffer the output, verify the tag with a constant-time comparison, and release the plaintext only afterwards; on failure report a single generic error without indicating which byte or block was wrong.
Q: What is the difference between authenticated encryption and separate encryption+MAC?

A: AEAD provides confidentiality and authentication in a single, tightly integrated operation under one key. Generic compositions can be secure (encrypt-then-MAC with independent keys is the safe order), but they leave the implementer to get the order, the key separation and the coverage of the nonce and associated data right; MAC-then-encrypt compositions have repeatedly failed in practice. An AEAD scheme fixes all of these choices in the specification, is more efficient than two passes over the data, reduces implementation complexity, and avoids the subtle vulnerabilities that arise from improper composition of independently designed primitives.

Q: Can ISO/IEC 29192-8 AEAD algorithms be used for disk encryption?

A: While technically possible, these algorithms are optimised for constrained environments, and their interface does not match the problem: AEAD needs a unique nonce and a 128-bit tag per encrypted unit, whereas sector-based disk encryption is length-preserving and has nowhere to store either. For disk encryption on general-purpose systems, dedicated modes like XTS-AES are more appropriate. The lightweight AEAD schemes in 29192-8 are best suited for network protocols, sensor data streams, and record-oriented embedded storage where per-record nonces and tags can be kept.

Q: How does the standard address side-channel attack resistance?

A: The standard recommends specific countermeasure techniques including constant-time implementations, masking of intermediate values, and hardware-level protection mechanisms. It provides guidance on implementing ASCON and GIFT-COFB with resistance against timing attacks, power analysis, and electromagnetic analysis.

Q: What is the recommended nonce size and generation strategy?

A: The ASCON variants and GIFT-COFB all use 128-bit nonces. A nonce need not be secret, but it must never repeat under the same key. Two strategies are acceptable: 128 bits from a trustworthy random number generator (the collision probability after q messages is about q^2 / 2^129, which is negligible for any realistic q; the same reasoning would not hold for a 96-bit nonce at high message volume), or a monotonic counter that is committed to non-volatile storage so that it cannot roll back after a reset or power loss. For devices without a hardware RNG, a nonce formed from a device-unique identifier concatenated with such a persisted counter is the robust choice; the identifier keeps nonces distinct across devices that share a key, and the counter must be stored ahead of use so that an unexpected reset skips values rather than repeating them.
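The counter strategy above is easy to get wrong on a device that loses power: a counter held in RAM repeats after every reset. The following added example, written for this page and not taken from the standard or any vendor SDK, shows the usual fix: the generator commits a high-water mark to non-volatile storage before issuing any counter value below it, so a reset can skip at most one window of values but never reuse one. NvWord is a constructed stand-in for a single flash or EEPROM slot, the 64-bit device identifier is assumed to come from the device's serial-number register, and the class and function names are this example's own.

```python
import os

NONCE_LEN = 16                     # 128-bit nonce, as ASCON-128/128a and GIFT-COFB require
COUNTER_MAX = 1 << 64              # the counter is the low 64 bits of the nonce

class NvWord:
    """Constructed stand-in for one non-volatile storage word (a flash/EEPROM slot).
    A real device would replace read/write with its flash driver."""
    def __init__(self, value=0):
        self.value = value

    def read(self):
        return self.value

    def write(self, value):
        self.value = value

class CounterNonce:
    """Nonce = 64-bit device ID || 64-bit message counter.

    The counter's high-water mark is committed to non-volatile storage BEFORE any
    counter value below it is handed out, in steps of `window`. After a reset the
    device resumes from the stored mark, so a power loss can skip up to `window`
    values but can never repeat one. The device ID keeps nonces distinct across
    devices that share a key; neither half of the nonce needs to be secret."""

    def __init__(self, device_id, nv, window=64):
        if not 0 <= device_id < 1 << 64:
            raise ValueError("device_id must fit in 64 bits")
        self.device_id = device_id
        self.nv = nv
        self.window = window
        self.next = nv.read()      # first unused counter value after (re)start
        self.limit = self.next     # values below this are already committed

    def take(self):
        if self.next >= self.limit:
            if self.next >= COUNTER_MAX:
                raise RuntimeError("counter space exhausted: rotate the key")
            new_limit = min(self.next + self.window, COUNTER_MAX)
            self.nv.write(new_limit)   # commit first ...
            self.limit = new_limit     # ... then extend the usable range
        n = self.next
        self.next += 1
        return self.device_id.to_bytes(8, "big") + n.to_bytes(8, "big")

def random_nonce():
    """Alternative for devices with a trustworthy RNG: 128 random bits.
    Collision probability after q messages is about q^2 / 2^129."""
    return os.urandom(NONCE_LEN)

def simulate_resets(device_id, resets, per_run, window=64):
    """Boot one device `resets` times with `per_run` messages per boot, losing all
    RAM state between boots but keeping the NV word. Returns every nonce issued."""
    nv = NvWord()
    issued = []
    for _ in range(resets):
        gen = CounterNonce(device_id, nv, window)   # fresh RAM state, same NV slot
        issued.extend(gen.take() for _ in range(per_run))
    return issued
```

Running simulate_resets() with five boots of 100 messages each and a window of 64 yields 500 distinct nonces; the second boot resumes at counter 128 (the mark committed during the first boot), so the 28 unused values are simply skipped. The cost of the scheme is one flash write per `window` messages, which is the knob to tune against the device's write endurance.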
