> On the lightweight side, I get the impression that block ciphers are
> also a big topic, but that there isn't a ton of work being done
> there... besides the NSA ciphers, SIMON and SPECK. John Kelsey
> mentioned these at RWC. The NSA came to NIST and said "Check out these
> ciphers!" and NIST said "Those look cool, but please publish them for
> academic review so we're not favoring you in any way." So they did.
> But now the onus is on the community to analyze them and either poke
> holes in them or present something better.
>
> -tom

Simon and Speck have had quite a few cryptanalyses published and time has passed.

Simon is a lovely thing to implement in hardware. It goes up to 256,128 key and data size and is more efficient than AES in that configuration by about a factor of 3 in hardware for the same performance.

If you don't read ISO specs for amusement (I can't blame you, they charge money), PRESENT and CLEFIA are approved lightweight ciphers in ISO. But they aren't as lightweight as Simon. So all other things being equal, it seems to have something over PRESENT, CLEFIA and AES.

But all other things are not equal. The parentage is unfortunate, because as an implementor, I really want Simon to make it into the standards space, enabling us to deploy it in products where standards compliance is mandatory.

My request to Doug Shors (who was at SC27 last week promoting Simon and Speck for WG2) was - Add the missing 256 bit block size. It's the same Achilles heel that AES has. The maximum block size is too small.

The idea that there is a need for lightweight crypto has poisoned the design of lightweight ciphers. They are efficient ciphers, whether with small or big key sizes or small or big block sizes. The more tasteful ones are smoothly scalable in terms of width, unrolling and pipelining. But when they stop at 64 bit block sizes or 128 bit key sizes, they limit the deployability and performance limits.

David

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography