Securing Tiny Tech: NIST Finalises Lightweight Cryptography Standard

A brief on NIST SP 800-232, the lightweight cryptography standard for constrained devices.

As our world becomes increasingly interconnected, tiny electronic devices like medical implants, RFID tags, commodity sensors, and smart home gadgets (commonly known as the Internet of Things or IoT devices) are turning into low-power battlegrounds. These devices lack the resources to handle traditional cryptography like the Advanced Encryption Standard (AES) and other resource-intensive algorithms, yet often transmit sensitive data that must be protected. After a multi-year public review process, the National Institute of Standards and Technology (NIST) has finalised a lightweight cryptography standard that can finally tackle this longstanding issue.

Image source: nist.gov

So, What's Been Announced?

On August 13, 2025, NIST formally released its new standard, Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST Special Publication 800-232). The standard defines four Ascon-family cryptographic primitives for authenticated encryption with associated data (AEAD) and hashing. Ascon was developed in 2014 and has withstood over a decade of scrutiny by cryptographers, finally being selected by NIST in 2023 as the planned standard for lightweight cryptography. The finalised standard offers strong security with minimal resource use and is more resilient to side-channel attacks.

Lightweight Cryptography Algorithms

ASCON-128 AEAD - Authenticated Encryption with Associated Data

This algorithm provides both confidentiality (encryption) and authenticity (integrity check) in one operation, helpful for devices that lack the CPU cycles or memory to run separate encryption and authentication routines. It also supports "associated data", a feature that is critical for protocols that need metadata in clear text. ASCON-128 AEAD has a small state size, minimal RAM requirements, and is built with a sponge-based permutation design, which simplifies resistance to timing and power analysis, making it less vulnerable to side-channel attacks.

ASCON Hash 256 - Fixed-length Hash Function

This algorithm compresses arbitrary-length input into a fixed 256-bit (32-byte) digest, serving as a reliable "fingerprint" for the data. This makes it ideal for integrity verification, e.g. validating firmware during software updates. It can also be used for securing passwords by hashing them with a salt, and to prepare data for digital signatures. Compared to SHA-3, ASCON-Hash 256 delivers similar collision resistance while requiring significantly fewer computational resources.

ASCON-XOF 128 - Extendable Output Function

This algorithm is also a hash function, but with a user-chosen output length, allowing for a good trade-off between performance and security. This makes it ideal for constrained devices where even a 256-bit digest is overkill.

ASCON-CXOF 128 - Customisable Extendable Output Function

The CXOF variant adds the ability to attach a customised label to the hash, reducing the risk of hash collisions across multiple devices. It prevents accidental or malicious output reuse across different systems, and defeats multi-protocol attacks related to the same digest in unrelated contexts. This makes it ideal for multi-tenant IoT gateways, ensuring tenant separation using labeled hashes.
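
The three hash-type primitives described above (fixed 256-bit hash, XOF and CXOF) share one sponge and differ in their initial value, output length and optional label. The Python below is an added example, not code from NIST or from this article, and is not constant-time. The function names, the variant keys and the firmware bytes are assumptions constructed for illustration.

```python
# Added example (not from the article or from NIST): Ascon-Hash256, Ascon-XOF128
# and Ascon-CXOF128 as one sponge. Teaching code, not constant-time.
MASK = 0xFFFFFFFFFFFFFFFF
ROT = ((19, 28), (61, 39), (1, 6), (10, 17), (7, 41))  # linear-layer rotations
VERSION = {"hash256": 2, "xof128": 3, "cxof128": 4}    # variant byte of the IV

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def permute(s):
    """12-round Ascon permutation over five 64-bit words, in place."""
    for r in range(12):
        s[2] ^= 0xF0 - r * 0x0F                       # round constant
        s[0] ^= s[4]; s[4] ^= s[3]; s[2] ^= s[1]       # bitsliced 5-bit S-box
        t = [(s[i] ^ MASK) & s[(i + 1) % 5] for i in range(5)]
        for i in range(5):
            s[i] ^= t[(i + 1) % 5]
        s[1] ^= s[0]; s[0] ^= s[4]; s[3] ^= s[2]; s[2] ^= MASK
        for i, (a, b) in enumerate(ROT):              # linear diffusion
            s[i] ^= _rotr(s[i], a) ^ _rotr(s[i], b)

def _absorb(s, data):
    """Pad with 0x01 then zeros, XOR 8-byte blocks into the rate word."""
    padded = data + b"\x01" + bytes(7 - len(data) % 8)
    for i in range(0, len(padded), 8):
        s[0] ^= int.from_bytes(padded[i:i + 8], "little")
        permute(s)

def ascon_digest(msg, variant="hash256", outlen=32, label=b""):
    """Digest of msg; outlen is free for the XOFs, label applies to cxof128."""
    taglen = 256 if variant == "hash256" else 0
    outlen = 32 if variant == "hash256" else outlen
    iv = bytes([VERSION[variant], 0, 0xCC]) + taglen.to_bytes(2, "little") + bytes([8, 0, 0])
    s = [int.from_bytes(iv, "little"), 0, 0, 0, 0]
    permute(s)
    if variant == "cxof128":   # customisation string: its bit length, then the label
        _absorb(s, (8 * len(label)).to_bytes(8, "little") + label)
    _absorb(s, msg)
    out = b""
    while len(out) < outlen:   # squeeze 8 bytes per permutation call
        out += s[0].to_bytes(8, "little")
        permute(s)
    return out[:outlen]

# Constructed sample: one firmware blob, fingerprinted for two gateway tenants.
FIRMWARE = b"constructed-firmware-image-v1"
TAG_A = ascon_digest(FIRMWARE, "cxof128", 16, b"tenant-a")
TAG_B = ascon_digest(FIRMWARE, "cxof128", 16, b"tenant-b")
SHORT = ascon_digest(FIRMWARE, "xof128", 8)

if __name__ == "__main__":
    print(ascon_digest(FIRMWARE).hex(), TAG_A.hex(), TAG_B.hex(), SHORT.hex())
```

The same firmware bytes yield unrelated 16-byte tags under the two tenant labels, and the 8-byte XOF output is a prefix of any longer XOF output over the same input.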
