NIST Finalizes ‘Lightweight Cryptography’ Standard to Protect Small Devices
Four related algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics.
- Many networked devices do not possess the electronic resources that larger computers do, but they still need protection from cyberattacks. NIST’s lightweight cryptography standard will help.
- The four algorithms in the standard require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices such as those making up the Internet of Things.
- NIST has finalized the standard after a multiyear public review process followed by extensive interaction with the design community.
August 13, 2025 -- It’s the little things that matter most, as the saying goes, and the National Institute of Standards and Technology (NIST) has got their back. NIST’s newly finalized lightweight cryptography standard provides a defense from cyberattacks for even the smallest of networked electronic devices.
Released as Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST Special Publication 800-232), the standard contains tools designed to protect information created and transmitted by the billions of devices that form the Internet of Things (IoT) as well as other small electronics, such as RFID tags and medical implants. Miniature technologies like these often possess far fewer computational resources than computers or smartphones do, but they still need protection from cyberattacks. The answer is lightweight cryptography, which is designed to defend these sorts of resource-constrained devices.
“We encourage the use of this new lightweight cryptography standard wherever resource constraints have hindered the adoption of cryptography,” said NIST computer scientist Kerry McKay, who co-led the project with her NIST colleague Meltem Sönmez Turan. “It will benefit industries that build devices ranging from smart home appliances to car-mounted toll registers to medical implants. One thing these electronics have in common is the need to fine-tune the amount of energy, time and space it takes to do cryptography. This standard fits their needs.”
The standard is built around a group of cryptographic algorithms in the Ascon family, which NIST selected in 2023 as the planned basis for its lightweight cryptography standard after a multiround public review process. Ascon was developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies and Radboud University. In 2019 it emerged as the primary choice for lightweight encryption in the CAESAR competition, a sign that Ascon had withstood years of examination by cryptographers.
In the standard are four variants from the Ascon family that give designers different options for different use cases. The variants focus on two of the main tasks of lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing.
ASCON-128 AEAD is useful when a device needs to encrypt its data, verify the authenticity of the data, or — crucially — both. A common weakness of small devices is their vulnerability to “side-channel attacks,” in which an attacker can extract sensitive information by observing physical characteristics like power consumption or timing. While no cryptographic algorithm is inherently immune to such attacks, ASCON is designed to support side-channel-resistant implementations more easily than many traditional algorithms. Devices that can benefit from its approach include RFID tags, implanted medical devices, and toll-registration transponders attached to car windshields.
ASCON-Hash 256 takes all the data it encrypts and uses it to create a short “hash” a few characters long, which functions like a fingerprint of the data. Even a small change to the original data results in an instantly recognizable change in the hash, making the algorithm useful for maintaining the data’s integrity — such as during a software update, to ensure that no malware has crept in. Other uses are for protecting passwords and the digital signatures we use in online bank transfers. It is a lightweight alternative to NIST’s SHA-3 family of hash algorithms, which are widely used for many of the same purposes.
ASCON-XOF 128 and ASCON-CXOF 128 are hash functions with a twist: Both algorithms allow the user to change the size of the hash. This option can benefit small devices because using shorter hashes allows the device to spend less time and energy on the encryption process.
The CXOF variant also adds the ability to attach a customized “label” a few characters long to the hash. If many small devices perform the same encryption operation, there is a small but significant chance that two of them could output the same hash, which would offer attackers a clue about how to defeat the encryption. Adding customized labels would allow users to sidestep this potential problem.
McKay said the NIST team intends the standard not only to be of immediate use, but also to be expandable to meet future needs.
“We’ve taken the community’s feedback and tried to provide a standard that can be easily followed and implemented, but we are also trying to be forward-looking in terms of being able to build on it,” she said. “There are additional functionalities people have requested that we might add down the road, such as a dedicated message authentication code. We plan to start considering these possibilities very soon.”
For more information on the standard, visit the NIST Lightweight Cryptography Project page.