NIST seeks 'lightweight' encryption standards

The National Institute of Standards and Technology will seek public comment next week on the best way to design evaluation criteria dictating new encryption standards for small computing devices.

The agency will eventually call for cryptographers and researchers to submit algorithms to encrypt data on smaller "constrained devices," such as RFID tags, industrial controllers, sensor nodes and smart cards. Such components are often present in automobile systems, internet-of-things devices, the smart grid and distributed control systems.

NIST is asking for feedback on the requirements and evaluation criteria that will guide that process. According to a notice scheduled to be published in the Federal Register on May 14, current NIST encryption standards were designed for "general purpose computing platforms" like personal computers and tablets, and the agency says they have not been optimized for smaller devices and could lead to performance issues.

"The shift from desktop computers to small devices brings a wide range of new security and privacy concerns," the notice reads. "It is challenging to apply conventional cryptographic standards to small devices, because the tradeoff between security, performance and resource requirements was optimized for desktop and server environments, and this makes the standards difficult or impossible to implement in resource-constrained devices."

The 45-day comment period is scheduled to begin when the notice officially publishes on May 14. Following that process, NIST will put out a call for public submissions of encryption algorithms from security experts, cryptographers, academia and government. The algorithms will be subject to a year of public review and an additional 10 to 11 months of analysis by NIST officials before being considered for standardization.