ISO/IEC 29192-1:2012

INTERNATIONAL ISO/IEC
STANDARD 29192-1
First edition
2012-06-01
Information technology — Security
techniques — Lightweight
cryptography —
Part 1:
General
Technologies de l'information — Techniques de sécurité —
Cryptographie pour environnements contraints —
Partie 1: Généralités
Reference number
©
ISO/IEC 2012
©  ISO/IEC 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2012 – All rights reserved

Contents Page
Foreword . iv
Introduction . v
1  Scope . 1
2  Terms and definitions . 1
3  Categories of constraints for lightweight cryptography . 2
3.1  Chip area . 2
3.2  Energy consumption . 2
3.3  Program code size and RAM size . 2
3.4  Communication bandwidth . 2
3.5  Execution time . 3
4  Requirements . 3
4.1  Security requirements . 3
4.2  Classification requirements . 3
4.3  Implementation requirements . 4
5  Lightweight cryptographic mechanisms . 5
5.1  Block ciphers . 5
5.2  Stream ciphers . 6
5.3  Mechanisms using asymmetric techniques . 6
Annex A (informative) Selection criteria for inclusion of mechanisms in ISO/IEC 29192 . 7
Annex B (informative) Obtaining metrics for hardware implementation comparison . 8
Annex C (normative) Metrics for hardware targeted block and stream ciphers . 11
Annex D (informative) Gate equivalents . 12
Bibliography . 13

© ISO/IEC 2012 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 29192-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 29192 consists of the following parts, under the general title Information technology — Security
techniques — Lightweight cryptography:
 Part 1: General
 Part 2: Block ciphers
 Part 3: Stream ciphers
 Part 4: Mechanisms using asymmetric techniques
Further parts may follow.
iv © ISO/IEC 2012 – All rights reserved

Introduction
ISO/IEC 29192 is a multi-part International Standard that specifies lightweight cryptography for the purposes
of data confidentiality, authentication, identification, non-repudiation, and key exchange. Lightweight
cryptography is suitable in particular for constrained environments. The constraints normally encountered can
be any of the following:
 chip area;
 energy consumption;
 program code size and RAM size;
 communication bandwidth;
 execution time.
The purpose of ISO/IEC 29192 is to specify standardized mechanisms which are suitable for lightweight
cryptographic applications, including radiofrequency identification (RFID) tags, smart cards (e.g. contactless
applications), secure batteries, health-care systems (e.g. Body Area Networks), sensor networks, etc.
This part of ISO/IEC 29192 sets the security requirements, classification requirements and implementation
requirements of mechanisms that are proposed for inclusion in subsequent parts of ISO/IEC 29192.
Lightweight cryptography delivers adequate security in the context for which it is intended. The cryptographic
mechanisms standardized in ISO/IEC 29192 provide their full security strength if they are used within the
limitations of the mechanisms as specified.
EXAMPLE For a block cipher with a block size of n bits and a key size of k bits, when limiting the use of the block
cipher to encrypting no more than 2n/2 blocks of plaintext under a single key in say counter mode, it will provide k-bit
security. The security degrades with more than 2n/2 blocks.
There are overlaps in some security techniques between ISO/IEC 29192 and existing standards such as
ISO/IEC 18033, ISO/IEC 9798, and ISO/IEC 11770. The exclusion of particular mechanisms does not imply
that these mechanisms are not suitable for lightweight cryptography. The criteria used to select the
cryptographic mechanisms specified in subsequent parts of ISO/IEC 29192 are described in Annex A.

© ISO/IEC 2012 – All rights reserved v

INTERNATIONAL STANDARD ISO/IEC 29192-1:2012(E)

Information technology — Security techniques — Lightweight
cryptography —
Part 1:
General
1 Scope
This part of ISO/IEC 29192 provides terms and definitions that apply in subsequent parts of ISO/IEC 29192.
This part of ISO/IEC 29192 sets the security requirements, classification requirements and implementation
requirements for mechanisms that are proposed for inclusion in subsequent parts of ISO/IEC 29192.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
chip area
area occupied by a semiconductor circuit
2.2
communication bandwidth
number of bits per second that can be transmitted over a specified communication channel
2.3
energy consumption
power consumption over a certain time period
NOTE In ISO/IEC 29192, energy consumption during the cryptographic process is evaluated. In some constrained
devices the total energy required to perform the cryptographic operation is important, for instance, in RFID and sensors.
2.4
gate equivalent
unit of measure which allows for the specification of the complexity of digital electronic circuits, commonly the
silicon area of a two-input drive-strength-one NAND gate
2.5
latency
delay introduced by the cryptographic mechanism in real-time communication systems
2.6
lightweight cryptography
cryptography tailored for implementation in constrained environments
NOTE The constraints can be aspects such as chip area, energy consumption, memory size, or communication
bandwidth.
© ISO/IEC 2012 – All rights reserved 1

2.7
program code size
size of a cryptographic mechanism code in bytes
2.8
RAM size
size of temporary storage space a cryptographic mechanism requires in random access memory including the
registers in the processor
2.9
security strength
number associated with the amount of work (i.e. the number of operations) that is required to break a
cryptographic algorithm or system
NOTE 1 A security strength of n implies that the required workload of breaking the cryptosystem is equivalent to 2n
executions of the cryptosystem.
NOTE 2 In ISO/IEC 29192, security strength is specified in bits, e.g. 80, 112, 128, 192, and 256.
2.10
short input performance
performance of the cryptographic primitive when processing short messages
2.11
side-channel attack
attack based on information gained from the physical implementation of a cryptosystem, rather than on brute
force or theoretical weaknesses in the underlying algorithms
EXAMPLE Timing information, power consumption, or electromagnetic emissions can provide extra sources of
information and can be exploited to attack the system.
3 Categories of constraints for lightweight cryptography
3.1 Chip area
Where cryptographic mechanisms are implemented in hardware, the actual chip area that the cryptographic
mechanism requires may be constrained in some applications (e.g. RFID tags). For the purposes of this
international standard, the chip area will be measured in gate equivalents.
3.2 Energy consumption
Energy consumption can be constrained in lightweight cryptography applications. Energy consumption is
related to several factors including the processing time, the chip area (when implemented in hardware), the
operating frequency and the number of bits transmitted between entities (in wireless transmissions, in
particular). To minimize energy consumption, all of the related factors should be considered.
3.3 Program code size and RAM size
Program code size (loosely referred to as ROM) and RAM size can be constrained on what are loosely
referred to as low end processors. These processors have simple instruction sets and limited space available
for the program code, as well as limited available space in RAM for computations (e.g. embedded processors)
when compared to general purpose computer processors.
3.4 Communication bandwidth
Communication bandwidth is limited in certain cases with respect to the maximum number of bits that can be
transmitted during a session (e.g. RFID tags). Mechanisms that fall into this category are therefore tailored to
2 © ISO/IEC 2012 – All rights reserved

be more economical with regard to the number of bits that need to be transmitted over the communications
channel when compared to other more generally used cryptographic mechanisms.
3.5 Execution time
For some applications such as contactless cards and RFID, for correct operation the execution time is
constrained by the implementation (e.g. how long the card/token is present in the field). Note that this
constraint typically occurs in applications where the constraints treated in previous subsections also apply.
4 Requirements
4.1 Security requirements
In ISO/IEC 29192, the security strength of a cryptographic mechanism is measured as defined in 2.9. This
notion can be used for different cryptographic mechanisms. Two mechanisms are considered to be of
comparable strength if the amount of work needed to break the mechanisms or determine the keys is
approximately the same using a given resource.
In ISO/IEC 29192, 80-bit security is considered to be the minimum security strength for lightweight
cryptography.
Resistance against side-channel attacks may be important in some applications of lightweight cryptography.
Countermeasures against side-channel analysis often require additional chip area (for hardware targeted
algorithms) or additional program code (for software targeted algorithms). The countermeasures vary
depending on the technology, and the specific side-channel method applicable to a specific implementation.
Side-channel resistance is therefore outside the scope of this international standard.
NOTE Many organisations recommend using cryptographic mechanisms with more than 80-bit security after 2010.
However, there are some lightweight cryptographic applications that may allow lower security requirements, i.e. do not
have to assume all powerful adversaries. In cases where 80-bit keys are used, this implies that less data can be encrypted
safely with a single key before rekeying is re
...