[Paper Review] Time-Complexity Characterization of NIST Lightweight Cryptography Finalists
The paper develops a symbolic three-phase time-complexity model to derive and compare expressions for the ten NIST LWC finalists, clarifying how design choices affect scaling on constrained devices.
Lightweight cryptography is becoming essential as emerging technologies in digital identity systems and Internet of Things verification continue to demand strong cryptographic assurance on devices with limited processing power, memory, and energy resources. As these technologies move into routine use, they demand cryptographic primitives that maintain strong security and deliver predictable performance through clear theoretical models of time complexity. Although NIST's lightweight cryptography project provides empirical evaluations of the ten finalist algorithms, a unified theoretical understanding of their time-complexity behavior remains absent. This work introduces a symbolic model that decomposes each scheme into initialization, data-processing, and finalization phases, enabling formal time-complexity derivation for all ten finalists. The results clarify how design parameters shape computational scaling on constrained mobile and embedded environments. The framework provides a foundation needed to distinguish algorithmic efficiency and guides the choice of primitives capable of supporting security systems in constrained environments.
Motivation & Objective
- Introduce a unified symbolic time-complexity framework for NIST LWC finalists.
- Decompose each algorithm into initialization, data processing, and finalization phases.
- Derive symbolic time-complexity expressions for encryption and decryption across finalists.
- Compare how design choices affect scaling on resource-constrained platforms.
- Provide insights to guide deployment decisions in constrained environments.
Proposed method
- Model total time as T_total = T_init + T_process + T_finalize.
- Derive T_init = c_k + c_n for key/nonce setup.
- Decompose T_process into T_A and T_M with associated parameters (a, m, T_p, c_A, c_M).
- Specify T_finalize = c_f for constant tag computation (or other finalization costs).
- Apply the framework to the ten finalists and categorize by construction (permutation-based, block-cipher based, stream, hybrid).
- Present symbolic expressions and discuss scaling behavior with respect to input lengths and design parameters (b, r, n, P, d).
Experimental results
Research questions
- RQ1What are the symbolic time-complexity expressions for encryption and decryption of each finalist?
- RQ2How do initialization, processing, and finalization contribute to overall complexity across designs?
- RQ3Which finalists exhibit linear, simplest, or more complex scaling with input lengths?
- RQ4How do design choices (permutation-based, block-cipher, stream, hybrid) influence computational cost on constrained devices?
Key findings
- Time complexities scale linearly with input lengths, with coefficients determined by state size, permutation design, and mode of operation.
- GIFT-COFB achieves notably simple linear scaling O(ell_A + ell_M).
- Grain-128AEAD and ISAP exhibit linear scaling with O(|M|+|AD|) and O(|A|+|M|) respectively.
- SPARKLE includes additional terms such as d/r and constant 2b, reflecting enhanced functionality.
- Ascon and Xoodyak (permutation-based designs) show permutation-dominated costs in their complexity expressions.
- Block-cipher-based designs (Romulus-N, TinyJambu) reflect their cipher invocation costs and block-size effects.
- Grain-128AEAD (stream cipher) scales with bit counts |M| and |AD|, avoiding padding overhead.
- ISAP (hybrid) combines sponge-based encryption with linear scaling similar to GIFT-COFB.
Better researchstarts right now
From paper design to paper writing, dramatically reduce your research time.
No credit card · Free plan available
This review was created by AI and reviewed by human editors.