Ascon (cipher)

Ascon
General
Designers	C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer
First published	2014
Cipher detail
Key sizes	up to 128, 128 bits are recommended
Block sizes	up to 128 bits, 128 and 64 bits are recommended
Structure	sponge construction
Rounds	6-8 rounds per input word recommended

Last updated February 28, 2024

Ascon is a family of lightweight authenticated ciphers that had been selected by US National Institute of Standards and Technology (NIST) for future standardization of the lightweight cryptography.^[2]

History

Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University.^[3] The cipher family was chosen as a finalist of the CAESAR Competition ^[3] in February 2019.

NIST had announced its decision on February 7, 2023^[3] with the following intermediate steps that would lead to the eventual standardization:^[2]

Publication of NIST IR 8454 describing the process of evaluation and selection that was used;
Preparation of a new draft for public comments;
Public workshop to be held on June 21-22, 2023.

Design

The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways (as a cipher, hash, or a MAC).^[4] As of February 2023, the Ascon suite contained seven ciphers,^[3] including:^[5]

Ascon-128 and Ascon-128a authenticated ciphers;
Ascon-Hash cryptographic hash;
Ascon-Xof extendable-output function;
Ascon-80pq cipher with an "increased" 160-bit key.

The main components have been borrowed from other designs:^[4]

substitution layer utilizes a modified S-box from the $χ$ function of Keccak;
permutation layer functions are similar to the $\Sigma$ of SHA-2.

Parameterization

The ciphers are parameterizable by the key length k (up to 128 bits), "rate" (block size) r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A (that remains unencrypted). The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits).^[6]

In the CAESAR submission, two sets of parameters were recommended:^[6]

Suggested parameters, bits
Name	k	r	a	b
Ascon-128	128	64	12	6
Ascon-128a	128	128	12	8

Padding

The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of $r$ bits. As an exception, if A is an empty string, there is no padding at all.^[7]

State

The state consists of 320 bits, so the capacity $c=320-r$ .^[8] The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N.^[9]

Transformation

The initial state is transformed by applying $a$ times the transformation function $p$ ( $p^{a}$ ). On encryption, each word of A || P is XORed into the state and the $p$ is applied $b$ times ( $p^{b}$ ). The ciphertext C is contained in the first $r$ bits of the result of the XOR. Decryption is near-identical to encryption.^[8] The final stage that produces the tag T consists of another application of $p^{a}$ ; the special values are XORed into the last $c$ bits after the initialization, the end of A, and before the finalization.^[7]

Transformation $p$ consists of three layers:

$p_{C}$ , XORing the round constants;
$p_{S}$ , application of 5-bit S-boxes;
$p_{L}$ , application of linear diffusion.

Test vectors

Hash values of an empty string (i.e., a zero-length input text) for both the XOF and non-XOF variants.^[10]

Ascon-Hash("") 0x 7346bc14f036e87ae03d0997913088f5f68411434b3cf8b54fa796a80d251f91 Ascon-HashA("") 0x aecd027026d0675f9de7a8ad8ccf512db64b1edcf0b20c388a0c7cc617aaa2c4 Ascon-Xof("", 32) 0x 5d4cbde6350ea4c174bd65b5b332f8408f99740b81aa02735eaefbcf0ba0339e Ascon-XofA("", 32) 0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d

Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect.

Ascon-Hash("The quick brown fox jumps over the lazy dog") 0x 3375fb43372c49cbd48ac5bb6774e7cf5702f537b2cf854628edae1bd280059e Ascon-Hash("The quick brown fox jumps over the lazy dog .") 0x c9744340ed476ac235dd979d12f5010a7523146ee90b57ccc4faeb864efcd048

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, a cipher key made by random number generation is very unlikely to give rise to a security problem. Nevertheless, it is considered desirable for a cipher to have no weak keys. A cipher with no weak keys is said to have a flat, or linear, key space.

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.

In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code (MAC) from a block cipher. The message is encrypted with some block cipher algorithm in cipher block chaining (CBC) mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

In cryptography, key wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as block ciphers and cryptographic hash functions.

<span class="mw-page-title-main">Cryptography</span> Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

The following outline is provided as an overview of and topical guide to cryptography:

<span class="mw-page-title-main">Sponge function</span> Theory of cryptography

In cryptography, a sponge function or sponge construction is any of a class of algorithms with finite internal state that take an input bit stream of any length and produce an output bit stream of any desired length. Sponge functions have both theoretical and practical uses. They can be used to model or implement many cryptographic primitives, including cryptographic hashes, message authentication codes, mask generation functions, stream ciphers, pseudo-random number generators, and authenticated encryption.

Speck is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations. Speck is an add–rotate–xor (ARX) cipher.

Streebog is a cryptographic hash function defined in the Russian national standard GOST R 34.11-2012 Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology. The function is also described in RFC 6986 and one out of hash functions in ISO/IEC 10118-3:2018.

Kupyna is a cryptographic hash function defined in the Ukrainian national standard DSTU 7564:2014. It was created to replace an obsolete GOST hash function defined in the old standard GOST 34.11-95, similar to Streebog hash function standardized in Russia.

ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

QARMA is a lightweight tweakable block cipher primarily known for its use in the ARMv8 architecture for protection of software as a cryptographic hash for the Pointer Authentication Code. The cipher was proposed by Roberto Avanzi in 2016. Two versions of QARMA are defined: QARMA-64 and QARMA-128. The design of the QARMA was influenced by PRINCE and MANTIS. The cipher is intended for fully-unrolled hardware implementations with low latency. Unlike the XTS mode, the address can be directly used as a tweak and does not need to be whitened with the block encryption first.

References

↑ NIST (July 2021). "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process". nist.gov. National Institute of Standards and Technology. p. 6.
1 2 NIST 2023a.
1 2 3 4 NIST 2023b.
1 2 Dobraunig et al. 2016, p. 17.
↑ Dobraunig et al. 2021, pp. 4–5.
1 2 Dobraunig et al. 2016, p. 2.
1 2 Dobraunig et al. 2016, p. 4.
1 2 Dobraunig et al. 2016, p. 3.
↑ Dobraunig et al. 2016, pp. 4–5.
↑ "Ascon Hash Family". hashing.tools.

Sources

NIST (2023a). "Lightweight Cryptography Standardization Process: NIST Selects Ascon". nist.gov. National Institute of Standards and Technology.
NIST (2023b). "NIST Selects 'Lightweight Cryptography' Algorithms to Protect Small Devices". nist.gov. National Institute of Standards and Technology.
Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (2016). "Ascon v1.2: Submission to the CAESAR Competition" (PDF). nist.gov. National Institute of Standards and Technology.
Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (22 June 2021). "Ascon v1.2: Lightweight Authenticated Encryption and Hashing". Journal of Cryptology . 34 (3). doi: 10.1007/s00145-021-09398-9 . eISSN 1432-1378. ISSN 0933-2790. S2CID 253633576.

External links

TU Graz. "Ascon: Publications". tugraz.at.

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] NIST (July 2021). "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process". nist.gov. National Institute of Standards and Technology. p. 6.

[FOOTNOTENIST2023a-2] 1 2 NIST 2023a.

[FOOTNOTENIST2023b-3] 1 2 3 4 NIST 2023b.

[FOOTNOTEDobraunigEichlsederMendelSchläffer201617-4] 1 2 Dobraunig et al. 2016, p. 17.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20214–5-5] Dobraunig et al. 2021, pp. 4–5.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20162-6] 1 2 Dobraunig et al. 2016, p. 2.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20164-7] 1 2 Dobraunig et al. 2016, p. 4.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20163-8] 1 2 Dobraunig et al. 2016, p. 3.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20164–5-9] Dobraunig et al. 2016, pp. 4–5.

[10] "Ascon Hash Family". hashing.tools.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]