Ascon (cipher)

For other uses, see Ascon.

Ascon

General
Designers	C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer [1]
First published	2014
Cipher detail
Key sizes	up to 128, 128 bits are recommended
Block sizes	up to 128 bits, 128 and 64 bits are recommended
Structure	sponge construction
Rounds	6–8 rounds per input word recommended

Ascon is a family of lightweight authenticated ciphers and hash functions that have been selected by the U.S. National Institute of Standards and Technology (NIST) for cryptography on resource-constrained devices in 2025, specified in NIST SP 800-232. ^{[2] [3] [4]}

History

Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University. ^[5] The cipher family was chosen as a finalist of the CAESAR Competition ^[5] in February 2019.

NIST announced its decision on February 7, 2023 ^[5] with the following steps that lead to its standardization: ^[2]

• Publication of NIST IR 8454 ^[6] describing the process of evaluation and selection that was used;
• Preparation of a new draft ^[7] for public comments ^[8] ;
• Public workshop held on June 21–22, 2023.

NIST finalized the standard on August 13, 2025, releasing it as "Ascon-Based Lightweight Cryptography Standards for Constrained Devices" (NIST Special Publication 800-232). [9]

Design

The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways (as a cipher, hash, or a MAC). ^[10] As of February 2023, the Ascon suite contained seven ciphers, ^[5] including: ^[11]

• Ascon-128 and Ascon-128a authenticated ciphers;
• Ascon-Hash cryptographic hash;
• Ascon-Xof extendable-output function;
• Ascon-80pq cipher with an "increased" 160-bit key.

The main components have been borrowed from other designs: ^[10]

• substitution layer utilizes a modified S-box from the χ function of Keccak;
• permutation layer functions are similar to the ${\displaystyle \Sigma }$ of SHA-2.

Parameterization

The ciphers are parameterizable by the key length k (up to 128 bits), "rate" (block size) r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A (that remains unencrypted). The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits). ^[12]

In the CAESAR submission, two sets of parameters were recommended: ^[12]

Suggested parameters, bits

Name	k	r	a	b
Ascon-128	128	64	12	6
Ascon-128a	128	128	12	8

Padding

The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of r bits. As an exception, if A is an empty string, there is no padding at all. ^[13]

State

The state consists of 320 bits, so the capacity ${\displaystyle c=320-r}$. ^[14] The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N. ^[15]

Transformation

The initial state is transformed by applying a times the transformation function p (${\displaystyle p^{a}}$). On encryption, each word of A || P is XORed into the state and the p is applied b times (${\displaystyle p^{b}}$). The ciphertext C is contained in the first r bits of the result of the XOR. Decryption is near-identical to encryption. ^[14] The final stage that produces the tag T consists of another application of ${\displaystyle p^{a}}$; the special values are XORed into the last c bits after the initialization, the end of A, and before the finalization. ^[13]

Transformation p consists of three layers:

• ${\displaystyle p_{C}}$, XORing the round constants;
• ${\displaystyle p_{S}}$, application of 5-bit S-boxes;
• ${\displaystyle p_{L}}$, application of linear diffusion.

Test vectors

Hash values of an empty string (i.e., a zero-length input text) for both the XOF and non-XOF variants. ^[16]

Ascon-Hash("") 0x 7346bc14f036e87ae03d0997913088f5f68411434b3cf8b54fa796a80d251f91 Ascon-HashA("") 0x aecd027026d0675f9de7a8ad8ccf512db64b1edcf0b20c388a0c7cc617aaa2c4 Ascon-Xof("", 32) 0x 5d4cbde6350ea4c174bd65b5b332f8408f99740b81aa02735eaefbcf0ba0339e Ascon-XofA("", 32) 0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d

Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect.

Ascon-Hash("The quick brown fox jumps over the lazy dog") 0x 3375fb43372c49cbd48ac5bb6774e7cf5702f537b2cf854628edae1bd280059e Ascon-Hash("The quick brown fox jumps over the lazy dog .") 0x c9744340ed476ac235dd979d12f5010a7523146ee90b57ccc4faeb864efcd048

See also

• CAESAR Competition
• Simon and Speck, earlier lightweight cipher families released by the U.S. National Security Agency

References

1. NIST (July 2021). "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process". nist.gov. National Institute of Standards and Technology. p. 6.
2. NIST 2023a.
3. "NIST Finalizes 'Lightweight Cryptography' Standard to Protect Small Devices". NIST. 2025-08-13.
4. Sönmez Turan, Meltem; McKay, Kerry; Chang, Donghoon; Kang, Jinkeon; Kelsey, John (2024-11-08). Ascon-Based Lightweight Cryptography Standards for Constrained Devices: Authenticated Encryption, Hash, and Extendable Output Functions (Report). National Institute of Standards and Technology.
5. NIST 2023b.
6. Computer Security Division, Information Technology Laboratory (2023-06-16). "NIST IR 8454: Status Report of Lightweight Cryptography Final Round | CSRC". CSRC | NIST. Retrieved 2025-08-13.
7. Computer Security Division, Information Technology Laboratory (2024-11-06). "NIST Invites Public Comments on SP 800-232 | CSRC". CSRC | NIST. Retrieved 2025-08-13.
8. "Compilation of Public Comments on SP 800" (PDF). Archived (PDF) from the original on 2025-04-03.
9. "Ascon-Based Lightweight Cryptography Standards for Constrained Devices: Authenticated Encryption, Hash, and Extendable Output Functions". National Institute of Standards and Technology . 2025-08-13. doi:10.6028/NIST.SP.800-232 . Retrieved 2025-08-23.
10. Dobraunig et al. 2016, p. 17.
11. Dobraunig et al. 2021, pp. 4–5.
12. Dobraunig et al. 2016, p. 2.
13. Dobraunig et al. 2016, p. 4.
14. Dobraunig et al. 2016, p. 3.
15. Dobraunig et al. 2016, pp. 4–5.
16. "Ascon Hash Family". hashing.tools.

Sources

• NIST (SP 800-232), "Ascon-Based Lightweight Cryptography Standards for Constrained Devices: Authenticated Encryption, Hash, and Extendable Output Functions" , nist.gov, National Institute of Standards and Technology
• NIST (2023a). "Lightweight Cryptography Standardization Process: NIST Selects Ascon". nist.gov. National Institute of Standards and Technology.
• NIST (2023b). "NIST Selects 'Lightweight Cryptography' Algorithms to Protect Small Devices". nist.gov. National Institute of Standards and Technology.
• Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (2016). "Ascon v1.2: Submission to the CAESAR Competition" (PDF). nist.gov. National Institute of Standards and Technology.
• Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (22 June 2021). "Ascon v1.2: Lightweight Authenticated Encryption and Hashing". Journal of Cryptology . 34 (3) 33. doi: 10.1007/s00145-021-09398-9 . eISSN   1432-1378. hdl: 2066/235128 . ISSN   0933-2790. S2CID   253633576.

External links

• TU Graz. "Ascon: Publications". tugraz.at.
• Ascon Demo in Excel Example implementation and demonstration in Excel (without macros) by Tim Wambach