Ascon (cipher)

Ascon
General
Designers	C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer
Rounds	6-8 rounds per input word recommended

Ascon is a family of

authenticated ciphers that had been selected by US National Institute of Standards and Technology (NIST) for future standardization of the lightweight cryptography.^[2]

History

Ascon was developed in 2014 by a team of researchers from

Radboud University.^[3] The cipher family was chosen as a finalist of the CAESAR Competition^[3]

in February 2019.

NIST had announced its decision on February 7, 2023 [3] with the following intermediate steps that would lead to the eventual standardization:^[2]

Publication of NIST IR 8454 describing the process of evaluation and selection that was used;
Preparation of a new draft for public comments;
Public workshop to be held on June 21-22, 2023.

Design

The design is based on a

hash, or a MAC).^[4] As of February 2023, the Ascon suite contained seven ciphers,^[3] including:^[5]

Ascon-128 and Ascon-128a authenticated ciphers;

Ascon-Hash cryptographic hash;

Ascon-Xof extendable-output function;
Ascon-80pq cipher with an "increased" 160-bit key.

The main components have been borrowed from other designs:^[4]

substitution layer utilizes a modified
Keccak
;
permutation layer functions are similar to the $\Sigma$ of SHA-2.

Parameterization

The ciphers are parameterizable by the

authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits).^[6]

In the CAESAR submission, two sets of parameters were recommended:[6]

Suggested parameters, bits
Name	k	r	a	b
Ascon-128	128	64	12	6
Ascon-128a	128	128	12	8

Padding

The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of $r$ bits. As an exception, if A is an empty string, there is no padding at all.^[7]

State

The state consists of 320 bits, so the capacity $c=320-r$ .^[8] The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N.^[9]

Transformation

The initial state is transformed by applying $a$ times the transformation function $p$ ( $p^{a}$ ). On encryption, each word of A || P is XORed into the state and the $p$ is applied $b$ times ( $p^{b}$ ). The ciphertext C is contained in the first $r$ bits of the result of the XOR. Decryption is near-identical to encryption.^[8] The final stage that produces the tag T consists of another application of $p^{a}$ ; the special values are XORed into the last $c$ bits after the initialization, the end of A, and before the finalization.^[7]

Transformation $p$ consists of three layers:

$p_{C}$ , XORing the
round constants
;
$p_{S}$ , application of 5-bit S-boxes;
$p_{L}$ , application of
linear diffusion
.

Test vectors

Hash values of an empty string (i.e., a zero-length input text) for both the XOF and non-XOF variants.^[10]

Ascon-Hash("")
0x 7346bc14f036e87ae03d0997913088f5f68411434b3cf8b54fa796a80d251f91
Ascon-HashA("")
0x aecd027026d0675f9de7a8ad8ccf512db64b1edcf0b20c388a0c7cc617aaa2c4
Ascon-Xof("", 32)
0x 5d4cbde6350ea4c174bd65b5b332f8408f99740b81aa02735eaefbcf0ba0339e
Ascon-XofA("", 32)
0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d

Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect.

Ascon-Hash("The quick brown fox jumps over the lazy dog")
0x 3375fb43372c49cbd48ac5bb6774e7cf5702f537b2cf854628edae1bd280059e
Ascon-Hash("The quick brown fox jumps over the lazy dog.")
0x c9744340ed476ac235dd979d12f5010a7523146ee90b57ccc4faeb864efcd048

References

^ NIST (July 2021). "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process". nist.gov. National Institute of Standards and Technology. p. 6.
^ ^a ^b NIST 2023a.
^ ^a ^b ^c ^d NIST 2023b.
^ ^a ^b Dobraunig et al. 2016, p. 17.
^ Dobraunig et al. 2021, pp. 4–5.
^ ^a ^b Dobraunig et al. 2016, p. 2.
^ ^a ^b Dobraunig et al. 2016, p. 4.
^ ^a ^b Dobraunig et al. 2016, p. 3.
^ Dobraunig et al. 2016, pp. 4–5.
^ "Ascon Hash Family". hashing.tools.

Sources

NIST (2023a). "Lightweight Cryptography Standardization Process: NIST Selects Ascon". nist.gov. National Institute of Standards and Technology.
NIST (2023b). "NIST Selects 'Lightweight Cryptography' Algorithms to Protect Small Devices". nist.gov. National Institute of Standards and Technology.
Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (2016). "Ascon v1.2: Submission to the CAESAR Competition" (PDF). nist.gov. National Institute of Standards and Technology.
Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (22 June 2021). "Ascon v1.2: Lightweight Authenticated Encryption and Hashing". S2CID 253633576
.

External links

TU Graz. "Ascon: Publications". tugraz.at.

v
t
e
Block ciphers (security summary)
Common
algorithms

AES

Blowfish

DES (internal mechanics, Triple DES)

Serpent

SM4

Twofish

Less common
algorithms

ARIA

Camellia

CAST-128

GOST

IDEA

LEA

RC5

RC6

SEED

Skipjack

TEA

XTEA

Other
algorithms

3-Way

Adiantum

Akelarre

Anubis

Ascon

BaseKing

BassOmatic

BATON

BEAR and LION

CAST-256

Chiasmus

CIKS-1

CIPHERUNICORN-A

CIPHERUNICORN-E

CLEFIA

CMEA

Cobra

COCONUT98

Crab

Cryptomeria/C2

CRYPTON

CS-Cipher

DEAL

DES-X

DFC

E2

FEAL

FEA-M

FROG

G-DES

Grand Cru

Hasty Pudding cipher

Hierocrypt

ICE

IDEA NXT

Intel Cascade Cipher

Iraqi

Kalyna

KASUMI

KeeLoq

KHAZAD

Khufu and Khafre

KN-Cipher

Kuznyechik

Ladder-DES

LOKI (97, 89/91)

Lucifer

M6

M8

MacGuffin

Madryga

MAGENTA

MARS

Mercy

MESH

MISTY1

MMB

MULTI2

MultiSwap

New Data Seal

NewDES

Nimbus

NOEKEON

NUSH

PRESENT

Prince

Q

RC2

REDOC

Red Pike

S-1

SAFER

SAVILLE

SC2000

SHACAL

SHARK

Simon

Speck

Spectr-H64

Square

SXAL/MBAL

Threefish

Treyfer

UES

xmx

XXTEA

Zodiac

Design

Feistel network

Key schedule

Lai–Massey scheme

Product cipher

S-box

P-box

SPN

Confusion and diffusion

Round

Avalanche effect

Block size

Key size

Key whitening (Whitening transformation)

Attack
(cryptanalysis)

Brute-force (EFF DES cracker)

MITM
Biclique attack

3-subset MITM attack

Linear (Piling-up lemma)

Differential
Impossible

Truncated

Higher-order

Differential-linear

Distinguishing (Known-key)

Integral/Square

Boomerang

Mod n

Related-key

Slide

Rotational

Side-channel
Timing

Power-monitoring

Electromagnetic

Acoustic

Differential-fault

XSL

Interpolation

Partitioning

Rubber-hose

Black-bag

Davies

Rebound

Weak key

Tau

Chi-square

Time/memory/data tradeoff

Standardization

AES process

CRYPTREC

NESSIE

Utilization

Initialization vector

Mode of operation

Padding

v
t
e
Cryptography
General

History of cryptography

Outline of cryptography

Cryptographic protocol
Authentication protocol

Cryptographic primitive

Cryptanalysis

Cryptocurrency

Cryptosystem

Cryptographic nonce

Cryptovirology

Hash function
Cryptographic hash function

Key derivation function

Digital signature

Kleptography

Key (cryptography)

Key exchange

Key generator

Key schedule

Key stretching

Keygen

Cryptojacking malware

Ransomware

Random number generation
Cryptographically secure pseudorandom number generator (CSPRNG)

Pseudorandom noise (PRN)

Secure channel

Insecure channel

Subliminal channel

Encryption

Decryption

End-to-end encryption

Harvest now, decrypt later

Information-theoretic security

Plaintext

Codetext

Ciphertext

Shared secret

Trapdoor function

Trusted timestamping

Key-based routing

Onion routing

Garlic routing

Kademlia

Mix network

Mathematics

Cryptographic hash function

Block cipher

Stream cipher

Symmetric-key algorithm

Authenticated encryption

Public-key cryptography

Quantum key distribution

Quantum cryptography

Post-quantum cryptography

Message authentication code

Random numbers

Steganography

Category

This cryptography-related article is a stub. You can help Wikipedia by expanding it.
v
t
e

Retrieved from "https://en.wikipedia.org/w/index.php?title=Ascon_(cipher)&oldid=1221139744"

[1] NIST (July 2021). "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process". nist.gov. National Institute of Standards and Technology. p. 6.

[FOOTNOTENIST2023a-2] NIST 2023a.

[FOOTNOTENIST2023b-3] NIST 2023b.

[FOOTNOTEDobraunigEichlsederMendelSchläffer201617-4] Dobraunig et al. 2016, p. 17.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20214–5-5] Dobraunig et al. 2021, pp. 4–5.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20162-6] Dobraunig et al. 2016, p. 2.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20164-7] Dobraunig et al. 2016, p. 4.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20163-8] Dobraunig et al. 2016, p. 3.

[FOOTNOTEDobraunigEichlsederMendelSchläffer20164–5-9] Dobraunig et al. 2016, pp. 4–5.

[10] "Ascon Hash Family". hashing.tools.

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]