Ascon (cipher)
In-game article clicks load inline without leaving the challenge.
Ascon is a family of lightweight authenticated ciphers and hash functions that have been selected by the U.S. National Institute of Standards and Technology (NIST) for cryptography on resource-constrained devices in 2025, specified in NIST SP 800-232.
History
Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University. The cipher family was chosen as a finalist of the CAESAR Competition in February 2019.
NIST announced its decision on February 7, 2023 with the following steps that lead to its standardization:
- Publication of NIST IR 8454 describing the process of evaluation and selection that was used;
- Preparation of a new draft for public comments;
- Public workshop held on June 21–22, 2023.
NIST finalized the standard on August 13, 2025, releasing it as "Ascon-Based Lightweight Cryptography Standards for Constrained Devices" (NIST Special Publication 800-232).
Design
The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways (as a cipher, hash, or a MAC). As of February 2023, the Ascon suite contained seven ciphers, including:
- Ascon-128 and Ascon-128a authenticated ciphers;
- Ascon-Hash cryptographic hash;
- Ascon-Xof extendable-output function;
- Ascon-80pq cipher with an "increased" 160-bit key.
The main components have been borrowed from other designs:
- substitution layer utilizes a modified S-box from the χ function of Keccak;
- permutation layer functions are similar to the Σ {\displaystyle \Sigma } of SHA-2.
Parameterization
The ciphers are parameterizable by the key length k (up to 128 bits), "rate" (block size) r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A (that remains unencrypted). The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits).
In the CAESAR submission, two sets of parameters were recommended:
| Name | k | r | a | b |
|---|---|---|---|---|
| Ascon-128 | 128 | 64 | 12 | 6 |
| Ascon-128a | 128 | 128 | 12 | 8 |
Padding
The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of r bits. As an exception, if A is an empty string, there is no padding at all.
State
The state consists of 320 bits, so the capacity c = 320 − r {\displaystyle c=320-r}. The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N.
Transformation
The initial state is transformed by applying a times the transformation function p (p a {\displaystyle p^{a}}). On encryption, each word of A || P is XORed into the state and the p is applied b times (p b {\displaystyle p^{b}}). The ciphertext C is contained in the first r bits of the result of the XOR. Decryption is near-identical to encryption. The final stage that produces the tag T consists of another application of p a {\displaystyle p^{a}}; the special values are XORed into the last c bits after the initialization, the end of A, and before the finalization.
Transformation p consists of three layers:
- p C {\displaystyle p_{C}}, XORing the round constants;
- p S {\displaystyle p_{S}}, application of 5-bit S-boxes;
- p L {\displaystyle p_{L}}, application of linear diffusion.
Test vectors
Hash values of an empty string (i.e., a zero-length input text) for both the XOF and non-XOF variants.
Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect.
See also
- CAESAR Competition
- Simon and Speck, earlier lightweight cipher families released by the U.S. National Security Agency
Sources
- NIST (SP 800-232), , nist.gov, National Institute of Standards and Technology
- NIST (2023a). . nist.gov. National Institute of Standards and Technology.
- NIST (2023b). . nist.gov. National Institute of Standards and Technology.
- Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (2016). (PDF). nist.gov. National Institute of Standards and Technology.
- Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (22 June 2021). . Journal of Cryptology. 34 (3) 33. doi:. eISSN . hdl:. ISSN . S2CID .
External links
- TU Graz. . tugraz.at.
- Example implementation and demonstration in Excel (without macros) by Tim Wambach