Ascon (cipher) 📖 Wikipedia

Ascon is a family of lightweight authenticated ciphers and hash functions that have been selected by the U.S. National Institute of Standards and Technology (NIST) for cryptography on resource-constrained devices in 2025, specified in NIST SP 800-232.^[2][3][4]

Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University.^[5] The cipher family was chosen as a finalist of the CAESAR Competition^[5] in February 2019.

NIST announced its decision on February 7, 2023^[5] with the following steps that lead to its standardization:^[2]

• Publication of NIST IR 8454^[6] describing the process of evaluation and selection that was used;
• Preparation of a new draft^[7] for public comments^[8];
• Public workshop held on June 21–22, 2023.[1]

NIST finalized the standard on August 13, 2025, releasing it as "Ascon-Based Lightweight Cryptography Standards for Constrained Devices" (NIST Special Publication 800-232).^[9]

The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways (as a cipher, hash, or a MAC).^[10] As of February 2023, the Ascon suite contained seven ciphers,^[5] including:^[11]

• Ascon-128 and Ascon-128a authenticated ciphers;
• Ascon-Hash cryptographic hash;
• Ascon-Xof extendable-output function;
• Ascon-80pq cipher with an "increased" 160-bit key.

The main components have been borrowed from other designs:^[10]

• substitution layer utilizes a modified S-box from the χ function of Keccak;
• permutation layer functions are similar to the ${\displaystyle \Sigma }$ of SHA-2.

The ciphers are parameterizable by the key length k (up to 128 bits), "rate" (block size) r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A (that remains unencrypted). The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits).^[12]

In the CAESAR submission, two sets of parameters were recommended:^[12]

The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of r bits. As an exception, if A is an empty string, there is no padding at all.^[13]

The state consists of 320 bits, so the capacity ${\displaystyle c=320-r}$.^[14] The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N.^[15]

The initial state is transformed by applying a times the transformation function p (${\displaystyle p^{a}}$). On encryption, each word of A || P is XORed into the state and the p is applied b times (${\displaystyle p^{b}}$). The ciphertext C is contained in the first r bits of the result of the XOR. Decryption is near-identical to encryption.^[14] The final stage that produces the tag T consists of another application of ${\displaystyle p^{a}}$; the special values are XORed into the last c bits after the initialization, the end of A, and before the finalization.^[13]

Transformation p consists of three layers:

• ${\displaystyle p_{C}}$, XORing the round constants;
• ${\displaystyle p_{S}}$, application of 5-bit S-boxes;
• ${\displaystyle p_{L}}$, application of linear diffusion.

• CAESAR Competition
• Simon and Speck, earlier lightweight cipher families released by the U.S. National Security Agency

• NIST (SP 800-232), "Ascon-Based Lightweight Cryptography Standards for Constrained Devices: Authenticated Encryption, Hash, and Extendable Output Functions" , nist.gov, National Institute of Standards and Technology
• NIST (2023a). "Lightweight Cryptography Standardization Process: NIST Selects Ascon". nist.gov. National Institute of Standards and Technology.
• NIST (2023b). "NIST Selects 'Lightweight Cryptography' Algorithms to Protect Small Devices". nist.gov. National Institute of Standards and Technology.
• Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (2016). "Ascon v1.2: Submission to the CAESAR Competition" (PDF). nist.gov. National Institute of Standards and Technology.
• Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (22 June 2021). "Ascon v1.2: Lightweight Authenticated Encryption and Hashing". Journal of Cryptology. 34 (3) 33. doi:10.1007/s00145-021-09398-9. eISSN 1432-1378. hdl:2066/235128. ISSN 0933-2790. S2CID 253633576.

• TU Graz. "Ascon: Publications". tugraz.at.
• Ascon Demo in Excel Example implementation and demonstration in Excel (without macros) by Tim Wambach

This cryptography-related article is a stub. You can help Wikipedia by adding missing information.

• v
• t
• e