Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 History 2 Design 2.1 Parameterization 2.2 Padding 2.3 State 2.4 Transformation 3 Test vectors 4 See also 5 References 6 Sources 7 External links

Ascon (cipher)

●Deutsch Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

Ascon
General
Designers	C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer^[1]
First published	2014
Cipher detail
Key sizes	up to 128, 128 bits are recommended
Block sizes	up to 128 bits, 128 and 64 bits are recommended
Structure	sponge construction
Rounds	6-8 rounds per input word recommended

Ascon is a family of lightweight authenticated ciphers that had been selected by US National Institute of Standards and Technology (NIST) for future standardization of the lightweight cryptography.^[2]

History

[edit]

Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University.^[3] The cipher family was chosen as a finalist of the CAESAR Competition^[3] in February 2019.

NIST had announced its decision on February 7, 2023^[3] with the following intermediate steps that would lead to the eventual standardization:^[2]

Publication of NIST IR 8454 describing the process of evaluation and selection that was used;
Preparation of a new draft for public comments;
Public workshop to be held on June 21-22, 2023.

Design

[edit]

The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways (as a cipher, hash, or a MAC).^[4] As of February 2023, the Ascon suite contained seven ciphers,^[3] including:^[5]

Ascon-128 and Ascon-128a authenticated ciphers;
Ascon-Hash cryptographic hash;
Ascon-Xof extendable-output function;
Ascon-80pq cipher with an "increased" 160-bit key.

The main components have been borrowed from other designs:^[4]

substitution layer utilizes a modified S-box from the $χ$ function of Keccak;
permutation layer functions are similar to the $\Sigma$ ofSHA-2.

Parameterization

[edit]

The ciphers are parameterizable by the key length k (up to 128 bits), "rate" (block size) r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A (that remains unencrypted). The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits).^[6]

In the CAESAR submission, two sets of parameters were recommended:^[6]

Suggested parameters, bits
Name	k	r	a	b
Ascon-128	128	64	12	6
Ascon-128a	128	128	12	8

Padding

[edit]

The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of $r$ bits. As an exception, if A is an empty string, there is no padding at all.^[7]

State

[edit]

The state consists of 320 bits, so the capacity $c=320-r$ .^[8] The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N.^[9]

Transformation

[edit]

The initial state is transformed by applying $a$ times the transformation function $p$ ( $p^{a}$ ). On encryption, each word of A || P is XORed into the state and the $p$ is applied $b$ times ( $p^{b}$ ). The ciphertext C is contained in the first $r$ bits of the result of the XOR. Decryption is near-identical to encryption.^[8] The final stage that produces the tag T consists of another application of $p^{a}$ ; the special values are XORed into the last $c$ bits after the initialization, the end of A, and before the finalization.^[7]

Transformation $p$ consists of three layers:

$p_{C}$ , XORing the round constants;
$p_{S}$ , application of 5-bit S-boxes;
$p_{L}$ , application of linear diffusion.

Test vectors

[edit]

Hash values of an empty string (i.e., a zero-length input text) for both the XOF and non-XOF variants.^[10]

Ascon-Hash("")
0x 7346bc14f036e87ae03d0997913088f5f68411434b3cf8b54fa796a80d251f91
Ascon-HashA("")
0x aecd027026d0675f9de7a8ad8ccf512db64b1edcf0b20c388a0c7cc617aaa2c4
Ascon-Xof("", 32)
0x 5d4cbde6350ea4c174bd65b5b332f8408f99740b81aa02735eaefbcf0ba0339e
Ascon-XofA("", 32)
0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d

Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect.

Ascon-Hash("The quick brown fox jumps over the lazy dog")
0x 3375fb43372c49cbd48ac5bb6774e7cf5702f537b2cf854628edae1bd280059e
Ascon-Hash("The quick brown fox jumps over the lazy dog.")
0x c9744340ed476ac235dd979d12f5010a7523146ee90b57ccc4faeb864efcd048

References

[edit]

^ NIST (July 2021). "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process". nist.gov. National Institute of Standards and Technology. p. 6.

^ ^a ^b NIST 2023a.

^ ^a ^b ^c ^d NIST 2023b.

^ ^a ^b Dobraunig et al. 2016, p. 17.

^ Dobraunig et al. 2021, pp. 4–5.

^ ^a ^b Dobraunig et al. 2016, p. 2.

^ ^a ^b Dobraunig et al. 2016, p. 4.

^ ^a ^b Dobraunig et al. 2016, p. 3.

^ Dobraunig et al. 2016, pp. 4–5.

^ "Ascon Hash Family". hashing.tools.

Sources

[edit]

NIST (2023a). "Lightweight Cryptography Standardization Process: NIST Selects Ascon". nist.gov. National Institute of Standards and Technology.
NIST (2023b). "NIST Selects 'Lightweight Cryptography' Algorithms to Protect Small Devices". nist.gov. National Institute of Standards and Technology.
Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (2016). "Ascon v1.2: Submission to the CAESAR Competition" (PDF). nist.gov. National Institute of Standards and Technology.
Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (22 June 2021). "Ascon v1.2: Lightweight Authenticated Encryption and Hashing". Journal of Cryptology. 34 (3). doi:10.1007/s00145-021-09398-9. eISSN 1432-1378. hdl:2066/235128. ISSN 0933-2790. S2CID 253633576.

External links

[edit]

TU Graz. "Ascon: Publications". tugraz.at.

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics, Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

Cryptography

General

Mathematics

Category

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Ascon_(cipher)&oldid=1221139744" Categories: ●Block ciphers ●Authenticated-encryption schemes ●Extendable-output functions ●Cryptographic hash functions ●Cryptography stubs Hidden categories: ●Articles with short description ●Short description matches Wikidata ●All stub articles ●This page was last edited on 28 April 2024, at 03:29 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view