Ascon

Specification

The Ascon family is specified in the following documents:

Journal of Cryptology article: Ascon v1.2 (authenticated encryption and hash)
NIST submission: Ascon v1.2 (authenticated encryption and hash)
CAESAR submission: Ascon v1.2 (authenticated encryption)

Ascon's Permutation

All Ascon family members use the same lightweight permutation. This permutation iteratively applies an SPN-based round transformation a = 12 times (for p^a ) or b ∈ {6, 8} times (for p^b ). The round transformation consists of the following three steps which operate on a 320-bit state divided into 5 words x₀, x₁, x₂, x₃, x₄ of 64 bits each:

Addition of Round Constants: xors a round specific 1-byte constant to word x₂.
Nonlinear Substitution Layer: applies a 5-bit S-box 64 times in parallel in a bit-sliced fashion (vertically, across words).
Linear Diffusion Layer: xors different rotated copies of each word (horizontally, within each word).

Ascon 5-bit sbox — Ascon's S-box [tex] [C instructions]

x₀ := x₀ ⊕ (x₀ ⋙ 19) ⊕ (x₀ ⋙ 28)
x₁ := x₁ ⊕ (x₁ ⋙ 61) ⊕ (x₁ ⋙ 39)
x₂ := x₂ ⊕ (x₂ ⋙ 1) ⊕ (x₂ ⋙ 6)
x₃ := x₃ ⊕ (x₃ ⋙ 10) ⊕ (x₃ ⋙ 17)
x₄ := x₄ ⊕ (x₄ ⋙ 7) ⊕ (x₄ ⋙ 41)

Ascon's linear layer

Ascon's permutation: ⊕ denotes xor, ⊙ denotes and, ⋙ is rotation to the right.

Ascon's Authenticated Encryption Modes

Ascon uses a duplex-sponge-based mode of operation for authenticated encryption. The recommended key, tag and nonce length is 128 bits. The sponge operates on a state of 320 bits, with message blocks of 64 or 128 bits. The encryption process is split into four phases:

Initialization: initializes the state with the key K and nonce N.
Associated Data Processing: updates the state with associated data blocks A_i .
Plaintext Processing: injects plaintext blocks P_i into the state and extracts ciphertext blocks C_i .
Finalization: injects the key K again and extracts the tag T for authentication.

Ascon's duplex sponge mode for authenticated encryption — The duplex sponge mode for Ascon authenticated encryption [tex]

After each injected block (except the last plaintext block), the core permutation p^b is applied to the complete state. During initialization and finalization, a stronger permutation p^a with more rounds is used. The numbers of rounds a and b, as well as the sponge's rate and capacity, depend on the Ascon variant. The recommended parameters are:

Recommended parameters for Ascon authenticated encryption
Cipher	Bit size of					Rounds
Cipher	key	nonce	tag	rate	capacity	p^a	p^b
Ascon-128	128	128	128	64	256	12	6
Ascon-128a	128	128	128	128	192	12	8

Ascon's Hashing Modes

The Ascon family includes the hash functions Ascon-Hash and Ascon-Hasha as well as the extendable output functions Ascon-Xof and Ascon-Xofa with sponge-based modes of operation. Both provide 128-bit security with a hash size of at least 256 bits. The hashing modes use the same lightweight 320-bit permutation as the authenticated encryption modes.

Ascon's sponge mode for hashing — The sponge mode for Ascon hashing [tex]

The hashing modes absorb the message M in 64-bit blocks M_i and finally squeeze the hash value H in 64-bit blocks H_i . After each absorbed or squeezed block except the last, the b-round permutation p^b is applied to the state. The full a-round permutation p^a is applied in the initialization and finalization, after the last message block:

Recommended parameters for Ascon hashing
Algorithm	Bit size of			Rounds
Algorithm	hash output	rate	capacity	p^a	p^b
Ascon-Hash	256	64	256	12	12
Ascon-Xof	arbitrary	64	256	12	12
Ascon-Hasha	256	64	256	12	8
Ascon-Xofa	arbitrary	64	256	12	8

For details such as the IV and round constant values, padding rules or the (almost identical) decryption mode, please refer to the latest Ascon submission document.