Lightweight Authenticated Encryption & Hashing

Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight and easy to implement, even with added countermeasures against side-channel attacks. Ascon has been selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition (2014–2019) and is currently competing as a finalist in the NIST Lightweight Cryptography competition (2019–).


  • Authenticated encryption and hashing (fixed or variable output length) with a single lightweight permutation
  • Sponge-based modes of operation with a custom-tailored SPN permutation
  • Provably secure mode with keyed finalization for additional robustness
  • Easy to implement in software and hardware
  • Lightweight for constrained devices: small state, simple permutation, robust mode
  • Fast in hardware
  • Fast in software: Pipelinable, bit-sliced 5-bit S-box for 64-bit architectures
  • Scalable for more conservative security or higher throughput
  • Timing resistance: No table look-ups or additions
  • Side-channel resistance: S-box optimized for countermeasures
  • Key size = tag size = security level (128 bits recommended)
  • Minimal overhead (ciphertext length = plaintext length)
  • Single-pass, online (encryption and decryption), nonce-based, inverse-free

Ascon was designed by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University:

Christoph Dobraunig, Maria Eichlseder, Florian Mendel and Martin Schläffer.

logo tu graz         logo infineon
logo lamarr         logo radboud