A Family of Authenticated Encryption Algorithms

Ascon is a family of authenticated encryption algorithms and has been selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition. The Ascon family was designed to be lightweight and easy to implement, even with added countermeasures against side-channel attacks.


  • Sponge-based mode of operation with custom-tailored SPN permutation
  • Provably secure mode with keyed finalization for additional robustness
  • Easy to implement in software and hardware
  • Lightweight for constrained devices: small state, simple permutation, robust mode
  • Fast in hardware
  • Fast in software: Pipelinable, bit-sliced 5-bit S-box for 64-bit architectures
  • Scalable for more conservative security or higher throughput
  • Timing resistance: No table look-ups or additions
  • Side-channel resistance: S-box optimized for countermeasures
  • Key size = tag size = security level (128 bits recommended)
  • Minimal overhead (ciphertext length = plaintext length)
  • Single-pass, online (encryption and decryption), nonce-based, inverse-free

Ascon was designed by a team of cryptographers from Graz University of Technology, Infineon Technologies, and Radboud University:

Christoph Dobraunig, Maria Eichlseder, Florian Mendel and Martin Schläffer.

logo tu graz         logo infineon

logo radboud