Lightweight Authenticated Encryption & Hashing

Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight and easy to implement, even with added countermeasures against side-channel attacks. Ascon has been selected as new standard for lightweight cryptography in the NIST Lightweight Cryptography competition (2019–2023). Ascon has also been selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition (2014–2019).


  • Authenticated encryption and hashing (fixed or variable output length) with a single lightweight permutation
  • Sponge-based modes of operation with a custom-tailored SPN permutation
  • Provably secure mode with keyed finalization for additional robustness
  • Easy to implement in software and hardware
  • Lightweight for constrained devices: small state, simple permutation, robust mode
  • Fast in hardware
  • Fast in software: Pipelinable, bit-sliced 5-bit S-box for 64-bit architectures
  • Scalable for more conservative security or higher throughput
  • Timing resistance: No table look-ups or additions
  • Side-channel resistance: S-box optimized for countermeasures
  • Key size = tag size = security level (128 bits recommended)
  • Minimal overhead (ciphertext length = plaintext length)
  • Single-pass, online (encryption and decryption), nonce-based, inverse-free

Ascon is designed and maintained by a team of cryptographers working for Graz University of Technology, Infineon Technologies, Intel Labs, and Radboud University:

Christoph Dobraunig, Maria Eichlseder, Florian Mendel and Martin Schläffer.

logo tu graz         logo infineon         logo radboud