Ascon

Specification

The Ascon family is specified in the following documents:

Ascon's Permutation

All Ascon family members use the same lightweight permutation. This permutation iteratively applies an SPN-based round transformation a = 12 times (for pa ) or b ∈ {6, 8} times (for pb ). The round transformation consists of the following three steps which operate on a 320-bit state divided into 5 words x0, x1, x2, x3, x4 of 64 bits each:

  • Addition of Round Constants: xors a round specific 1-byte constant to word x2.
  • Nonlinear Substitution Layer: applies a 5-bit S-box 64 times in parallel in a bit-sliced fashion (vertically, across words).
  • Linear Diffusion Layer: xors different rotated copies of each word (horizontally, within each word).
Sbox layer in Ascon sponge state
Ascon 5-bit sbox
Ascon's S-box   [tex] [C instructions]
Linear layer in Ascon sponge state
x0 := x0 ⊕ (x0 ⋙ 19) ⊕ (x0 ⋙ 28)
x1 := x1 ⊕ (x1 ⋙ 61) ⊕ (x1 ⋙ 39)
x2 := x2 ⊕ (x2 ⋙   1) ⊕ (x2 ⋙   6)
x3 := x3 ⊕ (x3 ⋙ 10) ⊕ (x3 ⋙ 17)
x4 := x4 ⊕ (x4 ⋙   7) ⊕ (x4 ⋙ 41)

Ascon's linear layer

Ascon's permutation: ⊕ denotes xor, ⊙ denotes and, ⋙ is rotation to the right.

Ascon's Authenticated Encryption Modes

Ascon uses a duplex-sponge-based mode of operation for authenticated encryption. The recommended key, tag and nonce length is 128 bits. The sponge operates on a state of 320 bits, with message blocks of 64 or 128 bits. The encryption process is split into four phases:

  1. Initialization: initializes the state with the key K  and nonce N.
  2. Associated Data Processing: updates the state with associated data blocks Ai .
  3. Plaintext Processing: injects plaintext blocks Pi  into the state and extracts ciphertext blocks Ci .
  4. Finalization: injects the key K  again and extracts the tag T  for authentication.
Ascon's duplex sponge mode for authenticated encryption
The duplex sponge mode for Ascon authenticated encryption     [tex]

After each injected block (except the last plaintext block), the core permutation pb  is applied to the complete state. During initialization and finalization, a stronger permutation pa  with more rounds is used. The numbers of rounds a and b, as well as the sponge's rate and capacity, depend on the Ascon variant. The recommended parameters are:

Recommended parameters for Ascon authenticated encryption
CipherBit size of Rounds
keynoncetagratecapacitypapb
Ascon-12812812812864256126
Ascon-128a128128128128192128

Ascon's Hashing Modes

The Ascon family includes the hash function Ascon-Hash and the extendable output function Ascon-Xof with sponge-based modes of operation. Both provide 128-bit security with a hash size of at least 256 bits. The hashing modes use the same lightweight 320-bit permutation as the authenticated encryption modes.

Ascon's sponge mode for hashing
The sponge mode for Ascon hashing     [tex]

The hashing modes absorb the message M  in 64-bit blocks Mi  and finally squeeze the hash value H  in 64-bit blocks Hi . After each absorbed or squeezed block, the 12-round permutation pa  is applied to the complete state:

Recommended parameters for Ascon hashing
AlgorithmBit size of Rounds
hash outputratecapacitypa
Ascon-Hash256 6425612
Ascon-Xof arbitrary6425612

For details such as the round constant values, padding rules or the (almost identical) decryption mode, please refer to the latest Ascon submission document.