Ascon (cipher)
General | |
---|---|
Designers | C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer[1] |
First published | 2014 |
Cipher detail | |
Key sizes | up to 128, 128 bits are recommended |
Block sizes | up to 128 bits, 128 and 64 bits are recommended |
Structure | sponge construction |
Rounds | 6–8 rounds per input word recommended |
Ascon is a family of lightweight authenticated ciphers that had been selected by US National Institute of Standards and Technology (NIST) for future standardization of the lightweight cryptography.[2]
History
[edit]Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University.[3] The cipher family was chosen as a finalist of the CAESAR Competition[3] in February 2019.
NIST had announced its decision on February 7, 2023[3] with the following intermediate steps that would lead to the eventual standardization:[2]
- Publication of NIST IR 8454 describing the process of evaluation and selection that was used;
- Preparation of a new draft for public comments;
- Public workshop to be held on June 21–22, 2023.
Design
[edit]The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways (as a cipher, hash, or a MAC).[4] As of February 2023, the Ascon suite contained seven ciphers,[3] including:[5]
- Ascon-128 and Ascon-128a authenticated ciphers;
- Ascon-Hash cryptographic hash;
- Ascon-Xof extendable-output function;
- Ascon-80pq cipher with an "increased" 160-bit key.
The main components have been borrowed from other designs:[4]
- substitution layer utilizes a modified S-box from the χ function of Keccak;
- permutation layer functions are similar to the of SHA-2.
Parameterization
[edit]The ciphers are parameterizable by the key length k (up to 128 bits), "rate" (block size) r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A (that remains unencrypted). The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits).[6]
In the CAESAR submission, two sets of parameters were recommended:[6]
Name | k | r | a | b |
---|---|---|---|---|
Ascon-128 | 128 | 64 | 12 | 6 |
Ascon-128a | 128 | 128 | 12 | 8 |
Padding
[edit]The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of r bits. As an exception, if A is an empty string, there is no padding at all.[7]
State
[edit]The state consists of 320 bits, so the capacity .[8] The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N.[9]
Transformation
[edit]The initial state is transformed by applying a times the transformation function p (). On encryption, each word of A || P is XORed into the state and the p is applied b times (). The ciphertext C is contained in the first r bits of the result of the XOR. Decryption is near-identical to encryption.[8] The final stage that produces the tag T consists of another application of ; the special values are XORed into the last c bits after the initialization, the end of A, and before the finalization.[7]
Transformation p consists of three layers:
- , XORing the round constants;
- , application of 5-bit S-boxes;
- , application of linear diffusion.
Test vectors
[edit]Hash values of an empty string (i.e., a zero-length input text) for both the XOF and non-XOF variants.[10]
Ascon-Hash("") 0x 7346bc14f036e87ae03d0997913088f5f68411434b3cf8b54fa796a80d251f91 Ascon-HashA("") 0x aecd027026d0675f9de7a8ad8ccf512db64b1edcf0b20c388a0c7cc617aaa2c4 Ascon-Xof("", 32) 0x 5d4cbde6350ea4c174bd65b5b332f8408f99740b81aa02735eaefbcf0ba0339e Ascon-XofA("", 32) 0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d
Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect.
Ascon-Hash("The quick brown fox jumps over the lazy dog") 0x 3375fb43372c49cbd48ac5bb6774e7cf5702f537b2cf854628edae1bd280059e Ascon-Hash("The quick brown fox jumps over the lazy dog.") 0x c9744340ed476ac235dd979d12f5010a7523146ee90b57ccc4faeb864efcd048
See also
[edit]- Simon and Speck, earlier lightweight cipher families released by the U.S. National Security Agency
References
[edit]- ^ NIST (July 2021). "Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process". nist.gov. National Institute of Standards and Technology. p. 6.
- ^ a b NIST 2023a.
- ^ a b c d NIST 2023b.
- ^ a b Dobraunig et al. 2016, p. 17.
- ^ Dobraunig et al. 2021, pp. 4–5.
- ^ a b Dobraunig et al. 2016, p. 2.
- ^ a b Dobraunig et al. 2016, p. 4.
- ^ a b Dobraunig et al. 2016, p. 3.
- ^ Dobraunig et al. 2016, pp. 4–5.
- ^ "Ascon Hash Family". hashing.tools.
Sources
[edit]- NIST (2023a). "Lightweight Cryptography Standardization Process: NIST Selects Ascon". nist.gov. National Institute of Standards and Technology.
- NIST (2023b). "NIST Selects 'Lightweight Cryptography' Algorithms to Protect Small Devices". nist.gov. National Institute of Standards and Technology.
- Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (2016). "Ascon v1.2: Submission to the CAESAR Competition" (PDF). nist.gov. National Institute of Standards and Technology.
- Dobraunig, Christoph; Eichlseder, Maria; Mendel, Florian; Schläffer, Martin (22 June 2021). "Ascon v1.2: Lightweight Authenticated Encryption and Hashing". Journal of Cryptology. 34 (3). doi:10.1007/s00145-021-09398-9. eISSN 1432-1378. hdl:2066/235128. ISSN 0933-2790. S2CID 253633576.
External links
[edit]- TU Graz. "Ascon: Publications". tugraz.at.