Ascon (cipher)

Ascon is a family of lightweight authenticated ciphers and hash functions that have been selected by the U.S. National Institute of Standards and Technology for cryptography on resource-constrained devices in 2025, specified in NIST SP 800-232.

History

Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University. The cipher family was chosen as a finalist of the CAESAR Competition in February 2019.
NIST announced its decision on February 7, 2023 with the following steps that lead to its standardization:

Publication of NIST IR 8454 describing the process of evaluation and selection that was used;
Preparation of a new draft for public comments;
Public workshop held on June 21–22, 2023.

NIST finalized the standard on August 13, 2025, releasing it as "Ascon-Based Lightweight Cryptography Standards for Constrained Devices".

Design

The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways. As of February 2023, the Ascon suite contained seven ciphers, including:

Ascon-128 and Ascon-128a authenticated ciphers;
Ascon-Hash cryptographic hash;
Ascon-Xof extendable-output function;
Ascon-80pq cipher with an "increased" 160-bit key.

The main components have been borrowed from other designs:

substitution layer utilizes a modified S-box from the function of Keccak;
permutation layer functions are similar to the of SHA-2.

Parameterization

The ciphers are parameterizable by the key length k, "rate" r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A. The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K.
In the CAESAR submission, two sets of parameters were recommended:

Name	k	r	a	b
Ascon-128	128	64	12	6
Ascon-128a	128	128	12	8

Padding

The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of bits. As an exception, if A is an empty string, there is no padding at all.

State

The state consists of 320 bits, so the capacity. The state is initialized by an initialization vector IV concatenated with K and N.

Transformation

The initial state is transformed by applying times the transformation function . On encryption, each word of A || P is XORed into the state and the is applied times. The ciphertext C is contained in the first bits of the result of the XOR. Decryption is near-identical to encryption. The final stage that produces the tag T consists of another application of ; the special values are XORed into the last bits after the initialization, the end of A, and before the finalization.
Transformation consists of three layers:

, XORing the round constants;
, application of 5-bit S-boxes;
, application of linear diffusion.

Test vectors

Hash values of an empty string for both the XOF and non-XOF variants.
0x 7346bc14f036e87ae03d0997913088f5f68411434b3cf8b54fa796a80d251f91
0x aecd027026d0675f9de7a8ad8ccf512db64b1edcf0b20c388a0c7cc617aaa2c4
0x 5d4cbde6350ea4c174bd65b5b332f8408f99740b81aa02735eaefbcf0ba0339e
0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d
Even a small change in the message will result in a different hash, due to the avalanche effect.
0x 3375fb43372c49cbd48ac5bb6774e7cf5702f537b2cf854628edae1bd280059e
0x c9744340ed476ac235dd979d12f5010a7523146ee90b57ccc4faeb864efcd048