Ascon¶
links: AC1 TOC - AEAD - Index
Ascon was Submitted on May 31, 2021 to NIST. It provides authenticated encryption with associated data (AEAD) and hashing functionality. For full information see the NIST Submission.
Functions¶
The Ascon suite consists of:
Authenticated Cyphers:
- Ascon-128
- Ascon-128a
- Ascon-80pq
Hash Functions:
- Ascon-Hash
- Ascon-Hasha
Extendable Output Functions (XOF):
- Ascon-XOF
- Ascon-XOFa
Definition¶
In this section the several parts of Ascon will be described briefly for a visualization see the images down below. For the full explanation see the NIST Submission.
Initialization¶
The initial state of Ascon is 320 bits. It is formed by the secret key, the nonce \(N\) and an \(IV\) initializing the algorithm (including the key size \(k\), the rate \(r\), the initialization and finalization round number \(a\) and the intermediate round number \(b\)).
During the initialization \(a\) rounds of \(P\) (permutation / transformation) are applied. Followed by an XOR of the secret key \(K\).
Associated Data¶
Ascon appends a single \(1\) and the smallest number of \(0\)'s to \(A\) to make it a multiple of \(r\) bits. \(A\) is then divided into blocks of \(r\) bits.
Each block \(A_i\) is XORed with the first \(r\) bits of \(S_R\) of the state \(S\). Then a \(b\)-round permutation \(p^b\) is applied to \(S\).
Plaintext¶
Encryption
As with the associated data, the plaintext is padded to a multiple of \(r\) bits and then divided into blocks of size \(r\).
Each iteration on the plaintext block \(P_i\) is XORed with the first \(r\) bits of \(S_r\). Then a ciphertext block \(C_i\) is extracted. After the initial state \(S\) is transformed by the permutation \(p^b\) using \(b\) rounds.
Decryption
The plaintext block \(P_i\) is computed by XORing \(C_i\) with the first \(r\) bits of \(S_r\). Then the first \(r\) bits of \(S\) are replaced by \(C_i\). Finally, \(S\) is transformed using the \(b\)-round permutation \(p^b\).
Finalization¶
The secret key \(K\) is XOR'ed with \(S\) and \(S\) is transformed by the permutation \(p^a\) using a round. The tag \(T\) consists of the last 128 bits of \(S\) XORed with the last 128 bits of \(K\).
The encryption returns \(T\) with the ciphertext. Decryption returns the plaintext if the computed tag value matches \(T\).
links: AC1 TOC - AEAD - Index