Articles

ASCON: NIST's Lightweight Crypto Standard Decoded

March 15, 2026 5 min read

ASCON is a cryptographic algorithm that’s incredibly efficient, so much so that it can run on tiny microcontrollers with almost no power budget, making it the new standard for lightweight cryptography.

Let’s see ASCON in action. Imagine we have a simple message, "Hello, world!", and we want to encrypt it using ASCON-128. This is a specific variant of ASCON that uses a 128-bit key and a 128-bit nonce, producing a 128-bit ciphertext.

Here’s a conceptual representation of the encryption process. We start with:

  • Plaintext: "Hello, world!"
  • Key: 000102030405060708090a0b0c0d0e0f (128 bits)
  • Nonce (Number Used Once): f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff (128 bits)

The ASCON algorithm, in its essence, is a permutation-based authenticated encryption with associated data (AEAD) scheme. It operates on a state, which is a set of registers. The core of ASCON is a simple, highly efficient permutation function (ASCON-perm). This permutation is applied repeatedly to the internal state.

The encryption process involves:

  1. Initialization: The internal state is initialized with the key and nonce.
  2. Processing Associated Data (if any): If there’s data that needs authentication but not encryption (like headers), it’s processed by XORing it into the state and applying the permutation.
  3. Processing Plaintext: The plaintext is processed in blocks. Each block is XORed into the state, the permutation is applied, and then the first part of the state is extracted as ciphertext.
  4. Finalization: After all plaintext is processed, a final permutation is applied, and the authentication tag is generated from the state.

For our "Hello, world!" example, assuming a block size of 128 bits (which is typical for ASCON variants), the process would look something like this (simplified):

  • The initial state is formed using the key and nonce.
  • The plaintext "Hello, world!" (padded to 128 bits if necessary) is XORed into the state.
  • ASCON-perm is applied.
  • The first 128 bits of the state become the ciphertext.
  • A final ASCON-perm is applied.
  • An authentication tag (e.g., 128 bits) is derived from the final state.

The beauty of ASCON is that this entire process, including the permutation, is designed to be incredibly fast and require very little memory. It uses a small number of rounds (typically 12) of a simple substitution-permutation network (SPN) structure. The state is often represented as 5 words (e.g., 64-bit words), leading to a total state size of 320 bits. The permutation involves linear diffusion (XORing words) and non-linear substitution (S-boxes) operations.

The problem ASCON solves is the growing need for strong, secure encryption in environments where traditional cryptographic algorithms are too resource-intensive. Think of the Internet of Things (IoT) devices: smart sensors, wearable technology, embedded systems. These devices often have severely limited power, memory (RAM and flash), and processing capability. Algorithms like AES, while secure, can be too demanding for these constrained environments. ASCON provides a robust alternative that meets the security requirements of NIST (National Institute of Standards and Technology) while being exceptionally lightweight.

The exact levers you control are primarily the key and the nonce. The key is your secret that must be kept confidential. The nonce, while not secret, must be unique for every encryption operation with the same key. Reusing a nonce with the same key is a critical security failure that can compromise the confidentiality and integrity of your messages. ASCON offers variants like ASCON-128, ASCON-128a (which uses a 128-bit key and a 64-bit nonce), and ASCON-80q (for quantum resistance), allowing you to choose the best fit for your security and performance needs.

The internal state of ASCON is often described as a set of registers, typically five 64-bit registers in ASCON-128. The permutation involves applying an S-box layer (non-linear substitution) followed by linear layers that mix the bits across these registers. The specific sequence of operations and the constants used in the linear layers are carefully designed to provide diffusion and confusion, essential properties for cryptographic security. The number of rounds is a trade-off between security and performance; more rounds generally mean higher security but slower execution.

What many people overlook is how the associated data processing and the finalization steps contribute to the overall security. It’s not just about encrypting the message; it’s about ensuring that the message hasn’t been tampered with and that it’s authentic. The way ASCON incorporates these AEAD features into its permutation structure is a key part of its efficiency and elegance. The tag generation isn’t an afterthought; it’s an integral part of the final state transformation.

The next step after understanding ASCON is exploring its different variants and their specific performance characteristics on target hardware.

Want structured learning?

Take the full Cryptography course →