Security Highlight: Ascon

A lightweight crypto algorithm delivers low-cost encryption and integrity verification for IoT and other resource-constrained devices.


The contest for standardization of a lightweight crypto (LWC) algorithm has just finished. US standards body NIST selected Ascon as the winner. Ascon is an algorithm proposed by an international team of scientists that delivers strong performance and security at a low cost. How does that work?

Lightweight crypto is symmetric encryption technology, that runs well on constrained systems, like IoT. These products are affordable due to the usage of chips with limited capabilities. The chips run on lower clock speeds, may not be able to implement crypto in hardware, and have little memory available. At the same time, IoT devices may need to deliver end-to-end security, including real-time video encryption.

The dominant algorithm for symmetric encryption today is AES, which can be fast, but also costly in terms of memory or chip surface needs. Also, secure communication requires more than just encryption. There is a need for message integrity too. While AES can play a role there, secure protocols often also require hashing, for which algorithms like SHA-3 are used.

Ascon, as an LWC solution, uses the newest insights to deliver multiple security services, while achieving the same level of security, for less cost. Rather than just providing encryption, it provides ‘authenticated encryption’, which means that the algorithm delivers encryption and integrity verification at once. With this, there is no longer a need to implement separate algorithms for encryption and hashing.

The new algorithm is designed to operate on 64-bit operands and its most frequent steps are ordinary arithmetic operations, supported by any processor. The new algorithm is also interesting for hardware implementation as it needs a low number of gates and can process data using much less energy than AES. This would be particularly interesting for battery-powered sensors.

Although Ascon has been designed with the newest insights, it is not immune to common cryptographic threats like Side-Channel Analysis and Fault Analysis. The first papers claiming successful attacks have already been published, along with potential defense strategies. At Riscure we expect that Ascon, now becoming standardized, will be a significant ingredient in cyber security. We understand the algorithm, and its attacks, and have the expertise to evaluate its implementations. Are you working on a product that uses Ascon? We would be happy to help you evaluate its strengths and make sure your product achieves its intended security.

The specification of Ascon is available on the NIST website:

Leave a Reply

(Note: This name will be displayed publicly)