Английская Википедия:Ascon (cipher)

Материал из Онлайн справочника
Перейти к навигацииПерейти к поиску

Шаблон:Short description Шаблон:Other uses Шаблон:Infobox encryption method

Ascon is a family of lightweight authenticated ciphers that had been selected by US National Institute of Standards and Technology (NIST) for future standardization of the lightweight cryptography.Шаблон:Sfn

History

Ascon was developed in 2014 by a team of researchers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University.Шаблон:Sfn The cipher family was chosen as a finalist of the CAESAR CompetitionШаблон:Sfn in February 2019.

NIST had announced its decision on February 7, 2023Шаблон:Sfn with the following intermediate steps that would lead to the eventual standardization:Шаблон:Sfn

  • Publication of NIST IR 8454 describing the process of evaluation and selection that was used;
  • Preparation of a new draft for public comments;
  • Public workshop to be held on June 21-22, 2023.

Design

The design is based on a sponge construction along the lines of SpongeWrap and MonkeyDuplex. This design makes it easy to reuse Ascon in multiple ways (as a cipher, hash, or a MAC).Шаблон:Sfn As of February 2023, the Ascon suite contained seven ciphers,Шаблон:Sfn including:Шаблон:Sfn

  • Ascon-128 and Ascon-128a authenticated ciphers;
  • Ascon-Hash cryptographic hash;
  • Ascon-Xof extendable-output function;
  • Ascon-80pq cipher with an "increased" 160-bit key.

The main components have been borrowed from other designs:Шаблон:Sfn

  • substitution layer utilizes a modified S-box from the Шаблон:Mvar function of Keccak;
  • permutation layer functions are similar to the <math>\Sigma</math> of SHA-2.

Parameterization

The ciphers are parameterizable by the key length k (up to 128 bits), "rate" (block size) r, and two numbers of rounds a, b. All algorithms support authenticated encryption with plaintext P and additional authenticated data A (that remains unencrypted). The encryption input also includes a public nonce N, the output - authentication tag T, size of the ciphertext C is the same as that of P. The decryption uses N, A, C, and T as inputs and produces either P or signals verification failure if the message has been altered. Nonce and tag have the same size as the key K (k bits).Шаблон:Sfn

In the CAESAR submission, two sets of parameters were recommended:Шаблон:Sfn

Suggested parameters, bits
Name k r a b
Ascon-128 128 64 12 6
Ascon-128a 128 128 12 8

Padding

The data in both A and P is padded with a single bit with the value of 1 and a number of zeros to the nearest multiple of Шаблон:Mvar bits. As an exception, if A is an empty string, there is no padding at all.Шаблон:Sfn

State

The state consists of 320 bits, so the capacity <math>c=320-r</math>.Шаблон:Sfn The state is initialized by an initialization vector IV (constant for each cipher type, e.g., hex 80400c0600000000 for Ascon-128) concatenated with K and N.Шаблон:Sfn

Transformation

The initial state is transformed by applying Шаблон:Mvar times the transformation function Шаблон:Mvar (<math>p^a</math>). On encryption, each word of A || P is XORed into the state and the Шаблон:Mvar is applied Шаблон:Mvar times (<math>p^b</math>). The ciphertext C is contained in the first Шаблон:Mvar bits of the result of the XOR. Decryption is near-identical to encryption.Шаблон:Sfn The final stage that produces the tag T consists of another application of <math>p^a</math>; the special values are XORed into the last Шаблон:Mvar bits after the initialization, the end of A, and before the finalization.Шаблон:Sfn

Transformation Шаблон:Mvar consists of three layers:

Test vectors

Hash values of an empty string (i.e., a zero-length input text) for both the XOF and non-XOF variants.[1]

Ascon-Hash("")
0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d
Ascon-HashA("")
0x aecd027026d0675f9de7a8ad8ccf512db64b1edcf0b20c388a0c7cc617aaa2c4
Ascon-Xof("", 32)
0x 5d4cbde6350ea4c174bd65b5b332f8408f99740b81aa02735eaefbcf0ba0339e
Ascon-XofA("", 32)
0x 7c10dffd6bb03be262d72fbe1b0f530013c6c4eadaabde278d6f29d579e3908d

Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect.

Ascon-Hash("The quick brown fox jumps over the lazy dog")
0x 3375fb43372c49cbd48ac5bb6774e7cf5702f537b2cf854628edae1bd280059e
Ascon-Hash("The quick brown fox jumps over the lazy dogШаблон:Highlight")
0x c9744340ed476ac235dd979d12f5010a7523146ee90b57ccc4faeb864efcd048

See also

References

Шаблон:Reflist

Sources

External links

Шаблон:Cryptography navbox Шаблон:Cryptography-stub