Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Reference and optimized C and ASM implementations of Ascon

Ascon is a family of lightweight authenticated encryption schemes with associated data (AEAD), including hash and extendible output functions (XOF).

For more information on Ascon visit:

This repository contains the following 7 Ascon algorithms:

  • crypto_aead/ascon128v12: Ascon-128 v1.2
  • crypto_aead/ascon128av12: Ascon-128a v1.2
  • crypto_aead/ascon80pqv12: Ascon-80pq v1.2
  • crypto_hash/asconhashv12: Ascon-Hash v1.2
  • crypto_hash/asconxofv12: Ascon-Xof v1.2
  • crypto_hash/asconhashav12: Ascon-Hasha v1.2
  • crypto_hash/asconxofav12: Ascon-Xofa v1.2

and the following implementations:

  • ref: reference implementation
  • opt64: 64-bit speed-optimized C implementation
  • opt64_lowsize: 64-bit size-optimized C implementation
  • avx512: AVX512 speed-optimized inline assembly implementation
  • neon: NEON speed-optimized ARM inline assembly implementation
  • bi32: 32-bit speed-optimized bit-interleaved C implementation
  • bi32_arm: 32-bit speed-optimized bit-interleaved ARM inline assembly implementation
  • bi32_lowreg: 32-bit speed-optimized bit-interleaved C implementation (low register usage)
  • bi32_lowsize: 32-bit size-optimized bit-interleaved C implementation
  • opt8: 8-bit optimized C implementation
  • bi8: 8-bit optimized bit-interleaved C implementation

Performance results of Ascon-128 on different CPUs in cycles per byte:

Message Length in Bytes: 1 8 16 32 64 1536 long
AMD Ryzen 7 1700* 14.5 8.8 8.6
Intel Xeon E5-2609 v4* 17.3 10.8 10.5
Cortex-A53 (ARMv8)* 18.3 11.3 11.0
Intel Core i5-6300U 367 58 35 23 17.6 11.9 11.4
Intel Core i5-4200U 521 81 49 32 23.9 16.2 15.8
Cortex-A15 (ARMv7)* 69.8 36.2 34.6
Cortex-A7 (NEON) 2182 249 148 97 71.7 47.5 46.5
Cortex-A7 (ARMv7) 1871 292 175 115 86.6 58.3 57.2
ARM1176JZF-S (ARMv6) 2136 312 186 123 91.6 61.8 62.2

* Results taken from eBACS:

Performance results of Ascon-128a on different CPUs in cycles per byte:

Message Length in Bytes: 1 8 16 32 64 1536 long
AMD Ryzen 7 1700* 12.0 6.0 5.7
Intel Xeon E5-2609 v4* 14.1 7.3 6.9
Cortex-A53 (ARMv8)* 15.1 7.6 7.3
Intel Core i5-6300U 365 47 31 19 13.5 8.0 7.8
Intel Core i5-4200U 519 67 44 27 18.8 11.0 10.6
Cortex-A15 (ARMv7)* 60.3 25.3 23.8
Cortex-A7 (NEON) 2204 226 132 82 55.9 31.7 30.7
Cortex-A7 (ARMv7) 1911 255 161 102 71.3 42.3 41.2
ARM1176JZF-S (ARMv6) 2118 261 170 107 75.6 46.0 46.6

* Results taken from eBACS:

Implementation interface

All implementations use the interface defined by the ECRYPT Benchmarking of Cryptographic Systems (eBACS):

Combined AEAD and hashing implementations

Ascon implementations supporting both AEAD and hashing are located in crypto_aead_hash. We provide the following examples of pairing AEAD with hashing:

  • Ascon128 with AsconHash in crypto_aead_hash/asconv12
  • Ascon128a with AsconHasha in crypto_aead_hash/asconav12

These implementations are also symlinked in crypto_aead and crypto_hash to reuse their test suits.

Manually build and run a single Ascon target:

Build example for CRYPTO_AEAD algorithms:

gcc -march=native -O3 -DNDEBUG -Icrypto_aead/ascon128v12/opt64 crypto_aead/ascon128v12/opt64/*.c -Itests tests/genkat_aead.c -o genkat
gcc -march=native -O3 -DNDEBUG -Icrypto_aead/ascon128v12/opt64 crypto_aead/ascon128v12/opt64/*.c -DCRYPTO_AEAD -Itests tests/getcycles.c -o getcycles

Build example for CRYPTO_HASH algorithms:

gcc -march=native -O3 -DNDEBUG -Icrypto_hash/asconhashv12/opt64 crypto_hash/asconhashv12/opt64/*.c -Itests tests/genkat_hash.c -o genkat
gcc -march=native -O3 -DNDEBUG -Icrypto_hash/asconhashv12/opt64 crypto_hash/asconhashv12/opt64/*.c -DCRYPTO_HASH -Itests tests/getcycles.c -o getcycles

Generate KATs and get CPU cycles:


Build and test all Ascon v1.2 targets using performance flags:

mkdir build && cd build
cmake ..
cmake --build .

Build and test all Ascon v1.2 targets on Windows:

mkdir build && cd build
cmake ..
cmake --build . --config Release
ctest -C Release

Build and test all Ascon v1.2 targets using NIST flags and sanitizers:

mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug
cmake --build .

Build and run only specific algorithms, implementations and tests:

Build and test:

mkdir build && cd build
cmake .. -DVERSION_LIST="v12" -DALG_LIST="ascon128;asconhash" -DIMPL_LIST="opt64;bi32" -DTEST_LIST="genkat;getcycles"
cmake --build .
ctest -R genkat

Get CPU cycles:


Hints to get more reliable getcycles results on Intel/AMD CPUs:

  • Determine the processor base frequency (also called design frequency):

    • e.g. using the Intel/AMD website
    • or using lscpu listed under model name
  • Disable turbo boost (this should lock the frequency to the next value below the processor base frequency):

    echo 1 | sudo tee /sys/devices/system/cpu/intel_pstate/no_turbo
  • If the above does not work, manually set the frequency using e.g. cpufreq-set.

  • Determine the actual frequency (under load):

    • e.g. by watching the frequency using lscpu or cpufreq-info
  • Determine the scaling factor between the actual and base frequency:

    • factor = actual frequency / base frequency
  • Run a getcycles program using the frequency factor and watch the results:

    while true; do ./getcycles_crypto_aead_ascon128v12_opt64 $factor; done
  • Run the script with the frequency factor and a specific algorithm to benchmark all correspondng getcycles implementations:

    ./ $factor ascon128

Hints to activate the performance monitor unit (PMU) on ARM CPUs:

Benchmark Ascon v1.2 using supercop

Download supercop according to the website:

To test only Ascon, just run the following commands:

./do-part init
./do-part crypto_aead ascon128v12
./do-part crypto_aead ascon128av12
./do-part crypto_aead ascon80pqv12
./do-part crypto_hash asconhashv12
./do-part crypto_hash asconxofv12

Evaluate and optimize Ascon on constraint devices:

  • The ascon-c code allows to set compile-time parameters ASCON_INLINE_MODE (IM), ASCON_INLINE_PERM (IP), ASCON_UNROLL_LOOPS (UL), via command line or in the crypto_*/ascon*/*/config.h files.
  • Use the script to evaluate all combinations of these parameters for a given list of ascon implementations. The script is called with an output file, frequency factor, the algorithm, and the list of implementations to test:
    ./ $factor ascon128 ref opt64 opt64_lowsize
  • The file then contains a markup table with size and cycles for each implementation and parameter set to evaluate several time-area trade-offs.


Reference and optimized C and ASM implementations of Ascon







No packages published

Contributors 4