This is a collection of hardware and software implementations of Ascon. Reference implementations are included as submodules, while this file lists additional implementations in various languages.
Ascon is a family of authenticated encryption (AEAD) and hashing algorithms designed to be lightweight and easy to implement, even with added countermeasures against side-channel attacks. It was designed by a team of cryptographers from Graz University of Technology, Infineon Technologies, and Intel Labs: Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer.
Ascon has been selected as the standard for lightweight cryptography in the NIST Lightweight Cryptography competition (2019–2023) and as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition (2014–2019).
The most recent version of Ascon is specified in NIST SP 800-232 (initial public draft) and includes the following designs:
-
Authenticated Encryption with Associated Data (AEAD):
Ascon-AEAD128with 128-bit key, nonce, and tag
-
Hashing algorithms:
Ascon-Hash256with fixed 256-bit output size (hash function)Ascon-XOF128with variable output lengths (eXtendable Output Function, XOF)Ascon-CXOF128with variable output lengths and supporting a customization string as an additional input (Customizable XOF)
Prior versions (Ascon v1.2 as submitted to NIST LWC) and other non-standardized family members include:
-
Authenticated encryption (
Ascon-128,Ascon-128a,Ascon-80pq) -
Hashing algorithms including hash functions with fixed 256-bit tag size (
Ascon-Hash,Ascon-Hasha) and eXtendable Output Functions (XOFs) with variable output lengths (Ascon-Xof,Ascon-Xofa) -
Authentication algorithms including Message Authentication Codes (MACs) with fixed 128-bit tag size (
Ascon-Mac,Ascon-Maca) and PseudoRandom Functions (PRFs) with variable output lengths (Ascon-Prf,Ascon-Prfa), as well as a variant for short messages of up to 128 bits (Ascon-PrfShort)
Find the specification of Ascon and more information here: https://ascon.isec.tugraz.at/
| Description | Code | Author | Ascon version | Comments and supported variants |
|---|---|---|---|---|
| ⭐ C reference implementation | ascon/ascon-c | Ascon Team | NIST SP 800-232 draft | Features both the reference implementation and optimized implementations (64-bit) of all AEAD and hash family members. For a detailed overview of the AEAD performance on different CPUs see eBAEAD. |
| C collection with benchmarks | lab.las3.de/lwc/ascon | Rhys Weatherley et al. | LWC submission | Collection with implementations by multiple authors, including benchmarking results (AEAD and hash variants) |
| C with Init-Update-Final interface | TheMatjaz/LibAscon | Matjaž Guštin | LWC submission | C11 library wrapping the reference C implementation (all AEAD and hash variants), including Init-Update-Final processing and variable tag length |
| C/assembly optimized for 32-bit architectures (ESP32/Xtensa, RISC-V) | in LAS3 collection | Ferdinand Bachmann | LWC submission | C wrapper with assembly optimized for Tensilica Xtensa and 32-bit RISC-V (all AEAD and hash variants) |
| C optimized for RISC-V | ulmer-a/lightweight_aead | Alexander Ulmer | LWC submission | RISC-V implementation of Ascon-128 and Ascon-128a |
| Description | Code | Author | Ascon version | Comments and supported variants |
|---|---|---|---|---|
| ⭐ Python reference implementation | meichlseder/pyascon | Ascon Team | NIST SP 800-232 draft | Reference implementation of all AEAD and hash family members. Note: The pypi package is not maintained by us. |
| Rust | sebastinas/ascon-hash, sebastinas/ascon-aead | Sebastian Ramacher | NIST SP 800-232 draft | Rust implementation, implementing the RustCrypto traits, of all AEAD and hash variants. Crate links: crate (hash), crate (AEAD) |
| TypeScript/JavaScript | brainfoolong/js-ascon | Roland Eigelsreiter | NIST SP 800-232 draft | JavaScript/TypeScript implementation (all Ascon family members). Link: npm |
| PHP | brainfoolong/php-ascon | Roland Eigelsreiter | NIST SP 800-232 draft | PHP 8+ implementation (all Ascon family members) |
| Cython/Python | xHappenZ/cyascon | Oliver Popa | LWC submission | Python wrapper with C/Cython implementation (all AEAD and hash variants), with optional init-update-final interface. |
| Java for JCE | - | SIC | LWC submission | IAIK-LW Provider for the Java Cryptography Extension (JCE). Links: commercial toolkit, free evaluation version |
| Jasmin | jerlacher/ascon-jasmin | Johannes Erlacher | LWC submission | Jasmin implementation with a Rust interface (Ascon-128 and Ascon-128a AEAD variants) |
| Go | cloudflare/circl | Armando Faz | LWC submission | Go implementation as part of the CIRCL library (all AEAD variants) |
| TypeScript | Simolation/ascon-js | Simon Osterlehner | LWC submission | Fully typed TypeScript/JavaScript library (all AEAD and hash variants). Link: npm |
| Zig | ziglang/ascon.zig | Frank Denis | LWC submission | Zig implementation as part of the standard library (permutation only) |
| Java | ascon/javaascon | Hannes Groß | CAESAR submission | Java implementation of Ascon-128 and Ascon-128a. |
🚧 to be completed
| Description | Code | Author | Ascon version | Comments and supported variants |
|---|---|---|---|---|
| RISC-V (RV32IM assembly) | l.mainka/side-channel-secure-ascon | Linus Mainka, Kostas Papagiannopoulos | LWC submission | Protected RISC-V implementation of Ascon-128 using masking and shuffling (CASCADE 2025 paper preprint). |
🚧 to be completed
🚧 to be completed
🚧 to be completed