Public Comments on SP 800-232 Ascon-Based Lightweight Cryptography Standards for Constrained Devices


Sonmez Turan, Meltem (Fed)

Mar 3, 2025, 10:51:38 AM
to lwc-...@list.nist.gov, lightweight-crypto

Dear all,

We would like to thank everyone who provided feedback on the initial public draft of SP 800-232, Ascon-Based Lightweight Cryptography Standards for Constrained Devices.

You can access the public comments using the following link: https://csrc.nist.gov/files/pubs/sp/800/232/ipd/docs/sp800-232-ipd-public-comments-received.pdf

Thanks,

NIST Lightweight Cryptography team

Sonmez Turan, Meltem (Fed)

Aug 13, 2025, 10:21:07 AM
to LWC-forum, lightweight-crypto

Dear all,

NIST has released Special Publication (SP) 800-232, Ascon-Based Lightweight Cryptography Standards for Constrained Devices.

This standard introduces a new Ascon-based family of symmetric-key cryptographic primitives that provides robust security, efficiency, and flexibility. With its compact state and range of cryptographic functions, it is suitable for resource-constrained environments, such as Internet of Things (IoT) devices, embedded systems, and low-power sensors. This standard includes multiple algorithms to meet a wide range of symmetric cryptographic needs, including the Authenticated Encryption with Associated Data (AEAD) scheme Ascon-AEAD128, the hash function Ascon-Hash256, and the eXtendable-Output Functions (XOFs) Ascon-XOF128 and Ascon-CXOF128.

Arne Padmos

Aug 13, 2025, 5:04:19 PM
to LWC-forum
Great to see that the final SP 800-232 is published.

Based on a quick skim, the major updates seem to be:
- Addition of the section '5.4. Streaming API for XOF'
- Addition of the section '6. Conformance'

Some other initial observations:
- It seems like Table 9 wasn't updated to indicate that the XOFs provide
192-bit preimage security, possibly because more research is needed.
- One interesting detail is that the SP notes that Ascon-Hash256 'is not
approved in this standard' for use with HMAC and that using Ascon-XOF128
and Ascon-CXOF128 within HMAC 'is not approved'. Note the important
detail of 'in this standard', i.e. not explicitly disallowed, and that
'Ascon-Hash256 is an approved cryptographic hash function'. Rejoice:
until FIPS 198-1 is withdrawn and SP 800-224 is published you can use
Ascon-Hash256-HMAC (at least based on a critical reading of the relevant
NIST documents). Whether that's a desirable solution over using
Ascon-XOF in Tsudik's keymode is another question.
- Both 'Ascon-XOF128 and Ascon-CXOF128 are approved XOFs, and their
approved uses will be specified in other NIST publications.' and 'The
Ascon permutations, including variants with different numbers of rounds,
may be approved for additional applications if corresponding modes of
operation are developed and approved within a FIPS or a NIST Special
Publication.' seem to indicate potential interest in an effort for
further modes development which would be great news.

On 2025-08-13 16:20, 'Sonmez Turan, Meltem (Fed)' via lwc-forum wrote:
> Dear all,
>
> NIST has released Special Publication (SP) 800-232, Ascon-Based
> Lightweight Cryptography Standards for Constrained
> Devices<https://doi.org/10.6028/NIST.SP.800-232>.