Customization of named functions

Rhys Weatherley

Nov 11, 2024, 3:26:04 PM
to lwc-forum
Hi all,

I'm working through converting my ASCON-Suite to the draft standard.  I have a question about how to use the customization string of Ascon-CXOF128 for building higher-level primitives.

Take for example a "KMAC" style authentication mode.  Easiest is something like this:

Ascon-KMAC256(K, Msg) = Ascon-CXOF128(K || Msg, 256, "KMAC256")

Here the Ascon-CXOF128 customization string Z is "KMAC256".  But what if I want to also customize my KMAC with an application-specific string of arbitrary length?  Two options:

Ascon-KMAC256(K, Msg, Z) = Ascon-CXOF128(K || Msg, 256, "KMAC256" || Z)
Ascon-KMAC256(K, Msg, Z) = Ascon-CXOF128(pad(Z) || K || Msg, 256, "KMAC256")

The problem with the first is that it is no longer possible to precompute the prefix because the length of the entire customization string in bits must be encoded first in the hashed bitstream.  So is the second preferable?

I would like to see some guidance in the specification as to how to build higher-level primitives out of Ascon-CXOF128.  Similar to how cSHAKE in NIST SP 800-185 is defined as a base-level customizable function: cSHAKE has both a customization string and a function name as parameters.  Ascon-CXOF128 currently lacks the function name.

I can put in an official comment if you prefer.

Cheers,

Rhys.
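
The precomputation concern raised in the post above, modeled as an added example (not part of the original message and not ASCON-Suite code): it builds the sequence of blocks each option would absorb and counts how many leading blocks are identical across different application strings. The 8-byte block size, the little-endian 64-bit length field, the 0x01 padding byte, and reusing that padding for `pad(Z)` in the second option are assumptions of this model; the permutation itself is not modeled.

```python
RATE = 8           # bytes per absorbed block (assumption: 64-bit rate)
FUNC = b"KMAC256"  # fixed function-name string from the post

def pad(data: bytes) -> bytes:
    # Assumed padding: one 0x01 byte, then zeros up to the block boundary.
    data += b"\x01"
    return data + b"\x00" * (-len(data) % RATE)

def cxof_blocks(msg: bytes, z: bytes) -> list:
    # Absorb order: bit length of Z first (as the post notes), then
    # pad(Z), then pad(msg). Little-endian encoding is an assumption.
    stream = (8 * len(z)).to_bytes(RATE, "little") + pad(z) + pad(msg)
    return [stream[i:i + RATE] for i in range(0, len(stream), RATE)]

def option1(key: bytes, msg: bytes, app: bytes) -> list:
    # First option: application string appended to the customization string.
    return cxof_blocks(key + msg, FUNC + app)

def option2(key: bytes, msg: bytes, app: bytes) -> list:
    # Second option: padded application string moved into the message.
    return cxof_blocks(pad(app) + key + msg, FUNC)

def shared_prefix(streams) -> int:
    # Leading blocks identical in every stream, i.e. how much of the
    # absorb phase could be computed once and cached as a saved state.
    n = 0
    for column in zip(*streams):
        if len(set(column)) != 1:
            break
        n += 1
    return n

# Constructed sample inputs (not from the post).
KEY = bytes(range(16))
MSG = b"constructed sample message"
APPS = [b"", b"billing", b"session-tokens-v2"]

if __name__ == "__main__":
    for name, build in (("option 1", option1), ("option 2", option2)):
        n = shared_prefix([build(KEY, MSG, a) for a in APPS])
        print(f"{name}: {n} cacheable block(s)")
```

Under these assumptions the second option always starts with the same two blocks (the length of "KMAC256" and the padded string itself), while the first option diverges at the very first block whenever the application strings differ in length.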