COSE Working Group D. Ochkas Internet-Draft H. Le Bouder Intended status: Informational A. Pelov Expires: 7 January 2027 IMT Atlantique 6 July 2026 Ascon-AEAD128 and Ascon-Hash256 for COSE draft-ochkas-cose-ascon-04 Abstract This document describes CBOR Object Signing and Encryption (COSE) serialization with Ascon, a NIST standard for lightweight cryptography. In 2019, as a part of CAESAR competition, Ascon-128 and Ascon-128a were selected as the first choice for the lightweight authenticated encryption. After, in 2023, National Institute of Standards and Technology (NIST) selected Ascon family of cryptographic algorithms to be the standard for lightweight cryptography. In August 2025, NIST Special Publication 800-232 was released, defining Ascon-based lightweight cryptography standards for constrained devices. This recognition makes it particularly interesting to enable using Ascon with COSE structures. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 January 2027. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. Ochkas, et al. Expires 7 January 2027 [Page 1] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Ascon algorithms for COSE . . . . . . . . . . . . . . . . . . 3 3.1. Ascon-AEAD128 . . . . . . . . . . . . . . . . . . . . . . 3 3.2. Ascon-Hash256 . . . . . . . . . . . . . . . . . . . . . . 5 3.2.1. Ascon-Hash256 for KDF operations . . . . . . . . . . 5 3.2.2. Ascon-Hash256 for MAC operations . . . . . . . . . . 6 4. IV Header Parameter . . . . . . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6.1. Additions to COSE Algorithms Registry . . . . . . . . . . 7 6.1.1. Ascon-AEAD128 for COSE . . . . . . . . . . . . . . . 7 6.1.2. Ascon-AEAD128/64 for COSE . . . . . . . . . . . . . . 8 6.1.3. Ascon-AEAD128/32 for COSE . . . . . . . . . . . . . . 8 6.1.4. direct+HKDF-Ascon-Hash256 for COSE . . . . . . . . . 8 6.1.5. HMAC Ascon-Hash256 for COSE . . . . . . . . . . . . . 8 6.1.6. HMAC Ascon-Hash256/64 for COSE . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 9 7.2. Informative References . . . . . . . . . . . . . . . . . 10 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 11 A.1. COSE Content Encryption . . . . . . . . . . . . . . . . . 11 A.1.1. Simple Ascon-AEAD128 encryption . . . . . . . . . . . 11 A.1.2. Direct Ascon-AEAD128 encryption with recipient . . . 11 A.1.3. Direct Ascon-AEAD128 encryption with HKDF-SHA-256 . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction Constrained networks such as Internet of Things (IoT) networks most of the time are characterized by the limited computational power and energy. In this context, the choice of suitable cryptographic suites that provide reliable security without consuming large amount of resources is essential. As a winner of the lightweight cryptography standardization process conducted by NIST, Ascon algorithms are the perfect candidates to fit into the described use case. The Ascon family offers a low computational cost that translates into lower Ochkas, et al. Expires 7 January 2027 [Page 2] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 latency, reduced energy consumption, and higher throughput compared to traditional crypto algorithms. Moreover, all Ascon algorithms share a single permutation function allowing for a drastic reduction of memory footprint. Ascon-Based Lightweight Cryptography Standards for Constrained Devices [NIST.SP.800-232] introduces a suite of algorithms consisting of Ascon-AEAD128, an authenticated encryption with associated data (AEAD) algorithm; Ascon-Hash256, a hash function; and two eXtendable Output Functions (XOFs). As, in COSE, only AEAD and hash functions of Ascon family are relevant, this document focuses on the usage of Ascon-AEAD128 for COSE content encryption, and Ascon-Hash256 for KDF and MAC procedures. This document does not define any new cryptography, only serializations of existing cryptographic systems described in [NIST.SP.800-232]. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Ascon algorithms for COSE 3.1. Ascon-AEAD128 This document introduces Ascon-AEAD128 for COSE content encryption. Ascon AEAD algorithm is parametrized by the key size k, the nonce size n, the tag size t, the rate r, and the number of outer permutation rounds a and the number of inner permutation rounds b. [NIST.SP.800-232] specifies the Ascon-AEAD128 parameters with the following numerical values. Ochkas, et al. Expires 7 January 2027 [Page 3] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 +=========+=========+=========+=======+=============+=============+ | Key | Nonce | Tag | Rate, | Outer | Inner | | size, k | size, n | size, t | r | permutation | permutation | | | | | | rounds, a | rounds, b | +=========+=========+=========+=======+=============+=============+ | 128 | 128 | 32-128 | 128 | 12 | 8 | | bits | bits | bits | bits | | | +---------+---------+---------+-------+-------------+-------------+ Table 1: Ascon-AEAD128 parameters Note that the standard permits tag sizes t between 32 and 128 bits. Tags of less than 64 bits SHALL only be selected after a careful risk analysis. Since COSE can be used in a variety of scenarios, this document requests to register three configurations of Ascon-AEAD128 in [IANA.cose] with tag sizes of 32, 64, and 128 bits (see Table 2). Using the 32-bit variation is discouraged for typical scenarios and SHOULD be introduced only in extremely constrained use cases with justified security. +==================+================+============================+ | Name | alg | Description | +==================+================+============================+ | Ascon-AEAD128 | TBD (requested | Ascon-AEAD128 with 128-bit | | | assignment 35) | tag as the CBOR Object | | | | Encryption Algorithm | +------------------+----------------+----------------------------+ | Ascon-AEAD128/64 | TBD (requested | Ascon-AEAD128 with 64-bit | | | assignment 36) | tag as the CBOR Object | | | | Encryption Algorithm | +------------------+----------------+----------------------------+ | Ascon-AEAD128/32 | TBD (requested | Ascon-AEAD128 with 32-bit | | | assignment 37) | tag as the CBOR Object | | | | Encryption Algorithm | +------------------+----------------+----------------------------+ Table 2: New COSE AEAD algorithms with Ascon In COSE, keys may be obtained from either a key structure or a recipient structure [RFC9052]. When using a COSE key for this algorithm, the following checks are made: * The "kty" field MUST be present, and it MUST be "Symmetric". Ochkas, et al. Expires 7 January 2027 [Page 4] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 * If the "alg" field is present, it MUST match the variation of Ascon-AEAD128 algorithm being used. * If the "key_ops" field is present, it MUST include "encrypt" when encrypting. * If the "key_ops" field is present, it MUST include "decrypt" when decrypting. COSE encryption and decryption with Ascon-AEAD128 MUST be done in accordance with Section 5.3 of [RFC9052]. 3.2. Ascon-Hash256 This document introduces Ascon-Hash256 for Key Derivation Function (KDF) and Message Authentication Code (MAC) COSE operations. Ascon hash algorithm is parametrized by the rate r, the number of permutation rounds a, and the length of output l. [NIST.SP.800-232] specifies the Ascon-Hash256 parameters with the following numerical values. +=========+=======================+==================+ | Rate, r | Permutation rounds, a | Output length, l | +=========+=======================+==================+ | 64 bits | 12 | 256 bits | +---------+-----------------------+------------------+ Table 3: Ascon-Hash256 parameters 3.2.1. Ascon-Hash256 for KDF operations In COSE, integration Ascon-Hash256 for KDF operations SHALL be done via HMAC-based Extract-and-Expand KDF (HKDF) defined in [RFC5869]. HKDF leverages HMAC mechanism described in [RFC2104]. HMAC is an algorithm allowing usage of arbirtary cryptographic hash functions for message authentication. This KDF is described in Table 4. +====================+=========================+====================+ | Name | PRF | Description | +====================+=========================+====================+ | HKDF Ascon-Hash256 | HMAC with | HKDF using HMAC | | | Ascon-Hash256 | with Ascon-Hash256 | +--------------------+-------------------------+--------------------+ Table 4: New COSE KDF algorithms with Ascon Ochkas, et al. Expires 7 January 2027 [Page 5] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 COSE leverages KDF algorithms to perform direct encryption. Thus, this documents requests the registration of a new direct key with KDF algorithm using HKDF and Ascon-Hash256. The algorithm is defined in Table 5. +===========================+==========+=============+=============+ | Name |Value | KDF |Description | +===========================+==========+=============+=============+ | direct+HKDF-Ascon-Hash256 |TBD | HKDF Ascon- |Shared secret| | |(requested| Hash256 |w/ HKDF | | |assigment | |Ascon-Hash256| | |-20) | | | +---------------------------+----------+-------------+-------------+ Table 5: New COSE Direct Key with KDF algorithms with Ascon The algorithm from Table 5 MUST be used as described in Section 6.1.2 of [RFC9053]. 3.2.2. Ascon-Hash256 for MAC operations In COSE, integration Ascon-Hash256 for MAC operations SHALL be implemented via HMAC algorithm [RFC2104]. This algorithm is described in Table 6. +==================+==========+=============+======+===============+ | Name |Value |Hash |Tag | Description | | | | |Length| | +==================+==========+=============+======+===============+ | HMAC Ascon- |TBD |Ascon-Hash256|256 | HMAC w/ | | Hash256 |(requested| |bits | Ascon-Hash256 | | |assigment | | | | | |8) | | | | +------------------+----------+-------------+------+---------------+ | HMAC Ascon- |TBD |Ascon-Hash256|64 | HMAC w/ | | Hash256/64 |(requested| |bits | Ascon-Hash256 | | |assigment | | | truncated to | | |9) | | | 64 bits | +------------------+----------+-------------+------+---------------+ Table 6: New COSE MAC algorithms with Ascon The process of creation and verification of COSE MAC using the algorithms from Table 6 MUST follow Section 6.3 of [RFC9052]. Ochkas, et al. Expires 7 January 2027 [Page 6] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 4. IV Header Parameter Unlike some common AEAD algorithms, Ascon distinguishes between the notion of initialization vector (IV) and nonce (N). While N is the input argument for the Ascon-AEAD128 encryption/decryption functions, IV is the constant defined for each Ascon algorithm used as part of state initialization. However, [IANA.cose] does not define a separate header parameter to specify Nonce. Thus, in COSE, whenever Full Initialization Vector Header Parameter (Name: IV, Label: 5) or Partial Initialization Vector Header Parameter (Name: Partial IV, Label: 6) is specified it SHALL refer to the N argument of the corresponding Ascon function. 5. Security Considerations The security considerations for [NIST.SP.800-232], [RFC7516], [RFC7517] and [RFC9052] apply to this specification as well. According to the most recent security analysis publications, Ascon did not show any security vulnerabilities so far and the best attacks target the initialization of Ascon reduced to 7 (out of 12) rounds, concluding that Ascon has a security margin of 5 rounds (42 % of the 12 rounds). More details are available at List of Published Analysis section of [asconv1.2-nist]. 6. IANA Considerations 6.1. Additions to COSE Algorithms Registry IANA is requested to add the following entries to the COSE Algorithms Registry. The following completed registration templates are provided as described in [RFC9053]. The "Recommended" fields for Ascon-AEAD128/32 and HMAC Ascon-Hash256/64 are set to "Filter Only" to discourage unreflected usage. 6.1.1. Ascon-AEAD128 for COSE * Name: Ascon-AEAD128 * Value: TBD (requested assignment 35) * Description: Ascon-AEAD128 with 128-bit tag * Capabilities: [kty] * Reference: NIST SP 800-232 Ochkas, et al. Expires 7 January 2027 [Page 7] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 * Recommended: Yes 6.1.2. Ascon-AEAD128/64 for COSE * Name: Ascon-AEAD128/64 * Value: TBD (requested assignment 36) * Description: Ascon-AEAD128 with 64-bit tag * Capabilities: [kty] * Reference: NIST SP 800-232 * Recommended: Yes 6.1.3. Ascon-AEAD128/32 for COSE * Name: Ascon-AEAD128/32 * Value: TBD (requested assignment 37) * Description: Ascon-AEAD128 with 32-bit tag * Capabilities: [kty] * Reference: NIST SP 800-232 * Recommended: Filter Only 6.1.4. direct+HKDF-Ascon-Hash256 for COSE * Name: direct+HKDF-Ascon-Hash256 * Value: TBD (requested assignment -20) * Description: Shared secret w/ HKDF Ascon-Hash256 * Capabilities: [kty] * Reference: NIST SP 800-232 * Recommended: Yes 6.1.5. HMAC Ascon-Hash256 for COSE * Name: HMAC Ascon-Hash256 Ochkas, et al. Expires 7 January 2027 [Page 8] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 * Value: TBD (requested assignment 8) * Description: HMAC w/ Ascon-Hash256 * Capabilities: [kty] * Reference: NIST SP 800-232 * Recommended: Yes 6.1.6. HMAC Ascon-Hash256/64 for COSE * Name: HMAC Ascon-Hash256/64 * Value: TBD (requested assignment 9) * Description: HMAC w/ Ascon-Hash256 truncated to 64 bits * Capabilities: [kty] * Reference: NIST SP 800-232 * Recommended: Filter Only 7. References 7.1. Normative References [IANA.cose] IANA, "CBOR Object Signing and Encryption (COSE)", . [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, . Ochkas, et al. Expires 7 January 2027 [Page 9] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, May 2015, . [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015, . [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, May 2015, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, August 2022, . 7.2. Informative References [asconv1.2-caesar] Dobraunig, C., Eichlseder, M., Mendel, F., and M. Schläffer, "Ascon v1.2, Submission to Round 3 of the CAESAR competition", 2016, . [asconv1.2-nist] Dobraunig, C., Eichlseder, M., Mendel, F., and M. Schläffer, "Ascon v1.2, Submission to Final Round of the NIST Lightweight Cryptography project", 2021, . [NIST.SP.800-232] Turan, M. S., McKay, K. A., Kang, J., and J. Kelsey, "Ascon-Based Lightweight Cryptography Standards for Constrained Devices", DOI 10.6028/NIST.SP.800-232, August 2025, . Ochkas, et al. Expires 7 January 2027 [Page 10] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 Appendix A. Examples This appendix provides some examples of various Ascon-AEAD128 encryptions with COSE. A.1. COSE Content Encryption A.1.1. Simple Ascon-AEAD128 encryption { "plaintext": "This is the content.", "nonce_hex": "00000000000000000000000000000000", "AAD_hex": "8367456E637279707443A1010140", "CEK_hex": "849B57219DAE48DE646D07DBB533566E", "Encrypt0_hex": "8344A1011823A1055000000000000000000000000000000000582461484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96", "Encrypt0_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'61484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96']" } A.1.2. Direct Ascon-AEAD128 encryption with recipient { "plaintext": "This is the content.", "nonce_hex": "00000000000000000000000000000000", "AAD_hex": "8367456E637279707443A1010140", "CEK_hex": "849B57219DAE48DE646D07DBB533566E", "key": { "kid": "abcdef", "kty": "Symmetric" }, "Encrypt": "8444A1011823A10550000000000000000000000000000000005824D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44818340A20125044661626364656640", "Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44', [[h'', {1: -6, 4: h'616263646566'}, h'']]]" } A.1.3. Direct Ascon-AEAD128 encryption with HKDF-SHA-256 { "plaintext": "This is the content.", "nonce_hex": "00000000000000000000000000000000", "AAD_hex": "8367456E637279707443A1010140", "CEK_hex": "849B57219DAE48DE646D07DBB533566E", "key": { "kid": "abcdef", "kty": "Symmetric" }, "salt": "abcdefghijlmnopq", "Encrypt": "8444A1011823A10550000000000000000000000000000000005824B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF818340A3012933506162636465666768696A6C6D6E6F7071044661626364656640", "Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF', [[h'', {1: -10, -20: h'6162636465666768696A6C6D6E6F7071', 4: h'616263646566'}, h'']]]" } Ochkas, et al. Expires 7 January 2027 [Page 11] Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026 Authors' Addresses Dmytro Ochkas IMT Atlantique Email: dmytro.ochkas@imt-atlantique.fr Hélène Le Bouder IMT Atlantique Email: helene.le-bouder@imt-atlantique.fr Alexander Pelov IMT Atlantique Email: alexander.pelov@imt-atlantique.fr Ochkas, et al. Expires 7 January 2027 [Page 12]