<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 3.2.3) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-ochkas-cose-ascon-04" category="info" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title>Ascon-AEAD128 and Ascon-Hash256 for COSE</title>

    <author initials="D." surname="Ochkas" fullname="Dmytro Ochkas">
      <organization>IMT Atlantique</organization>
      <address>
        <email>dmytro.ochkas@imt-atlantique.fr</email>
      </address>
    </author>
    <author initials="H." surname="Le Bouder" fullname="Hélène Le Bouder">
      <organization>IMT Atlantique</organization>
      <address>
        <email>helene.le-bouder@imt-atlantique.fr</email>
      </address>
    </author>
    <author initials="A." surname="Pelov" fullname="Alexander Pelov">
      <organization>IMT Atlantique</organization>
      <address>
        <email>alexander.pelov@imt-atlantique.fr</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>General</area>
    <workgroup>COSE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<?line 89?>

<t>This document describes CBOR Object Signing and Encryption (COSE) serialization with Ascon,
 a NIST standard for lightweight cryptography.</t>

<t>In 2019, as a part of CAESAR competition, Ascon-128 and Ascon-128a were
selected as the first choice for the lightweight authenticated encryption.
After, in 2023, National Institute of Standards and Technology (NIST) selected
Ascon family of cryptographic algorithms to be the standard for lightweight
cryptography. In August 2025, NIST Special Publication 800-232 was released,
defining Ascon-based lightweight cryptography standards for constrained
devices. This recognition makes it particularly interesting
to enable using Ascon with COSE structures.</t>



    </abstract>



  </front>

  <middle>


<?line 103?>

<section anchor="intro"><name>Introduction</name>

<t>Constrained networks such as Internet of Things (IoT) networks most of the
time are characterized by the limited computational power and energy.
In this context, the choice of suitable cryptographic suites that provide 
reliable security without consuming large amount of resources is essential.
As a winner of the lightweight cryptography standardization process conducted by
NIST, Ascon algorithms are the perfect candidates to fit into the described
use case. The Ascon family offers a low computational cost that translates into
lower latency, reduced energy consumption, and higher throughput compared to
traditional crypto algorithms. Moreover, all Ascon algorithms share a single
permutation function allowing for a drastic reduction of memory footprint.</t>

<t>Ascon-Based Lightweight Cryptography Standards for Constrained Devices
<xref target="NIST.SP.800-232"/> introduces a suite of algorithms consisting of Ascon-AEAD128,
an authenticated encryption with associated data (AEAD) algorithm; Ascon-Hash256,
a hash function; and two eXtendable Output Functions (XOFs).</t>

<t>As, in COSE, only AEAD and hash functions of Ascon family are relevant, this document
focuses on the usage of Ascon-AEAD128 for COSE content encryption, and Ascon-Hash256
for KDF and MAC procedures.</t>

<t>This document does not define any new cryptography, only
serializations of existing cryptographic systems described in
<xref target="NIST.SP.800-232"/>.</t>

</section>
<section anchor="need"><name>Terminology</name>

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.</t>

</section>
<section anchor="algos"><name>Ascon algorithms for COSE</name>

<section anchor="ascon-aead128"><name>Ascon-AEAD128</name>

<t>This document introduces Ascon-AEAD128 for COSE content encryption. Ascon AEAD algorithm is parametrized by the key size k, the nonce size n, the tag size t, the rate r, and the number of outer permutation rounds a and the number of inner permutation rounds b.
<xref target="NIST.SP.800-232"/> specifies the Ascon-AEAD128 parameters with the following numerical values.</t>

<texttable title="Ascon-AEAD128 parameters" anchor="asconaeadparams">
      <ttcol align='left'>Key size, k</ttcol>
      <ttcol align='left'>Nonce size, n</ttcol>
      <ttcol align='left'>Tag size, t</ttcol>
      <ttcol align='left'>Rate, r</ttcol>
      <ttcol align='left'>Outer permutation rounds, a</ttcol>
      <ttcol align='left'>Inner permutation rounds, b</ttcol>
      <c>128 bits</c>
      <c>128 bits</c>
      <c>32-128 bits</c>
      <c>128 bits</c>
      <c>12</c>
      <c>8</c>
</texttable>

<t>Note that the standard permits tag sizes t between 32 and 128 bits.
Tags of less than 64 bits SHALL only be selected after a careful risk analysis.</t>

<t>Since COSE can be used in a variety of scenarios, this document requests to register three configurations of Ascon-AEAD128 in <xref target="IANA.cose"/> with tag sizes of 32, 64, and 128 bits (see <xref target="cosealgos"/>). Using the 32-bit variation is discouraged for typical scenarios and SHOULD be introduced only in extremely constrained use cases with justified security.</t>

<texttable title="New COSE AEAD algorithms with Ascon" anchor="cosealgos">
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>alg</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>Ascon-AEAD128</c>
      <c>TBD (requested assignment 35)</c>
      <c>Ascon-AEAD128 with 128-bit tag as the CBOR Object Encryption Algorithm</c>
      <c>Ascon-AEAD128/64</c>
      <c>TBD (requested assignment 36)</c>
      <c>Ascon-AEAD128 with 64-bit tag as the CBOR Object Encryption Algorithm</c>
      <c>Ascon-AEAD128/32</c>
      <c>TBD (requested assignment 37)</c>
      <c>Ascon-AEAD128 with 32-bit tag as the CBOR Object Encryption Algorithm</c>
</texttable>

<t>In COSE, keys may be obtained from either a key structure or a recipient structure <xref target="RFC9052"/>.</t>

<t>When using a COSE key for this algorithm, the following checks are made:</t>

<t><list style="symbols">
  <t>The "kty" field MUST be present, and it MUST be "Symmetric".</t>
  <t>If the "alg" field is present, it MUST match the variation of Ascon-AEAD128 algorithm being used.</t>
  <t>If the "key_ops" field is present, it MUST include "encrypt" when encrypting.</t>
  <t>If the "key_ops" field is present, it MUST include "decrypt" when decrypting.</t>
</list></t>

<t>COSE encryption and decryption with Ascon-AEAD128 MUST be done in accordance with Section 5.3 of <xref target="RFC9052"/>.</t>

</section>
<section anchor="hash"><name>Ascon-Hash256</name>

<t>This document introduces Ascon-Hash256 for Key Derivation Function (KDF) and Message Authentication Code (MAC) COSE operations.
Ascon hash algorithm is parametrized by the rate r, the number of permutation rounds a, and the length of output l.
<xref target="NIST.SP.800-232"/> specifies the Ascon-Hash256 parameters with the following numerical values.</t>

<texttable title="Ascon-Hash256 parameters" anchor="asconhashparams">
      <ttcol align='left'>Rate, r</ttcol>
      <ttcol align='left'>Permutation rounds, a</ttcol>
      <ttcol align='left'>Output length, l</ttcol>
      <c>64 bits</c>
      <c>12</c>
      <c>256 bits</c>
</texttable>

<section anchor="ascon-hash256-for-kdf-operations"><name>Ascon-Hash256 for KDF operations</name>

<t>In COSE, integration Ascon-Hash256 for KDF operations SHALL be done via HMAC-based Extract-and-Expand KDF (HKDF) defined in <xref target="RFC5869"/>.
HKDF leverages HMAC mechanism described in <xref target="RFC2104"/>. HMAC is an algorithm allowing usage of
arbirtary cryptographic hash functions for message authentication. This KDF is described in <xref target="cosekdfalgos"/>.</t>

<texttable title="New COSE KDF algorithms with Ascon" anchor="cosekdfalgos">
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>PRF</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>HKDF Ascon-Hash256</c>
      <c>HMAC with Ascon-Hash256</c>
      <c>HKDF using HMAC with Ascon-Hash256</c>
</texttable>

<t>COSE leverages KDF algorithms to perform direct encryption. Thus, this documents requests the registration of
a new direct key with KDF algorithm using HKDF and Ascon-Hash256. The algorithm is defined in <xref target="cosehashalgos"/>.</t>

<texttable title="New COSE Direct Key with KDF algorithms with Ascon" anchor="cosehashalgos">
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Value</ttcol>
      <ttcol align='left'>KDF</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>direct+HKDF-Ascon-Hash256</c>
      <c>TBD (requested assigment -20)</c>
      <c>HKDF Ascon-Hash256</c>
      <c>Shared secret w/ HKDF Ascon-Hash256</c>
</texttable>

<t>The algorithm from <xref target="cosehashalgos"/> MUST be used as described in Section 6.1.2 of <xref target="RFC9053"/>.</t>

</section>
<section anchor="ascon-hash256-for-mac-operations"><name>Ascon-Hash256 for MAC operations</name>

<t>In COSE, integration Ascon-Hash256 for MAC operations SHALL be implemented via HMAC algorithm <xref target="RFC2104"/>.
This algorithm is described in <xref target="cosemacalgos"/>.</t>

<texttable title="New COSE MAC algorithms with Ascon" anchor="cosemacalgos">
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Value</ttcol>
      <ttcol align='left'>Hash</ttcol>
      <ttcol align='left'>Tag Length</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>HMAC Ascon-Hash256</c>
      <c>TBD (requested assigment 8)</c>
      <c>Ascon-Hash256</c>
      <c>256 bits</c>
      <c>HMAC w/ Ascon-Hash256</c>
      <c>HMAC Ascon-Hash256/64</c>
      <c>TBD (requested assigment 9)</c>
      <c>Ascon-Hash256</c>
      <c>64 bits</c>
      <c>HMAC w/ Ascon-Hash256 truncated to 64 bits</c>
</texttable>

<t>The process of creation and verification of COSE MAC using the algorithms from <xref target="cosemacalgos"/> MUST follow Section 6.3 of <xref target="RFC9052"/>.</t>

</section>
</section>
</section>
<section anchor="iv"><name>IV Header Parameter</name>

<t>Unlike some common AEAD algorithms, Ascon distinguishes between the notion
of initialization vector (IV) and nonce (N). While N is the input argument
for the Ascon-AEAD128 encryption/decryption functions, IV is the constant defined
for each Ascon algorithm used as part of state initialization.</t>

<t>However, <xref target="IANA.cose"/> does not define a separate header parameter to specify Nonce.
Thus, in COSE, whenever Full Initialization Vector Header Parameter (Name: IV,
Label: 5) or Partial Initialization Vector Header Parameter (Name: Partial IV, Label: 6) is
specified it SHALL refer to the N argument of the corresponding Ascon function.</t>

</section>
<section anchor="security"><name>Security Considerations</name>

<t>The security considerations for <xref target="NIST.SP.800-232"/>, <xref target="RFC7516"/>, <xref target="RFC7517"/> and <xref target="RFC9052"/> apply to
this specification as well.</t>

<t>According to the most recent security analysis publications, Ascon did not show any
security vulnerabilities so far and the best attacks target the initialization of Ascon
reduced to 7 (out of 12) rounds, concluding that Ascon has a security margin of 5 rounds
(42 % of the 12 rounds). More details are available at List of Published Analysis section of <xref target="asconv1.2-nist"/>.</t>

</section>
<section anchor="iana"><name>IANA Considerations</name>

<section anchor="additions-to-cose-algorithms-registry"><name>Additions to COSE Algorithms Registry</name>

<t>IANA is requested to add the following entries to the COSE Algorithms
Registry. The following completed registration templates are
provided as described in <xref target="RFC9053"/>. The "Recommended" fields
for Ascon-AEAD128/32 and HMAC Ascon-Hash256/64 are set to
"Filter Only" to discourage unreflected usage.</t>

<section anchor="ascon-aead128-for-cose"><name>Ascon-AEAD128 for COSE</name>

<t><list style="symbols">
  <t>Name: Ascon-AEAD128</t>
  <t>Value: TBD (requested assignment 35)</t>
  <t>Description: Ascon-AEAD128 with 128-bit tag</t>
  <t>Capabilities: [kty]</t>
  <t>Reference: NIST SP 800-232</t>
  <t>Recommended: Yes</t>
</list></t>

</section>
<section anchor="ascon-aead12864-for-cose"><name>Ascon-AEAD128/64 for COSE</name>

<t><list style="symbols">
  <t>Name: Ascon-AEAD128/64</t>
  <t>Value: TBD (requested assignment 36)</t>
  <t>Description: Ascon-AEAD128 with 64-bit tag</t>
  <t>Capabilities: [kty]</t>
  <t>Reference: NIST SP 800-232</t>
  <t>Recommended: Yes</t>
</list></t>

</section>
<section anchor="ascon-aead12832-for-cose"><name>Ascon-AEAD128/32 for COSE</name>

<t><list style="symbols">
  <t>Name: Ascon-AEAD128/32</t>
  <t>Value: TBD (requested assignment 37)</t>
  <t>Description: Ascon-AEAD128 with 32-bit tag</t>
  <t>Capabilities: [kty]</t>
  <t>Reference: NIST SP 800-232</t>
  <t>Recommended: Filter Only</t>
</list></t>

</section>
<section anchor="directhkdf-ascon-hash256-for-cose"><name>direct+HKDF-Ascon-Hash256 for COSE</name>

<t><list style="symbols">
  <t>Name: direct+HKDF-Ascon-Hash256</t>
  <t>Value: TBD (requested assignment -20)</t>
  <t>Description: Shared secret w/ HKDF Ascon-Hash256</t>
  <t>Capabilities: [kty]</t>
  <t>Reference: NIST SP 800-232</t>
  <t>Recommended: Yes</t>
</list></t>

</section>
<section anchor="hmac-ascon-hash256-for-cose"><name>HMAC Ascon-Hash256 for COSE</name>

<t><list style="symbols">
  <t>Name: HMAC Ascon-Hash256</t>
  <t>Value: TBD (requested assignment 8)</t>
  <t>Description: HMAC w/ Ascon-Hash256</t>
  <t>Capabilities: [kty]</t>
  <t>Reference: NIST SP 800-232</t>
  <t>Recommended: Yes</t>
</list></t>

</section>
<section anchor="hmac-ascon-hash25664-for-cose"><name>HMAC Ascon-Hash256/64 for COSE</name>

<t><list style="symbols">
  <t>Name: HMAC Ascon-Hash256/64</t>
  <t>Value: TBD (requested assignment 9)</t>
  <t>Description: HMAC w/ Ascon-Hash256 truncated to 64 bits</t>
  <t>Capabilities: [kty]</t>
  <t>Reference: NIST SP 800-232</t>
  <t>Recommended: Filter Only</t>
</list></t>

</section>
</section>
</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2104">
  <front>
    <title>HMAC: Keyed-Hashing for Message Authentication</title>
    <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
    <author fullname="M. Bellare" initials="M." surname="Bellare"/>
    <author fullname="R. Canetti" initials="R." surname="Canetti"/>
    <date month="February" year="1997"/>
    <abstract>
      <t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2104"/>
  <seriesInfo name="DOI" value="10.17487/RFC2104"/>
</reference>

<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>

<reference anchor="RFC5869">
  <front>
    <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
    <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
    <author fullname="P. Eronen" initials="P." surname="Eronen"/>
    <date month="May" year="2010"/>
    <abstract>
      <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5869"/>
  <seriesInfo name="DOI" value="10.17487/RFC5869"/>
</reference>

<reference anchor="RFC7516">
  <front>
    <title>JSON Web Encryption (JWE)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="J. Hildebrand" initials="J." surname="Hildebrand"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7516"/>
  <seriesInfo name="DOI" value="10.17487/RFC7516"/>
</reference>

<reference anchor="RFC7517">
  <front>
    <title>JSON Web Key (JWK)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7517"/>
  <seriesInfo name="DOI" value="10.17487/RFC7517"/>
</reference>

<reference anchor="RFC7518">
  <front>
    <title>JSON Web Algorithms (JWA)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7518"/>
  <seriesInfo name="DOI" value="10.17487/RFC7518"/>
</reference>

<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>

<reference anchor="RFC9052">
  <front>
    <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <date month="August" year="2022"/>
    <abstract>
      <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
      <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="96"/>
  <seriesInfo name="RFC" value="9052"/>
  <seriesInfo name="DOI" value="10.17487/RFC9052"/>
</reference>

<reference anchor="RFC9053">
  <front>
    <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <date month="August" year="2022"/>
    <abstract>
      <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
      <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9053"/>
  <seriesInfo name="DOI" value="10.17487/RFC9053"/>
</reference>

<reference anchor="IANA.cose" target="https://www.iana.org/assignments/cose">
  <front>
    <title>CBOR Object Signing and Encryption (COSE)</title>
    <author>
      <organization>IANA</organization>
    </author>
  </front>
</reference>




    </references>

    <references title='Informative References' anchor="sec-informative-references">

<reference anchor="asconv1.2-caesar" target="https://competitions.cr.yp.to/round3/asconv12.pdf">
  <front>
    <title>Ascon v1.2, Submission to Round 3 of the CAESAR competition</title>
    <author initials="C." surname="Dobraunig" fullname="Christoph Dobraunig">
      <organization></organization>
    </author>
    <author initials="M." surname="Eichlseder" fullname="Maria Eichlseder">
      <organization></organization>
    </author>
    <author initials="F." surname="Mendel" fullname="Florian Mendel">
      <organization></organization>
    </author>
    <author initials="M." surname="Schläffer" fullname="Martin Schläffer">
      <organization></organization>
    </author>
    <date year="2016"/>
  </front>
</reference>
<reference anchor="asconv1.2-nist" target="https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf">
  <front>
    <title>Ascon v1.2, Submission to Final Round of the NIST Lightweight Cryptography project</title>
    <author initials="C." surname="Dobraunig" fullname="Christoph Dobraunig">
      <organization></organization>
    </author>
    <author initials="M." surname="Eichlseder" fullname="Maria Eichlseder">
      <organization></organization>
    </author>
    <author initials="F." surname="Mendel" fullname="Florian Mendel">
      <organization></organization>
    </author>
    <author initials="M." surname="Schläffer" fullname="Martin Schläffer">
      <organization></organization>
    </author>
    <date year="2021"/>
  </front>
</reference>
<reference anchor="NIST.SP.800-232" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.pdf">
  <front>
    <title>Ascon-Based Lightweight Cryptography Standards for Constrained Devices</title>
    <author initials="M. S." surname="Turan" fullname="Meltem Sönmez Turan">
      <organization></organization>
    </author>
    <author initials="K. A." surname="McKay" fullname="Kerry A. McKay">
      <organization></organization>
    </author>
    <author initials="J." surname="Kang" fullname="Jinkeon Kang">
      <organization></organization>
    </author>
    <author initials="J." surname="Kelsey" fullname="John Kelsey">
      <organization></organization>
    </author>
    <date year="2025" month="August"/>
  </front>
  <seriesInfo name="DOI" value="10.6028/NIST.SP.800-232"/>
</reference>


    </references>

</references>


<?line 342?>

<section anchor="xmp"><name>Examples</name>

<t>This appendix provides some examples of various Ascon-AEAD128 encryptions with COSE.</t>

<section anchor="cose-content-encryption"><name>COSE Content Encryption</name>

<section anchor="simple-ascon-aead128-encryption"><name>Simple Ascon-AEAD128 encryption</name>

<figure><artwork><![CDATA[
{
  "plaintext": "This is the content.",
  "nonce_hex": "00000000000000000000000000000000",
  "AAD_hex": "8367456E637279707443A1010140",
  "CEK_hex": "849B57219DAE48DE646D07DBB533566E",
  "Encrypt0_hex": "8344A1011823A1055000000000000000000000000000000000582461484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96",
  "Encrypt0_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'61484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96']"  
}
]]></artwork></figure>

</section>
<section anchor="direct-ascon-aead128-encryption-with-recipient"><name>Direct Ascon-AEAD128 encryption with recipient</name>

<figure><artwork><![CDATA[
{
  "plaintext": "This is the content.",
  "nonce_hex": "00000000000000000000000000000000",
  "AAD_hex": "8367456E637279707443A1010140",
  "CEK_hex": "849B57219DAE48DE646D07DBB533566E",
  "key": {
    "kid": "abcdef",
    "kty": "Symmetric"
  },
  "Encrypt": "8444A1011823A10550000000000000000000000000000000005824D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44818340A20125044661626364656640",
  "Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44', [[h'', {1: -6, 4: h'616263646566'}, h'']]]"
}
]]></artwork></figure>

</section>
<section anchor="direct-ascon-aead128-encryption-with-hkdf-sha-256"><name>Direct Ascon-AEAD128 encryption with HKDF-SHA-256</name>

<figure><artwork><![CDATA[
{
  "plaintext": "This is the content.",
  "nonce_hex": "00000000000000000000000000000000",
  "AAD_hex": "8367456E637279707443A1010140",
  "CEK_hex": "849B57219DAE48DE646D07DBB533566E",
  "key": {
    "kid": "abcdef",
    "kty": "Symmetric"
  },
  "salt": "abcdefghijlmnopq",
  "Encrypt": "8444A1011823A10550000000000000000000000000000000005824B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF818340A3012933506162636465666768696A6C6D6E6F7071044661626364656640",
  "Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF', [[h'', {1: -10, -20: h'6162636465666768696A6C6D6E6F7071', 4: h'616263646566'}, h'']]]"
}
]]></artwork></figure>

</section>
</section>
</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA+1a624bR5b+309RoLGwNEtSvDYvgwBLkdRYY1vySo4zg8AI
is0iWVFfmO6mZEbyPs3+2H2BfYG82H7nVF95iZWMs8AuVgHiZrMu5/Kdc75T
xVqtZsU6dtVQjCIn8Guj6WjSbPWF9OfJm1cyWrW6tlgEoRhf306tF0LOZqG6
HwprHji+9DB5HspFXAuc1Z2Mak4QqZrkyY2ONZcxBrQaLbvW6NUatuXgxTII
t0Oh/UVgWXodDkUcbqK41WgMGi1LhkoOxV+Ur0LpWg9BeLcMg816yNuL7/BZ
+0vxF3pn3aktBsyH4tKPVeiruDYhUSwriqHCD9INfOy+VZG11kPxfRw4VREF
YRyqRYSnrUcPHy1LbuJVEA4tUbME/rQfDcWkLq5ZI35lFJ142zgMiu+DcCl9
/bOMdeBDjLfvxSh2pR/rnzaKByhPahcm4pl1Y6N/0V5ck9m4+iIs7fyqLt4o
cR5s5iosbP7ql/90f/kPX+18+VwJVsqFTeuuqs148heEGNXFO+UG9wUBRq76
BLOqsPDNc3eX6dz6muYe2Nzyg9DDOvcKfhA3F+NWs9HJHpuD5LHbt9PHXrdp
54+9/LGfPPabvXSFQaPbyh/b9Hg5uhrVCa1DoBBYLOzO8L1v1ls1R6pIEjLw
VwwVQd9Wxe1m5ukogvIiDsRNsEHgtEWwEPFKifFoeju6EU7grRXmYpBZRoZL
FcMhcbyOhmdnhe+juhPWt+t6HJyFtFb7LJGkVV/PFzw7gyr/1ZJ/UxeNV6GO
4mC9EpNgFsqNr5dHRr6VoZZiqp2VG6kUS/vDLtwA43zxVsF57vG1Yu2LW6z1
y78vFsliaeg37ZJFfQj4THteaF+6iVUTm15d3r4Xb/RyFT8o+r8Yh9t1HCxD
uV5txToMflROfNjMUejUafP6Mrg/G9/ejM88Ndfy7J2ZFJ25+bI1p7DsGRLd
xlM+hixIIqxRY/ecbdak5LwWrZVTwyjjLvORh/4vdluriY9k7vrtu3q/0ai1
2q19v9XOJeQ47pFbSsQynEemggDicSi1jykTda8dFR30lX/vrjezKHcXPdCb
s1uYVkv33WbmaoezTnS2I+Qzbf5WubHyxO0v/+V76mfxfhNK/8jQ1yoMt5QR
3zqv5fbIoL9q/04Bt6+lf8x5fw1W+F7Bc9uCqUebJaofWbzLbyMVahVRRkpF
n1xfDkWzUbcbrf6utpZl1Wo1FGUyLKBvvV/pSKSIFXMVOaGeqUiMz69vxPWM
oC5u9dKnKkp1fuoz1inkTqjEnrIAQLlJ6uJBxyvj66olpAnAKPEqO7UQNqIY
NnXLuvQp/gdVhD+mroE3iuP9vFhNwFTmHvgkxYMKlRWhdjkINFqHssBCh7CY
swqAIJaBXhblINdDfYIIZqlMxbo1WoApVFHjyODtqrhiLZFmLgFNHW9iRSLm
sCVx3itn5QdusNyKE9KfTGQEskzyWkhPu1uaWDCAdlD1QHVgPy+idDZTLOcx
41kl40GeIjKqxvAJ/EUB/yIBgniAcULIRQFZteYKCYh8bGw54zA95qpMJhOm
Th6mWIfDtC4YV6FyAkCH9/XkHWClY/ardjauDGEDTUxMwZSIAuisfDlzldhE
mSgGUEzmsMnGiTcYXjco9vR87irCDcjSHN/RPsnf4wtNbz9b3xT+LKuYUkAA
iS9GIto4K8JKSgvJM5DfX0bi5DKA/7KRXhDFSW0BFfaUAP0EsCTFEsLgZ6w6
2ybw8jSBiWC7iVPUrAMAlEFChHUJ0MNvMZkKqsbqU1zlyQlUsVG00TGbpIwU
eq0I3DKmKnav50pY8KbmsZFyNsDRlm0XbGL20MYjm7qUOoX0UI9YERgz2IQO
eSYSKoooClCHAFRE4IP2IWVaS7+IhjQFQCAsyCqRU9gmFuExidsizsl+tPha
hQtKNQ6W0pToOAQWgAvcGPCQNDfNrU0EewChhDIldmIKhYlkd4OHHds75Du2
GADgRy5vQqtbLnuFXvjOtgqbQGyVuigx3tokHnLdCiZQlERQ1ZerNdvXA6ox
BYth8blOt2QzFfRFTQhCFdxTTpGuu2+PaEUWkYICANCGWbxEA7HY+AbhmBg8
kDMp+CS1U4gfx4jNA+AwT3nomjAiiNchlETEfKUC/Pi4U1I+fxY6CUBFlmds
kgwFtciGmqOcvih1j1ULxONYAjbRL6MoQB6jrwANKU5o6mm+/p/L3SdWFCs8
Zhb7M7sNISzU3+DjOQfJ9SYm110kYxDqf7u+iE7ZUJzwKedUReADVbSfcX1x
2SjTJUUf+Y5y6j0alaqJ67S0Wgs8RDAQcdUVpTi5VHvGyBpnkw8Qo7ktqvt9
tkXDX08u+Ju3o7EJvXmSIndKe4DN/YBqPFI9MOZvkdceSqFs1LVKFZ21VJ8S
7+2koW0EUhTloQm7HQIICQMk66QqIjn7Ss1LuZnEVQIduqAWPRKVt9/evq9U
zb/i6pqfb6b/+u3lzXRCz7evRm/eZA9mhIUP19++Sb6np3zm+Prt2+nVxEzG
W7Hz6u3o7xU2sVW5fvf+8vpq9KZCMCh50eQrrs1cudahSnhGyQTn43ei2RGP
j0kzihDhZ+ow8fwArBtvMrrMR4ACAFqvlQxpWwS55cg1sr8bMSGKVsGDj7Y8
VLCmtZc4MuDAuPQ6Kle+b8plsAQ6qqX53y5uCrH9bKjWk7AwcZMKSSUGaRLc
Ni6VSnJ6hBfizlQ/P/BR/PiNsQsI/9J8TupjiFwgQmNCnrHxZqZQodrhoZg2
ufWivLQ/2JS3A4Nn9YNpjho1vdDKsMqyNRLFqPhwzmLeGaSZGnsiphyUhHvp
bjg6n14nalfF3dNVpnJV+E/vE3Wh7NMNVEVJero+ohiM8HR5RI+qmD1ZTyTd
TMdR/tBu1fZfNltP/SfrcShecFcqlZyzTpFp4L6pHNO38tmyroJYJbW1SFlJ
JKyd+Q9PCB0UHuULUFDySLp/3YLWnGtc4g5Yyxd2h78SJsI5VmZK5OyeuDkc
6yAoFxtXoCm+w5rS3aLW1IVl3WqyqsEolptR1uUAxaR7dMYqZhIeOaCdoQ6i
nZSNVP4TfBUzFQnVEinQlH2lCPMLvUQTWC4EmXmwx+NjdmREMc+gyOyACe1W
FRpWS1YQJxEWf3ykSSaKP5/WxbdMh8my8ByGsfDG0SSuxs6QZKlMjxBv14y0
TC3eIUmHJnGZgE7SD0QF8QyVp9xtkcuLlGYliP4RzQWhf57xS0LxFVDwBFGf
JpwAOfwBupI1nt6fT8RJYk1OlxE6SjZxu3taHmv2wgMrSgZLmrhiQ1poQkdp
dtnd9Mzu/Nq+9sF97c4/vG279Wvb9g5um7j1N21LkZrBJI3RKxR0xns580aF
tpzC9TJlN0i9aGokx1Uwi43fF2HgCYUJHF2cndPOSzDjRFun15r0yb/g+kbH
plztv0NJS7o4aQSiZUzrDchmglV38qSzUs6d6Qo8OaejViH+xCy/chdvK2gI
lAumQ5QAEqP6UsNiQgj2S99XbrceFxmnUjcrXJoWpoKN00WoGKXz07mejB2T
uvMI2wvtvJ7NFMlMOWVnGyj7Q7COfm0rpCZ3g66tklTNCtOArIb6y39gybkq
Lpl8MkuyLwr8miyXDiid3mTqpkadB77i1Ok4IGiSMiuPvlWm6ejW+SS7jIPy
rdDjC+LPn38j3yjeKVHNnKCS3hvfpORdnIAEnxoWjOpBzHqUdxQ0YBzAMCeg
yKcGjgFKk8nd9YRLMbX/IldJmUeZSBziGzk7cZW/hKEMO6Gew30+vUiV/+30
IiUO7w5ShqT7MaJVhYs0llRbIgK0Iz/nfIDMc4gP7AtICebFixeHvIdOJTe8
wKBCKiI+vTRffXmqYQQpKu+1FK/g2+TYavqJzzZrsH9t+mlNbqDpJ68YJKb9
mZsKndwQEVbpW9gDrTngE/F66KId8BAdeSV6n/L6Brh83QyknFag43mLnrZ5
lgxnOowlevJyC7XTUZKuXgJhWYJwcqRGUupoVx4qBHfzRUIZsrr87uZipy6z
liXzPrEChcDP3tNQk8OPDcmKULr3Xh3i5vRYGeIRucl3xoJ00alQEML6OqRC
WGww3q82u3wtKhA2ClVmbGGaxS3J7W6yFDeaJExp01TdtKUuaWtOm0oZooQl
sgN5c9cJHygkn7DkjiuMJP9Mm9XKZj3EHzg31lqN00MuvF3x6RN4GfpR8XAm
DozJfJXJuOesibHN64O22XVe2RjMGfZskBUP5t07XXJWOex6s94q1o42W+9w
DiEk/s4csjM1yyHaW7uK7Aux0lRSUK0Y7aZW7WBgLxI96RwGAUnD3d0bzru7
sUn7PhMJ/ZRHpiOzlG1i9WzX+wdWP8aQeYPB7gZpeTi4Pv0kwzeHdwjbdGgG
udQge4grWfoQwtKzZL4rUTLjLMgZKJVORtGy1TZZr1Q8HMnRmfvGgNMU0QIW
D7CYyw/iFdph+iVDWuXMDcP9wUMWy/rWd/UdOtXAo07R8/aOQqL0KHxuztU2
OlohA6a9sTkF4Z8A8DGFjgs3bPcQFWg+ufxgGI85Ljm5QqP43Uq7SlwRLGkJ
7VONl+EyPYEMDxxc5En1rEAEs4pUFdA+WY+bQ+mnR4hzXlFJZ7V7jp3Fe3qH
h2mx2lEEhn0VPCg+Cy/3yntHlchsxC+wxMr4IWMbBDfDm7aCD1EoRDfFA1zi
wLQJyKJL13YlW34wttzz7skV38Befqhab+RMuUPRPaXe5x3dXcnfukw260NV
JMvZpzCqlTI+7l5MPgrVwmjFP1/InJdewoB7g/avA3+e35ClvoJBb9ObHzq5
1/Ms1wGsadN+9FzQBFx2d+SUVyBXHyCtVRMq9Nua4ocevEjYLMQRnW26W74h
oRyaqJ5EMKDyoFyXDm1G3F9wEBsj8J0bChP3m6l06TGPWBeu9vOgmjN86MiU
zrmtbNr9xqUfis20C/8BZFEgFjLMmPoMWVDIOJbUhJpfGSSBVHJ32hJa6U0R
JO2JE7ppw1fN1mlGtDGIejKTkmQsslaDMZ0I5WEjzat2k4nWSacl/in1ebOV
vD4110cIC3TqrmmT5T0e+UIDy7/R5nqS73uRUcBgUjtFKrsbenws/7zG5DjE
3wHUaBj6SJIbzc09FzM1c+iQZ9wbQ7625V7vwF+ys87ImzGnnM93ehy4P9Tm
WpAPSMobWumGhqUVThQCqu60aokPxgqv+QYQRrSSK9R9ilJkJOYY4kZRQqff
ycyTXjziNLh7CMSYOlhz2W0RISuwKhfapURx7bvbCqmWH+aJjY9ckBx1chtR
4kR7p/DMhP4khEk55QN+es8MZCh+9SiOBxZIye4PPXfP5nj8WK6zgBqK7+/i
7Ud+f0OZDNUFm5ofI7wT2Y9Q+OvMkEPxdxUdUI6M9Rz9MO6ZKtrPUzE/Bvyj
NQRQnqVhsuSXNew9T8P8xPGraViAstH0aINzTOWjE56nO3VH+8o/ozf6+k7e
D/xjOu+PfJ6y/QOqHqTm/xPK/UqgHhz8PBUHz1XxYPfxx+CafnY0Az2wrOkn
SZWFq+Qnb50XyeRAk65ywdI+pb/PiUw7oNJpKMR0yBxsdu9Vc0Ie5T9+So9u
x8lda34ncKzCGl/dcnN7dAfjrH/L/qxHS4gKKqPmXyNVhqLCyuQNAO1er1Rp
GDceP6zUJxrW+MKfmTIaTdIJ/bbd63Ttqd3utXqDXqPX6bRHzQb+6ySDx9PX
2eDO4LzbazUHk9G0059M7Y49afQm5+fddrtr21MzITFKI9+i06Elm/0WLd3t
fknIRrff6tjNTr9zMehejNv2+aTZnvSmF+NRc9zuNabT9rk9ajZb3V6vMe73
e/2O3Zu0IZNtj3tjezzuXHQGzf75aDSwd2Saa7kkob5fvUxlegnC3B2K1csv
ifUS1Hr18msJ9vJjRQjrc9HtjJXk+OcoVhiM+d3P/yno3KktBj/yL2grd3pO
M+XMQQPK3wtz/zQsXi3h9eeii81mvwdxk3bH7k8GzWZj1Bq38W7ab006fbvV
H086duv8fNKHAhfno/Npv98e9Xqd9kVz0ByN+83xqD+xz8+nk+600+k3gXis
0QAOGh24vmm37DYUhp6pZRJhvwIcv5bU2PZ7SEG7N4eiZldFZ8hoz4U3G778
+PFj5ffilkkFWuwa1Yv/h24C3Ui6cT5+udI/up4frH+qfB1gn/cb01HTvmhM
z8fjwUUL01rTaXMyGLQmrfa4M+0N+p1pa9AcjCb2uD1t97p9IKYxGEzOu/1u
96LZGTSm44sE2G0AewDVG0Vs2D27bw/skT22J7DrBWza/OPB/7U02wF/s1El
GruL/0M6vvwtcfLfk8YmGbs3AAA=

-->

</rfc>

