| Internet-Draft | Ascon-AEAD128 and Ascon-Hash256 for COSE | July 2026 |
| Ochkas, et al. | Expires 7 January 2027 | [Page] |
This document describes CBOR Object Signing and Encryption (COSE) serialization with Ascon, a NIST standard for lightweight cryptography.¶
In 2019, as a part of CAESAR competition, Ascon-128 and Ascon-128a were selected as the first choice for the lightweight authenticated encryption. After, in 2023, National Institute of Standards and Technology (NIST) selected Ascon family of cryptographic algorithms to be the standard for lightweight cryptography. In August 2025, NIST Special Publication 800-232 was released, defining Ascon-based lightweight cryptography standards for constrained devices. This recognition makes it particularly interesting to enable using Ascon with COSE structures.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Constrained networks such as Internet of Things (IoT) networks most of the time are characterized by the limited computational power and energy. In this context, the choice of suitable cryptographic suites that provide reliable security without consuming large amount of resources is essential. As a winner of the lightweight cryptography standardization process conducted by NIST, Ascon algorithms are the perfect candidates to fit into the described use case. The Ascon family offers a low computational cost that translates into lower latency, reduced energy consumption, and higher throughput compared to traditional crypto algorithms. Moreover, all Ascon algorithms share a single permutation function allowing for a drastic reduction of memory footprint.¶
Ascon-Based Lightweight Cryptography Standards for Constrained Devices [NIST.SP.800-232] introduces a suite of algorithms consisting of Ascon-AEAD128, an authenticated encryption with associated data (AEAD) algorithm; Ascon-Hash256, a hash function; and two eXtendable Output Functions (XOFs).¶
As, in COSE, only AEAD and hash functions of Ascon family are relevant, this document focuses on the usage of Ascon-AEAD128 for COSE content encryption, and Ascon-Hash256 for KDF and MAC procedures.¶
This document does not define any new cryptography, only serializations of existing cryptographic systems described in [NIST.SP.800-232].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document introduces Ascon-AEAD128 for COSE content encryption. Ascon AEAD algorithm is parametrized by the key size k, the nonce size n, the tag size t, the rate r, and the number of outer permutation rounds a and the number of inner permutation rounds b. [NIST.SP.800-232] specifies the Ascon-AEAD128 parameters with the following numerical values.¶
| Key size, k | Nonce size, n | Tag size, t | Rate, r | Outer permutation rounds, a | Inner permutation rounds, b |
|---|---|---|---|---|---|
| 128 bits | 128 bits | 32-128 bits | 128 bits | 12 | 8 |
Note that the standard permits tag sizes t between 32 and 128 bits. Tags of less than 64 bits SHALL only be selected after a careful risk analysis.¶
Since COSE can be used in a variety of scenarios, this document requests to register three configurations of Ascon-AEAD128 in [IANA.cose] with tag sizes of 32, 64, and 128 bits (see Table 2). Using the 32-bit variation is discouraged for typical scenarios and SHOULD be introduced only in extremely constrained use cases with justified security.¶
| Name | alg | Description |
|---|---|---|
| Ascon-AEAD128 | TBD (requested assignment 35) | Ascon-AEAD128 with 128-bit tag as the CBOR Object Encryption Algorithm |
| Ascon-AEAD128/64 | TBD (requested assignment 36) | Ascon-AEAD128 with 64-bit tag as the CBOR Object Encryption Algorithm |
| Ascon-AEAD128/32 | TBD (requested assignment 37) | Ascon-AEAD128 with 32-bit tag as the CBOR Object Encryption Algorithm |
In COSE, keys may be obtained from either a key structure or a recipient structure [RFC9052].¶
When using a COSE key for this algorithm, the following checks are made:¶
The "kty" field MUST be present, and it MUST be "Symmetric".¶
If the "alg" field is present, it MUST match the variation of Ascon-AEAD128 algorithm being used.¶
If the "key_ops" field is present, it MUST include "encrypt" when encrypting.¶
If the "key_ops" field is present, it MUST include "decrypt" when decrypting.¶
COSE encryption and decryption with Ascon-AEAD128 MUST be done in accordance with Section 5.3 of [RFC9052].¶
This document introduces Ascon-Hash256 for Key Derivation Function (KDF) and Message Authentication Code (MAC) COSE operations. Ascon hash algorithm is parametrized by the rate r, the number of permutation rounds a, and the length of output l. [NIST.SP.800-232] specifies the Ascon-Hash256 parameters with the following numerical values.¶
| Rate, r | Permutation rounds, a | Output length, l |
|---|---|---|
| 64 bits | 12 | 256 bits |
In COSE, integration Ascon-Hash256 for KDF operations SHALL be done via HMAC-based Extract-and-Expand KDF (HKDF) defined in [RFC5869]. HKDF leverages HMAC mechanism described in [RFC2104]. HMAC is an algorithm allowing usage of arbirtary cryptographic hash functions for message authentication. This KDF is described in Table 4.¶
| Name | PRF | Description |
|---|---|---|
| HKDF Ascon-Hash256 | HMAC with Ascon-Hash256 | HKDF using HMAC with Ascon-Hash256 |
COSE leverages KDF algorithms to perform direct encryption. Thus, this documents requests the registration of a new direct key with KDF algorithm using HKDF and Ascon-Hash256. The algorithm is defined in Table 5.¶
| Name | Value | KDF | Description |
|---|---|---|---|
| direct+HKDF-Ascon-Hash256 | TBD (requested assigment -20) | HKDF Ascon-Hash256 | Shared secret w/ HKDF Ascon-Hash256 |
The algorithm from Table 5 MUST be used as described in Section 6.1.2 of [RFC9053].¶
In COSE, integration Ascon-Hash256 for MAC operations SHALL be implemented via HMAC algorithm [RFC2104]. This algorithm is described in Table 6.¶
| Name | Value | Hash | Tag Length | Description |
|---|---|---|---|---|
| HMAC Ascon-Hash256 | TBD (requested assigment 8) | Ascon-Hash256 | 256 bits | HMAC w/ Ascon-Hash256 |
| HMAC Ascon-Hash256/64 | TBD (requested assigment 9) | Ascon-Hash256 | 64 bits | HMAC w/ Ascon-Hash256 truncated to 64 bits |
The process of creation and verification of COSE MAC using the algorithms from Table 6 MUST follow Section 6.3 of [RFC9052].¶
Unlike some common AEAD algorithms, Ascon distinguishes between the notion of initialization vector (IV) and nonce (N). While N is the input argument for the Ascon-AEAD128 encryption/decryption functions, IV is the constant defined for each Ascon algorithm used as part of state initialization.¶
However, [IANA.cose] does not define a separate header parameter to specify Nonce. Thus, in COSE, whenever Full Initialization Vector Header Parameter (Name: IV, Label: 5) or Partial Initialization Vector Header Parameter (Name: Partial IV, Label: 6) is specified it SHALL refer to the N argument of the corresponding Ascon function.¶
The security considerations for [NIST.SP.800-232], [RFC7516], [RFC7517] and [RFC9052] apply to this specification as well.¶
According to the most recent security analysis publications, Ascon did not show any security vulnerabilities so far and the best attacks target the initialization of Ascon reduced to 7 (out of 12) rounds, concluding that Ascon has a security margin of 5 rounds (42 % of the 12 rounds). More details are available at List of Published Analysis section of [asconv1.2-nist].¶
IANA is requested to add the following entries to the COSE Algorithms Registry. The following completed registration templates are provided as described in [RFC9053]. The "Recommended" fields for Ascon-AEAD128/32 and HMAC Ascon-Hash256/64 are set to "Filter Only" to discourage unreflected usage.¶
This appendix provides some examples of various Ascon-AEAD128 encryptions with COSE.¶
{
"plaintext": "This is the content.",
"nonce_hex": "00000000000000000000000000000000",
"AAD_hex": "8367456E637279707443A1010140",
"CEK_hex": "849B57219DAE48DE646D07DBB533566E",
"Encrypt0_hex": "8344A1011823A1055000000000000000000000000000000000582461484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96",
"Encrypt0_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'61484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96']"
}
¶
{
"plaintext": "This is the content.",
"nonce_hex": "00000000000000000000000000000000",
"AAD_hex": "8367456E637279707443A1010140",
"CEK_hex": "849B57219DAE48DE646D07DBB533566E",
"key": {
"kid": "abcdef",
"kty": "Symmetric"
},
"Encrypt": "8444A1011823A10550000000000000000000000000000000005824D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44818340A20125044661626364656640",
"Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44', [[h'', {1: -6, 4: h'616263646566'}, h'']]]"
}
¶
{
"plaintext": "This is the content.",
"nonce_hex": "00000000000000000000000000000000",
"AAD_hex": "8367456E637279707443A1010140",
"CEK_hex": "849B57219DAE48DE646D07DBB533566E",
"key": {
"kid": "abcdef",
"kty": "Symmetric"
},
"salt": "abcdefghijlmnopq",
"Encrypt": "8444A1011823A10550000000000000000000000000000000005824B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF818340A3012933506162636465666768696A6C6D6E6F7071044661626364656640",
"Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF', [[h'', {1: -10, -20: h'6162636465666768696A6C6D6E6F7071', 4: h'616263646566'}, h'']]]"
}
¶