Internet-Draft Ascon-AEAD128 and Ascon-Hash256 for COSE July 2026
Ochkas, et al. Expires 7 January 2027 [Page]
Workgroup:
COSE Working Group
Internet-Draft:
draft-ochkas-cose-ascon-04
Published:
Intended Status:
Informational
Expires:
Authors:
D. Ochkas
IMT Atlantique
H. Le Bouder
IMT Atlantique
A. Pelov
IMT Atlantique

Ascon-AEAD128 and Ascon-Hash256 for COSE

Abstract

This document describes CBOR Object Signing and Encryption (COSE) serialization with Ascon, a NIST standard for lightweight cryptography.

In 2019, as a part of CAESAR competition, Ascon-128 and Ascon-128a were selected as the first choice for the lightweight authenticated encryption. After, in 2023, National Institute of Standards and Technology (NIST) selected Ascon family of cryptographic algorithms to be the standard for lightweight cryptography. In August 2025, NIST Special Publication 800-232 was released, defining Ascon-based lightweight cryptography standards for constrained devices. This recognition makes it particularly interesting to enable using Ascon with COSE structures.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

Constrained networks such as Internet of Things (IoT) networks most of the time are characterized by the limited computational power and energy. In this context, the choice of suitable cryptographic suites that provide reliable security without consuming large amount of resources is essential. As a winner of the lightweight cryptography standardization process conducted by NIST, Ascon algorithms are the perfect candidates to fit into the described use case. The Ascon family offers a low computational cost that translates into lower latency, reduced energy consumption, and higher throughput compared to traditional crypto algorithms. Moreover, all Ascon algorithms share a single permutation function allowing for a drastic reduction of memory footprint.

Ascon-Based Lightweight Cryptography Standards for Constrained Devices [NIST.SP.800-232] introduces a suite of algorithms consisting of Ascon-AEAD128, an authenticated encryption with associated data (AEAD) algorithm; Ascon-Hash256, a hash function; and two eXtendable Output Functions (XOFs).

As, in COSE, only AEAD and hash functions of Ascon family are relevant, this document focuses on the usage of Ascon-AEAD128 for COSE content encryption, and Ascon-Hash256 for KDF and MAC procedures.

This document does not define any new cryptography, only serializations of existing cryptographic systems described in [NIST.SP.800-232].

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Ascon algorithms for COSE

3.1. Ascon-AEAD128

This document introduces Ascon-AEAD128 for COSE content encryption. Ascon AEAD algorithm is parametrized by the key size k, the nonce size n, the tag size t, the rate r, and the number of outer permutation rounds a and the number of inner permutation rounds b. [NIST.SP.800-232] specifies the Ascon-AEAD128 parameters with the following numerical values.

Table 1: Ascon-AEAD128 parameters
Key size, k Nonce size, n Tag size, t Rate, r Outer permutation rounds, a Inner permutation rounds, b
128 bits 128 bits 32-128 bits 128 bits 12 8

Note that the standard permits tag sizes t between 32 and 128 bits. Tags of less than 64 bits SHALL only be selected after a careful risk analysis.

Since COSE can be used in a variety of scenarios, this document requests to register three configurations of Ascon-AEAD128 in [IANA.cose] with tag sizes of 32, 64, and 128 bits (see Table 2). Using the 32-bit variation is discouraged for typical scenarios and SHOULD be introduced only in extremely constrained use cases with justified security.

Table 2: New COSE AEAD algorithms with Ascon
Name alg Description
Ascon-AEAD128 TBD (requested assignment 35) Ascon-AEAD128 with 128-bit tag as the CBOR Object Encryption Algorithm
Ascon-AEAD128/64 TBD (requested assignment 36) Ascon-AEAD128 with 64-bit tag as the CBOR Object Encryption Algorithm
Ascon-AEAD128/32 TBD (requested assignment 37) Ascon-AEAD128 with 32-bit tag as the CBOR Object Encryption Algorithm

In COSE, keys may be obtained from either a key structure or a recipient structure [RFC9052].

When using a COSE key for this algorithm, the following checks are made:

  • The "kty" field MUST be present, and it MUST be "Symmetric".

  • If the "alg" field is present, it MUST match the variation of Ascon-AEAD128 algorithm being used.

  • If the "key_ops" field is present, it MUST include "encrypt" when encrypting.

  • If the "key_ops" field is present, it MUST include "decrypt" when decrypting.

COSE encryption and decryption with Ascon-AEAD128 MUST be done in accordance with Section 5.3 of [RFC9052].

3.2. Ascon-Hash256

This document introduces Ascon-Hash256 for Key Derivation Function (KDF) and Message Authentication Code (MAC) COSE operations. Ascon hash algorithm is parametrized by the rate r, the number of permutation rounds a, and the length of output l. [NIST.SP.800-232] specifies the Ascon-Hash256 parameters with the following numerical values.

Table 3: Ascon-Hash256 parameters
Rate, r Permutation rounds, a Output length, l
64 bits 12 256 bits

3.2.1. Ascon-Hash256 for KDF operations

In COSE, integration Ascon-Hash256 for KDF operations SHALL be done via HMAC-based Extract-and-Expand KDF (HKDF) defined in [RFC5869]. HKDF leverages HMAC mechanism described in [RFC2104]. HMAC is an algorithm allowing usage of arbirtary cryptographic hash functions for message authentication. This KDF is described in Table 4.

Table 4: New COSE KDF algorithms with Ascon
Name PRF Description
HKDF Ascon-Hash256 HMAC with Ascon-Hash256 HKDF using HMAC with Ascon-Hash256

COSE leverages KDF algorithms to perform direct encryption. Thus, this documents requests the registration of a new direct key with KDF algorithm using HKDF and Ascon-Hash256. The algorithm is defined in Table 5.

Table 5: New COSE Direct Key with KDF algorithms with Ascon
Name Value KDF Description
direct+HKDF-Ascon-Hash256 TBD (requested assigment -20) HKDF Ascon-Hash256 Shared secret w/ HKDF Ascon-Hash256

The algorithm from Table 5 MUST be used as described in Section 6.1.2 of [RFC9053].

3.2.2. Ascon-Hash256 for MAC operations

In COSE, integration Ascon-Hash256 for MAC operations SHALL be implemented via HMAC algorithm [RFC2104]. This algorithm is described in Table 6.

Table 6: New COSE MAC algorithms with Ascon
Name Value Hash Tag Length Description
HMAC Ascon-Hash256 TBD (requested assigment 8) Ascon-Hash256 256 bits HMAC w/ Ascon-Hash256
HMAC Ascon-Hash256/64 TBD (requested assigment 9) Ascon-Hash256 64 bits HMAC w/ Ascon-Hash256 truncated to 64 bits

The process of creation and verification of COSE MAC using the algorithms from Table 6 MUST follow Section 6.3 of [RFC9052].

4. IV Header Parameter

Unlike some common AEAD algorithms, Ascon distinguishes between the notion of initialization vector (IV) and nonce (N). While N is the input argument for the Ascon-AEAD128 encryption/decryption functions, IV is the constant defined for each Ascon algorithm used as part of state initialization.

However, [IANA.cose] does not define a separate header parameter to specify Nonce. Thus, in COSE, whenever Full Initialization Vector Header Parameter (Name: IV, Label: 5) or Partial Initialization Vector Header Parameter (Name: Partial IV, Label: 6) is specified it SHALL refer to the N argument of the corresponding Ascon function.

5. Security Considerations

The security considerations for [NIST.SP.800-232], [RFC7516], [RFC7517] and [RFC9052] apply to this specification as well.

According to the most recent security analysis publications, Ascon did not show any security vulnerabilities so far and the best attacks target the initialization of Ascon reduced to 7 (out of 12) rounds, concluding that Ascon has a security margin of 5 rounds (42 % of the 12 rounds). More details are available at List of Published Analysis section of [asconv1.2-nist].

6. IANA Considerations

6.1. Additions to COSE Algorithms Registry

IANA is requested to add the following entries to the COSE Algorithms Registry. The following completed registration templates are provided as described in [RFC9053]. The "Recommended" fields for Ascon-AEAD128/32 and HMAC Ascon-Hash256/64 are set to "Filter Only" to discourage unreflected usage.

6.1.1. Ascon-AEAD128 for COSE

  • Name: Ascon-AEAD128

  • Value: TBD (requested assignment 35)

  • Description: Ascon-AEAD128 with 128-bit tag

  • Capabilities: [kty]

  • Reference: NIST SP 800-232

  • Recommended: Yes

6.1.2. Ascon-AEAD128/64 for COSE

  • Name: Ascon-AEAD128/64

  • Value: TBD (requested assignment 36)

  • Description: Ascon-AEAD128 with 64-bit tag

  • Capabilities: [kty]

  • Reference: NIST SP 800-232

  • Recommended: Yes

6.1.3. Ascon-AEAD128/32 for COSE

  • Name: Ascon-AEAD128/32

  • Value: TBD (requested assignment 37)

  • Description: Ascon-AEAD128 with 32-bit tag

  • Capabilities: [kty]

  • Reference: NIST SP 800-232

  • Recommended: Filter Only

6.1.4. direct+HKDF-Ascon-Hash256 for COSE

  • Name: direct+HKDF-Ascon-Hash256

  • Value: TBD (requested assignment -20)

  • Description: Shared secret w/ HKDF Ascon-Hash256

  • Capabilities: [kty]

  • Reference: NIST SP 800-232

  • Recommended: Yes

6.1.5. HMAC Ascon-Hash256 for COSE

  • Name: HMAC Ascon-Hash256

  • Value: TBD (requested assignment 8)

  • Description: HMAC w/ Ascon-Hash256

  • Capabilities: [kty]

  • Reference: NIST SP 800-232

  • Recommended: Yes

6.1.6. HMAC Ascon-Hash256/64 for COSE

  • Name: HMAC Ascon-Hash256/64

  • Value: TBD (requested assignment 9)

  • Description: HMAC w/ Ascon-Hash256 truncated to 64 bits

  • Capabilities: [kty]

  • Reference: NIST SP 800-232

  • Recommended: Filter Only

7. References

7.1. Normative References

[IANA.cose]
IANA, "CBOR Object Signing and Encryption (COSE)", <https://www.iana.org/assignments/cose>.
[RFC2104]
Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, , <https://www.rfc-editor.org/rfc/rfc2104>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC5869]
Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, , <https://www.rfc-editor.org/rfc/rfc5869>.
[RFC7516]
Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, , <https://www.rfc-editor.org/rfc/rfc7516>.
[RFC7517]
Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, , <https://www.rfc-editor.org/rfc/rfc7517>.
[RFC7518]
Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, , <https://www.rfc-editor.org/rfc/rfc7518>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC9052]
Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, , <https://www.rfc-editor.org/rfc/rfc9052>.
[RFC9053]
Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, , <https://www.rfc-editor.org/rfc/rfc9053>.

7.2. Informative References

[asconv1.2-caesar]
Dobraunig, C., Eichlseder, M., Mendel, F., and M. Schläffer, "Ascon v1.2, Submission to Round 3 of the CAESAR competition", , <https://competitions.cr.yp.to/round3/asconv12.pdf>.
[asconv1.2-nist]
Dobraunig, C., Eichlseder, M., Mendel, F., and M. Schläffer, "Ascon v1.2, Submission to Final Round of the NIST Lightweight Cryptography project", , <https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf>.
[NIST.SP.800-232]
Turan, M. S., McKay, K. A., Kang, J., and J. Kelsey, "Ascon-Based Lightweight Cryptography Standards for Constrained Devices", DOI 10.6028/NIST.SP.800-232, , <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.pdf>.

Appendix A. Examples

This appendix provides some examples of various Ascon-AEAD128 encryptions with COSE.

A.1. COSE Content Encryption

A.1.1. Simple Ascon-AEAD128 encryption

{
  "plaintext": "This is the content.",
  "nonce_hex": "00000000000000000000000000000000",
  "AAD_hex": "8367456E637279707443A1010140",
  "CEK_hex": "849B57219DAE48DE646D07DBB533566E",
  "Encrypt0_hex": "8344A1011823A1055000000000000000000000000000000000582461484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96",
  "Encrypt0_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'61484F95FC36BD13D7EFCA1C370EE3B6A1125770C8878467D3AE466C7C6CC4F4918BAA96']"
}

A.1.2. Direct Ascon-AEAD128 encryption with recipient

{
  "plaintext": "This is the content.",
  "nonce_hex": "00000000000000000000000000000000",
  "AAD_hex": "8367456E637279707443A1010140",
  "CEK_hex": "849B57219DAE48DE646D07DBB533566E",
  "key": {
    "kid": "abcdef",
    "kty": "Symmetric"
  },
  "Encrypt": "8444A1011823A10550000000000000000000000000000000005824D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44818340A20125044661626364656640",
  "Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'D3468D9110A2C3005E82D48628CD462BBD8721FBABE883A7743F191AC81CA8D6BBED5E44', [[h'', {1: -6, 4: h'616263646566'}, h'']]]"
}

A.1.3. Direct Ascon-AEAD128 encryption with HKDF-SHA-256

{
  "plaintext": "This is the content.",
  "nonce_hex": "00000000000000000000000000000000",
  "AAD_hex": "8367456E637279707443A1010140",
  "CEK_hex": "849B57219DAE48DE646D07DBB533566E",
  "key": {
    "kid": "abcdef",
    "kty": "Symmetric"
  },
  "salt": "abcdefghijlmnopq",
  "Encrypt": "8444A1011823A10550000000000000000000000000000000005824B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF818340A3012933506162636465666768696A6C6D6E6F7071044661626364656640",
  "Encrypt_diag": "[h'A1011823', {5: h'00000000000000000000000000000000'}, h'B80EA16F0EBCC9F25502EE1D992D23C4E7984E2919AD6C3E37581FB099DB5855F1490ECF', [[h'', {1: -10, -20: h'6162636465666768696A6C6D6E6F7071', 4: h'616263646566'}, h'']]]"
}

Authors' Addresses

Dmytro Ochkas
IMT Atlantique
Hélène Le Bouder
IMT Atlantique
Alexander Pelov
IMT Atlantique