ASCON Suite
Customizable hashing with ASCON-cXOF

NIST SP 800-185 defines an extension to SHAKE128 and SHAKE256 of SHA-3 to provide customizable XOF modes called cSHAKE128 and cSHAKE256. cSHAKE differs from SHAKE in that it specifies four input parameters in place of SHAKE's single input data stream:

  • X is the main input string of any length allowed by the underying XOF mode, including zero-length strings.
  • L is an integer representing the requested output length in bits, or zero for arbitrary-length output.
  • N is a function-name string, used by NIST to define functions based on cSHAKE such as "KMAC", "TupleHash", and "ParallelHash". When N is empty, the behaviour is identical to basic SHAKE.
  • C is a customization string, selected by the user to define an application-specific variant of the function. When no customization is desired, C is set to the empty string.

The ASCON hashing mode already supports the L parameter in the low 32 bits of the initialization vector (IV) of the first block. ASCON-HASH is the special case where L is 256 bits and ASCON-XOF is the special case where L is 0.

NIST SP 800-185 is slightly more flexible in that L can be provided dynamically after the X input string has been absorbed, in case its value is unknown ahead of time. However, it is unusual for an application to be unaware of the desired output length before hashing starts, except in the special case of arbitrary-length output (0).

The remaining 256 bits of the initial block for ASCON hashing are set to zero in the standard version. We propose that this space be used to encode the function-name string N, as demonstrated in the following figure for N = "KMAC":

If N is less than or equal to 256 bits in length, then pad it with zero bits and populate the spare space in the initial block with the padded string. If N is greater than 256 bits in length, then compute ASCON-HASH(N) and place the digest value into the spare space instead.

The initial block is hashed with the ASCON permutation and then C and X are absorbed. The hashed version of the initial block can be precomputed by the application for known constant values of L and N.

The customization string C is absorbed before X. After absorbing C, the last bit of the state is inverted to provide domain separation between the C and X blocks. If C is empty, then no additional blocks are absorbed before X.

After that, ASCON-cXOF proceeds the same as ASCON-XOF. Input data is absorbed and output data is squeezed.

This library uses ASCON-cXOF to implement a NIST-style KMAC mode. ASCON-cXOF is also used in the library's PBKDF2 and PRNG implementations.

NIST SP 800-185 also defines modes called TupleHash and ParallelHash, based on cSHAKE. We could define similar modes using ASCON-cXOF as well but haven't done so yet.

Generated on Sun Mar 19 2023 13:56:57 for ASCON Suite by doxygen 1.9.1