Ascon hardware implementations and side-channel evaluation

Hannes Groß, Erich Wenger, Christoph Dobraunig, Christoph Ehrenhöfer

Research output: Contribution to journalArticlepeer-review


Having ciphers that provide confidentiality and authenticity, that are fast in software and efficient in hardware, these are the goals of CAESAR, the Competition for Authenticated Encryption: Security, Applicability, and Robustness. In this paper, the CAESAR candidate Ascon is implemented in hardware and optimized for different typical applications to fully explore Ascon’s design space. Thus, we are able to present hardware implementations of Ascon suitable for RFID tags, Wireless Sensor Nodes, Embedded Systems, and applications that need maximum performance. For instance, we show that an Ascon implementation with a single unrolled round transformation is only 7 kGE large, but can process up to 5.5Gbit/sec of data (0.75 cycles/byte), which is already enough to encrypt a Gigabit Ethernet connection. Besides, Ascon is not only fast and small, it can also be easily protected against DPA attacks. A threshold implementation of Ascon just requires about 8 kGE of chip area, which is only 3.1 times larger than the unprotected low-area optimized implementation.
Original languageEnglish
Pages (from-to)470-479
Number of pages10
JournalMicroprocessors and Microsystems - Embedded Hardware Design
Publication statusPublished - 2017


  • Authenticated encryption
  • CAESAR competition
  • Hardware design
  • Threshold implementation
  • Ascon

Cite this