cloudflare / circl

CIRCL: Cloudflare Interoperable Reusable Cryptographic Library
http://blog.cloudflare.com/introducing-circl

Add Ascon-80pq to cipher\ascon #405

Closed dhcgn closed 1 year ago

dhcgn commented 1 year ago

Since this repo has a focus on PQ, I would like to suggest including the PQ optimized variant of Ascon.

Ascon-80pq has an increased key-size to provide more resistance against a quantum adversary using Grover’s algorithm for key search. Since Ascon-128 and Ascon-80pq share the same building blocks and same parameters except the size of the key, we claim the same security for Ascon-80pq against classical attacks as for Ascon-128. [...] The only difference between Ascon-80pq and Ascon-128 is the increased length of the key. This increased key length provides additional protection against exhaustive key search in the case the availability of quantum computers becomes evident. Since the other tunable security parameters (the number of rounds of the permutations) have not been increased, the security claim for Ascon-80pq against classical attacks stays the same as for Ascon-128.

Source: https://ascon.iaik.tugraz.at/files/asconv12-nist.pdf

Here is a draft pr: https://github.com/cloudflare/circl/pull/404
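To make the quoted claim concrete, here is an added, self-contained Go implementation of the Ascon v1.2 AEAD mode with both variants side by side. It is example code written for this page, not CIRCL's cipher/ascon package and not the code in the draft PR, and it follows the v1.2 submission linked above (the NIST SP 800-232 version of Ascon-AEAD128 is not bit-compatible with it). The only mode-dependent input is the key length: the spec's initial value is the byte string k || r || a || b zero-padded so that IV || K || N fills the 320-bit state, so a 128-bit key yields 0x80400c0600000000 and a 160-bit key yields 0xa0400c06, and the key is XORed over the last bytes of the state after initialisation and over the bytes following the rate before finalisation. The names Ascon, duplex, pad and xorInto are my own. The Ascon-128 check value printed by main is the first entry of the LWC known-answer file (key and nonce 00..0f, empty AD and plaintext); the 160-bit key and the messages are constructed sample inputs.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

type state [40]byte // 320-bit state; the first 8 bytes are the 64-bit rate
var rc = [12]uint64{0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b}
func ror(x uint64, n uint) uint64 { return x>>n | x<<(64-n) }

// permute applies the last `rounds` (12 or 6) rounds of the Ascon permutation,
// working on the state as five big-endian 64-bit words x0..x4.
func (s *state) permute(rounds int) {
	var x [5]uint64
	for i := range x { x[i] = binary.BigEndian.Uint64(s[8*i:]) }
	for _, c := range rc[12-rounds:] {
		x[2] ^= c                                // constant addition
		x[0] ^= x[4]; x[4] ^= x[3]; x[2] ^= x[1] // bitsliced 5-bit S-box
		t := [5]uint64{x[0] ^ (^x[1] & x[2]), x[1] ^ (^x[2] & x[3]), x[2] ^ (^x[3] & x[4]), x[3] ^ (^x[4] & x[0]), x[4] ^ (^x[0] & x[1])}
		t[1] ^= t[0]; t[0] ^= t[4]; t[3] ^= t[2]; t[2] = ^t[2]
		x[0] = t[0] ^ ror(t[0], 19) ^ ror(t[0], 28) // linear diffusion layer
		x[1] = t[1] ^ ror(t[1], 61) ^ ror(t[1], 39)
		x[2] = t[2] ^ ror(t[2], 1) ^ ror(t[2], 6)
		x[3] = t[3] ^ ror(t[3], 10) ^ ror(t[3], 17)
		x[4] = t[4] ^ ror(t[4], 7) ^ ror(t[4], 41)
	}
	for i := range x { binary.BigEndian.PutUint64(s[8*i:], x[i]) }
}

func xorInto(dst, src []byte) { for i, v := range src { dst[i] ^= v } }

// pad applies 10* padding to a short final block; a full 8-byte block passes through.
func pad(b []byte) []byte {
	if len(b) == 8 { return b }
	p := make([]byte, 8); p[copy(p, b)] = 0x80
	return p
}

// duplex runs one block through the rate and returns its ciphertext (encrypting)
// or plaintext (decrypting); the caller applies p6 between blocks.
func duplex(s *state, block []byte, decrypt bool) []byte {
	out := make([]byte, len(block))
	if decrypt {
		for i := range out { out[i] = s[i] ^ block[i] } // P = S_r ^ C
		xorInto(s[:], pad(out))                        // S_r becomes C, plus padding bits
		return out
	}
	xorInto(s[:], pad(block)) // S_r ^= P
	copy(out, s[:])           // C = S_r
	return out
}

// Ascon runs the AEAD mode shared by Ascon-128 (16-byte key) and Ascon-80pq (20-byte key).
// The key length is the only input that tells them apart: it sets the IV's first byte and
// where K lands in the state. Encrypting returns ciphertext || tag; decrypting verifies the
// tag in constant time and releases plaintext only if it matches.
func Ascon(key, nonce, ad, in []byte, decrypt bool) ([]byte, error) {
	if (len(key) != 16 && len(key) != 20) || len(nonce) != 16 || (decrypt && len(in) < 16) {
		return nil, fmt.Errorf("ascon: bad key, nonce or ciphertext length")
	}
	var want []byte
	if decrypt { in, want = in[:len(in)-16], in[len(in)-16:] }
	var s state
	iv := []byte{byte(8 * len(key)), 0x40, 0x0c, 0x06} // k || r || a || b (key bits, rate bits, rounds, rounds)
	n := copy(s[:], iv) + 20 - len(key)                // IV is zero-padded so that IV || K || N is 40 bytes
	n += copy(s[n:], key)
	copy(s[n:], nonce)
	s.permute(12)
	xorInto(s[40-len(key):], key) // S ^= 0* || K
	if len(ad) > 0 {              // absorb 10*-padded associated data
		for ; len(ad) >= 8; ad = ad[8:] { xorInto(s[:], ad[:8]); s.permute(6) }
		xorInto(s[:], pad(ad))
		s.permute(6)
	}
	s[39] ^= 1 // domain separation between AD and message
	var out []byte
	for ; len(in) >= 8; in = in[8:] { out = append(out, duplex(&s, in[:8], decrypt)...); s.permute(6) }
	out = append(out, duplex(&s, in, decrypt)...) // last, partial block: no permutation
	xorInto(s[8:], key)                           // finalisation: S ^= 0^64 || K || 0*
	s.permute(12)
	tag := append([]byte{}, s[24:]...)
	xorInto(tag, key[len(key)-16:]) // T = S[192:320] ^ last 128 key bits
	if !decrypt { return append(out, tag...), nil }
	if subtle.ConstantTimeCompare(tag, want) != 1 { return nil, fmt.Errorf("ascon: authentication failed") }
	return out, nil
}

func main() {
	kn, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f") // LWC KAT Count 1: key = nonce, no AD or PT
	ct, _ := Ascon(kn, kn, nil, nil, false)
	fmt.Printf("Ascon-128 tag %X\n", ct) // expected E355159F292911F794CB1432A0103A8A
	key := append(append([]byte{}, kn...), 0x10, 0x11, 0x12, 0x13) // constructed 160-bit key
	ct, _ = Ascon(key, kn, []byte("hdr"), []byte("32 more key bits"), false)
	pt, err := Ascon(key, kn, []byte("hdr"), ct, true)
	ct[0] ^= 1 // a bit flip anywhere must make decryption fail
	_, tampered := Ascon(key, kn, []byte("hdr"), ct, true)
	fmt.Printf("Ascon-80pq %q %v / tampered: %v\n", pt, err, tampered)
}
```

Decryption never hands back plaintext before the tag has been compared with crypto/subtle, and a Seal/Open split in the style of cipher.AEAD is a thin wrapper on top. What the code is meant to show is that moving from Ascon-128 to Ascon-80pq changes no permutation, rate or round count, only where the extra 32 key bits sit in the state, which is exactly why the submission claims unchanged classical security together with a larger exhaustive-search cost.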

bwesterb commented 1 year ago

Thank you for the PR, we'll have a look.

I would like to point out, though, that Ascon-128 itself is already post-quantum secure (barring any classical breaks). Grover's algorithm doesn't parallelise well. It is very likely that it will take many decades after Shor's algorithm is already practical, before Grover's algorithm threatens any symmetric crypto. To wit: NIST security level 1 for post-quantum signatures and key agreement is defined as being as hard to crack as AES-128.
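Why Grover's algorithm "doesn't parallelise well", worked through as an added note that is not part of the thread (the symbols are my own):

Let $N = 2^k$ be the key space, with $k = 128$ for Ascon-128 and $k = 160$ for Ascon-80pq. A classical search on $p$ machines hands each machine $N/p$ candidates, so the wall-clock time is $T = N/p$ and the total work is $W = pT = N$: parallelism is free. A single Grover instance needs about $\frac{\pi}{4}\sqrt{N}$ sequential oracle evaluations. Splitting the key space across $p$ instances of size $N/p$ gives

$$T_q = \frac{\pi}{4}\sqrt{\frac{N}{p}}, \qquad W_q = p\,T_q = \frac{\pi}{4}\sqrt{pN}, \qquad W_q\,T_q = \frac{\pi^2}{16}\,N .$$

Halving the wall-clock time therefore doubles the total work, and the square-root advantage over the classical $W = N$ shrinks as more parallelism is used. With circuit depth capped at $D$ (NIST's MAXDEPTH, taken between $2^{40}$ and $2^{96}$), $T_q \le D$ forces

$$W_q \ge \frac{\pi^2}{16}\,\frac{N}{D} \approx 2^{\,k - \log_2 D}$$

oracle calls, each of which is a full cipher circuit. For $k = 128$ and $D = 2^{40}$ that is on the order of $2^{88}$ quantum cipher evaluations (NIST's call for proposals states level 1 as about $2^{170}/\text{MAXDEPTH}$ gates once the AES circuit cost is counted); for $k = 160$ it is on the order of $2^{120}$. The longer key raises this bound by $2^{32}$ while the round counts, which govern the classical attacks, stay as they are, which is the trade-off the quoted paragraph describes.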

dhcgn commented 1 year ago

PR #404 is closed.