This patch implements Ascon-Hash256. Ascon-Hash256 is a hash function as a part
	of the Ascon-Based Lightweight Cryptography Standards for Constrained Devices,
	published as NIST SP 800-232 (https://csrc.nist.gov/pubs/sp/800/232/final).

Signed-off-by: Rusydi H. Makarim <rusydi.makarim@kriptograf.id>
---
Rusydi H. Makarim (3):
      lib/crypto: Add KUnit test vectors for Ascon-Hash256
      lib/crypto: Initial implementation of Ascon-Hash256
      crypto: Crypto API implementation of Ascon-Hash256

 crypto/Kconfig                         |   7 +
 crypto/Makefile                        |   1 +
 crypto/ascon_hash.c                    |  86 ++++++++++++
 include/crypto/ascon_hash.h            |  97 ++++++++++++++
 lib/crypto/Kconfig                     |   8 ++
 lib/crypto/Makefile                    |   5 +
 lib/crypto/ascon_hash.c                | 154 +++++++++++++++++++++
 lib/crypto/hash_info.c                 |   2 +
 lib/crypto/tests/Kconfig               |   9 ++
 lib/crypto/tests/Makefile              |   1 +
 lib/crypto/tests/ascon_hash-testvecs.h | 235 +++++++++++++++++++++++++++++++++
 lib/crypto/tests/ascon_hash_kunit.c    |  33 +++++
 12 files changed, 638 insertions(+)
---
base-commit: 92de2d349e02c2dd96d8d1b7016cc78cf80fc085
change-id: 20251214-ascon_hash256-704130f41b29

Best regards,
-- 
Rusydi H. Makarim <rusydi.makarim@kriptograf.id>

On Mon, Dec 15, 2025 at 02:54:33PM +0700, Rusydi H. Makarim wrote:
> This patch implements Ascon-Hash256. Ascon-Hash256 is a hash function as a part
> 	of the Ascon-Based Lightweight Cryptography Standards for Constrained Devices,
> 	published as NIST SP 800-232 (https://csrc.nist.gov/pubs/sp/800/232/final).
> 
> Signed-off-by: Rusydi H. Makarim <rusydi.makarim@kriptograf.id>

What is the use case for supporting this algorithm in the kernel?  Which
specific kernel subsystem will be using this algorithm, and why?

There's a significant maintainence cost to each supported algorithm.  So
if there's no in-kernel user, there's no need to add this.

- Eric

On 2025-12-16 03:19, Eric Biggers wrote:
> On Mon, Dec 15, 2025 at 02:54:33PM +0700, Rusydi H. Makarim wrote:
>> This patch implements Ascon-Hash256. Ascon-Hash256 is a hash function 
>> as a part
>> 	of the Ascon-Based Lightweight Cryptography Standards for Constrained 
>> Devices,
>> 	published as NIST SP 800-232 
>> (https://csrc.nist.gov/pubs/sp/800/232/final).
>> 
>> Signed-off-by: Rusydi H. Makarim <rusydi.makarim@kriptograf.id>
> 
> What is the use case for supporting this algorithm in the kernel?  
> Which
> specific kernel subsystem will be using this algorithm, and why?

Ascon is a NIST standard (published in August 2025) for hashing, XOF, 
and AEAD in resource-constrained devices. Since it is a NIST standard, 
akin to AES and SHA-3, it will eventually find its way into the Linux 
kernel. It is only a matter of _when_ it becomes part of the kernel.

> There's a significant maintainence cost to each supported algorithm.  
> So
> if there's no in-kernel user, there's no need to add this.

While no direct in-kernel use as of now, adding this primitive now 
reduces the barrier for future adoption by kernel subsystems. 
Ascon-Hash256 specifically can serve as an alternative hash function to 
SHA-3 or Blake for existing use cases on devices that require more 
lightweight hashing.

The implementation of the standard starts with Ascon-Hash256 and is 
intentionally kept minimal to gather initial feedback. The final goal is 
to implement the complete NIST SP 800-232 in the kernel, which also 
includes Ascon-XOF128, Ascon-CXOF128, and Ascon-AEAD128.

> 
> - Eric

Best,
Rusydi

On Tue, Dec 16, 2025 at 01:27:17PM +0700, Rusydi H. Makarim wrote:
> While no direct in-kernel use as of now

Thanks for confirming.  We only add algorithms when there is a real
user, so it's best to hold off on this for now.

- Eric