Cryptology ePrint Archive: Report 2015/030
Cryptanalysis of Ascon
Christoph Dobraunig and Maria Eichlseder and Florian Mendel and Martin Schläffer
Abstract: We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the design document regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.
Category / Keywords: secret-key cryptography / authenticated encryption, cryptanalysis, CAESAR initiative, Ascon
Original Publication (with minor differences): CT-RSA 2015
Date: received 13 Jan 2015
Contact author: christoph dobraunig at iaik tugraz at
Available format(s): PDF | BibTeX Citation
Note: Extended version of CT-RSA 2015 paper.
Version: 20150114:165137 (All versions of this report)
Short URL: ia.cr/2015/030
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]