You are looking at a specific version 20150114:165137 of this paper. See the latest version.

Paper 2015/030

Cryptanalysis of Ascon

Christoph Dobraunig and Maria Eichlseder and Florian Mendel and Martin Schläffer

Abstract

We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the design document regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.

Note: Extended version of CT-RSA 2015 paper.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. CT-RSA 2015
Keywords
authenticated encryptioncryptanalysisCAESAR initiativeAscon
Contact author(s)
christoph dobraunig @ iaik tugraz at
History
2017-07-31: revised
2015-01-14: received
See all versions
Short URL
https://ia.cr/2015/030
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.