Paper 2017/160

Conditional Cube Attack on Round-Reduced ASCON

Zheng Li, Xiaoyang Dong, and Xiaoyun Wang

Abstract

This paper evaluates the secure level of authenticated encryption Ascon against cube-like method. Ascon submitted by Dobraunig et al. is one of 16 survivors of the 3rd round CAESAR competition. The cube-like method is first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced Ascon, whose structure is similar to Keccak keyed modes. However, for Ascon the non-linear layer is more complex and state is much smaller, which make it hard for the attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack is on 6-round Ascon, while for Keccak keyed modes (Keccak-MAC and Keyak) the attacked round is no less than 7-round. In this paper, we generalize the conditional cube attack proposed by Huang et al., and find new cubes depending on some key bit conditions for 5/6-round reduced Ascon, and translate the previous theoretic 6-round attack with $2^{66}$ time complexity to a practical one with $2^{40}$ time complexity. Moreover, we propose the first 7-round key-recovery attack on Ascon. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch the cube tester to determine if the key falls into it. Finally, we recover the full key space by testing all the key subsets. The total time complexity is about $2^{103.9}$. In addition, for a weak-key subset, whose size is $2^{117}$, the attack is more efficient and costs only $2^{77}$ time complexity. Those attacks do not threaten the full round (12 rounds) Ascon.

Metadata
Available format(s)
PDF
Publication info
A minor revision of an IACR publication in FSE 2017
Keywords
secret-key cryptography
Contact author(s)
lizhengcn @ mail sdu edu cn
dongxiaoyang @ mail sdu edu cn
History
2017-02-23: received
Short URL
https://ia.cr/2017/160
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/160,
      author = {Zheng Li and Xiaoyang Dong and Xiaoyun Wang},
      title = {Conditional Cube Attack on Round-Reduced {ASCON}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2017/160},
      year = {2017},
      url = {https://eprint.iacr.org/2017/160}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.