Cryptology ePrint Archive: Report 2015/030

Cryptanalysis of Ascon

Christoph Dobraunig and Maria Eichlseder and Florian Mendel and Martin Schläffer

Abstract: We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the design document regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.

Category / Keywords: secret-key cryptography / authenticated encryption, cryptanalysis, CAESAR initiative, Ascon

Original Publication (in the same form): CT-RSA 2015

Date: received 13 Jan 2015, last revised 31 Jul 2017

Contact author: christoph dobraunig at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Note: Added link to final publication

Version: 20170731:142600 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]