Paper 2019/1115

Collision Attacks on Round-Reduced Gimli-Hash/Ascon-Xof/Ascon-Hash

Rui Zong, Xiaoyang Dong, and Xiaoyun Wang


The NIST-approved lightweight cryptography competition is an ongoing project to look for some algorithms as lightweight cryp- tographic standards. Recently, NIST chooses 32 algorithms from the 57 submissions as Round 2 candidates. Gimli and Ascon are both the Round 2 candidates. In this paper, we analyze the security of their hash mode against collision attacks. Con- cretely, we mount collision attacks on three hash functions: Gimli-Hash, Ascon-Xof and Ascon-Hash. These three hash functions are all based on sponge constructions. We give two attack strategies for searching collisions in sponge-based hash functions. Following one strategy, we give two non-practical collision attacks: a 6-round collision attack on Gimli-Hash with time complexity 2113and a 2-round collision attack on Ascon-Hash with time complexity 2125. Following the other strategy, we give a practical attack on 2-round Ascon-Xof with a 64-bit output. The time complexity is 215. We search for the differential characteristics using the MILP technique and the target differential algorithm.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Collision AttackGimli-HashAscon-XofAscon-HashAttack StrategySponge-based Hash Function
Contact author(s)
zongrui3 @ 163 com
2019-10-03: last of 2 revisions
2019-10-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Rui Zong and Xiaoyang Dong and Xiaoyun Wang},
      title = {Collision Attacks on Round-Reduced Gimli-Hash/Ascon-Xof/Ascon-Hash},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1115},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.