Paper 2019/1370

A Subset Fault Analysis of ASCON

Priyanka Joshi and Bodhisatwa Mazumdar


ASCON is an authenticated encryption scheme, selected as the first choice for the lightweight use case in the CAESAR competition in February 2019. In this work, we investigate vulnerabilities of ASCON against fault analysis. We observe that the use of a 128-bit random nonce makes it resistant to many cryptanalysis techniques such as differential and linear cryptanalysis and their variants. However, XORing the key just before releasing the tag T (a public value) creates a trivial attack path. Also, the S-box exhibits non-random behavior under subset cryptanalysis. We observe that if the 3rd bit of the S-box input is set to zero, then the XOR of the last two output bits is zero with a probability of $0.625$, i.e., this characteristic is present in 10 out of 16 cases. Our subset fault analysis (SSFA) attack uses this property to retrieve the 128-bit secret key. The SSFA attack can uniquely retrieve the key of full-round ASCON with a complexity of $2^{64}$.
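The S-box statistic quoted above can be reproduced directly from the public ASCON S-box. The script below is an added example, not code from the paper or the ASCON project: it builds the 5-bit S-box both from the specification's lookup table and from its bitsliced Boolean description (as a cross-check that the table is transcribed correctly), then counts, over the 16 inputs with the relevant bit fixed to zero, how often the XOR of two output bits is zero. It also runs the same count for every (input bit, fixed value, output-bit pair) so the quoted case can be compared against the near-8/16 behaviour a random permutation would give. Bit naming is an assumption: inputs are x0..x4 with x0 the most significant bit as in the ASCON specification, "3rd input bit" is read as x2, and "last two output bits" as y3 and y4; under that reading the count is exactly 10/16.

```python
"""Reproduce the S-box property quoted in the abstract of ePrint 2019/1370.

Added example, not code from the paper. Bit naming follows the ASCON
specification: a 5-bit S-box word is x0 x1 x2 x3 x4 with x0 the most
significant bit. "3rd input bit" is read as x2 and "last two output bits"
as y3, y4 (both are assumptions about the abstract's wording).
"""
from itertools import combinations

# ASCON 5-bit S-box lookup table, as given in the ASCON specification.
ASCON_SBOX = [
    0x04, 0x0b, 0x1f, 0x14, 0x1a, 0x15, 0x09, 0x02, 0x1b, 0x05, 0x08, 0x12, 0x1d, 0x03, 0x06, 0x1c,
    0x1e, 0x13, 0x07, 0x0e, 0x00, 0x0d, 0x11, 0x18, 0x10, 0x0c, 0x01, 0x19, 0x16, 0x0a, 0x0f, 0x17,
]


def bitsliced_sbox(x):
    """ASCON S-box evaluated from its bitsliced (Boolean-function) description,
    one 5-bit input at a time; used to cross-check the lookup table above."""
    x0, x1, x2, x3, x4 = [(x >> (4 - i)) & 1 for i in range(5)]
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0 = (x0 ^ 1) & x1; t1 = (x1 ^ 1) & x2; t2 = (x2 ^ 1) & x3
    t3 = (x3 ^ 1) & x4; t4 = (x4 ^ 1) & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 ^= 1
    return (x0 << 4) | (x1 << 3) | (x2 << 2) | (x3 << 1) | x4


def table_matches_bitsliced():
    """True if the lookup table and the bitsliced form agree on all 32 inputs."""
    return all(bitsliced_sbox(x) == ASCON_SBOX[x] for x in range(32))


def bit(v, i):
    """Bit i of a 5-bit value, i = 0 being the most significant (spec numbering)."""
    return (v >> (4 - i)) & 1


def conditional_count(in_bit, in_value, out_bits, sbox=ASCON_SBOX):
    """Among inputs whose bit `in_bit` equals `in_value`, count how many have
    the XOR of the output bits listed in `out_bits` equal to zero.
    Returns (hits, total); total is always 16 for a single fixed input bit."""
    hits = total = 0
    for x in range(32):
        if bit(x, in_bit) != in_value:
            continue
        total += 1
        y = sbox[x]
        if sum(bit(y, j) for j in out_bits) % 2 == 0:  # XOR is zero iff even parity
            hits += 1
    return hits, total


def subset_property():
    """The property quoted in the abstract: x2 = 0 implies y3 ^ y4 = 0
    with probability 10/16 = 0.625."""
    return conditional_count(2, 0, (3, 4))


def scan_all_pairs(sbox=ASCON_SBOX):
    """Same statistic for every (input bit, fixed value, pair of output bits).
    A uniformly random 5-bit permutation would sit near 8/16 everywhere."""
    results = {}
    for i in range(5):
        for v in (0, 1):
            for pair in combinations(range(5), 2):
                results[(i, v, pair)] = conditional_count(i, v, pair, sbox)
    return results


if __name__ == "__main__":
    print("lookup table == bitsliced form:", table_matches_bitsliced())
    hits, total = subset_property()
    print(f"P[y3 ^ y4 = 0 | x2 = 0] = {hits}/{total} = {hits / total:.3f}")
    # The five most skewed (input bit, value, output pair) combinations.
    ranked = sorted(scan_all_pairs().items(), key=lambda kv: -abs(kv[1][0] - 8))
    for (i, v, (a, b)), (h, t) in ranked[:5]:
        print(f"  x{i}={v}: P[y{a} ^ y{b} = 0] = {h}/{t}")
```

Running the script prints the 10/16 figure for the quoted case and lists the other skewed combinations, which is the quick check a reviewer would do before trusting a bias-based fault-analysis claim against a given S-box.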

Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: Authenticated encryption, ASCON, subset cryptanalysis, fault analysis, bit-set/reset faults
Contact author(s): phd1801201001 @ iiti ac in
2019-11-28: received
License: Creative Commons Attribution


@misc{cryptoeprint:2019/1370,
      author = {Priyanka Joshi and Bodhisatwa Mazumdar},
      title = {A Subset Fault Analysis of ASCON},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1370},
      year = {2019},
      note = {\url{}},
      url = {}
}