Paper 2019/1370

A Subset Fault Analysis of ASCON

Priyanka Joshi and Bodhisatwa Mazumdar

Abstract

ASCON is an authenticated encryption scheme, selected as the first choice for the lightweight use case in the CAESAR competition in February 2019. In this work, we investigate vulnerabilities of ASCON against fault analysis. We observe that the use of a 128-bit random nonce makes it resistant against many cryptanalysis techniques, such as differential and linear cryptanalysis and their variants. However, XORing the key just before releasing the tag T (a public value) creates a trivial attack path. Also, the S-box demonstrates non-random behavior under subset cryptanalysis. We observe that if the 3rd bit of the S-box input is set to zero, then the XOR of the last two output bits is zero with a probability of $0.625$, i.e., this characteristic is present in 10 out of 16 cases. Our subset fault analysis (SSFA) attack uses this property to retrieve the 128-bit secret key. The SSFA attack can uniquely retrieve the key of full-round ASCON with a complexity of $2^{64}$.
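The S-box characteristic quoted above can be checked directly from the public S-box. The following Python script is an added illustration, not the paper's own code: it evaluates the ASCON S-box from its bitsliced description in the specification, compares it against the specification's lookup table, and counts the subset characteristic, assuming the abstract's "3rd bit" is x2 in the specification's x0..x4 numbering (x0 most significant), which is the reading that reproduces the stated 10 out of 16. The bit-index convention of `subset_count` is this example's own.

```python
# Constructed check of the ASCON S-box subset property quoted in the abstract.
# Bit naming follows the ASCON specification: x0 is the most significant and
# x4 the least significant of the five input bits; y0..y4 likewise for the
# output.  "Last two output bits" therefore means y3 and y4 (mask 0b00011).

# Reference lookup table from the ASCON specification (index = 5-bit input).
ASCON_SBOX = [
    0x4, 0xb, 0x1f, 0x14, 0x1a, 0x15, 0x9, 0x2, 0x1b, 0x5, 0x8, 0x12, 0x1d, 0x3, 0x6, 0x1c,
    0x1e, 0x13, 0x7, 0xe, 0x0, 0xd, 0x11, 0x18, 0x10, 0xc, 0x1, 0x19, 0x16, 0xa, 0xf, 0x17,
]


def sbox_bitsliced(x: int) -> int:
    """ASCON S-box evaluated from its bitsliced (chi-like) description."""
    x0, x1, x2, x3, x4 = (x >> 4) & 1, (x >> 3) & 1, (x >> 2) & 1, (x >> 1) & 1, x & 1
    x0 ^= x4; x4 ^= x3; x2 ^= x1                      # linear input layer
    t0 = (x0 ^ 1) & x1; t1 = (x1 ^ 1) & x2; t2 = (x2 ^ 1) & x3
    t3 = (x3 ^ 1) & x4; t4 = (x4 ^ 1) & x0            # non-linear chi terms
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 ^= 1             # linear output layer
    return (x0 << 4) | (x1 << 3) | (x2 << 2) | (x3 << 1) | x4


def bitsliced_matches_table() -> bool:
    """Sanity check: the bitsliced evaluation reproduces the reference table."""
    return all(sbox_bitsliced(x) == ASCON_SBOX[x] for x in range(32))


def subset_count(in_bit: int, in_value: int, out_mask: int):
    """Restrict inputs to those whose bit `in_bit` (0 = LSB = x4, 4 = MSB = x0)
    equals `in_value`; count how often the parity of the output bits selected
    by `out_mask` is zero.  Returns (hits, subset_size)."""
    subset = [x for x in range(32) if ((x >> in_bit) & 1) == in_value]
    hits = sum(1 for x in subset if bin(ASCON_SBOX[x] & out_mask).count("1") % 2 == 0)
    return hits, len(subset)


def paper_property():
    """The abstract's characteristic: x2 = 0 (bit index 2) and y3 XOR y4 == 0."""
    return subset_count(in_bit=2, in_value=0, out_mask=0b00011)


if __name__ == "__main__":
    hits, size = paper_property()
    print(f"x2=0: y3^y4==0 in {hits}/{size} cases ({hits / size:.3f})")   # 10/16 (0.625)
    hits, size = subset_count(2, 1, 0b00011)
    print(f"x2=1: y3^y4==0 in {hits}/{size} cases ({hits / size:.3f})")   # 6/16 (0.375)
```

Over all 32 inputs the parity y3 XOR y4 is balanced (16 of 32), as it must be for a permutation; the skew appears only once the input is restricted to the x2 = 0 subset, which is exactly the subset a bit-reset fault on that position produces.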

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: Authenticated encryptions, ASCON, subset cryptanalysis, fault analysis, bit-set/reset faults
Contact author(s): phd1801201001 @ iiti ac in
History: 2019-11-28: received
Short URL: https://ia.cr/2019/1370
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2019/1370,
      author = {Priyanka Joshi and Bodhisatwa Mazumdar},
      title = {A Subset Fault Analysis of {ASCON}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/1370},
      year = {2019},
      url = {https://eprint.iacr.org/2019/1370}
}