Paper 2021/194

Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon

Raghvendra Rohit, Kai Hu, Sumanta Sarkar, and Siwei Sun


Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schl{ä}ffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to $7$ (out of $12$) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of $2^{64}$ blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named as \textit{partial polynomial multiplication} for which computations take place between the so-called degree-$d$ homogeneous parts of the involved Boolean functions for a $2d$-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about $2^{123}$ 7-round Ascon permutations and requires $2^{64}$ data and $2^{101}$ bits memory. Also, based on division properties, we identify several 60 dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights in the security analysis of Ascon.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. IACR-ToSC 2021 (Issue 1)
AsconAuthenticated encryptionCube attackDivision propertyPartial polynomial multiplication
Contact author(s)
raghvendra-singh rohit @ irisa fr
hukai @ mail sdu edu cn
sumanta sarkar1 @ tcs com
siweisun isaac @ gmail com
2021-02-24: received
Short URL
Creative Commons Attribution


      author = {Raghvendra Rohit and Kai Hu and Sumanta Sarkar and Siwei Sun},
      title = {Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon},
      howpublished = {Cryptology ePrint Archive, Paper 2021/194},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.