## Cryptology ePrint Archive: Report 2021/194

Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon

Raghvendra Rohit and Kai Hu and Sumanta Sarkar and Siwei Sun

Abstract: Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon, due to Li et al. (ToSC Vol I, 2017), could only penetrate up to $7$ (out of $12$) rounds. However, it violates the data limit of $2^{64}$ blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named *partial polynomial multiplication*, in which computations take place between the so-called degree-$d$ homogeneous parts of the involved Boolean functions for a $2d$-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about $2^{123}$ 7-round Ascon permutations and requires $2^{64}$ data and $2^{101}$ bits of memory. Also, based on division properties, we identify several 60-dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights into the security analysis of Ascon.

Category / Keywords: secret-key cryptography / Ascon, Authenticated encryption, Cube attack, Division property, Partial polynomial multiplication

Original Publication (in the same form): IACR-ToSC 2021 (Issue 1)

Date: received 22 Feb 2021, last revised 22 Feb 2021

Contact author: raghvendra-singh rohit at irisa fr, hukai@mail sdu edu cn, sumanta sarkar1@tcs com, siweisun isaac@gmail com

Short URL: ia.cr/2021/194