Paper 2022/544

Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting

Donghoon Chang, Deukjo Hong, and Jinkeon Kang

Abstract

Ascon-128 and Ascon-80pq use 12-round Ascon permutation for initialization and finalization phases and 6-round Ascon permutation for processing associate data and message. In a nonce-misuse setting, we present a new partial-state-recovery conditional-cube attack on Ascon-128 and Ascon-80pq, where 192 bits out of 320-bit state are recovered. For our partial state-recovery attack, its required data complexity, D, is about 244.8 and its required memory complexity, M, is negligible. After a 192-bit partial state is recovered, in a nonce-misuse setting, we can further recover the full 320-bit state with time complexity, T=2128, and then we can recover the secret key with extra data complexity of 231.5, extra time complexity of 2129.5, and memory complexity of 231.5. A similar attack of recovering the partial state was independently developed by Baudrin et al. at NIST fifth Lightweight Cryptography workshop. Note that our attack does not violate the NIST LWC security requirements on Ascon-128 and Ascon-80pq as well as the designers' claims.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Ascon-128Ascon-80pqlightweight cryptographystate recoverykey recovery
Contact author(s)
pointchang @ gmail com
deukjo hong @ jbnu ac kr
jinkeon kang @ nist gov
History
2022-05-10: received
Short URL
https://ia.cr/2022/544
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2022/544,
      author = {Donghoon Chang and Deukjo Hong and Jinkeon Kang},
      title = {Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/544},
      year = {2022},
      url = {https://eprint.iacr.org/2022/544}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.