Paper 2022/544
Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting
Donghoon Chang, Deukjo Hong, and Jinkeon Kang
Abstract
Ascon-128 and Ascon-80pq use the 12-round Ascon permutation for the initialization and finalization phases and the 6-round Ascon permutation for processing associated data and message blocks. In a nonce-misuse setting, we present a new partial-state-recovery conditional-cube attack on Ascon-128 and Ascon-80pq, in which 192 bits of the 320-bit state are recovered. For our partial state-recovery attack, the required data complexity, \(D\), is about \(2^{44.8}\) and the required memory complexity, \(M\), is negligible. After the 192-bit partial state is recovered, still in a nonce-misuse setting, we can further recover the full 320-bit state with time complexity \(T=2^{128}\), and then recover the secret key with extra data complexity of \(2^{31.5}\), extra time complexity of \(2^{129.5}\), and memory complexity of \(2^{31.5}\). A similar attack recovering the partial state was independently developed by Baudrin et al. at the NIST fifth Lightweight Cryptography workshop. Note that our attack violates neither the NIST LWC security requirements on Ascon-128 and Ascon-80pq nor the designers' claims.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- Ascon-128, Ascon-80pq, lightweight cryptography, state recovery, key recovery
- Contact author(s)
- pointchang @ gmail com
- deukjo hong @ jbnu ac kr
- jinkeon kang @ nist gov
- History
- 2022-05-10: received
- Short URL
- https://ia.cr/2022/544
- License
- CC BY
BibTeX
@misc{cryptoeprint:2022/544,
  author = {Donghoon Chang and Deukjo Hong and Jinkeon Kang},
  title = {Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/544},
  year = {2022},
  url = {https://eprint.iacr.org/2022/544}
}