Paper 2022/544

Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting

Donghoon Chang, Deukjo Hong, and Jinkeon Kang


Ascon-128 and Ascon-80pq use 12-round Ascon permutation for initialization and finalization phases and 6-round Ascon permutation for processing associate data and message. In a nonce-misuse setting, we present a new partial-state-recovery conditional-cube attack on Ascon-128 and Ascon-80pq, where 192 bits out of 320-bit state are recovered. For our partial state-recovery attack, its required data complexity, \(D\), is about \(2^{44.8}\) and its required memory complexity, \(M\), is negligible. After a 192-bit partial state is recovered, in a nonce-misuse setting, we can further recover the full 320-bit state with time complexity, \(T=2^{128}\), and then we can recover the secret key with extra data complexity of \(2^{31.5}\), extra time complexity of \(2^{129.5}\), and memory complexity of \(2^{31.5}\). A similar attack of recovering the partial state was independently developed by Baudrin et al. at NIST fifth Lightweight Cryptography workshop. Note that our attack does not violate the NIST LWC security requirements on Ascon-128 and Ascon-80pq as well as the designers' claims.

Available format(s)
Secret-key cryptography
Publication info
Preprint. Minor revision.
Ascon-128Ascon-80pqlightweight cryptographystate recoverykey recovery
Contact author(s)
pointchang @ gmail com
deukjo hong @ jbnu ac kr
jinkeon kang @ nist gov
2022-05-10: received
Short URL
Creative Commons Attribution


      author = {Donghoon Chang and Deukjo Hong and Jinkeon Kang},
      title = {Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting},
      howpublished = {Cryptology ePrint Archive, Paper 2022/544},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.