Paper 2023/775

Exact Security Analysis of ASCON

Bishwajit Chakraborty, Indian Statistical Institute
Chandranan Dhar, Indian Statistical Institute
Mridul Nandi, Indian Statistical Institute

The Ascon cipher suite, offering both authenticated encryption with associated data (AEAD) and hashing functionality, has recently emerged as the winner of the NIST Lightweight Cryptography (LwC) standardization process. The AEAD schemes within Ascon, namely Ascon-128 and Ascon-128a, have also been previously selected as the preferred lightweight authenticated encryption solutions in the CAESAR competition. In this paper, we present a tight and comprehensive security analysis of the Ascon AEAD schemes within the random permutation model. Existing integrity analyses of Ascon (and any Duplex AEAD scheme in general) commonly include the term $DT/2^c$, where $D$ and $T$ represent data and time complexities respectively, and $c$ denotes the capacity of the underlying sponge. In this paper, we demonstrate that Ascon achieves AE security when $T$ is bounded by $\min\{2^{\kappa}, 2^c\}$ (where $\kappa$ is the key size), and $DT$ is limited to $2^b$ (with $b$ being the size of the underlying permutation, which is 320 for Ascon). Our findings indicate that in accordance with NIST requirements, Ascon allows for a tag size as low as 64 bits while enabling a higher rate of 184 bits, surpassing the recommended rate.

Note: There are two changes between this version and the original version (Asiacrypt 2023 version). First, in the original version, the key-size was taken lesser than or equal to that of the capacity. However, the key-size needs to be strictly lesser than the capacity, for reasons mentioned in the revised version. As a result, we recommend increasing the capacity to 136 bits (one byte more than the key-size). Second, a bad event related to the permutation compatibility of the tag generation input-output pairs of encryption queries with previous permutation queries was missed in the original version. This has been updated here. Note that there has been no compromise with the security because of this.

Available format(s)
Secret-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2023
AsconAEADtight securitylightweight cryptography
Contact author(s)
bishu math ynwa @ gmail com
chandranandhar @ gmail com
mridul nandi @ gmail com
2023-10-27: last of 2 revisions
2023-05-27: received
See all versions
Short URL
Creative Commons Attribution-ShareAlike


      author = {Bishwajit Chakraborty and Chandranan Dhar and Mridul Nandi},
      title = {Exact Security Analysis of ASCON},
      howpublished = {Cryptology ePrint Archive, Paper 2023/775},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.