Paper 2023/796

Generic Security of the Ascon Mode: On the Power of Key Blinding

Charlotte Lefevre, Radboud University Nijmegen
Bart Mennink, Radboud University Nijmegen

The Ascon authenticated encryption scheme has recently been selected as winner of the NIST Lightweight Cryptography competition. Despite its fame, however, there is no known overall generic security treatment of its mode: most importantly, all earlier related generic security results only use the key to initialize the state and do not take into account key blinding internally and at the end. In this work we present a thorough security analysis of the Ascon mode: we consider multi-user and possibly nonce-misuse security by default, but more importantly, we particularly investigate the role of the key blinding. More technically, our analysis includes an authenticity study in various attack settings. This analysis includes a description of a security model of authenticity under state recovery that captures the idea that the mode aims to still guarantee authenticity and security against key recovery even if an inner state is revealed to the adversary in some way, for instance through leakage. We prove that Ascon satisfies this security property, thanks to its unique key blinding technique.

Category
Secret-key cryptography
Keywords
Ascon, NIST LWC, authenticated encryption, key blinding, security under state recovery
Contact author(s)
Charlotte lefevre @ ru nl
b mennink @ cs ru nl
2023-10-06: last of 2 revisions
2023-05-31: received
Creative Commons Attribution


      author = {Charlotte Lefevre and Bart Mennink},
      title = {Generic Security of the Ascon Mode: On the Power of Key Blinding},
      howpublished = {Cryptology ePrint Archive, Paper 2023/796},
      year = {2023},
      note = {\url{}},
      url = {}