Paper 2023/796
Generic Security of the Ascon Mode: On the Power of Key Blinding
Abstract
The Ascon authenticated encryption scheme has recently been selected as winner of the NIST Lightweight Cryptography competition. Despite its fame, however, there is no known overall generic security treatment of its mode: most importantly, all earlier related generic security results only use the key to initialize the state and do not take into account key blinding internally and at the end. In this work we present a thorough security analysis of the Ascon mode: we consider multi-user and possibly nonce-misuse security by default, but more importantly, we particularly investigate the role of the key blinding. More technically, our analysis includes an authenticity study in various attack settings. This analysis includes a description of a security model of authenticity under state recovery, that captures the idea that the mode aims to still guarantee authenticity and security against key recovery even if an inner state is revealed to the adversary in some way, for instance through leakage. We prove that Ascon satisfies this security property, thanks to its unique key blinding technique.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. Minor revision. SAC 2024
- Keywords
- AsconNIST LWCauthenticated encryptionkey blindingsecurity under state recovery
- Contact author(s)
-
Charlotte lefevre @ ru nl
b mennink @ cs ru nl - History
- 2024-12-06: last of 4 revisions
- 2023-05-31: received
- See all versions
- Short URL
- https://ia.cr/2023/796
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/796, author = {Charlotte Lefevre and Bart Mennink}, title = {Generic Security of the Ascon Mode: On the Power of Key Blinding}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/796}, year = {2023}, url = {https://eprint.iacr.org/2023/796} }