Paper 2023/796

Generic Security of the Ascon Mode: On the Power of Key Blinding

Charlotte Lefevre, Radboud University Nijmegen
Bart Mennink, Radboud University Nijmegen
Abstract

The Ascon authenticated encryption scheme has recently been selected as winner of the NIST Lightweight Cryptography competition. Despite its fame, however, there is no known overall generic security treatment of its mode: most importantly, all earlier related generic security results only use the key to initialize the state and do not take into account key blinding internally and at the end. In this work we present a thorough security analysis of the Ascon mode: we consider multi-user and possibly nonce-misuse security by default, but more importantly, we particularly investigate the role of the key blinding. More technically, our analysis includes an authenticity study in various attack settings. This analysis includes a description of a security model of authenticity under state recovery, that captures the idea that the mode aims to still guarantee authenticity and security against key recovery even if an inner state is revealed to the adversary in some way, for instance through leakage. We prove that Ascon satisfies this security property, thanks to its unique key blinding technique.
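The role of the key blinding described above, as an added toy model that is not the paper's or the Ascon team's code: `init` and `finalize` XOR the key into the state at the points where the Ascon mode does (after initialisation, below the rate before the final permutation, and onto the tag), and `tag_from_leaked_state` models a party who has learned the inner state but not the key. The permutation (a SHA-256 stand-in, not Ascon's p), the block sizes and the sample key and nonce are assumptions of this model.

```python
import hashlib

# Assumptions of this toy model: a 40-byte state (as in Ascon), 16-byte key and
# nonce, 8-byte rate, 16-byte tag, and perm() as a SHA-256-based stand-in for the
# Ascon permutation. Encryption is omitted; only authenticity is modelled.
STATE, KEY, RATE, TAG = 40, 16, 8, 16
IV = b"toy-IV!!"  # constructed 8-byte constant standing in for Ascon's IV word

def perm(state: bytes) -> bytes:
    """Public mixing function playing the role of the permutation p (not Ascon's p)."""
    h = hashlib.sha256(b"p|" + state).digest()
    return (h + hashlib.sha256(h).digest())[:STATE]

def xor_at(state: bytes, value: bytes, offset: int) -> bytes:
    """XOR `value` into `state` starting at byte `offset`."""
    out = bytearray(state)
    for i, b in enumerate(value):
        out[offset + i] ^= b
    return bytes(out)

def init(key: bytes, nonce: bytes, blinded: bool) -> bytes:
    """Initialisation: IV || K || N through p, then (in Ascon) K XORed in again."""
    state = perm(IV + key + nonce)
    return xor_at(state, key, STATE - KEY) if blinded else state

def absorb(state: bytes, msg: bytes) -> bytes:
    """Absorb the 10*-padded message into the rate part, one block per permutation call."""
    padded = msg + b"\x80" + b"\x00" * ((RATE - 1 - len(msg) % RATE) % RATE)
    for i in range(0, len(padded), RATE):
        state = perm(xor_at(state, padded[i:i + RATE], 0))
    return state

def finalize(state: bytes, key: bytes, blinded: bool) -> bytes:
    """Finalisation: K XORed below the rate before p, and again onto the tag (Ascon)."""
    if blinded:
        state = xor_at(state, key, RATE)
    tag = perm(state)[STATE - TAG:]
    return xor_at(tag, key, 0) if blinded else tag

def tag_of(key: bytes, nonce: bytes, msg: bytes, blinded: bool) -> bytes:
    """Honest tag computation with the key."""
    return finalize(absorb(init(key, nonce, blinded), msg), key, blinded)

def tag_from_leaked_state(state: bytes, msg: bytes, blinded: bool) -> bytes:
    """What a party holding the inner state after initialisation, but not K, can compute:
    it can run the public permutation, but must substitute zeros where Ascon uses K."""
    return finalize(absorb(state, msg), bytes(KEY), blinded)
```

With `blinded=False` the leaked state alone reproduces the correct tag of any message under that nonce; with `blinded=True` it does not, which is the authenticity-under-state-recovery property the abstract refers to.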

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. SAC 2024
Keywords
Ascon, NIST LWC, authenticated encryption, key blinding, security under state recovery
Contact author(s)
Charlotte lefevre @ ru nl
b mennink @ cs ru nl
History
2024-10-10: last of 3 revisions
2023-05-31: received
Short URL
https://ia.cr/2023/796
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/796,
      author = {Charlotte Lefevre and Bart Mennink},
      title = {Generic Security of the Ascon Mode: On the Power of Key Blinding},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/796},
      year = {2023},
      url = {https://eprint.iacr.org/2023/796}
}