Paper 2023/865

A Closer Look at the S-box: Deeper Analysis of Round-Reduced ASCON-HASH

Abstract

ASCON, a lightweight permutation-based primitive, has been selected as NIST’s lightweight cryptography standard. ASCON-HASH is one of the hash functions provided by the cipher suite ASCON. At ToSC 2021, the collision attack on 2-round ASCON-HASH with time complexity 2^{103} was proposed. Due to its small rate, it is always required to utilize at least 2 message blocks to mount a collision attack because each message block is only of size 64 bits. This significantly increases the difficulty of the analysis because one almost needs to analyze equivalently at least $2L$ rounds of ASCON in order to break $L$ rounds. In this paper, we make some critical observations on the round function of ASCON, especially a 2-round property. It is found that such properties can be exploited to reduce the time complexity of the 2-round collision attack to 2^{62.6}. Although the number of attacked rounds is not improved, we believe our techniques shed more insight into the properties of the ASCON permutation and we expect they can be useful for the future research. Following the same analysis method and with SMT technique, we practically find some semi-free-start collision attacks for 4-round ASCON-HASH and ASCON-Xof with STP solver.