Resistance of Ascon Family Against Conditional Cube Attacks in Nonce-Misuse Setting
Main Authors: | Donghoon Chang, Deukjo Hong, Jinkeon Kang, Meltem Sonmez Turan |
---|---|
Affiliation: | National Institute of Standards and Technology, Gaithersburg, MD, USA (all four authors) |
ORCID: | Donghoon Chang: https://orcid.org/0000-0003-1249-2869; Deukjo Hong: https://orcid.org/0000-0002-0998-2958 |
Format: | Article |
Language: | English |
Published: | IEEE, 2023-01-01 |
Series: | IEEE Access, vol. 11, pp. 14501-14516 |
ISSN: | 2169-3536 |
DOI: | 10.1109/ACCESS.2022.3223991 |
Subjects: | Ascon; conditional cube attack; lightweight cryptography; state recovery; key recovery |
Online Access: | https://ieeexplore.ieee.org/document/9957054/ |
Collection: | DOAJ (record doaj.art-4f1c7f3d2ce74ec196975315f767a4c3) |

Abstract:

The Ascon family is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. The family includes three Authenticated Encryption with Associated Data (AEAD) schemes: Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the resistance of the Ascon family against conditional cube attacks in the nonce-misuse setting, and present new state- and key-recovery attacks. Our attacks recover the full state and the secret key of Ascon-128a when reduced to 7 out of 8 rounds of the Ascon permutation for the encryption phase, with 2^117 data and 2^116.2 time. These are the best known attack results for Ascon-128a as far as we know, while violating the data limit of 2^64 imposed by the designers. We also show that partial state information of Ascon-128 can be recovered with 2^44.8 data. Finally, by assuming that the full state information of Ascon-80pq was recovered by Baudrin et al.'s attack, we show that the 160-bit secret key of Ascon-80pq can be recovered with 2^128 time. Although our attacks do not invalidate the designers' security claim, they allow us to understand the security of Ascon in the nonce-misuse setting.