Paper 2015/030

Cryptanalysis of Ascon

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer

Abstract

We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the design document regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.

Note: Added link to final publication

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. CT-RSA 2015
DOI
10.1007/978-3-319-16715-2_20
Keywords
authenticated encryption, cryptanalysis, CAESAR initiative, Ascon
Contact author(s)
christoph dobraunig @ iaik tugraz at
History
2017-07-31: revised
2015-01-14: received
Short URL
https://ia.cr/2015/030
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/030,
      author = {Christoph Dobraunig and Maria Eichlseder and Florian Mendel and Martin Schläffer},
      title = {Cryptanalysis of Ascon},
      howpublished = {Cryptology ePrint Archive, Paper 2015/030},
      year = {2015},
      doi = {10.1007/978-3-319-16715-2_20},
      note = {\url{https://eprint.iacr.org/2015/030}},
      url = {https://eprint.iacr.org/2015/030}
}