Cryptanalysis of Ascon

Christoph Erwin Dobraunig; Maria Eichlseder; Florian Mendel; Martin Schläffer

doi:10.1007/978-3-319-16715-2_20

Cryptanalysis of Ascon

Christoph Erwin Dobraunig^*, Maria Eichlseder, Florian Mendel, Martin Schläffer

^*Corresponding author for this work

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the designers regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.

Original language	English
Title of host publication	Topics in Cryptology - CT-RSA 2015
Place of Publication	Cham
Publisher	Springer
Pages	371-387
ISBN (Electronic)	978-3-319-16714-5
DOIs	https://doi.org/10.1007/978-3-319-16715-2_20
Publication status	Published - 2015
Event	Cryptographers´ Track at the RSA Conference - San Francisco, United States Duration: 20 Apr 2015 → 24 Apr 2015

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	9048

Conference

Conference	Cryptographers´ Track at the RSA Conference
Country/Territory	United States
City	San Francisco
Period	20/04/15 → 24/04/15

Fields of Expertise

Information, Communication & Computing

Access to Document

10.1007/978-3-319-16715-2_20

ascon-analysis.pdfAccepted author manuscript, 341 KB

FWF - AE - Design and Analysis of Next Generation Authenticated Encryption Algorithms
Mendel, F., Dobraunig, C. E. & Eichlseder, M.
1/10/14 → 30/09/17
Project: Research project
SeCoS - Secure Contactless Sphere - Smart RFID-Technologies for a Connected World
Bösch, W., Wenger, E., Khan, H. N., Schmidt, J., Gadringer, M. E., Spreitzer, R. C., Mendel, F., Gruss, D., Hutter, M., Freidl, P. F., Görtschacher, L. J., Mangard, S. & Grosinger, J.
1/01/13 → 31/12/15
Project: Research project
Cryptography
Schläffer, M., Oswald, M. E., Lipp, P., Dobraunig, C. E., Mendel, F., Eichlseder, M., Nad, T., Posch, R., Lamberger, M., Rijmen, V. & Rechberger, C.
1/01/95 → 31/01/19
Project: Research area

Cite this

@inproceedings{09fc44899def4ae0bff23df634b16e9a,

title = "Cryptanalysis of Ascon",

abstract = "We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the designers regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.",

author = "Dobraunig, {Christoph Erwin} and Maria Eichlseder and Florian Mendel and Martin Schl{\"a}ffer",

year = "2015",

doi = "10.1007/978-3-319-16715-2_20",

language = "English",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "371--387",

booktitle = "Topics in Cryptology - CT-RSA 2015",

note = "Cryptographers´ Track at the RSA Conference ; Conference date: 20-04-2015 Through 24-04-2015",

}

TY - GEN

T1 - Cryptanalysis of Ascon

AU - Dobraunig, Christoph Erwin

AU - Eichlseder, Maria

AU - Mendel, Florian

AU - Schläffer, Martin

PY - 2015

Y1 - 2015

N2 - We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the designers regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.

AB - We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the designers regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.

U2 - 10.1007/978-3-319-16715-2_20

DO - 10.1007/978-3-319-16715-2_20

M3 - Conference paper

T3 - Lecture Notes in Computer Science

SP - 371

EP - 387

BT - Topics in Cryptology - CT-RSA 2015

PB - Springer

CY - Cham

T2 - Cryptographers´ Track at the RSA Conference

Y2 - 20 April 2015 through 24 April 2015

ER -

Cryptanalysis of Ascon

Abstract

Publication series

Conference

Fields of Expertise

Access to Document

Fingerprint

Projects

FWF - AE - Design and Analysis of Next Generation Authenticated Encryption Algorithms

SeCoS - Secure Contactless Sphere - Smart RFID-Technologies for a Connected World

Cryptography

Cite this