Practical Cube Attack against Nonce-Misused Ascon

Bibliographic Details
Published in IACR Transactions on Symmetric Cryptology, Vol. 2022, no. 4, pp. 120-144
Main Authors Baudrin, Jules; Canteaut, Anne; Perrin, Léo
Format Journal Article
Language English
Published Ruhr-Universität Bochum, 07.12.2022

Abstract Ascon is a sponge-based Authenticated Encryption with Associated Data scheme that was selected as both one of the winners of the CAESAR competition and one of the finalists of the NIST lightweight cryptography standardization effort. As this competition comes to an end, we analyse the security of this algorithm against cube attacks. We present a practical cube attack against the full 6-round encryption in Ascon in the nonce-misuse setting. We note right away that this attack does not violate the security claims made by the designers of Ascon, due to this setting.

Our cryptanalysis is a conditional cube attack that is capable of recovering the full capacity in practical time; but for Ascon-128, its extension to a key recovery or a forgery is still an open question. First, a careful analysis of the maximum-degree terms in the algebraic normal form of the Ascon permutation allows us to derive linear equations in half of the capacity bits given enough cube sums of dimension 32. Then, depending on the results of this first phase, we identify smaller-degree cubes that allow us to recover the remaining half of the capacity. Overall, our cryptanalysis has a complexity of about 2^40 adaptively chosen plaintexts, and about 2^40 calls to the permutation. We have implemented the full attack and our experiments confirm our claims.

Our results are built on a theoretical framework which allows us to easily identify monomials whose cube-sums provide linear equations in the capacity bits. The coefficients of these monomials have a more general form than those used in the previous attacks against Ascon, and our method enables us to re-frame previous results in a simpler form. Overall, it enables us to gain a deeper understanding of the properties of the permutation, and in particular of its S-box, that make such state-recoveries possible.
Copyright Distributed under a Creative Commons Attribution 4.0 International License
DOI 10.46586/tosc.v2022.i4.120-144
Discipline Computer Science
EISSN 2519-173X
ISSN 2519-173X
IsDoiOpenAccess true
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Keywords Cube attack
Ascon
Nonce-misuse
CAESAR
Lightweight cryptography
Algebraic attack
License http://creativecommons.org/licenses/by/4.0
ORCID 0009-0004-5844-2845
0000-0002-6292-8336
OpenAccessLink https://doaj.org/article/674dd637a5e64de88af78944cec7205f
PageCount 25
PublicationDate 2022-12-07
PublicationTitle IACR Transactions on Symmetric Cryptology
PublicationYear 2022
URI https://inria.hal.science/hal-03901680
https://doaj.org/article/674dd637a5e64de88af78944cec7205f