Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

A New Conditional Cube Attack on Reduced-Round Ascon-128a in a Nonce-misuse Setting



Donghoon Chang, Jinkeon Kang, Meltem Sonmez Turan


Ascon is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. In 2019, Ascon was also selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition. The Ascon family includes three variants; Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the security of Ascon-128a in a nonce-misuse setting, and present new state and key recovery attacks on a reduced-round Ascon-128a in which the internal permutation for associated data and message processing is reduced from 8 to 7 rounds (the number of rounds for initialization and finalization remain unchanged). Our state-recovery attack requires $2^117}$ data and $2^118}$ time with negligible memory. After recovering the state, again in a nonce-misuse scenario, secret key can be recovered with additional $2^32}$ data, $2^97.6}$ time and $2^32}$ memory complexities. The presented attacks do not violate the security claims of the designers.


lightweight cryptography, Ascon, cube attacks


Chang, D. , Kang, J. and Sonmez Turan, M. (2022), A New Conditional Cube Attack on Reduced-Round Ascon-128a in a Nonce-misuse Setting, [online], (Accessed May 25, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created May 9, 2022, Updated November 29, 2022