A New Conditional Cube Attack on Reduced-Round Ascon-128a in a Nonce-misuse Setting
Donghoon Chang, Jinkeon Kang, Meltem Sonmez Turan
Ascon is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. In 2019, Ascon was also selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition. The Ascon family includes three variants; Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the security of Ascon-128a in a nonce-misuse setting, and present new state and key recovery attacks on a reduced-round Ascon-128a in which the internal permutation for associated data and message processing is reduced from 8 to 7 rounds (the number of rounds for initialization and finalization remain unchanged). Our state-recovery attack requires $2^117}$ data and $2^118}$ time with negligible memory. After recovering the state, again in a nonce-misuse scenario, secret key can be recovered with additional $2^32}$ data, $2^97.6}$ time and $2^32}$ memory complexities. The presented attacks do not violate the security claims of the designers.
, Kang, J.
and Sonmez Turan, M.
A New Conditional Cube Attack on Reduced-Round Ascon-128a in a Nonce-misuse Setting, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934568
(Accessed September 28, 2023)