[Resource Topic] 2022/544: Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting

Welcome to the resource topic for 2022/544

Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting

Authors: Donghoon Chang, Deukjo Hong, Jinkeon Kang


Ascon-128 and Ascon-80pq use 12-round Ascon permutation for initialization and finalization phases and 6-round Ascon permutation for processing associate data and message. In a nonce-misuse setting, we present a new partial-state-recovery conditional-cube attack on Ascon-128 and Ascon-80pq, where 192 bits out of 320-bit state are recovered. For our partial state-recovery attack, its required data complexity, (D), is about (2^{44.8}) and its required memory complexity, (M), is negligible. After a 192-bit partial state is recovered, in a nonce-misuse setting, we can further recover the full 320-bit state with time complexity, (T=2^{128}), and then we can recover the secret key with extra data complexity of (2^{31.5}), extra time complexity of (2^{129.5}), and memory complexity of (2^{31.5}). A similar attack of recovering the partial state was independently developed by Baudrin et al. at NIST fifth Lightweight Cryptography workshop. Note that our attack does not violate the NIST LWC security requirements on Ascon-128 and Ascon-80pq as well as the designers’ claims.

ePrint: https://eprint.iacr.org/2022/544

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .