Improved Conditional Cube Attacks on Ascon AEADs in Nonce-Respecting Settings with a Break-Fix Strategy

The best-known distinguisher on 7-round Ascon-128 and Ascon-128a AEAD uses a 60-dimensional cube where the nonce bits are set to be equal in the third and fourth rows of the Ascon state during initialization (Rohit et al. ToSC 2021/1). It was not known how to use this distinguisher to mount key-recovery attacks. In this paper, we investigate this problem using a new strategy called break-fix for the conditional cube attack. The idea is to introduce slightly-modified cubes which increase the degrees of the 7-round output bits to more than 59 (break phase) and then find key conditions which bring the degree back to 59 (fix phase). Using this idea, key-recovery attacks on 7-round Ascon-128, Ascon-128a and Ascon-80pq are proposed. The attacks have better time/memory complexities than the existing attacks, and in some cases improve the weak-key attacks as well.


Introduction
Ascon [DEMS21], designed by Dobraunig, Eichlseder, Mendel, and Schläffer, is a family of lightweight Authenticated Encryptions with Associated Data (AEAD) and hash functions. Ascon has recently been selected as the NIST lightweight cryptography (LWC) standard [Ann], so it is crucial to understand its security in more depth.
This paper studies the security of the Ascon AEADs against conditional cube attacks. The cube attack was originally proposed by Dinur and Shamir on stream ciphers [DS09]. Huang et al. adapted it to analyze the security of permutation-based ciphers such as the Keccak keyed modes [HWX+17]. The technique chooses a set of input variables called the cube variables and observes the value of the coefficient of the maximal-degree term in these cube variables, a.k.a. the superpoly. By carefully selecting cube variables, the value of a superpoly can be controlled by some specific key equations, so it can reveal some key information. This technique has been widely used in analyzing sponge-based AEADs such as [LBDW17, DLWQ17, SGSL18, SG18].
The original version of Ascon has two AEADs: Ascon-128 (the primary recommendation) and Ascon-128a. In its version 1.2, a new variant Ascon-80pq was added to increase the resistance against quantum key search. Most attacks were developed for Ascon-128 but are also applicable to the other members. Analyses of the Ascon AEADs can be divided into several categories according to which part is attacked. For the initialization phase composed of 12 rounds, the most effective attack is the cube-like attack. In [DEMS15], the designers proposed a cube key-recovery attack on up to 6 rounds with the borderline cube technique, where the superpoly of a specific cube involves only a corresponding subpart of the key bits. In [LDW17], Li et al. improved the attack record to 7 rounds using the conditional cube attack. This attack is based on a 65-dimensional cube, which means its data complexity cannot be smaller than $2^{64}$, which is the security claim set by the designers [DEMS21, Chapter 2, Page 9]. The first attack with $2^{64}$ data complexity was proposed by Rohit et al. [RHSS21]; it was also a cube attack, where partial polynomial multiplication and the borderline cube technique were leveraged to efficiently compute the superpoly. In the same paper, the authors also gave a cube distinguisher whose dimension is only 60. In [RS21], Rohit and Sarkar further studied the weak-key properties of the Ascon initialization. More efficient distinguishing and key-recovery attacks were found up to 7 rounds (when the weak-key conditions are satisfied). Besides the cube-like attacks, there are also (higher-order) differential-linear attacks on the Ascon-AEAD initialization up to 5 rounds with better complexities [Tez20, DEMS15, LLL21, HPTY22]. All these attacks on the initialization phase are nonce-respecting.
When it comes to the encryption phase, most attacks are nonce-misuse attacks, i.e., they assume that a single nonce is used for several initializations with the same key (which is forbidden by the designers' security claims). State recovery is usually the first target of attacks on the encryption phase, as in [LZWW17, BCP22, CHKT23]. There are also some attacks on the finalization phase, such as the forgery attack in [GPT21]. A complete enumeration of attacks on Ascon can be found in the latest NIST report [TMC+23].
Of these attacks, the most relevant to this paper is the cube distinguisher for the 7-round Ascon initialization in [RHSS21]. This distinguisher uses a special construction that requires the first 64 bits and the last 64 bits of the nonce to be equal. Then, a division property model [HLM+20, Tod15] finds that the algebraic degrees of the 7-round output bits are at most 59. Unfortunately, it was not known how to utilize this distinguisher to mount a key-recovery attack. On the one hand, its specific structure does not satisfy the borderline cube property [DEMS15], so the superpoly (according to the current theory) involves all key variables, which makes a cube attack based on it impossible. On the other hand, the cube variables in this structure spread fast, so it is difficult to detect a set of key conditions that can separate one variable from the others to stop the maximal-degree (degree-59) cube term from appearing, as in other conditional cube attacks.
Our contributions. The previous conditional cube attacks [LBDW17, DLWQ17, SGSL18, SG18, LDW17] tend to use an elimination strategy: there is a $d$-degree term in the superpoly, and by carefully selecting a set of cube variables, the $d$-degree term can be eliminated when some (simple) key conditions are satisfied. This strategy does not work for the 60-dimensional cube distinguisher given in [RHSS21]. To address this problem, we introduce a new strategy called break-fix. In the break phase, we break the special structure of the 60-dimensional cube (by introducing a slightly modified cube structure) so that the algebraic degrees of the output bits become greater than 59. Then, in the fix phase, we identify a set of key conditions that fixes the changes caused by the "broken" cube structure, so that the algebraic degrees return to 59. During the break-fix process, by observing whether the algebraic degrees go back to 59, the corresponding key information can be recovered.
Our first new conditional cube attack focuses on Ascon-128, but it also applies to Ascon-128a. We introduce 64 proper structures, each of which breaks the original 60-dimensional cube structure. By identifying the key conditions that can fix the changes, we manage to perform key-recovery attacks. For about $2^{127.97}$ (out of $2^{128}$) keys, our attack can recover the 128-bit key with $2^{70}$ data and $2^{72.4}$ time complexity. For the remaining keys, our attack works with $2^{70}$ data complexity and at worst $2^{104.7}$ time complexity.
Considering the data limit set by the designers that one key can protect at most $2^{64}$ blocks of data, we also adapt our attack to a weak-key version to meet this requirement. The first attack works for a weak-key space of size $2^{127.3}$ and can recover all key bits with $2^{64}$ data complexity and $2^{120}$ time complexity. The second attack works for a weak-key space of size $2^{125}$ and can recover all key bits with $2^{63.32}$ data complexity and $2^{115}$ time complexity. The memory cost of our attacks is negligible.
Our second conditional cube attack targets the Ascon-80pq version only. By introducing another set of 32 cube structures that break the 60-dimensional cube structure, we can recover the 32-bit key in the first word of the Ascon-80pq initialization with $2^{65}$ data and time complexity. This process is conducted independently of the above attack on Ascon-128 and Ascon-128a. In other words, after recovering the 32-bit key in the first word, we continue to recover the remaining 128-bit key in the same way as the previous attack on Ascon-128 and Ascon-128a. Consequently, for about $2^{127.97+32} = 2^{159.97}$ (out of $2^{160}$) keys, our attack can recover the 160-bit key with $2^{70}$ data complexity and $2^{72.4}$ time complexity. For the remaining keys, our attack works with $2^{70}$ data complexity and at worst $2^{104.7}$ time complexity to recover all 160 bits of the key. Again, our attacks require negligible memory.

Complexity comparison with previous attacks. Table 1 gives a comprehensive comparison between our attacks and previous ones on the Ascon AEADs. As mentioned, the key-recovery attack on Ascon-80pq is the first in the nonce-respecting setting, so the following comparison focuses on the case of Ascon-128/Ascon-128a. Compared to Li et al.'s conditional cube attacks [LDW17], our techniques require a lower data complexity ($2^{70}$ versus $2^{77.2}$). The time complexity is $2^{72.4}$ for $2^{127.97}$ keys while theirs is $2^{77}$ for $2^{117}$ keys. While in the worst case the time complexity of our attacks ($2^{104.7}$) is slightly larger than theirs ($2^{103.9}$), this occurs only with a small probability of about $(2^{128} - 2^{127.97})/2^{128} \approx 2^{-6}$. Hence, we believe our attacks represent an important improvement over [LDW17].
Compared to Rohit et al.'s cube attacks [RHSS21], our techniques require a larger data complexity ($2^{70}$ versus $2^{64}$), but with a significantly lower time complexity ($2^{72.4}$ versus $2^{123}$ for almost all keys). Compared to Rohit and Sarkar's weak-key recovery attacks [RS21], our techniques under the weak-key setting work for a larger fraction of weak keys and require negligible memory, with comparable data/time complexity (considering attacks with a data complexity lower than $2^{64}$).
Outline of the paper. In Section 2, we introduce the notations and some necessary background knowledge. Section 3 gives a brief specification of the Ascon AEADs and discusses some of their useful properties. We describe our new conditional cube attacks on Ascon-128/Ascon-128a in Section 4 and on Ascon-80pq in Section 5. In Section 6, we discuss the assumption that our attacks rely on. Section 7 concludes this paper.

Preliminaries
Notations. Let $I$ be a set; we use $|I|$ to represent the size of $I$. Let $\mathbb{F}_2 = \{0, 1\}$ be the finite field with two elements and $f : \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function whose algebraic normal form (ANF) is $f(x) = \sum_{u \in \mathbb{F}_2^n} a_u x^u$, where $x = (x_0, \ldots, x_{n-1})$, $a_u \in \mathbb{F}_2$, and
Given a set $I \subseteq \{0, \ldots, n-1\}$ of indexes, $x[I]$ denotes the set of variables $\{x_i : i \in I\}$ and $x^I$ denotes the monomial $\prod_{i \in I} x_i$. $\mathrm{wt}(x)$ is the Hamming weight of $x$, i.e., the number of 1 bits in $x$. We use "+" to denote all kinds of additions (of integers, field elements, Boolean functions, etc.); the actual meaning of a specific instance should be clear from the context.
where each term of $q(x, k)$ misses some variables in $x[I]$. We call $x^I$ the cube term and $p_I(x[\bar{I}], k)$ the superpoly of $x^I$ in $f(x, k)$. If we set the variables in $x[\bar{I}]$ to some fixed constants, the superpoly $p_I(x[\bar{I}], k)$ is a Boolean function of $k$. Concerning the superpoly, we have the following lemma.

Lemma 1 ([DS09]). For a set $I \subseteq \{0, \ldots, n-1\}$ and a keyed Boolean function

According to Lemma 1, when $x[\bar{I}]$ is fixed to a constant, the value of $p_I(x[\bar{I}], k)$ can be derived by performing $2^{|I|}$ evaluations of $f$. Usually, a key-recovery attack based on the superpoly is called a cube attack. When the superpoly is zero, the cube sum is always zero, and the cube can then serve as a distinguisher, called a cube tester [ADMS09].
where $k$ is secret and $x$ is public. Since $k$ is an unknown constant, $a_u(k) \in \mathbb{F}_2$, we only consider the algebraic degree of $f$ in the public variable, i.e., [Tod15] as a generalization of integral cryptanalysis. Its bit-based variants [TM16] as well as their automatic search methods [XZBL16] have been found to have great potential in probing the structure of a Boolean function described as a sequence of compositions of Boolean functions whose overall ANF is too complicated to compute [TIHM17, WHT+18, WHG+19, HLM+20]. In particular, the bit-based division property can detect the presence or absence of a monomial in the target Boolean function, and therefore can be used to (partially) determine the algebraic structure of superpolies in cube attacks [TIHM17, WHT+18, WHG+19, HLM+20, HLLT20, HSWW20]. In fact, the division property has become a quite standard tool for assisting cube attacks (as well as integral attacks). In this work, we take the MILP (Mixed Integer Linear Programming) based approach [XZBL16] to search for division properties and calculate degree upper bounds.

Specification and Useful Properties of Ascon
At a high level, the Ascon AEAD algorithm takes as input a nonce $N$, a secret key $K$, associated data $A$ and a plaintext or message $M$, and produces a ciphertext $C$ and a tag $T$. The authenticity of the associated data and message can be verified against the tag $T$. Ascon adopts a MonkeyDuplex [Dae12] mode with stronger keyed initialization and keyed finalization phases, as illustrated in Figure 1. The underlying permutations $p^a$ and $p^b$ are iterative designs, whose round function $p$ is based on the substitution permutation network (SPN) design paradigm and consists of three simple steps $p_C$, $p_S$, and $p_L$. The round function $p = p_L \circ p_S \circ p_C$ operates on a 320-bit state arranged into five 64-bit words. The steps $p_C$, $p_S$, and $p_L$ are visualized in Figure 2 and described as follows.

Addition of constants ($p_C$). An 8-bit constant is XORed into bit positions $56, \ldots, 63$ of the 64-bit word $x_2$ at each round.
Figure 1: The high-level structure of the Ascon-AEAD.
Substitution layer ($p_S$). Update each slice of the 320-bit state by applying the 5-bit S-box defined by the algebraic normal forms in Figure 3.
Linear diffusion layer ($p_L$). Apply a linear transformation $\Sigma_i$ to each 64-bit word $x_i$ with $0 \le i < 5$, where $\Sigma_i$ is defined in Figure 3.
Notations for describing the Ascon permutation states. The 320-bit output state of the Ascon permutation after $r$ rounds is denoted by $S^{(r)}$, where $S^{(0)}$ is the input into the permutation. We also use $S^{(r.5)}$ to represent the half round $p_S \circ p_C(S^{(r)})$. Every state consists of 5 words, with bits $S^{(r)}_{i,j}$ where $0 \le i < 5$, $0 \le j < 64$, and $S^{(r)}_{0,0}$ is the leftmost bit of the first row of the state matrix $S^{(r)}$.
The adversary can only access the rate part of the Ascon AEADs. Our paper considers only the case where the first 64 bits of output are accessed, and thus our attack works for all three versions. Since the linear layer is applied to each row separately, we do not consider the linear layer of the last round. In other words, for 7-round Ascon AEAD, the output state we consider is actually $S^{(6.5)}$, which is equivalent to $S^{(7)}$ for the purposes of this paper.
Degree matrix of the Ascon permutation. In [HPTY22], Hu et al. introduced the degree matrix to describe and trace the changes of the algebraic degrees of the Ascon permutation states.
Definition 1 (Degree Matrix of $S^{(r)}$ [HPTY22]). The algebraic degrees (or their upper bounds) of the bits in the state $S^{(r)}$ are called a degree matrix of $S^{(r)}$, denoted by

Considering the ANF of the S-box and the diffusion layer of the Ascon permutation, given the degree matrix of $S^{(r)}$, we can quickly calculate the degree matrix of $S^{(r+1)}$ according to the following Lemmas 2 and 3.
The inputs to these distinguishers have a special initial structure (for convenience, we will use $\mathrm{IS}_{-1}$ as its shorthand): the first and second 64-bit nonce words are always equal and regarded as 64-bit cube variables, i.e.,

With $\mathrm{IS}_{-1}$, the upper bounds on the algebraic degrees of $S^{(r)}$ are calculated by the division properties [HLM+20, Tod15]. These upper bounds are given in Table 3. Therefore, the 7-round Ascon initialization can be distinguished with $2^{60}$ nonces, which is the best distinguisher for 7-round Ascon AEAD so far. As mentioned in the introduction, this distinguisher is unfortunately difficult to utilize in a key-recovery attack, as it does not satisfy the borderline cube properties [DEMS15]. To use it in a key-recovery attack, new techniques are necessary. We notice that the degrees in Table 3 heavily rely on the input structure of Equation 1, i.e., $\mathrm{IS}_{-1}$. Therefore, we take a break-fix strategy to turn this distinguisher into a key-recovery attack on 7-round Ascon.

Table 3: Algebraic degrees or their upper bounds of Ascon in cube variables with the structure $\mathrm{IS}_{-1}$, derived from the division properties [RHSS21]. Note that in [RHSS21] the degrees are given for $S^{(r)}$ ($2 \le r \le 7$), while here we focus on $S^{(r.5)}$ ($1 \le r \le 6$). (Columns: Round $r$; Degrees of words.)

Phase 1: Break
We introduce 64 new initial structures $\mathrm{IS}_j$, $0 \le j < 64$, for the nonce, each of which is slightly adapted from Equation 1,

Note that for a specific $\mathrm{IS}_j$ where $0 \le j < 64$, the two nonce bits $S^{(0)}_3[j]$ and $S^{(0)}_4[j]$ are set to different forms, which breaks $\mathrm{IS}_{-1}$. Such a break has an effect on the degrees of the Ascon initialization. With a similar modeling strategy to [RHSS21], we use the MILP-based division properties [XZBL16] to calculate the degrees of the states after $r.5$ ($0 \le r \le 6$) rounds. The results are provided in Table 4.
Comparing Table 3 and Table 4, we find that the degrees resulting from $\mathrm{IS}_j$ ($0 \le j < 64$) are in general larger than those from $\mathrm{IS}_{-1}$. The differences between the two tables are actually all due to the differences in the first two rounds (this will be stated precisely by Proposition 2 later). We analyze the reason for the difference in the first and second rounds. According to the ANFs of the Ascon S-box, the structure $\mathrm{IS}_{-1}$, which requires $S^{(0)}_{3,i} = S^{(0)}_{4,i}$, makes $S^{(1)}_{2,i}$ and $S^{(1)}_{3,i}$ independent of any nonce bits, for $0 \le i < 64$. In other words, the algebraic degrees of the 128 bits of $S^{(1)}_2$ and $S^{(1)}_3$ are all zero. Note that all quadratic terms of the second ANF of the S-box ($y_1$ in the left part of Figure 3) involve $x_2$ or $x_3$; thus, for $\mathrm{IS}_{-1}$, the degrees of all 64 bits of $S^{(1.5)}_1$ are still 1.

Table 4: Algebraic degrees of Ascon in cube variables with the structure $\mathrm{IS}_j$ ($0 \le j < 64$), derived from the division properties. "x/y" means that the degrees of some bits of that word are $x$ and others are $y$. (Columns: Round $r$; Degrees of words.)

However, for a specific $\mathrm{IS}_j$ ($0 \le j < 64$), we have $S^{(0)}_{3,j} = S^{(0)}_{4,j} + 1$; thus one nonce bit remains in $S^{(0.5)}_{2,j}$, making the degree of $S^{(0.5)}_{2,j}$ equal to 1. After the diffusion layer, this 1-degree bit spreads to 3 positions. Therefore, the $p_S$ of the second round multiplies these three 1-degree bits with the existing ones, leading to three 2-degree bits in $S^{(1.5)}_1$. An illustration for the case of $\mathrm{IS}_0$ is given in Figure 4.
As a result, the degree upper bounds after 7 rounds are 59 for $\mathrm{IS}_{-1}$ and 60 for $\mathrm{IS}_j$ ($0 \le j < 64$), so we can use this gap to mount a conditional cube attack.
Remark. There are more ways to break $\mathrm{IS}_{-1}$, e.g.,

where $(x, y) \in \{(v_i, 0), (0, v_i), (v_i, v_i + 1)\}$. We tried all of them and found that Equation 2 is the one that requires the fewest key conditions for the attack.

Phase 2: Fix
Figure 4: Algebraic degrees of bits in $S^{(0.5)}$ and $S^{(1.5)}$ resulting from $\mathrm{IS}_0$. For the other $\mathrm{IS}_j$ ($1 \le j < 64$), similar results can be obtained by rotating the bits.

In this phase, our task is to identify key conditions that can reset the degrees of $S^{(6.5)}$ back to 59. The differences between the two tables first appear in the first round (see the top part of Figure 4). For $\mathrm{IS}_j$ ($0 \le j < 64$), the degree of $S^{(0.5)}_{2,0}$ is 1. Denote the 128-bit key loaded into
which means the degree of $S^{(0.5)}_{2,j}$ cannot be controlled by any key conditions. We have to handle the second round. In the second round, the algebraic degrees of $S^{(1.5)}_1$ can be 2 for $\mathrm{IS}_j$ ($0 \le j < 64$) whereas they are always 1 for $\mathrm{IS}_{-1}$, so if we can reset the algebraic degrees of $S^{(1.5)}_2$ to 1, the degrees of $S^{(6.5)}_0$ will return to 59. This is guaranteed by the following proposition.
Proof. Note that the $p_C$ operation does not influence the degree matrix of a state in this case. The proposition can be proved by a direct application of Lemmas 2 and 3.
We take $\mathrm{IS}_0$ as an example. The bottom part of Figure 4 gives the concrete algebraic degrees of the $S^{(1.5)}$ bits resulting from $\mathrm{IS}_0$. It can be seen that there are three 2-degree bits in $S^{(1.5)}_1$. The ANFs of these three 2-degree bits when $j = 0$ are

where $L_i(\cdot)$ for $i = 0, 1, 6$ are three linear functions. To reset the algebraic degrees of the three 2-degree bits to 1, we need to eliminate all the quadratic terms in $S^{(1.5)}_{1,0}$, $S^{(1.5)}_{1,1}$ and $S^{(1.5)}_{1,6}$. For other $j \in \{0, \ldots, 64\}$, the situation is similar. We list all their quadratic terms in Table 5. Note that due to the $p_C$ in the first round, 4 key coefficients have constant 1 terms (the constant for the first round is 0xf0, so 4 key coefficients are affected); they have no influence on our analysis (actually, we can even completely ignore the $p_C$ in the first round with an equivalent-key technique).
According to Tables 3 and 4, if all these quadratic terms are canceled, the degree of 7-round Ascon is 59; otherwise, the degree is 60. Therefore, the dimension of the cube we choose in our attack should be 60. In other words, 4 cube variables will be set as constants. Concretely, if we set any four out of the 8 cube variables (the indices are taken modulo 64) to zero and construct a 60-dimensional cube, we can use this cube to test whether the corresponding four key coefficients are all zero. Taking the above $j = 0$ as an example again, if we set $v_3 = v_{25} = v_1 = v_4 = 0$, we derive a 60-dimensional cube with the remaining cube variables $v_i$ ($i \in \{0, \ldots, 63\} \setminus \{3, 25, 1, 4\}$). Then, if the cube tester on 7-round Ascon is zero, we determine that

For the sake of a clear description, we introduce the definitions of key set and good/bad key set.
Definition 2 (Key Set and Good/Bad Key Set). Given a 128-bit key, we call the 8 key coefficients in Table 5 derived from a specific $\mathrm{IS}_j$ ($0 \le j < 64$) the $j$-th key set (KS). A KS that contains at least four zero key coefficients is called a good key set (GKS); otherwise it is a bad key set (BKS).
When a KS is good, we can detect the four zero key coefficients by testing at most $\binom{8}{4} = 70$ different 60-dimensional cube testers as described above. Once we have detected a GKS and know the four zero key coefficients, it is easy to use the four known key coefficients to recover the remaining four key coefficients. Taking Equation 3 as an instance, if $k_3 + k_{67}$, $k_{25} + k_{89}$, $k_1 + k_{65}$ and $k_4 + k_{68}$ are zero and we have detected them with a cube that satisfies $v_{26} = v_6 = v_9 = v_{31} = 0$, we can observe the cube sum of the cube tester resulting from $\mathrm{IS}_j$ ($0 \le j < 64$). Note that some key coefficients have a constant 1 term caused by the $p_C$ of the first round, but they do not influence our analysis.

Table 5 (columns: Settings; Quad. bits; Quad. terms; Key Coef.)

To conclude, if a KS is good, we can use (at most) 70 60-dimensional cube testers to recover all its 8 key coefficients. In our attack, we try 70 cube testers for each of the 64 KS to recover the keys in the good ones. Thus, in total we need to conduct $64 \times 70 = 4{,}480$ different cube testers.
The whole attack process is summarized in Algorithm 1. In this algorithm, we first compute all $64 \times \binom{8}{4} = 4{,}480$ cubes and derive their cube sums. If a cube sum is zero, then we know the corresponding 4 key coefficients are all zero (Line 9). Otherwise, $(0, 0, 0, 0)$ is not considered as a candidate for them. Moreover, if we know that four key coefficients are not all zero but three of them are known to be zero, then we determine the remaining one to be 1 (Line 15). In the exhaustive search phase, for the undetermined key-coefficient tuples, we already know they cannot be all zero. Since for each $\mathrm{IS}_j$, $0 \le j < 64$, the data complexity is at most $2^{64}$, the whole data complexity is $2^{64} \times 64 = 2^{70}$ chosen nonces. The time complexity depends on the time complexity of the exhaustive search phase (denoted by $T_e$) as

The memory complexity is negligible.
Note that this attack works under the assumption that, before the fixing process, the algebraic degree of 7-round Ascon is indeed 60 and the cube sum is not highly biased. The assumption is stated as Assumption 1.
Assumption 1. The cube sum of a 60-dimensional cube that satisfies $\mathrm{IS}_j$ ($0 \le j < 64$) is not zero when the corresponding four coefficients are not all zero.

Algorithm 1
        Construct the cube with the structure $\mathrm{IS}_j$ (Equation 2)
        for 4 variables from $\{v_{j+3}, v_{j+25}, v_{j+1}, v_{j+4}, v_{j+26}, v_{j+6}, v_{j+9}, v_{j+31}\}$ do   ▷ $\binom{8}{4}$ choices
 6:         Derive the 60-dimensional cube by setting the 4 selected variables to 0
 7:         Compute the cube sum of this cube
 8:         if the cube sum is 0 then
 9:             Add the corresponding 4 key coefficients into K
15:     Check every 4-tuple in N to see if 3 of its elements have appeared in some 4-tuple in K. If so, determine the value of the last key coefficient as 1 and remove the 4-tuple from N
16:     Brute-force search the unknown key information; for the 4-tuples in N, $(0, 0, 0, 0)$ should not be considered   ▷ exhaustive search
17:     return the 128-bit key
18: end procedure

A detailed discussion of this assumption will be given in Section 6.

Time Complexity Analysis
Obviously, we want the complexity of the exhaustive search to be significantly smaller than $2^{72.1}$. Equivalently, we need to recover more than $128 - 72.1 = 55.9$ bits of key information from Algorithm 1. For simplicity, in the following we study the probability of the event that we can recover 58 bits of key information from Algorithm 1 (in this case, the whole time complexity is $T = 2^{72.1} + 2^{128-58} \approx 2^{72.4}$).
To this end, we need to study: (1) the distribution of the number of GKS, as it directly influences the key information we obtain; (2) the fact that some KS may contain linearly dependent key coefficients. For example, the two KS from $\mathrm{IS}_0$ and $\mathrm{IS}_2$ both contain the key coefficient $k_3 + k_{67}$. Thus, we also need to estimate how many GKS we need to accumulate sufficiently many independent key coefficients.
The distribution of the number of GKS. Let $x_i$ for $0 \le i < 64$ be a random variable satisfying

and let $X = \sum_{i=0}^{63} x_i$ be the random variable representing the number of GKS. Our task is to find a proper distribution for $X$.
From the plot in Figure 5, we observe that the points form a curve that is very similar to the normal distribution but with a small skewness. Thus, we use a skew-normal distribution to describe $X$, denoted by $SN(\xi, \eta, \lambda)$.
The skew-normal distribution is a relatively new distribution. In [Azz85], Azzalini introduces the skew-normal class as one able to reflect varying degrees of skewness, which is mathematically tractable and which includes the normal distribution as a special case. A random variable $Z$ that follows a standard skew-normal distribution with parameter $\lambda$ (called the shape parameter) is denoted by $Z \sim SN(\lambda)$. The density is of the form

where $\phi(\cdot)$ and $\Phi(\cdot)$ denote the standard normal density and distribution functions, respectively. The case $\lambda = 0$ corresponds to the standard normal distribution. The standard skew-normal distribution can be generalized by the inclusion of location and scale parameters, denoted by $\xi$ and $\eta$ respectively. Thus, if $Z \sim SN(\lambda)$, $Y = \xi + \eta Z$ is a random variable that follows $SN(\xi, \eta, \lambda)$.

Figure 6: The probability for the number of KS we need for 58 independent key coefficients. When $g = 20$, the probability is already 0.991.
Next, we estimate the parameters $\xi, \eta, \lambda$ of the skew-normal distribution for our case. On the one hand, according to [Azz85], for a random variable $Y \sim SN(\xi, \eta, \lambda)$, the first three moments of $Y$ are:

The coefficient of skewness for $Y$ is the same as that for $Z$, namely,

On the other hand, since $X = \sum_{i=0}^{63} x_i$ and the expectation of $x_i$ is

The worst case. When we cannot obtain 58 bits of key information from Algorithm 1, the time complexity increases. For simplicity, we directly calculate the time complexity for the worst case, i.e., there is no GKS for the secret key. When a KS is not good, we know that no four of its key coefficients can be zero simultaneously. Thus, $\sum_{i \ge 4} \binom{8}{i} = 163$ out of all 256 possibilities can be excluded. We only need to search the remaining key values by brute force. Testing $2^{32}$ randomly chosen 128-bit keys, we detected 420 keys that lead to this worst case. Thus, the fraction of such keys is about $2^{-23.3}$. In other words, if none of the KS are good, we know that only $2^{128-23.3} = 2^{104.7}$ keys are possible candidates. Therefore, the time complexity of the worst case is about $2^{104.7}$.

Weak-Key Attacks Satisfying the Data Limitation
The designers of Ascon have established the following security claim: "The number of processed plaintext and associated data blocks protected by the encryption algorithm is limited to a total of $2^{64}$ blocks per key ..." ([DEMS21, Chapter 2, Page 9]). Consequently, the maximal number of nonces we can use should be limited to $2^{64}$. While at the present stage we should encourage attacks even if they do not comply with this restriction, to gain a better understanding of Ascon's security features, it is also valuable to explore whether an attack can be adapted to meet this requirement whenever possible. We provide two kinds of attacks on Ascon, both of which satisfy the data limit.
Weak-key attack 1. Let us focus on only one certain $\mathrm{IS}_j$. If four coefficients of its key set are zero, we can recover the values of all 8 key coefficients. For one $\mathrm{IS}_j$, the data complexity is $2^{64}$, so this satisfies the data limit. The time complexity of this attack is dominated by the exhaustive search process, which is $2^{120}$ Ascon initializations. The above event happens with probability $\sum_{i \ge 4} \binom{8}{i}/256 \approx 0.63$; thus the size of the weak-key space is about $2^{128} \times 0.63 \approx 2^{127.3}$.

Weak-key attack 2. When we know that three key coefficients in a key set are zero, we can combine the three with another one in the same key set to obtain the value of the latter by conducting a corresponding cube tester.
When $j = 0$, the 8 key coefficients in the key set are

When $j = 2$, the 8 key coefficients are

Hence, there are three common key coefficients in the two key sets. As a result, for the following key space of size $2^{125}$, we can do 10 cube testers to recover the other 10 key coefficients in the two key sets for $j \in \{0, 2\}$. The remaining 115 bits of key information can be recovered by an exhaustive search. The data and time complexities of this attack are $10 \times 2^{60} \approx 2^{63.2}$, which is less than the data limit $2^{64}$. Compared with Rohit and Sarkar's key-recovery attacks under the weak-key setting [RS21], our attack works for a significantly larger weak-key space ($2^{127.3}/2^{125}$ versus $2^{116.34}$).

Once the 32-bit key is recovered, the previous conditional cube attack on Ascon-128 and Ascon-128a in Section 4 can be used to recover the remaining 128 key bits $k_0, \ldots, k_{127}$.
To attack Ascon-80pq, we also take advantage of the 60-dimensional cube distinguisher of $\mathrm{IS}_{-1}$ with the break-fix strategy.

Phase 1: Break
32 new structures $\mathrm{IS}'_j$ ($32 \le j < 64$) are introduced to break $\mathrm{IS}_{-1}$ as follows (we prefer $32 \le j < 64$ rather than $0 \le j < 32$ to match the positions of the 32-bit key in the first word),

According to the ANFs of Ascon's S-box, the ANF of the 4th output bit is

For $\mathrm{IS}_{-1}$ where $x_3 = x_4$, both $x_3$ and $x_4$ are canceled, always leaving the degree of $y_3$ equal to 0. However, for $\mathrm{IS}'_j$ ($32 \le j < 64$) where $x_4$ is set to 0 for the $j$th S-box, there is a term $x_3(x_0 + 1)$ in the 4th output bit of the $j$th S-box. The ANF of this output bit of the $j$th S-box is then

Thus, the value of $k'_j$ directly controls the degree of $S^{(0.5)}_{3,j}$. After the diffusion layer, this bit spreads to another 3 positions, and is multiplied by the $p_S$ of the second round with other 1-degree bits, causing some 2-degree bits. With a similar division property model to [RHSS21], we calculate the degrees for Ascon-80pq with $\mathrm{IS}'_j$, which are shown in Table 6.
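As an added example (not code from the paper, whose degree bounds are obtained with a MILP division-property model), the following Python evaluates one column of the first S-box layer symbolically for the three nonce structures discussed in this paper, $\mathrm{IS}_{-1}$ and $\mathrm{IS}_j$ from Section 4 and $\mathrm{IS}'_j$ above, and uses the cube sum of Lemma 1 to show that the superpoly of the cube bit $v$ in the fourth output bit under $\mathrm{IS}'_j$ is $k'_j + 1$. The names c0, c1, c2, v and all function names are assumptions of this example.

```python
"""Added example (not the paper's code).  One column j of the first S-box layer is
evaluated symbolically to check the Phase-1 'break' observations at the S-box level.

Assumed variable names: c0, c1, c2 are the upper three S-box inputs at column j
(for Ascon-128, c0 is an IV bit and c1, c2 are key bits; for Ascon-80pq with
32 <= j < 64, c0 is the key bit k'_j) and v is the nonce cube variable.
The round constant p_C is omitted: it only flips c2, which changes no degree in v."""
from itertools import product

VARS = ("c0", "c1", "c2", "v")

def ascon_sbox(x0, x1, x2, x3, x4):
    """ANF of the Ascon 5-bit S-box (Ascon v1.2 specification), inputs as 0/1 ints."""
    y0 = (x4 & x1) ^ x3 ^ (x2 & x1) ^ x2 ^ (x1 & x0) ^ x1 ^ x0
    y1 = x4 ^ (x3 & x2) ^ (x3 & x1) ^ x3 ^ (x2 & x1) ^ x2 ^ x1 ^ x0
    y2 = (x4 & x3) ^ x4 ^ x2 ^ x1 ^ 1
    y3 = (x4 & x0) ^ x4 ^ (x3 & x0) ^ x3 ^ x2 ^ x1 ^ x0
    y4 = (x4 & x1) ^ x4 ^ x3 ^ (x1 & x0) ^ x1
    return (y0, y1, y2, y3, y4)

# Nonce structures at column j: (x3, x4) as functions of the cube bit v.
STRUCTURES = {
    "IS_-1": lambda v: (v, v),      # both nonce words equal (Equation 1)
    "IS_j":  lambda v: (v ^ 1, v),  # S3[j] = S4[j] + 1 (Equation 2, Section 4)
    "IS'_j": lambda v: (v, 0),      # S4[j] = 0 (Ascon-80pq, Section 5)
}

def truth_table(structure, out):
    """Value of S-box output `out` for every assignment of (c0, c1, c2, v)."""
    table = {}
    for c0, c1, c2, v in product((0, 1), repeat=4):
        x3, x4 = STRUCTURES[structure](v)
        table[(c0, c1, c2, v)] = ascon_sbox(c0, c1, c2, x3, x4)[out]
    return table

def anf(table):
    """Moebius transform: truth table -> set of monomials, each a frozenset of names."""
    monomials = set()
    for u in product((0, 1), repeat=4):
        # a_u is the XOR of f(x) over all x that are bitwise below u
        coeff = 0
        for x, fx in table.items():
            if all(xi <= ui for xi, ui in zip(x, u)):
                coeff ^= fx
        if coeff:
            monomials.add(frozenset(n for n, ui in zip(VARS, u) if ui))
    return monomials

def superpoly(structure, out, cube=("v",)):
    """Coefficient of the cube term x^I (here I = {v}) in the output ANF."""
    cube = frozenset(cube)
    return {m - cube for m in anf(truth_table(structure, out)) if cube <= m}

def degree_profile(structure):
    """Degree in v of y0..y4: 1 if the superpoly of v is non-zero, else 0."""
    return tuple(1 if superpoly(structure, out) else 0 for out in range(5))

def cube_sum(structure, out, c0, c1, c2):
    """Lemma 1: XOR of the output over the cube {v} equals the superpoly at (c0, c1, c2)."""
    total = 0
    for v in (0, 1):
        x3, x4 = STRUCTURES[structure](v)
        total ^= ascon_sbox(c0, c1, c2, x3, x4)[out]
    return total

if __name__ == "__main__":
    for name in STRUCTURES:
        print(f"{name:6} degrees of y0..y4 in v: {degree_profile(name)}")
    # y2 and y3 lose v under IS_-1; IS_j puts v back into y2, IS'_j into y3
    print("IS'_j superpoly of v in y3:", superpoly("IS'_j", 3))  # {c0} and {} : c0 + 1
    for kj in (0, 1):  # the cube sum of y3 reveals the first-word key bit k'_j
        s = cube_sum("IS'_j", 3, kj, 0, 0)
        print(f"k'_j = {kj} -> cube sum of y3 = {s}")
```

The degree profiles reproduce the first-round observations of Sections 4 and 5 (rows 2 and 3 nonce-free under $\mathrm{IS}_{-1}$, row 2 regaining degree 1 under $\mathrm{IS}_j$, row 3 under $\mathrm{IS}'_j$); the later rounds still need the division-property model.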

Phase 2: Fix
For $\mathrm{IS}'_j$ ($32 \le j < 64$), if we reset the degree of $S^{(0.5)}_{3,j}$ to 0, the degrees of $S^{(6.5)}_0$ will return to 59. This is guaranteed by the following proposition,

are recovered.
Note that the concrete IV bits only contribute to the constant terms and do not appear in the coefficients of the maximal-degree cube variables in the first and second rounds, so they do not affect our attack in Section 4 on Ascon-128/Ascon-128a. Consequently, after recovering the 32-bit key in the first word, we apply Algorithm 1 to recover the remaining 128-bit key in the second and third words of the initial state.
Complexity. Since the recovery of the 32-bit key in the first word is a completely independent process which costs only $32 \times 2^{60} = 2^{65}$ in data and time, the main part of the complexity is determined by the recovery phase of the remaining 128-bit key. Thus, the data and time complexities are the same as those of the attacks on Ascon-128/Ascon-128a in Section 4. In other words, for $2^{32+127.97} = 2^{159.97}$ keys, the data and time complexities are $2^{70}$ and $2^{72.4}$, respectively. In the worst case, the time complexity can be as large as $2^{104.2}$. The memory cost is negligible.

Discussions on Assumptions in Our Attacks
Our attacks in Sections 4 and 5, like all previous conditional cube attacks, rely on some common assumptions. In our case, the assumption for the 7-round Ascon initialization is summarized in Assumption 1.
This assumption concerns how complex the superpolies of the cubes are. In our attacks on 7-round Ascon, the superpolies are the coefficients of the corresponding 60-degree cube terms, so, unfortunately, this assumption is hard to verify in practice due to the huge complexity (verifying it requires several $2^{60}$ Ascon initializations). Therefore, we test the validity of Assumption 1 for 5 and 6 rounds of Ascon. Although the experiments show that the assumption is not perfect for 5- and 6-round Ascon, we observe a clear trend that the likelihood of Assumption 1 grows sharply as the number of rounds increases, which gives us confidence that it still has a decent chance of being valid for 7 rounds.

Experiments on 5 and 6 Rounds of Ascon
According to Tables 3 and 4, the degree upper bounds for 5 rounds are 15 and 16 (some bits of $S^{(4.5)}_1$ have degree 16), and for 6 rounds are 30 and 31, for $IS_{-1}$ and $IS_j$, $0 \le j < 64$, respectively. According to the degree details of $S^{(1.5)}$ shown in Figure 4 and the ANFs of the three 2-degree bits given in Equation 3, if we set $v_{26}, v_6, v_9, v_{31}$ as constants whereas $v_0, v_1, v_3, v_{25}, v_4$ as variables, the degrees of the 5- and 6-round outputs are determined by the values of $k_1 + k_{65}$, $k_3 + k_{67}$, $k_{25} + k_{89}$, and $k_4 + k_{68}$.
If the four key coefficients are all zero, the 5-round degree is 15 and the 6-round degree is 30; otherwise, the degree can be 16 and 31 for 5 and 6 rounds, respectively.
To check the validity of Assumption 1 for 5- and 6-round Ascon, we randomly generate 100 keys where the four values $k_1 + k_{65}$, $k_3 + k_{67}$, $k_{25} + k_{89}$, and $k_4 + k_{68}$ are not zero. Then, we generate the cube by taking all different values of
where $j_n = 16 - 5$ for 5-round Ascon and $j_n = 31 - 5$ for 6-round Ascon, and letting the remaining variables be constants for each of the 100 keys. If Assumption 1 works well, the cube sums for the 100 experiments will be non-zero.
For 5-round Ascon, unfortunately, all 100 cube sums are zero. Therefore, Assumption 1 is definitely not valid for 5-round Ascon, and the cube distinguisher cannot be turned into a key-recovery attack by our break-fix strategy for 5 rounds. For 6-round Ascon, 54 experiments lead to non-zero cube sums, which means that Assumption 1 holds with some probability for 6-round Ascon.
What about the case of 7-round Ascon? Although Assumption 1 is still not good for 6-round Ascon, it has become much better than in the 5-round case: in the 5-round experiments, all 100 experiments lead to zero cube sums, while in the 6-round experiments, more than half of the experiments succeed. This is not a coincidence. The cube sum is the value of the superpoly of the cube term, i.e., the coefficient of the product of the cube variables. Thus, it is natural that as the number of rounds grows, the superpolies become more and more random. As the dimension of the cubes used in our attacks is 60, we cannot practically verify Assumption 1 for 7-round Ascon. However, the results of our experiments on 5 and 6 rounds of Ascon show a clear trend that Assumption 1 becomes more and more promising as the number of rounds increases.
The validity of Assumption 1 is crucial for the success of our attack on 7-round Ascon, while all cube-like attacks rely on similar assumptions (except for some with small cubes that can be verified by experiments). In the most extreme case, where there is no GKS, we need all 4,480 cubes in our attacks to lead to non-zero cube sums. To this end, suppose that the probability for a cube sum to be zero when the four corresponding key coefficients are not all zero is smaller than $p$; then all 4,480 cube sums are non-zero with probability about $(1 - p)^{4480}$. For $p = 2^{-20}$, $(1 - p)^{4480} \approx 0.996$, which shows that the success probability is close to 1. Note that if we assume that 7-round Ascon is ideal, $p$ should be $2^{-64}$, so we believe that $p = 2^{-20}$ is not an overly harsh condition.

Key-Recovery Attack on 6-Round Ascon
Note that in our 100 experiments for 6-round Ascon, more than half of them lead to non-zero cube sums. Thus, our break-fix strategy can be used to perform a key-recovery attack on 6-round Ascon. These experiments show that our break-fix strategy is useful as long as Assumption 1 is not entirely wrong. In this subsection, we describe this attack and verify it in practice.
According to Tables 3 and 4, the degree upper bounds for 6 rounds are 30 and 31 for $IS_{-1}$ and $IS_j$, $0 \le j < 64$, respectively. We take $IS_0$ as an example. The degree details of $S^{(1.5)}$ have been shown in Figure 4, and the ANFs of the three 2-degree bits are given in Equation 3. Therefore, if we set $v_3, v_{25}, v_4, v_{26}, v_6, v_9, v_{31}$ as constants whereas $v_0$ and $v_1$ as variables, the degree of the 6-round output is determined by the value of $k_1 + k_{65}$. If $k_1 + k_{65} = 0$, then the 6-round degree is 30; otherwise, the degree is 31. As a result, we perform the following experiments to recover $k_1 + k_{65}$.
2. Prepare a cube where $v_0$, $v_1$ and $v_{j_0}, v_{j_1}, \ldots, v_{j_{28}}$ take all possible values and the remaining cube variables are set as random constants.
3. Apply the 6-round Ascon initialization to every element of the cube and XOR the results to obtain the cube sum.
If the cube sum is non-zero, $k_1 + k_{65} = 1$; otherwise $k_1 + k_{65} = 0$. Due to the rotational property of the Ascon state, we can perform the above process for all $IS_j$ to recover $k_{j+1} + k_{64+j+1}$.
What's more, for $IS_j$, we can recover keys by setting another set of 7 cube variables from $v_{j+1}, v_{j+3}, v_{j+25}, v_{j+4}, v_{j+26}, v_{j+6}, v_{j+9}, v_{j+31}$ to be constants. For example, if we choose $v_j, v_{j+3}$ together with 29 variables chosen from $\{v_0, \ldots, v_{63}\} \setminus \{v_j, v_{j+1}, v_{j+3}, v_{j+25}, v_{j+4}, v_{j+26}, v_{j+6}, v_{j+9}, v_{j+31}\}$ as cube variables and the remaining variables as constants, the cube sums will reflect the value of $k_{j+3} + k_{j+67}$. Obviously, in total we have 8 opportunities to recover $k_j + k_{j+64}$ by setting different variables as constants. Thus, we repeat the above attack process 8 times, each of which uses $v_0, v_j, v_{j_0}, \ldots, v_{j_{29}}$ as cube variables and the remaining as constants. Also, we can try $s$ different choices of $v_{j_0}, \ldots, v_{j_{29}}$ to increase the precision of the key-recovery attack. If $k_j + k_{j+64}$ is found to be 1 in any of the $8s$ experiments, $k_j + k_{j+64}$ is recognized as 1; otherwise, it is recognized as 0.
The whole time complexity (to recover the 64 key coefficients) of this attack is $2^{31} \times 64 \times 8 \times s = 2^{40} s$ 6-round Ascon initializations. We performed this attack in practice for 100 random keys. When setting $s = 2^3$, the 64 bits of information $k_j + k_{j+64}$ were recovered successfully for all 100 keys. The code for the experiments is given in the git repository: https://github.com/hukaisdu/Ascon_6R_Experiments.git

Discussion on the 7-round attack. Similar to the 6-round case, whenever Assumption 1 is not entirely wrong, it is useful for the key-recovery attack on 7-round Ascon. For the 7-round attack, when we choose 60 cube variables, the remaining 4 variables are set as constants. These 4 variables are actually related to 8 nonce bits, and different values of these 8 nonce bits affect the values of the cube sums (note that two constant nonce bits $n_i$ and $n_{i+64}$ should not be equal, otherwise they will not affect the cube sum). As a result, we can repeat the attack process with different constant values to increase the success probability at the cost of increased data and time complexity. Suppose we repeat the attack with 16 different values of these 8 nonce bits, and the cube sum is zero with probability 0.5 (0.5 comes from the 6-round experiment, which should be reasonable considering the trend). Then, the probability that all 16 experiments lead to a zero cube sum is only $2^{-16}$. In our worst case, where all 4,480 cubes should lead to non-zero cube sums, the probability is $(1 - 2^{-16})^{4480} \approx 0.93$. That is to say, we can increase the success probability to 0.93 at the cost of increasing the data/time complexity by a factor of 16. In this case, the complexity is still better than that of [LDW17].
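The two effects the sections above rely on, the one-round S-box behaviour behind the break and fix phases (a variable placed in both nonce rows vanishes from rows 2 and 3, while the key-dependent coefficients $k_i$, $k_i + 1$ and $k_i + k_{64+i}$ survive in the other rows; breaking one column lets it re-enter row 3 with a coefficient controlled by the row-0 bit) and the cube-sum procedure of the 6-round experiment, can be checked at toy scale with the following added example. It is not code from the paper or the Ascon project; it implements the public Ascon permutation and Ascon-128 initialization in Python. Assumptions, labelled in the code: bit $i$ of a 64-bit state word is column $i$ (so $v_i$ occupies bit $i$ of nonce rows 3 and 4), an $r$-round reduction uses the first $r$ constants of $p^{12}$, and the "broken" column is modelled simply as $x_3 = v$, $x_4 = 0$ with the Ascon-128 IV in row 0 (in Ascon-80pq part of that row holds the key bits $k'_j$ the paper recovers).

```python
"""Added example (not code from the paper or the Ascon project): reduced-round
Ascon-128 initialization and cube sums over the paper's IS_{-1} structure.
Assumptions: bit i of a 64-bit word is column i (v_i lives in bit i of nonce
rows 3 and 4); an r-round reduction uses the first r round constants of p^12."""

MASK = (1 << 64) - 1
ASCON128_IV = 0x80400C0600000000                       # public Ascon-128 IV
ROUND_CONSTANTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5,
                   0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]
ROTATIONS = {0: (19, 28), 1: (61, 39), 2: (1, 6), 3: (10, 17), 4: (7, 41)}


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK


def ascon_round(s, c):
    """One round p = p_L o p_S o p_C of the public Ascon permutation."""
    x0, x1, x2, x3, x4 = s
    x2 ^= c                                            # p_C: constant into row 2
    x0 ^= x4; x4 ^= x3; x2 ^= x1                       # p_S: bit-sliced S-box
    t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3; t3 = ~x3 & x4; t4 = ~x4 & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
    rows = [x0, x1, x2, x3, x4]
    for i, (a, b) in ROTATIONS.items():                # p_L: row-wise diffusion
        rows[i] ^= rotr(rows[i], a) ^ rotr(rows[i], b)
    return rows


def reduced_init(key, nonce, rounds):
    """State after `rounds` rounds of the Ascon-128 initialization permutation."""
    s = [ASCON128_IV, key >> 64, key & MASK, nonce >> 64, nonce & MASK]
    for r in range(rounds):
        s = ascon_round(s, ROUND_CONSTANTS[r])
    return s


def cube_sum(key, base_nonce, cube, rounds):
    """XOR of the reduced-round state over all 2^d assignments of d cube variables.

    `cube` lists (column, rows): the variable for that column is written into
    nonce row 3 (n_col) and/or row 4 (n_{col+64}).  rows=(3, 4) on every column
    is the IS_{-1} structure; rows=(3,) leaves n_{col+64} at its base value."""
    acc = [0] * 5
    for a in range(1 << len(cube)):
        n0, n1 = base_nonce >> 64, base_nonce & MASK
        for bit, (col, rows) in enumerate(cube):
            v = (a >> bit) & 1
            if 3 in rows:
                n0 = (n0 & ~(1 << col) & MASK) | (v << col)
            if 4 in rows:
                n1 = (n1 & ~(1 << col) & MASK) | (v << col)
        for row, word in enumerate(reduced_init(key, (n0 << 64) | n1, rounds)):
            acc[row] ^= word
    return acc


def is_minus_one_cube(cols):
    return [(c, (3, 4)) for c in cols]


def degree_bound(rounds):
    """With at most one variable per column the first round is affine in the
    cube variables, so r rounds have degree at most 2^(r-1); any cube of
    larger dimension therefore sums to zero in every state bit."""
    return 1 << (rounds - 1)


def spread(row, word):
    """Push a post-S-box coefficient pattern through row `row` of p_L."""
    a, b = ROTATIONS[row]
    return word ^ rotr(word, a) ^ rotr(word, b)


def predicted_derivative(key, col, broken=False):
    """Coefficient of v_col in every row after ONE round, read off the S-box ANF.
    IS_{-1} (x3 = x4 = v): rows 2 and 3 lose v; rows 0, 1, 4 keep it with
    coefficients k_i+1, k_i+k_{64+i}+c_i and k_i (c = first round constant).
    broken (x3 = v, x4 = 0, a toy model of the paper's IS'_j idea): v re-enters
    row 3 with coefficient x0+1; x0 is the IV bit here, a key bit in Ascon-80pq."""
    k_i = (key >> (64 + col)) & 1                      # row 1 holds k_0..k_63
    k_64i = (key >> col) & 1                           # row 2 holds k_64..k_127
    c_i = (ROUND_CONSTANTS[0] >> col) & 1
    iv_i = (ASCON128_IV >> col) & 1
    if not broken:
        return [spread(0, (k_i ^ 1) << col), spread(1, (k_i ^ k_64i ^ c_i) << col),
                0, 0, spread(4, k_i << col)]
    return [spread(0, 1 << col), spread(1, (k_i ^ k_64i ^ c_i ^ 1) << col),
            0, spread(3, (iv_i ^ 1) << col), spread(4, 1 << col)]


if __name__ == "__main__":
    KEY = 0x0123456789ABCDEF0011223344556677            # constructed sample key
    for col in (0, 4):                                  # k_0 = 1, k_4 = 0
        d = cube_sum(KEY, 0, is_minus_one_cube([col]), 1)
        print(f"v_{col}: row-4 derivative is {'non-zero' if d[4] else 'zero'}")
    # five IS_{-1} variables exceed the 3-round bound degree_bound(3) == 4
    print(cube_sum(KEY, 0, is_minus_one_cube([0, 13, 27, 40, 58]), 3))
```

The one-round derivatives are the toy counterpart of the key conditions: whether $v_i$ survives into row 4 is decided by $k_i$ alone, and whether a broken column leaks $v$ into row 3 is decided by the row-0 bit, which is what the fix phase conditions on. The cube sums over 5 and 9 variables at 3 and 4 rounds vanish for every key, which is the small-scale version of the zero-sum property that a dimension above the degree bound guarantees; the 6-round experiment in the text works at the boundary of that bound, where the sum is key dependent.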

Conclusion
In this paper, we proposed a new break-fix strategy for the conditional cube attack, which for the first time succeeded in transforming the cube distinguisher provided in [RHSS21] into a key-recovery attack, something that was thought to be difficult before this paper. Thanks to the lower dimension of the cube distinguisher, our attacks led to improvements over the previous attacks on Ascon-128 and Ascon-128a, and gave the first key-recovery attack on Ascon-80pq. The break-fix strategy provides new insights into conditional cube attacks. Different from most previous conditional cube attacks, which tend to use an elimination strategy, we construct a higher-degree term by breaking the special cube structure and then fix the break to force the degree back down. The basic idea of our attack is generic, so we believe that this strategy can find use in other ciphers, which will be a direction of our future work. Besides, verifying Assumption 1 for 7-round Ascon is also an interesting direction for future work.

Figure 2: The demonstration of $p_C$, $p_S$ and $p_L$.

Figure 3: ANF of the Sbox (left) and the linear layer (right) of Ascon.
loaded with the 128-bit nonce. For Ascon-128 and Ascon-128a, S loaded with the 128-bit key and $S^{(0)}_0$ is loaded with the 64-bit initial value (IV). Ascon-80pq takes half of the IV positions to allow 32 more key bits. Thus, $S^{(0)}_{0,\{32,33,\ldots,63\}} \,||\, S^{(0)}_1 \,||\, S^{(0)}_2$ is initialized as a 160-bit key, and $S^{(0)}_{0,\{0,1,\ldots,31\}}$ is the 32-bit IV. The rates of Ascon-128 and Ascon-80pq are 64 bits

to determine the value of $k_{26} + k_{90}$. Actually, when we set $v_1 = v_6 = v_9 = v_{31} = 0$, the key coefficients of the quadratic terms in Equation 3 are $k_3 + k_{67}$, $k_{25} + k_{89}$, $k_4 + k_{68}$ and $k_{26} + k_{90}$. Since we already know that the first three key coefficients are zero, the cube sum of this cube tester tells us the value of $k_{26} + k_{90}$ directly. Note that all these operations are already done when we check the 70 different 60-dimensional cube testers, so no additional complexity is required.

Figure 5: The skew-normal distribution for the number of GKS. The blue dots are the experimental values, whereas the red line is the skew-normal distribution $SN(48.88204620, 12.19456124, -1.52220805)$.

Table 1: Summary of attacks on Ascon-AEAD. The column Var. represents the Ascon variant, including Ascon-128, Ascon-128a and Ascon-80pq. The columns Valid N and Valid D describe whether the attack violates the nonce-respecting and data limitation ($\le 2^{64}$)

Table 2: Ascon-AEAD variants and their recommended parameters

Table 5: Quadratic terms in the ANFs of bits in S

Table 6: Algebraic degrees of Ascon-80pq in cube variables with the structure $IS'_j$ ($32 \le j < 64$) derived from the division properties. "x/y" means that the degrees of some bits of that word are x and others are y.

Ascon-80pq is a relatively new member of the Ascon-AEAD family. The main difference between Ascon-80pq and Ascon-128/Ascon-128a is that it uses the second 32 bits of the IV positions for another 32 bits of key. Our attack in this section is designed to recover the 32-bit key. For the sake of convenience, we denote the 32-bit key by $k'$