Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon

Abstract. Being one of the winning algorithms of the CAESAR competition and currently a second-round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to 7 (out of 12) rounds, due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of $2^{64}$ blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit specified in the design. First, we introduce a new superpoly-recovery technique named partial polynomial multiplication, in which the computations take place between the so-called degree-$d$ homogeneous parts of the involved Boolean functions for a $2d$-dimensional cube. We apply this method to 7-round Ascon and present several key-recovery attacks. Our best attack recovers the 128-bit secret key with a time complexity of about $2^{123}$ 7-round Ascon permutations and requires $2^{64}$ data and $2^{101}$ bits of memory. Also, based on division properties, we identify several 60-dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights into the security analysis of Ascon.


Introduction
Around 2000, Bellare and Namprempre introduced the notion of authenticated encryption (AE), a type of symmetric-key primitive providing both confidentiality and authenticity. Its subsequent development was shaped by real-world applications, and it finally evolved into the notion of authenticated encryption with associated data (AEAD) [Rog02, Rog04, RS06], where the authenticity of the associated data (public information such as packet headers) is ensured along with that of the message.
The first major event in the cryptographic community for soliciting and evaluating AEADs was the CAESAR competition (the Competition for Authenticated Encryption: Security, Applicability, and Robustness), initially announced at the Early Symmetric-key Crypto workshop 2013 [Ear, CAE]. After several years of intensive analysis and comparison of the 57 submissions, the final portfolio was announced in February 2019, and the winning algorithms are categorized into three use cases as follows:
• Lightweight applications: Ascon [DEMS16] and ACORN [Wu16a];
• High-performance applications: AEGIS-128 [WP16] and OCB [KR16];
• Defense in depth: Deoxys-II [JNPS16] and COLM [ABD+16].
Ascon, the main target of this work, is a family of lightweight AEAD algorithms that was selected as the primary choice for the lightweight use case in the final portfolio of the CAESAR competition. It was subsequently submitted to the LWC project, a public competition-like process initiated by the US National Institute of Standards and Technology (NIST) to solicit, evaluate, and standardize authenticated encryption and hashing schemes suitable for highly constrained computing environments [Nat19]. On August 30, 2019, Ascon was selected as one of the 32 second-round candidates out of the 57 initial submissions (of which 56 were accepted as first-round candidates), based on public feedback and internal reviews. As one of the winning algorithms of the CAESAR competition and a second-round candidate of the NIST LWC project, Ascon has withstood extensive self-evaluation and third-party cryptanalysis, which we briefly summarize in the following.
Previous Cryptanalysis. Apart from the self-analysis provided by the designers [DEMS16], Ascon has gone through substantial third-party cryptanalysis. First of all, without considering the AEAD context, the security of the underlying permutation of Ascon was evaluated with respect to (impossible) differential cryptanalysis [Tez16], (zero-correlation) linear cryptanalysis [DEM15], differential-linear cryptanalysis [DEMS15, BDKW19], integral (based on division properties) or zero-sum distinguishing attacks [YLW+19, DEMS15, GRW16, Tod15], and subspace trail cryptanalysis [LTW18]. While these works provide a deeper understanding of the security of the Ascon permutation, they generally do not directly translate into meaningful attacks in the AEAD setting.
Cryptanalysis of Ascon in the AEAD context can be divided into two categories. In the first category, generic security analysis or comparison of a series of constructions with Ascon or its variants as special cases is conducted. For example, security analysis and bounds for the full-state keyed duplex with application to Ascon were discussed in [DMA17]. In [VV18], Vaudenay and Vizár analyzed the misuse resistance of Ascon along with other third-round CAESAR candidates. At ASIACRYPT 2014, Jovanovic et al. provided security proofs for the sponge-duplex mode, concluding that Ascon can process a higher data rate without degradation in security [JLM14]. Later, in [SY15], Sasaki and Yasuda gave some suggestions on processing associated data efficiently in SpongeWrap-like modes (including Ascon), which achieve the same security bounds as Jovanovic et al. [JLM14]. Moreover, Forler et al. discussed the reforgeability of Ascon and many other authenticated encryption algorithms in [FLLW17].
The second category is more relevant to our work: here concrete cryptanalysis specific to Ascon is performed, including state-recovery attacks [DKM+17], differential-linear cryptanalysis [DEMS15], and cube-like attacks [LZWW17, DEMS15, LDW17]. A summary of the results is given in Table 1, from which we can see that the best claimed attack penetrates seven rounds of Ascon. It is worth noting that all 7-round attacks on Ascon in the literature so far require some misuse of the target that violates the security claims of the design, and thus are invalid. Therefore, the best previous valid attack only reaches six rounds [LDW17]. The designers' data limit of $2^{64}$ blocks per key means that any attack requiring more than $2^{64}$ known/chosen data blocks (plaintexts, associated data or nonces) under the same key is invalid. Taking the 7-round attack by Li et al. [LDW17] as an example, it requires at least $2^{65}$ nonces under the same secret key, and since several different cubes of dimension 65 are employed, the actual data complexity is more than $2^{65}$. Accordingly, we conclude that this attack is invalid and that the best known attack reaches only six rounds of Ascon.
In this work, complying with the security requirements, we present the first misuse-free key-recovery and distinguishing attacks on 7-round Ascon. Our contributions are twofold. Firstly, we propose a generic technique called partial polynomial multiplication for cube attacks. The technique recovers the superpoly of a given cube by multiplying simplified versions of the involved Boolean functions. More precisely, under certain conditions, the superpoly of a $2d$-dimensional cube at the $r$-th round can be computed by multiplying specific sets of partial polynomials (the so-called degree-$d$ homogeneous parts) from previous rounds. We apply this technique to 7-round Ascon and recover the superpolies of a 64-dimensional cube with a time complexity of about $2^{123}$ 7-round Ascon permutations. We give the superpoly-recovery procedure for different configurations of cube and non-cube variables in order to achieve a key-recovery attack with minimal time complexity. Our best attack recovers the 128-bit secret key with time and memory complexities of $2^{123}$ 7-round Ascon permutations and $2^{101}$ bits, respectively.
Secondly, we identify several new cube distinguishers for Ascon in the AEAD setting using the division property. We show that there exist $2^{19.27}$ 60-dimensional cubes whose superpolies are constant zero after seven rounds. To the best of our knowledge, these are the first distinguishers for 7-round Ascon. For 4-, 5-, and 6-round Ascon, we find distinguishers with complexities $2^{5}$, $2^{16}$, and $2^{31}$, which improve the best known cube distinguishers by factors of $2^{4}$, $2$, and $2^{2}$, respectively. All source code for verification is publicly available at https://github.com/raghavrohit/ascon_cube_distinguishers.
Outline. The rest of the paper is organized as follows. Section 2 provides an overview of useful techniques in the theory of Boolean functions, cube attacks, and division properties. The specification of Ascon and our attack models are described in Section 3. We introduce the notion of partial polynomial multiplication in Section 4 and give our key-recovery attacks in Sections 5 and 6. Our MILP modeling for the division properties and the obtained distinguishers are discussed in Section 7. Finally, we conclude in Section 8 with some open problems.

Notations and Preliminaries
Let $A$ and $B$ be two sets. The number of elements in $A$ is written as $|A|$. The set of all elements in $A$ but not in $B$ is denoted by $A - B$. Let $\mathbb{F}_2 = \{0, 1\}$ be the finite field with two elements and $f : \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function whose algebraic normal form

We denote the coefficient of the monomial $x^u$ in $f$ by $a_u = \mathrm{Coe}_f(x^u)$. Given a set

In addition, the Hamming weight of $u$ is denoted by $\mathrm{wt}(u)$. Note that we use "+" to denote all kinds of additions (of integers, field elements, Boolean functions, etc.); the actual meaning of a specific use should be clear from the context.

Lemma 1 ([Car10, Can16]). Given an oracle access to the Boolean function $f$, the coefficient of the monomial $x^u$ in $f$ for a particular $u$ can be computed as

The sum $\sum_{\mathrm{wt}(u) = d} a_u x^u$ of all degree-$d$ terms of $f$ is called the degree-$d$ homogeneous part of $f$, and is denoted as

Keyed Boolean Functions. In the context of symmetric-key cryptanalysis, we typically regard each output bit of a keyed primitive with an $m$-bit secret key as a keyed Boolean function $f_k : \mathbb{F}_2^n \to \mathbb{F}_2$ whose algebraic normal form is

where we regard $k$ as a (secret) constant. In this setting, the coefficient $\mathrm{Coe}_{f_k}(x^u)$ can be represented as a Boolean function $\mathbb{F}_2^m \to \mathbb{F}_2$ which maps $k$ to $a_u(k)$. In fact, the function mapping $(x, k)$ to $f_k(x)$ can be expressed as a Boolean function from $\mathbb{F}_2^{m+n}$ to $\mathbb{F}_2$. However, in our work, $k$ (secret constants) and $x$ (Boolean variables) are not treated equally. When we talk about the degree of a keyed Boolean function, the degree is defined with respect to $x$. Moreover, we may use $f(x, k)$ to denote the keyed Boolean function $f_k(x)$ when there is no confusion. We use the following example to clarify potential notational confusion caused by keyed Boolean functions.
Example 2. For a keyed Boolean function $f_k$ with a 3-bit secret key $(k_0, k_1, k_2)$, the degree of $f$ is 3 rather than 6. The set of all terms involved in $f$ is

According to Lemma 1, for any keyed Boolean function $f$ and any given $k$, the value of $\mathrm{Coe}_f(x^u)$ can be obtained with $2^{\mathrm{wt}(u)}$ evaluations of $f$. Thus, the truth table of $\mathrm{Coe}_f(x^u)$ over all $k \in \mathbb{F}_2^m$ can be obtained with $2^{m + \mathrm{wt}(u)}$ evaluations of $f$. Then, applying Lemma 2, the ANF of $\mathrm{Coe}_f(x^u)$ in $k$ can be derived with about $m 2^m = 2^{m + \log_2 m}$ XOR operations. Therefore, if $\mathrm{wt}(u)$ is much larger than $\log_2 m$, the complexity of recovering the ANF of $\mathrm{Coe}_f(x^u)$ for this particular $u$ can be estimated as $2^{m + \mathrm{wt}(u)}$ evaluations of $f$. For the sake of convenience, we state this as a lemma.

Lemma 3. Given an oracle access to $f$ as in Lemma 1, it takes $2^{m + \mathrm{wt}(u)}$ evaluations of $f$ to recover $a_u(\cdot)$ for a certain $u$ where $\mathrm{wt}(u) > \log_2(m)$.

Cube Attack and Division Property. The cube attack was proposed at EUROCRYPT 2009 by Dinur and Shamir to analyze black-box tweakable polynomials [DS09]. Given a keyed Boolean function
where each term of $q(x, k)$ misses some variables in In Lemma 4, if In this case, recovering the ANF of the superpoly of $x^I$ is equivalent to recovering the coefficient $\mathrm{Coe}_f(x^I)$.
A very useful cryptanalytic technique in the literature is the division property, initially proposed by Todo at EUROCRYPT 2015 [Tod15] as a generalization of integral cryptanalysis. Its bit-based variants [TM16], together with their automatic search methods [XZBL16], have been found to have great potential in probing the structure of a Boolean function described as a composition of Boolean functions whose overall ANF is too complicated to compute [TIHM17, WHT+18, WHG+19, HLM+20]. In particular, the bit-based division property can detect the presence or absence of a monomial in the target Boolean function, and can therefore be used to (partially) determine the algebraic structure of superpolies in cube attacks [TIHM17, WHT+18, WHG+19, HLM+20, HLLT20, HSWW20]. In fact, the division property has become a quite standard tool for assisting cube attacks. In this work, we take the MILP (Mixed Integer Linear Programming) based approach to search for division properties and find cube distinguishers of Ascon. The technical details are introduced in Section 7, where they are needed.

Specification and Useful Properties of Ascon
Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) is a family of AEAD algorithms [DEMS16]. At a high level, as depicted in Figure 1, the Ascon AEAD algorithm takes as input a nonce $N$, a secret key $K$, associated data $A$ and a plaintext (message) $M$, and produces a ciphertext $C$ and a tag $T$. The authenticity of the associated data and the message can be verified against the tag $T$. Table 2 lists

The round function $p = p_L \circ p_S \circ p_C$ operates on a 320-bit state arranged into five 64-bit words. The input state to the round function at the $r$-th round is denoted by

The steps $p_C$, $p_S$ and $p_L$ (with the round superscript removed for simplicity) are visualized in Figures 3, 5 and 6, respectively, and are described as follows.

Addition of constants ($p_C$). An 8-bit constant is XORed into bit positions $56, \ldots, 63$ of the 64-bit word $X_2$ at each round.

Substitution layer ($p_S$). Update each slice of the 320-bit state by applying the 5-bit S-box defined by the following algebraic normal forms: (2)

The substitution layer is typically implemented in bitsliced form rather than by applying the 5-bit operation to each slice (Equation 2). This is illustrated in Figure 4, where the operations are performed on each of the five 64-bit words.

By studying the ANF of the S-box in Equation 2, the following properties are obtained.

Property 2. For each bit of the output, always appear together or do not appear.

Linear diffusion layer ($p_L$). Apply a linear transformation $\Sigma_i$ to each 64-bit word $Y_i$ with $0 \le i < 5$, where $\Sigma_i$ is defined as

Configurations for Our Attacks. The overall configuration for our attacks is visualized in Figure 7, where only one block of message is involved and there is no associated data. In our key-recovery attack, for each nonce $N_0 \| N_1$, we call the Ascon oracle to encrypt a random plaintext $P$ and obtain the corresponding ciphertext $C$; then $X^7_0$ can be calculated as $P + C$. Since the linear operation $\Sigma_0$ acts on word 0 only, we apply $\Sigma_0^{-1}$ to $X^7_0$ and obtain $Y^6_0$. Moreover, the algebraic degrees of $X^7_0[j]$ and $Y^6_0[j]$ are equal, and it is simpler to recover the superpoly of a given cube term in $Y^6_0[j]$ than in $X^7_0[j]$. Therefore, in this paper we always focus on recovering the superpoly of $Y^6_0[j]$, $0 \le j < 64$. When there is no ambiguity, the 7-round Ascon output means $Y^6_0[j]$. For the distinguishers, the attack setting is similar; the only difference is that instead of recovering a superpoly, we find cubes whose superpolies are constant zero. In the following, we only give the key-recovery attacks and distinguishers for Ascon-128 in detail; they are, however, equally applicable to Ascon-128a.

New Technique for Superpoly Recovery: Partial Polynomial Multiplication
In this section, we formally introduce the partial polynomial multiplication technique for superpoly recovery. Let $f(x, k)$ be a keyed Boolean function with algebraic normal form

Here, by $\deg(f)$ we mean the algebraic degree in $x$. If $f(x, k)$ can be written in the following form

where $n$ is even, then for

we have

To summarize, ultimately we only need to multiply the degree-$\frac{n}{2}$ parts of $p^{(t)}$ and $q^{(t)}$ for $0 \le t < l$ to determine the coefficient of $x^I$ in $f$. Put another way, knowledge of all the coefficients of the degree-$\frac{n}{2}$ terms is enough to compute $\mathrm{Coe}_f(x^I)$. Combining Equations (4) and (5) gives

Assuming we have oracle access to the keyed Boolean functions $p^{(t)}(x, k)$ and $q^{(t)}(x, k)$ for $0 \le t < l$, we can recover the algebraic normal form of $\mathrm{Coe}_f(x^I)$ in two steps as follows. First, we compute the algebraic normal forms of $\mathrm{Coe}_{p^{(t)}}(x^J)$ and $\mathrm{Coe}_{q^{(t)}}(x^J)$ for all $J \subseteq I$ with $|J| = \frac{n}{2}$. This step is equivalent to recovering the degree-$\frac{n}{2}$ homogeneous parts of $p^{(t)}(x, k)$ and $q^{(t)}(x, k)$.

Lemma 5. Given an oracle access to the Boolean function
• $2^{m+d}$ evaluations of $p$.

Proof. It follows from Lemma 3 and the fact that there are at most

According to Lemma 5, the complexity for recovering all the coefficients of the degree-$\frac{n}{2}$

Moreover, if we know that $p^{(t)}(x, k)$ involves only $m_t < m$ bits of $k$, the time complexity can be reduced to $\binom{n}{n/2} \cdot 2^{m_t + n/2}$ evaluations of $p^{(t)}$. Similarly, we can recover the degree-$\frac{n}{2}$ homogeneous part of $q^{(t)}$.

Next, with the knowledge of all the coefficients of the degree-$\frac{n}{2}$ terms of $p^{(t)}(x, k)$ and $q^{(t)}(x, k)$, we show how to compute

For each $J \subseteq I$ with $|J| = n/2$, if we know that $\mathrm{Coe}_{p^{(t)}}(x^J)$ and $\mathrm{Coe}_{q^{(t)}}(x^J)$ involve only $m_t < m$ bits of $k$ in total, and that the set of these key bits is $\{k_{i_0}, \ldots, k_{i_{m_t - 1}}\}$, then we can represent the algebraic normal form of $\mathrm{Coe}_{p^{(t)}}(x^J)$ (or $\mathrm{Coe}_{q^{(t)}}(x^J)$) as a $2^{m_t}$-bit string whose $i$-th bit records whether the monomial in $k_{i_0}, \ldots, k_{i_{m_t-1}}$ selected by the bits $\mathrm{bin}_{m_t}(i)[j]$ appears in $\mathrm{Coe}_{p^{(t)}}(x^J)$, where $\mathrm{bin}_{m_t}(i)[j]$ denotes the $j$-th bit of the $m_t$-bit binary representation of the integer $i$. We then store $\mathrm{Coe}_{p^{(t)}}(x^J)$ as such a $2^{m_t}$-bit string in the hash table $T_{p^{(t)}}$ at the address $\mathrm{addr}(\mu)$ given by $\mu_i = 1$ if and only if $i \in J$. After processing all possible $J \subseteq I$ with $|J| = \frac{n}{2}$, $T_{p^{(t)}}$ contains all coefficients of the degree-$\frac{n}{2}$ terms of $p^{(t)}$, which requires $\binom{n}{n/2} \cdot 2^{m_t}$ bits of memory. Similarly, we construct the hash table $T_{q^{(t)}}$ for the coefficients of all degree-$\frac{n}{2}$ terms of $q^{(t)}$. Multiplying the two table entries for $J$ and $I - J$ and summing over all $J$ then takes $\binom{n}{n/2} \cdot 2^{2 m_t}$ memory accesses. In summary, to compute the coefficient (superpoly) of $x^I$ in $f$, we need, for each $0 \le t < l$, $\binom{n}{n/2} \cdot 2^{2 m_t}$ memory accesses and $\binom{n}{n/2} \cdot 2^{m_t + n/2}$ evaluations of $p^{(t)}$ and $q^{(t)}$. Note that in practice the evaluations of $p^{(t)}$ and $q^{(t)}$ for many different $t$ may be executed in parallel through an oracle access to a vectorial Boolean function with the $p^{(t)}$ and $q^{(t)}$ as its coordinate functions. Therefore, the complexity of this part should be analyzed on a case-by-case basis.
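The two steps above, on explicit polynomials, as an added example in Python (not the paper's code). A keyed Boolean function is stored as a set of monomials, each a pair of index sets (x-variables, key bits) with XOR semantics, so the set is exactly the ANF; `coe_via_partial_products` computes $\mathrm{Coe}_f(x^I)$ for $f = \sum_t p^{(t)} q^{(t)}$ from the degree-$n/2$ homogeneous parts only, as described in this section, and `check_against_full_product` compares it with the coefficient read off the full product for random polynomials of degree at most $n/2$. The function names, the toy polynomials and the random-test parameters are assumptions of the example; the paper's hash tables $T_{p^{(t)}}$ index the same coefficients by $J$, which here is done by filtering on the x-support.

```python
# Added example (not from the paper): partial polynomial multiplication on
# explicit keyed Boolean polynomials.  A polynomial is a set of monomials
# (X, K), meaning prod_{i in X} x_i * prod_{j in K} k_j; the set has XOR
# semantics, so inserting a monomial twice cancels it (arithmetic over F_2).
from itertools import combinations
import random


def mono(xs=(), ks=()):
    return (frozenset(xs), frozenset(ks))


def add_mono(poly, m):
    """poly += m over F_2 (toggle membership)."""
    poly.symmetric_difference_update({m})


def multiply(p, q):
    """Full product p*q: |p|*|q| monomial products (the cost we want to avoid)."""
    f = set()
    for xa, ka in p:
        for xb, kb in q:
            add_mono(f, (xa | xb, ka | kb))   # x_i^2 = x_i and k_j^2 = k_j
    return f


def coe(f, I):
    """Coe_f(x^I) as a polynomial in k: the set of key monomials attached to x^I."""
    I = frozenset(I)
    return {ks for xs, ks in f if xs == I}


def homogeneous_part(p, d):
    """Degree-d homogeneous part of p with respect to x (Section 2)."""
    return {(xs, ks) for xs, ks in p if len(xs) == d}


def key_poly_mul(a, b):
    """Product of two polynomials in k only (sets of key monomials)."""
    out = set()
    for ka in a:
        for kb in b:
            out ^= {ka | kb}
    return out


def coe_via_partial_products(terms, I):
    """Coe_f(x^I) for f = sum_t p^(t) q^(t), |I| = n even, deg p^(t), deg q^(t) <= n/2.
    Only the degree-n/2 parts are used: a product of two monomials reaches x^I
    only if their x-supports are disjoint halves of I, so
    Coe_f(x^I) = sum_t sum_{J subset I, |J| = n/2} Coe_{p^(t)}(x^J) * Coe_{q^(t)}(x^{I-J})."""
    I = frozenset(I)
    if len(I) % 2:
        raise ValueError("|I| must be even")
    d = len(I) // 2
    result = set()
    for p, q in terms:
        hp, hq = homogeneous_part(p, d), homogeneous_part(q, d)
        for J in combinations(sorted(I), d):
            J = frozenset(J)
            result ^= key_poly_mul(coe(hp, J), coe(hq, I - J))
    return result


def hand_example():
    """p = k0*x0x1 + x2x3,  q = k1*x2x3 + x0x1 + x0,  I = {0,1,2,3}.
    Only (k0*x0x1)(k1*x2x3) and (x2x3)(x0x1) reach x0x1x2x3, so Coe = k0k1 + 1."""
    p = {mono((0, 1), (0,)), mono((2, 3))}
    q = {mono((2, 3), (1,)), mono((0, 1)), mono((0,))}
    return coe_via_partial_products([(p, q)], (0, 1, 2, 3))


def random_poly(rng, n, m, max_deg, n_terms):
    """Random keyed polynomial in n x-variables and m key bits, x-degree <= max_deg."""
    p = set()
    for _ in range(n_terms):
        xs = rng.sample(range(n), rng.randint(0, max_deg))
        ks = rng.sample(range(m), rng.randint(0, m))
        add_mono(p, mono(xs, ks))
    return p


def check_against_full_product(seed=1, n=8, m=4, l=3, trials=20):
    """Compare the partial-product coefficient of x^I, I = {0..n-1}, with the one
    read off the full product f = sum_t p^(t) q^(t) for random terms (constructed input)."""
    rng = random.Random(seed)
    I = range(n)
    for _ in range(trials):
        terms = [(random_poly(rng, n, m, n // 2, 12), random_poly(rng, n, m, n // 2, 12))
                 for _ in range(l)]
        full = set()
        for p, q in terms:
            full ^= multiply(p, q)
        if coe(full, I) != coe_via_partial_products(terms, I):
            return False
    return True


if __name__ == "__main__":
    print("Coe_{pq}(x0x1x2x3) =", sorted(sorted(k) for k in hand_example()))
    print("random check:", check_against_full_product())
```

The degree bound matters: if some $p^{(t)}$ had a term of degree above $n/2$, a pair of monomials with overlapping x-supports could also reach $x^I$, and restricting to the homogeneous parts would miss it. In the Ascon application the bound comes from Lemma 6 (degree at most 32 after six rounds for a 64-dimensional cube).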

Key-Recovery Attack on 7-Round Ascon
In this section, we explain our key-recovery attack procedure on 7-round Ascon. The attack is divided into two phases: an offline phase in which we recover the superpolies of a 64-dimensional cube based on the partial polynomial multiplication technique, and an online phase in which we recover the secret key. We first describe the configuration of the initial state and some core observations related to our attack, and then give the details of the offline and online phases.

Initial State Configuration
We start with the initial state depicted in Figure 8, where the 64 cube variables are set in $X^0_4$ (shown in green) and $X^0_0$ is filled with the constant $IV = \mathtt{0x80400c0600000000}$. The key bits $X^0_1$ and $X^0_2$, respectively. Throughout this section, $X^0_3$ is fixed to an arbitrary constant, and here we set it to $(0, \ldots, 0)$ for simplicity. In this setting, the key bits are treated as symbolic secret constants and the 64 bits of $X^0_4$ are treated as Boolean variables $x = (x_0, \ldots, x_{63})$. With this configuration, every state bit $X^r_i[j]$ (also denoted $X^r[64i + j]$ hereafter) can be regarded as a keyed Boolean function $f(x, k)$ whose algebraic normal form is

where the coefficient of $x^u$ is symbolically represented as a Boolean function $a_u$:

We now give the core observations on which our superpoly recovery is based. Note that some of these observations have been used in [DEMS15], but for convenience of reference we still state them as lemmas.

Lemma 6. For any $r \in \{1, \ldots, 7\}$, $i \in \{0, \ldots, 4\}$, and $j \in \{0, \ldots, 63\}$, the degree of $X^r_i[j]$ is upper bounded by $2^{r-1}$.

Proof. The round function is quadratic and $X^1_i[j]$ is affine with respect to the initial configuration given in Figure 8.

Lemma 7 (Adapted from [DEMS15]). For $1 \le r \le 7$ and

Proof. We prove it by induction on $r$. When $r = 1$, $I = \{i_0\}$ with $0 \le i_0 < 64$. According to Property 1 and Lemma 6, the coefficient of $x^I = x_{i_0}$ in the polynomial $X^1[i]$, $0 \le i < 320$, is a polynomial in $k_{i_0}$ alone (it is $k_{i_0}$, $k_{i_0} + 1$ or a constant). Assuming that the lemma holds for $r = l < 7$, we show that it also holds for $r = l + 1$.

For $I = \{i_0, i_1, \ldots, i_{2^{l+1} - 1}\}$, we consider the coefficient of the monomial

can be expressed as a quadratic function $g$ of the bits of $X^l$. Let

According to the induction hypothesis, $\mathrm{Coe}_{X^s[t]}(x^J)$ and $\mathrm{Coe}_{X^s[t']}(x^{I - J})$ can be fully determined by $\{k_j : j \in J\}$ and $\{k_j : j \in I - J\}$, respectively. Therefore,

Offline Phase: Superpoly Recovery
Before going any further, we emphasize that this process is completely offline and is done once for all secret keys. Let $I = \{0, 1, \ldots, 63\}$; then $x^I = \prod_{i=0}^{63} x_i$. We are going to recover the superpolies of the cube term $x^I$ for $Y^6_0[i]$ (recall that we can ignore $\Sigma_0$ in the 7-th round of Ascon). For concreteness, we present the detailed procedure for recovering the superpoly of $x^I$ for $X^6[0]$, which applies equally to $X^6[i]$ for all $i \in \{0, \ldots, 319\}$. As Lemma 4 shows, if we choose $x^I$ as the cube term, then $\mathrm{Coe}_{X^6[0]}(x^I)$ is just the superpoly of the cube term $x^I$. To recover the algebraic normal form of $\mathrm{Coe}_{X^6[0]}(x^I)$, we apply the method of Section 4 to the following equation, derived from the algebraic normal form of the Ascon S-box given in Equation 2:

Since the degree of each $X^6_i[j]$ is at most 32 by Lemma 6, applying Equation 6 to Equation 7 gives

where

Therefore, to recover the algebraic normal form of $\mathrm{Coe}_{Y^6_0[0]}(x^I)$ (regarded as a Boolean function in the variables $k_i$, $0 \le i < 64$), we need to recover the algebraic normal forms of $\alpha$, $\beta$ and $\gamma$, which in turn can be derived from the algebraic normal forms of the coefficients of all degree-32 terms of $X^6_i[j]$.

Step 1: Computing the ANFs of $\alpha$, $\beta$, and $\gamma$. For a given

The truth table of this Boolean function can be obtained after $2^{32} \times 2^{32} = 2^{64}$ evaluations of the 6-round Ascon permutation, where for each possible value of the 32 involved key bits we evaluate the coefficient of $x^J$ based on Lemma 1. Since one evaluation of the 6-round Ascon permutation gives $X^6[j]$ for all $j \in \{0, \ldots, 319\}$, after $2^{32} \times 2^{32} = 2^{64}$ evaluations of the 6-round Ascon permutation we obtain the 320 truth tables of the coefficients of $x^J$ in $\{X^6[j] : 0 \le j < 320\}$.

By applying the fast Möbius transform of Lemma 2 to the 320 truth tables, we obtain the algebraic normal forms of $\mathrm{Coe}_{X^6[j]}(x^J)$ for all $j \in \{0, \ldots, 319\}$ with about $320 \times 32 \times 2^{32}$ XOR operations. In summary, the time complexity of recovering the algebraic normal forms of $\mathrm{Coe}_{X^6[j]}(x^J)$ for all $j \in \{0, \ldots, 319\}$ is dominated by $2^{64}$ evaluations of the 6-round Ascon permutation. Since there are in total $\binom{64}{32}$ choices of $J$ and three products $\alpha$, $\beta$, $\gamma$ to evaluate, recovering one superpoly takes about $3 \times \binom{64}{32} \times 2^{2 \times 32} \approx 2^{126.3}$ memory accesses according to the analysis of Section 4. For 64 superpolies, the complexity would be $2^{132.3}$ memory accesses. In Section 6.1, we show several techniques that reduce this complexity to $2^{123.28}$ 7-round Ascon permutations.

Step 2: Generating the comparison tables for key candidates. With

Online Phase: Key Recovery
For the cube set $\{x = (x_0, x_1, \ldots, x_{63}) \in \mathbb{F}_2^{64}\}$ placed as in Figure 8, we choose one random 64-bit plaintext $P$, call Ascon to encrypt $P$ and obtain the corresponding $C$. Then the first 64-bit output word of 7-round Ascon can be evaluated as $P + C$. Summing $P + C$ over all $x \in \mathbb{F}_2^{64}$, we get the 64-bit cube sum, denoted $(z_0, z_1, \ldots, z_{63})$. The key candidates are then read from $H[(z_0, z_1, \ldots, z_{63})]$; on average only one key candidate is suggested. The complexity of this step is $2^{64}$ queries to Ascon. The remaining 64 key bits $(k_{64}, k_{65}, \ldots, k_{127})$ can be obtained by exhaustive search, which requires another $2^{64}$ 7-round Ascon evaluations. The total complexity of the online phase is then $2^{65}$ 7-round Ascon permutations.

Improved Key-Recovery Attacks
In this section, we present some techniques (specific to Ascon) that reduce the number of memory accesses, and give the complexity analysis of the key recovery in terms of 7-round Ascon permutations.

Techniques for Improving the Superpoly-recovery Complexity
Combining Similar Monomials. Our first technique is based on combining the common terms in the degree-2 homogeneous part of $Y^6_0[j]$. Recall Equations 8 and 9, where we computed $\alpha$, $\beta$ and $\gamma$ separately. However, we can rearrange the terms, which simplifies Equation 8 to a single product. This reduces the time complexity of recovering all 64 superpolies by a factor of 3.

Choosing a New Initial State. Our second technique utilizes Property 2 of the S-box (which concerns $X^0_3$ rather than $X^0_4$) and algebraic degree bounds on the superpolies. The new initial state is depicted in Figure 9, where we regard $X^0_3[i]$, $0 \le i < 64$, as the cube variables and set $X^0_4$ to the zero constant. From Property 2, the following lemma can be deduced (previously used in [DEMS15] to attack 5- and 6-round Ascon). We state it here for completeness.

In the following, we always denote

is a polynomial in $\{\kappa_0, \kappa_1, \ldots, \kappa_{63}\}$ (this follows from Lemma 8). According to Equation 10, we need to compute $\mathrm{Coe}_{X^6[i]}(x^J)$ for all $J$ with $|J| = 32$, each of which requires $2^{32}$ 6-round Ascon permutations per key value. However, if the degree of $\mathrm{Coe}_{X^6[i]}(x^J)$ in the key bits is upper bounded by $d$, then its ANF has at most $\sum_{i=0}^{d} \binom{32}{i} \le 2^{32}$ monomials and is determined by its values on the keys of Hamming weight at most $d$. Thus, we only need to consider the keys with Hamming weight at most $d$. The complexity of constructing the truth table of $\mathrm{Coe}_{X^6[i]}(x^J)$ then becomes $\sum_{i=0}^{d} \binom{32}{i} \cdot 2^{32}$. For $d < 32$, this complexity is reduced.

To compute the values of $d$, we use the division property method similar to [WHT+18]. Since $\mathrm{Coe}_{X^6[i]}(x^J)$ is a polynomial in $\{\kappa_j : j \in J\}$, it is not trivial to model $\kappa_j$, $j \in J$, in the MILP model. However, we can write each monomial in $\mathrm{Coe}_{X^6[i]}(x^J)$ as

The above equation shows that the degree of $\prod_{j \in J} \kappa_j$ is equal to the degree of

The latter can be modeled easily in MILP. The upper bound returned by the division property algorithm on the degree of $\mathrm{Coe}_{X^6[i]}(x^J)$, for all $J$ with $|J| = 32$ and all $0 \le i < 320$, is 15. Thus, the time complexity to compute $\mathrm{Coe}_{X^6[i]}(x^J)$ is $\sum_{i=0}^{15} \binom{32}{i} \cdot 2^{32} \approx 2^{30.78 + 32} = 2^{62.78}$. Accordingly, the complexity of computing the degree-32 terms of $X^6[i]$, $0 \le i < 320$, is reduced to $2^{60.7 + 62.78} = 2^{123.48}$ 6-round Ascon permutations.

In the superpoly recovery of $Y^6_0[0]$ (Equation 10), we have assumed that there are $2^{32}$ monomials in both $\mathrm{Coe}_{X^6_4[0] + X^6_2[0] + X^6_0[0]}(x^J)$ and $\mathrm{Coe}_{X^6_1[0]}(x^{I - J})$ for each $J$. As a result, the complexity of computing their product was roughly estimated as $2^{32 + 32} = 2^{64}$ memory accesses. Now we know that both have at most $\sum_{i=0}^{15} \binom{32}{i} \approx 2^{30.78}$ monomials. Hence, the time complexity is reduced to at most $2^{61.56}$. Finally, the time complexity of computing Equation 10 is reduced to $2^{122.26}$ memory accesses. In other words, it takes $2^{122.26}$ memory accesses to recover one superpoly. Measured in 7-round rather than 6-round Ascon permutations, the complexity of computing the degree-32 part of $X^6[i]$, $0 \le i < 320$, is about $2^{123.28}$ 7-round Ascon permutations.

To estimate the complexity of the partial polynomial multiplication, we need the scale factor between a memory access (denoted $N_{mem}$) and a 7-round Ascon permutation (denoted $T_{Ascon}$). To convert $N_{mem}$ into $T_{Ascon}$, we define the scale factor $\eta$ satisfying $T_{Ascon} \approx \eta \times N_{mem}$.

In a conventional method, we regard one S-box operation as one memory access and ignore the cost of the linear layer. Thus one round of Ascon equals approximately 64 memory accesses and 7-round Ascon equals $64 \times 7 \approx 2^{8.8}$ memory accesses, i.e., $\eta = 2^{-8.8}$. Then the complexity of computing Equation 10 is equivalent to about $2^{122.26 - 8.8} = 2^{113.46}$ 7-round Ascon permutations.

Since Ascon is designed for bitsliced implementation, we also use another scale for the conversion. Note that the bitsliced implementation of Ascon has eleven 64-bit XORs for the S-box layer (Figure 4) and ten 64-bit XORs for the linear layer (Equation 3). Thus, there are $7 \times (11 + 10) \approx 2^{7.2}$ 64-bit XORs in total for 7 rounds. We ignore the ANDs and NOTs because the XORs are heavier in general. Since all memory operations in our attack are on 64-bit vectors, we assume one memory access equals one 64-bit XOR operation. Accordingly, we have $\eta = 2^{-7.2}$, and the complexity of computing Equation 10 in the offline phase is about $2^{115.06}$ 7-round Ascon permutations. Comparing different operations is always a difficult task; if we instead count a memory access as one full encryption, the time complexity for computing Equation 10 is about $2^{122.26}$ encryptions. Note that the complexity of the multiplication is considered in the worst case, where we assume that a monomial of $\mathrm{Coe}_{X^6_4[0] + X^6_2[0] + X^6_0[0]}(x^J)$ or $\mathrm{Coe}_{X^6_1[0]}(x^{I - J})$ appears unless we can be sure that it does not. Overall, the time complexity of the offline phase is dominated by computing the degree-32 part of $X^6[i]$, $0 \le i < 320$, i.e., $2^{123.28}$ 7-round Ascon permutations.

The complexity of the online phase is $2^{65}$, consisting of one evaluation of the cube sum and the exhaustive search over 64 key bits. In the end, the overall time complexity is dominated by $2^{123.28}$ 7-round Ascon permutations.

Remark. In this paper, we regard one memory access to a big table as one 64-bit XOR operation, which is sometimes controversial. However, even if we count a memory access as one full encryption, the time complexity is still, if only marginally, below exhaustive search. We hope the technique of partial polynomial multiplication can inspire further improvements.

Distinguishers for Round-reduced Ascon Based on Division Property
In this section, we present several distinguishers on round-reduced Ascon by exploiting properties of the S-box and using the three-subset bit-based division property (3SBDP) [HLM+20]. We first give an efficient MILP model for the 3SBDP propagation rules of Ascon by adopting the arithmetic circuit approach. Next, we use this model to find cubes whose superpolies are constant zero.

Efficient MILP Modeling of Ascon
Let $x, y_1, y_2, \ldots, y_n$ be binary variables. The 3SBDP propagation of a cipher can be modeled with three basic operations, namely bitwise COPY, bitwise AND and bitwise XOR [HLM+20]. To model these operations in MILP, the following linear inequalities are sufficient.

In Ascon, the state is initially loaded with an IV that has certain bits set to the constant 1. Furthermore, the constant 1 is XORed into part of the state via the round-constant bits. Hence, to model the division trails of an XOR with the constant 1, we propose a new propagation rule in Proposition 1.

Proposition 1 (MILP model for XOR+1). Let $x, y$ be binary variables and let $x \xrightarrow{\mathrm{XOR}+1} y$ be the three-subset division trail of $y = x + 1$. Then the following inequality is sufficient to describe the propagation of $y = x + 1$:

$y \ge x$.

We now proceed to model the 3SBDP of Ascon using the aforementioned rules. Algorithm 1 describes the MILP model for Ascon reduced to $r$ rounds. Below, we explain the individual components of Algorithm 1 and give the explicit linear inequalities in Appendix A.

Modeling S-boxes. Ascon uses the same S-box throughout all rounds. However, to obtain an accurate and efficient propagation of division trails, we model the exact vectorial Boolean function in each round. Let $x_0, \ldots, x_4$ and $y_0, \ldots, y_4$ be binary variables. We denote the S-box model by $\mathrm{SB}([x_0, x_1, x_2, x_3, x_4], [y_0, y_1, y_2, y_3, y_4])$; the corresponding inequalities can be generated with the convex hull computation method [SHW+14]. Note that the S-box is modeled according to whether an input bit is a variable or a constant. For instance, if the state bit at $x_0$ is the constant 1, then we model the 4-bit to 5-bit vectorial Boolean function given by $\mathrm{SB}([0, x_1, x_2, x_3, x_4], [y_0, y_1, y_2, y_3, y_4])$. This approach gives the flexibility to assign the constant 0 or 1 to a state variable, which in turn allows precise modeling. Lines 6, 9, 19, and 22 in Algorithm 1 depict the addition of constants and the substitution layer. The exact modeling of the $\mathrm{SB}(\cdot)$ function is provided in Algorithm 3.

Modeling the Linear Layer. The linear layer takes the entire state as input and mixes the bits within each 64-bit word by XOR operations (Equation 3). Thus, it can be modeled simply with the COPY and XOR rules. This is denoted by $L$ in Lines 13 and 26 of Algorithm 1. The exact modeling of the $L(\cdot)$ function is provided in Algorithm 4.

Verification. For verifying the correctness of our model, we computed the ANF of each state bit and matched it with the output of Sage. The source codes are available at https://github.com/raghavrohit/ascon_cube_distinguishers in case the reader wants to verify the models.

Finding Good Cubes for Ascon
Our aim here is to find cubes with dimension less than 64 whose superpolies are constant zero. We restrict ourselves to at most 63-dimensional cubes as the data limit prescribed by the designers for a single key is $2^{64}$. The best known cubes that satisfy this limit can reach 4-, 5- and 6-round Ascon and have dimensions 9, 17 and 33, respectively [DEMS15].

To the best of our knowledge, there are no distinguishers on 7-round Ascon. Thus, it is worth investigating whether there exist cubes which can distinguish the output of 7-round Ascon with data complexity less than $2^{64}$ encryptions.

To answer the above question, we first recall Property 3 of the Sbox. If we set $X^0_3 = X^0_4$ in Equation 2, then both $Y^0_2$ and $Y^0_3$ become independent of the words $X^0_3$ and $X^0_4$. This means that if we take $N_0 = N_1$, i.e., the nonce variables as $v_i = v_{i+64}$ for $i = 0, \dots, 63$, and use them as cube variables, then after round 1 no cube variable $v_i$ is present in the words $X^1_2$ and $X^1_3$. In the words $X^1_0$, $X^1_1$ and $X^1_4$, the cube variables are linear. Since the algebraic degree of the round function is 2, the degree in cube variables is at most 64 after 7 rounds. The fact that two words after round 1 are independent of the cube variables suggests that the algebraic degree in cube variables may be less than 4, 8, 16, 32 and 64 after 3, 4, 5, 6 and 7 rounds, respectively.

Upper Bounds of Degree. To compute the upper bounds of the algebraic degree in cube variables, we set $N_0 = N_1$ and model the 3SBDP of Ascon following Algorithm 1. We then compute the degree upper bound of each state bit using Algorithm 2. In Table 3, we list the obtained upper bounds for each state word up to 7 rounds. For 7 rounds, the upper bound is 59, which means the superpoly of any 60-dimensional cube (with $N_0 = N_1$) is constant zero. There exists ( 64
Experimental Verification. We have experimentally verified all our distinguishers for 4, 5 and 6 rounds using the Ascon reference C code. The codes are also publicly available at https://github.com/raghavrohit/ascon_cube_distinguishers.
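The following Python script is an added example (it is not code from the paper or from the ascon_cube_distinguishers repository) that shows, on two small circuits, both the modeling rules of the previous section and the reasoning used in the cube search above. It writes the linear inequalities for COPY, AND, XOR and the XOR+1 rule $y \geq x$ of Proposition 1, counts division trails by exhaustive enumeration instead of a MILP solver, and checks the property of the three-subset model without unknown subset that the paper relies on: the parity of the trail count equals the ANF coefficient of the monomial. From the same trail counts it derives the existence-based degree upper bound of Algorithm 2 and the "no trail, hence constant-zero superpoly" criterion behind the 60-dimensional distinguishers. Both circuits are constructed for this example: `ASCON_Y2` computes the single Sbox output bit $y_2 = x_3x_4 + x_4 + x_2 + x_1 + 1$ (the ANF of the Ascon Sbox as given in the specification), and `CANCEL` computes $x_1(x_1 + x_2) + x_1x_2 = x_1$, where two trails for $x_1x_2$ cancel so that the existence bound overshoots the true degree.

```python
"""Three-subset division trails for straight-line Boolean circuits.

Added example, not code from the paper or its repository.  Both circuits
are constructed here: ASCON_Y2 computes the Ascon Sbox output bit
y2 = x3*x4 + x4 + x2 + x1 + 1; CANCEL computes x1*(x1 + x2) + x1*x2 = x1.
"""
from itertools import product

# Gates: ("copy", src, (d1, d2)), ("and", (a, b), dst), ("xor", (a, b), dst),
# ("not", src, dst) for XOR with constant 1.  A circuit is (inputs, gates, out).
ASCON_Y2 = (["x1", "x2", "x3", "x4"], [
    ("copy", "x4", ("a", "b")), ("and", ("a", "x3"), "c"),
    ("xor", ("c", "b"), "d"), ("xor", ("d", "x2"), "e"),
    ("xor", ("e", "x1"), "f"), ("not", "f", "y")], "y")
CANCEL = (["x1", "x2"], [
    ("copy", "x1", ("p", "q")), ("copy", "q", ("r", "s")),
    ("copy", "x2", ("t", "v")), ("xor", ("p", "t"), "w"),
    ("and", ("w", "r"), "m"), ("and", ("s", "v"), "n"),
    ("xor", ("m", "n"), "y")], "y")

def trail_constraints(gates):
    """Linear (in)equalities on 0/1 trail variables: (coefficients, relation, rhs)."""
    cons = []
    for kind, src, dst in gates:
        if kind == "copy":   # x -> (y1, y2): 0 -> (0,0); 1 -> (0,1), (1,0) or (1,1)
            cons += [({dst[0]: 1, dst[1]: 1, src: -1}, ">=", 0),
                     ({src: 1, dst[0]: -1}, ">=", 0), ({src: 1, dst[1]: -1}, ">=", 0)]
        elif kind == "and":  # y = x1 = x2
            cons += [({dst: 1, src[0]: -1}, "==", 0), ({dst: 1, src[1]: -1}, "==", 0)]
        elif kind == "xor":  # y = x1 + x2, which excludes (1,1) -> 1
            cons.append(({dst: 1, src[0]: -1, src[1]: -1}, "==", 0))
        elif kind == "not":  # Proposition 1 of the paper: y >= x
            cons.append(({dst: 1, src: -1}, ">=", 0))
        else:
            raise ValueError(kind)
    return cons

def count_trails(circuit, u):
    """Number of division trails from input monomial x^u to the output bit,
    found by enumerating every 0/1 assignment instead of calling a MILP solver."""
    inputs, gates, output = circuit
    cons = trail_constraints(gates)
    fixed = dict(zip(inputs, u), **{output: 1})
    free = sorted({w for coeffs, _, _ in cons for w in coeffs} - set(fixed))
    total = 0
    for bits in product((0, 1), repeat=len(free)):
        val = {**fixed, **dict(zip(free, bits))}
        total += all((lhs >= rhs) if rel == ">=" else (lhs == rhs)
                     for coeffs, rel, rhs in cons
                     for lhs in [sum(c * val[w] for w, c in coeffs.items())])
    return total

def evaluate(circuit, x):
    """Run the circuit on concrete bits, x ordered like the input list."""
    inputs, gates, output = circuit
    val = dict(zip(inputs, x))
    for kind, src, dst in gates:
        if kind == "copy":
            val[dst[0]] = val[dst[1]] = val[src]
        elif kind == "and":
            val[dst] = val[src[0]] & val[src[1]]
        elif kind == "xor":
            val[dst] = val[src[0]] ^ val[src[1]]
        else:
            val[dst] = val[src] ^ 1
    return val[output]

def anf(circuit):
    """Exact ANF coefficients {u: 0/1} of the output bit via the Moebius transform."""
    n = len(circuit[0])
    coeff = [evaluate(circuit, [(i >> j) & 1 for j in range(n)]) for i in range(1 << n)]
    for j in range(n):
        for i in range(1 << n):
            if i & (1 << j):
                coeff[i] ^= coeff[i ^ (1 << j)]
    return {tuple((i >> j) & 1 for j in range(n)): coeff[i] for i in range(1 << n)}

def trail_parity_matches_anf(circuit):
    """Trail-count parity equals the ANF coefficient for every monomial."""
    return all(count_trails(circuit, u) % 2 == c for u, c in anf(circuit).items())

def degree_upper_bound(circuit):
    """Largest |u| with at least one trail: the bound Algorithm 2 extracts from MILP."""
    return max(sum(u) for u in anf(circuit) if count_trails(circuit, u) > 0)

def exact_degree(circuit):
    return max(sum(u) for u, c in anf(circuit).items() if c)

def superpoly_is_zero(circuit, cube):
    """No trail starts from a monomial containing every cube variable, so the
    cube's superpoly is constant 0 (the criterion behind the distinguishers)."""
    idx = [circuit[0].index(v) for v in cube]
    return all(count_trails(circuit, u) == 0
               for u in anf(circuit) if all(u[i] for i in idx))
```

Running `trail_parity_matches_anf` on both circuits returns `True`. For `CANCEL`, `count_trails(CANCEL, (1, 1))` is 2, so `degree_upper_bound` reports 2 while `exact_degree` is 1: trail existence only upper-bounds the degree, which is exactly why the bound of 59 in Table 3 certifies zero superpolies for 60-dimensional cubes without claiming the degree is attained. Enumerating assignments is only feasible for toy circuits; for the full Ascon model the same inequalities are handed to a MILP solver, as Algorithm 1 does.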

Conclusion and Open Problem
In this work, we have presented the first cube-based key recovery attack on 7-round Ascon without violating the data limit per key specified by the designers. The main technique employed in this attack is the so-called partial polynomial multiplication, enabling the recovery of superpolies by considering simplified versions of the target Boolean functions.

Our best attack can recover the 128-bit secret key with a time complexity of $2^{123}$ and requires $2^{64}$ data and $2^{101}$ bits of memory. Moreover, based on division properties, we identified the first 7-round misuse-free cube distinguishers for Ascon and some 4-, 5- and 6-round distinguishers with reduced complexities. All our results are equally applicable to Ascon-128a because of the same core permutation. We believe that the partial polynomial multiplication technique can find applications in other contexts too. Furthermore, in our key-recovery attacks, we have assumed the worst case for the number of cube terms present in a state bit and their corresponding number of monomials in the superpoly. Any improvement in either or both of these will reduce the time and memory complexities, and thus requires further investigation. Finally, is there any key-recovery attack using less than $2^{64}$ data? We hope to get the answer in the future.
$x[I]$. We call $x^I$ the cube term and $p_I(x[\bar{I}], k)$ the superpoly of $x^I$ in $f(x, k)$. If we set the variables in $x[\bar{I}]$ to some fixed constants, the superpoly $p_I(x[\bar{I}], k)$ is a Boolean function of $k$. How to recover the algebraic normal form of $p_I(x[\bar{I}], k)$ in the key bits is a fundamental problem in cube attacks. Concerning the superpoly, we have the following lemma.

Lemma 4 ([DS09]). For a set $I \subseteq \{0, \dots, n-1\}$ and a keyed Boolean function

Figure 1: The high-level structure of the encryption algorithm of Ascon

Figure 2: The encryption algorithm of Ascon

Figure 4: Bitsliced implementation of the substitution layer

Figure 5: The substitution layer $p_S$

Figure 6: The linear diffusion layer $p_L$

Figure 8: Initial state with cube variables in $X^0_4$

Table 1: Summary of attacks and distinguishers on Ascon in the AEAD context [DEMS16]. Footnotes: invalid as the required data is beyond $2^{64}$; invalid as the nonce is repeated; ‡: weak key setting.

Our Contributions. Before listing the contributions, we would like to emphasize the security claims [DEMS16] made by the designers of Ascon and discuss their implications on previous cryptanalysis: "The number of processed plaintext and associated data blocks protected by the encryption algorithm is limited to a total of $2^{64}$ blocks per key ..." (see [DEMS16, Chapter 2, Page 9]) "In order to fulfill the security claims ..., implementations must ensure that the nonce (public message number) is never repeated for two encryptions under the same key ..." (see [DEMS16, Chapter 3, Page 12])

Table 3: Upper bounds on the algebraic degree of Ascon in cube variables