Diving Deep into the Weak Keys of Round Reduced Ascon

At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer’s security claims of nonce-respecting setting and data limit of $2^{64}$ blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) $2^{60}$ data while the data complexity of key recovery attacks exactly equals $2^{64}$. Whether there are any practical distinguishers and key recovery attacks (with data less than $2^{64}$) on 7 rounds Ascon is still an open problem. In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities $2^{46}$ and $2^{33}$ which work for $2^{82}$ and $2^{63}$ keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of $2^{8}$, $2^{16}$ and $2^{27}$, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify $2^{127.99}$, $2^{127.97}$ and $2^{116.34}$ weak keys (out of $2^{128}$) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with $2^{63}$ data, $2^{69}$ bits of memory and $2^{115.2}$ time. Our attacks are far from threatening the security of full 12 rounds Ascon, but we expect that they provide new insights into Ascon’s security.


Introduction
Undoubtedly, one of the main security criteria of a keyed cryptographic primitive is its random behavior for any randomly selected key from the entire key space. It is often difficult to guarantee this criterion, as there might exist some keys, often termed weak keys, for which the strength (distinguishability or key recovery) of a primitive may differ significantly. This is evident from a wide range of attacks on symmetric ciphers in the weak key setting [BB93, Haw98, FMS01, KM07, Men17, Kha19, GLR+20, LIMS21].
A typical weak key attack consists of two steps: (1) finding a weak key set and (2) ensuring that the complexity of a distinguisher or key recovery attack is less than the number of weak keys, both of them being challenging tasks. Some promising generic weak key attacks are the invariant and nonlinear invariant subspace attacks [LAAZ11,LMR15,TLS16,Bey18] which have seen applications to block ciphers only.
This work focuses on weak key analysis (from the algebraic degree perspective) of permutation-based authenticated encryption with associated data (AEAD) scheme Ascon, designed by Dobraunig, Eichlseder, Mendel, and Schläffer [DEMS16,DEMS21]. Being one of the winners of the CAESAR competition (the Competition for Authenticated Encryption: Security, Applicability, and Robustness) [CAE] and currently a finalist of the US National Institute of Standards and Technology (NIST) lightweight cryptographic standardization project [Nat19], Ascon has received substantial third-party security evaluation.
Among all the aforementioned cryptanalytic results, the best attacks on Ascon in the AEAD context considering the two design requirements ([DEMS16, Chapter 2]), namely (1) nonce value should not be repeated for a fixed key and (2) the data limit per key is $2^{64}$ blocks, can reach only 7 (out of 12) rounds due to Rohit et al. [RHSS21]. However, the complexity of their distinguishers, i.e., $2^{60}$, is still not practical while the data complexity of key recovery attacks equals $2^{64}$. Furthermore, it is surprising that there is no weak key analysis of Ascon to date. Thus, it is worth investigating the weak key security of Ascon and identifying whether there are any practical distinguishers and key recovery attacks (with data less than $2^{64}$) on 7 rounds. Table 1 gives a summary of the attacks on Ascon. We now list our contributions.
Our Contributions. We present a comprehensive security analysis of round-reduced Ascon in the weak key setting without violating any of Ascon's security claims. Our contributions are threefold and summarized as follows.
1. Practical distinguishers for up to 7 rounds: We identify a set of keys and a set of nonce variables (say d out of 64) such that the algebraic degree of the output bits is at most d − 1 in nonce variables. In particular, for 7 rounds, we find that for any fixed set of d = 46 (resp. 33) nonce variables out of $\binom{64}{46}$ (resp. $\binom{64}{33}$) choices, there are $2^{82}$ (resp. $2^{63}$) keys where the algebraic degree of the output bits is at most 45 (resp. 32). This gives distinguishers with complexities $2^{46}$ and $2^{33}$. To the best of our knowledge, these are the first practical distinguishers for 7-round Ascon. Furthermore, in a weak key scenario, our choices of d = 13 (9), 24 (17) and 46 (33) improve the complexities of existing distinguishers (which work for all keys) for 5, 6 and 7 rounds by a factor of $2^{3}$ ($2^{8}$), $2^{8}$ ($2^{16}$) and $2^{13}$ ($2^{27}$), respectively (see Table 1).

2. Theoretical framework of weak keys: We provide the theoretical construction of a weak key space solely based on the algebraic degree. Our central idea is to partition the key space such that for any key in the weak key space, there must exist a set of d nonce variables which achieves an algebraic degree of at most d − 1 after r rounds. We show that this criterion holds for $2^{127.99}$, $2^{127.97}$ and $2^{116.34}$ keys (out of $2^{128}$) with d = 13, 24 and 46 for r = 5, 6 and 7, respectively. In addition, we find a subset of these keys with d = 9, 17 and 33 where the number of keys are $2^{104.1}$, $2^{103.92}$ and $2^{94.67}$ for 5, 6 and 7 rounds, respectively. Moreover, we give structural properties of weak keys such as (1) indices where key bits are equal and/or unequal and (2) Hamming weight of a weak key, which are crucial for key recovery attacks.
3. Key recovery attacks on 7 rounds: We present two key recovery attacks on 7 rounds Ascon with different attack complexities. Our first attack requires $2^{64}$ data, $2^{70}$ bits of memory and $2^{97}$ time while the second attack requires $2^{63}$ data, $2^{69}$ bits of memory and $2^{115.2}$ time (see Table 1). Although the time complexity of the latter attack is marginal, it answers the question "Is there a key recovery attack on 7-round Ascon with less than $2^{64}$ data?" posed by [RHSS21].
Notes to Table 1: an attack marked as generic violates the required data limit of ≤ $2^{64}$ per key and is hence invalid; † denotes an experimental distinguisher with a success probability of 0.63.
Outline of the Paper. The rest of the paper is organized as follows. In Section 2, we define our notation and some well-known relevant cryptanalytic techniques. Section 3 gives the specification of Ascon along with our attack settings. We present the practical weak key distinguishers of round-reduced Ascon in Section 4. In Section 5, we provide the construction of weak key space of Ascon and their structural properties. Section 6 gives the key recovery attacks on 7-round Ascon in the weak key setting. Finally, we conclude in Section 7 with future research directions.

Notation and Preliminaries
Let A and B be two sets. We use A ∪ B (resp. A ∩ B) to denote the set consisting of elements which are in A or B (resp. A and B), while A \ B represents the set which contains elements from A but not in B. For a set A, its cardinality is given by |A|. Let $\mathbb{F}_2 = \{0, 1\}$ be the finite field with two elements and let $\mathbb{F}_2^n$ denote the n-dimensional vector space over $\mathbb{F}_2$. For $x, y \in \mathbb{F}_2^n$, $x \oplus y$ and x y denote the bitwise XOR and concatenation operations, respectively. In addition, we use "+" to denote all kinds of additions (of integers, field elements, and Boolean functions) and the actual meaning should be clear from the context.

Monomial representation and Boolean functions.
For a given $u = (u_0, \cdots, u_{n-1}) \in \mathbb{F}_2^n$, we write the monomial $x^u$ in n variables from $x = (x_0, \cdots, x_{n-1})$ as Note that $x^u = 1$ if and only if $u_i \le x_i$ for all $0 \le i \le n-1$. Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function whose Algebraic Normal Form (ANF) is defined by $f(x) = \sum_{u \in \mathbb{F}_2^n} a_u x^u$ where $a_u \in \mathbb{F}_2$. For any $u \in \mathbb{F}_2^n$, we denote its Hamming weight by wt(u). The algebraic degree of a Boolean function f, represented by deg(f), is defined as

Keyed Boolean functions.
Let $v = (v_0, \cdots, v_{m-1})$ be m public variables and $k = (k_0, \cdots, k_{n-1})$ be n secret variables. Then, in the context of symmetric ciphers, each output bit can be regarded as a Boolean function $f : \mathbb{F}_2^m \times \mathbb{F}_2^n \to \mathbb{F}_2$ given by where $a_{u,w} \in \mathbb{F}_2$. In Equation 2, $\deg(f) = \max\{wt(u) + wt(w) \mid a_{u,w} \neq 0\}$. For a fixed key k, which is usually treated as a secret constant in cryptanalysis, we are interested in the algebraic degree in public variables only. Thus, in our work, we focus on $\deg(f) = \max\{wt(u) \mid a_{u,w} \neq 0\}$.
Cube attacks. The cube attack proposed in [Vie07,DS09] analyzes a keyed Boolean function as a black-box polynomial which is tweakable in public variables. Given n secret variables $k = (k_0, \cdots, k_{n-1})$, m public variables $v = (v_0, \cdots, v_{m-1})$, a set of indices where each monomial in the Boolean function q misses at least one variable from $v[I] = \{v_i \mid i \in I\}$. Following the terminology of cube attacks, we denote I, v[I] and a Boolean function t(·) as the cube indices set, cube variables set, and the superpoly of cube monomial $\prod_{i \in I} v_i$, respectively. Let $C_{v[I]}$ denote the set consisting of all $2^d$ possible values of the variables in I while the variables in $\bar{I}$ are fixed to some constant. We call $C_{v[I]}$ the d-dimensional cube, and summing f(v, k) over it (also termed the cube-sum) gives the superpoly $t(\bar{I}, k)$. More precisely, we have Finding the ANF of a superpoly or showing that a certain cube monomial does not appear in the ANF are the essence of cube attack and its variants [ADMS09, KMN10, DS11, HWX+17]. The former is typically exploited for key recovery attacks while the latter is used as a distinguisher. There are division property [Tod15,TM16] based automated techniques which can recover the ANF of a superpoly [TIHM17, WHT+18, WHG+19, HLM+20, HLLT20, HSWW20]. However, in this work, we concentrate on distinguishers and show how they can be utilized for key recovery attacks in case of Ascon without the need of any automated tools.

Specification of Ascon and Attack Settings
Ascon [DEMS16,DEMS21], designed by Dobraunig et al., is a permutation-based family of authenticated encryption with associated data algorithms (AEAD). The Ascon AEAD algorithm takes as inputs a secret key K, a nonce N, a block header AD (a.k.a. associated data) and a message M. It then outputs a ciphertext C of the same length as M, and an authentication tag T which authenticates the associated data AD and the message M. It operates in a sponge-duplex mode [BDPA11,Dae12] (as shown in Figure 1) using the iterative permutations $p^a$ and $p^b$ with a and b rounds, respectively. Ascon has two variants, namely Ascon-128 and Ascon-128a. Table 2 lists these two variants along with their recommended parameters.

The Ascon Permutation
The core permutation p of Ascon is based on a substitution permutation network (SPN) design paradigm. It operates on a 320-bit state arranged into five 64-bit words and is defined as $p := p_L \circ p_S \circ p_C$. The state at the input of the r-th round is denoted by represents the state after the $p_S$ layer. We use $X^r_i[j]$ (resp. $Y^r_i[j]$) to denote the j-th bit (starting from left) of $X^r_i$ (resp. $Y^r_i$). We now describe the three steps $p_C$, $p_S$, and $p_L$ in detail (superscripts are removed for simplicity).

Addition of constants ($p_C$). As shown in Figure 2, an 8-bit constant is added to the bits 56, · · · , 63 of word $X_2$ at each round.
Substitution layer ($p_S$). A 5-bit Sbox is applied on each of the 64 columns (see Figure 3). Let $(x_0, x_1, x_2, x_3, x_4)$ and $(y_0, y_1, y_2, y_3, y_4)$ denote the input and output of the Sbox, respectively. Then the algebraic normal form (ANF) of the Sbox is given in Equation 5. Note that here $x_i$ and $y_i$ are the bits of the words $X_i$ and $Y_i$, respectively.

Figure 3: Substitution layer $p_S$
Linear diffusion layer ($p_L$). Each 64-bit word is updated by a linear operation $\Sigma_i$ which is defined in Equation 6 and also illustrated in Figure 4. Here ≫ is the right cyclic shift operation over a 64-bit word.

Attack Configuration and Targets
We focus on the initialization phase of Ascon (see Figure 5) reduced to r ∈ {5, 6, 7} out of 12 rounds, in the nonce-respecting setting. In our attacks, we query the Ascon oracle q times for distinct nonces $N_i$ and the known-plaintexts $P_i$, and obtain the corresponding ciphertext blocks $C_i$ for i = 0, · · · , q − 1. For a fixed key K and AD = φ, we denote these queries by $C_i \leftarrow \text{Ascon}(K, N_i, \phi, M_i)$ where the tag is omitted. We consider two attacks as follows.

Figure 5: Our attack configuration
Distinguishing attacks. Our goal is to find a set of keys denoted by $WK^r$ and a set of Moreover, we aim to achieve small values of d to have low data complexity.

Key recovery attacks. What are the complexities of recovering $K \in WK^r$? Is there a key recovery attack with data less than $2^{64}$?
In the following, we only give the distinguishing and key recovery attacks on Ascon-128 in detail. However, they are equally applicable to Ascon-128a as the underlying permutation is the same for both variants.

Practical Weak Key Distinguishers
In this section, we present the distinguishers for round-reduced Ascon with practical data complexities, in the weak key setting. We explain the idea of constructing the distinguishers and give concrete examples.

Core Idea of Distinguishers
Our main idea is to reduce the algebraic degree of the output bits (in terms of nonce bits $v_0, \cdots, v_{127}$) by imposing certain conditions on nonce bits $v_0, \cdots, v_{127}$ and the secret key bits $k_0, \cdots, k_{127}$. We achieve this in two steps as follows.
Step 1. Constraints on nonce bits [RHSS21]. The idea is similar to the one proposed in [RHSS21]. We first look at the Sbox output after round 1 as given in Equation 7 where $rc_i$ is a round constant bit, and $rc_i = 1$ for $i \in \{56, 57, 58, 59\}$ and zero otherwise.
to Equation 8 as follows. The
Step 2. Constraints on key bits. We now make $Y^0_1[i]$ independent of $v_i$ in Equation 8 by adding the following constraints on the key bits.
Upper bounds on the algebraic degree. Combining Equation 8 and Equation 9, the algebraic degrees of words 0, 1, 2, 3 and 4 after the Sbox and linear layer of round 1 are 1, 0, 0, 0 and 1, respectively. Accordingly, the upper bounds on the algebraic degree (in variables $v_0, \cdots, v_{63}$) for up to 7 rounds can be easily computed by hand and are given in Table 3.
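The degree argument can be checked on a small case. The following is an added example, not code from the paper or its repository: it runs the Ascon-128 initialization reduced to r rounds and computes cube sums over nonces with $v_i = v_{i+64}$. Assumptions: the key constraint of Equation 9, which is not reproduced on this page, is taken to be $k_i \oplus k_{i+64} = rc_i$ on the cube indices (derived from the Sbox ANF of the Ascon specification); the reduced permutation uses the round constants starting from 0xf0; the key words and the cube are constructed sample values.

```python
"""Cube-sum check of the weak-key degree bound on round-reduced Ascon-128.
Added illustration; not the authors' code."""

MASK = (1 << 64) - 1
IV = 0x80400C0600000000  # Ascon-128 initialization vector (Ascon specification)
# Round constants of the 12-round permutation. Assumption: the reduced
# initialization uses the first `rounds` of them, so round 1 adds 0xf0,
# i.e. rc_i = 1 exactly for i in {56, 57, 58, 59} as stated in Step 1.
RC = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5, 0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]
ROT = [(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]  # rotations of p_L


def bit(i):
    """Mask of bit i, counted from the left (bit 0 is the MSB) as in the paper."""
    return 1 << (63 - i)


def ror(x, n):
    """Right cyclic shift of a 64-bit word."""
    return ((x >> n) | (x << (64 - n))) & MASK


def permute(state, rounds):
    """Apply `rounds` rounds p_L o p_S o p_C to a state of five 64-bit words."""
    x0, x1, x2, x3, x4 = state
    for r in range(rounds):
        x2 ^= RC[r]                                    # p_C
        x0 ^= x4; x4 ^= x3; x2 ^= x1                   # p_S, bitsliced
        t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3
        t3 = ~x3 & x4; t4 = ~x4 & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 ^= MASK
        x0, x1, x2, x3, x4 = (w ^ ror(w, a) ^ ror(w, b)    # p_L
                              for w, (a, b) in zip((x0, x1, x2, x3, x4), ROT))
    return [x0, x1, x2, x3, x4]


def weak_key(k0, k1, cube):
    """Adjust k1 so that k_i XOR k_{i+64} = rc_i on every cube index i
    (the assumed form of Equation 9). k0 holds k_0..k_63, k1 holds k_64..k_127."""
    for i in cube:
        if (k0 ^ k1 ^ RC[0]) & bit(i):
            k1 ^= bit(i)
    return k0, k1


def cube_sum(k0, k1, cube, rounds):
    """XOR of the state after `rounds` rounds over all 2^d nonces with
    N0 = N1 on the cube bits (v_i = v_{i+64}); other nonce bits are 0.
    Word 0 of the result is the part exposed by the first ciphertext block."""
    acc = [0] * 5
    for m in range(1 << len(cube)):
        n = 0
        for j, i in enumerate(cube):
            if (m >> j) & 1:
                n |= bit(i)
        out = permute((IV, k0, k1, n, n), rounds)
        acc = [a ^ o for a, o in zip(acc, out)]
    return acc


# Constructed sample key words and cube (d = 13 for r = 5, as in the text).
K0, K1 = 0x0123456789ABCDEF, 0xFEDCBA9876543210
CUBE = list(range(13))

if __name__ == "__main__":
    wk0, wk1 = weak_key(K0, K1, CUBE)
    print("weak key, 5 rounds, word 0: %016x" % cube_sum(wk0, wk1, CUBE, 5)[0])
    # Break the constraint on one cube index: v_0 now survives in word 1.
    print("constraint broken at i = 0: %016x"
          % cube_sum(wk0, wk1 ^ bit(0), CUBE, 5)[0])
    print("round-1 derivative in v_5, words 0..4:",
          ["%016x" % w for w in cube_sum(wk0, wk1, [5], 1)])
```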

Weak Key Distinguishers (Theoretical)
In this section, we give two explicit examples of practical weak key distinguishers based on our degree observations in Table 3. For the sake of brevity, we focus on 7-round Ascon.
Here we present a 46 (resp. 33) dimensional cube. We show that there are $2^{82}$ (resp. $2^{63}$) keys for which the cube sum after 7 rounds is always zero for these cubes.
Example 2. Let $I_2 = \{0, 1, \cdots, 32\}$ and define Then $|WK^7_{I_2}| = 2^{(64-33)\cdot 2} \times 2 = 2^{63}$. Now, for the 33-dimensional cube satisfying $v_i = v_{i+64}$ for $i \in I_2$, the cube sum after 7 rounds is always zero for all $K \in WK^7_{I_2}$. To see why it holds, note that the quadratic term exists only in $X^2_3$ (see row 2 in Table 3). These quadratic terms do not appear in the ANF of X 2 Since the algebraic degree is 1 after 2 rounds, the maximum degree can be $2^5 = 32$ after 7 rounds. Note that $WK^7_{I_2} \subset WK^7_{I_1}$. We follow a similar approach for 5 and 6 rounds. Some examples along with the number of weak keys are depicted in Table 4.
Experimental verification. We have experimentally verified all the weak key distinguishers till 7 rounds. The source codes are available at https://github.com/blacksegal/ascon_weak_key_analysis.
Remark 1. In the above discussion and in Table 4, we have only considered the keys corresponding to one specific indices set. However, there exist multiple indices sets, and consequently, the number of weak keys is the union of keys corresponding to these sets. In Section 5, we define the weak key space for the key recovery attacks.

Weak Key Distinguishers (Experimental)
In this section, we give some distinguishers for 6 rounds based on our experimental observations. We present some small size cubes which give distinguishers with good success probability in the weak key setting. We take different cube indices $I \subset \{0, \cdots, 63\}$ with Experimentally we first calculate the probability p < 1/2 of a superpoly to be nonzero. After the cube sum, we have a vector $a = (a_0, \cdots, a_{63}) \in \mathbb{F}_2^{64}$. For a random source, we have $\Pr(a_i = 1) = \frac{1}{2}$, for 0 ≤ i ≤ 63. On the other hand, in the case of Ascon, we have $\Pr(a_i = 1) < \frac{1}{2}$. So, we give a threshold T and if $x = |\{i \in \{0, \cdots, 63\} \mid a_i = 1\}| < T$, we can assume the source is Ascon; otherwise we assume the source is random. We present this idea in Algorithm 1.
Our distinguisher fails in two ways as follows: Accordingly, the success probability of our distinguisher is given by
Experimental results. We did the experiments for $2^{16}$ random keys with a random cube each time. Since each key gives 64 superpolies, we have $2^{22}$ superpolies in total. We take the average over these values. Some of the distinguishers are listed below.
• |I| = 23: In this case p = 0.22 after 6 rounds. The threshold T = 22 gives the best distinguisher with success probability 0.99.
• |I| = 22: In this case p = 0.42 after 6 rounds. The threshold T = 29 gives the best distinguisher with success probability 0.74.
• |I| = 21: In this case p = 0.48 after 6 rounds. The threshold T = 31 gives the best distinguisher with success probability 0.56.
Next we did the experiments with a fixed cube and tried to identify some cubes for 6 rounds which give better distinguishers than a random cube. The results are shown in Table 5.

The Weak Key Space of Ascon
Finding a weak key set for a cipher is typically a challenging task unless some specific structural properties exist within the cipher. In this section, we show how to construct a weak key space of Ascon based on the algebraic degree. We first explain the idea of weak keys, define them formally and then present the theoretical construction which works for r ≥ 2 rounds of Ascon. Next, we identify some additional structural properties of weak keys which are crucial for key recovery attacks. Finally, we present a combinatorial method to count the number of such weak keys (lower bounds) for r = 5, 6 and 7 rounds.

Defining Weak Key Space
Our main idea is to partition the key space such that for any key in the weak key space, there exists a d-dimensional cube for which all 64 superpolies are zero after r rounds, for some d.
Remark 2. Definition 1 is only about the existence of a cube. Finding such a cube and then using it in a key recovery attack is discussed later in Section 6.

Construction of weak keys set.
Let r ≥ 2 be the number of rounds. We construct $WK^r[d]$ (specific to r-round Ascon only) based on the key constraints given in Equation 9.
where ( ) is given by Note that for different choices of I, the keys might be repeated. Thus, in order to make the counting of weak keys easy to follow, we redefine Equation 14 by introducing a middle condition, as given in Equation 15.
i ∈ I and i = 56, 57, 58, 59 We now give the values of d for 5, 6 and 7 rounds Ascon.
Specifying d for Ascon. We set d = 13, 24 and 46 for r = 5, 6 and 7 rounds, respectively. Definition 1 holds for these choices as there exist d cube variables of the form . For this setting, the algebraic degrees are 12, 23 and 45 after 5, 6 and 7 rounds, respectively (see Table 3).

Structural Properties of Weak Keys
We state four properties (relevant for key recovery attacks) of the weak key space based on its construction and the values of the cube sum.

Weak Keys and Equality among Key Indices
In Property 1, we give the relationship between a weak key and the number of indices where key bits are equal and/or unequal.

$\sum_{C_{v[I]}} Y^r_0[j] = 0$ for all 0 ≤ j ≤ 63, then there exist at least 1 index in I such that 3. If
Remark 3. The last two assertions in Property 1 hold for any K in the $2^{128}$ key space.

Smaller Subset of WK r [d]
We find a subset of $WK^r[d]$ for which there exist $2^{r-2} + 1$ cube variables (instead of d) which can reach an algebraic degree of at most $2^{r-2}$ after r rounds. This subset is formally given in Property 2.
where ( 0 ) and ( 1 ) are given by i ∈ I and i = 56, 57, 58, 59 .
To see why $d = 2^{r-2} + 1$ holds, note that if we set $v_i = v_{i+64}$ for all $i \in I$, then $X^2_3$ becomes linear in cube variables (see Table 3). Thus, the algebraic degree in cube variables is at most 1 after 2 rounds and at most $2^{r-2}$ after 2 + r rounds.

Hamming Weight of a Weak Key
For any $K \in WK^r[d]$, we identify some relations on the Hamming weight of K by simply observing the cube sum. More precisely, we give bounds on the Hamming weight of a weak key. The bounds are given in Property 3 where the core observation is based on the definition of $sWK^r[2^{r-2}]$ in Property 2.

Relationship between $WK^r[d]$ and $WK^r[d + 1]$
From the construction of weak keys, it is trivial to see that a key which is weak under
Weak key sets for Ascon. We use Property 4 and define the weak key set $WK^r$ for r-round Ascon as Similarly, we have $sWK^r \subset WK^r$ which can be constructed based on Property 2.

Dimension of Weak Keys
In this section, we present a combinatorial method to count the number of weak keys, i.e. $|WK^r|$ and $|sWK^r|$ for a given r.
• Case 2: I contains at least one index from {56, 57, 58, 59}. The d − 1 indices in I satisfy $k_i = k_{i+64}$ while the remaining 60 − d + 1 indices satisfy $k_i = 1 + k_{i+64}$. The number of keys is $\binom{60}{d-1} \cdot 2^{d-1} \cdot 2^{60-d+1} \cdot \alpha_1$, for some constant $\alpha_1$ (its actual value and reasoning provided later on).
Adding the keys in cases (1) − (5) (since their intersection is empty), we have

Size of $sWK^r$
We first find the number of keys that satisfy Equation 18. In particular for a given d , we find the size of $sWK^r$[d ]. Let $I = \{i_0, \cdots, i_{d-1}\}$ be a set of d indices selected out of {0, · · · , 63}. We count the keys for all choices of I and without repetition. Again, we have 5 cases.
Adding the keys in cases (1) − (5) (since their intersection is empty), the number of keys that satisfy Equation 18 for a fixed d is

Lower Bounds and Experimental Verification
Using Equation 22 and Equation 25, we compute the lower bounds on the sizes of $WK^r$ and $sWK^r$. In Table 6, we list these numbers for 5 to 7 rounds.

Key Recovery Attacks in the Weak Key Setting
In this section, we present key recovery attacks on 7-round Ascon in the weak key setting. We give two attacks: (1) an attack with data complexity $2^{64}$ and (2) an improved key recovery attack with data complexity $2^{63}$.

Key Recovery Attack with $2^{64}$ Data
Let $K \in WK^7$ as defined in Equation 20. Since $|WK^7| \approx 2^{116.34}$ (see Table 6), the goal is to recover K with complexities (memory and time) strictly less than $2^{116.34}$ Ascon queries. We recover K in two phases, namely (1) Data collection phase and (2) Key recovery phase.
We now explain each phase in detail and discuss the respective attack complexities.

Data Collection Phase
In this phase, we query the Ascon oracle for $2^{64}$ distinct nonces, empty associated data and 1-block of message. The nonces are chosen as discussed in Section 4.1 and for simplicity, we assume that the message block equals $0^{64}$ (64 bit zero string) in each of the queries. The ciphertext block is then stored in a hash table T, indexed by the 64-bit value of the nonce. The entire phase is illustrated in Algorithm 2.

Key Recovery Phase
In this phase, we recover the secret key K. Since $K \in WK^7$, by Definition 1, there exists a 46-dimensional cube which gives the XOR sum of ciphertexts as $0^{64}$ after 7 rounds. Further, the keys corresponding to these 46-dimensional cubes should satisfy Equation 15. In our attack, we only need to identify a single set of cube variables (by checking all $\binom{64}{46}$ cubes) and its respective keys by doing local operations on table T. Next, the obtained set of keys is filtered by doing an exhaustive search. An algorithmic description of this phase is provided in Algorithm 3.
Complexity evaluation. The worst case complexities of this phase are $\binom{64}{46} \cdot 2^{46} \approx 2^{96.67}$ memory accesses to T and the same number of 64-bit XOR operations in order to recover a 46-dimensional cube (Lines 3-11 in Algorithm 3). Once such a set I is recovered, then the number of keys corresponding to it satisfying Equation 15 are given as follows.
These keys are then filtered exhaustively to obtain a set of possible key candidates K (Lines 11-20 in Algorithm 3). The time complexity of this step is $2^{68}$ (assuming the worst case) offline Ascon evaluations. Since we are doing a match on 64 bits in Line 14, the size of K is $2^{68-64} = 2^{4}$ on average. Finally, we do an exhaustive search on K (Line 21 in Algorithm 3) to recover K.
Combining the complexities of data collection and key recovery phases, the attack complexities are $2^{64}$ data, $2^{70}$ memory (in bits), and $2^{97}$ time (Ascon evaluations).

Discussion on the units of Time Complexity
The overall time complexity should be in terms of number of Ascon queries (online + offline). Since we use memory accesses to table T and 64-bit XOR operations, we define the following scale factors.

Discussion on the Recovered Indices Set
We argue that the indices set I recovered in the data collection phase is correct with very high probability. Let's assume that it is incorrect. In that case, there exists at least one i ∈ I for which the key conditions in Equation 15 do not hold. For simplicity, we further assume that there is only one such i. This implies that the cube variable $v_i$ is present in $Y^0_1[i]$, and consequently, in $X^1_1[i]$, $X^1_1[i + 3]$ and $X^1_1[i + 25]$. Thus, for an incorrect I, the degree increases quickly compared to the correct one. The differences in the degree upper bounds are shown in Table 7. We see that the degree bounds are 45 and 59 for the right and wrong I, respectively, after 7 rounds. Since the dimension of the cube is 46, the probability that the wrong I gives the cube sum as zero in all the 64 output bits is $2^{-64}$.
Now, for a randomly chosen $K \in WK^7$, we find the expected number of cubes for which all 64 superpolies are zero after 7 rounds. We have $N = \binom{64}{46}$ cubes in total. If a cube C is such that all 64 superpolies are zero after 7 rounds, we say that C satisfies property P. Now in the weak key setting, there is at least one cube with P. Let us assume that any other cube apart from this cube satisfies P with probability $2^{-64}$. We want to find the number of cubes X which satisfy P. Define a binary random variable $X_i$ which takes 1 if and only if the i-th cube satisfies P. It is clear that $E(X_i) = 2^{-64}$. Thus

Key Recovery Attack with $2^{63}$ Data
Let $K \in WK^7$ as defined in Equation 20. We show how to recover K with $2^{63}$ data and time < $2^{116.34}$. The attack is again divided into a data collection phase and a key recovery phase, which are described as follows.

Data Collection Phase
We set the cube variables as $v_0, \cdots, v_{58}, v_{60}, \cdots, v_{63}$ and $v_{59} = 0$. We then query the Ascon oracle for $2^{63}$ distinct nonces, empty associated data and a zero message block similar to Subsubsection 6.1.2. The ciphertext block is then stored in a hash table $T_1$, indexed by the 64-bit value of the nonce.
Complexity evaluation. The time and memory complexities of this phase are $2^{63}$ Ascon queries and $2^{63} \cdot 64 = 2^{69}$ bits of memory, respectively.

Key Recovery Phase
We divide this phase into 5 steps. These steps are sequential, i.e., we only move to the next step if specific conditions (mentioned later) are not met. We denote the time complexity of step i by $T_i$. Further, let L = {56, 57, 58, 59} and J = {0, · · · , 63} \ L.
Step 1: Early filtering with 46 dimension cubes. We apply Algorithm 3 to J using table $T_1$. If we find a 46-dimensional cube whose cube sum is zero, then we are done. Else if none of the $\binom{60}{46}$ cube sums are zero, then we proceed to the next step. The time complexity $T_1 = \binom{60}{46} \cdot 2^{46}$ (memory access) $+ \binom{60}{46} \cdot 2^{46}$ (64-bit XORs). Since none of the cube sums equals zero, by Property 1, there exist at least 15 and at most 18 indices in J where $k_i \neq k_{i+64}$. We consider the case for 15, 16, 17 and 18 (not equal) indices in step 2, 3, 4 and 5, respectively.
Step 2: 15 not equal indices. This means there are 45 indices in J where $k_i = k_{i+64}$ and 15 indices where $k_i \neq k_{i+64}$. Now, to satisfy the definition of $WK^7[46]$, there must exist at least one index in L satisfying Equation 15. We select 46-dimensional cubes by choosing 45 variables from J and 1 variable from {56, 57, 58}, and then apply Algorithm 3. If none of the cube sums is zero, then $k_{56} = k_{120}$, $k_{57} = k_{121}$, $k_{58} = k_{122}$ and $k_{59} = 1 + k_{123}$. The number of key candidates is $\binom{60}{45} \cdot 2^{60} \cdot 2^{4}$. The time complexity of this step is given by
Step 5: 18 not equal indices. Since $v_{59}$ is not a cube variable, we do an exhaustive search on $\binom{60}{42} \cdot 2^{60} \cdot 2^{4}$ keys. Thus, $T_5 = \binom{60}{42} \cdot 2^{60} \cdot 2^{4}$.
Complexity evaluation. Combining steps (1) to (5), the time complexity is given as follows. In summary, the attack requires $2^{63}$ data, $2^{69}$ memory (in bits) and $2^{115.2}$ offline Ascon evaluations in the worst case.

Discussion on Key Recovery Attacks
Here we compare the complexities of the two key recovery attacks discussed in Subsection 6.1 and Subsection 6.2 with that of exhaustive search in the weak key setting. We also briefly give some insights on the possibility of extension of these attacks.
Comparison with exhaustive search. Since the number of weak keys is $2^{116.34}$, the exhaustive search requires $2^{116.34}$ time complexity. For our first attack with $2^{64}$ data, the time complexity is $2^{97}$, and thus, there is an improvement of more than 19 bits over a key space of size $2^{116.34}$.
For our second attack with $2^{63}$ data, the time complexity is $2^{115.2}$. Although the time complexity is marginally better (around 1 bit) than the exhaustive search, the presented attack is the first key recovery attack on 7-round Ascon with at most $2^{63}$ data.
We also note that all these complexities are computed in the worst case, i.e., when we go over all steps of the attack in the key recovery phase.
Extending weak key attacks. It is natural to ask whether it is possible to extend our weak key attacks to attacks covering the full key space. Moreover, is it possible to improve the time complexities of existing cube-based attacks [LDW17, RHSS21] on 7 rounds Ascon using the weak key distinguishers? At the moment, Property 1 and Property 3 can certainly reduce the 128-bit key space, but our initial findings suggest that the reduction factor is very low (not even 1 bit). An initial approach in this direction could be to use all smaller sub-cubes of a larger cube to find multiple relations among the key bits. For instance, consider the 6-round Ascon. A 33-dimensional cube gives only 1 relation in key bits if we use the approach of [LDW17]. However, by using Property 1 and Property 3, we could use smaller sub-cubes of dimension 24 and obtain multiple relations among the key bits.
The above mentioned questions certainly need further investigation and therefore, we mention them as an interesting research problem in Section 7.

Conclusion
In this work, we have presented the first in-depth weak key security analysis of round-reduced Ascon. We identified two practical distinguishers for 7 rounds with data complexities $2^{46}$ and $2^{33}$, and further improved the state-of-the-art distinguishers complexities by a factor of $2^{8}$, $2^{16}$ and $2^{27}$ for 5, 6 and 7 rounds, respectively. Moreover, we have shown the existence and construction of a large class of weak keys by simply using algebraic degree arguments. The lower bounds on the number of weak keys are $2^{127.99}$, $2^{127.97}$ and $2^{116.34}$ for 5, 6 and 7 rounds, respectively. We then discussed two key recovery attacks on 7 rounds in the weak key setting with complexities: (1) $2^{64}$ data, $2^{70}$ bits of memory and $2^{97}$ time, and (2) $2^{63}$ data, $2^{69}$ bits of memory and $2^{115.2}$ time. Our second attack is the best till now considering the data limit of less than $2^{64}$ blocks.
Although all our results are in the weak key setting, we believe they will provide new insights to the community in further understanding the security of Ascon. We now list some problems which are worth investigating.
Problem 1. How to extend our weak key attacks to attacks covering the full key space? Is it possible to improve the time complexities of existing cube-based attacks [LDW17,RHSS21] on 7 rounds Ascon using the weak key distinguishers?
Problem 2. We believe that the number of weak keys could be increased by relaxing the success probability of a distinguisher from 1 to some α satisfying 0.5 < α < 1. This needs further investigation and a starting point could be the presented experimental distinguishers in Section 4.3.
Problem 3. Is there a weak key distinguisher for 8 rounds Ascon?