Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon


  • Raghvendra Rohit Univ Rennes, Centre National de la Recherche Scientifique (CNRS), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Rennes, France
  • Kai Hu School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Qingdao, Shandong, China
  • Sumanta Sarkar TCS Innovation Labs, Hyderabad, India
  • Siwei Sun State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China6 University of Chinese Academy of Sciences, Beijing, China




Ascon, Authenticated encryption, Cube attack, Division property, Partial polynomial multiplication


Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to 7 (out of 12) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of 264 blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named as partial polynomial multiplication for which computations take place between the so-called degree-d homogeneous parts of the involved Boolean functions for a 2d-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about 2123 7-round Ascon permutations and requires 264 data and 2101 bits memory. Also, based on division properties, we identify several 60 dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights in the security analysis of Ascon.




How to Cite

Rohit, R., Hu, K., Sarkar, S., & Sun, S. (2021). Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon. IACR Transactions on Symmetric Cryptology, 2021(1), 130–155. https://doi.org/10.46586/tosc.v2021.i1.130-155