TY - JOUR
AU - Rohit, Raghvendra
AU - Sarkar, Santanu
PY - 2021/12/03
Y2 - 2023/03/20
TI - Diving Deep into the Weak Keys of Round Reduced Ascon
JF - IACR Transactions on Symmetric Cryptology
JA - ToSC
VL - 2021
IS - 4
SE - Articles
DO - 10.46586/tosc.v2021.i4.74-99
UR - https://tosc.iacr.org/index.php/ToSC/article/view/9329
SP - 74-99
AB - <p>At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designerâ€™s security claims of nonce-respecting setting and data limit of 2<sup>64</sup> blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) 2<sup>60</sup> data while the data complexity of key recovery attacks exactly equals 2<sup>64</sup>. Whether there are any practical distinguishers and key recovery attacks (with data less than 2<sup>64</sup>) on 7 rounds Ascon is still an open problem.<br>In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities 2<sup>46</sup> and 2<sup>33</sup> which work for 2<sup>82</sup> and 2<sup>63</sup> keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of 2<sup>8</sup>, 2<sup>16</sup> and 2<sup>27</sup>, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify 2<sup>127.99</sup>, 2<sup>127.97</sup> and 2<sup>116.34</sup> weak keys (out of 2<sup>128</sup>) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with 2<sup>63</sup> data, 2<sup>69</sup> bits of memory and 2<sup>115.2</sup> time. Our attacks are far from threatening the security of full 12 rounds Ascon, but we expect that they provide new insights into Asconâ€™s security.</p>
ER -