Figure 1 - uploaded by Cihangir Tezcan
The encryption of ASCON. Figure is taken from the cipher's official website http://ascon.iaik.tugraz.at/  

Context in source publication

Context 1
... scheme uses two permutations $p^a$ and $p^b$, which apply the round transformation $p$ iteratively $a$ and $b$ times. These steps are illustrated in Figure 1. ...

Similar publications

Article
Full-text available
The mystery of Mount Sibilla, in Italy, is an ancient and still unexplained enigma. The mountain raises its peak between Umbria and the Marche. For centuries, the cave on the summit has been visited by men from every part of Europe in search of the legendary underground realm of the Sibyl of the Apennines. A quest that ...
Article
Full-text available
This paper presents necessary and sufficient conditions for generalized Hukuhara differentiability of interval‐valued functions and counterexamples of some equivalences previously presented in the literature, for which important results are based on. Moreover, applications of interval generalized Hukuhara differentiability are presented.

Citations

... In this relation $T_{0|1,r}$ represents the first and second parts of the tag, $k_r$ denotes the key bits, and $l$ ... As the inverse diffusion matrices $L_3^{-1}$ and $L_4^{-1}$ contain, respectively, 33 and 35 nonzero elements [13], computing $s_3$ and $s_4$ using (3) and (4) would require making assumptions on 33 + 35 = 68 bits of the key. To reduce the key search hypothesis, ref. [11] proposed a double-fault methodology and a key dividing strategy. ...
... By varying the nonce for each encryption, all key bits can be retrieved. Equation (13) requires finding $k_0$ before $k_1$. ...
Article
Full-text available
With the outstanding growth of Internet of Things (IoT) devices, security and power efficiency of integrated circuits can no longer be overlooked. Current approved standards for cryptographic algorithms are not suitable for constrained environments. In this context, the National Institute of Standards and Technology (NIST) started a lightweight cryptography (LWC) competition to develop new algorithm standards that can fit into small devices. In 2023, NIST decided to standardize the Ascon family for LWC. This algorithm has been designed to be more resilient to side-channel and fault-based analysis. Nonetheless, hardware implementations of Ascon have been broken by multiple statistical fault analyses and power analyses. These attacks have underlined the necessity to develop adapted countermeasures to side-channel and perturbation-based attacks. However, existing countermeasures are power and area consuming. In this article, we propose a new countermeasure for the Ascon cipher that does not significantly increase the area and power consumption. Our architecture relies on the nonvolatile feature of the Magnetic Tunnel Junction (MTJ), which is the single element of the emerging Magnetic Random Access Memories (MRAM). The proposed circuit removes the bias exploited by statistical attacks. In addition, we have duplicated and complemented the permutation of Ascon to enhance the power analysis robustness of the circuit. Besides the security aspect, our circuit can save the currently manipulated data, ensuring energy savings from 11% to 32.5% in case of power failure. The area overhead, compared to an unprotected circuit, is ×2.43.
... The truncated and impossible differentials are investigated using undisturbed bits in Refs. 9, 10. In Ref. 6, it is shown that subspace trails are included in the truncated differentials. ...
Article
Full-text available
We introduce augmented vector spaces of output differences, new generic and black-box distinguishers for Substitution Permutation Network (SPN) ciphers. Our distinguishers are based on a novel method of constructing a vector of size $n^{(d)}$ bits from a given vector of size $n$ bits, where $n^{(d)} = \sum_{i=1}^{d} \binom{n}{i}$ and $d$ is a positive integer. We list all such $n^{(d)}$-bit vectors into a set called the corresponding $d$-th order augmented set and define its linear span as the corresponding $d$-th order augmented vector space. These sets are related to Reed-Muller codes and we prove that the rank of the linear span of the $d$-th order augmented set is $n^{(d)}$ using Reed-Muller codes. We then experimentally estimate the number of $n$-bit vectors required to span augmented vector spaces of output differences. Following these results, we give a generic and efficient algorithm to compute the $d$-th order augmented vector space (of difference sets) for substitution permutation network ciphers. We apply our algorithm to the lightweight ciphers GIFT, PRESENT and SKINNY and provide an in-depth comparison of round-reduced ciphers' distinguishers with random sets. Most notably, our new distinguishers for these ciphers cover more rounds than the subspace trails.
... Subsequently, Dobraunig et al. [6] further introduced a heuristic search tool and found linear characteristics for up to five rounds. In [7], the undisturbed bits of Ascon's S-box were provided, and based on them, the four- and five-round truncated, impossible, and improbable differential distinguishers were proposed. In 2021, Rohit et al. [8] provided several new cube distinguishers for Ascon in the AEAD setting using the division property. ...
... The cryptographic properties of Ascon's S-box were analyzed in [7], and it was observed that it has 91 linear structures, 35 of which correspond to the S-box's coordinate functions, that is, the undisturbed bits. Table 3 displays the undisturbed bits of Ascon's S-box, which are the key to construct truncated differentials in this paper. ...
... When constructing differentials in the forward direction, we consider the influence of the linear layer, which has been introduced in Section 2.1 and in essence is three XORs. When constructing differentials in the backward direction, we consider the influence of the inverse of the linear layer, which is provided in [7]. The inverse of the linear layer consists of XORs of right rotations of 64-bit words, and the number of XORs of right rotations corresponding to $\Sigma_0^{-1}$, $\Sigma_1^{-1}$, $\Sigma_2^{-1}$, $\Sigma_3^{-1}$, and $\Sigma_4^{-1}$ is 31, 33, 33, 33, and 35, respectively. ...
Article
Full-text available
As the winner of the NIST lightweight cryptography project, Ascon has undergone extensive self-evaluation and third-party cryptanalysis. In this paper, we use constraint programming (CP) as a tool to analyze the Ascon permutation and propose several differential-based distinguishers. We first propose a search methodology for finding truncated differentials for Ascon with CP, the core of which is modeling with the undisturbed bits of the S-box. By using this method, we find the five- and six-round truncated differentials with a probability of 2⁻⁴⁴ and 2⁻¹⁶², respectively. Considering the application of permutation in the context, we also provide the five- and six-round truncated differential distinguishers under the weak-key setting. Then, inspired by our five-round truncated differentials, we propose a six-round boomerang characteristic, and based on this, we obtain the five- and six-round sandwich distinguishers with a complexity of 2⁷⁰ and 2¹³⁴, respectively. Using the CP tool again and specifying that the “3-3” differential pattern is satisfied in the middle rounds, we propose a six-round differential characteristic with a probability of 2⁻²⁸⁰, which increases the probability by 2²⁵ compared to the best known six-round differential characteristic.
... There are two approaches to the cryptanalysis of Ascon: specific and generic cryptanalysis [1]. Specific analysis focuses on the internal design of Ascon, and it includes linear and differential analysis [2] [3], state recovery attacks, key recovery attacks [4] [1], and cube-like attacks [5] [6] [7]. In contrast, generic analysis applies to Ascon and other primitives with the same sponge-based construction, regardless of the specific implementation details [8]. ...
... Shortly after the proposal of ASCON, some analysis results followed. In [9], the author proposed the differential analysis result for ASCON. [10] proposed a cube attack on round-reduced ASCON. ...
... Observing Table 8, when ∈ {0, 8,9,13,18,27,28,31,36,37,46,54,55 Next, we discuss how to use the message modification technique to ensure these 8 conditions hold. ...
... For clarity, here we regard all the 8 values of 0 as the bits before state 0 absorbing message −1 . Since 1 = 0 and 0 is known, the modification step of −1 is shown in Equation (9). Notice that 0 = 1 only when = 13, otherwise 0 = 0. ...
Article
Full-text available
Lightweight cryptography algorithms are a class of ciphers designed to protect data generated and transmitted by the Internet of Things. They typically have low requirements in terms of storage space and power consumption, and are well-suited for resource-limited application scenarios such as embedded systems, actuators, and sensors. The NIST-approved competition for lightweight cryptography aims to identify lightweight cryptographic algorithms that can serve as standards. Its objective is to enhance data security in various scenarios. Among the chosen standards for lightweight cryptography, ASCON has been selected. ASCON-HASH is a hash function within the ASCON family. This paper presents a detailed analysis of the differential characteristics of ASCON-HASH, utilizing the quadratic S-box. Additionally, we employ message modification techniques and ultimately demonstrate a non-practical collision attack on the 2-round ASCON-HASH, requiring a time complexity of 2⁹⁸ hash function calls.
... Reference [10] proposes a heuristic search tool and uses this tool in the permutations of ASCON. Reference [11] provides the inverse function of the Ascon linear layer in terms of rotation, which can be used to construct impossible differentials. It shows that the ASCON S-box contains 35 undisturbed bits, which are used to construct 4-round and 5-round truncated, impossible, and impossible difference partitions. ...
Article
Full-text available
In this paper, we discuss the quantum circuit implementations of the lightweight authenticated encryption algorithm ASCON by using the NOT gates, CNOT gates, Toffoli gates, measurements, and the dynamic quantum circuits. Firstly, the quantum circuit of addition of constants is realized by adding the NOT gates according to the position of 1 in round constants. Secondly, the quantum circuit of S-box of the permutation is synthesized according to the classical circuit diagram of S-box. Then the linear layer functions are expressed in matrix form, and their quantum circuits are synthesized according to Gaussian elimination. Finally, we synthesize the whole quantum circuits according to the general diagrams of the authenticated encryption algorithm ASCON. The correctness of the quantum circuits of the S-box and the linear layer was verified by the Aer simulator of the IBM Quantum platform. As far as we know, this is the first implementation of the quantum circuits for the Authenticated Encryption with Associated Data (AEAD) of ASCON in-place. The maximum quantum resources for the three ASCON authenticated encryption algorithms were estimated. The quantum circuit of ASCON-128 uses a total of 320 qubits, 30,639 NOT gates, 128,814 CNOT gates, 8064 Toffoli gates, 10,752 measurements, and 5376 dynamic quantum circuits. The quantum circuit of ASCON-128a uses a total of 320 qubits, 23,558 NOT gates, 98,144 CNOT gates, 6144 Toffoli gates, 8192 measurements, and 4096 dynamic quantum circuits. The quantum circuit of ASCON-80pq uses a total of 320 qubits, 30,736 NOT gates, 128,814 CNOT gates, 8064 Toffoli gates, 10,752 measurements, and 5376 dynamic quantum circuits.
... Various cryptanalytic attacks have been published on these ciphers, some of which are discussed in the succeeding bullets. differential attacks [9]. Yanbin L. et al. used cube-like techniques to perform key-recovery attacks on the reduced-round version of ASCON. ...
Conference Paper
From the start of the 21st century, resource-constrained devices like smart cards, RFID tags and SCADA systems have been utilized commonly in security-critical systems. This vast adoption raised many security concerns like privacy and integrity of the data for stakeholders. Secure cryptographic mechanisms are a vital tool to resolve these issues. The implementation of conventional symmetric and asymmetric ciphers is not feasible because of the limited resources. In March 2017, NIST requested the research community to submit lightweight cryptographic algorithms for future standardization. After submissions, NIST finalized ten algorithms after two rounds of scrutiny. The confusion layer in these ciphers is the essential component that resists maximum security attacks. This study aims to carry out a comparative analysis of the cryptographic properties of the confusion layer of these finalists. The outcome of this research work will assist stakeholders in selecting the right choice for preserving the privacy and integrity of their data in such systems.
... Differential and linear profile of the Ascon S-box. (a) Differential distribution table: DDT[α, β] = |{x : S(x ⊕ α) ⊕ S(x) = β}|. Rows are the input difference α, columns the output difference β, both in hexadecimal; "·" denotes 0.

α\β   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
  0  32  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·
  1   ·  ·  ·  ·  ·  ·  ·  ·  ·  4  ·  4  ·  4  ·  4  ·  ·  ·  ·  ·  ·  ·  ·  4  ·  4  ·  4  ·  4  ·
  2   ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  4  ·  4  ·  4  ·  4  ·  4  ·  4  ·  4  ·  4
  3   ·  4  ·  ·  ·  4  ·  ·  ·  4  ·  ·  ·  4  ·  ·  4  ·  ·  ·  4  ·  ·  ·  4  ·  ·  ·  4  ·  ·  ·
  4   ·  ·  ·  ·  ·  ·  8  ·  ·  ·  ·  ·  ·  ·  8  ·  ·  ·  ·  ·  ·  ·  8  ·  ·  ·  ·  ·  ·  ·  8  ·
  5   ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  4  ·  4  4  ·  4  ·  4  ·  4  ·  ·  4  ·  4
  6   ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2
  7   ·  ·  4  4  ·  ·  4  4  ·  ·  4  4  ·  ·  4  4  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·
  8   ·  ·  ·  ·  ·  ·  4  4  ·  ·  ·  ·  ·  ·  4  4  ·  ·  ·  ·  ·  ·  4  4  ·  ·  ·  ·  ·  ·  4  4
  9   ·  2  ·  2  2  ·  2  ·  2  ·  2  ·  ·  2  ·  2  2  ·  2  ·  ·  2  ·  2  ·  2  ·  2  2  ·  2  ·
  a   ·  2  2  ·  2  ·  ·  2  ·  2  2  ·  2  ·  ·  2  ·  2  2  ·  2  ·  ·  2  ·  2  2  ·  2  ·  ·  2
  b   ·  ·  2  2  ·  ·  2  2  ·  ·  2  2  ·  ·  2  2  ·  ·  2  2  ·  ·  2  2  ·  ·  2  2  ·  ·  2  2
  c   ·  8  ·  ·  ·  ·  ·  ·  8  ·  ·  ·  ·  ·  ·  ·  8  ·  ·  ·  ·  ·  ·  ·  ·  8  ·  ·  ·  ·  ·  ·
  d   ·  2  ·  2  ·  2  ·  2  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  ·  2  ·  2  ·  2  ·  2
  e   ·  4  4  ·  4  ·  ·  4  ·  ·  ·  ·  ·  ·  ·  ·  ·  4  4  ·  4  ·  ·  4  ·  ·  ·  ·  ·  ·  ·  ·
  f   ·  ·  ·  ·  ·  ·  ·  ·  4  4  ·  ·  4  4  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  4  4  ·  ·  4  4  ·  ·
 10   ·  ·  ·  ·  ·  ·  ·  ·  ·  8  ·  8  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  8  ·  8  ·  ·  ·  ·  ·
 11   ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  8  ·  8  ·  8  ·  8  ·  ·  ·  ·  ·  ·  ·  ·
 12   ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·  2  ·
 13   ·  ·  8  ·  8  ·  ·  ·  ·  ·  8  ·  8  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·
 14   ·  ·  ·  ·  4  4  4  4  ·  ·  ·  ·  4  4  4  4  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·
 15   ·  ·  ·  ·  ·  4  ·  4  ·  4  ·  4  ·  ·  ·  ·  ·  4  ·  4  ·  ·  ·  ·  ·  ·  ·  ·  ·  4  ·  4
 16   ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  2  2  2  2  2  2  2  2  2  2  2  2  2  2  2  2
 17   ·  ·  4  ·  4  ·  ·  ·  ·  ·  4  ·  4  ·  ·  ·  ·  ·  4  ·  4  ·  ·  ·  ·  ·  4  ·  4  ·  ·  ·
 18   ·  ·  ·  ·  2  2  2  2  ·  ·  ·  ·  2  2  2  2  ·  ·  ·  ·  2  2  2  2  ·  ·  ·  ·  2  2  2  2
 19   ·  ·  ·  4  ·  ·  4  ·  4  ·  ·  ·  ·  4  ·  ·  4  ·  ·  ·  ·  4  ·  ·  ·  ·  ·  4  ·  ·  4  ·
 1a   ·  2  2  ·  ·  2  2  ·  2  ·  ·  2  2  ·  ·  2  ·  2  2  ·  ·  2  2  ·  2  ·  ·  2  2  ·  ·  2
 1b   ·  ·  2  2  2  2  ·  ·  ·  ·  2  2  2  2  ·  ·  ·  ·  2  2  2  2  ·  ·  ·  ·  2  2  2  2  ·  ·
 1c   ·  4  ·  4  ·  ·  ·  ·  4  ·  4  ·  ·  ·  ·  ·  4  ·  4  ·  ·  ·  ·  ·  ·  4  ·  4  ·  ·  ·  ·
 1d   ·  ·  ·  4  ·  4  ·  ·  4  ·  ·  ·  ·  ·  4  ·  4  ·  ·  ·  ·  ·  4  ·  ·  ·  ·  4  ·  4  ·  ·
 1e   ·  ·  ·  ·  ·  ·  ·  ·  2  2  2  2  2  2  2  2  ·  ·  ·  ·  ·  ·  ·  ·  2  2  2  2  2  2  2  2
 1f   ·  ·  4  4  4  4  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  4  4  4  4  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·

Other published properties include a differential-linear attack on up to 5 rounds of Ascon's initialization with practical complexity [11,34] and truncated differential distinguishers based on undisturbed bits for up to 5 rounds with 2¹⁰⁹ data [89]. Algebraic Properties: Ascon's algebraic degree of 2 for each round is useful for efficient secure implementations, but requires a sufficient number of rounds to prevent algebraic attacks. ...
... • Truncated, impossible, and improbable differential distinguishers for 4 and 5 rounds of Ascon's permutation. Differential distinguishers based on undisturbed bits for up to 5-round reduced variants of Ascon with 2¹⁰⁹ data [89]. • Security of Ascon's S-box with respect to the division property [58]. ...
Article
Full-text available
Authenticated encryption satisfies the basic need for authenticity and confidentiality in our information infrastructure. In this paper, we provide the specification of Ascon-128 and Ascon-128a. Both authenticated encryption algorithms provide efficient authenticated encryption on resource-constrained devices and on high-end CPUs. Furthermore, they have been selected as the "primary choice" for lightweight authenticated encryption in the final portfolio of the CAESAR competition. In addition, we specify the hash function Ascon-Hash and the extendable output function Ascon-Xof. Moreover, we complement the specification by providing a detailed overview of existing cryptanalysis and implementation results.
... Apart from the self-analysis provided by the designers [DEMS16], Ascon has gone through substantial third-party cryptanalysis. First of all, without considering the AEAD context, the security of the underlying permutation of Ascon was evaluated with respect to (impossible) differential cryptanalysis [Tez16], (zero-correlation) linear cryptanalysis [DEM15], differential-linear cryptanalysis [DEMS15, BDKW19], integral (based on division properties) or zero-sum distinguishing attacks [YLW+19, DEMS15, GRW16, Tod15], and subspace trail cryptanalysis [LTW18]. While these works do provide a deeper understanding of the security of the Ascon permutation, generally they do not directly translate into meaningful attacks in the AEAD setting. ...
Article
Full-text available
Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to 7 (out of 12) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of 2⁶⁴ blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named partial polynomial multiplication, for which computations take place between the so-called degree-d homogeneous parts of the involved Boolean functions for a 2d-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about 2¹²³ 7-round Ascon permutations and requires 2⁶⁴ data and 2¹⁰¹ bits of memory. Also, based on division properties, we identify several 60-dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights into the security analysis of Ascon.
... Informally, for truncated differentials, instead of trying to understand the exact behavior of the output difference, one restricts oneself to understanding certain patterns that appear in the differences with an unusually high probability. Truncated differentials were introduced by Knudsen [Knu95] more than 20 years ago and have since been used in the analysis of many symmetric primitives, e.g., [BN14; Gra17; Knu+99; Tez16]. Surprisingly, even the case of truncated differentials with probability one is not fully understood yet, as this work shows. ...
Article
Full-text available
Grassi et al. introduced subspace trail cryptanalysis as a generalization of invariant subspaces and used it to give the first five-round distinguisher for AES. While it is a generic method, up to now it was only applied to AES and PRINCE. One problem for a broad adoption of the attack is a missing generic analysis algorithm. In this work we provide efficient and generic algorithms that allow one to compute the provably best subspace trails for any substitution permutation cipher.