
Preimage attacks on reduced-round Ascon-Xof

Published in Designs, Codes and Cryptography

Abstract

Ascon, a family of algorithms that supports authenticated encryption and hashing, has been selected as the new standard for lightweight cryptography in the NIST Lightweight Cryptography Project. Ascon’s permutation and authenticated encryption have been actively analyzed, but there are relatively few analyses of the hashing. In this paper, we concentrate on preimage attacks on Ascon-Xof. We focus on linearizing the polynomials leaked by the hash value in order to find its inverse. In an attack on 2-round Ascon-Xof, we carefully construct the set of guess bits using a greedy algorithm in the context of guess-and-determine. This allows us to attack Ascon-Xof more efficiently than the method in Dobraunig et al., and we fully implement our attack to demonstrate its effectiveness. We also provide the number of guess bits required to linearize one output bit after the 3- and 4-round Ascon permutation, respectively. In particular, for the first time, we connect the result for 3-round Ascon to a preimage attack on Ascon-Xof with a 64-bit output. Our attacks primarily target weakened versions of Ascon-Xof, where the weakening consists of setting all IV values to 0 and omitting the round constants. Although our attacks do not compromise the security of the full Ascon-Xof, they provide new insights into its security.
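As an added illustration, not code from the paper, the script below computes the algebraic normal form (ANF) of Ascon's 5-bit S-box (the bitsliced definition from the Ascon specification) and, for each output bit, the smallest set of input bits that must be guessed so that the output becomes affine in the remaining inputs for every guess. This is the single-S-box version of the guess-and-determine linearization the abstract describes; the function and variable names are the example's own.

```python
from itertools import combinations, product
# Added example, not the paper's code: Ascon S-box ANF and minimal guess sets for linearization.

def ascon_sbox(x):
    """Bitsliced Ascon S-box on a 5-bit value; x0 is the MSB, as in the Ascon spec."""
    x0, x1, x2, x3, x4 = [(x >> (4 - i)) & 1 for i in range(5)]
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0, t1, t2 = (x0 ^ 1) & x1, (x1 ^ 1) & x2, (x2 ^ 1) & x3
    t3, t4 = (x3 ^ 1) & x4, (x4 ^ 1) & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 ^= 1
    return (x0 << 4) | (x1 << 3) | (x2 << 2) | (x3 << 1) | x4

def anf(truth):
    """Moebius transform: truth table (index = variable bits) -> ANF coefficient per monomial."""
    a = list(truth)
    n = len(a).bit_length() - 1
    for i in range(n):
        for u in range(len(a)):
            if u & (1 << i):
                a[u] ^= a[u ^ (1 << i)]
    return a

def degree(coeffs):
    """Algebraic degree: largest number of variables in any monomial with coefficient 1."""
    return max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)

def restricted_degree(bit, guessed, values):
    """Degree of output bit y_bit in the unguessed inputs after fixing `guessed` to `values`."""
    free = [v for v in range(5) if v not in guessed]
    truth = []
    for assignment in range(1 << len(free)):
        x = sum(val << (4 - v) for v, val in zip(guessed, values))
        x |= sum(((assignment >> i) & 1) << (4 - v) for i, v in enumerate(free))
        truth.append((ascon_sbox(x) >> (4 - bit)) & 1)
    return degree(anf(truth))

def anf_monomials(bit):
    """ANF of output bit y_bit as a set of monomials, each a tuple of input-variable indices."""
    coeffs = anf([(ascon_sbox(u) >> (4 - bit)) & 1 for u in range(32)])
    return {tuple(sorted(4 - p for p in range(5) if m >> p & 1)) for m, c in enumerate(coeffs) if c}

def min_guess_set(bit):
    """Smallest input set whose guessed values leave y_bit affine in the other inputs, for every guess."""
    for k in range(6):
        for guessed in combinations(range(5), k):
            if all(restricted_degree(bit, guessed, vals) <= 1 for vals in product((0, 1), repeat=k)):
                return guessed
```

Every output bit has degree 2, but the guess cost differs: y1 needs two guessed bits because its three quadratic monomials form a triangle, while the other four outputs become affine after guessing a single bit.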



Notes

  1. Recently, [23] independently developed a preimage attack on 2-round Ascon-Xof.

  2. In the proposal paper of Ascon [11], the bit index for each word starts from the right.

References

  1. Bar-On A., Dunkelman O., Keller N., Weizman A.: DLCT: a new tool for differential-linear cryptanalysis. In: EUROCRYPT 2019. pp. 313–342. Springer (2019). https://doi.org/10.1007/978-3-030-17653-2_11.

  2. Bernstein D.J.: Second preimages for 6 (7 (8??)) rounds of Keccak? Posted on the NIST mailing list (2010). https://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt.

  3. Bertoni G., Daemen J., Peeters M., Assche G.V.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: SAC 2011. pp. 320–337. Springer (2011). https://doi.org/10.1007/978-3-642-28496-0_19.

  4. Bertoni G., Daemen J., Peeters M., Van Assche G.: Sponge functions. In: ECRYPT hash workshop. Citeseer (2007). https://csrc.nist.rip/groups/ST/hash/documents/JoanDaemen.pdf.

  5. Civek A.B., Tezcan C.: Differential-linear attacks on permutation ciphers revisited: Experiments on Ascon and DryGASCON. In: ICISSP 2022. pp. 202–209. SCITEPRESS (2022). https://doi.org/10.5220/0010982600003120.

  6. Dobraunig C., Eichlseder M., Mangard S., Mendel F., Mennink B., Primas R., Unterluggauer T.: ISAP. Submission as a Finalist to the NIST Lightweight Crypto Standardization Process (2021). https://csrc.nist.gov/Projects/lightweight-cryptography/finalists.

  7. Dobraunig C., Eichlseder M., Mendel F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: ASIACRYPT 2015. pp. 490–509. Springer (2015). https://doi.org/10.1007/978-3-662-48800-3_20.

  8. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Cryptanalysis of Ascon. In: CT-RSA 2015. pp. 371–387. Springer (2015). https://doi.org/10.1007/978-3-319-16715-2_20.

  9. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016). https://competitions.cr.yp.to/round3/asconv12.pdf.

  10. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Preliminary analysis of Ascon-Xof and Ascon-Hash. Technical report (2019). https://ascon.iaik.tugraz.at/files/Preliminary_Analysis_of_Ascon-Xof_and_Ascon-Hash_v01.pdf.

  11. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1.2: lightweight authenticated encryption and hashing. J. Cryptol. 34(3), 33 (2021). https://doi.org/10.1007/s00145-021-09398-9.

  12. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1.2 submission to NIST. LWC Final round submission (2021). https://csrc.nist.gov/Projects/lightweight-cryptography/finalists.

  13. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon resources. https://ascon.iaik.tugraz.at/resources.html. Accessed Oct 2022.

  14. Dwivedi A.D., Klouček M., Morawiecki P., Nikolic I., Pieprzyk J., Wöjtowicz S.: SAT-based cryptanalysis of authenticated ciphers from the CAESAR competition. ICETE 2017, 237–246 (2017). https://doi.org/10.5220/0006387302370246.

  15. Dworkin M.: SHA-3 standard: Permutation-based hash and extendable-output functions (2015). https://doi.org/10.6028/NIST.FIPS.202.

  16. Dworkin M., Feldman L., Witte G.: Additional secure hash algorithm standards offer new opportunities for data protection (2015). https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919417.

  17. Erlacher J., Mendel F., Eichlseder M.: Bounds for the security of Ascon against differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2022(1), 64–87 (2022). https://doi.org/10.46586/tosc.v2022.i1.64-87.

  18. Gerault D., Peyrin T., Tan Q.Q.: Exploring differential-based distinguishers and forgeries for Ascon. IACR Trans. Symmetric Cryptol. 2021(3), 102–136 (2021). https://doi.org/10.46586/tosc.v2021.i3.102-136.

  19. Göloğlu F., Rijmen V., Wang Q.: On the division property of S-boxes. Cryptology ePrint Archive (2016). http://eprint.iacr.org/2016/188.

  20. Jovanovic P., Luykx A., Mennink B.: Beyond 2^{c/2} security in sponge-based authenticated encryption modes. In: ASIACRYPT 2014. pp. 85–104. Springer (2014). https://doi.org/10.1007/978-3-662-45611-8_5.

  21. Kelsey J., Chang S., Perlner R.: SHA-3 derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash. NIST Special Publication 800-185 (2016). https://www.nist.gov/publications/sha-3-derived-functions-cshake-kmac-tuplehash-and-parallelhash.

  22. Leander G., Tezcan C., Wiemer F.: Searching for subspace trails and truncated differentials. IACR Trans. Symmetric Cryptol. 2018(1), 74–100 (2018). https://doi.org/10.13154/tosc.v2018.i1.74-100.

  23. Li H., He L., Chen S., Guo J., Qiu W.: Automatic preimage attack framework on Ascon using a linearize-and-guess approach. IACR Trans. Symmetric Cryptol. 2023(3), 74–100 (2023).

  24. Li Y., Zhang G., Wang W., Wang M.: Cryptanalysis of round-reduced Ascon. Sci. China Inf. Sci. 60(3), 1–2 (2017). https://doi.org/10.1007/s11432-016-0283-3.

  25. Li Z., Dong X., Wang X.: Conditional cube attack on round-reduced Ascon. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017). https://doi.org/10.13154/tosc.v2017.i1.175-202.

  26. Liu M., Lu X., Lin D.: Differential-linear cryptanalysis from an algebraic perspective. In: CRYPTO 2021. pp. 247–277. Springer (2021). https://doi.org/10.1007/978-3-030-84252-9_9.

  27. Makarim R.H., Rohit R.: Towards tight differential bounds of Ascon: a hybrid usage of SMT and MILP. IACR Trans. Symmetric Cryptol. 2022(3), 303–340 (2022). https://doi.org/10.46586/tosc.v2022.i3.303-340.

  28. NIST: Submission requirements and evaluation criteria for the lightweight cryptography standardization process (2018). https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/final-lwc-submission-requirements-august2018.pdf.

  29. Qin L., Hua J., Dong X., Yan H., Wang X.: Meet-in-the-middle preimage attacks on sponge-based hashing. In: EUROCRYPT 2023. Lecture Notes in Computer Science, vol. 14007, pp. 158–188. Springer (2023). https://doi.org/10.1007/978-3-031-30634-1_6.

  30. Qin L., Zhao B., Hua J., Dong X., Wang X.: Weak-diffusion structure: Meet-in-the-middle attacks on sponge-based hashing revisited. IACR Cryptol. ePrint Arch. p. 518 (2023). https://eprint.iacr.org/2023/518.

  31. Rohit R., Hu K., Sarkar S., Sun S.: Misuse-free key-recovery and distinguishing attacks on 7-round Ascon. IACR Trans. Symmetric Cryptol. 2021(1), 130–155 (2021). https://doi.org/10.46586/tosc.v2021.i1.130-155.

  32. Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: ASIACRYPT 2014. Lecture Notes in Computer Science, vol. 8873, pp. 158–178. Springer (2014). https://doi.org/10.1007/978-3-662-45611-8_9.

  33. Todo Y.: Structural evaluation by generalized integral property. In: EUROCRYPT 2015. pp. 287–314. Springer (2015). https://doi.org/10.1007/978-3-662-46800-5_12.

  34. Weatherley R.: Additional modes for LWC finalists, technical report, version 1.0 (2021). https://rweather.github.io/lwc-finalists/lwc-modes-v1-0.pdf.

  35. Wiethuechter A., Card S.W., Moskowitz R.: DRIP Entity Tag Authentication Formats & Protocols for Broadcast Remote ID. Internet-Draft draft-ietf-drip-auth-29, Internet Engineering Task Force (Feb 2023). https://datatracker.ietf.org/doc/draft-ietf-drip-auth/29/. Work in progress.

  36. Yan H., Lai X., Wang L., Yu Y., Xing Y.: New zero-sum distinguishers on full 24-round Keccak-f using the division property. IET Inf. Secur. 13(5), 469–478 (2019). https://doi.org/10.1049/iet-ifs.2018.5263.

  37. Zong R., Dong X., Wang X.: Collision attacks on round-reduced Gimli-Hash/Ascon-Xof/Ascon-Hash. IACR Cryptol. ePrint Arch. p. 1115 (2019). https://eprint.iacr.org/2019/1115.

Acknowledgements

This work was supported as part of the Military Crypto Research Center (UD210027XD) funded by the Defense Acquisition Program Administration (DAPA) and the Agency for Defense Development (ADD).


Corresponding author

Correspondence to Jongsung Kim.

Additional information

Communicated by M. Eichlseder.


Cite this article

Baek, S., Kim, G. & Kim, J. Preimage attacks on reduced-round Ascon-Xof. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-024-01383-0


DOI: https://doi.org/10.1007/s10623-024-01383-0
