Abstract
Ascon, a family of algorithms that supports authenticated encryption and hashing, has been selected as the new standard for lightweight cryptography in the NIST Lightweight Cryptography Project. Ascon's permutation and authenticated encryption have been actively analyzed, but there are relatively few analyses of its hashing modes. In this paper, we concentrate on preimage attacks on Ascon-Xof. We focus on linearizing the polynomials leaked by the hash value in order to invert it. In an attack on 2-round Ascon-Xof, we carefully construct the set of guess bits using a greedy algorithm in the context of guess-and-determine. This allows us to attack Ascon-Xof more efficiently than the method of Dobraunig et al., and we fully implement our attack to demonstrate its effectiveness. We also provide the number of guess bits required to linearize one output bit after 3 and 4 rounds of Ascon's permutation, respectively. In particular, for the first time, we connect the 3-round result to a preimage attack on Ascon-Xof with a 64-bit output. Our attacks primarily target weakened versions of Ascon-Xof, where the weakening consists of setting all IV values to 0 and omitting the round constants. Although our attacks do not compromise the security of the full Ascon-Xof, they provide new insights into its security.
References
Bar-On A., Dunkelman O., Keller N., Weizman A.: DLCT: a new tool for differential-linear cryptanalysis. In: EUROCRYPT 2019, pp. 313–342. Springer (2019). https://doi.org/10.1007/978-3-030-17653-2_11
Bernstein D.J.: Second preimages for 6 (7 (8??)) rounds of Keccak? Posted on the NIST mailing list (2010). https://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt
Bertoni G., Daemen J., Peeters M., Van Assche G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: SAC 2011, pp. 320–337. Springer (2011). https://doi.org/10.1007/978-3-642-28496-0_19
Bertoni G., Daemen J., Peeters M., Van Assche G.: Sponge functions. In: ECRYPT Hash Workshop (2007). https://csrc.nist.rip/groups/ST/hash/documents/JoanDaemen.pdf
Civek A.B., Tezcan C.: Differential-linear attacks on permutation ciphers revisited: experiments on Ascon and DryGASCON. In: ICISSP 2022, pp. 202–209. SCITEPRESS (2022). https://doi.org/10.5220/0010982600003120
Dobraunig C., Eichlseder M., Mangard S., Mendel F., Mennink B., Primas R., Unterluggauer T.: ISAP. Submission as a finalist to the NIST Lightweight Crypto Standardization Process (2021). https://csrc.nist.gov/Projects/lightweight-cryptography/finalists
Dobraunig C., Eichlseder M., Mendel F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: ASIACRYPT 2015, pp. 490–509. Springer (2015). https://doi.org/10.1007/978-3-662-48800-3_20
Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Cryptanalysis of Ascon. In: CT-RSA 2015, pp. 371–387. Springer (2015). https://doi.org/10.1007/978-3-319-16715-2_20
Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016). https://competitions.cr.yp.to/round3/asconv12.pdf
Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Preliminary analysis of Ascon-Xof and Ascon-Hash. Technical report (2019). https://ascon.iaik.tugraz.at/files/Preliminary_Analysis_of_Ascon-Xof_and_Ascon-Hash_v01.pdf
Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1.2: lightweight authenticated encryption and hashing. J. Cryptol. 34(3), 33 (2021). https://doi.org/10.1007/s00145-021-09398-9
Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1.2 submission to NIST. LWC final round submission (2021). https://csrc.nist.gov/Projects/lightweight-cryptography/finalists
Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon resources. https://ascon.iaik.tugraz.at/resources.html. Accessed Oct 2022
Dwivedi A.D., Klouček M., Morawiecki P., Nikolic I., Pieprzyk J., Wöjtowicz S.: SAT-based cryptanalysis of authenticated ciphers from the CAESAR competition. In: ICETE 2017, pp. 237–246 (2017). https://doi.org/10.5220/0006387302370246
Dworkin M.: SHA-3 standard: permutation-based hash and extendable-output functions (2015). https://doi.org/10.6028/NIST.FIPS.202
Dworkin M., Feldman L., Witte G.: Additional secure hash algorithm standards offer new opportunities for data protection (2015). https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919417
Erlacher J., Mendel F., Eichlseder M.: Bounds for the security of Ascon against differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2022(1), 64–87 (2022). https://doi.org/10.46586/tosc.v2022.i1.64-87
Gerault D., Peyrin T., Tan Q.Q.: Exploring differential-based distinguishers and forgeries for Ascon. IACR Trans. Symmetric Cryptol. 2021(3), 102–136 (2021). https://doi.org/10.46586/tosc.v2021.i3.102-136
Göloğlu F., Rijmen V., Wang Q.: On the division property of S-boxes. Cryptology ePrint Archive (2016). http://eprint.iacr.org/2016/188
Jovanovic P., Luykx A., Mennink B.: Beyond 2^{c/2} security in sponge-based authenticated encryption modes. In: ASIACRYPT 2014, pp. 85–104. Springer (2014). https://doi.org/10.1007/978-3-662-45611-8_5
Kelsey J., Chang S., Perlner R.: SHA-3 derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash. NIST Special Publication 800-185 (2016). https://www.nist.gov/publications/sha-3-derived-functions-cshake-kmac-tuplehash-and-parallelhash
Leander G., Tezcan C., Wiemer F.: Searching for subspace trails and truncated differentials. IACR Trans. Symmetric Cryptol. 2018(1), 74–100 (2018). https://doi.org/10.13154/tosc.v2018.i1.74-100
Li H., He L., Chen S., Guo J., Qiu W.: Automatic preimage attack framework on Ascon using a linearize-and-guess approach. IACR Trans. Symmetric Cryptol. 2023(3), 74–100 (2023)
Li Y., Zhang G., Wang W., Wang M.: Cryptanalysis of round-reduced Ascon. Sci. China Inf. Sci. 60(3), 1–2 (2017). https://doi.org/10.1007/s11432-016-0283-3
Li Z., Dong X., Wang X.: Conditional cube attack on round-reduced Ascon. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017). https://doi.org/10.13154/tosc.v2017.i1.175-202
Liu M., Lu X., Lin D.: Differential-linear cryptanalysis from an algebraic perspective. In: CRYPTO 2021, pp. 247–277. Springer (2021). https://doi.org/10.1007/978-3-030-84252-9_9
Makarim R.H., Rohit R.: Towards tight differential bounds of Ascon: a hybrid usage of SMT and MILP. IACR Trans. Symmetric Cryptol. 2022(3), 303–340 (2022). https://doi.org/10.46586/tosc.v2022.i3.303-340
NIST: Submission requirements and evaluation criteria for the lightweight cryptography standardization process (2018). https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/final-lwc-submission-requirements-august2018.pdf
Qin L., Hua J., Dong X., Yan H., Wang X.: Meet-in-the-middle preimage attacks on sponge-based hashing. In: EUROCRYPT 2023. Lecture Notes in Computer Science, vol. 14007, pp. 158–188. Springer (2023). https://doi.org/10.1007/978-3-031-30634-1_6
Qin L., Zhao B., Hua J., Dong X., Wang X.: Weak-diffusion structure: meet-in-the-middle attacks on sponge-based hashing revisited. IACR Cryptol. ePrint Arch. p. 518 (2023). https://eprint.iacr.org/2023/518
Rohit R., Hu K., Sarkar S., Sun S.: Misuse-free key-recovery and distinguishing attacks on 7-round Ascon. IACR Trans. Symmetric Cryptol. 2021(1), 130–155 (2021). https://doi.org/10.46586/tosc.v2021.i1.130-155
Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: ASIACRYPT 2014. Lecture Notes in Computer Science, vol. 8873, pp. 158–178. Springer (2014). https://doi.org/10.1007/978-3-662-45611-8_9
Todo Y.: Structural evaluation by generalized integral property. In: EUROCRYPT 2015, pp. 287–314. Springer (2015). https://doi.org/10.1007/978-3-662-46800-5_12
Weatherley R.: Additional modes for LWC finalists. Technical report, version 1.0 (2021). https://rweather.github.io/lwc-finalists/lwc-modes-v1-0.pdf
Wiethuechter A., Card S.W., Moskowitz R.: DRIP Entity Tag Authentication Formats & Protocols for Broadcast Remote ID. Internet-Draft draft-ietf-drip-auth-29, Internet Engineering Task Force (Feb 2023). Work in progress. https://datatracker.ietf.org/doc/draft-ietf-drip-auth/29/
Yan H., Lai X., Wang L., Yu Y., Xing Y.: New zero-sum distinguishers on full 24-round Keccak-f using the division property. IET Inf. Secur. 13(5), 469–478 (2019). https://doi.org/10.1049/iet-ifs.2018.5263
Zong R., Dong X., Wang X.: Collision attacks on round-reduced Gimli-Hash/Ascon-Xof/Ascon-Hash. IACR Cryptol. ePrint Arch. p. 1115 (2019). https://eprint.iacr.org/2019/1115
Acknowledgements
This work was supported as part of the Military Crypto Research Center (UD210027XD) funded by the Defense Acquisition Program Administration (DAPA) and the Agency for Defense Development (ADD).
Communicated by M. Eichlseder.
Cite this article
Baek, S., Kim, G. & Kim, J. Preimage attacks on reduced-round Ascon-Xof. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-024-01383-0