Being one of the winners of the CAESAR competition and a finalist of the ongoing NIST lightweight cryptography competition, the authenticated encryption with associated data algorithm Ascon has withstood extensive security evaluation. Despite the substantial cryptanalysis, the tightness on Ascon’s differential bounds is still not well-understood until very recently, at ToSC 2022, Erlacher et al. have proven lower bounds (not tight) on the number of differential and linear active Sboxes for 4 and 6 rounds. However, a tight bound for the minimum number of active Sboxes for 4 − 6 rounds is still not known.In this paper, we take a step towards solving the above tightness problem by efficiently utilizing both Satisfiability Modulo Theories (SMT) and Mixed Integer Linear Programming (MILP) based automated tools. Our first major contribution (using SMT) is the set of all valid configurations of active Sboxes (for e.g., 1, 3 and 11 active Sboxes at round 0, 1 and 2, respectively) up to 22 active Sboxes and partial sets for 23 to 32 active Sboxes for 3-round differential trails. We then prove that the weight (differential probability) of any 3-round differential trail is at least 40 by finding the minimum weights (using MILP) corresponding to each configuration till 19 active Sboxes. As a second contribution, for 4 rounds, we provide several necessary conditions (by extending 3 round trails) which may result in a differential trail with at most 44 active Sboxes. We find 5 new configurations for 44 active Sboxes and show that in total there are 9289 cases to check for feasibility in order to obtain the actual lower bound for 4 rounds. We also provide an estimate of the time complexity to solve these cases. Our third main contribution is the improvement in the 7-year old upper bound on active Sboxes for 4 and 5 rounds from 44 to 43 and from 78 to 72, respectively. Moreover, as a direct application of our approach, we find new 4-round linear trails with 43 active Sboxes and also a 5-round linear trail with squared correlation 2−184 while the previous best known linear trail has squared correlation 2−186. Finally, we provide the implementations of our SMT and MILP models, and actual trails to verify the correctness of results.
At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer’s security claims of nonce-respecting setting and data limit of 264 blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) 260 data while the data complexity of key recovery attacks exactly equals 264. Whether there are any practical distinguishers and key recovery attacks (with data less than 264) on 7 rounds Ascon is still an open problem.In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities 246 and 233 which work for 282 and 263 keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of 28, 216 and 227, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify 2127.99, 2127.97 and 2116.34 weak keys (out of 2128) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with 263 data, 269 bits of memory and 2115.2 time. Our attacks are far from threatening the security of full 12 rounds Ascon, but we expect that they provide new insights into Ascon’s security.
We introduce a new type of mixing layer for the round function of cryptographic permutations, called circulant twin column parity mixer (CPM), that is a generalization of the mixing layers in Keccak-f and Xoodoo. While these mixing layers have a bitwise differential branch number of 4 and a computational cost of 2 (bitwise) additions per bit, the circulant twin CPMs we build have a bitwise differential branch number of 12 at the expense of an increase in computational cost: depending on the dimension this ranges between 3 and 3.34 XORs per bit. Our circulant twin CPMs operate on a state in the form of a rectangular array and can serve as mixing layer in a round function that has as non-linear step a layer of S-boxes operating in parallel on the columns. When sandwiched between two ShiftRow-like mappings, we can obtain a columnwise branch number of 12 and hence it guarantees 12 active S-boxes per two rounds in differential trails. Remarkably, the linear branch numbers (bitwise and columnwise alike) of these mappings is only 4. However, we define the transpose of a circulant twin CPM that has linear branch number of 12 and a differential branch number of 4. We give a concrete instantiation of a permutation using such a mixing layer, named Gaston. It operates on a state of 5 × 64 bits and uses χ operating on columns for its nonlinear layer. Most notably, the Gaston round function is lightweight in that it takes as few bitwise operations as the one of NIST lightweight standard Ascon. We show that the best 3-round differential and linear trails of Gaston have much higher weights than those of Ascon. Permutations like Gaston can be very competitive in applications that rely for their security exclusively on good differential properties, such as keyed hashing as in the compression phase of Farfalle.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.