Diving Deep into the Weak Keys of Round Reduced Ascon

At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer’s security claims of nonce-respecting setting and data limit of 2^64 blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishe...

Bibliographic Details
Main authors: Raghvendra Rohit, Santanu Sarkar
Format: article
Language: EN
Published: Ruhr-Universität Bochum 2021
Online access: https://doaj.org/article/b21ae31362114a7eade4c9c4b38936f8
id oai:doaj.org-article:b21ae31362114a7eade4c9c4b38936f8
record_format dspace
spelling oai:doaj.org-article:b21ae31362114a7eade4c9c4b38936f8
2021-12-03T14:38:30Z
Diving Deep into the Weak Keys of Round Reduced Ascon
10.46586/tosc.v2021.i4.74-99
2519-173X
https://doaj.org/article/b21ae31362114a7eade4c9c4b38936f8
2021-12-01T00:00:00Z
https://tosc.iacr.org/index.php/ToSC/article/view/9329
https://doaj.org/toc/2519-173X
Raghvendra Rohit
Santanu Sarkar
Ruhr-Universität Bochum
article
Ascon
Weak keys
Cube attack
Algebraic degree
Computer engineering. Computer hardware
TK7885-7895
EN
IACR Transactions on Symmetric Cryptology, Vol 2021, Iss 4 (2021)
institution DOAJ
collection DOAJ
language EN
topic Ascon
Weak keys
Cube attack
Algebraic degree
Computer engineering. Computer hardware
TK7885-7895
description At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer’s security claims of nonce-respecting setting and data limit of 2^64 blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) 2^60 data while the data complexity of key recovery attacks exactly equals 2^64. Whether there are any practical distinguishers and key recovery attacks (with data less than 2^64) on 7 rounds Ascon is still an open problem. In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities 2^46 and 2^33 which work for 2^82 and 2^63 keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of 2^8, 2^16 and 2^27, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify 2^127.99, 2^127.97 and 2^116.34 weak keys (out of 2^128) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with 2^63 data, 2^69 bits of memory and 2^115.2 time. Our attacks are far from threatening the security of full 12 rounds Ascon, but we expect that they provide new insights into Ascon’s security.
format article
author Raghvendra Rohit
Santanu Sarkar
title Diving Deep into the Weak Keys of Round Reduced Ascon
publisher Ruhr-Universität Bochum
publishDate 2021
url https://doaj.org/article/b21ae31362114a7eade4c9c4b38936f8