Cryptanalysis of round-reduced ASCON



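ASCON is one of the candidate authenticated encryption algorithms in the CAESAR competition. At CT-RSA 2015, its designers recovered the key of ASCON with a 6-round initialization phase and gave forgery attacks on the 3/4-round tag generation phase, requiring 2^33/2^101 messages. This paper carries out a key-recovery attack on a reduced version of ASCON with a 7-round initialization phase and a 5-round plaintext processing phase. In addition, we construct forgeries on the 4/5/6-round tag generation phase, requiring 2^9/2^17/2^33 data. Compared with the earlier results, these forgeries have practical attack complexity.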





This work was supported by National Basic Research Program of China (Grant No. 2013CB834205), National Natural Science Foundation of China (Grant Nos. 61133013, 61572293, 61602276), and Program for New Century Excellent Talents in University of China (Grant No. NCET-13-0350).

Author information



Corresponding author

Correspondence to Meiqin Wang.

Additional information

The authors declare that they have no conflict of interest.


Cite this article

Li, Y., Zhang, G., Wang, W. et al. Cryptanalysis of round-reduced ASCON. Sci. China Inf. Sci. 60, 038102 (2017).



  • Authenticated encryption
  • cube
  • Key recovery