Cryptanalysis of Ascon

  • Christoph DobraunigEmail author
  • Maria Eichlseder
  • Florian Mendel
  • Martin Schläffer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9048)


We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the designers regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.


Ascon CAESAR initiative Cryptanalysis Authenticated encryption 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-\(f\) and for the core functions of Luffa and Hamsi. CHES rump session (2009)Google Scholar
  2. 2.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak Specifications. Submission to NIST (Round 3) (2011).
  3. 3.
    Biere, A.: Lingeling, Plingeling and Treengeling entering the SAT Competition 2013. In: Balint, A., Belov, A., Heule, M., Järvisalo, M. (eds.) SAT competition 2013. vol. B-2013-1, pp. 51–52 (2013).
  4. 4.
    Biham, E., Dunkelman, O., Keller, N.: Enhancing Differential-Linear Cryptanalysis. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 254–266. Springer, Heidelberg (2002) Google Scholar
  5. 5.
    Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991) Google Scholar
  6. 6.
    Boura, C., Canteaut, A.: A zero-sum property for the Keccak-\(f\) permutation with 18 rounds. In: IEEE International Symposium on Information Theory, pp. 2488–2492. IEEE (2010)Google Scholar
  7. 7.
    Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011) Google Scholar
  8. 8.
    Daemen, J.: Permutation-based Encryption. Authentication and Authenticated Encryption, DIAC - Directions in Authenticated Ciphers (2012)Google Scholar
  9. 9.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube Attacks and Cube-attack-like Cryptanalysis on the Round-reduced Keccak Sponge Function. IACR Cryptology ePrint Archive 2014, 736 (2014).
  10. 10.
    Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009) Google Scholar
  11. 11.
    Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon. Submission to the CAESAR competition (2014).
  12. 12.
    Dunkelman, O., Indesteege, S., Keller, N.: A Differential-Linear Attack on 12-Round Serpent. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 308–321. Springer, Heidelberg (2008) Google Scholar
  13. 13.
    Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007) Google Scholar
  14. 14.
    Huang, T., Wu, H., Tjuawinata, I.: Practical State Recovery Attack on ICEPOLE.
  15. 15.
    Jovanovic, P., Luykx, A., Mennink, B.: Beyond 2\(^{\mathit{c}/2}\) Security in Sponge-Based Authenticated Encryption Modes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 85–104. Springer, Heidelberg (2014) Google Scholar
  16. 16.
    Langford, S.K.: Differential-linear cryptanalysis and threshold signatures. Ph.D. thesis, Stanford University (1995)Google Scholar
  17. 17.
    Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994) Google Scholar
  18. 18.
    Matsui, M., Yamagishi, A.: A New Method for Known Plaintext Attack of FEAL Cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993) Google Scholar
  19. 19.
    National Institute of Standards and Technology: FIPS PUB 180–4: Secure Hash Standard. Federal Information Processing Standards Publication 180–4, U.S. Department of Commerce (March 2012).
  20. 20.
    The CAESAR committee: CAESAR: Competition for authenticated encryption: Security, applicability, and robustness (2014).

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Christoph Dobraunig
    • 1
    Email author
  • Maria Eichlseder
    • 1
  • Florian Mendel
    • 1
  • Martin Schläffer
    • 2
  1. 1.IAIKGraz University of TechnologyGrazAustria
  2. 2.Infineon Technologies AGVillachAustria

Personalised recommendations