Diving Deep into the Weak Keys of Round Reduced Ascon

At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7-round Ascon that respect the designers' security claims, namely the nonce-respecting setting and the data limit of 2^64 blocks per key. So far, these are the best attacks on 7-round Ascon. However, the distinguishers require an impractical 2^60 data, and the data complexity of the key recovery attacks is exactly 2^64. Whether there are practical distinguishers and key recovery attacks (with data below 2^64) on 7-round Ascon has remained an open problem.

In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is a pair of 7-round cube distinguishers with complexities 2^46 and 2^33, which work for 2^82 and 2^63 keys, respectively. Notably, we show that such weak keys exist for any choice of 46 and 33 specifically chosen nonce variables (out of 64). In addition, we improve the data complexities of the existing distinguishers for 5, 6 and 7 rounds by factors of 2^8, 2^16 and 2^27, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon that is based solely on the algebraic degree. Based on our construction, we identify 2^127.99, 2^127.97 and 2^116.34 weak keys (out of 2^128) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack recovers the secret key with 2^63 data, 2^69 bits of memory and 2^115.2 time. Our attacks are far from threatening the security of the full 12-round Ascon, but we expect that they provide new insights into Ascon's security.
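The cube distinguishers and the degree-based weak-key framework described above both rest on one fact: after r rounds of the Ascon initialization, every keystream bit is a polynomial in the nonce bits of degree at most 2^r (the S-box is quadratic, everything else is affine), so summing the keystream over a cube of more than 2^r nonce variables gives zero for any key. The block below is an added example that is not code from the paper or from the Ascon designers; it implements the public Ascon v1.2 permutation and a generic cube-sum tester over the round-reduced initialization. The sample key and nonce are constructed, the cube positions are chosen arbitrarily, and the convention of using the first r of the 12 round constants for an r-round initialization is an assumption. It demonstrates the trivial bound only; the paper's 7-round cubes of dimension 46 and 33 and the key classes on which they work are not reproduced here.

```python
# Added example (not from the paper): cube-sum distinguisher on the
# round-reduced Ascon-128 initialization.  The permutation follows the
# Ascon v1.2 specification; key, nonce, cube choice and the round-reduction
# convention (first `rounds` of the 12 round constants) are our assumptions.

MASK64 = (1 << 64) - 1
IV_ASCON128 = 0x80400C0600000000
ROUND_CONSTANTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5,
                   0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]


def ror64(x, n):
    """Rotate a 64-bit word right by n bits."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def ascon_permutation(state, rounds):
    """Apply `rounds` rounds of the Ascon permutation to a 5-word state.

    A round is constant addition on x2, the 5-bit S-box applied bit-sliced
    across the five words (algebraic degree 2), and the linear layer.
    """
    x0, x1, x2, x3, x4 = state
    for c in ROUND_CONSTANTS[:rounds]:      # assumption: first r constants
        x2 ^= c
        # substitution layer, exactly as in the bit-sliced reference code
        x0 ^= x4
        x4 ^= x3
        x2 ^= x1
        t0 = (x0 ^ MASK64) & x1
        t1 = (x1 ^ MASK64) & x2
        t2 = (x2 ^ MASK64) & x3
        t3 = (x3 ^ MASK64) & x4
        t4 = (x4 ^ MASK64) & x0
        x0 ^= t1
        x1 ^= t2
        x2 ^= t3
        x3 ^= t4
        x4 ^= t0
        x1 ^= x0
        x0 ^= x4
        x3 ^= x2
        x2 ^= MASK64
        # linear diffusion layer: each word XORed with two of its rotations
        x0 ^= ror64(x0, 19) ^ ror64(x0, 28)
        x1 ^= ror64(x1, 61) ^ ror64(x1, 39)
        x2 ^= ror64(x2, 1) ^ ror64(x2, 6)
        x3 ^= ror64(x3, 10) ^ ror64(x3, 17)
        x4 ^= ror64(x4, 7) ^ ror64(x4, 41)
    return x0, x1, x2, x3, x4


def first_keystream_word(key, nonce, rounds):
    """Round-reduced Ascon-128 initialization; returns x0, the word the
    attacker observes as the first 64 keystream bits.  key = (K0, K1) and
    nonce = (N0, N1) are 64-bit words.  The real initialization ends with
    x3 ^= K0, x4 ^= K1, which does not touch x0 and is therefore omitted.
    """
    k0, k1 = key
    n0, n1 = nonce
    x0, _, _, _, _ = ascon_permutation((IV_ASCON128, k0, k1, n0, n1), rounds)
    return x0


def degree_bound(rounds):
    """Trivial upper bound on the degree in the nonce bits after `rounds`
    rounds: quadratic S-box, affine constant addition and linear layer."""
    return 2 ** rounds


def cube_sum(key, base_nonce, cube_bits, rounds):
    """XOR of the observed keystream word over the 2^d nonces in which the
    cube variables (nonce bit positions 0..127: 0..63 in N0, 64..127 in N1)
    take all assignments while the other nonce bits stay at base_nonce.
    A result of 0 for a cube larger than the degree is the distinguisher.
    """
    n0_base, n1_base = base_nonce
    acc = 0
    for assignment in range(1 << len(cube_bits)):
        n0, n1 = n0_base, n1_base
        for i, bit in enumerate(cube_bits):
            if (assignment >> i) & 1:
                if bit < 64:
                    n0 ^= 1 << bit
                else:
                    n1 ^= 1 << (bit - 64)
        acc ^= first_keystream_word(key, (n0, n1), rounds)
    return acc


if __name__ == "__main__":
    # constructed sample key and nonce, not test vectors from the specification
    key = (0x0001020304050607, 0x08090A0B0C0D0E0F)
    nonce = (0x1011121314151617, 0x18191A1B1C1D1E1F)
    for r in (1, 2, 3):
        d = degree_bound(r) + 1
        s = cube_sum(key, nonce, list(range(d)), r)
        print(f"{r} round(s): cube of dimension {d} (degree bound {d - 1}) "
              f"sums to {s:#018x}")
```

The generic bound grows as 2^r, so a cube of 2^r + 1 variables costs 2^(2^r + 1) queries: practical for 3 or 4 rounds, hopeless at 7 (dimension 129 would exceed the 128-bit nonce). The paper's contribution is finding cubes of dimension 46 and 33 that already sum to zero at 7 rounds for a large class of keys; plugging such a cube into `cube_sum` with one of those keys is exactly the check a practitioner would run to confirm a weak-key distinguisher, and the same function applied to a random key shows the sum being nonzero for keys outside the class.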

[1] G. V. Assche et al. Permutation-based encryption, authentication and authenticated encryption. 2012.

[2] Adi Shamir et al. Weaknesses in the Key Scheduling Algorithm of RC4. Selected Areas in Cryptography, 2001.

[3] Orr Dunkelman et al. DLCT: A New Tool for Differential-Linear Cryptanalysis. IACR Cryptol. ePrint Arch., 2019.

[4] Yosuke Todo et al. Cube Attacks on Non-Blackbox Polynomials Based on Division Property. IEEE Transactions on Computers, 2018.

[5] Adi Shamir et al. Cube Attacks on Tweakable Black Box Polynomials. IACR Cryptol. ePrint Arch., 2009.

[6] Florian Mendel et al. Ascon v1.2: Lightweight Authenticated Encryption and Hashing. Journal of Cryptology, 2021.

[7] Yosuke Todo et al. Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly. IEEE Transactions on Computers, 2018.

[8] Philip Hawkes et al. Differential-Linear Weak Key Classes of IDEA. EUROCRYPT, 1998.

[9] Gregor Leander et al. A Cryptanalysis of PRINTcipher: The Invariant Subspace Attack. CRYPTO, 2011.

[10] Kai Hu et al. An Algebraic Formulation of the Division Property: Revisiting Degree Evaluations, Cube Attacks, and Key-Independent Sums. IACR Cryptol. ePrint Arch., 2020.

[11] Willi Meier et al. Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium. FSE, 2009.

[12] Xiaoyun Wang et al. Conditional Cube Attack on Round-Reduced ASCON. IACR Trans. Symmetric Cryptol., 2017.

[13] Yu Sasaki et al. Nonlinear Invariant Attack: Practical Attack on Full SCREAM, iSCREAM, and Midori64. Journal of Cryptology, 2016.

[14] Florian Mendel et al. Cryptanalysis of Ascon. CT-RSA, 2015.

[15] Vincent Rijmen et al. On the division property of S-boxes. IACR Cryptol. ePrint Arch., 2016.

[16] Brice Minaud et al. A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro. EUROCRYPT, 2015.

[17] Bart Mennink et al. Weak Keys for AEZ, and the External Key Padding Attack. CT-RSA, 2017.

[18] María Naya-Plasencia et al. Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems. ASIACRYPT, 2010.

[19] Yosuke Todo et al. Structural Evaluation by Generalized Integral Property. EUROCRYPT, 2015.

[20] Wei Wang et al. Cryptanalysis of round-reduced ASCON. Science China Information Sciences, 2016.

[21] Michael Vielhaber. Breaking ONE.FIVIUM by AIDA, an Algebraic IV Differential Attack. IACR Cryptol. ePrint Arch., 2007.

[22] Josef Pieprzyk et al. SAT-based Cryptanalysis of Authenticated Ciphers from the CAESAR Competition. IACR Cryptol. ePrint Arch., 2016.

[23] Lei Wang et al. New zero-sum distinguishers on full 24-round Keccak-f using the division property. IET Inf. Secur., 2019.

[24] Yosuke Todo et al. Modeling for Three-Subset Division Property without Unknown Subset. Journal of Cryptology, 2020.

[25] Tim Beyne et al. Block Cipher Invariants as Eigenvectors of Correlation Matrices. Journal of Cryptology, 2018.

[26] Florian Mendel et al. Heuristic Tool for Linear Cryptanalysis with Applications to CAESAR Candidates. IACR Cryptol. ePrint Arch., 2015.

[27] Yosuke Todo et al. Bit-Based Division Property and Application to Simon Family. FSE, 2016.

[28] Gregor Leander et al. Weak-Key Distinguishers for AES. SAC, 2020.

[29] Willi Meier et al. Weak Keys in Reduced AEGIS and Tiaoxin. IACR Cryptol. ePrint Arch., 2021.

[30] Dongdai Lin et al. Differential-Linear Cryptanalysis from an Algebraic Perspective. CRYPTO, 2021.

[31] Meiqin Wang et al. Conditional Cube Attack on Reduced-Round Keccak Sponge Function. EUROCRYPT, 2017.

[32] Mustafa Khairallah et al. Weak Keys in the Rekeying Paradigm: Application to COMET and mixFeed. IACR Trans. Symmetric Cryptol., 2020.

[33] Eli Biham et al. Differential cryptanalysis of Lucifer. Journal of Cryptology, 1993.

[34] Raghvendra Rohit et al. Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon. IACR Cryptol. ePrint Arch., 2021.

[35] Yosuke Todo et al. Lower Bounds on the Degree of Block Ciphers. IACR Cryptol. ePrint Arch., 2020.

[36] Gregor Leander et al. Searching for Subspace Trails and Truncated Differentials. IACR Trans. Symmetric Cryptol., 2018.

[37] Atul Luykx et al. Beyond 2^(c/2) Security in Sponge-Based Authenticated Encryption Modes. IACR Cryptol. ePrint Arch., 2014.

[38] Orhun Kara et al. A New Class of Weak Keys for Blowfish. FSE, 2007.

[39] Guido Bertoni et al. Duplexing the sponge: single-pass authenticated encryption and other applications. IACR Cryptol. ePrint Arch., 2011.

[40] Jie Guan et al. MILP-aided Method of Searching Division Property Using Three Subsets and Applications. ASIACRYPT, 2019.

[41] Thomas Peyrin et al. Exploring Differential-Based Distinguishers and Forgeries for ASCON. IACR Cryptol. ePrint Arch., 2021.

[42] Adi Shamir et al. Breaking Grain-128 with Dynamic Cube Attacks. IACR Cryptol. ePrint Arch., 2011.