This paper evaluates the security level of the authenticated encryption scheme Ascon against the cube-like method. Ascon, submitted by Dobraunig et al., is one of the 16 survivors of the third round of the CAESAR competition. The cube-like method was first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced Ascon, whose structure is similar to that of the Keccak keyed modes. However, Ascon's non-linear layer is more complex and its state is much smaller, which makes it hard for attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack reaches only 6-round Ascon, while for the Keccak keyed modes (Keccak-MAC and Keyak) at least 7 rounds are attacked. In this paper, we generalize the conditional cube attack proposed by Huang et al., find new cubes that depend on some key bit conditions for 5/6-round reduced Ascon, and turn the previous theoretical 6-round attack with 2^66 time complexity into a practical one with 2^40 time complexity. Moreover, we propose the first 7-round key-recovery attack on Ascon. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we run a cube tester to determine whether the key falls into it. Finally, we recover the full key by testing all the key subsets. The total time complexity is about 2^103.9. In addition, for a weak-key subset of size 2^117, the attack is more efficient and costs only 2^77 time complexity. These attacks do not threaten full-round (12-round) Ascon.
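As an added illustration (not code from the paper), the following Python implements the public Ascon-128 permutation, its initialisation reduced to the first r rounds, and a cube tester that XORs the first keystream word over a cube of nonce bits, which is the per-subset test the abstract describes. The paper's conditional cubes and key bit conditions are not reproduced; the cube used here is the generic one of dimension 2^r + 1, which vanishes for every key by the degree bound, so this shows the testing machinery rather than the key-subset discrimination. The key value and cube positions in the comments are constructed and arbitrary.

```python
from itertools import product

MASK = (1 << 64) - 1
IV_ASCON128 = 0x80400C0600000000  # Ascon-128 IV (k=128, r=64, a=12, b=6)
ROUND_CONSTANTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5, 0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def ascon_round(s, c):
    """One round p_L o p_S o p_C. The S-box is quadratic, so a round at most
    doubles the algebraic degree of every state bit in the nonce bits."""
    x0, x1, x2, x3, x4 = s
    x2 ^= c                                   # constant addition
    x0 ^= x4; x4 ^= x3; x2 ^= x1              # substitution layer
    t0 = x0 ^ (~x1 & x2); t1 = x1 ^ (~x2 & x3); t2 = x2 ^ (~x3 & x4)
    t3 = x3 ^ (~x4 & x0); t4 = x4 ^ (~x0 & x1)
    t1 ^= t0; t0 ^= t4; t3 ^= t2; t2 = ~t2 & MASK
    return (t0 ^ rotr(t0, 19) ^ rotr(t0, 28),  # linear diffusion layer
            t1 ^ rotr(t1, 61) ^ rotr(t1, 39),
            t2 ^ rotr(t2, 1) ^ rotr(t2, 6),
            t3 ^ rotr(t3, 10) ^ rotr(t3, 17),
            t4 ^ rotr(t4, 7) ^ rotr(t4, 41))

def first_keystream_word(key, nonce, rounds):
    """Ascon-128 initialisation cut to the first `rounds` rounds of p^12.
    Returns x0, which the attacker sees as C1 xor P1; the final key addition
    touches only x3/x4 and is omitted."""
    s = (IV_ASCON128, key >> 64, key & MASK, nonce >> 64, nonce & MASK)
    for c in ROUND_CONSTANTS[:rounds]:
        s = ascon_round(s, c)
    return s[0]

def cube_sum(key, cube_bits, rounds, base_nonce=0):
    """XOR of the observed word over all 2^d values of the nonce bit positions
    in cube_bits (the cube variables); all other nonce bits stay fixed."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube_bits)):
        nonce = base_nonce
        for b, pos in zip(bits, cube_bits):
            nonce ^= b << pos
        acc ^= first_keystream_word(key, nonce, rounds)
    return acc

def cube_tester(key, cube_bits, rounds):
    """Per-subset test: accept the key iff the cube sum vanishes. A cube of
    dimension 2^rounds + 1 exceeds the degree bound and vanishes for every
    key; the paper's conditional cubes vanish only under key bit conditions."""
    return cube_sum(key, cube_bits, rounds) == 0
```

A cube below the degree bound (for example a single nonce bit after 3 rounds) gives a sum that depends on the key, which is the dependence the paper's key conditions exploit.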
[1] Xiaoyun Wang, et al. Efficient Collision Search Attacks on SHA-0, CRYPTO, 2005.
[2] Xiaoyun Wang, et al. How to Break MD5 and Other Hash Functions, EUROCRYPT, 2005.
[3] Adi Shamir, et al. Breaking Grain-128 with Dynamic Cube Attacks, IACR Cryptol. ePrint Arch., 2011.
[4] Pierre-Alain Fouque, et al. Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks, IACR Cryptol. ePrint Arch., 2013.
[5] Keting Jia, et al. Improved Attacks on Reduced-Round Camellia-128/192/256, CT-RSA, 2015.
[6] Meiqin Wang, et al. Conditional Cube Attack on Reduced-Round Keccak Sponge Function, EUROCRYPT, 2017.
[7] Antoine Joux, et al. Advances in Cryptology - EUROCRYPT 2009, Lecture Notes in Computer Science, 2009.
[8] Marian Srebrny, et al. Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function, EUROCRYPT, 2015.
[9] Kaisa Nyberg, et al. Topics in Cryptology - CT-RSA 2015, Lecture Notes in Computer Science, 2015.
[10] David Joyner, et al. SAGE: system for algebra and geometry experimentation, SIGS, 2005.
[11] Willi Meier, et al. Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium, FSE, 2009.