Exploring Differential-Based Distinguishers and Forgeries for ASCON

Automated methods have become crucial components when searching for distinguishers against symmetric-key cryptographic primitives. While MILP and SAT solvers are among the most popular tools for modelling ciphers and performing cryptanalysis, other methods with different performance profiles are appearing. In this article, we explore the use of Constraint Programming (CP) for differential cryptanalysis of the Ascon authenticated encryption family (first choice of the CAESAR lightweight-applications portfolio and current finalist of the NIST LWC competition) and of its internal permutation. We first present a search methodology for finding differential characteristics for Ascon with CP, which easily finds the best differential characteristics already reported by the Ascon designers. This shows that CP can easily generate good differential results compared to dedicated search heuristics. Based on our tool, we also parametrize the CP search strategies to generate other differential characteristics, with the goal of forming limited-birthday distinguishers for 4, 5, 6 and 7 rounds and rectangle attacks for 4 and 5 rounds of the Ascon internal permutation. We propose a categorization of the distinguishers into black-box and non-black-box to better differentiate them, as they are often useful in different contexts. We also obtained limited-birthday distinguishers which are currently the best known distinguishers for 4, 5 and 6 rounds in the category of non-black-box distinguishers. Leveraging our tool again, we have generated forgery attacks against both round-reduced Ascon-128 and Ascon-128a, improving over the best reported results at the time of writing. Finally, using the best differential characteristic we have found for 2 rounds, we could also improve a recent attack on round-reduced Ascon-Hash.
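As an added illustration, not code from the paper or its authors, of the S-box-level building block behind any CP (or MILP/SAT) search for Ascon differential characteristics: the difference distribution table (DDT) of the Ascon S-box fixes which input/output difference transitions are valid and what each costs, and the weight of a characteristic is the sum of those costs over its active S-boxes. The S-box table is assumed to be transcribed correctly from the Ascon v1.2 specification; the function names `ddt`, `max_nontrivial_probability` and `characteristic_weight` are chosen here.

```python
import math

# Ascon 5-bit S-box as published in the Ascon v1.2 specification (transcribed
# here as an assumption; check it against the spec before relying on it).
ASCON_SBOX = [
    0x4, 0xb, 0x1f, 0x14, 0x1a, 0x15, 0x9, 0x2, 0x1b, 0x5, 0x8, 0x12, 0x1d, 0x3, 0x6, 0x1c,
    0x1e, 0x13, 0x7, 0xe, 0x0, 0xd, 0x11, 0x18, 0x10, 0xc, 0x1, 0x19, 0x16, 0xa, 0xf, 0x17,
]


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}.

    The (din, dout) pairs with a nonzero entry, together with the weight
    -log2(ddt[din][dout] / 32), are what a CP model encodes as a table
    constraint on every S-box of the characteristic being searched."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def max_nontrivial_probability(sbox):
    """Largest DDT entry over nonzero input differences, as a probability."""
    t = ddt(sbox)
    n = len(sbox)
    return max(t[din][dout] for din in range(1, n) for dout in range(n)) / n


def characteristic_weight(sbox, sbox_transitions):
    """Total weight (-log2 p) of a list of (din, dout) S-box transitions, assuming
    independent S-boxes (the usual Markov assumption); raises on an impossible one."""
    t = ddt(sbox)
    n = len(sbox)
    weight = 0.0
    for din, dout in sbox_transitions:
        if t[din][dout] == 0:
            raise ValueError(f"impossible S-box transition {din:#x} -> {dout:#x}")
        if din:  # an inactive S-box (din == 0, dout == 0) costs nothing
            weight += math.log2(n) - math.log2(t[din][dout])
    return weight
```

For the Ascon S-box the best nontrivial transition has probability 2^-2, so a characteristic's weight is at least twice its number of active S-boxes, which is the bound a solver minimises over the round transitions.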
