Resistance of Ascon Family against Conditional Cube Attacks in Nonce-Misuse Setting.

IACR Cryptol. ePrint Arch. (2022)

Abstract
The Ascon family is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. The family includes three Authenticated Encryption with Associated Data (AEAD) schemes: Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the resistance of the Ascon family against conditional cube attacks in the nonce-misuse setting, and present new state- and key-recovery attacks. Our attacks recover the full state and the secret key of Ascon-128a when the encryption phase is reduced to 7 out of 8 rounds of the Ascon permutation, with 2^117 data and 2^116.2 time. To the best of our knowledge, these are the best known attack results for Ascon-128a, although they exceed the data limit of 2^64 imposed by the designers. We also show that partial state information of Ascon-128 can be recovered with 2^44.8 data. Finally, assuming that the full state of Ascon-80pq has been recovered by Baudrin et al.'s attack, we show that the 160-bit secret key of Ascon-80pq can be recovered with 2^128 time. Although our attacks do not invalidate the designers' security claims, they improve our understanding of the security of Ascon in the nonce-misuse setting.
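As an added illustration (this is not code from the paper, and it is not the paper's seven-round attack), the block below models the mechanism behind a conditional cube test on round-reduced Ascon-p in the nonce-misuse setting. The model is an assumption chosen for simplicity: the attacker controls the 64-bit rate word x0 of the state entering the permutation (the plaintext block, as in Ascon-128), the four capacity words x1..x4 are the unknown secret state that nonce misuse keeps fixed across queries, and the rate word after p^r is observed as keystream. The secret state and the base plaintext block are constructed constants. Tracing a single cube variable v at bit i of x0 through the Ascon S-box gives derivative 1 XOR x1[i] in the output rate word, so the 1-round cube sum of the observed word equals the linear layer applied to (1 XOR x1[i]) << i and vanishes exactly when the secret bit x1[i] is 1. Whether a cube sum vanishes therefore depends on a condition on a secret bit, which is the core of a conditional cube attack and is used here to read off x1. The block also checks the unconditional degree bound (deg(p^r) is at most 2^r, so any cube of dimension 2^r + 1 sums to zero), which is the property generic cube attacks rely on.

```python
"""Toy model of a conditional cube test on round-reduced Ascon-p (added example).

Model (an assumption, not the paper's exact attack): the attacker chooses the
64-bit rate word x0, the capacity words x1..x4 are the unknown secret state
(nonce misuse lets the attacker keep them fixed across queries), and the rate
word after p^r is observed.
"""

MASK = (1 << 64) - 1
# Ascon round constants; p^r uses the last r of them.
ROUND_CONSTANTS = [0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b]


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK


def ascon_round(s, c):
    """One round of Ascon-p: constant addition, bit-sliced 5-bit S-box, linear layer."""
    x0, x1, x2, x3, x4 = s
    x2 ^= c
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3; t3 = ~x3 & x4; t4 = ~x4 & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
    x0 ^= rotr(x0, 19) ^ rotr(x0, 28)
    x1 ^= rotr(x1, 61) ^ rotr(x1, 39)
    x2 ^= rotr(x2, 1) ^ rotr(x2, 6)
    x3 ^= rotr(x3, 10) ^ rotr(x3, 17)
    x4 ^= rotr(x4, 7) ^ rotr(x4, 41)
    return [x0, x1, x2, x3, x4]


def ascon_permutation(s, rounds):
    for c in ROUND_CONSTANTS[12 - rounds:]:
        s = ascon_round(s, c)
    return s


def cube_sum(x0_base, capacity, cube_bits, rounds):
    """XOR of p^rounds(x0, capacity) over all 2^|cube_bits| settings of the chosen x0 bits.

    The cube sum of each output bit is the superpoly of that bit with respect to
    the cube variables; it depends only on the secret capacity words.
    """
    acc = [0] * 5
    for assignment in range(1 << len(cube_bits)):
        v = 0
        for j, bit in enumerate(cube_bits):
            if (assignment >> j) & 1:
                v |= 1 << bit
        out = ascon_permutation([x0_base ^ v] + list(capacity), rounds)
        acc = [a ^ o for a, o in zip(acc, out)]
    return acc


def recover_x1_one_round(x0_base, capacity):
    """Conditional cube test on 1 round: cube {i} on x0, watch the rate word.

    Tracing variable v at bit i of x0 through the S-box gives derivative 1 ^ x1[i]
    in output word x0 (x1[i] in x4, constant 1 in x1), so the 1-round superpoly of
    the observed rate word is L0((1 ^ x1[i]) << i): it vanishes iff x1[i] == 1.
    The attacker never sees x1 directly; it is read off from which sums vanish.
    """
    x1 = 0
    for i in range(64):
        if cube_sum(x0_base, capacity, [i], rounds=1)[0] == 0:
            x1 |= 1 << i
    return x1


def degree_bound_holds(x0_base, capacity, rounds):
    """Unconditional check: deg(p^r) <= 2^r, so a cube of dimension 2^r + 1 sums to 0."""
    cube = list(range(2 ** rounds + 1))
    return all(w == 0 for w in cube_sum(x0_base, capacity, cube, rounds))


# Constructed sample values (not from the paper): a base plaintext block and a secret state.
X0_BASE = 0x00000000DEADBEEF
CAPACITY = [0xFEDCBA9876543210, 0x0F1E2D3C4B5A6978, 0x8796A5B4C3D2E1F0, 0x0123456789ABCDEF]

if __name__ == "__main__":
    recovered = recover_x1_one_round(X0_BASE, CAPACITY)
    print(f"x1 recovered from 1-round cube sums: {recovered:016x} (actual {CAPACITY[0]:016x})")
    for r in (1, 2, 3):
        ok = degree_bound_holds(X0_BASE, CAPACITY, r)
        print(f"{r}-round cube of dimension {2 ** r + 1} sums to zero: {ok}")
```

The one-round recovery needs only two queries per state bit, which is why the example is cheap; for more rounds the cube variables start multiplying each other and the conditions that keep a superpoly simple have to be chosen carefully, which is where the data and time complexities quoted in the abstract come from.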
Keywords
Encryption, Complexity theory, NIST, Data processing, Time complexity, Privacy, Cryptography, Ascon, conditional cube attack, lightweight cryptography, state recovery, key recovery