Update on the Security Analysis of Ascon

Ascon is one of the finalists in the NIST LWC project. Since it was published in 2014 and selected as the first choice for resource-constrained environments of the CAESAR portfolio in 2019, there was already a substantial body of publications on Ascon’s security before the beginning of the NIST LWC project. In this talk, we provide an overview of recent third-party cryptanalysis results as well as our own work on new security bounds. We first focus on our efforts to improve the bounds for security against differential and linear cryptanalysis with new Boolean Satisfiability (SAT) models. We find bounds for 4 and 6 rounds of the permutation which, while probably not tight, reinforce confidence in the security of Ascon, Ascon-Hash, and Ascon-Xof against differential and linear attacks with respect to the security claim. We also discuss the implications of these bounds for the recently proposed MAC variants based on the Ascon permutation. Additionally, we use a similar  SAT model to provide differential bounds for the 1-round Ascon permutation with 1-bit rate as used in Isap, demonstrating the infeasibility of differentially-induced collisions in this construction. We also provide a brief overview and discussion of recent third-party analysis results. Among others, Rohit et al. [RHSS21] slightly reduced the data complexity of previous 7-round attacks to stay below the limit of 2⁶⁴ encrypted blocks. Rohit and Sarkar investigated classes of “weak keys” which permit slightly better attacks for round-reduced Ascon. Gerault et al. investigated the applicability of differential distinguishers for forgeries on round-reduced Ascon. Civek and Tezcan  provided new experiments on differential-linear cryptanalysis. In summary, these results provide a more detailed understanding of Ascon’s security margin, which essentially confirms and slightly refines the previously-known results on up to 7 out of 12 rounds of Ascon’s permutation.