Resistance of Ascon Family Against Conditional Cube Attacks in Nonce-Misuse Setting

Authors :
Donghoon Chang
Deukjo Hong
Jinkeon Kang
Meltem Sonmez Turan
Source :
IEEE Access, Vol 11, Pp 4501-4516 (2023)
Publication Year :
2023
Publisher :
IEEE, 2023.

Abstract

The Ascon family is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. The family includes three Authenticated Encryption with Associated Data (AEAD) schemes: Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the resistance of the Ascon family against conditional cube attacks in the nonce-misuse setting, and present new state- and key-recovery attacks. Our attacks recover the full state and the secret key of Ascon-128a when the encryption phase is reduced to 7 out of 8 rounds of the Ascon permutation, with 2^117 data and 2^116.2 time. To the best of our knowledge, these are the best known attack results for Ascon-128a, although they violate the data limit of 2^64 imposed by the designers. We also show that partial state information of Ascon-128 can be recovered with 2^44.8 data. Finally, assuming that the full state information of Ascon-80pq has been recovered by Baudrin et al.'s attack, we show that the 160-bit secret key of Ascon-80pq can be recovered with 2^128 time. Although our attacks do not invalidate the designers' security claims, they allow us to better understand the security of Ascon in the nonce-misuse setting.

Details

Language :
English
ISSN :
21693536
Volume :
11
Database :
Directory of Open Access Journals
Journal :
IEEE Access
Publication Type :
Academic Journal
Accession number :
edsdoj.4f1c7f3d2ce74ec196975315f767a4c3
Document Type :
article
Full Text :
https://doi.org/10.1109/ACCESS.2022.3223991