Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode

Abstract

Context-committing security of authenticated encryption (AE), which prevents ciphertexts from being decrypted with distinct decryption contexts (K, N, A) comprising a key K, a nonce N, and associated data A, is an active research field motivated by several real-world attacks. In this paper, we study the context-committing security of Ascon, the lightweight permutation-based AE selected by the NIST LWC in 2023, for cryptanalysis on primitive and proof on mode. The attacker's goal is to find a collision of a ciphertext and a tag with distinct decryption contexts in which an attacker can control all the parameters including the key. First, we propose new attacks with primitives that inject differences in N and A. The new attack on Ascon-128 improves the number of rounds from 2 to 3 and practically generates distinct decryption contexts. The new attack also works in a practical complexity on 3 rounds of Ascon-128a. Second, we prove the context-committing security of Ascon with zero padding, namely Ascon-zp, in the random permutation model. Ascon-zp achieves $\min\{\frac{t+z}{2}, \frac{n+t-k-\nu}{2}, \frac{c}{2}\}$-bit security with a t-bit tag, a z-bit padding, an n-bit state, a ν-bit nonce, and a c-bit inner part. This bound corresponds to $\min\{64 + \frac{z}{2}, 96\}$ with Ascon-128 and Ascon-128a, and $\min\{64 + \frac{z}{2}, 80\}$ with Ascon-80pq. The original Ascon (z = 0) achieves 64-bit security bounded by a generic birthday attack. By appending zeroes to the plaintext, the security can be enhanced up to 96 bits for Ascon-128 and Ascon-128a and 80 bits for Ascon-80pq.

Naito, Y., Sasaki, Y., & Sugawara, T. (2023). Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode. IACR Transactions on Symmetric Cryptology, 2023(4), 420–451. https://doi.org/10.46586/tosc.v2023.i4.420-451
