10.06.2025
Security of the Ascon Modes

Bart Mennink | Start: 9:30 | ISEC seminar room (IFEG042), Inffeldgasse 16a
Abstract 
The Ascon authenticated encryption scheme and hash function of Dobraunig et al. (Journal of Cryptology 2021) were recently selected as the winner of the NIST lightweight cryptography competition. The mode underlying Ascon authenticated encryption (Ascon-AE) resembles ideas of SpongeWrap, but not quite, and various works have investigated the generic security of Ascon-AE, all covering different attack scenarios and with different bounds. This work systematizes knowledge on the mode security of Ascon-AE, and fills gaps where needed. We consider six mainstream security models, all in the multi-user setting: (i) nonce-respecting security, reflecting on the existing bounds of Chakraborty et al. (ASIACRYPT 2023, ACISP 2024) and Lefevre and Mennink (SAC 2024), (ii) nonce-misuse resistance, observing a non-fixable flaw in the proof of Chakraborty et al. (ACISP 2024), (iii) nonce-misuse resilience, delivering missing security analysis, (iv) leakage resilience, delivering a new security analysis that supersedes the informal proof sketch (though in a different model) of Guo et al. (ToSC 2020), (v) state-recovery security, expanding on the analysis of Lefevre and Mennink, and (vi) release of unverified plaintext, also delivering missing security analysis. We also match all bounds with tight attacks (up to constant and up to reasonable assumptions). As a bonus, we systematize the knowledge on Ascon-Hash and Ascon-PRF.

Bio
Bart Mennink received his PhD in May 2013 from KU Leuven, Belgium, and has subsequently been a postdoctoral researcher at KU Leuven and in the Digital Security group at Radboud University Nijmegen. Currently, he is associate professor of cryptography in the Digital Security Group at Radboud University Nijmegen. His main field of research is the design and provable security of symmetric cryptographic protocols, with the current focus on lightweight authentication and encryption. Bart Mennink is co-designer of Chaskey, an ISO-standardized MAC function, and of COLM, an authenticated encryption scheme that was selected for the final portfolio of the CAESAR competition. He is furthermore co-designer of Elephant and ISAP, finalist authenticated encryption schemes in the NIST Lightweight Cryptography competition. Bart has published over 100 articles, has been (co-)organizer of multiple international conferences and workshops, and has given over 15 keynotes at various conferences and workshops.

Photo provided by speaker