Abstract
The NIST Lightweight Cryptography project aims to standardize symmetric cryptographic designs, including authenticated encryption and hashing, suitable for constrained devices. One essential criterion for the evaluation of the 10 finalists is the evidence for their security against attacks like linear and differential cryptanalysis. For Ascon, one of the finalists and previous winner of the CAESAR competition in the ‘lightweight’ category, there is a large gap between the proven bounds and the best known characteristics found with heuristic tools: The bounds only cover up to 3 rounds with 15 differentially and 13 linearly active S-boxes, insufficient for proving a level of security for the full constructions.In this paper, we propose a new modeling strategy for SAT solvers and derive strong bounds for the round-reduced Ascon permutation. We prove that 4 rounds already ensure that any single characteristic has a differential probability or squared correlation of at most 2−72, and 6 rounds at most 2−108. This is significantly below the bound that could be exploited within the query limit for keyed Ascon modes. These bounds are probably not tight. To achieve this result, we propose a new search strategy of dividing the search space into a large number of subproblems based on ‘girdle patterns’, and show how to exploit the rotational symmetry of Ascon using necklace theory. Additionally, we evaluate and optimize several aspects of the pure SAT model, including the counter implementation and parallelizability, which we expect to be useful for future applications to other models.
Highlights
The NIST Lightweight Cryptography (LWC) project [Nat18] aims to standardize symmetric cryptographic designs suitable for constrained devices
After the CAESAR competition for authenticated encryption [CAE14], which introduced its category for lightweight usecases in round 3, this is the second competitive effort aiming to fill this gap in the current cryptographic standard landscape
Ascon was first published as a candidate and eventual ‘first choice’ for lightweight scenarios in the final portfolio of the CAESAR competition for authenticated encryption [DEMS16]
Summary
The NIST Lightweight Cryptography (LWC) project [Nat18] aims to standardize symmetric cryptographic designs suitable for constrained devices. After the CAESAR competition for authenticated encryption [CAE14], which introduced its category for lightweight usecases in round 3, this is the second competitive effort aiming to fill this gap in the current cryptographic standard landscape. The NIST LWC project aims to standardize a lightweight authenticated encryption algorithm, plus potentially a lightweight hash function. Ascon is one of the 10 NIST LWC finalists [DEMS21a] and the ‘first choice’ for lightweight authenticated encryption in the portfolio of the CAESAR competition [DEMS16, DEMS21b]. Ascon was first published as a candidate and eventual ‘first choice’ for lightweight scenarios in the final portfolio of the CAESAR competition for authenticated encryption [DEMS16]. The family has been extended by hashing schemes and is a finalist in the NIST LWC lightweight cryptography standardization process [DEMS21a, DEMS21b].
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
