Exact Security Analysis of ASCON
Document Type
Conference Article
Publication Title
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Abstract
The Ascon cipher suite, offering both authenticated encryption with associated data (AEAD) and hashing functionality, has recently emerged as the winner of the NIST Lightweight Cryptography (LwC) standardization process. The AEAD schemes within Ascon, namely Ascon-128 and Ascon-128a, have also been previously selected as the preferred lightweight authenticated encryption solutions in the CAESAR competition. In this paper, we present a tight and comprehensive security analysis of the Ascon AEAD schemes within the random permutation model. Existing integrity analyses of Ascon (and any Duplex AEAD scheme in general) commonly include the term DT/ 2 c, where D and T represent data and time complexities respectively, and c denotes the capacity of the underlying sponge. In this paper, we demonstrate that Ascon achieves AE security when T is bounded by min { 2 κ, 2 c} (where κ is the key size), and DT is limited to 2 b (with b being the size of the underlying permutation, which is 320 for Ascon). Our findings indicate that in accordance with NIST requirements, Ascon allows for a tag size as low as 64 bits while enabling a higher rate of 192 bits, surpassing the recommended rate.
First Page
346
Last Page
369
DOI
10.1007/978-981-99-8727-6_12
Publication Date
1-1-2023
Recommended Citation
Chakraborty, Bishwajit; Dhar, Chandranan; and Nandi, Mridul, "Exact Security Analysis of ASCON" (2023). Conference Articles. 528.
https://digitalcommons.isical.ac.in/conf-articles/528