Tight Multi-user Security of Ascon and Its Large Key Extension

Authors

Bishwajit Chakraborty, Nanyang Technological University
Chandranan Dhar, Indian Statistical Institute, Kolkata
Mridul Nandi, Indian Statistical Institute, Kolkata

Document Type

Conference Article

Publication Title

Lecture Notes in Computer Science Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics

Abstract

The Ascon cipher suite has recently become the preferred standard in the NIST Lightweight Cryptography standardization process. Despite its prominence, the initial dedicated security analysis for the Ascon mode was conducted quite recently. This analysis demonstrated that the Ascon AEAD mode offers superior security compared to the generic Duplex mode, but it was limited to a specific scenario: single-user nonce-respecting, with a capacity strictly larger than the key size. In this paper, we eliminate these constraints and provide a comprehensive security analysis of the Ascon AEAD mode in the multi-user setting, where the capacity need not be larger than the key size. Regarding data complexity D and time complexity T, our analysis reveals that Ascon achieves AEAD security when T is bounded by min{2^κ/μ,2^c} (where κ is the key size, and μ is the number of users), and DT is limited to 2^b (with b denoting the size of the underlying permutation, set at 320 for Ascon). Our results align with NIST requirements, showing that Ascon allows for a tag size as small as 64 bits while supporting a higher rate of 192 bits, provided the number of users remains within recommended limits. However, this security becomes compromised as the number of users increases significantly. To address this issue, we propose a variant of the Ascon mode called LK-Ascon, which enables doubling the key size. This adjustment allows for a greater number of users without sacrificing security, while possibly offering additional resilience against quantum key recovery attacks. We establish tight bounds for LK-Ascon, and furthermore show that both Ascon and LK-Ascon maintain authenticity security even when facing nonce-misuse adversaries.

First Page

57

Last Page

76

DOI

10.1007/978-981-97-5025-2_4

Publication Date

1-1-2024

Recommended Citation

Chakraborty, Bishwajit; Dhar, Chandranan; and Nandi, Mridul, "Tight Multi-user Security of Ascon and Its Large Key Extension" (2024). Conference Articles. 904.
https://digitalcommons.isical.ac.in/conf-articles/904