International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Improved Differential and Linear Trail Bounds for ASCON

Authors:
Solane El Hirch , Radboud University, Nijmegen, The Netherlands
Silvia Mella , Radboud University, Nijmegen, The Netherlands
Alireza Mehrdad , Radboud University, Nijmegen, The Netherlands
Joan Daemen , Radboud University, Nijmegen, The Netherlands
Download:
DOI: 10.46586/tosc.v2022.i4.145-178
URL: https://tosc.iacr.org/index.php/ToSC/article/view/9975
Search ePrint
Search Google
Abstract: Ascon is a family of cryptographic primitives for authenticated encryption and hashing introduced in 2015. It is selected as one of the ten finalists in the NIST Lightweight Cryptography competition. Since its introduction, Ascon has been extensively cryptanalyzed, and the results of these analyses can indicate the good resistance of this family of cryptographic primitives against known attacks, like differential and linear cryptanalysis.Proving upper bounds for the differential probability of differential trails and for the squared correlation of linear trails is a standard requirement to evaluate the security of cryptographic primitives. It can be done analytically for some primitives like AES. For other primitives, computer assistance is required to prove strong upper bounds for differential and linear trails. Computer-aided tools can be classified into two categories: tools based on general-purpose solvers and dedicated tools. General-purpose solvers such as SAT and MILP are widely used to prove these bounds, however they seem to have lower capabilities and thus yield less powerful bounds compared to dedicated tools.In this work, we present a dedicated tool for trail search in Ascon. We arrange 2-round trails in a tree and traverse this tree in an efficient way using a number of new techniques we introduce. Then we extend these trails to more rounds, where we also use the tree traversal technique to do it efficiently. This allows us to scan much larger spaces of trails faster than the previous methods using general-purpose solvers. As a result, we prove tight bounds for 3-rounds linear trails, and for both differential and linear trails, we improve the existing upper bounds for other number of rounds. In particular, for the first time, we prove bounds beyond 2−128 for 6 rounds and beyond 2−256 for 12 rounds of both differential and linear trails.
BibTeX
@article{tosc-2022-32702,
  title={Improved Differential and Linear Trail Bounds for ASCON},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2022, Issue 4},
  pages={145-178},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/9975},
  doi={10.46586/tosc.v2022.i4.145-178},
  author={Solane El Hirch and Silvia Mella and Alireza Mehrdad and Joan Daemen},
  year=2022
}