International Association for Cryptologic Research


Chandranan Dhar


Exact Security Analysis of ASCON
The \textsc{ascon} cipher suite, offering both authenticated encryption with associated data (AEAD) and hashing functionality, has recently emerged as the winner of the NIST Lightweight Cryptography (LwC) standardization process. The AEAD schemes within \textsc{ascon}, namely \textsc{ascon}-128 and \textsc{ascon}-128a, have also been previously selected as the preferred lightweight authenticated encryption solutions in the CAESAR competition. In this paper, we present a tight and comprehensive security analysis of the \textsc{ascon} AEAD schemes within the random permutation model. Existing integrity analyses of \textsc{ascon} (and any \textsc{duplex} AEAD scheme in general) commonly include the term $DT/2^c$, where $D$ and $T$ represent data and time complexities respectively, and $c$ denotes the capacity of the underlying sponge. In this paper, we demonstrate that \textsc{ascon} achieves AE security when $T$ is bounded by $\min\{2^{\kappa}, 2^c\}$ (where $\kappa$ is the key size), and $DT$ is limited to $2^b$ (with $b$ being the size of the underlying permutation, which is 320 for \textsc{ascon}). Our findings indicate that in accordance with NIST requirements, \textsc{ascon} allows for a tag size as low as 64 bits while enabling a higher rate of 192 bits, surpassing the recommended rate.