Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode

Context-committing security of authenticated encryption (AE) that prevents ciphertexts from being decrypted with distinct decryption contexts, (K,N,A) comprising a key K, a nonce N, and associate data A is an active research field motivated by several real-world attacks. In this paper, we study the context-committing security of Ascon, the lightweight permutation-based AE selected by the NIST LWC in 2023, for cryptanalysis on primitive and proof on mode. The attacker’s goal is to find a collision of a ciphertext and a tag with distinct decryption contexts in which an attacker can control all the parameters including the key. First, we propose new attacks with primitives that inject differences in N and A. The new attack on Ascon-128 improves the number of rounds from 2 to 3 and practically generates distinct decryption contexts. The new attack also works in a practical complexity on 3 rounds of Ascon-128a. Second, we prove the context-committing security of Ascon with zero padding, namely Ascon-zp, in the random permutation model. Ascon-zp achieves min {t+z/2 , n+t−k−ν/2 , c/2}-bit security with a t-bit tag, a z-bit padding, an n-bit state, a ν-bit nonce, and a c-bit inner part. This bound corresponds to min {64 + z/2 , 96} with Ascon-128 and Ascon-128a, and min {64 + z/2 , 80} with Ascon-80pq. The original Ascon (z = 0) achieves 64-bit security bounded by a generic birthday attack. By appending zeroes to the plaintext, the security can be enhanced up to 96 bits for Ascon-128 and Ascon-128a and 80 bits for Ascon-80pq.