Published online: 13 Apr 2024
Pages: 1 - 24
Received: 18 Aug 2022
Accepted: 23 Feb 2024
DOI: https://doi.org/10.2478/tmmp-2024-0007
Keywords
© 2024 Miloslav Smičík et al., published by Sciendo
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Ascon is a family of lightweight authenticated encryption and hashing algorithms, which is a finalist in the NIST Lightweight Cryptography competition. We study the Ascon algorithm from the perspective of algebraic cryptanalysis based on the MRHS representation of the cipher. We call such an approach an MRHS cryptanalysis.
We represent the system on the gate level (focusing on individual AND-gates) and the S-box level (basing MRHS equations on 5-bit S-boxes). We compare the results from the application of two custom MRHS solvers. The RZ solver is based on linear algebra and exhaustive search. The HC solver is based on adaptive bit-flipping with restarts.
We show that both the choice of the solver and the choice of the system representation influence the total complexity of the attack. On the other hand, these choices do not change the fundamental properties of the attack, such as scaling with the amount of information the attacker possesses. A similar assessment holds for using a scaled-down version of Ascon for the experiments. Our method can be used for the experimental evaluation of cipher designs against algebraic attacks.