Ascon

Publications

NIST standard (initial public draft):

Meltem Sönmez Turan, Kerry A. McKay, Donghoon Chang, Jinkeon Kang, John Kelsey. Ascon-Based Lightweight Cryptography Standards for Constrained Devices: Authenticated Encryption, Hash, and Extendable Output Functions. NIST Special Publication 800 – NIST SP 800-232 ipd (2024) [web]

Journal of Cryptology publication:

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Ascon v1.2: Lightweight Authenticated Encryption and Hashing. Journal of Cryptology 34(3), 33 (2021) [bib|doi]

Design rationale and designers’ results on Ascon’s security (NIST submission):

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Ascon v1.2. Submission to the NIST Lightweight Cryptography competition (2019) [nist|web]

Design rationale and designers’ results on Ascon’s security (CAESAR submission):

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016) [caesar|web]


Ascon permutation

Improved 7-round lower bounds for differential characteristics:

Mathieu Degré, Patrick Derbez, Lucie Lahaye, André Schrottenloher. New Models for the Cryptanalysis of ASCON. IACR Cryptology ePrint Archive 2024/298 (2024) [bib|eprint]

3-round and 4-round MitM collision for Ascon-Hash:

Xiaoyang Dong, Boxin Zhao, Lingyue Qin, Qingliang Hou, Shun Zhang, Xiaoyun Wang. Generic MitM Attack Frameworks on Sponge Constructions. CRYPTO 2024. See also: IACR Cryptology ePrint Archive 2024/604 (2024) [bib|doi|eprint]

2-round preimage with complexity 2^34, and 3-round preimage with 64-bit input in 2^56 for Ascon-Xof:

Seungjun Baek, Giyoon Kim, Jongsung Kim. Preimage attacks on reduced-round Ascon-Xof. Des. Codes Cryptogr. 92(8), 2197–2217. See also: IACR Cryptology ePrint Archive 2024/371 (2024) [bib|doi|eprint]

New 4-round preimage approach for Ascon-Xof:

Zhongfeng Niu, Kai Hu, Siwei Sun, Zhiyu Zhang, Meiqin Wang. Speeding Up Preimage and Key-Recovery Attacks with Highly Biased Differential-Linear Approximations. CRYPTO 2024. See also: IACR Cryptology ePrint Archive 2024/857 (2024) [bib|doi|eprint]

Ting Peng, Wentao Zhang, Jingsui Weng, Tianyou Ding. New Approaches for Estimating the Bias of Differential-Linear Distinguishers. CRYPTO 2024. See also: IACR Cryptology ePrint Archive 2024/871 (2024) [bib|doi|eprint]

7-round cube attack key recovery with 2^70 data and 2^72.4 time complexity for 2^159.97 keys of Ascon-128a:

Kai Hu. Improved Conditional Cube Attacks on Ascon AEADs in Nonce-Respecting Settings with a Break-Fix Strategy. IACR Trans. Symmetric Cryptol. 2024(2), 118–140. See also: IACR Cryptology ePrint Archive 2024/743 (2024) [bib|doi|eprint]

3-round and 4-round preimages for Ascon-Xof:

Lingyue Qin, Jialiang Hua, Xiaoyang Dong, Hailun Yan, Xiaoyun Wang. Meet-in-the-Middle Preimage Attacks on Sponge-Based Hashing. EUROCRYPT 2023 (2023) [bib|doi]

8-round distinguisher with complexity 2^48 and zero-sum distinguisher for full-round Ascon with 2^55 complexity using non-black-box techniques (HATF, DSF):

Kai Hu, Thomas Peyrin, Quan Quan Tan, Trevor Yap. Revisiting Higher-Order Differential-Linear Attacks from an Algebraic Perspective. ASIACRYPT 2023 (2023) [bib|doi]

Large structure of 5-round ID and ZC distinguishers for Ascon:

Hosein Hadipour, Simon Gerhalter, Sadegh Sadeghi, Maria Eichlseder. Improved Search for Integral, Impossible Differential and Zero-Correlation Attacks Application to Ascon, ForkSKINNY, SKINNY, MANTIS, PRESENT and QARMAv2. IACR Trans. Symmetric Cryptol. 2024(1), 234–325. See also: IACR Cryptology ePrint Archive 2023/1701 (2024) [bib|doi|eprint]

Ascon-Xof preimage attacks on 2, 3, and 4 rounds with complexities 2^31.56, 2^112.205, and 2^124.49:

Huina Li, Le He, Shiyao Chen, Jian Guo, Weidong Qiu. Automatic Preimage Attack Framework on Ascon Using a Linearize-and-Guess Approach. IACR Trans. Symmetric Cryptol. 2023(3), 74–100. See also: IACR Cryptology ePrint Archive 2023/1266 (2023) [bib|doi|eprint|web]

2-round collision for Ascon-Hash with complexity 2^62.6:

Xiaorui Yu, Fukang Liu, Gaoli Wang, Siwei Sun, Willi Meier. A Closer Look at the S-Box: Deeper Analysis of Round-Reduced ASCON-HASH. SAC 2023 (2023) [bib|doi]

Bounds for minimum number of MILP inequalities raised to 31:

Debranjan Pal, Vishal Pankaj Chandratreya, Dipanwita Roy Chowdhury. New Techniques for Modeling SBoxes: An MILP Approach. CANS 2023 (2023) [bib|doi]

No non-trivial perfect linear approximations exist:

Christof Beierle, Patrick Felke, Gregor Leander, Patrick Neumann, Lukas Stennes. On Perfect Linear Approximations and Differentials over Two-Round SPNs. CRYPTO 2023 (2023) [bib|doi]

3-round ciphertext and tag collision for authenticated encryption:

Yusuke Naito, Yu Sasaki, Takeshi Sugawara. Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode. IACR Trans. Symmetric Cryptol. 2023(4), 420–451 (2023) [bib|doi]

4-round and 6-round bounds for differential probability and square correlation of 2^-72 and 2^-108:

Johannes Erlacher, Florian Mendel, Maria Eichlseder. Bounds for the Security of Ascon against Differential and Linear Cryptanalysis. IACR Trans. Symmetric Cryptol. 2022(1), 64–87 (2022) [bib|doi]

Improved 4-round and 5-round bounds on active S-Boxes in Ascon:

Rusydi H. Makarim, Raghvendra Rohit. Towards Tight Differential Bounds of Ascon A Hybrid Usage of SMT and MILP. IACR Trans. Symmetric Cryptol. 2022(3), 303–340 (2022) [bib|doi]

5-round differential-linear distinguishers:

Aslí Basak Civek, Cihangir Tezcan. Experimentally Obtained Differential-Linear Distinguishers for Permutations of ASCON and DryGASCON. ICISSP 2021 (2022) [bib|doi]

Proving 6-round bounds beyond 2^-128 for linear and differential characteristics of the Ascon permutation:

Solane El Hirch, Silvia Mella, Alireza Mehrdad, Joan Daemen. Improved Differential and Linear Trail Bounds for ASCON. IACR Trans. Symmetric Cryptol. 2022(4), 145–178. See also: IACR Cryptology ePrint Archive 2022/1377 (2022) [bib|doi|eprint]

Identifying sets of keys for which the cube-based attacks on 7R are more efficient:

Raghvendra Rohit, Santanu Sarkar. Diving Deep into the Weak Keys of Round Reduced Ascon. IACR Transactions on Symmetric Cryptology 2021(4), 74–99. See also: IACR Cryptology ePrint Archive 2021/1556 (2021) [bib|doi|eprint]

Limited-birthday distinguishers up to 7R, forgeries up to 4R Ascon-128, collisions for 2R Ascon-Hash:

David Gérault, Thomas Peyrin, Quan Quan Tan. Exploring Differential-Based Distinguishers and Forgeries for ASCON. IACR Transactions on Symmetric Cryptology 2021(3), 102–136. See also: IACR Cryptology ePrint Archive 2021/1103 (2021) [bib|doi|eprint]

Optimized cube-based attacks on 7R using at most 2^64 data:

Raghvendra Rohit, Kai Hu, Sumanta Sarkar, Siwei Sun. Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon. IACR Transactions on Symmetric Cryptology 2021(1), 130–155. See also: IACR Cryptology ePrint Archive 2021/194 (2021) [bib|doi|eprint]

MILP model of the DDT of Ascon’s S-box:

Aleksei Udovenko. MILP modeling of Boolean functions by minimum number of inequalities. IACR Cryptology ePrint Archive 2021/1099 (2021) [bib|eprint]

Differential-linear attacks up to 5R of the permutation:

Meicheng Liu, Xiaojuan Lu, Dongdai Lin. Differential-Linear Cryptanalysis from an Algebraic Perspective. CRYPTO 2021 (2021) [bib|doi]

Improved distinguishers using the bit-based division property for 5R Ascon permutation:

Shibam Ghosh, Orr Dunkelman. Automatic Search for Bit-Based Division Property. LATINCRYPT 2021. See also: IACR Cryptology ePrint Archive 2021/965 (2021) [bib|doi|eprint]

Improved complexity of 4R and 5R differential-linear attacks:

Cihangir Tezcan. Analysis of Ascon, DryGASCON, and Shamash Permutations [bib|eprint]

Cycle properties of Ascon’s linear layer:

Guoqiang Deng, Yongzhuang Wei, Xuefeng Duan, Enes Pasalic, Samir Hodzic. Specifying cycles of minimal length for commonly used linear layers in block ciphers. IACR Cryptology ePrint Archive 2020/1163 (2020) [bib|eprint]

Integral distinguishers for the round-reduced inverse Ascon permutation:

Hailun Yan, Xuejia Lai, Lei Wang, Yu Yu, Yiran Xing. New zero-sum distinguishers on full 24-round Keccak-f using the division property. IET Information Security 13(5), 469–478 (2019) [bib|doi]

Improved 4-round differential-linear analysis and subspace trails:

Cihangir Tezcan. Distinguishers for Reduced Round Ascon, DryGASCON, and Shamash Permutations. NIST Lightweight Cryptography Workshop 2019 (2019) [web]

Collisions for Ascon-Hash reduced to 2 rounds with complexity 2^125:

Rui Zong, Xiaoyang Dong, Xiaoyun Wang. Collision Attacks on Round-Reduced Gimli-Hash/Ascon-Xof/Ascon-Hash. IACR Cryptology ePrint Archive 2019/1115 (2019) [bib|eprint]

Designers’ analysis of Ascon’s hash and extendable output functions:

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Preliminary Analysis of Ascon-Xof and Ascon-Hash (version 0.1). Preprint (2019) [web]

Detailed analysis of differential-linear attack on 5 rounds:

Achiya Bar-On, Orr Dunkelman, Nathan Keller, Ariel Weizman. DLCT: A New Tool for Differential-Linear Cryptanalysis. EUROCRYPT 2019. See also: IACR Cryptology ePrint Archive 2019/256 (2019) [eprint]

No good subspace trails exist for Ascon:

Gregor Leander, Cihangir Tezcan, Friedrich Wiemer. Searching for Subspace Trails and Truncated Differentials. IACR Transactions on Symmetric Cryptology 2018(1), 74–100 (2018) [bib|doi]

Cube-like key-recovery attack on 7-round Ascon in 2^103.9 time:

Zheng Li, Xiaoyang Dong, Xiaoyun Wang. Conditional Cube Attack on Round-Reduced ASCON. IACR Transactions on Symmetric Cryptology 2017(1), 175–202. See also: IACR Cryptology ePrint Archive 2017/160 (2017) [bib|doi|eprint|web]

Cube-like attacks in a nonce-misuse setting:

Yanbin Li, Guoyan Zhang, Wei Wang, Meiqin Wang. Cryptanalysis of round-reduced ASCON. Science China Information Sciences 60(3), 038102 (2017) [bib|doi]

Security of Ascon against state-recovery attacks:

Ashutosh Dhar Dwivedi, Miloš Klouček, Pawel Morawiecki, Ivica Nikolič, Josef Pieprzyk, Sebastian Wójtowicz. SAT-based Cryptanalysis of Authenticated Ciphers from the CAESAR Competition. IACR Cryptology ePrint Archive 2016/1053 (2017) [bib|doi|eprint]

Differential distinguishers based on undisturbed bits for 5 rounds with 2^109 data:

Cihangir Tezcan. Truncated, Impossible, and Improbable Differential Analysis of Ascon. ICISSP 2016. See also: IACR Cryptology ePrint Archive 2016/490 (2016) [bib|doi|eprint]

Security of Ascon’s S-box against division property attacks:

Faruk Göloglu, Vincent Rijmen, Qingju Wang. On the division property of S-boxes. IACR Cryptology ePrint Archive 2016/188 (2016) [bib|eprint]

Linear characteristic for 5 rounds with 67 active S-boxes, bias 2^-94:

Christoph Dobraunig, Maria Eichlseder, Florian Mendel. Heuristic Tool for Linear Cryptanalysis with Applications to CAESAR Candidates. ASIACRYPT 2015. See also: IACR Cryptology ePrint Archive 2015/1200 (2015) [bib|doi|eprint]

Integral distinguishers for 5 to 11 rounds, e.g., 2^65 texts for 7 rounds:

Yosuke Todo. Structural Evaluation by Generalized Integral Property. EUROCRYPT 2015. See also: IACR Cryptology ePrint Archive 2015/090 (2015) [bib|doi|eprint]

Linear, differential, cube-like attacks (key recovery: 6 rounds, permutation distinguisher):

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Cryptanalysis of Ascon. CT-RSA 2015. See also: IACR Cryptology ePrint Archive 2015/030 (2015) [bib|doi|eprint]


Ascon mode

Efficient modes of operation for standalone message authentication for short and arbitrary-length messages:

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Ascon MAC, PRF, and Short-Input PRF – Lightweight, Fast, and Efficient Pseudorandom Functions. CT-RSA 2024. See also: IACR Cryptology ePrint Archive 2021/1574 (2024) [bib|doi|eprint]

Security bounds including multi-user and nonce-misuse settings:

Bart Mennink, Charlotte Lefevre. Generic Security of the Ascon Mode: On the Power of Key Blinding. IACR Cryptology ePrint Archive 2023/796 (2023) [bib|eprint]

Improved security bound for Ascon AEAD:

Bishwajit Chakraborty, Chandranan Dhar, Mridul Nandi. Exact Security Analysis of ASCON. ASIACRYPT 2023 (2023) [bib|doi]

Improved generic preimage security bound for Ascon-Hash to 2^192:

Charlotte Lefevre, Bart Mennink. Tight Preimage Resistance of the Sponge Construction. CRYPTO 2022 (2022) [bib|doi]

Leakage security of Ascon:

Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert. Towards Lighter Leakage-resilient Authenticated Encryption from the Duplex Construction. IACR Cryptology ePrint Archive 2019/193 (2019) [bib|eprint]

Comparison of Ascon’s misuse resistance with other Round-3 CAESAR candidates:

Serge Vaudenay, Damian Vizár. Can Caesar Beat Galois? – Robustness of CAESAR Candidates Against Nonce Reusing and High Data Complexity Attacks. ACNS 2018. See also: IACR Cryptology ePrint Archive 2017/1147 (2018) [bib|doi|eprint]

Security analysis and bounds for the full-state keyed duplex with application to Ascon-128 and Ascon-128a:

Joan Daemen, Bart Mennink, Gilles Van Assche. Full-State Keyed Duplex with Built-In Multi-user Support. ASIACRYPT 2017. See also: IACR Cryptology ePrint Archive 2017/498 (2017) [bib|doi|eprint]

Analysis of the reforgeability of Ascon, i.e., the cost of obtaining multiple forgeries:

Christian Forler, Eik List, Stefan Lucks, Jakob Wenzel. Reforgeability of Authenticated Encryption Schemes. ACISP 2017. See also: IACR Cryptology ePrint Archive 2017/332 (2017) [bib|doi|eprint]

Ascon’s mode supports secure implementations on limited-memory devices:

Megha Agrawal, Donghoon Chang, Somitra Sanadhya. sp-AELM: Sponge Based Authenticated Encryption Scheme for Memory Constrained Devices. ACISP 2015 (2015) [bib|doi]

Suggestions to absorb authenticated data more efficiently:

Yu Sasaki, Kan Yasuda. How to Incorporate Associated Data in Sponge-Based Authenticated Encryption. CT-RSA 2015 (2015) [bib|doi]

Security proof for Ascon’s sponge mode even for higher rates:

Philipp Jovanovic, Atul Luykx, Bart Mennink. Beyond 2^(c/2) Security in Sponge-Based Authenticated Encryption Modes. ASIACRYPT 2014. See also: IACR Cryptology ePrint Archive 2014/373 (2014) [bib|doi|eprint]


Ascon implementation

Sinian Luo, Weibin Wu, Yanbin Li, Ruyun Zhang, Zhe Liu. An Efficient Soft Analytical Side-Channel Attack on Ascon. WASA 2022 (2022) [bib|doi]

Siemen Dhooghe. Analyzing Masked Ciphers Against Transition and Coupling Effects. IACR Cryptology ePrint Archive 2021/1095 (2021) [bib|eprint]

Davide Bellizia, Olivier Bronchain, Gaëtan Cassiers, Vincent Grosso, Chun Guo, Charles Momin, Olivier Pereira, Thomas Peters, François-Xavier Standaert. Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography – A Practical Guide Through the Leakage-Resistance Jungle. CRYPTO 2020 (2020) [bib|doi]

Michael Tempelmeier, Fabrizio De Santis, Georg Sigl, Jens-Peter Kaps. The CAESAR-API in the real world – Towards a fair evaluation of hardware CAESAR candidates. HOST 2018 (2018) [bib|doi]

Noël Bangma. Ascon: An attempt in NEON on the Cortex-A8. Bachelor’s Thesis (2018) [web]

Alexandre Adomnicai, Jacques J. A. Fournier, Laurent Masson. Masking the Lightweight Authenticated Ciphers ACORN and Ascon in Software. IACR Cryptology ePrint Archive 2018/708 (2018) [bib|eprint]

Hannes Gross, Rinat Iusupov, Roderick Bloem. Generic Low-Latency Masking in Hardware. IACR Transactions on Cryptographic Hardware and Embedded Systems 2018(2), 1–21. See also: IACR Cryptology ePrint Archive 2017/1223 (2018) [bib|doi|eprint]

Niels Samwel, Joan Daemen. DPA on hardware implementations of Ascon and Keyak. CF 2017 (2017) [bib|doi]

Hannes Groß, Erich Wenger, Christoph Dobraunig, Christoph Ehrenhöfer. Ascon hardware implementations and side-channel evaluation. Microprocessors and Microsystems 52, 470–479 (2017) [bib|doi]

Rajesh Kumar Pal. Implementation and Evaluation of Authenticated Encryption Algorithms on Java Card Platform (master’s thesis). Master’s Thesis (2017) [web|git]

Hannes Gross, Stefan Mangard. Reconciling d+1 Masking in Hardware and Software. CHES 2017. See also: IACR Cryptology ePrint Archive 2017/103 (2017) [bib|eprint]

Ralph Ankele, Robin Ankele. Software Benchmarking of the 2nd round CAESAR Candidates. IACR Cryptology ePrint Archive 2016/740 (2016) [bib|eprint]

Ko Stoffelen. Optimizing S-Box Implementations for Several Criteria Using SAT Solvers. FSE 2016. See also: IACR Cryptology ePrint Archive 2016/198 (2016) [bib|doi|eprint]

Liran Lerman, Olivier Markowitch, Nikita Veshchikov. Comparing Sboxes of Ciphers from the Perspective of Side-Channel Attacks. AsianHOST 2016. See also: IACR Cryptology ePrint Archive 2016/993 (2016) [bib|doi|eprint]

Niels Samwel. Side-Channel Analysis of Keccak and Ascon. Master’s Thesis (2016) [web]

Michael Fivez. Energy Efficient Hardware Implementations of CAESAR Submissions. Master’s Thesis (2016) [web|git]

Hannes Groß, Erich Wenger, Christoph Dobraunig, Christoph Ehrenhöfer. Suit up! – Made-to-Measure Hardware Implementations of Ascon. DSD 2015. See also: IACR Cryptology ePrint Archive 2015/034 (2015) [bib|doi|eprint]