Heliyon. 2024 Feb 13;10(5):e26119. doi: 10.1016/j.heliyon.2024.e26119

Improved 2-round collision attack on IoT hash standard ASCON-HASH

Di Zhai, Wei Bai, Jianding Fu, Hongjian Gao, Xueqiong Zhu
PMCID: PMC10907535  PMID: 38434343

Abstract

Lightweight cryptography algorithms are a class of ciphers designed to protect data generated and transmitted by the Internet of Things. They typically have low requirements in terms of storage space and power consumption, and are well suited to resource-limited application scenarios such as embedded systems, actuators, and sensors. The NIST lightweight cryptography standardization process aims to identify lightweight cryptographic algorithms that can serve as standards, with the objective of enhancing data security in such scenarios. ASCON was selected as the lightweight cryptography standard, and ASCON-HASH is the hash function of the ASCON family. This paper presents a detailed analysis of the differential characteristics of ASCON-HASH, exploiting the quadratic S-box. Additionally, we employ message modification techniques and ultimately demonstrate a non-practical collision attack on 2-round ASCON-HASH with a time complexity of $2^{98}$ hash function calls.

Keywords: IoT, ASCON, ASCON-HASH, Collision attack, Lightweight cryptography

1. Introduction

The demand for lightweight ciphers arises primarily from the widespread use of IoT devices. Resource-constrained environments impose limits on storage space and power consumption, and traditional cryptographic algorithms may be too costly to run efficiently under them. Hence lightweight cryptographic algorithms are needed to meet the requirements of these environments. Their design goal is to provide sufficient security and performance in resource-constrained scenarios by balancing security against resource consumption. These ciphers must protect sensitive data and secure communication while delivering encryption and decryption performance that meets real-time requirements.

Moreover, standardization plays a vital role in encouraging the adoption and interoperability of lightweight cryptographic algorithms. Going through a standardization process gives confidence in their security and dependability and establishes uniform guidelines for developers, which in turn simplifies their implementation and use in different IoT settings. In 2013, the National Institute of Standards and Technology (NIST) initiated its lightweight cryptography project. In 2016, NIST presented an outline of the project and emphasized the need for new algorithms for a lightweight cryptography standard. In 2019, NIST received 57 submissions in total, of which 56 were accepted as first-round candidates after the initial evaluation. In Round 2 [1], NIST narrowed the selection down to 32 submissions, including ASCON. ASCON then advanced as one of the ten finalists of the standardization process. Finally, on February 7, 2023, NIST announced the ASCON family as the selected standard for lightweight cryptography.

The ASCON cipher suite [2] offers authenticated encryption with associated data (AEAD) and hashing. Its design is straightforward and adaptable, allowing efficient implementation in both hardware and software, which makes it well suited to environments with limited resources. ASCON is also parameterized to meet different security and performance needs: ASCON-128 and ASCON-128a provide a 128-bit security level, and ASCON-80pq uses a 160-bit key to add margin against quantum key search. ASCON both encrypts data and protects its integrity. It also accommodates associated data, i.e., additional information such as headers or the identities of sender and receiver that is authenticated but not encrypted.

Development of ASCON  ASCON participated in Round 1 of the CAESAR competition [3] with its initial design, version v1. It specified a permutation and an authenticated encryption mode, recommending ASCON-128 as the primary choice and ASCON-96 as a variant with a 96-bit key. Later versions, v1.1 [4] and v1.2 [5], incorporated minor functional tweaks, including a reorganization of the round constants, and the secondary recommendation became ASCON-128a. Version v1.2 [5], together with the accompanying status update document [6], was submitted to the NIST Lightweight Cryptography project. The NIST submission included not only the authenticated cipher family but also the hashing modes ASCON-HASH and ASCON-XOF, as well as ASCON-80pq, a third parameterization for authenticated encryption. ASCON-HASH produces 256-bit hash values, while ASCON-XOF produces output of any length.

Related results  ASCON has been the subject of extensive analysis. The submission document [7] provides detailed information on the security of the ASCON permutation, and the designers analyzed the security of the newest version in [8]. Soon after ASCON was proposed, analysis results followed: [9] gave differential analysis results for ASCON, [10] proposed a cube attack on round-reduced ASCON, and a more detailed cryptanalysis of round-reduced ASCON was published in [11].

The security analysis of collision resistance for hash functions, specifically ASCON-XOF and ASCON-HASH, was conducted by the designers and presented in [12]. In the same paper, they also introduced a semi-free-start collision attack on 4-round ASCON-XOF and ASCON-HASH, assuming a chosen IV (initial value), without providing a detailed process or complexity analysis.

In [13], the authors proposed two attack strategies for finding collisions in sponge-based hash functions, including GIMLI-HASH, ASCON-HASH, and ASCON-XOF. They focused mainly on the first strategy and presented results for the three hash functions using it; for brevity, we omit the GIMLI-HASH results. For ASCON-XOF, they achieved a practical collision with a designated IV. For ASCON-HASH, they demonstrated a non-practical 2-round collision attack with a time complexity of $2^{125}$.

However, according to [14], the characteristic found in [13] is invalid, which invalidates that attack, although the strategy itself remains effective. The time complexity depends to a great extent on the number of active S-boxes in the input difference of the characteristic. In [15], the authors found a valid characteristic with fewer active S-boxes and, using the same attack strategy as [13], gave a 2-round collision attack with a time complexity of $2^{103}$ hash function calls. Qin et al. [16] presented collision attacks on 3 and 4 rounds of ASCON-HASH by turning preimages for ASCON-XOF into collisions for ASCON-HASH; although they extend the number of rounds, the time complexity of $2^{130}$ is still far from practical. So far we have not seen any result that uses the message modification technique, so we try to accelerate the collision attack with it.

Our contributions  In this paper, our main focus is ASCON-HASH, a sponge-based hash function. We first present the attack strategy of [13] for finding collisions in 2-round ASCON-HASH. We then propose our own approach to reduce the time complexity from $2^{103}$ to $2^{98}$ hash function calls. Our method is based on the characteristic discovered in [15], and we draw inspiration from [14], who merged conditions in two consecutive rounds of GIMLI-HASH using an algebraic method; in our case, however, we primarily employ the message modification technique described in [17]. The related results are listed in Table 1.

Table 1.

The collision attack results of 2-round ASCON-HASH.

Reference        [13] (invalid)   [15]        This paper
Time complexity  $2^{125}$        $2^{103}$   $2^{98}$

Outline. In Section 2, we give a concise overview of ASCON-HASH and introduce the notation used in this paper. In Section 3, we describe the attack strategy proposed in [13] and the useful observations on the S-box of ASCON-HASH. In Section 4, we give our technique for improving this attack, including merging conditions and message modification. Finally, Section 5 concludes the paper.

2. Preliminaries

2.1. Notations

  • $S$ is the state of the hash function.

  • $M$ is the message.

  • $M_i$ denotes the $i$-th block of the padded message.

  • $r$ is the bit length of the rate part; in this paper, $r = 64$.

  • $c$ is the bit length of the capacity part; in this paper, $c = 256$.

  • $S_r$ is the rate part of $S$ (the first 64 bits).

  • $S_c$ is the capacity part of $S$ (the last $4 \times 64$ bits).

  • $\Delta$ denotes an XOR difference.

  • $p^a$ is the inner permutation of an $a$-round hash function.

  • $p^{(i)}$ denotes the permutation call that absorbs the $i$-th message block.

  • $S_i$ is the state at the input of the $i$-th round function.

  • $S_{i,s}$ denotes the state after the S-box layer of the $i$-th round function.

  • $S^j$ is the $j$-th 64-bit word (row) of $S$.

  • $X[k]$ is the $k$-th bit of a 64-bit word $X$; $X[0]$ is the least significant bit.

  • $x_i$ is the $i$-th bit of a 5-bit word $x$; $x_0$ is the most significant bit.

  • $\ggg$ denotes right rotation (circular right shift).

  • $\Sigma_i$ is the $i$-th linear diffusion function.

  • $\oplus$ is bitwise XOR.

2.2. Description of ASCON-HASH

ASCON-HASH is a hash function built on the sponge construction [18]. It operates on a 320-bit state and applies a 12-round permutation to it. It takes a message of any length as input and produces an output of fixed size. The hashing process is depicted in Fig. 1.

Figure 1. The hash mode of ASCON-HASH.

In ASCON-HASH, the state is divided into five 64-bit words, $S = S^0 \| S^1 \| S^2 \| S^3 \| S^4$. The first word (64 bits) is the rate part, while the remaining four words form the capacity part. The round function of ASCON-HASH consists of three operations applied in sequence, $f_C$, $f_S$ and $f_L$, following the substitution-permutation network (SPN) construction.

Addition of constants $f_C$  In this step, a round constant $c_r$ is XORed into the word $S^2$ of the round state: $S^2 \leftarrow S^2 \oplus c_r$. The round constants $c_r$ for the 12-round ASCON-HASH are given in Table 2.

Table 2.

Constant cr used in the permutation of ASCON.

Round          0   1   2   3   4   5   6   7   8   9   10  11
Constant $c_r$ f0  e1  d2  c3  b4  a5  96  87  78  69  5a  4b

Substitution layer $f_S$  This step applies 64 parallel instances of the 5-bit S-box to the state. The S-box is specified in Table 3. Each group of five input bits $x_0, \dots, x_4$ and output bits $y_0, \dots, y_4$ of an S-box corresponds to one column of the input or output state; see Fig. 2a.

Table 3.

The 5-bit S-box.

x 0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) 4 b 1f 14 1a 15 9 2 1b 5 8 12 1d 3 6 1c

x 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
S(x) 1e 13 7 e 0 d 11 18 10 c 1 19 16 a f 17

Figure 2. Substitution layer and linear layer.

Linear diffusion layer $f_L$  This step provides diffusion within each 64-bit word, as depicted in Fig. 2b. Each word $S^i$ is replaced by $\Sigma_i(S^i)$:

$$S^0 \leftarrow \Sigma_0(S^0) = S^0 \oplus (S^0 \ggg 19) \oplus (S^0 \ggg 28),$$
$$S^1 \leftarrow \Sigma_1(S^1) = S^1 \oplus (S^1 \ggg 61) \oplus (S^1 \ggg 39),$$
$$S^2 \leftarrow \Sigma_2(S^2) = S^2 \oplus (S^2 \ggg 1) \oplus (S^2 \ggg 6),$$
$$S^3 \leftarrow \Sigma_3(S^3) = S^3 \oplus (S^3 \ggg 10) \oplus (S^3 \ggg 17),$$
$$S^4 \leftarrow \Sigma_4(S^4) = S^4 \oplus (S^4 \ggg 7) \oplus (S^4 \ggg 41).$$

Within the $i$-th round function ($0 \le i < 12$), the intermediate states are denoted as follows:

$$S_i \xrightarrow{f_C} S_{i,c} \xrightarrow{f_S} S_{i,s} \xrightarrow{f_L} S_{i+1}.$$

The hash function begins by initializing the 320-bit state with the constant $IV = \texttt{00400c0000000100}$ and applying the permutation, $S_0 = p^{12}(IV \| 0^{256})$. In the absorbing phase we take this $S_0$ as the initial state. For 12-round ASCON-HASH, the words of $S_0$ are:

$S^0$ = ee9398aadb67f03d
$S^1$ = 8bb21831c60f1002
$S^2$ = b48a92db98d5da62
$S^3$ = 43189921b8f8e3e8
$S^4$ = 348fa5c9d525e140

The padding of ASCON-HASH appends a single 1 bit followed by the fewest 0 bits needed to make the length of the padded message a multiple of $r = 64$ bits. The hash function is detailed in Algorithm 1. The security claim for ASCON-HASH is $2^{128}$.

Algorithm 1. ASCON-HASH.
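The description above can be checked end to end with a short reference implementation. The following is an added example written for this page, not code from the paper; it implements the permutation of Section 2.2 (constant addition, bit-sliced S-box, linear layer) and the sponge mode of Algorithm 1. The only value not taken from the page is the initialization constant, for which the ASCON-HASH IV of the v1.2 specification, 0x00400c0000000100, is assumed; with it, $p^{12}(IV \| 0^{256})$ reproduces the $S_0$ listed above.

```python
# Added example (editor's code, not the paper's): a compact ASCON-HASH reference
# implementation in the notation of Section 2.2. It is used to check that
# p^12(IV || 0^256) yields the initial state S_0 listed in the paper and that the
# bit-sliced S-box agrees with Table 3. Words S[0..4] are S^0..S^4 as 64-bit
# Python ints; S[0] is the rate word. IV_HASH is the ASCON-HASH IV of the v1.2
# specification (assumed here; the page prints a different constant).

MASK64 = (1 << 64) - 1
ROT = [(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]  # Sigma_0 .. Sigma_4
IV_HASH = 0x00400C0000000100  # rate 64 bits, 12 rounds, 256-bit output


def rotr(x, n):
    """Circular right shift of a 64-bit word."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def round_constant(r):
    """c_r for round index r in 0..11: f0, e1, d2, ..., 4b (Table 2)."""
    return ((0xF - r) << 4) | r


def sbox_layer(S):
    """f_S: the 5-bit S-box of Table 3 applied to all 64 columns at once."""
    S = list(S)
    S[0] ^= S[4]; S[4] ^= S[3]; S[2] ^= S[1]
    T = [(~S[i] & MASK64) & S[(i + 1) % 5] for i in range(5)]
    for i in range(5):
        S[i] ^= T[(i + 1) % 5]
    S[1] ^= S[0]; S[0] ^= S[4]; S[3] ^= S[2]; S[2] ^= MASK64
    return S


def linear_layer(S):
    """f_L: S^i <- S^i ^ (S^i >>> a) ^ (S^i >>> b) with (a, b) = ROT[i]."""
    return [w ^ rotr(w, a) ^ rotr(w, b) for w, (a, b) in zip(S, ROT)]


def ascon_round(S, r):
    """One round S_r -> S_{r+1}: f_C (constant into S^2), then f_S, then f_L."""
    S = list(S)
    S[2] ^= round_constant(r)
    return linear_layer(sbox_layer(S))


def permutation(S, rounds=12):
    """p^rounds: the last `rounds` of the 12 rounds (constants c_{12-rounds} .. c_11)."""
    for r in range(12 - rounds, 12):
        S = ascon_round(S, r)
    return S


def sbox_table():
    """Recover the 32-entry table of Table 3 from the bit-sliced S-box by placing
    one 5-bit column (x_0 in S^0, i.e. the MSB) into bit 0 of each word."""
    table = []
    for x in range(32):
        Y = sbox_layer([(x >> (4 - j)) & 1 for j in range(5)])
        table.append(sum((Y[j] & 1) << (4 - j) for j in range(5)))
    return table


def initial_state():
    """S_0 = p^12(IV || 0^256): the state before the first block is absorbed."""
    return permutation([IV_HASH, 0, 0, 0, 0], 12)


def pad(msg):
    """Append a single 1 bit, then the fewest 0 bits reaching a multiple of r = 64."""
    msg = msg + b"\x80"
    return msg + b"\x00" * (-len(msg) % 8)


def ascon_hash(msg, rounds=12):
    """Absorb each 64-bit block into S^0 followed by p^(i), then squeeze 256 bits.
    rounds < 12 gives the round-reduced variant attacked in the paper."""
    S = initial_state()
    padded = pad(msg)
    for i in range(0, len(padded), 8):
        S[0] ^= int.from_bytes(padded[i:i + 8], "big")
        S = permutation(S, rounds)
    out = S[0].to_bytes(8, "big")
    for _ in range(3):
        S = permutation(S, rounds)
        out += S[0].to_bytes(8, "big")
    return out


if __name__ == "__main__":
    print(" ".join(f"{w:016x}" for w in initial_state()))
    print(ascon_hash(b"").hex())
```

`permutation(S, 2)` is the 2-round primitive used in the attack; since constants are applied to $S^2$, which carries no difference in the characteristic, the choice of which two rounds are kept does not affect the differential analysis.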

3. The 2-round collision attack strategy on ASCON-HASH

3.1. Observations

The ANF of ASCON's 5-bit S-box with input $x = x_0 \| x_1 \| x_2 \| x_3 \| x_4$ and output $y = y_0 \| y_1 \| y_2 \| y_3 \| y_4$ is given in Equation (1).

$$\begin{cases}
y_0 = x_4x_1 \oplus x_3 \oplus x_2x_1 \oplus x_2 \oplus x_1x_0 \oplus x_1 \oplus x_0,\\
y_1 = x_4 \oplus x_3x_2 \oplus x_3x_1 \oplus x_3 \oplus x_2x_1 \oplus x_2 \oplus x_1 \oplus x_0,\\
y_2 = x_4x_3 \oplus x_4 \oplus x_2 \oplus x_1 \oplus 1,\\
y_3 = x_4x_0 \oplus x_4 \oplus x_3x_0 \oplus x_3 \oplus x_2 \oplus x_1 \oplus x_0,\\
y_4 = x_4x_1 \oplus x_4 \oplus x_3 \oplus x_1x_0 \oplus x_1.
\end{cases} \quad (1)$$

[13] gave several useful observations on the S-box. We mainly use Observation 1, stated below.

Observation 1

When the last four input difference bits are inactive, i.e., $\Delta x_1 = \Delta x_2 = \Delta x_3 = \Delta x_4 = 0$ (so that $\Delta x_0 = 1$), the following constraints hold:

- The output difference satisfies

$$\begin{cases} \Delta y_0 \oplus \Delta y_4 = 1,\\ \Delta y_1 = \Delta x_0,\\ \Delta y_2 = 0. \end{cases} \quad (2)$$

- The input value satisfies

$$\begin{cases} x_1 = \Delta y_0 \oplus 1,\\ x_3 \oplus x_4 = \Delta y_3 \oplus 1. \end{cases} \quad (3)$$

The proof of Observation 1 is given in the appendix of [13]. Following the same line of thought, we obtain Observation 2.

Observation 2

Focusing on the output bit $y_0$ of an S-box: when $x_2, x_3, x_4$ are known and $x_1 = 0$, the value of $y_0$ is determined by $x_0$ as Equation (4) shows,

$$y_0 = \begin{cases} x_3 \oplus x_2, & x_0 = 0,\\ x_3 \oplus x_2 \oplus 1, & x_0 = 1, \end{cases} \quad (4)$$

while if $x_1 = 1$, $x_0$ has no effect on $y_0$.

Proof

Substituting $x_0 = 0$ and $x_0 = 1$ into the expression for $y_0$ in Equation (1) gives

$$y_0 = \begin{cases} x_4x_1 \oplus x_3 \oplus x_2x_1 \oplus x_2 \oplus x_1, & x_0 = 0,\\ x_4x_1 \oplus x_3 \oplus x_2x_1 \oplus x_2 \oplus 1, & x_0 = 1. \end{cases} \quad (5)$$

If $x_1 = 1$, the two expressions in Equation (5) coincide, so $x_0$ has no effect. If we set $x_1 = 0$, the value of $y_0$ is controlled by $x_0$. Moreover, since $x_0$ in $S_0$ lies in the rate part and can be adjusted through the absorbed message, the value of $y_0$ can be adjusted by modifying the message.

3.2. The attack process

Here we describe the first strategy of [13] in detail. It makes use of $k$-round differential characteristics whose input and output differences are nonzero in the rate part but zero in the capacity part. Assume that we have to construct $s$ ($s > 2$) pairs of message blocks in total.

The first $s-2$ message block pairs absorbed before $S_0$ have no difference. After these $s-2$ pairs are absorbed, the constraints on the capacity part of $S_0$ are satisfied. Next, we construct one more message pair that introduces the required difference in the rate part, namely $M_{s-1} \oplus M'_{s-1} = \Delta S_0^0$. After the 2-round permutation, a last message pair is needed to cancel the difference in the rate part of the output, namely $M_s \oplus M'_s = \Delta S_2^0$. So of the $s$ message block pairs we construct, the first $s-2$ pairs have no difference and only the last two pairs differ. This is shown in Fig. 3. The whole process is as follows.

Figure 3. The attack strategy.

-Find a 2-round differential.

In [15], the authors discovered the 2-round ASCON differential characteristic shown in Table 4, which has fewer active S-boxes than the one in [13]. Its overall probability is $2^{-156}$. Its input and output differences are nonzero only in the rate part. With 27 active S-boxes in $\Delta S_0$, Observation 1 yields 54 constraints on the capacity part of $S_0$: in each of these 27 columns the capacity bits must satisfy $x_1 = \Delta y_0 \oplus 1$ and $x_3 \oplus x_4 = \Delta y_3 \oplus 1$.

Table 4.

The differential characteristic of the ASCON in [15] for two rounds.

$\Delta S_0$       (prob. $2^{-54}$)   $\Delta S_1$       (prob. $2^{-102}$)   $\Delta S_2$
bb450325d90b1581                      2201080000011080                       baf571d85e1153d7
0                                     2adf0c201225338a                       0
0                                     0                                      0
0                                     0000000100408000                       0
0                                     2adf0c211265b38a                       0

-Construct message pairs.

As mentioned earlier, we choose message pairs that differ only in the last two blocks, i.e., $\Delta M_i = 0$ for $1 \le i \le s-2$, where each message consists of $s$ blocks. By Observation 1, imposing the input difference of the characteristic on $p^{(s-1)}$ places constraints on the value of the capacity part of $S_0$ of $p^{(s-1)}$. Assuming there are $X$ such constraints, and since each absorbed block provides $r$ bits of freedom, we need at least $\lceil X/r \rceil$ blocks to obtain one valid $S_0$ of $p^{(s-1)}$. For the characteristic of Table 4, $X = 54$ and $r = 64$. Finally, we generate two additional message blocks that respectively introduce the input difference of the characteristic and cancel the output difference. For this characteristic, $\Delta M_{s-1} = \texttt{bb450325d90b1581}$ and $\Delta M_s = \texttt{baf571d85e1153d7}$.

-Search for the collisions.

We search for suitable values of $S_0$ of $p^{(s-1)}$ by randomly choosing the first $s-2$ message blocks; the filtering probability is $2^{-54}$. For each qualifying $S_0$, if the characteristic has probability $p$, on average $1/p$ pairs of the $(s-1)$-th block are needed to find a pair that follows the characteristic. In summary, the attack strategy consists of the three steps above; for our case the complete attack process is as follows.

  1. Using the 64 bits of freedom provided by one ASCON message block, we randomly generate $2^{54+102-64} = 2^{92}$ 2-block messages $(M_0, M_1)$, hash them, and keep track of all the state values.

  2. Since each satisfies the 54 constraints with probability $2^{-54}$, we expect $2^{38}$ values of $(M_0, M_1)$ that satisfy them.

  3. For each of the $2^{38}$ 2-block messages obtained in Step 2, we exhaustively iterate over all $2^{64}$ message blocks $M_2$ and compute $M'_2 = M_2 \oplus \Delta S_0^0$, which gives $2^{64+38} = 2^{102}$ pairs of 3-block messages.

  4. A message pair satisfies the second-round constraints with probability $2^{-102}$, so on average one message pair produces the desired output difference.

  5. Appending a random message block $M_3$ to one member of the pair found in Step 4 and $M'_3 = M_3 \oplus \Delta S_2^0$ to the other directly yields a collision.

Complexity. The complexity of the attack procedure above is $(2 \times 2^{92}) + (2 \times 2^{102}) \approx 2^{103}$ hash function calls.

This improves on the $2^{125}$ hash function calls of [13]. In the next section we discuss how to improve this attack further, reducing the time complexity to $2^{98}$ hash function calls.

4. To improve the 2-round collision attack on ASCON-HASH

The main idea for improving this attack is to convert constraints in the later round into constraints in the earlier one of the two consecutive rounds. We are inspired by [14], where the authors used specific properties of the SP-boxes of the hash function GIMLI and successfully merged the conditions of two consecutive rounds. We also use the message modification technique proposed in [17] to further reduce the complexity.

4.1. Find the fixed bits in the states

Taking the linear layer into account, the complete differential characteristic of one permutation call is shown in Table 5. The differences propagate as $\Delta S_0 \xrightarrow{f_S} \Delta S_{0,s} \xrightarrow{f_L} \Delta S_1 \xrightarrow{f_S} \Delta S_{1,s} \xrightarrow{f_L} \Delta S_2$.

Table 5.

The 2-round ASCON-HASH differential characteristic including linear diffusion layer.

$\Delta S_0$ ($2^{-54}$)   $\Delta S_{0,s}$    $\Delta S_1$ ($2^{-102}$)   $\Delta S_{1,s}$    $\Delta S_2$
bb450325d90b1581         0000000000011080    2201080000011080          2adf0c211265b38a    baf571d85e1153d7
0                        bb450325d90b1581    2adf0c201225338a          0                   0
0                        0                   0                         0                   0
0                        0000000100000000    0000000100408000          0                   0
0                        bb450325d90a0501    2adf0c211265b38a          0                   0

In fact, we originally took $f_C$ (constant addition) into account as well and found that it has no effect on any step, so for clarity we do not discuss it further.

By Observation 1, since there are 27 active S-boxes in the input difference, we get 54 constraints on the capacity part in total. Moreover, there are 28 active S-boxes in $\Delta S_1$, and the probability of the transition from $\Delta S_1$ to $\Delta S_{1,s}$ is $2^{-102}$, so we now determine the 102 constraints that the value $S_1$ has to satisfy. We observe that the 28 active S-boxes of $\Delta S_1$ exhibit only 3 distinct input/output difference pairs from $\Delta S_1$ to $\Delta S_{1,s}$, as Table 6 shows. The transition from $\Delta S_0$ to $\Delta S_{0,s}$ follows Equation (2).

Table 6.

The input and output differences of the active S-boxes between $\Delta S_1$ and $\Delta S_{1,s}$ ($i$ indexes the columns, with $i = 0$ the least significant bit of each word; a column difference is written $\Delta x_0 \Delta x_1 \Delta x_2 \Delta x_3 \Delta x_4$).

Situation   $\Delta S_1^{0..4}[i]$   $\Delta S_{1,s}^{0..4}[i]$   Number of S-boxes   $i$
1           11001                    10000                        7                   7, 12, 16, 43, 48, 57, 61
2           00011                    10000                        3                   15, 22, 32
3           01001                    10000                        18                  1, 3, 8, 9, 13, 18, 21, 25, 28, 37, 42, 49, 50, 51, 52, 54, 55, 59

From the relation between the differences and the values of the S-box inputs, we obtain constraints for each of these 3 situations. In the following, $x$ denotes the input of a 5-bit S-box and $y$ the output of the same S-box, with $x_i$ and $y_i$ their $i$-th bits. The proofs of Equations (6)-(8) are given in Appendix A.

Situation 1. When $\Delta x = 11001$ and $\Delta y = 10000$ for an S-box, the following 3 equations hold. Since there are 7 such S-boxes between $\Delta S_1$ and $\Delta S_{1,s}$, we get 21 constraints on $S_1$ in total.

$$\begin{cases} x_0 \oplus x_4 = 0,\\ x_2 = 1,\\ x_3 = 0. \end{cases} \quad (6)$$

Situation 2. When $\Delta x = 00011$ and $\Delta y = 10000$ for an S-box, the following 3 equations hold. Since there are 3 such S-boxes between $\Delta S_1$ and $\Delta S_{1,s}$, we get 9 constraints on $S_1$ in total.

$$\begin{cases} x_1 = 0,\\ x_2 = 0,\\ x_3 \oplus x_4 = 0. \end{cases} \quad (7)$$

Situation 3. When $\Delta x = 01001$ and $\Delta y = 10000$ for an S-box, the following 4 equations hold. Since there are 18 such S-boxes between $\Delta S_1$ and $\Delta S_{1,s}$, we get 72 constraints on $S_1$ in total.

$$\begin{cases} x_0 = 0,\\ x_1 \oplus x_4 = 1,\\ x_2 = 0,\\ x_3 = 0. \end{cases} \quad (8)$$

Note that in Situation 3, because $x_0 = 0$, the corresponding 18 bits of $S_1^0$ (the rate word of $S_1$) are fixed to 0.
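All of the S-box facts used so far (Observations 1 and 2 of Section 3.1 and Equations (6)-(8) above) are statements about a 32-entry table, so they can be verified exhaustively rather than by hand, and the same code can replay the linear-layer transitions of Table 5, regroup the 28 active columns of $\Delta S_1$ as in Table 6, and recover the $2^{-54}$ and $2^{-102}$ round probabilities from the DDT. The block below is an added example written for this page (not the paper's code); it also exercises the message-modification rule of Equation (9) in Section 4.3, which rests on Observation 2. It takes only the S-box of Table 3, the rotation offsets of Section 2.2 and the differences of Table 5 from the page.

```python
import math

# Added example (editor's code, not the paper's): exhaustive checks of the S-box
# facts used in Sections 3.1 and 4.1 (Observations 1 and 2, Equations (6)-(8),
# Table 6), of the linear-layer transitions of Table 5, and of the message
# modification rule of Equation (9) in Section 4.3. Only the S-box of Table 3,
# the rotation offsets of Section 2.2 and the Table 5 differences come from the
# page; the checks themselves are this example's own code.

SBOX = [0x04, 0x0b, 0x1f, 0x14, 0x1a, 0x15, 0x09, 0x02, 0x1b, 0x05, 0x08, 0x12,
        0x1d, 0x03, 0x06, 0x1c, 0x1e, 0x13, 0x07, 0x0e, 0x00, 0x0d, 0x11, 0x18,
        0x10, 0x0c, 0x01, 0x19, 0x16, 0x0a, 0x0f, 0x17]
MASK64 = (1 << 64) - 1
ROT = [(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]  # Sigma_0 .. Sigma_4

# Table 5, rows S^0..S^4: the differences dS_0, dS_0,s, dS_1, dS_1,s, dS_2.
D_S0 = [0xbb450325d90b1581, 0, 0, 0, 0]
D_S0S = [0x0000000000011080, 0xbb450325d90b1581, 0, 0x0000000100000000, 0xbb450325d90a0501]
D_S1 = [0x2201080000011080, 0x2adf0c201225338a, 0, 0x0000000100408000, 0x2adf0c211265b38a]
D_S1S = [0x2adf0c211265b38a, 0, 0, 0, 0]
D_S2 = [0xbaf571d85e1153d7, 0, 0, 0, 0]

def bit(v, i):
    """Bit x_i of a 5-bit value; x_0 is the most significant bit (paper's convention)."""
    return (v >> (4 - i)) & 1

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def linear_layer(S):
    """f_L: S^i <- S^i ^ (S^i >>> a) ^ (S^i >>> b) with (a, b) = ROT[i]."""
    return [w ^ rotr(w, a) ^ rotr(w, b) for w, (a, b) in zip(S, ROT)]

def column(S, i):
    """5-bit column i of a state; x_0 is read from the rate word S^0."""
    return sum(((S[j] >> i) & 1) << (4 - j) for j in range(5))

def sbox_pairs(dx, dy):
    """Inputs x with S(x) ^ S(x ^ dx) == dy, i.e. one DDT entry of the S-box."""
    return [x for x in range(32) if SBOX[x] ^ SBOX[x ^ dx] == dy]

def check_observation_1():
    """dx = 10000: dy0^dy4 = 1, dy1 = 1, dy2 = 0, and x1 = dy0^1, x3^x4 = dy3^1."""
    for x in range(32):
        dy = SBOX[x] ^ SBOX[x ^ 0b10000]
        if (bit(dy, 0) ^ bit(dy, 4), bit(dy, 1), bit(dy, 2)) != (1, 1, 0):
            return False
        if bit(x, 1) != bit(dy, 0) ^ 1 or bit(x, 3) ^ bit(x, 4) != bit(dy, 3) ^ 1:
            return False
    return True

def check_observation_2():
    """x1 = 0: y0 = x3 ^ x2 ^ x0.  x1 = 1: flipping x0 leaves y0 unchanged."""
    for x in range(32):
        y0 = bit(SBOX[x], 0)
        if bit(x, 1) == 0 and y0 != bit(x, 3) ^ bit(x, 2) ^ bit(x, 0):
            return False
        if bit(x, 1) == 1 and y0 != bit(SBOX[x ^ 0b10000], 0):
            return False
    return True

# Equations (6), (7), (8): value constraints of the three situations of Table 6.
SITUATIONS = {
    1: (0b11001, lambda x: bit(x, 0) ^ bit(x, 4) == 0 and bit(x, 2) == 1 and bit(x, 3) == 0),
    2: (0b00011, lambda x: bit(x, 1) == 0 and bit(x, 2) == 0 and bit(x, 3) ^ bit(x, 4) == 0),
    3: (0b01001, lambda x: bit(x, 0) == 0 and bit(x, 1) ^ bit(x, 4) == 1
                           and bit(x, 2) == 0 and bit(x, 3) == 0),
}

def check_situation(k):
    """Return (inputs taking dx -> 10000 are exactly those meeting the constraints,
    number of such inputs); 32 / count is the per-S-box cost of the transition."""
    dx, holds = SITUATIONS[k]
    good = sbox_pairs(dx, 0b10000)
    return good == [x for x in range(32) if holds(x)], len(good)

def classify_active_columns(din, dout):
    """Group the active columns of one S-box layer by (dx, dy), as Table 6 does."""
    groups = {}
    for i in range(64):
        dx, dy = column(din, i), column(dout, i)
        if dx:
            groups.setdefault((dx, dy), []).append(i)
    return groups

def round_weight(din, dout):
    """-log2 of the S-box-layer probability: 5 - log2(DDT entry) per active column."""
    return sum((5 - math.log2(len(sbox_pairs(dx, dy)))) * len(idx)
               for (dx, dy), idx in classify_active_columns(din, dout).items())

def message_bit_for_y0(x, target):
    """Equation (9): with x1 = 0, absorbing m = x3 ^ x2 ^ x0 ^ target into the rate
    bit x0 makes the S-box output bit y0 equal to target."""
    if bit(x, 1) != 0:
        raise ValueError("message modification needs x1 = 0 (Observation 2)")
    return bit(x, 3) ^ bit(x, 2) ^ bit(x, 0) ^ target

def check_message_modification():
    """Verify Equation (9) for every column value with x1 = 0 and both targets."""
    for x in range(32):
        for target in (0, 1):
            if bit(x, 1) == 0:
                m = message_bit_for_y0(x, target)
                if bit(SBOX[x ^ (m << 4)], 0) != target:
                    return False
    return True
```

`check_situation(k)` returns the count 4, 4 and 2 for the three situations, i.e. transition probabilities $2^{-3}$, $2^{-3}$ and $2^{-4}$, which with 7, 3 and 18 S-boxes give the $21 + 9 + 72 = 102$ conditions of the second round; `round_weight` recomputes the $54$ and $102$ of Table 5 directly from the DDT.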

Now we have $21 + 9 + 72 = 102$ constraints that $S_1$ has to satisfy. We next show how to convert 8 of them into constraints on $S_0$. In the following, $X$ denotes $S_0$ and $Y$ denotes $S_{0,s}$, and as above $x$ and $y$ denote the input and output of one 5-bit S-box.

As discussed above, since there are 27 active S-boxes in $\Delta X$, Equation (3) of Observation 1 directly gives the 54 constraints corresponding to these 27 active S-boxes: in these 27 columns, $x_1$ and $x_3 \oplus x_4$ are fixed, and by Equation (3) they are determined by $\Delta y_0$ and $\Delta y_3$. From Table 5 it is easy to see that only three different value pairs of $(\Delta y_0, \Delta y_3)$ occur among these 27 active S-boxes, as discussed below. Once the fixed bits of $X$ are known, we substitute them into Equation (1) to obtain fixed bits of $Y$.

When $i = 32$: $\Delta Y^0[i] = 0$ and $\Delta Y^3[i] = 1$, so $X^1[i] = 1$ and $X^3[i] \oplus X^4[i] = 0$. With $x_1 = 1$, Equation (1) reduces to $y_0 = x_3 \oplus x_4 \oplus 1$, so we get $Y^0[i] = 1$.

When $i = 7, 12, 16$: $\Delta Y^0[i] = 1$ and $\Delta Y^3[i] = 0$, so $X^1[i] = 0$ and $X^3[i] \oplus X^4[i] = 1$. With $x_1 = 0$, Equation (1) reduces to $y_4 = x_3 \oplus x_4$, so we get $Y^4[i] = 1$.

When $i$ is one of the other 23 active S-box positions: $\Delta Y^0[i] = 0$ and $\Delta Y^3[i] = 0$, so $X^1[i] = 1$ and $X^3[i] \oplus X^4[i] = 1$. Substituting into $y_0 = x_3 \oplus x_4 \oplus 1$ gives $Y^0[i] = 0$.

After treating all 27 columns, 24 bits of $Y^0$, i.e., of $S_{0,s}^0$, are fixed. $S_{0,s}^0$ is transformed into $S_1^0$ by the linear function $\Sigma_0$, and as soon as a bit $S_{0,s}^0[i]$ is fixed, the corresponding bits of the rotated words $S_{0,s}^0 \ggg 19$ and $S_{0,s}^0 \ggg 28$ are fixed too. For clarity, these bits are filled in as shown in Table 7. Using $\Sigma_0$ we can fix more bits, which we discuss in the next section.

Table 7. The fixed bits in $S_{0,s}^0$ and $S_1^0$.

4.2. Transforming conditions

As above, we have fixed some bits in $S_{0,s}^0$ and $S_1^0$. From the known conditions, we can infer more fixed bits in the two states. Taking the least significant bit as an example: $S_{0,s}^0[0] = 0$, $(S_{0,s}^0 \ggg 19)[0] = 0$ and $(S_{0,s}^0 \ggg 28)[0] = 0$ are known, so $S_1^0[0] = 0 \oplus 0 \oplus 0 = 0$ is fixed. Next, since $S_{0,s}^0[8] = 0$, $(S_{0,s}^0 \ggg 19)[8] = 0$ and $S_1^0[8] = 0$ are fixed, we obtain $(S_{0,s}^0 \ggg 28)[8] = 0$; taking the rotation into account, this is the bit $S_{0,s}^0[36] = 0$, which in turn is $(S_{0,s}^0 \ggg 19)[17] = 0$.

Calculating all bits in this way, we obtain the additional fixed bits shown in Table 8; the derivation is given in Table B.9 in Appendix B. Compared to Table 7, 8 more bits are fixed in $S_{0,s}^0$ and 6 more bits in $S_1^0$. The latter 6 bits need not be considered further, because once all constraints on $S_0$ and $S_1$ are satisfied they hold with probability 1.

Table 8. The fixed bits in $S_{0,s}^0$ and $S_1^0$ after derivation.

Observing Table 8, for $i \in \{0, 8, 9, 13, 18, 27, 28, 31, 36, 37, 46, 54, 55, 63\}$ all four bits of the $i$-th column are fixed, namely $S_{0,s}^0[i]$, $(S_{0,s}^0 \ggg 19)[i]$, $(S_{0,s}^0 \ggg 28)[i]$ and $S_1^0[i]$. Ignoring the extra 6 bits deduced in $S_1^0$, 8 of these 14 columns, namely $i \in \{8, 9, 13, 18, 28, 37, 54, 55\}$, belong to the original 102 constraints on $S_1$. This means that if we let $S_{0,s}$ satisfy the 8 constraints derived on $S_{0,s}^0$, the corresponding 8 constraints on $S_1$ hold with probability 1. So these 8 constraints on $S_1$ can be transformed into the corresponding 8 constraints in the previous round.
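The derivation of Table B.9 is a fixpoint computation over the linear relation $S_1^0[i] = S_{0,s}^0[i] \oplus S_{0,s}^0[i+19] \oplus S_{0,s}^0[i+28]$ (indices mod 64): whenever three of the four bits of a column are known, the fourth follows. The block below is an added example written for this page, not the paper's code; it starts from exactly the facts the paper has at this point (the 24 bits of $S_{0,s}^0$ fixed in Section 4.1 and the 18 bits of $S_1^0$ fixed to 0 by Situation 3) and derives the 8 extra bits of $S_{0,s}^0$, the 6 extra bits of $S_1^0$, the 14 fully fixed columns and the 8 transferable constraints. The active-column positions are read off Tables 5 and 6; a contradiction among the known bits would be reported rather than silently propagated.

```python
# Added example (editor's code, not the paper's): the fixed-bit derivation of
# Section 4.2 / Table B.9 as a constraint propagator over the relation
# y = x ^ (x >>> 19) ^ (x >>> 28), i.e. S_1^0 = Sigma_0(S_0,s^0). The starting
# facts are the ones the paper derives: Observation 1 fixes 24 bits of S_0,s^0
# (Section 4.1) and Situation 3 of Equation (8) fixes 18 bits of S_1^0 to 0.
# Column positions are read off Tables 5 and 6 of the paper.

DELTA_S0_ROW0 = 0xBB450325D90B1581
ACTIVE = [i for i in range(64) if (DELTA_S0_ROW0 >> i) & 1]  # 27 active columns
DY0_ONE = {7, 12, 16}  # columns with dY^0[i] = 1: Y^4[i] is fixed, Y^0[i] is not
DY3_ONE = {32}         # column with dY^3[i] = 1: Y^0[i] = 1 instead of 0
SIT3 = [1, 3, 8, 9, 13, 18, 21, 25, 28, 37, 42, 49, 50, 51, 52, 54, 55, 59]


def initial_facts():
    """Known bits before propagation: x = S_0,s^0, y = S_1^0 (Table B.9 names)."""
    x = {i: (1 if i in DY3_ONE else 0) for i in ACTIVE if i not in DY0_ONE}
    y = {i: 0 for i in SIT3}  # x_0 = 0 of Equation (8) is a bit of S_1^0
    return x, y


def column_slots(i):
    """The four bits that XOR to zero in column i of y = x ^ (x>>>19) ^ (x>>>28);
    note that (x >>> n)[i] is x[(i + n) mod 64]."""
    return [("x", i), ("x", (i + 19) % 64), ("x", (i + 28) % 64), ("y", i)]


def propagate(x, y):
    """Fixpoint: whenever three of a column's four bits are known, derive the
    fourth; a fully known column with odd parity is a contradiction."""
    x, y = dict(x), dict(y)
    store = {"x": x, "y": y}
    changed = True
    while changed:
        changed = False
        for i in range(64):
            slots = column_slots(i)
            unknown = [s for s in slots if s[1] not in store[s[0]]]
            parity = sum(store[w][k] for w, k in slots if k in store[w]) & 1
            if not unknown and parity:
                raise ValueError(f"contradiction in column {i}")
            if len(unknown) == 1:
                w, k = unknown[0]
                store[w][k] = parity
                changed = True
    return x, y


def derived_bits():
    """Return (new x bits, new y bits, fully fixed columns, columns whose S_1^0
    constraint is implied by S_0,s^0), as discussed in Section 4.2."""
    x0, y0 = initial_facts()
    x, y = propagate(x0, y0)
    new_x = {i: v for i, v in x.items() if i not in x0}
    new_y = {i: v for i, v in y.items() if i not in y0}
    full = [i for i in range(64)
            if all(k in (x if w == "x" else y) for w, k in column_slots(i))]
    transferable = [i for i in full if i in SIT3]
    return new_x, new_y, full, transferable


if __name__ == "__main__":
    new_x, new_y, full, transferable = derived_bits()
    print("extra fixed bits of S_0,s^0:", new_x)
    print("extra fixed bits of S_1^0:", new_y)
    print("fully fixed columns:", full)
    print("constraints movable from S_1 to S_0,s:", transferable)
```

The 8 derived positions of $S_{0,s}^0$ are the set $P$ used for message modification in Section 4.3, and the only derived 1 is at position 13, which is why Equation (9) treats $i = 13$ separately.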

In the next, we'll discuss how to use the message modification technique to ensure these 8 conditions hold.

4.3. Message modification

Table 8 shows 8 more fixed bits in $S_{0,s}^0$ than Table 7. These are the bits $S_{0,s}^0[i]$ with $i \in P = \{1, 9, 13, 18, 36, 46, 47, 55\}$, and it is easy to check that for $i \in P$ the S-boxes in column $i$ of $\Delta S_0$ are all inactive.

Let the five-bit $x$ denote the input of the $i$-th S-box of state $S_0$ and the five-bit $y$ the output of the same S-box, i.e., column $i$ of $S_{0,s}$ ($i \in P$). According to Equation (4) of Observation 2, when $x_2, x_3, x_4$ are known and $x_1 = 0$, the value of $y_0$ is determined by $x_0$, which can be adjusted through the message block $M_{s-1}$. So we add another 8 constraints $x_1 = 0$, namely $S_0^1[i] = 0$ ($i \in P$), to the capacity part; in other words, the first $s-2$ message blocks must additionally ensure $S_0^1[i] = 0$ ($i \in P$). Then we can modify the 8 corresponding bits of the message $M_{s-1}$ to set $S_{0,s}^0[i]$ to the required values above.

For clarity, we regard the 8 values of $x_0$ here as the bits of the rate word before $S_0$ absorbs the message $M_{s-1}$. Since $x_1 = 0$ and the required $y_0$ is known, the modification of $M_{s-1}$ is given by Equation (9). Note that $y_0 = 1$ only when $i = 13$; otherwise $y_0 = 0$.

$$M_{s-1}[i] = \begin{cases} x_3 \oplus x_2 \oplus x_0 \oplus 1, & i = 13,\\ x_3 \oplus x_2 \oplus x_0, & i \in \{1, 9, 18, 36, 46, 47, 55\}. \end{cases} \quad (9)$$

4.4. Time complexity

This improved attack builds on the attack strategy of Section 3. The number of constraints on $S_0$ increases to $54 + 8 = 62$ and that on $S_1$ decreases to $102 - 8 = 94$. But because of the message modification, the freedom of the message blocks $M_{s-1}$ and $M'_{s-1}$ is reduced to $2^{56}$. We observe that if all 8 extra constraints are moved into $S_0$, the time complexity hardly improves.

So we do not convert all 8 constraints into $S_0$ straight away. Looking at the attack process, the time complexity is determined by two steps: constructing random 2-block messages $(M_0, M_1)$ and constructing message pairs $(M_2, M'_2)$ that satisfy the input difference. To minimize the time complexity, we convert only part of the 8 constraints. Assume that $\lambda$ constraints are added to $S_0$ and $8 - \lambda$ are left unchanged; then the capacity part of $S_0$ carries $54 + \lambda$ constraints and $S_1$ carries $102 - \lambda$, and the freedom offered by the message block $M_{s-1}$ is reduced to $2^{64-\lambda}$. The time complexity of the first step is then $2^{(54+\lambda)+(102-\lambda)-(64-\lambda)} = 2^{92+\lambda}$ hash function calls, and that of the second step is $2^{102-\lambda}$ hash function calls. The ideal $\lambda$ balances the two, $92 + \lambda = 102 - \lambda$, which gives $\lambda = 5$.

Finally, there are $54 + 5 = 59$ constraints on $S_0$ and $102 - 5 = 97$ on $S_1$, and the freedom of the message block $M_2$ is $64 - 5 = 59$ bits. The complete procedure is as follows:

  1. First, we generate $2^{59+97-59} = 2^{97}$ random 2-block messages $(M_0, M_1)$ in total.

  2. Each satisfies the constraints on $S_0$ with probability $2^{-59}$, so we obtain $2^{38}$ such messages.

  3. For each of these $2^{38}$ messages we exhaust the $2^{59}$ choices of $M_2$, giving $2^{38+59} = 2^{97}$ message pairs $(M_2, M'_2)$ with $M_2 \oplus M'_2 = \Delta S_0^0$ in total.

  4. It is expected that one of these $2^{97}$ message pairs leads to the output difference.

  5. Append one more random message block $M_3$ to one member of the pair found in Step 4 and $M'_3 = M_3 \oplus \Delta S_2^0$ to the other.

Complexity. The overall complexity of this attack is $(2 \times 2^{97}) + (2 \times 2^{97}) \approx 2^{98}$ hash function calls, which improves on $2^{103}$.

5. Conclusion

In this paper, we reduce the complexity of the collision attack on 2-round ASCON-HASH. We first analyze the currently best characteristic to find fixed bits in the states; specifically, we use properties of the S-box under particular differences to derive constraints on the input state. Then we make use of the linear layer to convert 8 constraints of round 1 into 8 constraints of round 0. To reach the lowest time complexity, we convert only 5 of these 8 constraints using the message modification technique.

Funding

This research was funded by State Grid Science and Technology Project (No. 5108-202218280A-2-201-XG).

CRediT authorship contribution statement

Di Zhai: Methodology, Conceptualization. Wei Bai: Writing – review & editing, Writing – original draft, Conceptualization. Jianding Fu: Writing – review & editing, Methodology. Hongjian Gao: Writing – review & editing, Writing – original draft, Formal analysis. Xueqiong Zhu: Writing – review & editing, Writing – original draft, Formal analysis.

Declaration of Competing Interest

The authors declare the following financial interests/personal relationships which may be considered as potential competing interests:

Di Zhai reports financial support was provided by State Grid Corporation of China. Di Zhai reports a relationship with State Grid Corporation of China that includes: employment. All the co-authors are employed by State Grid Corporation of China.

Acknowledgements

The authors would like to thank the anonymous reviewers for their helpful comments.

Appendix A. Proof of equations (6), (7), (8)

First we note the obvious fact that when $\Delta a = 0$, $\Delta(ab) = a\,\Delta b$, since $\Delta(ab) = ab \oplus a(b \oplus \Delta b) = a\,\Delta b$. When both factors are active ($\Delta a = \Delta b = 1$), $\Delta(ab) = ab \oplus (a \oplus 1)(b \oplus 1) = a \oplus b \oplus 1$.

Given the ANF of ASCON's 5-bit S-box in Equation (1), the relation between the differences is easily derived:

$$\begin{cases}
\Delta y_0 = \Delta(x_4x_1) \oplus \Delta x_3 \oplus \Delta(x_2x_1) \oplus \Delta x_2 \oplus \Delta(x_1x_0) \oplus \Delta x_1 \oplus \Delta x_0,\\
\Delta y_1 = \Delta x_4 \oplus \Delta(x_3x_2) \oplus \Delta(x_3x_1) \oplus \Delta x_3 \oplus \Delta(x_2x_1) \oplus \Delta x_2 \oplus \Delta x_1 \oplus \Delta x_0,\\
\Delta y_2 = \Delta(x_4x_3) \oplus \Delta x_4 \oplus \Delta x_2 \oplus \Delta x_1,\\
\Delta y_3 = \Delta(x_4x_0) \oplus \Delta x_4 \oplus \Delta(x_3x_0) \oplus \Delta x_3 \oplus \Delta x_2 \oplus \Delta x_1 \oplus \Delta x_0,\\
\Delta y_4 = \Delta(x_4x_1) \oplus \Delta x_4 \oplus \Delta x_3 \oplus \Delta(x_1x_0) \oplus \Delta x_1.
\end{cases} \quad (A.1)$$

We then substitute the input differences of each situation into Equation (A.1); in all three situations $\Delta y_0 = 1$ and $\Delta y_1 = \Delta y_2 = \Delta y_3 = \Delta y_4 = 0$.

Proof of equation (6)

We have $\Delta x_0 = 1$, $\Delta x_1 = 1$, $\Delta x_2 = 0$, $\Delta x_3 = 0$, $\Delta x_4 = 1$.

  • Focusing on $\Delta y_2$, we get $\Delta y_2 = \Delta(x_4x_3) \oplus 1 \oplus 1 = \Delta(x_4x_3) = 0$. Since $\Delta x_4 = 1$ and $\Delta x_3 = 0$, $\Delta(x_4x_3) = x_3$, so $x_3 = 0$.

  • Hence all monomials of the form $x_3x_i$ are zero and $\Delta(x_3x_i) = 0$. Substituting into $\Delta y_3$ gives $\Delta y_3 = \Delta(x_4x_0) \oplus 1 = (x_4 \oplus x_0 \oplus 1) \oplus 1 = x_0 \oplus x_4 = 0$, so $x_0 \oplus x_4 = 0$.

  • Finally, $\Delta y_0 = \Delta(x_4x_1) \oplus \Delta(x_2x_1) \oplus \Delta(x_1x_0) = (x_4 \oplus x_1 \oplus 1) \oplus x_2 \oplus (x_1 \oplus x_0 \oplus 1) = x_4 \oplus x_0 \oplus x_2 = 1$; with $x_0 \oplus x_4 = 0$ this leaves $x_2 = 1$.

Proof of equation (7)

We have $\Delta x_0 = 0$, $\Delta x_1 = 0$, $\Delta x_2 = 0$, $\Delta x_3 = 1$, $\Delta x_4 = 1$.

  • As above, we substitute the known values, derive new conditions and substitute again until nothing new appears. Observing $\Delta y_4$ first, $\Delta y_4 = \Delta(x_4x_1) \oplus \Delta x_4 \oplus \Delta x_3 = \Delta(x_4x_1) = x_1$, and $\Delta y_4 = 0$ gives $x_1 = 0$. Then all monomials of the form $x_1x_i$ satisfy $\Delta(x_1x_i) = 0$.

  • Substituting $x_1 = 0$ into $\Delta y_1$ gives $\Delta y_1 = \Delta x_4 \oplus \Delta(x_3x_2) \oplus \Delta x_3 = \Delta(x_3x_2) = x_2 = 0$, so $x_2 = 0$.

  • Observing $\Delta y_2$, $\Delta y_2 = \Delta(x_4x_3) \oplus \Delta x_4 = (x_4 \oplus x_3 \oplus 1) \oplus 1 = x_3 \oplus x_4 = 0$, so $x_3 \oplus x_4 = 0$.

Proof of equation (8)

We have Δx0=0, Δx1=1, Δx2=0, Δx3=0, Δx4=1. We eliminate some redundant steps here.

  • We start the derivation from Δy2, because the equation Δy2 = Δ(x4x3) = 0 is the simplest of the five. It gives x3 = 0, so that all monomials of the form Δ(x3xi) are equal to 0.

  • The equation for Δy3 then simplifies to Δ(x4x0) = 0, which gives the further constraint x0 = 0. As above, all monomials of the form Δ(x0xi) are then equal to 0.

  • Substituting the values obtained above into Δy4 gives x1 ⊕ x4 = 1.

  • Finally, substituting all the values obtained so far into Δy1 gives x2 = 0.
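As an added check that is not part of the paper, the following Python script evaluates the S-box ANF of equation (1) bit by bit, brute-forces all 32 inputs for which a given input difference maps to Δy = (1,0,0,0,0), and tests whether the bit conditions derived above for equations (6) and (8) exactly characterise that solution set; the function names are my own.

```python
from itertools import product

def ascon_sbox_anf(x):
    """ASCON 5-bit S-box evaluated from its ANF (equation (1)); x = (x0..x4)."""
    x0, x1, x2, x3, x4 = x
    y0 = (x4 & x1) ^ x3 ^ (x2 & x1) ^ x2 ^ (x1 & x0) ^ x1 ^ x0
    y1 = x4 ^ (x3 & x2) ^ (x3 & x1) ^ x3 ^ (x2 & x1) ^ x2 ^ x1 ^ x0
    y2 = (x4 & x3) ^ x4 ^ x2 ^ x1 ^ 1
    y3 = (x4 & x0) ^ x4 ^ (x3 & x0) ^ x3 ^ x2 ^ x1 ^ x0
    y4 = (x4 & x1) ^ x4 ^ x3 ^ (x1 & x0) ^ x1
    return (y0, y1, y2, y3, y4)

def xor(a, b):
    return tuple(u ^ v for u, v in zip(a, b))

def to_int(bits):
    """Pack (x0..x4) with x0 as the most significant bit, as in the S-box table."""
    return int("".join(map(str, bits)), 2)

def solutions(din, dout):
    """All inputs x with S(x) xor S(x xor din) == dout (brute force over 2^5 inputs)."""
    return [x for x in product((0, 1), repeat=5)
            if xor(ascon_sbox_anf(x), ascon_sbox_anf(xor(x, din))) == dout]

def conditions_match(din, dout, cond):
    """True iff the bit conditions `cond(x0..x4)` describe exactly the solution set."""
    return set(solutions(din, dout)) == {x for x in product((0, 1), repeat=5) if cond(*x)}

def probability(din, dout):
    """Differential probability of din -> dout through one S-box."""
    return len(solutions(din, dout)) / 32

# Output difference used throughout Appendix A: only y0 is active.
DOUT = (1, 0, 0, 0, 0)

# Equation (6): input difference (1,1,0,0,1) and the conditions derived above.
EQ6_DIN = (1, 1, 0, 0, 1)
def eq6_cond(x0, x1, x2, x3, x4):
    return x3 == 0 and x2 == 1 and (x0 ^ x4) == 0

# Equation (8): input difference (0,1,0,0,1) and the conditions derived above.
EQ8_DIN = (0, 1, 0, 0, 1)
def eq8_cond(x0, x1, x2, x3, x4):
    return x3 == 0 and x0 == 0 and x2 == 0 and (x1 ^ x4) == 1

if __name__ == "__main__":
    for name, din, cond in (("(6)", EQ6_DIN, eq6_cond), ("(8)", EQ8_DIN, eq8_cond)):
        print(name, conditions_match(din, DOUT, cond), probability(din, DOUT))
```

Running it prints `(6) True 0.125` and `(8) True 0.0625`, i.e. the conditions hold with probability 2^-3 and 2^-4 respectively.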

Appendix B. Derivation process in Section 4.2

The complete derivation process between Table 7 and Table 8 of Section 4 is shown in Table B.9.

Table B.9.

The derivation process from Table 7 to Table 8 (for simplicity, x = S0,0^s, a = S0,0^s ≫ 19, b = S0,0^s ≫ 28, y = S1,0; bit indices are taken modulo 64).

Step  Known bits                Derived bits
1     a[55]=b[55]=y[55]=0       x[55]=a[36]=b[27]=0
2     a[13]=1, b[13]=y[13]=0    x[13]=a[58]=b[49]=1
3     a[9]=b[9]=y[9]=0          x[9]=a[54]=b[45]=0
4     x[8]=b[8]=y[8]=0          b[8]=x[36]=a[27]=0
5     x[36]=a[36]=b[36]=0       y[36]=0
6     x[0]=a[0]=b[0]=0          y[0]=0
7     x[28]=b[28]=y[28]=0       a[28]=x[47]=b[19]=0
8     x[31]=a[31]=b[31]=0       y[31]=0
9     x[54]=a[54]=y[54]=0       b[54]=x[18]=a[63]=0
10    x[63]=a[63]=b[63]=0       y[63]=0
11    x[18]=a[18]=y[18]=0       b[18]=x[46]=a[27]=0
12    x[27]=a[27]=b[27]=0       y[27]=0
13    x[37]=a[37]=y[37]=0       b[37]=x[1]=a[46]=0
14    x[46]=a[46]=b[46]=0       y[46]=0

Data availability

Data is contained within the article.

