This paper evaluates the security level of the authenticated encryption scheme \textsc{Ascon} against cube-like methods. \textsc{Ascon}, submitted by Dobraunig \emph{et~al.}, is one of the 16 survivors of the 3rd round of the CAESAR competition. The cube-like method was first used by Dinur \emph{et~al.} to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig \emph{et~al.} applied this method to 5/6-round reduced \textsc{Ascon}, whose structure is similar to that of the Keccak keyed modes. However, for \textsc{Ascon} the non-linear layer is more complex and the state is much smaller, which makes it hard for the attacker to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack reaches only 6-round \textsc{Ascon}, while for the Keccak keyed modes (Keccak-MAC and Keyak) at least 7 rounds are attacked. In this paper, we generalize the conditional cube attack proposed by Huang \emph{et~al.}, find new cubes that depend on some key-bit conditions for 5/6-round reduced \textsc{Ascon}, and turn the previous theoretical 6-round attack with $2^{66}$ time complexity into a practical one with $2^{40}$ time complexity. Moreover, we propose the first 7-round key-recovery attack on \textsc{Ascon}. By introducing \emph{the cube-like key-subset technique}, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch a cube tester to determine whether the key falls into it. Finally, we recover the key over the full key space by testing all the key subsets. The total time complexity is about $2^{103.9}$. In addition, for a weak-key subset of size $2^{117}$, the attack is more efficient and costs only $2^{77}$ time complexity. These attacks do not threaten the full-round (12 rounds) \textsc{Ascon}.
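As an added illustration that is not part of the paper, the following Python toy shows the key-subset test described above: a cube tester XORs the output bit over every assignment of the chosen cube variables, and the resulting superpoly is identically zero exactly when the key satisfies the subset's condition. The function \texttt{toy\_output\_bit} and the two key subsets are constructed stand-ins for a reduced-round keyed primitive; the paper's actual \textsc{Ascon} cubes and key conditions are not given on this page.

```python
import random
from itertools import product

# Constructed stand-in for one output bit of a reduced-round keyed primitive
# (NOT Ascon). key = (k0..k3), pub = (v0..v3) are bits. By construction the
# superpoly (coefficient) of the monomial v0*v1*v2 is k0^k1 and that of v0*v3
# is k2; every other monomial misses at least one variable of those cubes.
def toy_output_bit(key, pub):
    k0, k1, k2, k3 = key
    v0, v1, v2, v3 = pub
    return (((k0 ^ k1) & v0 & v1 & v2) ^ (k2 & v0 & v3)
            ^ (k3 & v1) ^ (v2 & v3) ^ (k0 & v2))

def cube_sum(f, key, cube, rest):
    """XOR f over all 2^|cube| assignments of the cube variables, with the
    remaining public bits fixed to `rest`. Monomials lacking any cube
    variable cancel, so the result is the cube's superpoly evaluated at `rest`."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        pub = list(rest)
        for idx, b in zip(cube, bits):
            pub[idx] = b
        acc ^= f(key, pub)
    return acc

def cube_tester_is_zero(f, key, cube, n_pub, trials, rng):
    """Cube tester: True if the cube sum is 0 for every sampled assignment of
    the non-cube public bits, i.e. the superpoly looks identically zero."""
    for _ in range(trials):
        rest = [rng.randint(0, 1) for _ in range(n_pub)]
        if cube_sum(f, key, cube, rest):
            return False
    return True

# Key subsets (constructed): each pairs a key condition with a cube whose
# superpoly vanishes exactly when the key satisfies that condition.
KEY_SUBSETS = [
    ("k0 == k1", (0, 1, 2)),  # superpoly k0 ^ k1
    ("k2 == 0",  (0, 3)),     # superpoly k2
]

def recover_key_conditions(f, key, n_pub=4, trials=16, seed=1):
    """Run the cube tester for every key subset; a True entry means the
    (unknown) key falls into that subset, which fixes a key-bit relation."""
    rng = random.Random(seed)
    return {cond: cube_tester_is_zero(f, key, cube, n_pub, trials, rng)
            for cond, cube in KEY_SUBSETS}
```

Here the tester only needs a few trials because the toy superpolys are constants; against a real primitive the non-cube public bits are sampled to rule out a superpoly that merely happens to vanish at one point.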