Resistance of Ascon Family Against Conditional Cube Attacks in Nonce-Misuse Setting

Ascon family is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. The family includes three Authenticated Encryption with Associated Data (AEAD) schemes: Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the resistance of the Ascon family against conditional cube attacks in nonce-misuse setting, and present new state- and key-recovery attacks. Our attacks recover the full state and the secret key of Ascon-128a when reduced to 7 out of 8 rounds of Ascon-permutation for the encryption phase, with 2117 data and 2116.2 time. These are the best known attack results for Ascon-128a as far as we know, while violating the data limit 264 imposed by designers. We also show that the partial state information of Ascon-128 can be recovered with 244.8 data. Finally, by assuming that the full state information of Ascon-80pq was recovered by Baudrin et al.’s attack, we show that the 160-bit secret key of Ascon-80pq can be recovered with 2128 time. Although our attacks do not invalidate designers’ security claim. those allow us to understand the security of Ascon in nonce-misuse setting.


I. INTRODUCTION
Ascon, designed by Dobraunig et al. [5], is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. Ascon is also selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition [3]. Ascon family includes three Authenticated Encryption with Associated Data (AEAD) schemes: Ascon-128 (primary submission for the NIST process), Ascon-128a, and Ascon-80pq. The mode of operation for these algorithms is based on duplex modes like MonkeyDuplex [2], and use key initialization and finalization functions. They use 12-round Ascon permutation for their initialization and finalization with key. For data processing The associate editor coordinating the review of this manuscript and approving it for publication was Barbara Masucci . such as associated data (AD) absorption and plaintext encryption, Ascon-128 and Ascon-80pq use 6-round Ascon permutation, while Ascon-128a use 8-round one. The state size of Ascon permutation is 320 bits, the key size of Ascon-128 and Ascon-128a is 128 bits, and the key size of Ascon-80pq is 160 bits.
Ascon designers claim that AEAD variants provide 128-bit security of privacy and authenticity when unique nonce values are used for the encryption under the same key [5]. The maximum available data to the attacker is limited to 2 64 VOLUME 11, 2023 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ 64-bit blocks per key. In nonce-misuse scenario, the designers claimed that Ascon-128a provides 128-bit security of privacy and authenticity if nonces are reused a few times by accident as long as the combination of nonce and AD stays unique. The designers said that they do not expect that any key recovery attack on Ascon-128a can be found with complexity significantly below 2 96 even after a secret state is recovered by an implementation attack, due to the extra key additions during initialization and finalization. The security of Ascon family have been widely analyzed. In particular, most successful key recovery attacks for Ascon are based on cube attacks [4]. Li et al. [9] presented two nonce-respecting key recovery attacks. One of them is a cube attack on (7, , )-round Ascon, where the data complexity is 2 77.2 and the time complexity is 2 103.92 . The other one is a conditional cube attack on (6, , )-round Ascon, where both data and time complexities are 2 40 . Rohit et al. [10] presented the nonce-respecting key recovery attack on (7, , )-round Ascon which is a cube attack with data complexity of 2 64 and time complexity of 2 123 . The security of Ascon in noncemisuse setting was studied in [8].
Huang et al. [6] introduced the concept of conditional cube attacks. The authors proposed some of conditions on the key to obtain the set V of cube variables such that the variables in V are not multiplied with each other after the first round and V contains one cube variable that are not multiplied with other cube variables after the second round. With this technique, Huang et al. achieved the optimal cube propagation for Keccak permutation. We observe that the security of Ascon AEAD algorithms against cube attacks has been analyzed a lot in nonce-respecting setting, but not so much in nonce-misuse setting. Baudrin et al. [1] suggested a conditional cube attack on full ( , 6, )-round Ascon-128 recovering the full state information with the data complexity less than 2 40 in nonce-misuse setting. Considering these existing work results, we have been motivated to study how conditional cube attack techniques can be most effectively applied to Ascon AEAD algorithms in nonce-misuse setting.

A. CONTRIBUTIONS
Our main idea is to recover the secret state information using cubes where certain conditions make the cube-sums zero, and then recover the secret key for the finalization permutation. We use five cube patterns to make new nonce-misuse state-recovery and key recovery attacks on ( , 7, )-round Ascon-128a. Those attacks require 2 117 data and 2 116.2 time, and are the best known attack results for Ascon-128a as far as we know. We also use a family of patterns to make a nonce-misuse partial-state-recovery conditional-cube attack on ( , 6, )-round Ascon-128 and Ascon-80pq, where 192 bits out of 320-bit state are recovered, with 2 44.8 time and data complexity and negligible memory complexity. This attack was researched independently of those by Baudrin et al. [1]. Additionally, we show that the 160-bit secret key of Ascon-80pq can be recovered based on the recovered state information with 2 128 time, much faster than an exhaustive key search. Table 1 summarizes the existing cube attacks and our attacks on Ascon AEAD algorithms. In the table, an entry for 'Target' field can be 128, 128a and 80pq, which mean Ascon-128, Ascon-128a and Ascon-80pq as a target of the attack, respectively. An entry for 'Type' field can be KR, SR and F, which mean Key Recovery, State Recovery and Forgery as a type of the attack, respectively. An entry for 'Complexity' field is a 3-tuple of data, time, and memory. An entry of 'Set.' field can be NR and NM, which mean Nonce-Respecting and Nonce-Misuse as a setting of the attack, respectively.
Our attacks do not invalidate the security claims of the Ascon designers. In particular, the key-recovery attack on Ascon-128a also violates the data limitation of 2 64 imposed by designers. Nevertheless, they are meaningful in analyzing how secure Ascon is in the nonce-misuse setting.

B. ORGANIZATION
In Section II, we introduce notations, Ascon AEAD algorithms, and cube attacks. In Section III, we describe cube patterns used in our attacks. In Section IV, we explain how the attacks on ( , 7, )-round Ascon-128a recover the internal state and the secret key. In Section V, we explain the partial-state-recovery attack on ( , 6, )-round Ascon-128 and Ascon80pq and the key recovery attack on ( , 6, )-round Ascon80pq.

A. DEFINITIONS AND NOTATIONS
Let x and y be bitstrings of same length. We denote bitwise XOR, and bitwise AND of x and y by x ⊕ y and xy. We denote the concatenation of x and y by x y or (x, y). MSB m (x) and LSB m (x) mean the most and the least significant m bits of x, respectively. Len(x) means the length of x in bits. We denote a bitstring of n consecutive 0-bits by 0 n . 0 * means an arbitrary-length bitstring of consecutive 0-bits. Likewise, we denote a bitstring of n consecutive 1-bits by 1 n .

B. Ascon AEAD ALGORITHMS
The design of Ascon AEAD algorithms is based on mon-keyDuplex construction [2] with extra key additions during initialization and finalization. The 320-bit state State is initialized as where IV is a constant as an initial value, K is a k-bit secret key, and N is a 128-bit nonce. Let p i be the i-round Ascon permutation. The algorithm works in the order initialization phase, data processing phase, and finalization phase. In the initial phase, the state State is updated as The data processing phase consists of AD absorption phase and plaintext encryption phase, but we assume AD is empty because it is not necessary for our attacks. The plaintext P is padded to P 1 0 * such that the length of the padded string is the least multiple of r, where r is the block size of plaintext and the rate of sponge-like construction. c = 320 − r is the capacity. Then, the padded plaintext string is divided into t blocks P 1 , . . . , P t . We consider State as State = State r State c , where State r is r bits and State c is c bits. When the AD is empty, in the encryption phase, the update of State and the encryption of the plaintext P proceed as follows: State ← State ⊕ (0 319 1) for i = 1, . . . , t do : where C i 's are ciphertext blocks and = Len(P) mod r. Finally, in the finalization phase, State is updated and the tag T is produced as follows: Therefore, an Ascon AEAD algorithm outputs the ciphertext C 1 · · · C t and the tag T . The nonces and tags are 128 bits for every Ascon AEAD algorithm. Table 2 summarizes the parameters a, b, r, c, and k. See [5] for a more detailed description of Ascon.
The j-th round function, Roundj of Ascon permutation is defined as p L • p S • p C , where p C adds the 8-bit constant c j to the internal state, p S is the substitution layer, and p L is the linear diffusion layer. Note that the round number j starts from zero (i.e., j = 0, 1, . . .). We denote the input state of Roundj by S j = S j [0] · · · S j [4] [4][i]) T and is called the column #i of S j . We denote the internal state after the p S •p C operation at Roundj by S j+0.5 = S j+0. 5 [0]|| · · · ||S j+0.5 [4]. Then, the internal state after the p L layer is denoted by S j+1 , which is the output of Roundj.

1) SUBSTITUTION LAYER p S
The nonlinearity of Ascon permutation is provided by the p S layer. Let x i for 0 ≤ i ≤ 4 be the i-th row in a 5 × 64 array of 320-bit state. p S (x 4 , . . . , x 0 ) is computed as follows: We can also regard (1) as a system of equations for a 5-bit input x = (x 4 , . . . , x 0 ) ∈ {0, 1} 5 , and p S as the application of 64 5-bit nonlinear S-boxes to the columns of 5 × 64 array. We have the following properties derived from (1): for x ∈ {0, 1} 5 , The p L layer consists of 64-bit linear functions i (x i ) for i = 0, 1, . . . , 4, where each x i is the i-th row in a 5 × 64 array of 320-bit state.

C. TIME COMPLEXITY OF EXHAUSTIVE KEY SEARCH
We should compare the time complexity of our attack to that of an exhaustive key search. If we assume that AD A is empty and the length of the plaintext P is less than r, the number of permutation calls per one encryption are minimized to two calls of p 12 , which approximates p 24 . So, we can compare the time complexity of our attack to 2 128 operations of p 24 for Ascon-128 and Ascon-128a, and 2 160 operations of p 24 for Ascon-80pq.

D. CUBE ATTACKS 1) CUBE AND CUBE-SUM
Let We consider the division expression where f is the dividend, the monomial v 0 v 1 · · · v l−1 is the divisor, Q is the quotient and R is the remainder. When Q only depends on x, the expression is as follows: For (5), Xuejia Lai [7] proved the following relation between the cube C v and the quotient Q(x).
The left side of (6) is called the cube-sum of f for the cube C V . The relation shows that the cube-sum is equal to the quotient Q(x). When x is fixed, Q(x) is constant, so the cube-sum is constant.
Let g(v, x) be another nonlinear Boolean function from {0, 1} l+m to {0, 1}. Suppose that we obtain the division expression of g with the divisor v 0 v 1 · · · v l−2 : where Q (x) is the quotient and R (v, x) is the remainder. Let C . When x is fixed, the cube-sum of g for C v is zero because When we say that the cube-sum of F for C v is zero, we mean that for every i = 0, . . . , n − 1, the cube-sum of f i for C v is zero. In other words, we can say that the cube-sum on y = F(v, x) is zero.

2) CONDITIONAL CUBE ATTACKS
We briefly introduce the concept of conditional cube attacks which was proposed by Huang et al. [6]. Let F be a nonlinear permutation which iterates a round function with algebraic degree of 2. Note that the degree of the round function of Ascon permutation is also 2. For the set V = {v 0 , v 1 , . . . , v l−1 } of cube variables, they considered a par- We assume that that the following requirements hold if and only if certain conditions are true.
• Requirement 1: After the first round, there is no multiplication of two different cube variables from V. For the case of Ascon permutation, the output state S 1 of Round0 has no v i v j such that i = j and v i , v j ∈ V.
• Requirement 2: After the second round, there is no multiplication of two different cube variables from V 0 . For the case of Ascon permutation, the output state • Requirement 3: After the second round, there is no multiplication between a cube variable from V 0 and a cube variable from V 1 . For the case of Ascon permutation, the output state S 2 of Round1 has no v i v j such that v i ∈ V 0 and v j ∈ V 1 .
Theorem 1: [6] Let F be a nonlinear permutation which iterates a round function with algebraic degree of 2. Let V = {v 0 , v 1 , . . . , v λ+µ−1 } be the set of cube variables on the input state of F, and let {V 0 , V 1 } be a partition of V where |V 0 | = λ and |V 1 | = µ. Assume that Requirements 1, 2 and 3 hold, and that for a positive number n, Then, the term v 0 v 1 · · · v λ+µ−1 does not appear on the output state of (n + 2)-th round function. Section II-D1 and Theorem 1 implies, if the nonlinear permutation F satisfies Requirements 1, 2, and 3 and satisfies (8) or (9), then F does not have the term v 0 v 1 · · · v λ+µ−1 on its output state of (n + 2)-th round function, and so the cube-sum for (n + 2) rounds of F is zero. In the next section, for Ascon permutation, we make a set of cube variables satisfying (8), and construct the conditions under which Requirements 1, 2, and 3 hold.

III. VARIABLES AND CONDITIONS OF CUBE PATTERNS
Let S 0 be the input state to the Ascon permutation of the first block in the encryption phase, as depicted in Figure 1. We describe five cube patterns used in our conditional cube attack on Ascon-128a in Sections III-A to III-E. We use the set V of 64 cube variables and consider the partition {V 0 , V 1 } of V such that λ = |V 0 | = 1 and µ = |V 1 | = 63. Following the notations in Theorem 1, we have n = 5. We can choose the first block P 1 of plaintext to control the first two rows of S 0 for Ascon-128a. In each pattern, cube variables are assigned to the first two rows of S 0 so that each column of S 0 has at most one cube variable. We consider that (S 0 [2], S 0 [3], S 0 [4]) is secret in Ascon-128a, and use a guessed value to construct cube patterns in Sections III-B to III-E.
We also show a family of cube patterns used in our conditional cube attacks on Ascon-128 and Ascon-80pq in Section III-F. We can choose the first block P 1 of plaintext to control the first row of S 0 for Ascon-128 and Ascon-80pq. We use 40 cube variables. In each pattern, 32 among them are assigned to the first row of S 0 such that λ = |V 0 | = 1 and µ = |V 1 | = 31. Following the notations in Theorem 1, we have n = 4.
With this configuration, each pattern satisfies Requirements 1 and 2 in Section II-D2. Requirement 1 holds because in the beginning of Round0, each column uses at most one cube variable and the nonlinear S-box operation is applied column-wise in parallel. Requirement 2 holds because |V 0 | = 1. In the following subsections, we describe the structure of each pattern, and show what conditions satisfy Requirement 3. For simplicity, the cube variables in V 0 is called V 0 -variables and the cube variables in V 1 is called Table 3. The other bits of S 0 are constants. Table 4 lists 38 conditions of Pattern-A for satisfying Requirement 3. The 'Conditions' field of Table 4 shows condition expressions and the 'Count' field provides the number of conditions for each expression. We get Lemma 1.  Table 4 are true. Proof: We assume that all conditions in Table 4 (1), no multiplication between v 63 and v i for any v i ∈ V 1 appears on S 1.5 and S 2 . See Figure 2.
Next, we consider the case that not all conditions in Table 4 are true. It can be split into two subcases as follows: The proof is provided in Appendix VI-A.
• Subcase 2: If all conditions on column #63 of S 0 are true, but any of the other conditions is false, then v 63 v i for some v i ∈ V 1 appears on S 2 . The proof is provided in Appendix VI-B. Therefore, the proof is completed.
The other bits of S 0 are constants. 10 implies that Pattern-B contains 128 different assignments of cube variables depending on α ∈ {0, 1} 7 . Table 6 lists 12 conditions of Pattern-B with α for satisfying Requirement 3. Then, we get Lemma 2.  Table 6 are true.
Proof: We concentrate on showing that a quadratic term v 62 v i for v i ∈ V 1 appears on S 1.5 if all the conditions on column #62 of S 0 are true and α is wrong. When all the conditions on column #62 of S 0 are true, by (1), S 0.5 [2][62] contains v 62 only as a linear term and the other bits of the column #62 of S 0.5 are constant. After the p L layer, S 1 [2][62], S 1 [2][61] and S 1 [2][56] contain v 62 as a linear term.
Firstly, we consider the case of [2]. It implies that S 0.5 [3] [2] contains v 2 as a linear term. After p L layer, S 1 [3][56] contains v 2 as a linear term. Thus, the quadratic term v 62 v 2 appears on the column #56 of S 1.5 . We can similarly show that v 62 v 7 appears on the column #61 of S 1.5 when [7], and that v 62 v 14 appears on the column #61 of S 1.5 when α 2 = S 0 [3] contains v 31 as a linear term. After p L layer, S 1 [1][56] contains v 31 as a linear term. Thus, the quadratic term v 62 v 31 appears on the column #56 of S 1.5 . We can similarly show that v 62 v 36 appears on the column #61 of S 1.5 when α 4 = S 0 [2][36] ⊕ S 0 [3][36], that v 62 v 53 appears on the column #56 of S 1.5 when α 5 = S 0 [2][53] ⊕ S 0 [3][53], and that v 62 v 58 appears on the column #61 of S 1.5 when The remaining of the proof is similar to that of Lemma 1.

C. PATTERN-C
We assume that β = (β 5 Table 7. Additionally, we assign more V 1 -variables depending on β as follows. The other bits of S 0 are constants. (11) implies that Pattern-C contains 64 different assignments of cube variables depending on β ∈ {0, 1} 6 .  Table 9. Additionally, we assign more V 1 -variables depending on γ as follows.
The other bits of S 0 are constants. (12) implies that Pattern-D contains 32 different assignments of cube variables depending on γ ∈ {0, 1} 5 .  Table 11. Additionally, we assign more V 1 -variables depending on δ as follows.
The other bits of S 0 are constants. (13) implies that Pattern-E contains 256 different assignments of cube variables depending on δ ∈ {0, 1} 8 . Table 12 lists 11 conditions of Pattern-E with δ for satisfying Requirement 3. Then, we get Lemma 5.  Table 12 are true.
Proof: We concentrate on showing that a quadratic term v 60 v i for v i ∈ V 1 appears on S 1.5 if all the conditions on column #60 of S 0 are true and δ is wrong. When all the conditions on column #60 of S 0 are true, by (1), S 0.5 [2][60] contains v 60 only as a linear term and the other bits of the column #60 of S 0.5 are constant. After the p L layer, S 1 [2][60], S 1 [2][59] and S 1 [2][54] contain v 60 as a linear term.
Similarly to the proof of Lemma 2, we can show that v 60 v 0 appears on the column #54 of S 1.5 when δ 0 = S 0 [3][0]⊕ S 0 [4][0], that v 60 v 5 appears on the column #59 of S 1.5 when [5], that v 60 v 6 appears on the column #60 of S 1.5 when δ 2 = S 0 [3][6] ⊕ S 0 [4] [6], that v 60 v 7 appears on the column #54 of S 1.5 when [7], that v 60 v 12 appears on the column #59 of S 1. 5  TABLE 9. Assignment of V 1 -variables for Pattern-D.  The remaining of the proof is similar to that of Lemma 1.

F. A FAMILY OF PATTERNS Pattern-F
We denote a cube variable assigned to bits of the column #i for 0 ≤ i ≤ 63 of the initial state S 0 by v i . We define a family of patterns, {Pattern-F(t)} for t ∈ {0, 1, . . . , 63}. Pattern-F(t) has 40 cube variables. v t is the only V 0 -variable of Pattern-F(t) and assigned as S 0 [0][t] = v t . We define the set V 1 (t) of the V 1 -variables of Pattern-F(t) as The other bits of S 0 are constants. Table 13 lists 13 conditions of Pattern-F(t) for satisfying Requirement 3. Then, we get Lemma 6.   [3][t + 54] contain v t as a linear term, too. Likewise, it is easy to see that the other bits in columns #t, #(t +3), #(t +25), #(t + 36), #(t + 45), #(t + 47), and #(t + 54) are constants. Therefore, by (1), no multiplication between v t and v i for any i ∈ I t ∪ J t appears on S 1.5 and S 2 .
Next, we consider the case that not all conditions in Table 13 are true. It can be split into two subcases as follows: • Subcase 1: If any of the conditions on the column #t of S 0 is false, then v t v i for some i ∈ I t appears on S 2 . This is proved similarly to that given in Appendix VI-A.
• Subcase 2: If all conditions on the column #t of S 0 are true, but any of the other conditions is false, then v t v j for some j ∈ J t appears on S 2 . This is proved similarly to that given in Appendix VI-B. Therefore, the proof is completed.
Additionally, we define Pattern-F(t, G) as the cube pattern having v t as the only V 0 -variable and {v i } i∈I t ∪G as V 1 -variables, where G ⊂ J t . Lemma 6 also implies that Pattern-F(t, G) satisfies Requirement 3 if and only if all conditions of the columns #j (j ∈ G) of the state S 0 in Table 13 are true.

IV. CONDITIONAL CUBE ATTACK ON Ascon-128a
We assume that the AD A is empty. Let S 0 = S 0 [0] · · · S 0 [4] be the input state to the Ascon permutation for the first block of plaintext in the encryption phase. Because of the rate r = 128 for Ascon-128a, we can control or know values of S 0 [0] S 0 [1]    Ascon-128a, and how the key recovery attack in Section IV-B recovers the secret key K for ( , 7, )-round Ascon-128a based on the knowledge of the recovered state S 0 .

A. STATE-RECOVERY ATTACK
Our state-recovery attack on Ascon-128a recovers 192 bits [4] of the state S 0 by using Pattern-A, Pattern-B, Pattern-C, Pattern-D, and Pattern-E in this order. We construct cubes based on them. Since we have λ = 1 and µ = 63 for each pattern, we have n = 5 and so, by Theorem 1, the cube-sums corresponding to the patterns after Round6 of Ascon permutation would be zero if all conditions for them are satisfied. Figure 5 shows how we use these patterns. The conditions which are highlighted with gray color were already defined from the previous pattern. We expect each of the conditions which are highlighted with a black-line box be satisfied with probability 1 2 . In total, 74 different conditions should be satisfied for success of the attack.
In order to make a cube, for the same nonce N , we choose the first plaintext blocks such that the cube variables on S 0 [0] S 0 [1] are activated and the other bits on S 0 [0] S 0 [1] are constants. The second plaintext blocks can be any values. Then, we check whether the cube-sum is zero by using the knowledge of plaintexts and ciphertexts in the second block. Namely, we use online cubes and online cube-sum computations.
The procedure of our state-recovery attack on ( , 7, )-round Ascon-128a consists of five steps as depicted in Figure 6, and is described as follows.
Step 1. We make a cube for Pattern-A and check whether its cube-sum on S 7 [0] S 7 [1] is zero, where S 7 is the state right after Round6 and the first two rows of the output of p 7 in the first block of the encryption phase. We repeat this process until a zero cube-sum is found, by choosing the nonce N randomly. Since the all the 38 conditions in Table 4 hold with the probability 2 −38 , on average, we expect 2 38 iterations for it. With each N , we choose 2 64 two-block plaintexts of the form P = P 1 P 2 where P 1 's are used for constructing a cube and (P 2 , C 2 )'s are used for evaluating the cube-sum. In particular, to minimize the data complexity, we choose the last plaintext block P 2 's with Len(P 2 ) = 127. It implies that we can check the cube-sum for 127 bits at the output of p 7 . We expect that Step 1 require 2 102 (= 2 38 × 2 64 ) plaintexts, while the chance that false conditions make such a cube-sum to be zero is negligible. If we find a zero cube-sum, we go to Step 2 together with the corresponding nonce N , which we denote by N zero .
Step 2. We make cubes for Pattern-B with N zero . Pattern-A and Pattern-B share 8 conditions, highlighted with gray color in Pattern-B column in Figure 5. Guessing α ∈ {0, 1} 7 , we try at most 2 7 cubes. If we find a zero cube-sum on S 7 [0] S 7 [1], we go to Step 3. Otherwise, we go to Step 1. So, Step 2 requires at most 2 71 (= 2 7 × 2 64 ) two-block plaintexts. Since Step 1 ensures those common conditions are true, we only need to consider the remaining 4 conditions for Pattern-B. Therefore, we go to Step 3 with the probability of 2 −4 .  Step 3. We make cubes for Pattern-C with N zero . Pattern-C shares 10 conditions with previous patterns, highlighted with gray color in Pattern-C column in Figure 5. Letting (β 5 , β 3 , β 0 ) = (α 5 , α 3 , α 0 ) and guessing (β 4 , β 2 , β 1 ) ∈ {0, 1} 3 , we try at most 2 3 cubes. If we find a zero cube-sum on S 7 [0] S 7 [1], we go to Step 4. Otherwise, we go to Step 1. So, Step 3 requires at most 2 67 (= 2 3 × 2 64 ) two-block plaintexts. Since Step 2 ensures those common conditions are true, we only need to consider the remaining 3 conditions for Pattern-C. Therefore, we go to Step 4 with the probability of 2 −3 .
Step 4. We make cubes for Pattern-D with zero. Pattern-D shares 7 conditions with previous patterns, highlighted with gray color in Pattern-D column in Figure 5. Letting γ 0 = β 0 and guessing (γ 4 , . . . , γ 1 ) ∈ {0, 1} 4 , we try at most 2 4 cubes. If we find a zero cube-sum on S 7 [0] S 7 [1], we go to Step 5. Otherwise, we go to Step 1. So, Step 4 requires at most 2 68 (= 2 4 × 2 64 ) two-block plaintexts. Since Step 3 ensures those common conditions are true, we only need to consider the remaining 7 conditions for Pattern-D. Therefore, we go to Step 5 with the probability of 2 −7 .
Step 5. We make cubes for Pattern-E with zero. Pattern-E shares 10 conditions with previous patterns, highlighted with gray color in Pattern-E column in Figure 5. Letting δ 3 = α 1 and guessing (δ 7 , . . . , δ 4 , δ 2 , . . . , δ 0 ) ∈ {0, 1} 7 , we try at most 2 7 cubes. If we find a zero cube-sum on S 7 [0] S 7 [1], we return 74 bits of secret information of S 0 [2] S 0 [3] S 0 [4] because the number of essentially considered conditions from Pattern-A to Pattern-E is 53 and the number of essentially guessed bits Step 2 to Step 5 is 21. Otherwise, we go to Step 1. So, Step 5 requires at most 2 71 (= 2 7 ×2 64 ) two-block plaintexts. Since Step 4 ensures those common conditions are true, we only need to consider the one remaining condition for Pattern-E. Therefore, we terminate this procedure and get the 74-bit information of S 0 [2] S 0 [3] S 0 [4] with the probability of 2 −1 .
Note that the nonce N is randomly chosen for different cubes. Therefore, this attack requires the data complexity of 2 117 two-block plaintexts because Step 1 requires the data complexity of 2 102 and is repeated 2 15 (= 2 4 × 2 3 × 2 7 × 2). After recovering 74 bits of S 0 [2] S 0 [3] S 0 [4], we recover the remaining 118 bits of S 0 [2] S 0 [3] S 0 [4] through an exhaustive search by using a plaintext P = P 1 P 2 and the corresponding ciphertext C = C 1 C 2 . Considering the discussion about time complexity in Section II-C, we estimate its time complexity as 2 116.2 (≈ 2 118 × 7/24).

B. KEY RECOVERY ATTACK
We assume that the full information of the state right after the initialization phase is recovered by the state-recovery attack in Section IV-A and that we reuse the nonce value N zero such that the recovered state information is fixed during the key recovery attack. The attack consists of online and offline phases, and requires the memory complexity of 2 32 256-bit values. Since the state-recovery attack must be preceded for the key recovery attack and the complexity of the former largely dominates that of the latter both in data and time, VOLUME 11, 2023 we do not specifically explain any cost except memory in Sections IV-B1 and IV-B2.

1) ONLINE PHASE
Let X Y Z be the state right after the encryption phase, where X and Y are 128 bits and Z is 64 bits, as you see Figure 7. We construct a two-block plaintext as follows.
The first 128-bit block P 1 is randomly chosen. Since we know the state value after the initialization phase, we can use P 1 to get the output state of the permutation p 7 by offline computation. P 2 is chosen as the 127-bit value for which the padded last block P 2 1 is XORed with the first 128 bits of the output state of the permutation p 7 to fix the most significant 127 bits of X to a certain value. After this computation, (X , Z ) is fixed to a certain 192-bit value (X 0 , Z 0 ) with the probability of 2 −65 . At cost of 2 97 operations of p 7 , we can collect 2 32 X 0 Y Z 0 's. We denote them by Then, by using the plaintexts P 1 P 2 's corresponding to {X 0 Y i Z 0 } 1≤i≤2 32 as an online query where the nonce is fixed, we get the tag corresponding to X 0 Y i Z 0 . Essentially, we only need to store {(Y i , T i )} 1≤i≤2 32 and (X 0 , Z 0 ) in a table Q.

2) OFFLINE PHASE
Let V be the 128-bit value such that V = Y ⊕ K for the 128-bit secret key K . Let W be the 64-bit value such that T = W ⊕ K for the tag T by Ascon-128a. As you see Figure 7, V and W are contained in the input and output states of the Ascon permutation p 12 in the finalization phase. Given X 0 and Z 0 which were computed from the online phase, we randomly choose 2 96 128-bit values of V j to get the corresponding W j 's by the offline computation of p 12 (X 0 V j Z 0 ). Since we have 2 32 tuples of (Y i , T i )'s and tuples of 2 96 (V j , W j ) and (14) holds with the probability of 2 −128 , we expect to get one match.
Then, we expect to obtain the right key value for K by computing the form of Y i ⊕ V j . We can run this process without any additional memory.

3) COMPLEXITY
We should consider that the full-state-recovery attack must precede the key recovery attack. Therefore, we estimate the total cost for the key recovery attack on the ( , 7, )-round Ascon-128a as the data complexity of 2 117 , the time complexity of 2 116.2 , and the memory complexity of 2 32 .

V. CONDITIONAL CUBE ATTACK ON Ascon-128 AND Ascon-80pq
We assume that the AD A is empty.  The procedure of the state-recovery attack on ( , 6, )-round Ascon-128 or Ascon-80pq consists of four steps and is described as follows.
Step 1. We use Pattern-F(0, G) by defining G = {7, 17, 19, 28} ⊂ J 0 . We choose a nonce N randomly, make a cube for Pattern-F(0, G), and check whether its cube-sum on S 6 [0] is zero, where S 6 is the state right after Round5 and the first row of the output of p 6 in the first block of the encryption phase. We repeat this process until a zero cube-sum is found, by choosing the nonce N randomly. Since the five conditions related to v 0 , v 7 , v 17 , v 19 and v 28 in Table 13 hold with the probability of 2 −5 , on average, we expect 2 5 iterations for it. With each N , we choose 2 32 two-block plaintexts of the form P = P 1 P 2 where P 1 's are used for constructing a cube and (P 2 , C 2 )'s are used for evaluating the cube-sum. So, we expect Step 1 require 2 37 (= 2 5 × 2 32 ) plaintexts, while the chance that false conditions mask such a cube-sum to be zero is negligible. If we find a zero cube-sum, we go to Step 2 together with the corresponding nonce N zero .
We make a cube for Pattern-F(0, G) with N zero by redefining G such that the element i 0 is replaced with any other element in J 0 \ A and by choosing 2 32 two-block plaintexts similarly to Step 1. If the cube-sum on S 6 [0] is zero, we guess the condition corresponding to i 0 is true. Otherwise, we guess the condition corresponding to i 0 is wrong.
We repeat the above process by updating A ← A ∪ {i 0 } until we get information of all conditions corresponding to J 0 . Since we need 8 iterations, we expect Step 2 require 2 35 (= 8×2 32 ) plaintexts. At the end of Step 2, we have 13-bit [4], and go to Step 3.
Then, with an index t such that S 0 [1][t] = 0, we define G as the set of any four elements randomly selected from J t , make a cube for Pattern-F(t, G), and check whether its cube-sum on S 6 [0] is zero.
If the cube-sum is nonzero, we try the above process by selecting any other four elements from J t to redefine G. Since the number of ways to choose 4 out of 12 indices is 12 4 = 495, we should repeat the above process at most 495 times for finding a zero cube-sum. However, since a cube has a zero cube-sum with the high probability of 92.7%, we expect the number of iterations to average 16. It requires 2 36 = 2 4 × 2 32 plaintexts.
If we do not find any zero cube-sum, we apply a new cube for Pattern-F(t, G) with a different t to the above process. If a zero-sum is found, we go to Step 4 together with t.
Step 4 is similar to Step 2. Let A = G. We select an index i 0 from A, and do the followings.
We make a cube for Pattern-F(t, G) with N zero by redefining G such that the element i 0 is replaced with any other element in J t \ A. If the cube-sum on S 6 [0] is zero, we guess the condition corresponding to i 0 is true. Otherwise, we guess the condition corresponding to i 0 is wrong.
We repeat the above process by updating A ← A ∪ {i 0 } until we get information of all conditions corresponding to J t . Since we need 8 iterations, we expect it require 2 35 (= 8×2 32 ) plaintexts.
We repeat these Steps 3 and 4 31 times to collect secret information of (S 0 [1] We expect around 32 patterns among 64 patterns in  with both data complexity and time complexity of 2 39.6 . Ours and Baudrin et al.'s attacks can be also applied to Ascon-80pq.

B. KEY RECOVERY ATTACK ON Ascon-80pq
We assume that the full state information is already recovered with the empty AD A by Baudrin et al's attack [1] and that we know the nonce N zero related to the recovered information. We describe the key recovery attack on Ascon-80pq based on the state information. The attack recovers the 160-bit secret key through online and offline phases. We reuse the nonce value N zero such that the recovered state information is fixed during the key recovery attack.

1) ONLINE PHASE
Let X Y Z be the state right after the encryption phase, where X is 64 bits, Y is 160 bits, and Z is 96 bits, as you see Fig. 8. We need 2 32 X Y Z 's for the next attack phase, where X and Z are fixed. Note that we know the state value after the initialization phase. We can compute them with four-block plaintext P = (P 1 , P 2 , P 3 , P 4 ) at cost of 2 129 offline computations of p 6 , as follows. Firstly, we perform two operations for the first p 6 permutation with two randomly chosen 64-bit values for P 1 . Secondly, for two output states of the first p 6 permutation, we perform 2 64 operations for the second p 6 permutation with all possible 2 64 64-bit values for P 2 . Thirdly, for the 2 65 output states of the second p 6 permutation, we perform 2 64 operations for the third p 6 permutation with all possible 2 64 64-bit values for P 3 . Finally, for the 2 129 output states of the third p 6 permutation, we choose the 63-bit values for P 4 such that the most significant 63 bits of X is fixed to a certain 63-bit value. After these computations, for a fixed 160-bit value (X 0 , Z 0 ), we obtain 2 32 X 0 Y Z 0 's because each P leads to (X 0 , Z 0 ) with the probability of 2 −97 .
We denote the computed X 0 Y Z 0 's by {X 0 Y i Z 0 } 1≤i≤2 32 . Then, by using the plaintexts P 1 P 2 P 3 's corresponding to {X 0 Y i Z 0 } 1≤i≤2 32 as online queries where the nonce is fixed, we get {(X 0 Y i Z 0 , T i )} 1≤i≤2 32 , where T i is the tag corresponding to X 0 Y i Z 0 . Essentially, we only need to store {(Y i , T i )} 1≤i≤2 32 and (X 0 , Z 0 ) in a table Q.

2) OFFLINE PHASE
Let V be the 160-bit value such that V = Y ⊕ K for the 160-bit secret key K . Let W be the 128-bit value such that T = W ⊕ LSB 128 (K ) for the tag T by Ascon-80pq. As you see Figure 8, V and W are contained in the input and output states of the Ascon permutation p 12 in the finalization phase.
Given X 0 and Z 0 which were computed from the online phase, we randomly choose 2 128 160-bit values of V j to get the corresponding W j 's by the offline computation of p 12 (X 0 V j Z 0 ). Since we have 2 32 tuples of (Y i , T i )'s and tuples of 2 128 (V j , W j ) and (15) holds with the probability of 2 −128 , we expect to get 2 32 matches.
Then, we expect to obtain the right key value for K by testing 2 32 candidates with the form of Y i ⊕ V j . We can run this process without any additional memory.

3) COMPLEXITY
We should consider that the full-state-recovery attack must precede the key recovery attack. Therefore, considering the discussion about time complexity in Section II-C, we estimate the total cost for the key recovery attack on the fullround Ascon-80pq as the data complexity of 2 39.6 , the time complexity of 2 128 (≈ 2 129 × 6/24 + 2 128 × 12/24), and the memory complexity of 2 32 .

VI. CONCLUSION
In this paper, we study the resistance of the Ascon family against conditional cube attacks in nonce-misuse setting, and present new state-and key-recovery attacks. In particular, our attack results on Ascon-128a are the best known ones as far as we know, while violating the data limit 2 64 imposed by designers. Although our attacks do not invalidate designers' claim, those allow us to understand the security of Ascon in nonce-misuse setting.
linear term. After p S operation on the state S 1 , the product between S 1 [2][53] and S 1 [3][53] appears on the column #53 of S 1.5 , which contains v 63 v 59 and v 63 v 54 , and the product between S 1 [2][46] and S 1 [3][46] appears on the column #46 of S 1.5 , which contains v 63 v 52 .

B. PROOF OF SUBCASE 2
Since the conditions on the column #63 of S 0 are true, by (1) [2][57] contain v 63 as a linear term. Then, for any i = 63, if any condition on the column #i of S 0 in Table 4 is false, then the V 1 -variable v i appears as a linear term on the columns #63, #62, #57, #44, or #35 of the state S 1 , It is followed by the appearance of the quadratic term v 63 v i appear on the states S 1.5 and S 2 . Table 14 summarizes (i, j)'s such that v 63 v i appears on the column #j of S 1.5 if any condition on the column #i for nonzero i of S 1 in Table 4 is false. Note that j ∈ {35, 44, 57, 62, 63}. With Table 14 we can conclude the proof because it implies a quadratic term v 63 v i for some nonzero i also appears on the state S 2 under the same assumption.