Abstract
Ascon is a family of lightweight authenticated encryption and hashing algorithms, which is a finalist in the NIST Lightweight Cryptography competition. We study the Ascon algorithm from the perspective of algebraic cryptanalysis based on the MRHS representation of the cipher. We call such an approach an MRHS cryptanalysis.
We represent the system on the gate level (focusing on individual AND-gates) and the S-box level (basing MRHS equations on 5-bit S-boxes). We compare the results from the application of two custom MRHS solvers. The RZ solver is based on linear algebra and exhaustive search. The HC solver is based on adaptive bit-flipping with restarts.
We show that both the choice of the solver and the choice of the system representation influence the total complexity of the attack. On the other hand, these choices do not change the fundamental properties of the attack, such as scaling with the amount of information the attacker possesses. A similar assessment holds for using a scaled-down version of Ascon for the experiments. Our method can be used for the experimental evaluation of cipher designs against algebraic attacks.