Differential-linear cryptanalysis of ascon and drygascon

Civek, Aslı Başak
Due to rapidly developing technology, devices have become smaller along with their performance capacity and memory. If possible, existing NIST-approved encryption standards should be used on these resource-constrained devices. When an acceptable performance cannot be achieved in this way, there is a need for more lightweight algorithms. Since taking individual measures leads to simplistic designs when designing lightweight algorithms, ciphers can become more vulnerable to cryptographic attacks. Hence some regulation is necessary. To satisfy this need, NIST has decided to start a lightweight cryptography competition to select one or more lightweight algorithms. In this study, we examined Second Round NIST Lightweight Cryptography Standardization Competition candidates to contribute to the course of the competition. Then we focused on two different but structurally very similar cipher suites Ascon and Drygascon to compare their security. We observed 2, 3, 3.5-round truncated differential and 5-round differential-linear distinguishers that were given for Drygascon are erroneous. We present the corrected results and provide the longest practical differential-linear distinguisher of Drygascon. After that, we compared the security of Ascon and Drygascon. We observed that the practical data complexity of the two is very close. However, since Ascon has more rounds than Drygascon, we concluded that Ascon might be more resistant against differential-linear cryptanalysis.
Citation Formats
A. B. Civek, “Differential-linear cryptanalysis of ascon and drygascon,” M.S. - Master of Science, Middle East Technical University, 2021.