Recent ascon standardization w.r.t quantum resistance


Thomas Braun

Feb 8, 2023, 2:21:05 PM
to pqc-forum
NIST has recently standardized Ascon as a "lightweight" symmetric cipher scheme. Would the quantum resistance be similar to the quantum resistance provided by other symmetric ciphers like AES and ChaCha20-Poly1305?

Mike Hamburg

Feb 8, 2023, 3:44:10 PM
to Thomas Braun, pqc-forum
Hi Thomas,

Ascon is weaker than AES, in that AES and ChaCha/Poly support 256-bit keys.  Ascon supports only 128-bit, or in “Ascon80pq” mode, 160-bit keys.

I haven’t seen a detailed analysis of Ascon’s resistance to quantum attack to justify the 80-bit post-quantum security claim.  If anyone has one, I’d be interested to see it.  As I understand it, quantum resistance is largely an afterthought with the lightweight competition.

If the best attack on Ascon80pq is Grover on the key, then it’s really more like 100 bits since 2^80 is an unrealistic depth limit, and that’s before counting any of the overhead from the quantum computer itself.  So while not as strong as AES-{192,256} or ChaCha, it would probably be resistant enough for less-important secrets for a few decades even if a cryptographically relevant QC can be built in that time.  But I have no idea if that’s the best quantum attack.

Regards,
— Mike


--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/6a48cde6-72c9-4e4d-98be-a240110f1759n%40list.nist.gov.
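The depth-limited Grover estimate discussed above, as an added worked example that is not from the thread or from NIST: it models parallel Grover search under a maximum circuit depth, which is where a "2^160 / depth" figure comes from, and shows why a 2^80 depth limit gives 80 bits while a lower limit gives more. The depth values other than 2^80 and the cipher list are constructed for illustration.

```python
def grover_cost_bits(key_bits: int, max_depth_bits: float) -> tuple:
    """Log2 of the total Grover work to recover a key_bits-bit key when no
    single quantum circuit may run longer than 2**max_depth_bits sequential
    steps (a MAXDEPTH-style limit). Returns (work_bits, machines_bits).

    Model (a lower bound: one Grover iteration is counted as one step, so the
    cost of the cipher circuit itself is not included):
      * unconstrained Grover needs about 2**(key_bits/2) sequential iterations;
      * if that exceeds the depth limit D, split the keyspace over p machines,
        each searching 2**key_bits / p keys in sqrt(2**key_bits / p) steps;
        setting that equal to D gives p = 2**key_bits / D**2 and total
        work p * D = 2**key_bits / D.
    """
    serial_bits = key_bits / 2
    if max_depth_bits >= serial_bits:
        return serial_bits, 0.0            # one machine, no parallel penalty
    machines_bits = key_bits - 2 * max_depth_bits
    return key_bits - max_depth_bits, machines_bits


# Constructed comparison set; key sizes are the ciphers' nominal key lengths.
CIPHERS = {"Ascon-80pq": 160, "Ascon-128": 128, "AES-128": 128,
           "AES-192": 192, "AES-256": 256, "ChaCha20": 256}


def compare(depth_bits: float) -> dict:
    """Effective quantum security (log2 total work) per cipher at one depth limit."""
    return {name: grover_cost_bits(k, depth_bits)[0] for name, k in CIPHERS.items()}


if __name__ == "__main__":
    # 2^80 is the depth the thread calls unrealistic; 2^60 and 2^40 are
    # constructed tighter limits to show how the effective security rises.
    for d in (80, 60, 40):
        print(f"depth limit 2^{d}:", compare(d))
```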

Mike Hamburg

Feb 9, 2023, 8:49:04 AM
to Anubhab Baksi, pqc-forum <pqc-forum@list.nist.gov>
On Feb 9, 2023, at 10:40 AM, Anubhab Baksi <anubha...@ntu.edu.sg> wrote:

This paper might be of interest to you...? By the way, we have already found some improvements.

Hi Anubhab,

Yes, this is interesting, though it’s only one piece of the puzzle: an estimate of the cost of running the permutation on a quantum computer.

The other and likely more impactful question is, how many times must an attacker run the permutation, and at what depth, for a brute-force attack to succeed with whatever probability?  This is claimed as “2^80” but is it 2^160 / depth, or 2^128 / sqrt(depth), or something else?  And how certain are we in those estimates?

I don’t expect that anyone has yet analyzed the security of the permutation itself against quantum attack, but even in the QROM, what are the best attacks / best lower bounds on the mode?

For hashing modes, there is at least some material to start on from Keccak’s evaluation, such as https://eprint.iacr.org/2017/771.pdf, but I’m not familiar with sponge AEAD evaluations to know the state of the art.

Thanks,
— Mike

Thomas Braun

Feb 14, 2023, 7:54:05 AM
to pqc-forum, Mike Hamburg, pqc-forum <pqc-forum@list.nist.gov>, Anubhab Baksi
Hi Mike,

Thanks for the reply.

Since there is a lifetime of "decades" (assuming the state of the art with respect to public-sector knowledge is indeed state of the art, which it usually isn't) for the security of Ascon128, we should assume that Ascon is not meant for protecting data that requires a longer security lifetime (e.g., social security numbers, military data, bank routing numbers, etc).

Blumenthal, Uri - 0553 - MITLL

Feb 14, 2023, 7:58:49 AM
to Thomas Braun, pqc-forum

Since there is a lifetime of "decades" (assuming the state of the art with respect to public-sector knowledge is indeed state of the art, which it usually isn't) for the security of Ascon128, we should assume that Ascon is not meant for protecting data that requires a longer security lifetime (e.g., social security numbers, military data, bank routing numbers, etc).

And this is the problem with the NIST choice of a winner that does not provide 256-bit key option.

P.S. I understand that some “lightweight” use cases do not need a 256-bit key. But enough of them do… NIST, I’m surprised.

