1 Introduction

The Sponge function, initially proposed by Bertoni et al. at the ECRYPT Hash Workshop [3], serves as a mode of operation for variable output-length hash functions and has gained significant popularity. This is evident from the numerous Sponge-based constructions submitted to the NIST SHA-3 competition, with Keccak [7] being the notable winner. At a high level, a Sponge construction utilizes a fixed permutation \(\pi \) of size b and a b-bit state, which is divided into a c-bit capacity and an \(r:=(b-c)\)-bit rate. The Sponge construction begins by initializing the state to zero and padding the input message using a padding function, followed by dividing it into r-bit blocks. Then the absorption phase commences, where the message blocks are XOR-ed into the rate part of the state, interleaved with applications of \(\pi \). Once the absorption phase is complete, the squeezing phase begins. In this phase, the first r bits of the state are output as output blocks, again interleaved with applications of \(\pi \).

The Duplex construction [4] is a variant of the Sponge construction and serves as a widely used approach for constructing authenticated encryption schemes. The Duplex construction maintains a state between calls and processes input strings while producing output strings that depend on all previously received inputs. At a high level, the Duplex mode is a stateful construction that comprises an initialization interface and a duplexing interface. Initialization creates an initial state using the underlying permutation \(\pi \), and each duplexing call to \(\pi \) absorbs and squeezes r bits of data. The use of the keyed Duplex approach in constructing authenticated encryption modes is evident from the numerous submissions to competitions like CAESAR (including the winner Ascon [13, 14]) and the recently concluded NIST LwC competition (with 26 Duplex-type submissions in total, notably including the winner Ascon). The security analysis of keyed Duplex-type AEAD modes involves two parameters: the data complexity D (the total number of initialization and duplexing calls to \(\pi \)) and the time complexity T (the total number of direct calls to \(\pi \)).

1.1 Ascon

Ascon was initially introduced as a candidate in Round 1 of the CAESAR competition [11]. Subsequent versions (v1.1 and v1.2) incorporated minor modifications to the original design (version 1 [14]). The latest version (v1.2 [13]), declared as the winner of the NIST Lightweight Cryptography (LwC) project [20], includes the Ascon-128 and Ascon-128a authenticated ciphers, as well as the Ascon-Hash hash function and the Ascon-Xof extendable output function. All the schemes in the suite ensure 128-bit security and utilize a common 320-bit permutation internally, enabling the implementation of both duplex-based AEAD and sponge-based extendable-output hashing with a single lightweight primitive.

The authenticated encryption mode of Ascon is based on the duplex construction [4], specifically the MonkeyDuplex construction [6]. However, unlike MonkeyDuplex, Ascon's mode employs double-keyed initialization and double-keyed finalization to enhance its robustness. For a detailed description of the Ascon AEAD mode, please refer to Sect. 4.

1.2 Existing Security Analysis

Previous analyses of Ascon predominantly regard it as a variant of the Duplex construction (as indicated in [13]); no security analysis dedicated specifically to Ascon is available in the literature. Hence, we briefly discuss the security bounds of generic Duplex constructions here. At a high level, the Sponge construction is known to achieve \(2^{c/2}\) bits of security, where c is the capacity of the Sponge. This security level has been extended to its keyed variations, such as MonkeyDuplex. The first result indicating that duplex-based modes can provide security beyond the birthday bound on the capacity c was by Bertoni et al. [5]. However, they could achieve this only when the time complexity (roughly, the number of permutation computations an adversary performs) remains well below \(2^{c/2}\). In fact, the dominating term in their security analysis was

$$\frac{D^2+DT}{2^c},$$

where D is the data complexity and T is the time complexity. In 2014 [16], and later in 2019 [17], Jovanovic et al. achieved an improved security bound of the form

$$\frac{(D+T)q_d}{2^c}$$

where \(q_d\) is the number of decryption queries. Andreeva et al. [2] show that the time complexity can be made close to \(2^c/\mu \), where \(\mu \) is the total multiplicity (i.e., the number of queries with a repeated nonce). As the nonce is allowed to repeat in decryption queries, \(\mu \) can be as large as \(q_d\) (the number of decryption queries). Hence, their security bound is essentially of the form

$$\frac{q_d T}{2^c}.$$

Considering the full-state keyed Duplex, Daemen et al. [12] establish stronger bounds for the Duplex mode of operation. These bounds are based on comparing the Duplex mode to an Ideal Extendable Input Function (IXIF). They also work in a multi-user setting and take into account both respectful and misusing adversaries. The results indicate that the data limit or key could potentially be increased further. One of the dominating terms in their security bound is \(\frac{LT}{2^c}\), where L represents the number of construction queries that have some common prefix with some prior query. Since the nonce is allowed to repeat in decryption queries, an adversary can easily achieve \(L = q_d\) (the number of decryption queries), so their bound essentially reduces to \(\frac{q_dT}{2^c}\).

Recently, Chakraborty et al. [9] introduced a generic AEAD construction called the Transform-then-Permute (TtP) construction. They demonstrated that well-known constructions such as the keyed Sponge Duplex construction, Beetle [8], and SpoC [1] can be viewed as specific examples of this generic construction. In their work, they provided rigorous proof for a tight security bound of the TtP construction in the form of \(\frac{\mu _{T}D}{2^c}+\) other smaller order terms, where \(\mu _T\) is a parameter defined in their paper [9]. For a special class of TtP constructions where the decryption feedback function (defined in their paper) is invertible, they showed that \(\mu _T = \mathcal {O}\left( \max \{T/2^r, T/2^\tau , T^2/2^b\}\right) \). This result indicates that these constructions achieve security levels much higher than \(q_d T /2^c\) when D (data complexity) is significantly smaller than T (time complexity). Importantly, this holds true for the upper limits of D and T as specified by the NIST guidelines for Lightweight Cryptography (LwC). However, for other TtP constructions, such as the keyed Sponge Duplex and Ascon constructions, where the decryption feedback function is not invertible, bounding \(\mu _T\) was left as an open problem for future research.

In a concurrent work [18], Mennink and Lefevre also presented a dedicated security analysis of Ascon. While they focus on a different setting (authenticity under nonce misuse and state recovery, multi-user security), they could show the impact of strengthened initialization and finalization of Ascon in the case of authenticity under state recovery. However, in the case of conventional single-user nonce-based authenticity, their bounds reduce to \(\frac{q_dT}{2^c}\).

As observed, a common constraint in the existing analyses of Ascon, as well as other Duplex constructions, is the condition \(DT \ll 2^c\), or similar variants where D may be replaced by \(q_d\). It is important to note that no forgery attack matching this bound has been discovered. Notably, the best-known attack on Duplex constructions by Gilbert et al. [15] establishes a lower bound of the form \(DT \gg 2^{3c/2}\).

1.3 Our Contribution

In this paper, motivated by the recently concluded NIST LwC competition, we try to provide an improved security bound for the Ascon AEAD mode. As already stated above, previous analyses of Ascon have treated it as a variant of the Duplex construction, overlooking its unique key robustness features, namely the double-keyed initialization and double-keyed finalization.

Our analysis establishes a tight security bound, considering the tag size \(\tau \) bits, key size \(\kappa \) bits, capacity c bits, and state size b bits. The derived bound is given by

$$\begin{aligned} \frac{T}{2^{\min \{\kappa ,c\}}}+\frac{D}{2^{\min \{\tau ,c\}}}+\frac{DT}{2^b}. \end{aligned}$$

Comparing our result with the recent analysis by Gilbert et al. [15], it becomes evident that Ascon surpasses other generic Duplex constructions in terms of security, solidifying its status as a true champion. Notably, our proof leverages the double-keyed finalization process of Ascon during tag generation, which plays a vital role in achieving such a tight and improved security bound. It should be emphasized that our proof methodology is not applicable to classical sponge constructions, as they do not incorporate a key at the final stage. Furthermore, the recent attack by Gilbert et al. [15] conclusively demonstrates that Ascon consistently offers higher security than other sponge-based modes of operation.

Lastly, in the context of NIST LwC requirements (\(D \le 2^{53}, T\le 2^{112}\), \(\kappa \ge 128\), \(\tau \ge 64\)), our conclusion is that a capacity size of \(c = 128\) (given \(b=320\)) and \(\tau =64\) is sufficient to ensure adequate security for Ascon. This choice enables a higher rate of 192 bits, thereby significantly enhancing efficiency without compromising security within the random permutation model. We believe this represents a substantial improvement compared to existing analyses.

1.4 Organization of the Paper

In Sect. 2, we define the basic notations used in the paper. We give a brief description of the AEAD security in the random permutation model, and also briefly describe the H-coefficient technique. Additionally, in Sect. 3, we elaborate on function graph structures that play a crucial role in our subsequent analyses. Moving forward, in Sect. 4, we present a detailed examination of the Ascon AEAD scheme. We present our primary result, the security bound of Ascon, and establish its significance in relation to the NIST LwC criteria. To support our claims, we provide an interpretation of our findings within the context of the NIST guidelines. In Sect. 5, we present a rigorous proof of our main theorem, using the H-coefficient technique. Finally, in Sect. 6, we discuss the tightness of our bound, and conclude the paper.

2 Preliminaries

2.1 Notations

For all \( a\le b \in \mathbb {N}\), let [b] and [a, b] denote the sets \(\{1,2,\ldots ,b\}\) and \( \{a,a+1,\ldots ,b\} \) respectively. For \(n,k \in \mathbb {N}\), such that \( n \ge k \), we define the falling factorial \( (n)_k := n(n-1)\cdots (n-k+1) \). Note that \( (n)_k \le n^k \).

Let \( \{0,1\}^n \) denote the set of bit strings of length n, and \(\{0,1\}^+\) denote the set of bit strings of arbitrary length. Let \(\lambda \) denote the empty string and we write \(\{0,1\}^* = \{\lambda \} \cup \{0,1\}^+\). For any bit string \(x = x_1 x_2 \cdots x_k \in \{0,1\}^k\) of length k, and for \(n \le k\), we write \( \lceil x \rceil _n := x_1 \cdots x_n\) (resp. \( \lfloor x \rfloor _n := x_{k-n+1} \cdots x_k\)) to denote the most (resp. least) significant n bits of x. We use \(\Vert \) to denote the bit concatenation operation. We also abuse the notation \((x_1, \ldots , x_r)\) to denote the bit concatenation operation \(x_1 \Vert \cdots \Vert x_r\) where \(x_i \in \{0,1\}^*\). So, if \(V := x \Vert z := (x, z) \in \{0,1\}^r \times \{0,1\}^c\) then \(\lceil V \rceil _r = x\) and \(\lfloor V \rfloor _c = z\). We use \(\oplus \) to denote bitwise xor operation.

Padding and Parsing a Bit String. Let \(r > 0\) be an integer and \(X \in \{0,1\}^*\). Let \(d = |X|\) mod r (the remainder while dividing |X| by r).

$$\textsf{pad}_1(X) = {\left\{ \begin{array}{ll} \lambda &{}\text { if } |X|=0 \\ X \Vert 1 \Vert 0^{r-1-d} &{} \text { otherwise} \end{array}\right. }$$

and

$$\begin{aligned} \textsf{pad}_2(X) = X \Vert 1 \Vert 0^{r-1-d}. \end{aligned}$$

Given \(X \in \{0,1\}^*\), let \(x = \lceil \frac{|X|+1}{r} \rceil \). We define \((X_{1}, \ldots , X_{x}) {\mathop {\leftarrow }\limits ^{r}}_* X\) where \(X_{1}\Vert \cdots \Vert X_{x} = X\), \(|X_1| = \cdots = |X_{x-1}| = r\) and

$$ X_x ={\left\{ \begin{array}{ll} \lambda &{}\text {if } |X|=r(x-1)\\ \lfloor X\rfloor _{|X|-r(x-1)}&{}\text {otherwise} \end{array}\right. }.$$

2.2 Authenticated Encryption with Associated Data: Definition and Security Model

An authenticated encryption scheme with associated data functionality (called AEAD in short), is a tuple of algorithms \( \textsf {AE} = (\textsf {E}, \textsf {D}) \), called the encryption and decryption algorithms, respectively, and defined over the key space \( \mathcal {K}\), nonce space \( \mathcal {N}\), associated data space \( \mathcal {A}\), message space \( \mathcal {M}\), ciphertext space \( \mathcal {C}\), and tag space \( \mathcal {T}\), where

$$\begin{aligned} \textsf {E}: \mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {M}\rightarrow \mathcal {C}\times \mathcal {T}\quad \text {and} \quad \textsf {D}: \mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {C}\times \mathcal {T}\rightarrow \mathcal {M}\cup \{\textsf{rej}\}. \end{aligned}$$

Here, \(\textsf{rej}\) indicates that the tag-ciphertext pair is invalid and hence rejected. Further, we require the correctness condition: \( \textsf {D} (K,N,A,\textsf {E} (K,N,A,M)) = M \) for any \( (K,N,A,M) \in \mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {M}\). For every key \( K \in \mathcal {K}\), we write \( \textsf {E} _K(\cdot ) \) and \( \textsf {D} _K(\cdot ) \) to denote \( \textsf {E} (K,\cdot ) \) and \( \textsf {D} (K,\cdot ) \), respectively. In this paper, we have \( \mathcal {K}= \{0,1\}^{\kappa }, \mathcal {N}= \{0,1\}^{\nu }, \mathcal {T}= \{0,1\}^{\tau }\) and \(\mathcal {A}, \mathcal {M}= \mathcal {C}\subseteq \{0,1\}^*\).

AEAD Security in the Random Permutation Model

For a finite set \( \mathcal {X}\), \( \textsf{X} {\mathop {\leftarrow }\limits ^{\$}}\mathcal {X}\) denotes the uniform and random sampling of \(\textsf{X} \) from \( \mathcal {X}\), and \(\textsf{X} {\mathop {\leftarrow }\limits ^{\textsf {wor}}}\mathcal {X}\) denotes without replacement sampling of \(\textsf{X} \) from \( \mathcal {X}\). Let \( \textsf{Perm}(b) \) denote the set of all permutations over \( \{0,1\}^b \) and \(\textsf{Func}(\mathcal {N}\times \mathcal {A}\times \mathcal {M}, \mathcal {M}\times \mathcal {T}) \) denote the set of all functions from \((N, A, M)\) to \((C, T)\) such that \(|C| = |M|\). Let

  • \(\mathsf {\Pi }{\mathop {\leftarrow }\limits ^{\$}}\textsf{Perm}(b)\),

  • \(\mathsf {\Gamma }{\mathop {\leftarrow }\limits ^{\$}}\textsf{Func}(\mathcal {N}\times \mathcal {A}\times \mathcal {M}, \mathcal {M}\times \mathcal {T})\), and

  • \(\textsf{rej}\) denotes the degenerate function from \((\mathcal {N},\mathcal {A},\mathcal {M},\mathcal {T}) \) to \( \{\textsf{rej}\} \).

We use the superscript \( \pm \) to denote bidirectional access to \( \mathsf {\Pi }\).

Definition 1

Let \( \textsf{AE}_\mathsf {\Pi }\) be an AEAD scheme based on the random permutation \( \mathsf {\Pi }\), defined over \( (\mathcal {K},\mathcal {N},\mathcal {A},\mathcal {M},\mathcal {T}) \). The AEAD advantage of an adversary \( \mathscr {A}\) against \( \textsf{AE}_\mathsf {\Pi }\) is defined as

$$\begin{aligned} \textbf{Adv}^{\textsf{aead}}_{\textsf{AE}_{\mathsf {\Pi }}}(\mathscr {A}) := \left| {\mathop {\Pr }\limits _{\begin{array}{c} \textsf{K} {\mathop {\leftarrow }\limits ^{\$}}\mathcal {K}\\ \mathsf {\Pi }^\pm \end{array}}\left[ \mathscr {A}^{\textsf {E} _{\textsf{K}},\textsf {D} _{\textsf{K}},\mathsf {\Pi }^\pm } = 1\right] } - {\mathop {\Pr }\limits _{\mathsf {\Gamma },\mathsf {\Pi }^\pm }\left[ \mathscr {A}^{\mathsf {\Gamma },\mathsf {\textsf{rej}},\mathsf {\Pi }^\pm } = 1\right] }\right| . \end{aligned}$$

Here \( \mathscr {A}^{\textsf {E} _{\textsf{K}},\textsf {D} _{\textsf{K}},\mathsf {\Pi }^\pm } \) denotes \( \mathscr {A}\)’s response after its interaction with \( \textsf {E} _{\textsf{K}} \), \( \textsf {D} _{\textsf{K}} \), and \( \mathsf {\Pi }^\pm \) respectively. Similarly, \( \mathscr {A}^{\mathsf {\Gamma },\mathsf {\textsf{rej}},\mathsf {\Pi }^\pm } \) denotes \( \mathscr {A}\)’s response after its interaction with \( \mathsf {\Gamma }\), \( \textsf{rej}\), and \( \mathsf {\Pi }^\pm \) respectively.

In this paper, we assume that the adversary is adaptive, that is, it neither makes any duplicate queries nor makes any query for which the response is already known from some previous query. Let \( q_e, q_d \) and \(q_p\) denote the number of queries to \( \textsf {E} _\textsf{K}, \textsf {D} _\textsf{K} \) and \(\mathsf {\Pi }^\pm \) respectively. Let \( \sigma _e \) and \( \sigma _d \) denote the sum of input (associated data and message) lengths across all encryption and decryption queries respectively. Also, let \( \sigma := \sigma _e + \sigma _d \) denote the combined construction query resources.

Remark 1

Here \( \sigma \) corresponds to the online or data complexity, and \( q_p \) corresponds to the offline or time complexity of the adversary. Any adversary that adheres to the resource constraints mentioned above is called a \( (q_p,\sigma _e,\sigma _d) \)-adversary.

2.3 H-Coefficient Technique

Consider a deterministic and computationally unbounded adversary \( \mathscr {A}\) trying to distinguish the real oracle (say \( \mathcal {O}_\textrm{re} \)) from the ideal oracle (say \( \mathcal {O}_\textrm{id} \)). Let the transcript \(\omega \) denote the query-response tuple of \( \mathscr {A}\)'s interaction with its oracle. Sometimes, at the end of the query-response phase of the game, the oracle chooses to reveal additional information to the distinguisher; the extended definition of the transcript then also includes that information. Let \( \varTheta _\textrm{re} \) (resp. \( \varTheta _\textrm{id} \)) denote the random transcript variable when \( \mathscr {A}\) interacts with \( \mathcal {O}_\textrm{re} \) (resp. \( \mathcal {O}_\textrm{id} \)). The probability of realizing a given transcript \( \omega \) in the security game with an oracle \( \mathcal {O}\) is known as the interpolation probability of \( \omega \) with respect to \( \mathcal {O}\). Since \( \mathscr {A}\) is deterministic, this probability depends only on the oracle \( \mathcal {O}\) and the transcript \( \omega \). A transcript \( \omega \) is said to be realizable if \( {\mathop {\Pr }\limits _{ }\left[ \varTheta _\textrm{id} = \omega \right] } > 0 \). In this paper, \( \mathcal {O}_\textrm{re} = (\textsf {E} _\textsf{K},\textsf {D} _\textsf{K},\mathsf {\Pi }^\pm ) \), \( \mathcal {O}_\textrm{id} = (\mathsf {\Gamma },\mathsf {\textsf{rej}},\mathsf {\Pi }^\pm ) \), and the adversary is trying to distinguish \( \mathcal {O}_\textrm{re} \) from \( \mathcal {O}_\textrm{id} \) in the AEAD sense.

Theorem 1

(H-coefficient technique [21, 22]). Let \( \varOmega \) be the set of all realizable transcripts. For some \( \epsilon _{\textsf{bad}}, \epsilon _{\textsf{ratio}}> 0 \), suppose there is a set \( \varOmega _\textsf{bad}\subseteq \varOmega \) satisfying the following:

  • \( {\mathop {\Pr }\limits _{ }\left[ \varTheta _\textrm{id} \in \varOmega _\textsf{bad}\right] } \le \epsilon _{\textsf{bad}}\);

  • For any \( \omega \notin \varOmega _\textsf{bad}\),

    $$\begin{aligned} \frac{{\mathop {\Pr }\limits _{ }\left[ \varTheta _\textrm{re} = \omega \right] }}{{\mathop {\Pr }\limits _{ }\left[ \varTheta _\textrm{id} = \omega \right] }} \ge 1-\epsilon _{\textsf{ratio}}. \end{aligned}$$

Then for any adversary \( \mathscr {A}\), we have the following bound on its AEAD distinguishing advantage:

$$\begin{aligned} \textbf{Adv}^{\textsf{aead}}_{\mathcal {O}_\textrm{re}}(\mathscr {A}) \le \epsilon _{\textsf{bad}}+ \epsilon _{\textsf{ratio}}. \end{aligned}$$

A proof of Theorem 1 can be found in multiple papers including [10, 19, 22].

2.4 Expected Multicollision in a Uniform Random Sample

Let \(S := (x_i)_{i \in I}\) be a tuple with elements from a set T. For any \(x \in T\), we define \(\textsf{mcoll}_x(S) = |\{i \in I: x_i = x \}|\) (the number of times x appears in the tuple). Finally, we define the multicollision of S as \(\textsf{mcoll}(S) := \max _{x \in T} \textsf{mcoll}_x(S)\). In this section, we revisit some multicollision results discussed in [9].

For \(N \ge 4,\ n= \log _2 N\), we define

$$\textsf{mcoll}(q, N) = {\left\{ \begin{array}{ll} 3 &{} \textit{ if } 4\le q \le \sqrt{N}\\ \frac{4\log _2 q}{\log _2\log _2 q} &{} \textit{ if } \sqrt{N} < q \le N\\ 5n \left\lceil \frac{q}{nN} \right\rceil &{} \textit{ if } N < q.\\ \end{array}\right. } $$

Lemma 1

[9] Let \(\mathcal {D}\) be a set of size \(N \ge 4\), \(n= \log _2 N\). Given random variables \(\textsf{X}_1, \ldots , \textsf{X}_q {\mathop {\leftarrow }\limits ^{\$}}\mathcal {D}\), we have \({\mathbb {E}_{ }\left[ \textsf{mcoll}(\textsf{X}_1, \ldots , \textsf{X}_q)\right] } \le \textsf{mcoll}(q, N)\).

Remark 2

Bounds similar to those in Lemma 1 above can be achieved in the case of non-uniform sampling. Let \(\textsf{Y}_1, \ldots , \textsf{Y}_q {\mathop {\leftarrow }\limits ^{\textsf {wor}}}\{0,1\}^b\) and define \( X_i:=\lceil Y_i\rceil _r\) for some \(r < b\). If we take \(N=2^r\) for this truncated random sampling, then we obtain the same result as above for multicollisions among \(\textsf{X}_1, \ldots , \textsf{X}_q\).

We also have the following general result:

Lemma 2 (general multicollision bound)

Let \(\mathscr {A}\) be an adversary which makes queries to a b-bit random permutation \(\mathsf {\Pi }^{\pm }\) and to a \(\tau \)-bit to \(\tau \)-bit random function \(\mathsf {\Gamma }\). Let \((\textsf{X}_1, \textsf{Y}_1), \ldots , (\textsf{X}_{q_1}, \textsf{Y}_{q_1})\) and \((\textsf{X}_{q_1+1}, \textsf{Y}_{q_1+1}), \ldots , (\textsf{X}_{q_1+q_2}, \textsf{Y}_{q_1+q_2})\) be the input-output tuples corresponding to \(\mathsf {\Pi }\) and \(\mathsf {\Gamma }\) respectively, obtained by \(\mathscr {A}\). Let \(q := q_1 + q_2 \le 2^b\) and \(\textsf{Z}_i := trunc_{\tau } (\textsf{X}_i) \oplus trunc_{\tau }(\textsf{Y}_i)\) for \(i \in [q_1]\) and \(\textsf{Z}_i := (\textsf{X}_i \oplus \textsf{Y}_i)\) for \(i \in [q_1+1,q]\), where \(trunc_{\tau }\) represents some \(\tau \)-bit truncation. For \(\tau \ge 2\),

$${\mathbb {E}_{ }\left[ \textsf{mcoll}(\textsf{Z}^q)\right] } \le \textsf{mcoll}(q, 2^{\tau }).$$
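As an added example (not from the paper), the Python code below implements the definition of \(\textsf{mcoll}(S)\), the piecewise function \(\textsf{mcoll}(q, N)\) of this section, and a small simulation of the two sampling regimes the bound is applied to: uniform sampling (Lemma 1) and truncation of without-replacement samples (Remark 2). The function names, the toy sizes and the random seeds are this example's own.

```python
import math
import random
from collections import Counter


def mcoll(S):
    """mcoll(S) = max_x mcoll_x(S): the largest multiplicity of any value in S."""
    return max(Counter(S).values()) if S else 0


def mcoll_bound(q, N):
    """The piecewise function mcoll(q, N) of Sect. 2.4, for N >= 4 and q >= 4."""
    n = math.log2(N)
    if q <= math.sqrt(N):
        return 3
    if q <= N:
        return 4 * math.log2(q) / math.log2(math.log2(q))
    return 5 * n * math.ceil(q / (n * N))


def mean_mcoll_uniform(q, N, trials, rng):
    """Empirical E[mcoll(X_1, ..., X_q)] for X_i <-$ a set of size N (Lemma 1)."""
    total = sum(mcoll([rng.randrange(N) for _ in range(q)]) for _ in range(trials))
    return total / trials


def mean_mcoll_truncated(q, b, r, trials, rng):
    """Remark 2: Y_i <-wor {0,1}^b and X_i = ceil(Y_i)_r; compare with mcoll(q, 2^r)."""
    total = 0
    for _ in range(trials):
        ys = rng.sample(range(1 << b), q)             # without-replacement sampling
        total += mcoll([y >> (b - r) for y in ys])    # keep the r most significant bits
    return total / trials


if __name__ == "__main__":
    rng = random.Random(7)
    print(mean_mcoll_uniform(16, 256, 300, rng), mcoll_bound(16, 256))
    print(mean_mcoll_truncated(16, 12, 8, 300, rng), mcoll_bound(16, 256))
```

The simulation is only a sanity check of the shape of the bound at toy sizes; the lemma itself is what the proof relies on.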

3 Function Graph Structures

3.1 Partial Function Graph

A partial function \(\mathcal {L}: \{0,1\}^b \dashrightarrow \{0,1\}^c\) is a subset \(\mathcal {L}= \{(p_1,q_1),\dots ,(p_t,q_t)\}\subseteq \{0,1\}^b\times \{0,1\}^c\) with distinct \(p_i\) values. We call it an injective partial function if the \(q_i\) values are also distinct. We define

$$\textsf{domain}(\mathcal {L}) = \{p_i: i \in [t]\}, ~~~ \textsf{range}(\mathcal {L}) = \{q_i: i \in [t]\}.$$

We write \(\mathcal {L}(p_i) = q_i\) and for all \(p \not \in \textsf{domain}(\mathcal {L})\), \(\mathcal {L}(p) = \bot \) (a special symbol to mean that the value is undefined). For \(f: \{0,1\}^b \dashrightarrow \{0,1\}^b\), \(c \in [b-1]\), we define \(\lfloor f \rfloor _c : \{0,1\}^b \dashrightarrow \{0,1\}^c \) such that \(\lfloor f \rfloor _c(x) = \lfloor f(x) \rfloor _c\) whenever \(f(x) \ne \bot \).

Definition 2

Let \(\mathcal {L}: \{0,1\}^b \dashrightarrow \{0,1\}^c\) for \(r := b - c > 0\). We associate a labeled directed graph \(G := G^\mathcal {L}\), called (labeled) partial function graph, over the set of vertices

$$V := \lfloor \textsf{domain}(\mathcal {L}) \rfloor _c ~\cup ~ \textsf{range}(\mathcal {L}) \subseteq \{0,1\}^c$$

with the label set \(\{0,1\}^r\) and the following labeled edge set

$$\begin{aligned} E(G):= \{u{\mathop {\longrightarrow }\limits ^{x}}v~|~ \mathcal {L}(x \Vert u) = v\}. \end{aligned}$$

We call it (labeled) function graph if \(\mathcal {L}\) is known to be a function.

We write a walk

$$\begin{aligned} u_0{\mathop {\longrightarrow }\limits ^{x_1}}u_1{\mathop {\longrightarrow }\limits ^{x_2}}\cdots {\mathop {\longrightarrow }\limits ^{x_{l-1}}}u_{l-1}{\mathop {\longrightarrow }\limits ^{x_l}}u_l \end{aligned}$$

simply as \(u_0{\mathop {\longrightarrow }\limits ^{x^l}}u_l\). It is easy to see that if \(u {\mathop {\longrightarrow }\limits ^{x}} v_1\) and \(u {\mathop {\longrightarrow }\limits ^{x}} v_2\) then \(v_1 = v_2\) (this follows from the fact that \(\mathcal {L}\) is a partial function).

3.2 Sampling Process of a Labeled Walk

Let \(f: \{0,1\}^b \dashrightarrow \{0,1\}^b\), \(x = x^k\) be a k-tuple label, \(k \ge 0\), and \(z_0 \in \{0,1\}^c\). We now describe a process that extends the partial function f to \(f'\) so that there is a walk

$$\begin{aligned} z_0 {\mathop {\longrightarrow }\limits ^{x_1}} z_1 {\mathop {\longrightarrow }\limits ^{x_2}} \cdots {\mathop {\longrightarrow }\limits ^{x_k}} z_k \end{aligned}$$

in the graph \(G^{\lfloor f \rfloor _c}\). The process we define below is denoted as

$$\textsf {Rand\_Extn}^f(z_0, x^k),$$

which randomly extends the elements of the partial function f whenever required to complete the walk.

\(\underline{\textsf {Rand\_Extn}^f(z_0, x^k)}\):

Initialize \(f' = f\).

For \(j = 1\) to k:

  1. \(v_j = f'(x_j, z_{j-1})\).

  2. If \(v_j = \bot \) then

     • \(v_j {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^b\) and

     • \(f' \leftarrow f' \cup \{ (x_j \Vert z_{j-1}, v_j)\}\)

  3. \(z_j = \lfloor v_j \rfloor _c\).

The described process provides a clear and effective method for successfully completing a labeled walk. It operates based on a simple rule: when the current value falls within the defined domain, we utilize the corresponding output to progress further in the walk. In cases where the current value is outside the domain, we employ a random sampling approach to determine the next output. This ensures the completion of the walk.

3.3 Partial XOR-Function Graph

Now, consider a partial function \(\mathcal {P}: \{0,1\}^b \dashrightarrow \{0,1\}^b\) and \(r \in [b-1]\). We define a new partial function \(\mathcal {P}^{\oplus }: \{0,1\}^b \times \{0,1\}^r \dashrightarrow \{0,1\}^b\) as follows. Let \(u = u' \Vert u''\) where \(u' \in \{0,1\}^r\). Now,

$$\begin{aligned} \mathcal {P}^{\oplus }(u, x) = \mathcal {P}(( u' \oplus x) \Vert u''). \end{aligned}$$

Note that the above may not be defined, in which case we define the output to be \(\bot \) as before. We similarly define the partial function graph \(G^{\oplus } := G^{\mathcal {P}^{\oplus }}\) with labeled edges denoted as \(u {\mathop {\longrightarrow }\limits ^{x}}_{\oplus } v\) (whenever \(\mathcal {P}^{\oplus }(u, x) = v\)). A walk

$$\begin{aligned} u_0 {\mathop {\longrightarrow }\limits ^{x_1}}_{\oplus } u_1 {\mathop {\longrightarrow }\limits ^{x_2}}_{\oplus } \cdots {\mathop {\longrightarrow }\limits ^{x_{l-1}}}_{\oplus } u_{l-1} {\mathop {\longrightarrow }\limits ^{x_l}}_{\oplus } u_l \end{aligned}$$

is denoted as \(u_0{\mathop {\longrightarrow }\limits ^{x^l}}_{\oplus } u_l\). Similar to the \(\textsf {Rand\_Extn}^f\) algorithm, we now define a randomized extension algorithm for \(\mathcal {P}^{\oplus }\), denoted as \(\textsf {xorRand\_Extn}^{\mathcal {P}}(v_0, x^k)\), with \(v_0 \in \{0,1\}^b\) and \(x_i \in \{0,1\}^r\).

\(\underline{\textsf {xorRand\_Extn}^{\mathcal {P}}(v_0, x^k)}\):

Initialize \(\mathcal {P}' = \mathcal {P}\).

For \(j = 1\) to k:

  1. \(v_j = \mathcal {P}'(v_{j-1} \oplus (x_j \Vert 0^c))\).

  2. If \(v_j = \bot \) then

     • \(v_j {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^b\) and

     • \(\mathcal {P}' \leftarrow \mathcal {P}' \cup \{ (v_{j-1} \oplus (x_j \Vert 0^c), v_j)\}\)

After this process, we obtain a modified partial function \(\mathcal {P}' : \{0,1\}^b \dashrightarrow \{0,1\}^b\) for which we have the following walk:

$$\begin{aligned} v_0 {\mathop {\longrightarrow }\limits ^{x_1}}_{\oplus } v_1 {\mathop {\longrightarrow }\limits ^{x_2}}_{\oplus } \cdots {\mathop {\longrightarrow }\limits ^{x_{k-1}}}_{\oplus } v_{k-1} {\mathop {\longrightarrow }\limits ^{x_k}}_{\oplus } v_k \end{aligned}$$
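As an added example (not code from the paper), both sampling processes of Sect. 3.2 and Sect. 3.3 are given below in Python. Partial functions are stored as dicts from b-bit ints to b-bit ints, labels and capacity parts are ints, and the concatenation \(x_j \Vert z_{j-1}\) is realized as \((x_j \ll c) \mid z_{j-1}\); the names rand_extn, xor_rand_extn, is_walk and is_xor_walk are this example's own. Each process samples only at inputs outside the current domain (lazy sampling), which is what lets the proof extend \(f\) or \(\mathcal{P}\) one query at a time.

```python
import random


def floor_c(v, c):
    """floor(v)_c: the c least significant bits of a b-bit value."""
    return v & ((1 << c) - 1)


def rand_extn(f, z0, labels, b, c, rng=random):
    """Rand_Extn^f(z_0, x^k) of Sect. 3.2. f is a partial function
    {0,1}^b -> {0,1}^b stored as a dict; r-bit labels x_j and c-bit nodes z_j
    are ints, and x_j || z_{j-1} is the key (x_j << c) | z_{j-1}.
    Returns (f', [z_0, ..., z_k])."""
    f2 = dict(f)                       # f' starts as a copy of f
    z = [z0]
    for x in labels:
        u = (x << c) | z[-1]           # x_j || z_{j-1}
        v = f2.get(u)
        if v is None:                  # f'(x_j, z_{j-1}) = bottom: sample and extend
            v = rng.getrandbits(b)     # v_j <-$ {0,1}^b
            f2[u] = v
        z.append(floor_c(v, c))        # z_j = floor(v_j)_c
    return f2, z


def xor_rand_extn(P, v0, labels, b, c, rng=random):
    """xorRand_Extn^P(v_0, x^k) of Sect. 3.3: the next input is
    v_{j-1} xor (x_j || 0^c), i.e. the label is XORed into the rate part.
    Returns (P', [v_0, ..., v_k])."""
    P2 = dict(P)
    v = [v0]
    for x in labels:
        u = v[-1] ^ (x << c)           # v_{j-1} xor (x_j || 0^c)
        w = P2.get(u)
        if w is None:
            w = rng.getrandbits(b)     # v_j <-$ {0,1}^b
            P2[u] = w
        v.append(w)
    return P2, v


def is_walk(f2, z, labels, c):
    """Check that z_0 -x_1-> z_1 ... -x_k-> z_k is a walk in G^{floor(f')_c}."""
    return all(floor_c(f2[(x << c) | z[j]], c) == z[j + 1]
               for j, x in enumerate(labels))


def is_xor_walk(P2, v, labels, c):
    """Check that v_0 -x_1->_xor v_1 ... -x_k->_xor v_k is a walk in G^{P'^xor}."""
    return all(P2[v[j] ^ (x << c)] == v[j + 1] for j, x in enumerate(labels))
```

With b = 8 and c = 5 (constructed toy sizes), an entry already present in f is reused unchanged, while a label whose input is outside the domain causes exactly one new entry to be added.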

4 Ascon AEAD

In this section, we define the Ascon AEAD [13] construction. Note that the Ascon AEAD is a simple variation of the Duplex construction. Let b denote the state size of the underlying permutation \(\mathsf {\Pi }\) and \(0 < r < b\) be the number of bits of associated data/message processed per permutation call. We call r the rate of the Ascon construction, and \(c=b-r\) is called the capacity. Let \(\kappa ,\nu ,\tau \) denote the key size, nonce size, and tag size respectively such that

  • \(\tau \le \kappa \le c\),

  • \(\kappa + \nu \le b\),

  • \(\kappa + r\le b\).

We fix an \(IV \in \{0,1\}^{b - \kappa - \nu }\). The AEAD uses a permutation \(\pi \) (the Ascon permutation), which is modeled as a random permutation in our security analysis.

Encryption Algorithm. It receives an input of the form \((N, A, M) \in \{0,1\}^{\nu } \times \{0,1\}^* \times \{0,1\}^*\) and a key \(K \in \{0,1\}^{\kappa }\). Broadly we divide the encryption algorithm into three phases: (i) initialization, (ii) associated data and message processing, and (iii) tag generation, run sequentially.

Initialization. In this phase, we first apply the following function

$$\textsc {Init}^{\pi }(K, N) = \pi ( IV \Vert K \Vert N) \oplus (0^{b - \kappa } \Vert K) := V_0.$$

Before we process associated data and messages, we first parse them:

$$\begin{aligned} (A_1, \ldots , A_a) {\mathop {\leftarrow }\limits ^{r}} \textsf{pad}_1(A), (M_1, \ldots , M_m) {\mathop {\leftarrow }\limits ^{r}} \textsf{pad}_2(M). \end{aligned}$$

Note that a can be zero, in which case A is parsed as the empty string; but \(m \ge 1\) always.

Associated Data and Message Processing. Using the XOR-function graph corresponding to the function \(\pi ^\oplus \), we obtain a walk

$$\begin{aligned} V_0 {\mathop {\longrightarrow }\limits ^{A_1}}_{\oplus } V_1 {\mathop {\longrightarrow }\limits ^{A_2}}_{\oplus } \cdots {\mathop {\longrightarrow }\limits ^{A_a}}_{\oplus } V_a, ~~V_a \oplus 0^*1 {\mathop {\longrightarrow }\limits ^{M_1}}_{\oplus } V_{a+1} \cdots {\mathop {\longrightarrow }\limits ^{M_{m-1}}}_{\oplus } V_{a+m-1}. \end{aligned}$$

We define the ciphertext as follows:

$$C_i = \lceil V_{a+i-1} \rceil _r \oplus M_i,~~ \forall i \in [m],~~~ C = \lceil C_1 \Vert \cdots \Vert C_m \rceil _{|M|}.$$

We denote the above process as

$$\textsf {AM\_Proc}^{\pi }(V_0, A, M) \rightarrow \big (C, F := V_{t-1} \oplus (M_m \Vert 0^r) \big ).$$

Tag Generation. Finally, we compute

$$T := \textsc {Tag}^{\pi }(K, F) = \lfloor \pi \big (F \oplus (0^r \Vert K \Vert 0^{c- \kappa })\big ) \rfloor _{\tau } \oplus \lfloor K \rfloor _{\tau }$$

The \(\textsc {Ascon} \) AEAD returns \((C, T)\).

Remark 3

The Ascon construction uses two different permutations, \(p^a\) and \(p^b\), where a and b indicate the specific rounds used for the underlying permutation p (called the Ascon permutation). In the Ascon implementation, \(p^a\) is employed during the initialization phase and for tag generation and verification. On the other hand, \(p^b\) is utilized for processing associated data, messages, and ciphertext. For instance, in the Ascon-128 construction, a is set to 12, while b is set to 6.

When modeling Ascon in the random permutation model, there are two options: either using the same permutation \(\pi = p^a = p^b\), or utilizing independent permutations \(\pi _1\) and \(\pi _2\). Our analysis focuses on the assumption that the permutations are the same, which is generally more challenging to prove compared to assuming independent random permutations. A similar analysis (with bounds of the same order) can be made for the independent random permutation model.

Verification Algorithm. The decryption algorithm performs a verification process to check the ciphertext and tag pair. If the verification succeeds, the algorithm proceeds to compute the corresponding message. The details of message computation are omitted in this analysis; readers can refer to [13] for a comprehensive description. Our focus lies primarily on the verification process itself rather than on the specific steps of message computation. On receiving an input of the form \((N, A, C, T) \in \{0,1\}^{\nu } \times \{0,1\}^* \times \{0,1\}^* \times \{0,1\}^{\tau }\) and a key \(K \in \{0,1\}^{\kappa }\), the steps of the verification process are outlined below:

  1. \((A_1, \ldots , A_a) {\mathop {\leftarrow }\limits ^{r}} \textsf{pad}_1(A)\) and \((C_1, \ldots , C_l) {\mathop {\leftarrow }\limits ^{r}} \textsf{pad}_2(C)\).

  2. Compute \(V_0 := \textsc {Init}^{\pi }(K, N)\).

  3. Compute the walk for the permutation \(\pi \):

     $$\begin{aligned} V_0 {\mathop {\longrightarrow }\limits ^{A_1}}_{\oplus } V_1 {\mathop {\longrightarrow }\limits ^{A_2}}_{\oplus } \cdots {\mathop {\longrightarrow }\limits ^{A_a}}_{\oplus } V_a \end{aligned}$$

  4. Let \(C_l = C'_l \Vert 10^*\) for some \(C'_l\) (possibly the empty string) with \(|C'_l| = d\). Let \(z_a = \lfloor V_a \rfloor _c\).

     • Case \(l = 1\): We define \(F = C'_l ~\Vert ~ (\lfloor V_a \rfloor _{b-d} \oplus 10^{*}1)\).

     • Case \(l \ge 2\): We compute

       $$\begin{aligned} z_a \oplus 0^{*}1 {\mathop {\longrightarrow }\limits ^{C_1}} z_{a+1} {\mathop {\longrightarrow }\limits ^{C_2}} \cdots {\mathop {\longrightarrow }\limits ^{C_{l-2}}} z_{a+l-2} \end{aligned}$$

       and define \(F = C'_l ~\Vert ~ (\lfloor \pi (C_{l-1} \Vert z_{a+l-2}) \rfloor _{b-d} \oplus 10^{*})\).

  5. Reject if \(T \ne \textsc {Tag}^{\pi }(K, F)\); otherwise accept.

Fig. 1. Encryption in Ascon AEAD. The final ciphertext is \(C= \lceil C_1\Vert \cdots \Vert C_m\rceil _{|M|} \). Here \(t:=a+m\), \(K_1=\lceil K\rceil _{\kappa - \tau }\), \(K_2=\lfloor K\rfloor _{\tau }\). The \(\textrm{Fanout}\) operation parses \(F=F_1\Vert F_2\Vert F_3\Vert F_4\) such that \(|F_1|=r\), \(|F_2|=\kappa -\tau \), \(|F_3|=\tau \) and \(|F_4|=c-\kappa \). It is easy to see that in the decryption protocol, the permutation input generated after processing \(C_1\) is simply \(C_{1}\Vert \lfloor V_{a}\oplus 0^{b-1}\Vert 1\rfloor _{b-r}\). Similarly, after the i-th ciphertext block is processed, where \(1<i\le m-1\), the permutation input is simply \(C_{i}\Vert \lfloor V_{a+i-1}\rfloor _{b-r}\). For processing the last block, the \(|C|-r(m-1)\) most significant bits of \(M_m\) are calculated using \(V_{t-1}\) and \(C_{m}\), and then \(\textsf{pad}_2\) is applied to determine the remaining bits of \(M_m\). Finally, this \(M_m\) is used in the same way as in the encryption protocol to generate F.
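The encryption walk, the tag computation and the verification algorithm above, implemented as an added example (not code from the paper or from the Ascon reference implementation) on a toy parameter set (b = 64, r = c = κ = τ = 32, ν = 16, a constructed 16-bit IV) with a constructed Feistel bijection standing in for the Ascon permutation p; \(\textsc{Init}\) follows the definition \(V_0 = \pi(IV \Vert K \Vert N) \oplus (0^{b-\kappa} \Vert K)\) used in Sect. 5. It shows that decryption recomputes the same F from (A, C) alone, as the Fig. 1 caption describes, and that a modified ciphertext, tag or associated data is rejected.

```python
import hashlib

# Toy parameters for this added example (not Ascon's real sizes): state b = 64,
# rate r = 32, capacity c = 32, key kappa = 32, tag tau = 32, nonce nu = 16.
B, R, C, KAPPA, TAU, NU = 64, 32, 32, 32, 32, 16
IV = 0xA5A5                      # constructed 16-bit IV; |IV| = b - kappa - nu
RATE_BYTES = R // 8
MASK_C = (1 << C) - 1
MASK_TAU = (1 << TAU) - 1


def _round_fn(x: int, rnd: int) -> int:
    """Constructed 32-bit Feistel round function; any function keeps the Feistel network a bijection."""
    digest = hashlib.sha256(b"toy-pi" + bytes([rnd]) + x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def pi(state: int) -> int:
    """Stand-in for the Ascon permutation p: a 6-round Feistel network on the 64-bit state."""
    left, right = state >> 32, state & 0xFFFFFFFF
    for rnd in range(6):
        left, right = right, left ^ _round_fn(right, rnd)
    return (left << 32) | right


def pad_blocks(data: bytes) -> list:
    """10* padding, then split into r-bit blocks (pad_2; also pad_1 for non-empty A)."""
    padded = data + b"\x80" + b"\x00" * ((-len(data) - 1) % RATE_BYTES)
    return [int.from_bytes(padded[i:i + RATE_BYTES], "big")
            for i in range(0, len(padded), RATE_BYTES)]


def init(key: int, nonce: int) -> int:
    """V_0 := Init^pi(K, N) = pi(IV || K || N) xor (0^{b-kappa} || K)."""
    return pi((IV << (KAPPA + NU)) | (key << NU) | nonce) ^ key


def absorb_ad(v0: int, ad: bytes) -> int:
    """Walk V_0 -> ... -> V_a over pad_1(A) (a = 0 for empty A); return V_a xor 0^*1."""
    v = v0
    for a_blk in (pad_blocks(ad) if ad else []):
        v = pi(v ^ (a_blk << C))      # input U_j = V_{j-1} xor (A_j || 0^c)
    return v ^ 1                      # domain separation bit at the end of the state


def tag(key: int, f: int) -> int:
    """T := floor(pi(F xor (0^r || K || 0^{c-kappa})))_tau xor floor(K)_tau."""
    return (pi(f ^ (key << (C - KAPPA))) & MASK_TAU) ^ (key & MASK_TAU)


def am_proc(v_a: int, msg: bytes):
    """AM_Proc: message walk starting at V_a xor 0^*1; returns (C, F = V_{t-1} xor (M_m || 0^c))."""
    blocks = pad_blocks(msg)
    w, c_blocks = v_a, []
    for idx, m_blk in enumerate(blocks):
        c_blocks.append((w >> C) ^ m_blk)  # C_i = ceil(V_{a+i-1})_r xor M_i
        f = w ^ (m_blk << C)               # permutation input; for the last block this is F
        if idx < len(blocks) - 1:
            w = pi(f)
    ct = b"".join(c.to_bytes(RATE_BYTES, "big") for c in c_blocks)[:len(msg)]
    return ct, f


def encrypt(key: int, nonce: int, ad: bytes, msg: bytes):
    ct, f = am_proc(absorb_ad(init(key, nonce), ad), msg)
    return ct, tag(key, f)


def verify_walk(key: int, nonce: int, ad: bytes, ct: bytes):
    """Steps 1-4 of the verification algorithm: F' from (A, C). The message blocks
    are recovered alongside, as the Fig. 1 caption describes."""
    c_blocks = pad_blocks(ct)             # C_1, ..., C_l with C_l = C'_l || 10*
    d = 8 * (len(ct) % RATE_BYTES)        # d = |C'_l| in bits
    w, m_bytes = absorb_ad(init(key, nonce), ad), b""
    for c_blk in c_blocks[:-1]:           # z-walk: next input is C_i || floor(state)_c
        m_bytes += ((w >> C) ^ c_blk).to_bytes(RATE_BYTES, "big")
        w = pi((c_blk << C) | (w & MASK_C))
    last = c_blocks[-1]
    # F' = C'_l || (floor(W)_{b-d} xor 10^*): rate = C_l xor the low r-d rate bits of W, capacity = floor(W)_c
    f_rate = last ^ ((w >> C) & ((1 << (R - d)) - 1))
    m_bytes += ((w >> C) ^ last).to_bytes(RATE_BYTES, "big")
    return (f_rate << C) | (w & MASK_C), m_bytes[:len(ct)]


def verify_and_decrypt(key: int, nonce: int, ad: bytes, ct: bytes, t: int):
    """Step 5: reject unless T = Tag^pi(K, F'); only then release the message."""
    f, msg = verify_walk(key, nonce, ad, ct)
    return msg if tag(key, f) == t else None


if __name__ == "__main__":
    key, nonce = 0x01234567, 0x1A2B       # constructed sample key and nonce
    ct, t = encrypt(key, nonce, b"header", b"attack at dawn!")
    print(ct.hex(), hex(t))
    print(verify_and_decrypt(key, nonce, b"header", ct, t))
    print(verify_and_decrypt(key, nonce, b"header", ct, t ^ 1))   # None: rejected
```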

4.1 Security Bound of Ascon

Theorem 2 (Main Theorem)

Consider a nonce-respecting AEAD adversary \(\mathscr {A}\) making \(q_p\) permutation queries, \(q_e\) encryption queries with a total number of \(\sigma _e\) data blocks, and \(q_d\) decryption queries with a total number of \(\sigma _d\) data blocks. Define \(\sigma := \sigma _e+\sigma _d\). Then, we can upper bound the AEAD advantage of \(\mathscr {A}\) against Ascon as follows:

$$\begin{aligned} \textbf{Adv}^{\textrm{AEAD}}_{\textsc {Ascon}}(\mathscr {A}) \le & ~\frac{2q_d}{2^{\tau }} + \frac{\sigma ^2_e}{2^b} + \frac{\sigma _d(q_p + \sigma _d)}{2^b} + \frac{\textsf{mcoll}(\sigma _e, 2^r) (\sigma _d + q_p)}{2^c} \\ & + \frac{q_p + \sigma }{2^{\kappa }} + \frac{\textsf{mcoll}(q_e, 2^{\tau }) q_d}{2^c} + \frac{q_e q_d + (q_e + q_d)(\sigma + q_p)}{2^b} \\ & + \frac{\textsf{mcoll}(\sigma +q_p, 2^{\tau }) q_d}{2^\kappa }. \end{aligned}$$

4.2 Interpretation of Theorem 2

We interpret our bound in light of the requirements proposed by NIST for the LwC competition, and the choices of the parameters, namely rate (and hence capacity) and tag size. Ascon operates with a state size (size of the permutation) \(b=320\) bits. We assume \(q_p \le 2^{112}\) and \(r\sigma \le 2^{53}\) as prescribed by NIST.

We give upper bounds to \(\textsf{mcoll}(\sigma _e,2^r)\), \(\textsf{mcoll}(q_e, 2^\tau )\) and \(\textsf{mcoll}(\sigma + q_p, 2^\tau )\), depending on the choice of r and \(\tau \).

First, from the definition of \(\textsf{mcoll}(q,N)\), we have

$$\textsf{mcoll}(\sigma _e,2^r) \le 3 ~~\forall r \ge 128.$$

Now, we fix two choices for the tag size \(\tau \): 64 bits (the minimum tag size required by NIST) and 128 bits (the tag size recommended by the designers of Ascon). Again, from the definition of \(\textsf{mcoll}(q,N)\), we have

  • For \(\tau = 64\):

    $$\textsf{mcoll}(q_e, 2^\tau ) \le \frac{4\log _2 \sigma }{\log _2\log _2 \sigma } < 40, \quad \text {and} \quad \textsf{mcoll}(\sigma + q_p, 2^\tau ) \le \frac{5(q_p+\sigma )}{2^\tau }.$$

    Here we assume \(q_p \gg 2^{\tau }\).

  • For \(\tau = 128\):

    $$\textsf{mcoll}(q_e, 2^\tau ) \le 3, \quad \text {and} \quad \textsf{mcoll}(\sigma + q_p, 2^\tau ) \le \frac{4\log _2 (q_p + \sigma )}{\log _2\log _2 (q_p + \sigma )} < 75. $$

So, if \(r \ge 128, \tau = 64\), we have

$$\begin{aligned} \textbf{Adv}^{\textrm{AEAD}}_{\textsc {Ascon}}(\mathscr {A}) &\le \frac{2q_d}{2^{\tau }} + \frac{\sigma ^2_e}{2^b} + \frac{\sigma _d(q_p + \sigma _d)}{2^b} + \frac{3 (\sigma _d + q_p)}{2^c} + \frac{40 q_d}{2^c} \\ {} &\quad + \frac{q_p + \sigma }{2^{\kappa }} + \frac{q_e q_d + (q_e + q_d)(\sigma + q_p)}{2^b} + \frac{5(q_p + \sigma _e) q_d}{2^{\kappa +\tau }} \\ & = O(\frac{q_d}{2^{\tau }}) + O(\frac{\sigma q_p}{2^{b}}) + O(\frac{q_p}{2^{\kappa }}) + O(\frac{q_p}{2^{c}}) \end{aligned}$$

(assuming \(\sigma \le q_p\)).

If \(r \ge 128, \tau = 128\), we have

$$\begin{aligned} \textbf{Adv}^{\textrm{AEAD}}_{\textsc {Ascon}}(\mathscr {A}) &\le \frac{2q_d}{2^{\tau }} + \frac{\sigma ^2_e}{2^b} + \frac{\sigma _d(q_p + \sigma _d)}{2^b} + \frac{3 (\sigma _d + q_p)}{2^c} + \frac{3 q_d}{2^c}\\ &\quad + \frac{q_p + \sigma }{2^{\kappa }} + \frac{q_e q_d + (q_e + q_d)(\sigma + q_p)}{2^b} + \frac{75 q_d}{2^\kappa }\\ & = O(\frac{q_d}{2^{\tau }}) + O(\frac{\sigma q_p}{2^{b}}) + O(\frac{q_p}{2^{\kappa }}) + O(\frac{q_p}{2^{c}}). \end{aligned}$$

Thus, in terms of order, a tag size of 64 bits yields the same security as a tag size of 128 bits. Given that the key size \(\kappa \) is at least 128 bits (required by NIST), we can see that Ascon is secure even when \(c = 128\) (implying \(r = 192\)), and \(\tau = 64\).

Remark 4

Our assumption \(\kappa \le c\) is only for the sake of simplicity as this implies the key is always xor-ed in the capacity part. However, it can be easily verified that the analysis remains the same even when \(\kappa > c\).

5 Proof of Theorem 2

5.1 Description of the Real World

In the real world, a key \(K {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{\kappa }\) and a random permutation \(\mathsf {\Pi }\) are sampled. All queries are then responded to honestly following Ascon AEAD as defined above (including direct primitive queries to \(\mathsf {\Pi }\)). A transcript in the real world would be of the form

$$\varTheta _{\textrm{re, on}} = \big ((\textsf{N}_i, \textsf{A}_i, \textsf{M}_i, \textsf{C}_i, \textsf{T}_i)_{i \in [q_e]},~ (\textsf{N}'_i, \textsf{A}'_i, \textsf{C}'_i, \textsf{T}'_i, \textsf{M}'_i)_{i \in [q_d]},~~ \textsf{P}\big ) $$

where \(\textsf{P}\) represents the query responses for primitive queries (represented in terms of the partial function for \(\mathsf {\Pi }\)). When the i-th decryption query is rejected we write \(M'_i = \textsf {rej}\) (we keep this as one of the necessary conditions for a good transcript in the ideal world). After all queries have been made, all input-output pairs of \(\mathsf {\Pi }\) used in the encryption and decryption queries are included in the offline transcript. Let \(\textsf{P}_\textsf {fin} \) denote the resulting extended partial function; clearly, all encryption and decryption queries are determined by \(\textsf{P}_\textsf {fin} \). Note that the key K is also determined from the domain of \(\textsf{P}_\textsf {fin} \). It is implicitly understood that the domain and range elements of \(\textsf{P}_\textsf {fin} \) are given in the order in which the underlying permutation is executed to compute all encryption and decryption queries. Let

$$\varTheta _{\textrm{re}} = \big ((\textsf{N}_i, \textsf{A}_i, \textsf{M}_i, \textsf{C}_i, \textsf{T}_i)_{i \in [q_e]},~ (\textsf{N}'_i, \textsf{A}'_i, \textsf{C}'_i, \textsf{T}'_i, \textsf{M}'_i)_{i \in [q_d]},~~ \textsf{P}_\textsf {fin} \big ) $$

denote the extended real world transcript. For any real world realizable transcript \(\theta = \big ((N_i, A_i, M_i, C_i, T_i)_{i \in [q_e]},~ (N'_i, A'_i, C'_i, T'_i, M'_i)_{i \in [q_d]},~~ P_\textsf {fin} \big )\),

$$\Pr (\varTheta _{\textrm{re}} = \theta ) = \Pr (P_\textsf {fin} \subseteq \mathsf {\Pi }) = 1/(2^b)_{|P_\textsf {fin} |}$$

5.2 Description of the Ideal World

Now we describe how the ideal oracle behaves with the adversary \(\mathscr {A}\). This description consists of two primary phases: (i) the online phase, which encompasses the actual interaction between the adversary and the ideal oracle, and (ii) the offline phase, which occurs after the online phase and involves the ideal oracle sampling intermediate variables to ensure compatibility with the Ascon construction.

The offline phase is further segmented into several stages, each dependent on events defined over the preceding stages. In the event of a bad event occurring at any stage, the ideal oracle has the option to either abort or exhibit arbitrary behavior. To effectively analyze the situation, we aim to establish an upper bound on the probability of all such bad events. Consequently, at any given stage, we assume that all prior bad events have not occurred. To simplify notation, we utilize the same notations for the transcripts in both the real and ideal worlds.

The adversary can make three types of queries in an interleaved manner without any repetition: (i) encryption queries, (ii) decryption queries, and (iii) primitive queries.

  • On the i-th Encryption Query \((\textsf{N}_i,\textsf{A}_i,\textsf{M}_i)\), \(\forall i \in [q_e]\), respond randomly:

    $$\textsf{C}_i {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{|\textsf{M}_i|}, ~\textsf{T}_i {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{\tau }, ~~\textsf {return} (\textsf{C}_i, \textsf{T}_i).$$

  • On the i-th Decryption Query \((\textsf{N}'_i,\textsf{A}'_i, \textsf{C}'_i, \textsf{T}'_i)\), \(i \in [q_d]\), reject straightaway: the ideal oracle returns \(\textsf {rej}\) for all decryption queries (here we assume that the adversary does not make any decryption query that is obtained from a previous encryption query).

  • On the i-th Primitive Query \((\textsf{Q}_i, \textsf{dir}_i) \in \{0,1\}^{b} \times \{+1, -1\}\), \(i \in [q_p]\), respond honestly: We maintain a list \(\textsf{P}\) of responses to primitive queries, representing the partial (injective) function of a random permutation \(\mathsf {\Pi }\). Initially, \(\textsf{P} = \emptyset \).

    1. If \(\textsf{dir}_i = +1\), we set \(\textsf{U}_i = \textsf{Q}_i\). Let \(\textsf{V}_i {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^b \setminus \textsf{range}(\textsf{P})\), \(\textsf{P}\leftarrow \textsf{P} \cup \{(\textsf{U}_i, \textsf{V}_i)\}\), return \(\textsf{V}_i\).

    2. If \(\textsf{dir}_i = -1\), we set \(\textsf{V}_i = \textsf{Q}_i\). Let \(\textsf{U}_i {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^b \setminus \textsf{domain}(\textsf{P})\), \(\textsf{P} \leftarrow \textsf{P} \cup \{(\textsf{U}_i, \textsf{V}_i)\}\), return \(\textsf{U}_i\).

After all queries have been made we denote the online transcript (visible to the adversary) as

$$\varTheta _{\textrm{id, on}} = \big ((\textsf{N}_i, \textsf{A}_i, \textsf{M}_i, \textsf{C}_i, \textsf{T}_i)_{i \in [q_e]},~ (\textsf{N}'_i, \textsf{A}'_i, \textsf{C}'_i, \textsf{T}'_i, \textsf {rej})_{i \in [q_d]},~ \textsf{P} \big ) $$

Bad Event. We set \(\textsf{bad}_1 = 1\), if

$$(\textsf{N}_i, \textsf{A}_i, \textsf{C}_i, \textsf{T}_i) = (\textsf{N}'_j, \textsf{A}'_j, \textsf{C}'_j, \textsf{T}'_j),~~~ i \in [q_e],~ j \in [q_d]$$

for which the encryption query is made later. It is important to note that the adversary is not allowed to make a decryption query that matches a previous encryption query. However, there is a possibility that a decryption query accidentally matches an encryption query made subsequently. This situation is referred to as a “bad event” and is of concern. Since the adversary has the capability to make nonce-respecting encryption queries only, we can establish an upper bound for the probability of \(\textsf{bad}_1\) as given in the Lemma below. Although the proof for this is omitted here, it can be straightforwardly derived from the description of the ideal world for encryption queries (by looking at the randomness of the tag values).

Lemma 3

\(\Pr (\textsf{bad}_1 =1) \le \displaystyle \frac{q_d}{2^{\tau }}\).

The offline phase is divided into three stages, performed sequentially: (i) setting internal states of encryption queries, (ii) setting internal states of decryption queries, and (iii) sampling a key and verifying compatibility with the online phase.

First, we set the input-output pairs for all permutations used in processing associated data and message part of each encryption query. For \(i \in [q_e]\) (i.e., for i-th encryption query) we perform the following:

  1. We first parse all data we have in the online transcript:

     $$\begin{aligned} (\textsf{A}_{i,1}, \ldots , \textsf{A}_{i, a_i}) & {\mathop {\leftarrow }\limits ^{r}} \textsf{pad}_1(\textsf{A}_i) \\ (\textsf{M}_{i,1}, \ldots , \textsf{M}_{i, m_i}) & {\mathop {\leftarrow }\limits ^{r}}_* \textsf{M}_i \\ (\textsf{C}_{i,1}, \ldots , \textsf{C}_{i, m_i}) & {\mathop {\leftarrow }\limits ^{r}}_* \textsf{C}_i \end{aligned}$$

  2. Let \(t_i = a_i+ m_i\), \(d_i = |\textsf{M}_{i, m_i}| = |\textsf{C}_{i, m_i}|\). We now sample

     $$\begin{aligned} \textsf{V}_{i,0}, \ldots , \textsf{V}_{i,a_i-1} & {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{b} \\ \textsf{Z}_{i,a_i}, \ldots , \textsf{Z}_{i, t_i-1} & {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{c}, \delta ^*_{i} {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{r-d_i} \end{aligned}$$

     The values of \(\textsf{V}_{i,j}\) determine all inputs and outputs for associated data processing. Similarly, \(\textsf{C}_{i}, \textsf{Z}_{i,j}, \delta _i^*\) determine the inputs and outputs for message processing.

  3. We now set all inputs and outputs of the permutation used in associated data and message processing. Note that while \(a_i=0\) is possible, \(m_i \ge 1\). If \(a_i>0\), we define the following:

     • \(\textsf{U}_{i,j} = \textsf{V}_{i,j-1} \oplus (\textsf{A}_{i,j} \Vert 0^c)\), \(\forall j \in [a_i]\).

     • \(\textsf{V}_{i, a_i} = (\textsf{C}_{i, 1} \oplus \textsf{M}_{i,1}) \Vert \textsf{Z}_{i, a_i}\).

     If \(m_i \ge 2\):

     • \(\textsf{U}_{i, a_i+1} = \textsf{C}_{i,1} \Vert (\textsf{Z}_{i, a_i} \oplus 0^{c-1}1)\).

     • \(\textsf{U}_{i, a_i+j} = \textsf{C}_{i,j} \Vert \textsf{Z}_{i,a _i + j-1}\), \(2 \le j \le m_i-1\).

     • \(\textsf{V}_{i, a_i+j} = (\textsf{C}_{i,j+1} \oplus \textsf{M}_{i,j+1}) \Vert \textsf{Z}_{i,a _i + j}\), \(\forall j \in [m_i-2]\).

     • \(\textsf{V}_{i, t_i-1} = (\textsf{C}_{i,m_i} \oplus \textsf{M}_{i,m_i}) \Vert \delta _i^* \Vert \textsf{Z}_{i,t_i-1}\).

     • \(\textsf{F}_{i} = \textsf{C}_{i,m_i} \Vert \delta ^*_i \Vert \textsf{Z}_{i, t_i-1}\).

     Otherwise (\(m_i = 1\)):

     • \(\textsf{F}_{i} = \textsf{C}_{i,m_i} \Vert \delta ^*_i \Vert (\textsf{Z}_{i, a_i} \oplus 0^{c-1}1)\).

We define \(\textsf{P}_{\textsf {E}}\) to be the partial function mapping \(\textsf{U}_{i, j}\) to \(\textsf{V}_{i,j}\) for all \(i \in [q_e]\), \(j \in [t_i-1]\), provided all \(\textsf{U}_{i,j}\)’s are distinct. In this case, it is easy to see that

$$\begin{aligned} \textsf{V}_{i,0} {\mathop {\longrightarrow }\limits ^{\textsf{A}_{i,1}}}_{\oplus } \textsf{V}_{i,1} {\mathop {\longrightarrow }\limits ^{\textsf{A}_{i,2}}}_{\oplus } \cdots {\mathop {\longrightarrow }\limits ^{\textsf{A}_{i,a_i}}}_{\oplus } \textsf{V}_{i,a_i}; \textsf{V}_{i,a_i} \oplus 0^{b-1}1 {\mathop {\longrightarrow }\limits ^{\textsf{M}_{i,1}}}_{\oplus } \textsf{V}_{i,a_i + 1} \cdots {\mathop {\longrightarrow }\limits ^{\textsf{M}_{i,m_i-1}}}_{\oplus } \textsf{V}_{i,t_i-1}. \end{aligned}$$

Moreover, \(\textsf{P}_{\textsf {E}}\) would be an injective partial function if \(\textsf{V}_{i,j}\)’s are all distinct.

Bad Event: \(\textsf{P}_{\textsf {E}}\) is Not an Injective Partial Function.   We set

  1. \(\textsf{bad}_2 = 1\) if for some \((i,j) \ne (i', j')\), either \(\textsf{U}_{i,j} = \textsf{U}_{i', j'}\) or \(\textsf{V}_{i,j} = \textsf{V}_{i', j'}\),

  2. \(\textsf{bad}_3 = 1\) if for some \(i \ne i' \in [q_e]\), \(\textsf{F}_i = \textsf{F}_{i'}\) (if this happens then it would force \(\textsf{T}_i = \textsf{T}_{i'}\) to hold).

Lemma 4

\(\Pr (\textsf{bad}_2=1 \vee \textsf{bad}_3=1) \le \displaystyle \frac{\sigma ^2_e}{2^b}\).

Proof

The proof of the above statement is straightforward, as it is easy to see that the \(\textsf{V}_{i,j}\)’s are randomly sampled and the \(\textsf{U}_{i,j}\)’s are defined through a bijective mapping of the \(\textsf{V}_{i,j-1}\) values. The same applies to the \(\textsf{F}_i\) values. Given that we have at most \(\binom{\sigma _e}{2}\) choices for inputs and outputs, we get the above bound by simply using the union bound.    \(\square \)

Contingent on the condition that none of the aforementioned bad events occur, we would like to set the input-output pairs for all permutations used in associated data and ciphertext processing for all decryption queries. Here, we only use \(\textsf{P}\) to run the randomized extension. Later, we set a bad event if it is not disjoint (both from the domain and the range) with \(\textsf{P}_{\textsf {E}}\). This would ensure the compatibility of \(\textsf{P}_1 \sqcup \textsf{P}_{\textsf {E}}\) (where \(\textsf{P}_1\) is the randomized extension of \(\textsf{P}\)) and would also help later in upper bounding the forging probability of a decryption query. For \(i \in [q_d]\) (i.e., for the i-th decryption query) with \(t_i \ge 2\), we perform the following:

We first parse all data as we have done for encryption queries:

$$\begin{aligned} (\textsf{A}'_{i,1}, \ldots , \textsf{A}'_{i, a'_i}) & {\mathop {\leftarrow }\limits ^{r}} \textsf{pad}_1(\textsf{A}'_i) \\ (\textsf{C}'_{i,1}, \ldots , \textsf{C}'_{i, c_i}) & {\mathop {\leftarrow }\limits ^{r}}_* \textsf{C}'_i \end{aligned}$$

Let \(t'_i = a'_i+ c_i\), \(d'_i = |\textsf{C}'_{i,c_i}|\). Now, we define \(p_i\), which indicates the length of the longest common prefix between the i-th decryption query and an encryption query.

Definition of \(p_i\), \(i \in [q_d]\).  

  1. If there does not exist any \(j \in [q_e]\) such that \(\textsf{N}_j = \textsf{N}'_i\), we define \(p_i = -1\).

  2. Otherwise, there exists a unique j for which \(\textsf{N}_j = \textsf{N}'_i\) (since the adversary is nonce-respecting, every nonce in the encryption queries is distinct). Let \(p_i\) denote the length of the longest common prefix of

     • \((\textsf{A}'_{i,1}, \ldots , (\textsf{A}'_{i, a'_i}, *) , \textsf{C}'_{i,1}, \ldots , \textsf{C}'_{i, c_i})\) and

     • \((\textsf{A}_{j,1}, \ldots , (\textsf{A}_{j, a_j}, *), \textsf{C}_{j,1}, \ldots , \textsf{C}_{j, m_j})\).

     Here \(*\) is used to distinguish associated data blocks from ciphertext blocks.

Now, for each \(i \in [q_d]\), depending on the value of \(p_i\), we perform the following:

Associated Data and Ciphertext Processing  

  1. For \(i = 1\) to \(q_d\) with \(p_i = -1\):

     • \(\textsf{V}'_{i,0} {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^b\).

     • If \(a'_i>0\), run \(\textsf {xorRand\_Extn}^{P}(\textsf{V}'_{i,0}, (\textsf{A}'_{i,1}, \ldots , \textsf{A}'_{i,a'_i}))\) to obtain a walk

       $$\begin{aligned} \textsf{V}'_{i,0} {\mathop {\longrightarrow }\limits ^{\textsf{A}'_{i,1}}}_{\oplus } \textsf{V}'_{i,1} {\mathop {\longrightarrow }\limits ^{\textsf{A}'_{i,2}}}_{\oplus } \cdots {\mathop {\longrightarrow }\limits ^{\textsf{A}'_{i,a'_i}}}_{\oplus } \textsf{V}'_{i,a'_i}. \end{aligned}$$

     • If \(c_i>1\), run \(\textsf {Rand\_Extn}^{P}(\textsf{V}'_{i,a'_i} \oplus 0^*1, \textsf{C}'_{i,1}\Vert \dots \Vert \textsf{C}'_{i,c_i-1})\) to obtain a walk

       $$\begin{aligned} \textsf{V}'_{i,a'_i} \oplus 0^*1 {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,1}}} \textsf{V}'_{i,a'_i + 1} {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,2}}} \cdots {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,c_i-1}}} \textsf{V}'_{i,a'_i + c_i-1}. \end{aligned}$$

  2. For \(i = 1\) to \(q_d\) with \(0 \le p_i \le a'_i\):

     • \(\textsf{V}'_{i,p_i} := \textsf{V}_{j,p_i}\).

     • If \(a'_i > p_i\), run \(\textsf {xorRand\_Extn}^{P}(\textsf{V}'_{i,p_i}, (\textsf{A}'_{i,p_i+1}, \ldots , \textsf{A}'_{i,a'_i}))\) to obtain a walk

       $$\begin{aligned} \textsf{V}'_{i,p_i} {\mathop {\longrightarrow }\limits ^{\textsf{A}'_{i,p_i+1}}}_{\oplus } \textsf{V}'_{i,p_i+1} {\mathop {\longrightarrow }\limits ^{\textsf{A}'_{i,p_i+2}}}_{\oplus } \cdots {\mathop {\longrightarrow }\limits ^{\textsf{A}'_{i,a'_i}}}_{\oplus } \textsf{V}'_{i,a'_i}. \end{aligned}$$

     • If \(c_i > 1\), run \(\textsf {Rand\_Extn}^{P}(\textsf{V}'_{i,a'_i} \oplus 0^*1, \textsf{C}'_{i,1}\Vert \dots \Vert \textsf{C}'_{i,c_i-1})\) to obtain a walk

       $$\begin{aligned} \textsf{V}'_{i,a'_i} \oplus 0^*1 {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,1}}} \textsf{V}'_{i,a'_i + 1} {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,2}}} \cdots {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,c_i-1}}} \textsf{V}'_{i,a'_i + c_i-1}. \end{aligned}$$

  3. For \(i = 1\) to \(q_d\) with \(a'_i < p_i < t_i\):

     • \(\textsf{V}'_{i,p_i} := \textsf{V}_{j,p_i}\).

     • If \(p_i< t_i-1\), run \(\textsf {Rand\_Extn}^{P}(\textsf{V}'_{i,p_i}, \textsf{C}'_{i,p_i-a'_i+1}\Vert \dots \Vert \textsf{C}'_{i,c_i-1})\) to obtain a walk

       $$\begin{aligned} \textsf{V}'_{i,p_i} {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,p_i-a'_i+1}}} \textsf{V}'_{i,p_i + 1} {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,p_i-a'_i+2}}} \cdots {\mathop {\longrightarrow }\limits ^{\textsf{C}'_{i,c_i-1}}} \textsf{V}'_{i,a'_i + c_i-1}. \end{aligned}$$

  4. For \(i = 1\) to \(q_d\) with \(p_i = t_i\):

     • \(\textsf{V}'_{i,a'_i+c_i-1} := \textsf{V}_{j,a'_i+c_i-1}\).

For all the cases above, we define

$$\textsf{F}'_i = {\left\{ \begin{array}{ll} \textsf{C}'_{i, c_i} \Vert 10^* \Vert \lfloor \textsf{V}'_{i,a'_i + c_i-1} \rfloor _c &{} \textit{ if } c_i \ge 2 \\ \textsf{C}'_{i, c_i} \Vert 10^* \Vert (\lfloor \textsf{V}'_{i,a'_i + c_i-1} \rfloor _c \oplus 0^{c-1}1) &{} \textit{ if } c_i =1 \end{array}\right. }.$$

Note that for each \(i \in [q_d]\), \(\textsf{P}\) is updated by both the randomized extension algorithms, and although we start with a permutation, the resulting extended function \(\textsf{P}_1\) need not be injective.

Bad Event: \(\textsf{P}_1\) is Not an Injective Partial Function.   We define \(\textsf{bad}_4 = 1\) if there exist \((X, Y)\) and \((X',Y')\) in the set \(\textsf{P}_1\) such that \(Y = Y'\). It is important to note that \(\textsf{P}\) is an injective partial function, and thus this bad event can only occur when at least one of the values Y or \(Y'\) is obtained during the offline phase. Considering that both inputs and outputs are uniformly sampled, the probability of \(\textsf{bad}_4\) can be straightforwardly bounded using the union bound.

Lemma 5

\(\Pr (\textsf{bad}_4=1 ) \le \displaystyle \frac{\sigma _d(q_p + \sigma _d)}{2^b}\).

Bad Event (Permutation Compatibility of \(\textsf{P}_{\textsf {E}}\) and \(\textsf{P}_1\)).   We now set \(\textsf{bad}_5 = 1\) if

$$\begin{aligned} \textsf{domain}(\textsf{P}_1) \cap \textsf{domain}(\textsf{P}_\textsf {E}) \ne \emptyset \text { or } \textsf{range}(\textsf{P}_1) \cap \textsf{range}(\textsf{P}_\textsf {E}) \ne \emptyset . \end{aligned}$$

Given that this bad event does not hold, \(\textsf{P}_{\textsf {E}} \cup \textsf{P}_1\) is an injective partial function that is desired for a random permutation.

Lemma 6

\(\Pr (\textsf{bad}_5 = 1) \le \displaystyle \frac{\textsf{mcoll}(\sigma _e, 2^r) \times (\sigma _d + q_p)}{2^c}\).

Proof

Let \(\rho _1\) (and \(\rho _2\)) denote the multicollision on the values of \(\lceil x \rceil _r\), for all \(x \in \textsf{domain}(\textsf{P}_{\textsf {E}})\) (and for all \(x \in \textsf{range}(\textsf{P}_{\textsf {E}})\) respectively). Then, by the randomness of the randomized extension process and randomized xor-extension process, \(\Pr (\textsf{bad}_5 = 1 ~|~ \max \{\rho _1, \rho _2\} = \rho ) \le \rho (\sigma _d + q_p)/2^c\). Hence, using the expectation of \(\max \{\rho _1,\rho _2\}\), and applying Lemma 1 and the remark following it, we get the above bound.    \(\square \)

Bad Event (Correctly Forging).   We now set bad events whenever we have a correct forging in the ideal world based on the injective partial function \(\textsf{P}_2 := \textsf{P}_1 \sqcup \textsf{P}_{\textsf {E}}\) constructed so far. We set \(\textsf{bad}_6 = 1\) if

$$\begin{aligned} (\textsf{F}'_i, \textsf{T}'_i) = (\textsf{F}_j, \textsf{T}_j), ~~i \in [q_d], ~~j \in [q_e]. \end{aligned}$$

This is similar to \(\textsf{bad}_3\) as this would force a decryption query to be valid.

Lemma 7

\(\Pr (\textsf{bad}_6 = 1) \le \displaystyle \frac{\textsf{mcoll}(q_e, 2^{\tau }) q_d}{2^c}.\)

Proof

We divide this into two cases. First, consider \(p_i = c_i-1\) and \(\textsf{T}'_i = \textsf{T}_j\). Then \(\textsf{F}'_i \ne \textsf{F}_j\), and hence \(\textsf{bad}_6\) does not occur.

Next, we assume \(p_i \ne c_i-1\). Let \(\rho _3\) denote the multicollision count of the \(\textsf{T}_j\) values. By the randomness of \(\textsf{Z}_{j, t_j-1}\) and using the multicollision bound, we have \(\Pr (\textsf{bad}_6 = 1~|~\rho _3 = \rho ) \le \frac{\rho q_d}{2^c}\). Hence, using the expectation of \(\rho _3\) and applying Lemma 1, we obtain the above bound.    \(\square \)

We also have to consider other ways in which a decryption query can become a valid forgery. We now sample the key

$$K = (K_1, K_2) {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{\kappa }, ~~ K_2 \in \{0,1\}^\tau .$$

Let

$$\mathcal {J}= \{j \in [q_d]: \textsf{N}'_j \ne \textsf{N}_i \; \forall i \in [q_e]\}.$$

Now, we can define all remaining input-outputs for the underlying permutation used in the initialization and tag generation phase as follows:

  1. For all \(i \in [q_e]\),

     • \(\textsf{I}_i := IV \Vert K \Vert \textsf{N}_i\), \(\textsf{O}_i := \textsf{V}_{i,0} \oplus (0^{b - \kappa } \Vert K)\),

     • \(\textsf{X}_i := \textsf{F}_i \oplus (0^r\Vert K \Vert 0^{c- \kappa })\), \(\textsf{Y}_i := \alpha _i \Vert (\textsf{T}_i \oplus K_2)\), where \(\alpha _i {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^{b-\tau }\).

  2. For all \(j \in \mathcal {J}\),

     • \(\textsf{I}'_j := IV \Vert K \Vert \textsf{N}'_j\) and \(\textsf{O}'_j := \textsf{V}'_{j,0} \oplus (0^{b - \kappa } \Vert K)\).

  3. For all other \(j \in [q_d]\), there exists \(i \in [q_e]\) such that \(\textsf{N}'_j = \textsf{N}_i\), and we define \(\textsf{I}'_j := \textsf{I}_i\), \(\textsf{O}'_j := \textsf{O}_i\).

Define \(\textsf{P}_{\textsf {in}\text {-}\textsf {tag}} = \big ( (\textsf{I}_i,\textsf{O}_i)_{i \in [q_e]}, ~~(\textsf{X}_i,\textsf{Y}_i)_{i \in [q_e]}, ~~(\textsf{I}'_j,\textsf{O}'_j)_{j \in \mathcal {J}} \big )\).

Bad Event (Permutation Compatibility of \(\textsf{P}_{\textsc {in}\text {-}\textsc {tag}}\) and \(\textsf{P}_2\)).  We define \(\textsf{bad}_7 = 1\) if one of the following holds:

  1. \(\textsf{I}_i, \textsf{I}'_j \in \textsf{domain}(\textsf{P}_2)\) for some \(i \in [q_e], j \in [q_d]\).

  2. \(\textsf{O}_i = \textsf{O}'_j\) for \(i \in [q_e]\) and \(j \in [q_d]\) such that \(\textsf{N}_i \ne \textsf{N}'_j\).

  3. \(\textsf{O}_i, \textsf{O}'_j \in \textsf{range}(\textsf{P}_2)\) for some \(i \in [q_e], j \in [q_d]\).

Once again, if this bad event does not hold, \(\textsf{P}_3 := \textsf{P}_2 \sqcup \textsf{P}_{\textsf {in}\text {-}\textsf {tag}}\) is an injective partial function. By using the randomness of K, \(\textsf{V}_{i,0}\) and \(\textsf{V}'_{i,0}\) we can easily bound the probability of \(\textsf{bad}_7\) as stated below.

Lemma 8

\(\Pr (\textsf{bad}_7=1) \le \displaystyle \frac{q_p+\sigma }{2^{\kappa }} + \displaystyle \frac{q_e q_d + (q_e + q_d)(\sigma + q_p)}{2^b}\).

Finally, we settle the tag computation of all decryption queries and we set bad whenever a valid forgery occurs. For all \(i \in [q_d]\), we define \(\textsf{X}'_i := \textsf{F}'_i \oplus (0^r\Vert K \Vert 0^{c- \kappa })\). If \(\textsf{X}'_i \in \textsf{domain}(\textsf{P}_3)\) then we define \(\textsf{Y}'_i = \textsf{P}_3(\textsf{X}'_i)\). Else, \(\textsf{Y}'_i {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}^b\).

Bad Event (Decryption Queries are Not Rejected). We divide this into two cases depending on whether \(\textsf{X}'_i \in \textsf{domain}(\textsf{P}_3)\) or not:

  • Let \(\textsf{F}'_i = (\beta '_i \Vert x'_i \Vert \gamma '_i)\), where \(|\beta '_i| = r + \kappa - \tau \), \(|x'_i| = \tau \) and \(|\gamma '_i| = c- \kappa \). We set \(\textsf{bad}_8=1\) if

    $$\begin{aligned} \exists i \in [q_d], ~~~~~ \textsf{X}'_i \in \textsf{domain}(\textsf{P}_3) ~\wedge ~ \lfloor \textsf{P}_3(\textsf{X}'_i) \rfloor _{\tau } \oplus K_2 = \textsf{T}'_i. \end{aligned}$$

    If \(\textsf{bad}_8=1\), then

    (i) for some \((\beta _j \Vert x_j \Vert \gamma _j) \in \textsf{domain}(\textsf{P}_3)\), \(\textsf{X}'_i = (\beta _j \Vert x_j \Vert \gamma _j)\), \(|\beta _j| = r + \kappa - \tau \), \(|x_j| = \tau \) and \(|\gamma _j| = c - \kappa \), and

    (ii) \(x_j \oplus y_j = \textsf{T}'_i \oplus x'_{i}\) where \(y_j = \lfloor \textsf{P}_3(\beta _j \Vert x_j \Vert \gamma _j) \rfloor _{\tau }\).

    Let \(\rho _4\) denote the multicollision on the values of \((x_a \oplus y_a)_a\) varying over all elements of \(\textsf{P}_3\). Hence, the number of choices of j is at most \(\rho _4\). Then, by the randomness of K,

    $$\Pr (\textsf{bad}_8 = 1~|~\rho _4 = \rho ) \le \frac{\rho q_d}{2^\kappa }.$$

    So, using the expectation of \(\rho _4\) and applying Lemma 2, we have

Lemma 9

\(\Pr (\textsf{bad}_8 = 1) \le \displaystyle \frac{\textsf{mcoll}(\sigma +q_p, 2^{\tau }) q_d}{2^\kappa }\).

  • \(\textsf{X}'_i \notin \textsf{domain}(\textsf{P}_3)\). Let \(y_i = \lfloor \textsf{Y}'_i \rfloor _\tau \). We set \(\textsf{bad}_9=1\) if there exists \(i \in [q_d]\) such that \(y_i \oplus K_2 = \textsf{T}'_i\). Similarly, by the randomness of \(y_i\), we have

Lemma 10

\(\Pr (\textsf{bad}_9 = 1) \le \displaystyle \frac{q_d}{2^\tau }\).

Let \(\textsf{bad}\) denote the union of all bad events, namely \(\cup _{i=1}^9 \textsf{bad}_i\). By Lemmas 3 through 10, we have shown that

$$\begin{aligned} \Pr (\textsf{bad}= 1) &\le \frac{2q_d}{2^{\tau }} + \frac{\sigma ^2_e}{2^b} + \frac{\sigma _d(q_p + \sigma _d)}{2^b} + \frac{\textsf{mcoll}(\sigma _e, 2^r) \times (\sigma _d + q_p)}{2^c} + \frac{q_p + \sigma }{2^{\kappa }} \\ &\quad + \frac{\textsf{mcoll}(q_e, 2^{\tau }) q_d}{2^c} + \frac{q_e q_d + (q_e + q_d)(\sigma + q_p)}{2^b} + \frac{\textsf{mcoll}(\sigma +q_p, 2^{\tau }) q_d}{2^\kappa }. \end{aligned}$$

If none of these \(\textsf{bad}\) events occur, then all decryption queries are correctly rejected for the injective partial function \(\textsf{P}_3\).

Let \(\textsf{P}_\textsf {fin}:= \textsf{P}_3 \cup \big ( (\textsf{X}'_i,\textsf{Y}'_i)_{i \in [q_d]} \big )\). In the offline transcript, we provide all the input-outputs of \(\textsf{P}_\textsf {fin} \). Then,

$$\varTheta _{\textrm{id}} = \big ((\textsf{N}_i, \textsf{A}_i, \textsf{M}_i, \textsf{C}_i, \textsf{T}_i)_{i \in [q_e]},~ (\textsf{N}'_i, \textsf{A}'_i, \textsf{C}'_i, \textsf{T}'_i, \textsf {rej})_{i \in [q_d]},~ \textsf{P}_\textsf {fin} \big ). $$

Let \(\theta \) be a good transcript (one in which no \(\textsf{bad}\) event occurs). In the ideal world, every entry of \(\textsf{P}_\textsf {fin} \setminus \textsf{P}\) has either its input or its output sampled uniformly from \(\{0,1\}^b\), so each such entry contributes a factor \(2^{-b}\). Thus,

$$\Pr (\varTheta _{\textrm{id}} = \theta ) = \Pr (\textsf{P} \subseteq \mathsf {\Pi }) \times 2^{-b(|\textsf{P}_\textsf {fin} |- |\textsf{P}|)} \le 1/(2^b)_{|\textsf{P}_\textsf {fin} |} = \Pr (\varTheta _{\textrm{re}} = \theta ),$$

where the inequality uses \(2^{-b} \le 1/(2^b - i)\) for every \(i \ge 0\), i.e. a uniformly sampled \(b\)-bit value is at most as likely as a value sampled without replacement from a random permutation.

Since \(\Pr (\varTheta _{\textrm{id}} = \theta ) \le \Pr (\varTheta _{\textrm{re}} = \theta )\) for every good transcript and \(\Pr (\textsf{bad}= 1)\) is bounded as above, the H-coefficient technique completes the proof of our main theorem.

6 Final Discussion

In this paper, we have proved a security bound for the Ascon AEAD mode, the winner of the recently concluded NIST LwC competition. The mode is a Sponge-type construction. Notably, it is the key XOR in the tag-generation phase that allows us to derive a bound of the following form:

$$\begin{aligned} \frac{q_p}{2^\kappa }+\frac{q_p}{2^c}+ \frac{q_d}{2^c}+\frac{\sigma ^2_e}{2^b}+\frac{\sigma ^2_d}{2^b}+\frac{q_d}{2^\tau }+\frac{q_p\sigma _d}{2^b}+\frac{q_d}{2^\kappa } \end{aligned}$$

Each term of this bound is tight, in the sense that a matching attack exists:

  • \(\frac{q_p}{2^\kappa }\) and \(\frac{q_d}{2^\kappa }\) correspond to the generic attacks that guess the key in primitive calls or in decryption queries, respectively.

  • \(\frac{q_d}{2^\tau }\) corresponds to the generic attack that guesses the tag in decryption queries.

  • The terms \(\frac{\sigma ^2_e}{2^b},\frac{q_p}{2^c},\frac{q_d}{2^c}, \frac{\sigma ^2_d}{2^b}\) and \(\frac{q_p\sigma _d}{2^b}\) are matched by attacks that exploit state collisions among encryption, primitive and decryption queries.

Further, when \(\tau \le \min \{\kappa , c\}\), the obtained security bound can be reduced to

$$\begin{aligned} \frac{T}{2^{\min \{\kappa , c\}}} +\frac{D}{2^\tau }+\frac{DT}{2^b} \end{aligned}$$

where T is the time complexity and D is the data complexity of the adversary.
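As an added worked example (not code from the paper or from the Ascon project), the following Python evaluates the eight-term bound above and its reduced form for concrete parameters, and checks numerically that the reduced form really does dominate the full bound. Beyond what the page states, it assumes the conventions \(T := q_p\), \(D := \sigma _e + \sigma _d\) with \(q_d \le \sigma _d\), and \(D \le T\) (every data block costs the adversary at least one unit of time); these are what make the reduction to \(T/2^{\min \{\kappa , c\}} + D/2^\tau + DT/2^b\) hold up to a constant factor (3 here). The Ascon-128 parameters \(\kappa = 128\), \(b = 320\), \(c = 256\), \(\tau = 128\) are the public ones; the adversary budgets are constructed inputs.

```python
"""Bound calculator for the Ascon AEAD bound stated above.

Added example; not code from the paper or the Ascon project.  Assumed
conventions (labelled here, not taken from the page): T := q_p,
D := sigma_e + sigma_d with q_d <= sigma_d, and D <= T (each data block
costs at least one unit of time).  Ascon-128 parameters kappa=128, b=320,
c=256, tau=128 are public.
"""
from fractions import Fraction
from math import floor, log2


def ascon_bound_terms(kappa, c, b, tau, q_p, q_d, sigma_e, sigma_d):
    """The eight terms of the single-user bound as exact fractions, by name."""
    return {
        "q_p/2^kappa": Fraction(q_p, 2 ** kappa),
        "q_p/2^c": Fraction(q_p, 2 ** c),
        "q_d/2^c": Fraction(q_d, 2 ** c),
        "sigma_e^2/2^b": Fraction(sigma_e ** 2, 2 ** b),
        "sigma_d^2/2^b": Fraction(sigma_d ** 2, 2 ** b),
        "q_d/2^tau": Fraction(q_d, 2 ** tau),
        "q_p*sigma_d/2^b": Fraction(q_p * sigma_d, 2 ** b),
        "q_d/2^kappa": Fraction(q_d, 2 ** kappa),
    }


def ascon_bound(kappa, c, b, tau, q_p, q_d, sigma_e, sigma_d):
    """Sum of the eight terms: an upper bound on the adversary's advantage."""
    terms = ascon_bound_terms(kappa, c, b, tau, q_p, q_d, sigma_e, sigma_d)
    return sum(terms.values(), Fraction(0))


def dominant_term(kappa, c, b, tau, q_p, q_d, sigma_e, sigma_d):
    """Name of the term that dominates the bound for these resources."""
    terms = ascon_bound_terms(kappa, c, b, tau, q_p, q_d, sigma_e, sigma_d)
    return max(terms, key=terms.get)


def simplified_bound(kappa, c, b, tau, D, T):
    """T/2^min(kappa,c) + D/2^tau + DT/2^b; only valid when tau <= min(kappa,c)."""
    if tau > min(kappa, c):
        raise ValueError("the reduced form requires tau <= min(kappa, c)")
    return (Fraction(T, 2 ** min(kappa, c))
            + Fraction(D, 2 ** tau)
            + Fraction(D * T, 2 ** b))


def simplified_dominates(kappa, c, b, tau, q_p, q_d, sigma_e, sigma_d):
    """Check that the full bound is at most 3x the reduced form.

    Term by term: q_p/2^kappa + q_p/2^c <= 2T/2^min(kappa,c);
    q_d/2^c + q_d/2^kappa + q_d/2^tau <= 3D/2^tau since tau <= min(kappa,c)
    and q_d <= D; sigma_e^2/2^b + sigma_d^2/2^b <= D^2/2^b <= DT/2^b using
    the assumption D <= T; and q_p*sigma_d/2^b <= DT/2^b.
    """
    D, T = sigma_e + sigma_d, q_p
    if not (q_d <= sigma_d and D <= T):
        raise ValueError("needs q_d <= sigma_d and D <= T")
    full = ascon_bound(kappa, c, b, tau, q_p, q_d, sigma_e, sigma_d)
    return full <= 3 * simplified_bound(kappa, c, b, tau, D, T)


def max_time_for_advantage(kappa, c, b, tau, D, eps):
    """Largest T with simplified_bound(...) <= eps for a fixed data budget D.

    Returns 0 if the data-only term D/2^tau already exceeds eps.
    """
    slack = Fraction(eps) - Fraction(D, 2 ** tau)
    if slack <= 0:
        return 0
    # The reduced bound is linear in T: T * (2^-min(kappa,c) + D/2^b).
    per_primitive_call = Fraction(1, 2 ** min(kappa, c)) + Fraction(D, 2 ** b)
    return floor(slack / per_primitive_call)


def log2_advantage(x):
    """log2 of an exact fraction without overflowing float on huge integers."""
    x = Fraction(x)
    return log2(x.numerator) - log2(x.denominator)


if __name__ == "__main__":
    ASCON128 = dict(kappa=128, c=256, b=320, tau=128)
    # Constructed adversary budget: 2^100 offline permutation calls,
    # 2^50 forgery attempts, 2^60 encrypted and 2^55 decrypted blocks.
    res = dict(q_p=2 ** 100, q_d=2 ** 50, sigma_e=2 ** 60, sigma_d=2 ** 55)
    adv = ascon_bound(**ASCON128, **res)
    print("log2(advantage) =", log2_advantage(adv))
    print("dominated by    =", dominant_term(**ASCON128, **res))
    print("reduced form ok =", simplified_dominates(**ASCON128, **res))
    t_max = max_time_for_advantage(**ASCON128, D=2 ** 64, eps=2 ** -32)
    print("max log2(T) at D=2^64, eps=2^-32:", log2(t_max))
```

The last function answers the question a deployment engineer actually asks of such a bound: given a data limit and a target advantage, how much offline computation does the bound tolerate? For Ascon-128 with \(D = 2^{64}\) blocks and a target advantage of \(2^{-32}\), the answer is just under \(2^{96}\) permutation calls, which shows that the key-guessing term \(T/2^{\kappa }\), not the capacity term, is what sets the limit at these parameters.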

We would like to emphasize again that our analysis does not apply directly to general Sponge constructions that lack the double-keyed tag generation/verification step. Closing the gap between the currently known security bounds for such constructions and the recent attacks [15] remains an interesting open problem.

Finally, in the multi-user setting with \(\mu \) users, our analysis indicates that the first term in the bound for \(\textsf{bad}_7\) (Lemma 8) becomes \(\frac{\mu (q_p + \sigma )}{2^\kappa }\), i.e. the key-guessing term degrades linearly in the number of users. Our single-user result therefore does not carry over to the multi-user setting as is, and a separate analysis would be required to address it.