###### tags: `bibliography` [toc] # Papers ## [An Efficient Soft Analytical Side-Channel Attack on Ascon (WASA'22)](https://link.springer.com/chapter/10.1007/978-3-031-19208-1_32) * Perform the soft analytical side-channel attack (SASCA) on Ascon encryption * Analyzed the initialization phase only * Run simulations instead analyzing real traces * For all simulations, they chose a *hamming weight with an additive Gaussian noise leakage model* to simulate leakage. * Simulations run on 8-bit platforms. * 32-bit is left for future work. ## [SCARL: Side-Channel Analysis with reinforcement Learning on the Ascon Authenticated Cipher (IACR 2020)](https://arxiv.org/pdf/2006.03995.pdf) * On a lightweight implementation of the Ascon authenticated cipher on the Artix-7 FPGA, SCARL is able to recover the secret key using 24K power traces during the key insertion, or Initialization Stage, of the cipher * "We also demonstrate that classical techniques such as DPA and CPA fail to identify the correct key using traditional linear leakage models and more than 40K power traces." * As of June 2023, this paper appears to have remained not formally published. ## [ASCON v1.2: Lightweight Authenticated Encryption and Hashing (JoC)](https://link.springer.com/article/10.1007/s00145-021-09398-9) * Christoph Dobraunig, Maria Eichlseder, Florian Mendel & Martin Schläffer * Both authenticated encryption algorithms provide efficient authenticated encryption on resource-constrained devices and on high-end CPUs. * they have been selected as the “primary choice” for lightweight authenticated encryption in the final portfolio of the CAESAR competition. * In masked implementations, it can be sufficient that the initialization and finalization provides high robustness against side-channel analysis, whereas the bulk data can be processed at higher speed with a lower protection level. * Side-channel protection is one of the primary design goals of ASCON. ## [An Open-Source Platform for Evaluation of Hardware Implementations of Lightweight Authenticated Ciphers (IEEE ReConFig 2019)](https://ieeexplore.ieee.org/document/8994788) * Abubakr Abdulgadir; William Diehl; Jens-Peter Kaps * "Our results show that Ascon consumes the least power at 50 MHz, and has the lowest change in dynamic power per increase in frequency, while GIFT-COFB consumes the least energy-per-bit. We also show that side-channel countermeasures applied to implementations of Ascon and AES-GCM are effective using leakage detection tests." * Consider DPA ## [Comparison of cost of protection against differential power analysis of selected authenticated ciphers (IEEE HOST 2018)](https://ieeexplore.ieee.org/document/8383904) * William Diehl, Abubakr Abdulgadir, Farnoud Farahmand, Jens-Peter Kaps, and Kris Gaj * "We use this capability to show that implementations in the Spartan-6 FPGA of the CAESAR Round 3 candidates ACORN, ASCON, CLOC (AES and TWINE), SILC (AES, PRESENT, and LED), JAMBU (AES and SIMON), and Ketje Jr., as well as AES-GCM, are potentially vulnerable to 1st order DPA. We then implement versions of the above ciphers, protected against 1st order DPA, using threshold implementations." ## [Masking the lightweight authenticated ciphers ACORN and ascon in software (IACR, 2018)](https://eprint.iacr.org/2018/708) * There are two recommended parameters for Ascon. The only two differences are the block size and the number of rounds b of the transformation p when applied to the state after absorbing the plaintext blocks. Ascon-128 works on 64-bit data blocks with b = 6 while Ascon-128a works on 128-bit data blocks with b = 8. Because Ascon-128 is the primary recommendation by the designers, we focus on this version and Ascon refers to Ascon-128 throughout the rest of this paper. * Side-channel attacks do not target the encryption algorithm itself, but side effects that occur during the execution of an implementation such as computation time, electromagnetic (EM) fields and power consumption. * ACORN and Ascon do not need any conditional branches depending on the internal state, nor do they employ look-up tables. Although they are generally not vulnerable to timing attacks, they remain vulnerable to power or EM related attacks such as DPA ## [DPA on Hardware Implementations of Ascon and keyak (CF 2017)](https://dl.acm.org/doi/10.1145/3075564.3079067) * Niels Samwel, Joan Daemen * Side channel analysis on **hardware** implementation of keyak and Ascon. ## [Ascon hardware implementations and side-channel evaluation (Microprocessors and Microsystems 2017)](https://www.sciencedirect.com/science/article/abs/pii/S0141933116302721)] * Hannes Gross, ErichWenger, Christoph Dobraunig, and Christoph Ehren * Presented a Ascon-128 hardware implementation * Assume the attacker can only do first-order DPA attacks. Don't consider attacks based on learning the powere characteristtics of inidivudal devices, so-called template atttacks. * Used simulated power tracees # Secondary # Links * https://www.nist.gov/news-events/news/2023/02/nist-selects-lightweight-cryptography-algorithms-protect-small-devices * It was selected in 2019 as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition * https://www.healthcareitnews.com/news/nist-selects-ascon-new-lightweight-cryptography-standard * Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight and easy to implement, even with added countermeasures against side-channel attacks, says NIST. * https://csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/documents/papers/active-passive-recovery-attacks-ascon-lwc2020.pdf * Using a lightweight implementation of Ascon on an Artix-7 FPGA, we demonstrate a successful statistical ineffective fault analysis (SIFA) attack using voltage glitches on the supply pin of the FPGA chip * The power consumption of the hardware during processing the state initialized with the secret key is the target of our PA attack. * In the proposed attack methodology, faults are injected into the operation of two selected S-boxes, during every encryption. * https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/ascon-spec-round2.pdf * Ascon v 1.2 - submission to NIST * "The primary recommendation is Ascon-128 and the secondary recommendation is Ascon-128a" * Ascon’s permutation uses S-boxes of degree 2 and thus lends itself to efficient countermeasures against side-channel attacks by masking with a low overhead. ## [Side-Channel Analysis of Keccak and Ascon (Master thesis 2016)](https://www.ru.nl/publish/pages/769526/niels_samwel.pdf) * A master thesis. It doesn't seem to have useful new results.