Differential-linear Attacks on Permutation Ciphers Revisited: Experiments on Ascon and DryGASCON

Civek A. B., Tezcan C.

8th International Conference on Information Systems Security and Privacy (ICISSP), ELECTR NETWORK, 9 - 11 February 2022, pp.202-209 identifier identifier

  • Publication Type: Conference Paper / Full Text
  • Doi Number: 10.5220/0010982600003120
  • Page Numbers: pp.202-209
  • Keywords: Lightweight Cryptography, Cryptanalysis, Differential-linear Analysis, NIST
  • Middle East Technical University Affiliated: Yes


Ascon and DryGASCON are very similar designs that were submitted to NIST's lightweight cryptography standardization process. While Ascon made it to the finals, DryGASCON was eliminated in the second round. We analyze these algorithms against truncated, linear and differential-linear distinguishers to compare their security. We correct 2, 3, 3.5-round truncated differentials and 5-round differential-linear distinguishers that were given for DryGASCON-128. Moreover, we provide the longest practical differential-linear distinguisher of DryGASCON-128. Finally, we compare the security of Ascon-128 and DryGASCON-128 against differential-linear cryptanalysis.