{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,3]],"date-time":"2026-04-03T19:47:38Z","timestamp":1775245658626,"version":"3.50.1"},"reference-count":20,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,5,24]],"date-time":"2025-05-24T00:00:00Z","timestamp":1748044800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,5,24]],"date-time":"2025-05-24T00:00:00Z","timestamp":1748044800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62132008"],"award-info":[{"award-number":["62132008"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62372213"],"award-info":[{"award-number":["62372213"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62202460"],"award-info":[{"award-number":["62202460"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"Abstract<\/jats:title>\n Ascon, a family of algorithms that supports hashing and authenticated encryption, is the winner of the NIST Lightweight Cryptography Project. In this paper, we propose an improved preimage attack against 2-round Ascon-XOF-64 with a complexity of \n \n $$2^{33}$$<\/jats:tex-math>\n \n \n 2<\/mml:mn>\n 33<\/mml:mn>\n <\/mml:msup>\n <\/mml:math>\n <\/jats:alternatives>\n <\/jats:inline-formula> via a more effective guessing strategy. Furthermore, we successfully extend our preimage attack on 2-round Ascon-XOF-64 to 2-round Ascon-XOF-128, achieving a complexity of \n \n $$2^{97}$$<\/jats:tex-math>\n \n \n 2<\/mml:mn>\n 97<\/mml:mn>\n <\/mml:msup>\n <\/mml:math>\n <\/jats:alternatives>\n <\/jats:inline-formula>, which is currently the best preimage attack against 2-round Ascon-XOF-128. Apart from the preimage attack, we also investigate the resistance of Ascon-HASH against collision attacks. To be specific, we introduce the linearization of the inverse of S-boxes and then propose a free-start collision attack on 3-round Ascon-HASH with a complexity of \n \n $$2^{14}$$<\/jats:tex-math>\n \n \n 2<\/mml:mn>\n 14<\/mml:mn>\n <\/mml:msup>\n <\/mml:math>\n <\/jats:alternatives>\n <\/jats:inline-formula> using a differential trail searched dedicatedly. In addition, we construct different 2-round connectors using the linearization of the inverse of S-boxes and successfully extend the collision attack to 4 rounds and 5 rounds of Ascon-HASH with complexities of \n \n $$2^{18}$$<\/jats:tex-math>\n \n \n 2<\/mml:mn>\n 18<\/mml:mn>\n <\/mml:msup>\n <\/mml:math>\n <\/jats:alternatives>\n <\/jats:inline-formula> and \n \n $$2^{41}$$<\/jats:tex-math>\n \n \n 2<\/mml:mn>\n 41<\/mml:mn>\n <\/mml:msup>\n <\/mml:math>\n <\/jats:alternatives>\n <\/jats:inline-formula>, respectively. Although our attacks do not compromise the security of the full 12-round Ascon-XOF and Ascon-HASH, they provide some insights into Ascon\u2019s security.<\/jats:p>","DOI":"10.1186\/s42400-024-00340-7","type":"journal-article","created":{"date-parts":[[2025,5,24]],"date-time":"2025-05-24T01:02:28Z","timestamp":1748048548000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Preimage and collision attacks on reduced Ascon using algebraic strategies"],"prefix":"10.1186","volume":"8","author":[{"given":"Qinggan","family":"Fu","sequence":"first","affiliation":[]},{"given":"Ye","family":"Luo","sequence":"additional","affiliation":[]},{"given":"Qianqian","family":"Yang","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9298-7313","authenticated-orcid":false,"given":"Ling","family":"Song","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,5,24]]},"reference":[{"key":"340_CR1","doi-asserted-by":"publisher","unstructured":"Baek S, Kim G, Kim J (2024) Preimage attacks on reduced-round Ascon-Xof. Designs, Codes and Cryptography, pp 1\u201321. https:\/\/doi.org\/10.1007\/s10623-024-01383-0","DOI":"10.1007\/s10623-024-01383-0"},{"key":"340_CR2","unstructured":"Bertoni G, Daemen J, Peeters M, Van\u00a0Assche G (2007) Sponge functions. In: ECRYPT Hash Workshop, vol. 2007"},{"key":"340_CR3","unstructured":"Daemen J (1995) Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis, Doctoral Dissertation, March 1995, KU Leuven"},{"key":"340_CR4","doi-asserted-by":"publisher","first-page":"442","DOI":"10.1007\/978-3-642-34047-5_25","volume-title":"Fast software encryption","author":"I Dinur","year":"2012","unstructured":"Dinur I, Dunkelman O, Shamir A (2012) New attacks on Keccak-224 and Keccak-256. In: Canteaut A (ed) Fast software encryption. Springer, Berlin, pp 442\u2013461"},{"key":"340_CR5","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1007\/978-3-319-16715-2_20","volume-title":"Topics in cryptology \u2013 CT-RSA 2015","author":"C Dobraunig","year":"2015","unstructured":"Dobraunig C, Eichlseder M, Mendel F, Schl\u00e4ffer M (2015) Cryptanalysis of Ascon. In: Nyberg K (ed) Topics in cryptology \u2013 CT-RSA 2015. Springer, Cham, pp 371\u2013387"},{"key":"340_CR6","doi-asserted-by":"publisher","unstructured":"Dobraunig C, Eichlseder M, Mendel F, Schl\u00e4ffer M (2021) Ascon v1.2: lightweight authenticated encryption and hashing. https:\/\/doi.org\/10.1007\/S00145-021-09398-9","DOI":"10.1007\/S00145-021-09398-9"},{"key":"340_CR7","unstructured":"Dobraunig C, Eichlseder M, Mendel F, Schl\u00e4ffer M (2019) Preliminary analysis of Ascon-xof and Ascon-hash. (2019). https:\/\/api.semanticscholar.org\/CorpusID:218514785"},{"issue":"1","key":"340_CR8","doi-asserted-by":"publisher","first-page":"64","DOI":"10.46586\/TOSC.V2022.I1.64-87","volume":"2022","author":"J Erlacher","year":"2022","unstructured":"Erlacher J, Mendel F, Eichlseder M (2022) Bounds for the security of Ascon against differential and linear cryptanalysis. IACR Trans Symmetric Cryptol 2022(1):64\u201387. https:\/\/doi.org\/10.46586\/TOSC.V2022.I1.64-87","journal-title":"IACR Trans Symmetric Cryptol"},{"key":"340_CR9","doi-asserted-by":"publisher","first-page":"584","DOI":"10.1007\/978-3-319-44953-1_37","volume-title":"Principles and practice of constraint programming","author":"D Gerault","year":"2016","unstructured":"Gerault D, Minier M, Solnon C (2016) Constraint programming models for chosen key differential cryptanalysis. In: Rueher M (ed) Principles and practice of constraint programming. Springer, Cham, pp 584\u2013601"},{"issue":"1","key":"340_CR10","doi-asserted-by":"publisher","first-page":"33","DOI":"10.13154\/tosc.v2016.i1.33-56","volume":"2016","author":"J Guo","year":"2016","unstructured":"Guo J, Jean J, Nikolic I, Qiao K, Sasaki Y, Sim SM (2016) Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Trans Symmetric Cryptol 2016(1):33\u201356. https:\/\/doi.org\/10.13154\/tosc.v2016.i1.33-56","journal-title":"IACR Trans Symmetric Cryptol"},{"issue":"3","key":"340_CR11","doi-asserted-by":"publisher","first-page":"102","DOI":"10.46586\/TOSC.V2021.I3.102-136","volume":"2021","author":"D G\u00e9rault","year":"2021","unstructured":"G\u00e9rault D, Peyrin T, Tan QQ (2021) Exploring differential-based distinguishers and forgeries for ASCON. IACR Trans Symmetric Cryptol 2021(3):102\u2013136. https:\/\/doi.org\/10.46586\/TOSC.V2021.I3.102-136","journal-title":"IACR Trans Symmetric Cryptol"},{"issue":"3","key":"340_CR12","doi-asserted-by":"publisher","first-page":"74","DOI":"10.46586\/TOSC.V2023.I3.74-100","volume":"2023","author":"H Li","year":"2023","unstructured":"Li H, He L, Chen S, Guo J, Qiu W (2023) Automatic preimage attack framework on Ascon using a linearize-and-guess approach. IACR Trans Symmetric Cryptol 2023(3):74\u2013100. https:\/\/doi.org\/10.46586\/TOSC.V2023.I3.74-100","journal-title":"IACR Trans Symmetric Cryptol"},{"key":"340_CR13","doi-asserted-by":"publisher","first-page":"247","DOI":"10.1007\/978-3-030-84252-9_9","volume-title":"Advances in cryptology - CRYPTO 2021","author":"M Liu","year":"2021","unstructured":"Liu M, Lu X, Lin D (2021) Differential-linear cryptanalysis from an algebraic perspective. In: Malkin T, Peikert C (eds) Advances in cryptology - CRYPTO 2021. Springer, Cham, pp 247\u2013277"},{"issue":"3","key":"340_CR14","doi-asserted-by":"publisher","first-page":"303","DOI":"10.46586\/TOSC.V2022.I3.303-340","volume":"2022","author":"RH Makarim","year":"2022","unstructured":"Makarim RH, Rohit R (2022) Towards tight differential bounds of Ascon a hybrid usage of SMT and MILP. IACR Trans Symmetric Cryptol 2022(3):303\u2013340. https:\/\/doi.org\/10.46586\/TOSC.V2022.I3.303-340","journal-title":"IACR Trans Symmetric Cryptol"},{"key":"340_CR15","doi-asserted-by":"publisher","first-page":"216","DOI":"10.1007\/978-3-319-56617-7_8","volume-title":"Advances in cryptology - EUROCRYPT 2017","author":"K Qiao","year":"2017","unstructured":"Qiao K, Song L, Liu M, Guo J (2017) New collision attacks on round-reduced Keccak. In: Coron J-S, Nielsen JB (eds) Advances in cryptology - EUROCRYPT 2017. Springer, Cham, pp 216\u2013243"},{"key":"340_CR16","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-031-30634-1_6","volume-title":"Advances in cryptology - EUROCRYPT 2023","author":"L Qin","year":"2023","unstructured":"Qin L, Hua J, Dong X, Yan H, Wang X (2023) Meet-in-the-middle preimage attacks on sponge-based hashing. In: Hazay C, Stam M (eds) Advances in cryptology - EUROCRYPT 2023. Springer, Cham, pp 158\u2013188"},{"key":"340_CR17","doi-asserted-by":"publisher","first-page":"459","DOI":"10.1007\/978-3-662-49890-3_18","volume-title":"Advances in cryptology - EUROCRYPT 2016","author":"M Stevens","year":"2016","unstructured":"Stevens M, Karpman P, Peyrin T (2016) Freestart collision for full SHA-1. In: Fischlin M, Coron J-S (eds) Advances in cryptology - EUROCRYPT 2016. Springer, Berlin, pp 459\u2013483"},{"key":"340_CR18","unstructured":"Turan MS, McKay K, Chang D, Bassham LE, Kang J, Waller ND, Kelsey JM, Hong D (2023) Status report on the final round of the NIST lightweight cryptography standardization process"},{"key":"340_CR19","doi-asserted-by":"crossref","unstructured":"Yu X, Liu F, Wang G, Sun S, Meier W (2023) A closer look at the S-box: deeper analysis of round-reduced Ascon-hash. Cryptology ePrint Archive","DOI":"10.1007\/978-3-031-53368-6_2"},{"key":"340_CR20","unstructured":"Zong R, Dong X, Wang X (2019) Collision attacks on round-reduced Gimli-hash\/Ascon-xof\/Ascon-hash. Cryptology ePrint Archive (2019)"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00340-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00340-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00340-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,24]],"date-time":"2025-05-24T01:02:35Z","timestamp":1748048555000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00340-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,5,24]]},"references-count":20,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,12]]}},"alternative-id":["340"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00340-7","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,5,24]]},"assertion":[{"value":"23 April 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 November 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 May 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"34"}}