Preliminary Analysis of Ascon-Xof and Ascon-Hash

We consider pre-image attacks on a version of Ascon-Xof where the number of rounds in pa has been reduced to 2 and the length of the hash value H is truncated to 64 bits. Hence, it is expected to hit this value with a probability of 2−64 and thus, the expected workload to find a pre-image is around 264. For simplicity, we consider the round-reduced variant of Ascon-Xof without round constants and with an all-zero equivalent IV. If we then take a look at the output of the S-box of the first round, we see that the 3 bits SL 0,0,i, S L 0,1,i, and S L 0,3,i of the S-box output depend on the input bit S N 0,0,i, while the bits SL 0,2,i = 1 and S L 0,4,i = 0. Hence, after the application of the linear layer, bit i of the first word SN 1,0,i = Σ0,i(S N 0,0), bit i of the second word SN 1,1,i = Σ1,i(S N 0,0), bit i of the third word SN 1,2,i = 1, bit i of the fourth word SN 1,3,i = Σ3,i(S N 0,0), and bit i of the fifth word SN 1,4,i = 0. Due to the word-wise structure of Ascon’s linear layer, we only have to obey the first bit of the ANF of the S-box and get: