Preimage attacks on reduced-round Ascon-Xof
Designs, Codes and Cryptography (IF 1.6), Pub Date: 2024-03-30, DOI: 10.1007/s10623-024-01383-0
Seungjun Baek, Giyoon Kim, Jongsung Kim

Ascon, a family of algorithms that supports authenticated encryption and hashing, has been selected as the new standard for lightweight cryptography in the NIST Lightweight Cryptography Project. Ascon’s permutation and authenticated encryption have been actively analyzed, but there are relatively few analyses of its hashing mode. In this paper, we concentrate on preimage attacks on Ascon-Xof. We focus on linearizing the polynomials leaked by the hash value in order to invert it. In an attack on 2-round Ascon-Xof, we carefully construct the set of guess bits using a greedy algorithm in the context of guess-and-determine. This allows us to attack Ascon-Xof more efficiently than the method of Dobraunig et al., and we fully implement our attack to demonstrate its effectiveness. We also provide the number of guess bits required to linearize one output bit after 3- and 4-round Ascon’s permutation, respectively. In particular, for the first time, we connect the result for 3-round Ascon to a preimage attack on Ascon-Xof with a 64-bit output. Our attacks primarily focus on analyzing weakened versions of Ascon-Xof, where the weakening consists of setting all IV values to 0 and omitting the round constants. Although our attacks do not compromise the security of the full Ascon-Xof, they provide new insights into its security.
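To make the abstract's "linearizing" step concrete, the following added example (written for this page, not code from the paper or from the Ascon project) runs one round of Ascon's permutation both on 64-bit integers and symbolically, as polynomials over GF(2) in the 320 input bits. It follows the public Ascon v1.2 round function (round constants, S-box, rotation amounts) and exposes the `weakened` option the abstract describes (round constants dropped). It then shows that after one round every output bit has algebraic degree 2 and that a small set of "guess bits" (input bits assumed known) reduces a chosen output bit to an affine function. The greedy rule used to pick guess bits is an illustrative vertex-cover heuristic and is an assumption of this example, not the paper's construction; the paper's results concern 2, 3 and 4 rounds, where the same idea applies to polynomials of higher degree.

```python
"""Algebraic (ANF) view of one Ascon round. Added example, not from the paper.

The same bit-sliced round function runs over two "algebras": 64-bit integers
(the concrete permutation) and polynomials over GF(2) (the ANF of each output
bit).  Round constants and rotations follow the public Ascon v1.2 spec.
"""
import random
from collections import namedtuple

MASK = (1 << 64) - 1
ROUND_CONSTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5, 0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]
ROTATIONS = [(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]  # linear layer, per word

# --- polynomials over GF(2): a set of monomials, each a frozenset of variable indices ---
def var(i):        return {frozenset([i])}
def const(b):      return {frozenset()} if b & 1 else set()
def padd(p, q):    return p ^ q                     # XOR = symmetric difference
def pmul(p, q):
    r = set()
    for m in p:
        for n in q:
            r ^= {m | n}                            # x*x = x; equal monomials cancel
    return r
def pneg(p):       return padd(p, const(1))
def degree(p):     return max((len(m) for m in p), default=0)
def evaluate(p, bits):
    return sum(all(bits[v] for v in m) for m in p) & 1

# --- the two algebras the round function can run over ---
Alg = namedtuple("Alg", "xor and_ not_ rotr const")
INT_ALG = Alg(lambda a, b: a ^ b, lambda a, b: a & b, lambda a: ~a & MASK,
              lambda a, r: ((a >> r) | (a << (64 - r))) & MASK, lambda c: c)
# a symbolic word is a list of 64 polynomials; index j is bit j (bit 0 = LSB)
POLY_ALG = Alg(lambda a, b: [padd(p, q) for p, q in zip(a, b)],
               lambda a, b: [pmul(p, q) for p, q in zip(a, b)],
               lambda a: [pneg(p) for p in a],
               lambda a, r: [a[(j + r) % 64] for j in range(64)],
               lambda c: [const(c >> j) for j in range(64)])

def ascon_round(state, c, alg):
    """One Ascon round (constant addition, S-box layer, linear layer) over either algebra."""
    x0, x1, x2, x3, x4 = state
    x2 = alg.xor(x2, alg.const(c))                  # round constant (0 in the weakened variant)
    x0 = alg.xor(x0, x4); x4 = alg.xor(x4, x3); x2 = alg.xor(x2, x1)
    t = [alg.and_(alg.not_(a), b) for a, b in
         ((x0, x1), (x1, x2), (x2, x3), (x3, x4), (x4, x0))]
    x0 = alg.xor(x0, t[1]); x1 = alg.xor(x1, t[2]); x2 = alg.xor(x2, t[3])
    x3 = alg.xor(x3, t[4]); x4 = alg.xor(x4, t[0])
    x1 = alg.xor(x1, x0); x0 = alg.xor(x0, x4); x3 = alg.xor(x3, x2); x2 = alg.not_(x2)
    return [alg.xor(alg.xor(w, alg.rotr(w, a)), alg.rotr(w, b))
            for w, (a, b) in zip((x0, x1, x2, x3, x4), ROTATIONS)]

def ascon_permutation(state, rounds=12, weakened=False):
    """p^rounds on five 64-bit words; weakened=True omits the round constants, as in the abstract."""
    for i in range(12 - rounds, 12):
        state = ascon_round(state, 0 if weakened else ROUND_CONSTS[i], INT_ALG)
    return state

def symbolic_round(c=0):
    """ANF of every output bit of one round; input bit j of word w is variable 64*w + j."""
    return ascon_round([[var(64 * w + j) for j in range(64)] for w in range(5)], c, POLY_ALG)

def symbolic_matches_concrete(seed=1, c=ROUND_CONSTS[0]):
    """Cross-check: evaluating the ANF on a random state reproduces the integer round."""
    rng = random.Random(seed)
    state = [rng.getrandbits(64) for _ in range(5)]
    bits = [(state[w] >> j) & 1 for w in range(5) for j in range(64)]
    sym = symbolic_round(c)
    rebuilt = [sum(evaluate(sym[w][j], bits) << j for j in range(64)) for w in range(5)]
    return rebuilt == ascon_round(state, c, INT_ALG)

def greedy_guess_set(p):
    """Choose variables to 'guess' (treat as known) so that p becomes affine.
    Guessing v lowers the degree of every monomial containing v by one (or removes
    it), so the guessed set must hit every monomial of degree >= 2.  Greedy rule
    (an assumption of this example): take the variable in most nonlinear monomials."""
    nonlinear = {m for m in p if len(m) >= 2}
    guessed = []
    while nonlinear:
        counts = {}
        for m in nonlinear:
            for v in m:
                counts[v] = counts.get(v, 0) + 1
        v = max(counts, key=lambda k: (counts[k], -k))  # deterministic tie-break
        guessed.append(v)
        nonlinear = {m - {v} for m in nonlinear if len(m - {v}) >= 2}
    return guessed

def substitute(p, assignment):
    """Plug known bit values into p; returns the polynomial in the remaining variables."""
    r = set()
    for m in p:
        if any(assignment.get(v) == 0 for v in m):
            continue
        r ^= {frozenset(v for v in m if v not in assignment)}
    return r

def linearize_output_bit(word, bit, seed=7):
    """(degree before, number of guess bits, degree after guessing) for one output bit."""
    p = symbolic_round()[word][bit]
    guesses = greedy_guess_set(p)
    rng = random.Random(seed)
    reduced = substitute(p, {v: rng.getrandbits(1) for v in guesses})
    return degree(p), len(guesses), degree(reduced)

if __name__ == "__main__":
    print("ANF consistent with integer round:", symbolic_matches_concrete())
    print("degrees after one round:", sorted({degree(q) for w in symbolic_round() for q in w}))
    print("word 0, bit 0 (degree, guesses, degree after):", linearize_output_bit(0, 0))
    print("word 1, bit 0 (degree, guesses, degree after):", linearize_output_bit(1, 0))
```

Running it shows that each output bit of word 0 needs only three guessed bits (one per rotated copy, since every quadratic term of that S-box coordinate shares the variable from word 1), whereas word 1 needs six, because its quadratic terms form a triangle that no single variable covers. This is the kind of per-bit "guess bit" accounting the abstract reports for 3 and 4 rounds, where the polynomials are of degree 8 and 16 and the counts grow accordingly.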




Updated: 2024-03-30