Conditional Cube Attack on Round-Reduced ASCON

📅 2025-08-20
🤖 AI Summary
This work evaluates the security of the authenticated encryption scheme ASCON against cube-like attacks under round reductions (5/6 and 7 rounds). To address the challenges posed by ASCON’s compact state size and complex nonlinear layer, which hinder conventional cube attacks, we propose the first successful extension of conditional cube attacks and introduce the novel “cube-key subset” technique. This method partitions the key space and applies conditional filtering to enable efficient divide-and-conquer key recovery. Our attack reduces the practical complexity of 6-round ASCON key recovery from the theoretical $2^{66}$ to $2^{40}$; achieves the first full-key recovery for 7-round ASCON with total complexity ≈ $2^{103.9}$; and breaks a weak-key subset of size $2^{117}$ using only $2^{77}$ operations. By overcoming fundamental limitations of prior approaches, this work significantly advances the state-of-the-art in high-round cryptanalysis of ASCON.

📝 Abstract
This paper evaluates the security level of the authenticated encryption scheme Ascon against the cube-like method. Ascon, submitted by Dobraunig et al., is one of 16 survivors of the 3rd round of the CAESAR competition. The cube-like method was first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced Ascon, whose structure is similar to Keccak keyed modes. However, for Ascon the non-linear layer is more complex and the state is much smaller, which makes it hard for attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack is on 6-round Ascon, while for Keccak keyed modes (Keccak-MAC and Keyak) the number of attacked rounds is no less than 7. In this paper, we generalize the conditional cube attack proposed by Huang et al., find new cubes depending on some key bit conditions for 5/6-round reduced Ascon, and translate the previous theoretical 6-round attack with $2^{66}$ time complexity into a practical one with $2^{40}$ time complexity. Moreover, we propose the first 7-round key-recovery attack on Ascon. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch the cube tester to determine if the key falls into it. Finally, we recover the full key space by testing all the key subsets. The total time complexity is about $2^{103.9}$. In addition, for a weak-key subset, whose size is $2^{117}$, the attack is more efficient and costs only $2^{77}$ time complexity. These attacks do not threaten the full-round (12 rounds) Ascon.
Problem

Research questions and friction points this paper is trying to address.

Evaluating Ascon security against cube attacks
Improving key-recovery attacks on reduced-round Ascon
Developing practical attacks using conditional cube methods
Innovation

Methods, ideas, or system contributions that make the work stand out.

Conditional cube attack generalization for ASCON
Cube-like key-subset technique for key recovery
Practical 7-round attack with reduced complexity
Zheng Li
Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, P. R. China
Xiaoyang Dong
Associate Professor, Tsinghua University
Cryptography
Xiaoyun Wang
Institute for Advanced Study, Tsinghua University, P. R. China