ascon: update formulas and check for API compatibility #406
Conversation
armfazh
commented
Feb 21, 2023
•
armfazh
commented
- Updating code points for Modes.
- Check the cipher.AEAD interface works as expected.
- The interface allows to reuse the plaintext to store the ciphertext.
| // more resistance against a quantum adversary using Grover’s algorithm for | ||
| // key search. Since Ascon-128 and Ascon-80pq share the same building blocks | ||
| // and same parameters except the size of the key, it is claimed the same | ||
| // security for Ascon-80pq against classical attacks as for Ascon-128. |
There was a problem hiding this comment.
Doesn't Ascon80pq provide 160b of classical security?
There was a problem hiding this comment.
I think it's good to add although Ascon-128 already reaches approximately NIST level 1 post-quantum security.
There was a problem hiding this comment.
@meichlseder can give us more details.
There was a problem hiding this comment.
The text is correct, we don't claim 160 bits of classical security for Ascon-80pq.
Several parts of Ascon are scaled for 128-bit security (with data limit 2^64), including the sponge capacity, tag size, permutation distinguisher bounds, etc., thus the common 128-bit security claim for all variants.
Depending on your precise definition of b-bit security and additional constraints besides offline time complexity (data limits including number of encryption/decryption queries, misuse settings, etc), ymmv.
