SSFA: Subset fault analysis of ASCON-128 authenticated cipher
Microelectronics Reliability (IF 1.6), Pub Date: 2021-06-25, DOI: 10.1016/j.microrel.2021.114155
Priyanka Joshi, Bodhisatwa Mazumdar

Present-day IoT systems that capture, process, and transfer real-world data employ lightweight ciphers in sensor devices for applications with multiple constraints, such as restricted size, power consumption, and processing speed. The largest security threat such devices face comprises implementation-based attacks, such as fault attacks and power analysis attacks, among others. Therefore, it is imperative to perform a meticulous security evaluation of lightweight ciphers against such implementation attacks. This paper aims at evaluating the security of ASCON against fault analysis attacks. ASCON is an authenticated cipher, selected in February 2019 as the CAESAR competition winner for the lightweight use-case portfolio. The use of a 128-bit random nonce as part of the input state makes the cipher resistant to classical cryptanalysis techniques such as differential cryptanalysis, linear cryptanalysis, and their variants. However, the key whitening operation applied to the finalization stage's output to produce the tag T (a publicly available value) creates an attack path for an adversary. Based on this vulnerability, we propose a key recovery attack called the Preliminary attack and discuss three methods to mount it. Furthermore, the S-box used in ASCON possesses a component function with zero correlation immunity, which renders it vulnerable to subset cryptanalysis. We propose a novel key recovery attack, the Subset fault analysis (SSFA) attack, that exploits this vulnerable S-box. Both proposed attacks can be mounted at different granularities and can uniquely determine the key of full-round ASCON. We also discuss some probable countermeasures to throttle the proposed attacks. In particular, we recommend an S-box mapping that is resistant to the proposed attack. The recommended S-box preserves all other essential cryptographic properties of the original S-box used in ASCON.
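The abstract's S-box claim can be checked directly. The following Python is an added example, not code from the paper: it takes the 5-bit ASCON S-box table from the ASCON specification and measures the properties the abstract refers to, namely the correlation immunity order of every component function (order 0 means a single input bit is linearly correlated with that component), plus bijectivity, nonlinearity and differential uniformity, which a replacement S-box mapping would have to preserve. The helper names are this example's own.

```python
"""Property checker for the ASCON 5-bit S-box (added example).

Component function of S for output mask b:  f_b(x) = parity(b & S(x)).
Walsh coefficient:  W_f(a) = sum_x (-1)^(f(x) xor parity(a & x)).
Correlation immunity (CI) order m: W_f(a) == 0 for all a with 1 <= wt(a) <= m.
"""
N = 5
# ASCON S-box lookup table from the specification (input bit x0 is the MSB).
ASCON_SBOX = [0x4, 0xb, 0x1f, 0x14, 0x1a, 0x15, 0x9, 0x2, 0x1b, 0x5, 0x8, 0x12,
              0x1d, 0x3, 0x6, 0x1c, 0x1e, 0x13, 0x7, 0xe, 0x0, 0xd, 0x11, 0x18,
              0x10, 0xc, 0x1, 0x19, 0x16, 0xa, 0xf, 0x17]

def parity(v):
    return bin(v).count("1") & 1

def component(sbox, b):
    """Truth table (list of 0/1) of the component f_b(x) = parity(b & S(x))."""
    return [parity(b & sbox[x]) for x in range(1 << N)]

def walsh(f):
    """Walsh spectrum W_f(a) for every input mask a in 0..2^N-1."""
    return [sum((-1) ** (f[x] ^ parity(a & x)) for x in range(1 << N))
            for a in range(1 << N)]

def correlation_immunity(f):
    """Largest m such that W_f(a) == 0 for all 1 <= wt(a) <= m; 0 if a single bit leaks."""
    w = walsh(f)
    order = 0
    for weight in range(1, N + 1):
        if any(w[a] != 0 for a in range(1, 1 << N) if bin(a).count("1") == weight):
            break
        order = weight
    return order

def sbox_profile(sbox):
    """Bijectivity, nonlinearity, differential uniformity and per-component CI orders."""
    comps = {b: component(sbox, b) for b in range(1, 1 << N)}
    max_walsh = max(abs(v) for f in comps.values() for v in walsh(f))
    ddt_max = max(sum(1 for x in range(1 << N) if sbox[x ^ d] ^ sbox[x] == o)
                  for d in range(1, 1 << N) for o in range(1 << N))
    ci = {b: correlation_immunity(f) for b, f in comps.items()}
    return {
        "bijective": sorted(sbox) == list(range(1 << N)),
        "nonlinearity": (1 << (N - 1)) - max_walsh // 2,
        "differential_uniformity": ddt_max,
        "min_ci_order": min(ci.values()),
        # output masks whose component has CI order 0 (e.g. 0b11000 = y0 xor y1)
        "ci0_masks": sorted(b for b, m in ci.items() if m == 0),
    }

if __name__ == "__main__":
    print(sbox_profile(ASCON_SBOX))
```

Running `sbox_profile` on a candidate replacement table shows at a glance whether it removes every CI-order-0 component while keeping the original nonlinearity, differential uniformity and bijectivity.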


Updated: 2021-06-28