ABSTRACT
This paper analyzes the authenticated encryption algorithm ACORN, a candidate in the CAESAR cryptographic competition. We identify weaknesses in the state update function of ACORN that result in collisions in the internal state of ACORN. This paper shows that, for a given set of key and initialization vector values, we can construct two distinct input messages which result in a collision in the ACORN internal state. Using a standard PC, the collision can be found almost instantly when the secret key is known. This flaw can be used by a message sender to create a forged message which will be accepted as legitimate.
Index Terms
- Finding state collisions in the authenticated encryption stream cipher ACORN