Cube Cryptanalysis of Round-Reduced ACORN

Abstract

The cube attack is one of the most powerful techniques in cryptanalysis of symmetric cryptographic primitives. The basic idea of cube attack is to determine the value of a polynomial in key bits by summing over a cube (a subset of public variables, e.g., plaintext bits or IV bits). If the degree of the polynomial is relatively low, then we can obtain a low-degree equation in key bits, thus may contribute to reducing the complexity of key recovery.

In this paper, we use cube cryptanalysis to analyze the authenticated stream cipher ACORN (one of the 6 algorithms in the final portfolio of the CAESAR competition), and give some new results in both distinguishing attacks and key recovery attacks. Firstly, we give a new method of finding cube testers, which is based on the greedy algorithm of finding cubes, and the numeric mapping method for estimating the algebraic degree of NFSR-based cryptosystems. We apply it to ACORN, and obtain the best practical distinguishing attacks for its 690-round variant using a cube of size 38, and its 706-round variant using a cube of size 46. Then we theoretically analyze the security bound of ACORN via the division property based cube attack. By exploiting the embedded property, we find some new distinguishers for ACORN, so the zero-sum property of the output of its 775-round variant can be observed with a complexity of \(2^{127}\). Finally, we propose a key recovery attack on ACORN reduced to 772 rounds. The time complexity to recover the linear superpoly of the 123-dimensional cube is \(2^{127.46}\). As far as we know, this is the best key recovery attack on round-reduced ACORN. It is also worth noting that this work does not threaten the security of ACORN.

This work was supported by the National Natural Science Foundation of China (Grant No. 61872359 and No. 61672516) and Youth Innovation Promotion Association CAS.

Appendices

A \(\texttt {KSG128}(t)\) and \(\texttt {FBK128}(t)\)

B Proof of Theorem 1

Proof

It is sufficient to justify Algorithms 8 and 9. By the rule of state update of ACORN, we have

and

In the above expressions, each underlined term corresponds to an estimated algebraic degree. For example, we have

$$\begin{aligned} \begin{aligned} \deg (s_{t+244}(s_{t+23} \oplus s_{t+160}))&\le \deg (s_{t+244})+\max \{\deg (s_{t+23}),\deg (s_{t+160})\}\\&\le d^{(t+244)}+\max \{d^{(t+23)},d^{(t+160)}\}. \end{aligned} \end{aligned}$$

Hence, the super numeric degree of \(s_{t+244}(s_{t+23} \oplus s_{t+160})\) is \(d^{(t+244)}+\max \{d^{(t+23)},d^{(t+160)}\}\), which can be found at line 5 in Algorithm 9. One can check that the degrees of all underlined terms are evaluated. Thus, our algorithms of degree estimation of ACORN are correct.    \(\square \)

C Cube Testers of Different Dimensions

Table 2. Some cubes found by the accelerated greedy algorithm. The sizes of these cubes range from 38 to 54.

D Embedded Property

The embedded property [18] says that, for different initial division properties \(\varvec{k}_0\) and \(\varvec{k}_1\) s.t. \(\varvec{k}_0 \succeq \varvec{k}_1\), there is no need to test \(\varvec{k}_1\), if the output multi-set under \(\varvec{k}_0\) does not have integral property, likewise, it is not necessary to test \(\varvec{k}_0\), if the output multi-set under \(\varvec{k}_1\) has integral property.