Special Issue: Cryptography and Security Tools and Techniques for Networked Embedded Systems (Research Article, Open Access)
Lin Ding, Lei Wang, Dawu Gu, Chenhui Jin, Jie Guan, "Algebraic Degree Estimation of ACORN v3 Using Numeric Mapping", Security and Communication Networks, vol. 2019, Article ID 7429320, 5 pages, 2019. https://doi.org/10.1155/2019/7429320
Algebraic Degree Estimation of ACORN v3 Using Numeric Mapping
Abstract
ACORN v3 is a lightweight authenticated encryption cipher that was selected as one of the seven finalists of the CAESAR competition in March 2018. It is intended for lightweight applications (resource-constrained environments). By using the numeric mapping technique proposed at CRYPTO 2017, we propose an efficient algorithm for algebraic degree estimation of ACORN v3. As a result, new distinguishing attacks on 647, 649, 670, 704, and 721 initialization rounds of ACORN v3 are obtained, respectively. So far as we know, all of our distinguishing attacks on ACORN v3 are the best known. The effectiveness and accuracy of our algorithm are confirmed by experimental results.
1. Introduction
ACORN, whose first version is known as ACORN v1 [1], is a lightweight authenticated encryption cipher that was submitted to the CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) competition [2] in 2014. Its structure is based on a nonlinear feedback shift register (NFSR). Later, with minor modifications that enhance its security, it was updated to ACORN v2 [3] and then ACORN v3 [4]. In March 2018, ACORN v3 was selected as one of the seven finalists of the CAESAR competition. In February 2019, ACORN v3 was included in the final CAESAR portfolio and recommended for the use case of lightweight applications (resource-constrained environments). The state size of ACORN v3 is 293 bits. It uses a 128-bit key and a 128-bit initialization vector. The initialization of ACORN v3 consists of loading the key and IV into the state and running the cipher for 1792 steps.
1.1. Previous Attacks on ACORN
In 2014, Wu submitted an authenticated encryption cipher, known as ACORN v1, to the CAESAR competition. After that, several attacks on ACORN v1 and its tweaked version ACORN v2 were presented in [5–11]. Besides these attacks, a cube attack on 477 rounds of ACORN v2 was proposed in [12] to recover the 128-bit key with a total attack complexity of , and when the goal is to recover one bit of the secret key, 503 rounds of ACORN v2 were attacked. Later, the cipher was updated to ACORN v3 with minor modifications that enhance its security.
Until now, several attacks on ACORN v3 have been published in [13–16]. However, no attack on the full ACORN v3 is better than exhaustive key search so far. Based on cube testers and the d-monomial test, Ghafari and Hu proposed a new attack framework in [17, 18] and presented a practical distinguishing attack on 676 rounds of ACORN v3 with time complexity of . This has been the best-known distinguishing attack on round-reduced variants of ACORN v3 so far. Recently, some key recovery attacks on ACORN v3 have been proposed. At CRYPTO 2017, Todo et al. [19] proposed possible key recovery attacks on 647, 649, and 704 rounds of ACORN v3, where no more than one bit of the secret key can be recovered with unknown probability in around , , and , respectively. The attack was improved by Wang et al. in [20, 21].
1.2. Numeric Mapping
At CRYPTO 2017, Liu [22] introduced a new technique, called numeric mapping, to iteratively estimate an upper bound on the algebraic degree of the internal states of an NFSR. Based on this technique, he developed an algorithm for estimating the algebraic degree of NFSR-based cryptosystems and, as applications, gave distinguishing attacks on Trivium-like ciphers, including Trivium, Kreyvium, and TriviA-SC.
1.3. Our Contributions
In this paper, we focus on proposing an efficient algorithm for algebraic degree estimation of ACORN v3. By applying our algorithm, we investigate the mixing efficiency of ACORN v3. When taking all the key and IV bits as initial input variables, the result shows that the lower bound on the maximum number of initialization rounds of ACORN v3 such that the generated keystream bit does not achieve maximum algebraic degree is 669 (out of 1792). When taking all the IV bits as input variables, the result shows that the lower bound on the maximum number of initialization rounds of ACORN v3 such that the generated keystream bit does not achieve maximum algebraic degree is 708 (out of 1792). When taking a subset of the IV bits as initial input variables, we apply our algorithm to ACORN v3 to obtain new distinguishing attacks. Some of the distinguishing attacks on round-reduced variants of ACORN v3 we have obtained are listed in Table 1, together with comparisons with previous work. As shown in Table 1, our results are the best-known distinguishing attacks on the cipher so far. Note that three key recovery attacks on the cipher from [19–21] are also listed in Table 1. In these attacks, the amount of recovered secret information is generally smaller than 1 bit, while the time complexities are very high. Because of these high time complexities, the attacks are impractical and cannot be verified by experiments, and their success probabilities are difficult to estimate since they rest on certain assumptions. Compared with them, our attacks have significantly better time complexities. Moreover, our attacks are deterministic rather than statistical, that is, they hold with probability 1.

To verify these cryptanalytic results, we carried out a number of experiments on round-reduced variants of ACORN v3. The experimental results show that our distinguishing attacks are always consistent with our evaluated results. This is strong evidence of the high accuracy of our algorithm.
This paper is organized as follows. Section 2 defines some notation and introduces the numeric mapping technique. Section 3 presents the algebraic degree estimation of ACORN v3. Section 4 concludes the paper.
2. Preliminaries
2.1. Notations
Let be the finite field with two elements, and let denote the n-dimensional vector space over the binary field . Let be the set of all n-variable Boolean functions mapping from into , and let . The algebraic normal form (ANF) of a given Boolean function f over n variables can be uniquely expressed as follows, where the coefficient is a constant in and denotes the i-th digit of the binary encoding of c (so the sum spans all monomials in ). The algebraic degree of f, denoted by , is defined as , where is the Hamming weight of c. In other words, for a multivariate Boolean function, the degree of a term is the sum of the exponents of the variables in the term, and the algebraic degree of the function is the maximum of the degrees of all its terms.
2.2. Cube Attack and Cube Tester
Almost any cryptographic scheme can be described by tweakable polynomials over the binary field , which contain both secret variables (e.g., key bits) and public variables (e.g., IV bits). The cube attack, proposed by Dinur and Shamir [23] at EUROCRYPT 2009, is one of the general and powerful cryptanalytic techniques against symmetric-key cryptosystems. It treats an output bit of a stream cipher as an unknown Boolean polynomial , where are secret key variables and are public IV variables. Given any monomial which is the product of the variables in , f can be written as the sum of the terms which are supersets of I and the terms that miss at least one variable from I, where is called the superpoly of I in f and the set is called a cube. The idea behind cube attacks is that the sum of the Boolean polynomial over the cube, i.e., over all possible values of the cube variables, is exactly , whereas for a random polynomial this sum is a random function. In cube attacks, low-degree superpolys in the secret variables are exploited to recover the key, while cube testers [24] work by distinguishing from a random function. In particular, the superpoly is the zero constant whenever the algebraic degree of f in the variables of I is smaller than the size of I. Thus, from the perspective of a cube tester, estimating the algebraic degree of NFSR-based cryptosystems is an efficient way of constructing distinguishing attacks.
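The cube-sum mechanics described above, as an added example that is not part of the original paper and does not use any real cipher: `toy_output` is an invented tweakable polynomial f(k, v) over four secret bits and six public bits. Summing it over a cube I recovers the superpoly of I; choosing a cube larger than f's degree in the IV variables makes the sum vanish for every key, which is exactly the zero-sum cube tester the section describes. All names in the block are constructed for the illustration.

```python
"""Cube sums and the zero-sum cube tester of Section 2.2 on a toy polynomial.
Constructed example: toy_output is an invented f(k, v), not a real cipher."""
from itertools import product

N_KEY, N_IV = 4, 6  # secret bits k[0..3], public IV bits v[0..5]


def toy_output(k, v):
    """Black-box output bit f(k, v). Its ANF contains the monomial v0*v1*v2*v3,
    so its degree in the IV variables is 4; the superpoly of I = {v0, v1, v2}
    (other IV bits fixed to 0) is k0 + k1*k3 + 1."""
    return ((v[0] & v[1] & v[2] & (k[0] ^ (k[1] & k[3]) ^ 1))
            ^ (v[0] & v[1] & v[2] & v[3])
            ^ (k[2] & v[4])
            ^ (k[1] & v[0] & v[5])
            ^ (k[0] & k[2] & k[3])
            ^ (k[3] & v[1] & v[5]))


def cube_sum(f, key, cube, n_iv=N_IV):
    """Sum f over all 2^|I| assignments of the cube variables, the remaining
    IV bits held at 0. The result is the superpoly p_I evaluated at `key`."""
    acc = 0
    for assignment in product((0, 1), repeat=len(cube)):
        v = [0] * n_iv
        for idx, bit in zip(cube, assignment):
            v[idx] = bit
        acc ^= f(key, v)
    return acc


def superpoly_values(f, cube, n_key=N_KEY, n_iv=N_IV):
    """Truth table of the superpoly: the cube sum for every key, as {key: bit}."""
    return {k: cube_sum(f, list(k), cube, n_iv)
            for k in product((0, 1), repeat=n_key)}


def is_zero_sum_cube(f, cube, n_key=N_KEY, n_iv=N_IV):
    """Cube tester: True when the cube sum vanishes for every key. This is
    guaranteed whenever |I| exceeds the degree of f in the cube variables,
    and it distinguishes f from a random function with probability 1."""
    return all(bit == 0 for bit in superpoly_values(f, cube, n_key, n_iv).values())


def expected_toy_superpoly(k):
    """The superpoly of I = {v0, v1, v2}, read off toy_output's ANF by hand."""
    return k[0] ^ (k[1] & k[3]) ^ 1


def check_toy_superpoly():
    """Cube sums over {v0, v1, v2} agree with the superpoly read off the ANF."""
    table = superpoly_values(toy_output, [0, 1, 2])
    return all(bit == expected_toy_superpoly(k) for k, bit in table.items())


if __name__ == "__main__":
    print("superpoly of {v0,v1,v2} recovered by summation:", check_toy_superpoly())
    print("{v0,v1,v2,v3} sums to the constant 1 for every key:",
          set(superpoly_values(toy_output, [0, 1, 2, 3]).values()) == {1})
    print("{v0..v4} is a zero-sum cube (5 > IV degree 4):",
          is_zero_sum_cube(toy_output, [0, 1, 2, 3, 4]))
    print("{v0,v1,v2} is not zero-sum:", is_zero_sum_cube(toy_output, [0, 1, 2]))
```

The three cubes show the three situations the section distinguishes: a cube whose superpoly depends on the key (usable for key recovery), a cube whose superpoly is a nonzero constant, and a cube that exceeds the degree in the IV variables and therefore sums to zero for every key; the last two are distinguishers with advantage 1, which is the property the paper's degree estimation targets.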
2.3. Numeric Mapping
At CRYPTO 2017, Liu [22] introduced a new technique, called numeric mapping, to iteratively estimate an upper bound on the algebraic degree of the internal states of an NFSR. Based on this technique, he developed an algorithm for estimating the algebraic degree of NFSR-based cryptosystems. Let . The numeric mapping, denoted by DEG, is defined as follows, where , the ’s are the coefficients of the algebraic normal form of f as defined above, and denotes the n-dimensional vector space over the integer field . Let be Boolean functions on n variables and denote for . We call a numeric degree of h if for all , where . The algebraic degree of h is always less than or equal to its numeric degree. Using numeric mapping, the algebraic degrees of the output bits with respect to the internal states can be estimated iteratively for NFSR-based cryptosystems.
3. Algebraic Degree Estimation of ACORN v3
In this section, we first briefly give a description of ACORN v3 and then propose an efficient algorithm for algebraic degree estimation of ACORN v3 to exploit new distinguishing attacks on it.
3.1. Brief Description of ACORN v3
This section presents a brief description of the authenticated encryption cipher ACORN v3. The structure of ACORN v3 is shown in Figure 1. The state size of ACORN v3 is 293 bits, denoted by at the t-th clock. It is constructed from 6 LFSRs of lengths 61, 46, 47, 39, 37, and 59 and one additional register of length 4. It supports a 128-bit key and a 128-bit initialization vector. As an authenticated encryption scheme, ACORN v3 passes through four procedures: initialization, processing the associated data, encryption, and finalization. In this paper, we focus only on the initialization, since the number of rounds we can attack is smaller than the 1792 initialization rounds. For more details about ACORN v3, we refer to [4].
The initialization of the authenticated encryption cipher ACORN v3 consists of loading the 128-bit key () and the 128-bit IV () into the state and running the cipher for 1792 steps:
(1) Initialize the state to 0.
(2) Let for to 127. Let for to 127. Let for . Let for to 1535.
(3) For to , .
At the t-th clock, the cipher executes the state update function , which is given as follows:
Step 1. Linear feedback update: 
Step 2. Generate the keystream bit: 
Step 3. Generate the nonlinear feedback bit: 
Step 4. Shift the 293-bit register with the feedback bit: for .
3.2. Algorithm for Algebraic Degree Estimation of ACORN v3
In this section, we propose an efficient algorithm for algebraic degree estimation of ACORN v3 using numeric mapping, as depicted in Algorithm 1.

Algorithm 1 outputs a numeric degree of the output function f after N rounds over the initial input variables, which is an upper bound on the algebraic degree of the first output bit after N rounds.
The time complexity of Algorithm 1 depends mainly on the value of N and on the ANFs of the update function . Since all of the update functions are shifting operations except for one quadratic function and six linear functions, Algorithm 1 has a time complexity of . Algorithm 1 needs to store for . Since the number of initial input variables is constant for ACORN v3, this gives a negligible memory complexity of .
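The iteration that Algorithm 1 performs, together with the ANF, algebraic degree and numeric mapping definitions of Sections 2.1 and 2.3, is illustrated by the following added example. It is not the authors' code and it does not implement ACORN v3 (whose update equations the page does not reproduce): the feedback and output functions are a small constructed NFSR invented for the illustration. The block propagates a vector of degree upper bounds through the rounds with the numeric mapping, then checks the resulting bound against the exact algebraic degree obtained from the output's truth table by a Möbius transform, which is affordable here because the toy has only 8 input variables.

```python
"""Numeric mapping (Liu, CRYPTO 2017) iterated over a toy NFSR, checked
against the exact algebraic degree. Constructed example, not ACORN v3."""

N_STATE = 8

# Update and output functions of the toy NFSR as ANFs: a list of monomials,
# each monomial the tuple of state-bit indices it multiplies (an empty tuple
# would be the constant 1). The taps are invented for this example.
FEEDBACK = [(0,), (2,), (3, 6)]   # g(s) = s0 + s2 + s3*s6
OUTPUT = [(0,), (1, 4)]           # h(s) = s0 + s1*s4


def eval_anf(monomials, bits):
    """Evaluate a function given by its monomial list on concrete bits."""
    acc = 0
    for mono in monomials:
        term = 1
        for i in mono:
            term &= bits[i]
        acc ^= term
    return acc


def numeric_mapping(monomials, degs):
    """DEG(f, D): the maximum, over the monomials present in f's ANF, of the
    sum of the degree bounds of the variables in the monomial. A constant
    function has no such monomial; its degree is 0 by convention."""
    if not monomials:
        return 0
    return max(sum(degs[i] for i in mono) for mono in monomials)


def clock(state):
    """One round: shift the register left and insert the feedback bit."""
    return state[1:] + [eval_anf(FEEDBACK, state)]


def estimate_degree(rounds, n_vars=N_STATE):
    """Algorithm-1-style iteration: every initial state bit is an input
    variable (degree 1); each round shifts the vector D of degree bounds and
    appends DEG(g, D) for the new bit; finally DEG(h, D) bounds the output.
    Bounds are capped at n_vars since no degree can exceed the variable count."""
    degs = [1] * n_vars
    for _ in range(rounds):
        degs = degs[1:] + [min(n_vars, numeric_mapping(FEEDBACK, degs))]
    return min(n_vars, numeric_mapping(OUTPUT, degs))


def exact_degree(rounds, n_vars=N_STATE):
    """Exact algebraic degree of the output bit after `rounds` clocks as a
    function of the initial state: tabulate it over all 2^n initial states,
    Möbius-transform the table into the ANF, and take the heaviest monomial."""
    table = []
    for x in range(1 << n_vars):
        state = [(x >> i) & 1 for i in range(n_vars)]
        for _ in range(rounds):
            state = clock(state)
        table.append(eval_anf(OUTPUT, state))
    for i in range(n_vars):               # in-place Möbius transform
        bit = 1 << i
        for c in range(1 << n_vars):
            if c & bit:
                table[c] ^= table[c ^ bit]
    return max((bin(c).count("1") for c in range(1 << n_vars) if table[c]),
               default=0)


def rounds_before_full_degree(degree_fn, n_vars=N_STATE, limit=64):
    """Number of rounds the output stays below the maximum degree n_vars
    according to degree_fn (the quantity discussed in Section 3.3.1)."""
    for r in range(limit):
        if degree_fn(r) == n_vars:
            return r - 1
    return limit


if __name__ == "__main__":
    for r in range(12):
        est, exact = estimate_degree(r), exact_degree(r)
        assert est >= exact, "numeric degree must upper-bound the true degree"
        print(f"rounds={r:2d}  numeric degree={est}  exact degree={exact}")
    print("rounds below full degree, from the estimate:",
          rounds_before_full_degree(estimate_degree))
    print("rounds below full degree, exact:",
          rounds_before_full_degree(exact_degree))
```

Because the numeric degree is always at least the true degree, the round count at which the estimate first reaches the full degree is a lower bound on the round count at which the output really does so; this is the sense in which the paper's 669 and 708 are lower bounds. In the toy, the estimate reaches degree 8 at round 9 while it is exact for small round counts (for instance both report degree 3 after four rounds), and the mismatch at larger round counts shows why the paper stresses that the true values could be higher.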
3.3. Experimental Results
By using Algorithm 1, we will investigate the mixing efficiency of ACORN v3 and exploit new distinguishing attacks on the cipher.
3.3.1. When Will the Initial Input Variables Be Sufficiently Mixed?
By applying Algorithm 1, we investigate the mixing efficiency of ACORN v3. When taking all the key and IV bits as initial input variables, the result shows that the maximum number of initialization rounds of ACORN v3 such that the generated keystream bit does not achieve maximum algebraic degree is at least 669 (out of 1792). When taking all the IV bits as input variables, the result shows that the maximum number of initialization rounds of ACORN v3 such that the generated keystream bit does not achieve maximum algebraic degree is at least 708 (out of 1792). The results are listed in Table 2. Note that both of these two results are lower bounds on the maximum number of initialization rounds of ACORN v3 such that the generated keystream bit does not achieve maximum algebraic degree. In other words, the true maximum numbers of initialization rounds which do not achieve maximum algebraic degree could be higher.

Furthermore, we also take a subset of the IV bits as the initial input variables X and apply Algorithm 1 to ACORN v3. Since the IV bits are loaded sequentially into the internal state during the second 128 initialization rounds, it is natural to select the later IV bits for the cube. We consider an exhaustive search over the subsets of all 128 IV bits for all . Some of the results we have found are listed in Table 3. All of these results were obtained on a common PC with a 2.5 GHz Intel Pentium 4 processor within one second. In Table 3, the cube size d means that the cube is used in our attack. For 676 rounds of ACORN v3, the best result is found when , which leads to a practical distinguishing attack with time complexity of and improves the previous distinguishing attack [17] by a factor of . Furthermore, the distinguishing advantage of our attack is 1, while the attack of [17] is based on a limited chi-square statistical test and its distinguishing advantage is certainly smaller than 1. For 721 rounds of ACORN v3, the best result is found when , which leads to a distinguishing attack with time complexity of . This is the best result we have found. Clearly, our results are the best distinguishing attacks on round-reduced variants of ACORN v3 so far. Note that all our attacks are deterministic rather than statistical, that is, they hold with probability 1.

3.3.2. Experiments
Since , , and in Table 3 are practical, we verify these results by carrying out a test for 100 random keys within half a day on a common PC with a 2.5 GHz Intel Pentium 4 processor. All outputs of 647, 649, and 670 rounds of ACORN v3 summed over the cubes , and , respectively, are always 0. This clearly confirms the effectiveness and accuracy of our algorithm.
4. Conclusions
In this paper, we focus on proposing an efficient algorithm for algebraic degree estimation of ACORN v3. By applying our algorithm, we investigate the mixing efficiency of ACORN v3 and obtain distinguishing attacks on it. As a result, new distinguishing attacks on 647, 649, 670, 704, and 721 initialization rounds of ACORN v3 are obtained, respectively. So far as we know, all of our distinguishing attacks on ACORN v3 are the best known. The effectiveness and accuracy of our algorithm are confirmed by the experimental results.
Data Availability
No data were used to support this study.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported by the National Natural Science Foundation of China under Grants 61602514, 61802437, 61272488, 61202491, 61572516, 61272041, and 61772547, National Cryptography Development Fund under Grant MMJJ20170125, and National Postdoctoral Program for Innovative Talents under Grant BX201700153.
References
[1] H. Wu, “ACORN: a lightweight authenticated cipher (v1). CAESAR first round submission,” 2014, http://competitions.cr.yp.to/round1/acornv1.pdf.
[2] CAESAR, “Competition for authenticated encryption: security, applicability, and robustness,” http://competitions.cr.yp.to/index.html.
[3] H. Wu, “ACORN: a lightweight authenticated cipher (v2). CAESAR second round submission,” 2015, http://competitions.cr.yp.to/round2/acornv2.pdf.
[4] H. Wu, “ACORN: a lightweight authenticated cipher (v3). CAESAR submission,” 2016, http://competitions.cr.yp.to/round3/acornv3.pdf.
[5] L. Jiao, B. Zhang, and M. Wang, “Two generic methods of analyzing stream ciphers,” in ISC 2015, LNCS, J. Lopez and C. J. Mitchell, Eds., vol. 9290, pp. 379–396, Springer, Cham, Switzerland, 2015.
[6] M. I. Salam, K. K.-H. Wong, H. Bartlett, L. Simpson, E. Dawson, and J. Pieprzyk, “Finding state collisions in the authenticated encryption stream cipher ACORN,” Tech. Rep., 2015, https://eprint.iacr.org/2015/908.
[7] F. Lafitte, L. Lerman, O. Markowitch, and D. Van Heule, “SAT-based cryptanalysis of ACORN,” Tech. Rep., 2016, https://eprint.iacr.org/2016/521.
[8] D. Roy and S. Mukhopadhyay, “Some results on ACORN,” Tech. Rep., 2016, https://eprint.iacr.org/2016/1132.
[9] P. Dey, R. S. Rohit, and A. Adhikari, “Full key recovery of ACORN with a single fault,” Journal of Information Security and Applications, vol. 29, pp. 57–64, 2016.
[10] D. K. Dalai and D. Roy, “A state recovery attack on ACORN-v1 and ACORN-v2,” in NSS 2017, LNCS, Z. Yan, Ed., vol. 10394, pp. 332–345, Springer, Finland, 2017.
[11] X. Zhang, X. Feng, and D. Lin, “Fault attack on the authenticated cipher ACORN v2,” Security and Communication Networks, vol. 2017, Article ID 3834685, 16 pages, 2017.
[12] M. I. Salam, H. Bartlett, E. Dawson, J. Pieprzyk, L. Simpson, and K. K.-H. Wong, “Investigating cube attacks on the authenticated encryption stream cipher ACORN,” in ATIS 2016, CCIS, L. Batten and G. Li, Eds., vol. 651, pp. 15–26, Springer, Singapore, 2016.
[13] A. A. Siddhanti, S. Maitra, and N. Sinha, “Certain observations on ACORN v3 and the implications to TMDTO attacks,” in SPACE 2017, LNCS, S. Ali, J.-L. Danger, and T. Eisenbarth, Eds., vol. 10662, pp. 264–280, Springer, Cham, Switzerland, 2017.
[14] X. Zhang and D. Lin, “Cryptanalysis of ACORN in nonce-reuse setting,” in Inscrypt 2017, LNCS, X. Chen, D. Lin, and M. Yung, Eds., vol. 10726, pp. 342–361, Springer, Cham, Switzerland, 2017.
[15] X. Zhang, X. Feng, and D. Lin, “Fault attack on ACORN v3,” The Computer Journal, vol. 61, no. 8, pp. 1166–1179, 2018.
[16] A. Adomnicai, L. Masson, and J. J. A. Fournier, “Practical algebraic side-channel attacks against ACORN,” in ICISC 2018, LNCS, K. Lee, Ed., vol. 11396, pp. 325–340, Springer, Cham, Switzerland, 2018.
[17] V. A. Ghafari and H. Hu, “A new chosen IV statistical distinguishing framework to attack symmetric ciphers, and its application to ACORN-v3 and Grain-128a,” 2017, https://eprint.iacr.org/2017/1103.pdf.
[18] V. A. Ghafari and H. Hu, “A new chosen IV statistical distinguishing framework to attack symmetric ciphers, and its application to ACORN-v3 and Grain-128a,” Journal of Ambient Intelligence and Humanized Computing, vol. 10, no. 6, pp. 2393–2400, 2018, https://doi.org/10.1007/s12652-018-0897-x.
[19] Y. Todo, T. Isobe, Y. Hao, and W. Meier, “Cube attacks on non-blackbox polynomials based on division property,” in CRYPTO 2017, LNCS, J. Katz and H. Shacham, Eds., vol. 10403, pp. 250–279, Springer, Cham, Switzerland, 2017.
[20] Q. Wang, Y. Hao, Y. Todo, C. Li, T. Isobe, and W. Meier, “Improved division property based cube attacks exploiting algebraic properties of superpoly,” in CRYPTO 2018, LNCS, H. Shacham and A. Boldyreva, Eds., vol. 10991, pp. 275–305, Springer, Cham, Switzerland, 2018.
[21] Q. Wang, Y. Hao, Y. Todo, C. Li, T. Isobe, and W. Meier, “Improved division property based cube attacks exploiting algebraic properties of superpoly (full version),” 2017, https://eprint.iacr.org/2017/1063.
[22] M. Liu, “Degree evaluation of NFSR-based cryptosystems,” in CRYPTO 2017, LNCS, J. Katz and H. Shacham, Eds., vol. 10403, pp. 227–249, Springer, Cham, Switzerland, 2017.
[23] I. Dinur and A. Shamir, “Cube attacks on tweakable black box polynomials,” in EUROCRYPT 2009, LNCS, A. Joux, Ed., vol. 5479, pp. 278–299, Springer, Heidelberg, Germany, 2009.
[24] J.-P. Aumasson, I. Dinur, W. Meier, and A. Shamir, “Cube testers and key recovery attacks on reduced-round MD6 and Trivium,” in FSE 2009, LNCS, O. Dunkelman, Ed., vol. 5665, pp. 1–22, Springer, Heidelberg, Germany, 2009.
Copyright
Copyright © 2019 Lin Ding et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.