Cryptanalysis of Acorn in Nonce-Reuse Setting

  • Xiaojuan Zhang
  • Dongdai Lin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10726)


Acorn is a third-round candidate of the CAESAR competition. It is a lightweight authenticated stream cipher. In this paper, we show how to recover the initial state of Acorn when one pair of Key and IV is used to encrypt three messages. Our method contains two main steps: (1) gathering different states; (2) retrieving linear equations. At the first step, we demonstrate how to gather the relation between states when two different plaintexts are encrypted under the same nonce. And at the second step, we exploit how to retrieve a system of linear equations with respect to the initial state, and how to recover the initial state from this system of equations. We apply this method to both Acorn v2 and Acorn v3. The time complexity to recover the initial state of Acorn v2 is \(2^{78} c\), where c is the time complexity of solving linear equations. It is lower than that of the previous methods. For Acorn v3, we can recover the initial state with the time complexity of \(2^{120.6}c\), lower than that of the exhaustion attack. We also apply it on shrunk ciphers with similar structure and properties of Acorn v2 and Acorn v3 to prove the validity of our method. This paper is the first time to analyze Acorn v3 when a nonce is reused and our method provides some insights into the diffusion ability of such stream ciphers.


CAESAR Authenticated cipher Stream cipher Acorn State recovery attack 



The authors would like to thank anonymous reviewers for considerate and helpful comments. This work is supported by National Natural Science Foundation of China (Grant No. 61379139) and the “Strategic Priority Research Program” of the Chinese Academy of Sciences (Grant No. XDA06010701).


  1. 1.
    Wu, H.: Acorn: a lightweight authenticated cipher (v3) (2016).
  2. 2.
    Wu, H.: Acorn: a lightweight authenticated cipher (v1) (2014).
  3. 3.
    Wu, H.: Acorn: a lightweight authenticated cipher (v2) (2015).
  4. 4.
    Liu, M., Lin, D.: Cryptanalysis of Lightweight Authenticated Cipher ACORN. Posed on the crypto-competition mailing list (2014)Google Scholar
  5. 5.
    Chaigneau, C., Fuhr, T., Gilbert, H.: Full Key-recovery on Acorn in Nonce-reuse and Decryption-misuse settings. Posed on the crypto-competition mailing list (2015)Google Scholar
  6. 6.
    Salam, M.I., Bartlett, H., Dawson, E., Pieprzyk, J., Simpson, L., Wong, K.K.-H.: Investigating cube attacks on the authenticated encryption stream cipher Acorn. In: Batten, L., Li, G. (eds.) ATIS 2016. CCIS, vol. 651, pp. 15–26. Springer, Singapore (2016). Google Scholar
  7. 7.
    Salam, M.I., Wong, K.K.-H., Bartlett, H., Simpson, L., Dawson, E., Pieprzyk, J.: Finding state collisions in the authenticated encryption stream cipher Acorn. In: Proceedings of the Australasian Computer Science Week Multiconference, p. 36. ACM (2016)Google Scholar
  8. 8.
    Lafitte, F., Lerman, L., Markowitch, O., Heule, D.V.: SAT-based cryptanalysis of Acorn. IACR Cryptology ePrint Archive, 521 (2016)Google Scholar
  9. 9.
    Josh, R.J., Sarkar, S.: Some observations on Acorn v1 and Trivia-SC. In: Lightweight Cryptography Workshop, NIST, USA, pp. 20–21 (2015)Google Scholar
  10. 10.
    Roy, D., Mukhopadhyay, S.: Some results on ACORN. IACR cryptology ePrint report 1132 (2016)Google Scholar
  11. 11.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  2. 2.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations