Cryptanalysis of the Authentication in ACORN

  • Shi, Tairong (Information Science and Technology Institute) ;
  • Guan, Jie (Information Science and Technology Institute)
  • Received : 2017.10.01
  • Accepted : 2018.09.28
  • Published : 2019.08.31

Abstract

ACORN is an authenticated encryption algorithm proposed as a candidate in the currently ongoing CAESAR competition. ACORN performs well in both security and efficiency and has been selected as a third-round candidate. This paper mainly concentrates on the security of ACORN under the forgery attack and on the non-repudiation of ACORN. Firstly, the differential properties of the feedback function in ACORN are analyzed. By taking advantage of these properties, forgery attacks on round-reduced ACORN are proposed with a success probability higher than $2^{-128}$ when the number of finalization rounds is less than 87. Moreover, the non-repudiation of ACORN in the nonce-reuse setting is analyzed. The known collision can be used to deny the authenticated message with probability $2^{-120}$. This paper demonstrates that ACORN cannot provide non-repudiation completely. We believe this is an undesirable property.


1. Introduction

Authenticated encryption (AE) [1] provides both confidentiality and authenticity. In order to select AE algorithms with strong security and performance exceeding the current standard AES-GCM, the CAESAR competition [2] was launched. CAESAR is similar to the AES [3] and SHA-3 hash [4] algorithm competitions, which were supported by the National Institute of Science and Technology (NIST). Authenticated encryption algorithms can be used in many scenarios, such as the Internet of Things (IoT) [5][6][7]. There were 57 proposals submitted to the first round of the CAESAR competition in 2014. In August 2016, fifteen successful candidates for the third round were announced, and their security has since attracted many researchers [8][9][10][11].

ACORN v3 [12], a lightweight authenticated stream cipher proposed by Wu, is one of the 15 third-round submissions. The structure of ACORN consists of six binary linear feedback shift registers (LFSRs) with lengths of 61, 46, 47, 39, 37 and 59 respectively, and an additional 4-bit register. ACORN uses a 128-bit key and a 128-bit initialization vector, and the internal state is 293 bits. There are three Boolean functions in ACORN: one generates the keystream bit, one computes the overall feedback bit, and one updates the state. The following three requirements should be satisfied when using ACORN.

1. Each key should be generated in a random and secure way.

2. The nonce should not be reused; namely, each key and IV pair should not be used to protect more than one message, and each key and IV pair should not be used with two different tag sizes.

3. If verification fails, the decrypted plaintext and the wrong tag should not be released.

Related work. Liu et al. [13] analyzed the slid properties of keys and IVs in ACORN v1. Furthermore, they proposed state recovery attacks using guess-and-determine and differential algebraic techniques. The time complexities of the attacks are approximately $2^{180}$ and $2^{130}$ CPU cycles. Chaigneau et al. [14] explored a key-recovery attack on ACORN v1 in nonce-reuse and decryption-misuse settings. Salam et al. [15] showed the existence of state collision attacks on ACORN v1 when the secret key is known. The same attacks in [15] can be extended to ACORN v2. Salam et al. [16] also investigated cube attacks on ACORN v1. Wang et al. [17] recover the state of ACORN in a nonce-reuse attack. The cube attack on 477 initialization rounds of ACORN v1 can recover the 128-bit key with a complexity of $2^{35}$. Jiao et al. [18] evaluated the security of ACORN v1 by using linear approximations, which needs about $2^{157}$ tests. Recently, a SAT-based cryptanalysis of ACORN v3 was given by Lafitte [19]. Zhang et al. [20] studied the fault attack on ACORN v2. Siddhanti et al. [21] presented the implication of such results towards mounting a TMDTO attack on ACORN v3.

In general, the majority of presented attacks that threaten ACORN are in nonce-reuse and misuse settings. There are three reasons why we continue to study the security of ACORN in the nonce-reuse setting.

First, from the users' point of view, the nonce should not be reused in practical applications when strong security is needed. But when ACORN is used in various cryptosystems, we cannot ensure that every user uses ACORN correctly without reusing the nonce. Second, from the designers' point of view, the security of an authenticated encryption algorithm should be analyzed comprehensively. In the drafts of other authenticated encryption algorithms, the designers evaluated the security of these algorithms in the nonce-reuse setting. Although the nonce should not be reused, the designers do not ignore the threat of nonce reuse. Last, other cryptographers want to break authenticated encryption algorithms, and any information leakage could be the key to breaking them, so they would analyze the security of these algorithms in any setting.

In this paper, we focus on the latest version of ACORN, ACORN v3. Unless otherwise specified, ACORN in the rest of the paper refers to ACORN v3. We discuss the properties of the cipher against forgery attack in the nonce-respect setting and non-repudiation in the nonce-reuse setting respectively. In the former case, the work is based on our previous research on state collisions of ACORN [22], and forgery attacks can be mounted with a success probability higher than $2^{-128}$ when the number of finalization rounds is less than 87. However, the full version of ACORN has 792 rounds, thus we find that the authentication process in ACORN has good resistance against forgery attack. In the latter case, we study the non-repudiation of ACORN by presenting how to repudiate concretely based on the available collision.

The known attacks on ACORN are shown in Table 1.

Table 1. The comparisons of attack results on ACORN

This paper is organized as follows. Section 2 provides a brief description of ACORN. In Section 3, we evaluate the security of ACORN against forgery attack in nonce-respect setting. We discuss the non-repudiation of ACORN in nonce-reuse setting in Section 5, followed by a conclusion in Section 6.

2. Description of ACORN

ACORN operates in five phases: initialization, processing the associated data, encryption, tag generation, and decryption and verification. This section gives the three functions used in ACORN and then each phase. The cipher executes as shown in Fig. 1.

Fig. 1. Detailed representation of the internal state of ACORN

Output keystream generation function. Let $S_i = (S_{i,0}, S_{i,1}, \ldots, S_{i,292})$ indicate the internal state in the i-th step. ACORN generates the keystream bit $ks_i$ from state $S_i$ as $ks_i = KSG(S_i)$:

 (1)

where the Boolean function maj is defined by

(2)

Nonlinear feedback function. The feedback bit $f_i$ is computed as $f_i = FBK(S_i, ca_i, cb_i)$:

(3)

where $\overline{S_{i,107}}$ denotes the complement of $S_{i,107}$, and $ca_i$ and $cb_i$ represent two control bits used in the different processes. The Boolean function ch is defined by

(4)

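State update function. $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$. The state is updated as in the following pseudo-code.

$S_{i,289} = S_{i,289} \oplus S_{i,235} \oplus S_{i,230}$;

$S_{i,230} = S_{i,230} \oplus S_{i,196} \oplus S_{i,193}$;

$S_{i,193} = S_{i,193} \oplus S_{i,160} \oplus S_{i,154}$;

$S_{i,154} = S_{i,154} \oplus S_{i,111} \oplus S_{i,107}$;

$S_{i,107} = S_{i,107} \oplus S_{i,66} \oplus S_{i,61}$;

$S_{i,61} = S_{i,61} \oplus S_{i,23} \oplus S_{i,0}$;

For $j = 0$ to 291

$S_{i+1,j} = S_{i,j+1}$;

End For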

2.1 The initialization of ACORN

During the initialization, ACORN loads the key and IV into the internal state, and runs for 1792 rounds. This process is described by the following pseudo-code.

$S_0 = (0, 0, \ldots, 0)$

For $i = 0$ to 127

$m_i = k_i$; $(ca_i, cb_i) = (1, 1)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

For $i = 128$ to 255

$m_i = iv_{i-128}$; $(ca_i, cb_i) = (1, 1)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

$m_{256} = k_0 \oplus 1$; $S_{257} = Stateupdate(S_{256}, m_{256}, ca_{256}, cb_{256})$;

For $i = 257$ to 1791

$m_i = k_{i \bmod 128}$; $(ca_i, cb_i) = (1, 1)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

2.2 Processing the associated data

After the initialization, the associated data $AD = (ad_0, ad_1, \ldots, ad_{adlen-1})$ is used to update the state as shown in the following, where adlen denotes the bit length of the associated data.

For $i = 0$ to $adlen - 1$

$m_i = ad_i$; $(ca_i, cb_i) = (1, 1)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

$m_{adlen} = 1$; $S_{adlen+1} = Stateupdate(S_{adlen}, m_{adlen}, ca_{adlen}, cb_{adlen})$;

For $i = adlen + 1$ to $adlen + 127$

$m_i = 0$; $(ca_i, cb_i) = (1, 0)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

For $i = adlen + 128$ to $adlen + 255$

$m_i = 0$; $(ca_i, cb_i) = (0, 0)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

2.3 The Encryption

At each step of encryption, the plaintext bit $p_i$ is used to update the state, and $p_i$ is encrypted by XOR with the keystream bit $ks_i$. Let pl denote the bit length of the plaintext.

$(m_0, m_1, \ldots, m_{pl+255}) = (p_0, p_1, \ldots, p_{pl-1}, 1, 0, \ldots, 0)$

For $i = 0$ to $pl - 1$

$(ca_i, cb_i) = (1, 0)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$; $c_i = p_i \oplus KSG(S_i)$;

End for

For $i = pl$ to $pl + 127$

$(ca_i, cb_i) = (1, 0)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

For $i = pl + 128$ to $pl + 255$

$(ca_i, cb_i) = (0, 0)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

2.4 The Finalization

The authentication tag T is generated in the finalization, which is described by the following pseudo-code.

For $i = 0$ to 767

$m_i = 0$; $(ca_i, cb_i) = (1, 1)$; $S_{i+1} = Stateupdate(S_i, m_i, ca_i, cb_i)$;

End for

The tag is the last t keystream bits, as follows:

$Tag = ks_{767-t+1} \,\|\, ks_{767-t+2} \,\|\, \cdots \,\|\, ks_{767}$ (5)

The decryption and verification are very similar to the encryption and tag generation. So we leave out the description of them here.

3. Forgery Attack on round-reduced ACORN

This section provides a description of the forgery attack on the reduced-round ACORN. In the nonce-respect setting, we are not allowed to modify the plaintext. Consequently, a common approach is to modify the ciphertext and the corresponding tag, then forge in decryption and verification. Our attacks mainly depend on the differential technique.

The main factor affecting a differential characteristic is the nonlinear functions. We first briefly show the differential properties of the two nonlinear functions (maj and ch). Then we give the differential characteristics in the encryption and tag generation.

3.1 Differential properties of maj and ch

This part of the work is based on our previous research on state collisions of ACORN [22]. maj and ch are the two nonlinear Boolean functions involved in the feedback function. Below, we present their differential properties.

For $maj(x_1, x_2, x_3)$,

$maj(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 x_3 \oplus x_2 x_3$

Let $(\Delta_1, \Delta_2, \Delta_3)$ denote the input difference of $maj(x_1, x_2, x_3)$; the output difference of $maj(x_1, x_2, x_3)$ can be described as

(6)

If $(\Delta_1, \Delta_2, \Delta_3) = (0,0,0)$, the output difference of $maj(x_1, x_2, x_3)$ is 0 with probability 1. If $(\Delta_1, \Delta_2, \Delta_3) = (1,1,1)$, the output difference of $maj(x_1, x_2, x_3)$ is 1 with probability 1. Otherwise, for any other value of $(\Delta_1, \Delta_2, \Delta_3)$, some of the variables $x_1, x_2, x_3$ remain in the output difference, and since they are random and independent of each other, the output difference of $maj(x_1, x_2, x_3)$ is 0 or 1 with probability 0.5.

For $ch(x_1, x_2, x_3)$,

$ch(x_1, x_2, x_3) = x_1 x_2 \oplus \overline{x_1} x_3$

Let $(\Delta_1, \Delta_2, \Delta_3)$ be the input difference of $ch(x_1, x_2, x_3)$; the output difference of $ch(x_1, x_2, x_3)$ can be described as

$ch(x_1 \oplus \Delta_1, x_2 \oplus \Delta_2, x_3 \oplus \Delta_3) \oplus ch(x_1, x_2, x_3) = \Delta_1 \Delta_2 \oplus x_1 \Delta_2 \oplus x_2 \Delta_1 \oplus \Delta_3 \oplus x_1 \Delta_3 \oplus x_3 \Delta_1 \oplus \Delta_1 \Delta_3$ (7)

If $(\Delta_1, \Delta_2, \Delta_3) = (0,0,0)$, the output difference of $ch(x_1, x_2, x_3)$ is 0 with probability 1. If $(\Delta_1, \Delta_2, \Delta_3) = (0,1,1)$, the output difference of $ch(x_1, x_2, x_3)$ is 1 with probability 1. Otherwise, for any other value of $(\Delta_1, \Delta_2, \Delta_3)$, some of the variables $x_1, x_2, x_3$ remain in the output difference, and since they are random and independent of each other, the output difference of $ch(x_1, x_2, x_3)$ is 0 or 1 with probability 0.5.

The differential properties of the two functions are shown in Table 2.

Table 2. The differential properties of functions maj and ch

Moreover, the differential characteristics in encryption and finalization will be presented as below.

3.2 Differential property of ACORN

For a forgery attack on ACORN to be valid, the success probability must be higher than $2^{-128}$. Let $(\Delta_0, \Delta_1, \ldots, \Delta_{292})$ denote the input difference of the internal state, and let $\Delta f_i$ denote the output difference of $f_i$. Next, we propose the differential properties of the state update function in decryption, based on the differential properties of the nonlinear functions in ACORN. Because the values of the parameters $(ca_i, cb_i)$ differ during decryption and verification, we split the analysis into three phases to introduce the differential rules of $f_i$.

$f_i = S_{i,0} \oplus \overline{S_{i,107}} \oplus maj(S_{i,244}, S_{i,23}, S_{i,160}) \oplus (ca_i \,\&\, S_{i,196}) \oplus (cb_i \,\&\, ks_i)$ (8)

Phase 1: During the first 128 steps after encrypting the last ciphertext bit, the control parameters are $(ca_i, cb_i) = (1, 0)$. Thus the feedback function is $f_i = S_{i,0} \oplus \overline{S_{i,107}} \oplus maj(S_{i,244}, S_{i,23}, S_{i,160}) \oplus S_{i,196}$, and the rules used in differential deduction are given as follows:

If $(\Delta_{244}, \Delta_{23}, \Delta_{160}) = (0,0,0)$, then $\Delta f_i = \Delta_0 \oplus \Delta_{107} \oplus \Delta_{196}$; if $(\Delta_{244}, \Delta_{23}, \Delta_{160}) = (1,1,1)$, then $\Delta f_i = \Delta_0 \oplus \Delta_{107} \oplus \Delta_{196} \oplus 1$; otherwise, $\Delta f_i = 0$.

Phase 2: During the second 128 steps after encrypting the last ciphertext bit, the control parameters are $(ca_i, cb_i) = (0, 0)$. Thus the feedback function is $f_i = S_{i,0} \oplus \overline{S_{i,107}} \oplus maj(S_{i,244}, S_{i,23}, S_{i,160})$, and the rules used in differential deduction are given as follows:

If $(\Delta_{244}, \Delta_{23}, \Delta_{160}) = (0,0,0)$, then $\Delta f_i = \Delta_0 \oplus \Delta_{107}$; if $(\Delta_{244}, \Delta_{23}, \Delta_{160}) = (1,1,1)$, then $\Delta f_i = \Delta_0 \oplus \Delta_{107} \oplus 1$; otherwise, $\Delta f_i = 0$.

Phase 3: In the first 128 steps after encrypting the last ciphertext, the control parameters are $(ca_i, cb_i) = (1, 1)$. Thus the feedback function is described as

$f_i = S_{i,0} \oplus \overline{S_{i,107}} \oplus maj(S_{i,244}, S_{i,23}, S_{i,160}) \oplus S_{i,196} \oplus S_{i,12} \oplus S_{i,154} \oplus maj(S_{i,235}, S_{i,61}, S_{i,193}) \oplus ch(S_{i,230}, S_{i,111}, S_{i,66})$ (9)

For maj and ch, there are two kinds of input difference leading to the output difference with probability 1. Otherwise, if there is any difference in the input, the output difference is 0/1 with probability 0.5. There are two maj functions and one ch function involved, so there are eight out of $2^9$ input differences whose corresponding output differences are fixed with probability 1; the others have probability 0.5. As a result, the rules used in differential deduction are given as follows:

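If $(\Delta_{244}, \Delta_{23}, \Delta_{160}) = (0,0,0)$ or $(1,1,1)$, $(\Delta_{235}, \Delta_{61}, \Delta_{193}) = (0,0,0)$ or $(1,1,1)$, and $(\Delta_{230}, \Delta_{111}, \Delta_{66}) = (0,0,0)$ or $(0,1,1)$, then $\Delta f_i = \Delta_0 \oplus \Delta_{107} \oplus \Delta_{244} \oplus \Delta_{196} \oplus \Delta_{12} \oplus \Delta_{154} \oplus \Delta_{235} \oplus \Delta_{111}$; otherwise, $\Delta f_i = 0$.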
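The differential properties of maj and ch from Section 3.1 and the deduction rules for the three control-bit settings can be checked mechanically. The Python block below is an added example, not code from the paper: it enumerates the difference behaviour of maj and ch, counts the fixed differences among the $2^9$ of Phase 3, and compares the rule with the feedback function of equations (8) and (9) on random states. All function names, and returning `None` for the probability-0.5 case, are assumptions of this example.

```python
import random
from itertools import product

def maj(x1, x2, x3):
    return (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)

def ch(x1, x2, x3):
    return (x1 & x2) ^ ((x1 ^ 1) & x3)

def diff_profile(func):
    """P[output difference = 1] for every 3-bit input difference (exhaustive)."""
    profile = {}
    for d in product((0, 1), repeat=3):
        ones = 0
        for x in product((0, 1), repeat=3):
            shifted = [a ^ b for a, b in zip(x, d)]
            ones += func(*x) ^ func(*shifted)
        profile[d] = ones / 8
    return profile

# Input differences whose output difference is certain (Section 3.1).
MAJ_FIXED = {(0, 0, 0): 0, (1, 1, 1): 1}
CH_FIXED = {(0, 0, 0): 0, (0, 1, 1): 1}

def count_fixed_phase3():
    """Count the 9-bit differences on (maj, maj, ch) with a certain output."""
    def g(v):
        x = [(v >> k) & 1 for k in range(9)]
        return maj(*x[0:3]) ^ maj(*x[3:6]) ^ ch(*x[6:9])
    vals = [g(v) for v in range(512)]
    return sum(len({vals[v] ^ vals[v ^ d] for v in range(512)}) == 1
               for d in range(512))

def feedback(S, ca, cb):
    """f_i as in equations (8)/(9), read from a 293-bit state S."""
    ks = S[12] ^ S[154] ^ maj(S[235], S[61], S[193]) ^ ch(S[230], S[111], S[66])
    return (S[0] ^ S[107] ^ 1 ^ maj(S[244], S[23], S[160])
            ^ (ca & S[196]) ^ (cb & ks))

def delta_f(D, ca, cb):
    """Deduction rule for the difference of f_i given the state difference D.
    Returns the certain value, or None when a nonlinear input difference is
    outside the fixed sets (the paper's rule then takes 0, which holds with
    probability 0.5)."""
    m1 = MAJ_FIXED.get((D[244], D[23], D[160]))
    if m1 is None:
        return None
    out = D[0] ^ D[107] ^ m1 ^ (ca & D[196])
    if cb:  # the keystream bit is fed back: second maj and ch join in
        m2 = MAJ_FIXED.get((D[235], D[61], D[193]))
        c = CH_FIXED.get((D[230], D[111], D[66]))
        if m2 is None or c is None:
            return None
        out ^= D[12] ^ D[154] ^ m2 ^ c
    return out

def difference(*positions):
    """293-bit difference vector with ones at the given positions."""
    D = [0] * 293
    for p in positions:
        D[p] = 1
    return D

def observed(D, ca, cb, trials=500, seed=1):
    """Output differences of the feedback function over random states."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        r = rng.getrandbits(293)
        S = [(r >> k) & 1 for k in range(293)]
        S2 = [s ^ d for s, d in zip(S, D)]
        seen.add(feedback(S, ca, cb) ^ feedback(S2, ca, cb))
    return seen
```

Every step for which `delta_f` returns `None` is a step where the characteristic holds only with probability 0.5, which is where the $2^{-n}$ cost of a differential chain comes from.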

After encrypting the last ciphertext bit, no message bit participates in the state update function, so $\Delta_{292} = \Delta f_i \oplus \Delta m_i = \Delta f_i$. Algorithm 1 provides pseudo-code for the differential deduction.

From the above algorithm, we can launch the attack on an arbitrary number of rounds and obtain the differential characteristics, where the probability is $2^{-n}$.

Our attacks search for a differential chain as long as possible with probability no less than $2^{-128}$. We introduce various weights (Hamming weights) of input differences on the ciphertext, including 1 bit, 2 bits and 3 bits, and calculate the probability for each. Table 3 lists the probabilities of a forgery for the different weights of input differences.

Table 3. Probabilities for a forgery in various Hamming weights of input differences (columns: Hamming weight, Round, Probability)

Note that our attacks search for a differential chain as long as possible with probability no less than $2^{-128}$, so we only list the results whose probabilities are around the boundary $2^{-128}$. We illustrate Table 3 using an example. When the weight of the input difference is 2 and the finalization round is less than 70, the probability of a forgery is higher than $2^{-127}$. When the weight of the input difference is 2 and the round is 70, the probability of a forgery is $2^{-127}$.

Experimental results show that if a difference is in the last bit of the ciphertext, a differential characteristic with probability $2^{-127}$ covering 256-round decryption and 86-round verification is available. The details of the results are given in the Appendix. As a consequence, we can launch forgery attacks on the cipher when the number of finalization rounds is less than 87, with a probability higher than $2^{-128}$.

Meanwhile, we analyzed why the number of rounds in our attack is limited. The reason mainly consists of 3 parts, as below:

  • The empty running rounds after each phase. After encryption, the cipher runs for another 256 steps. In fact, the empty rounds also exist after the initialization and the associated data loading process. This forces the difference to pass through more rounds.
  • Alternate setting of control parameters $(ca_i, cb_i)$ in encryption and finalization. As the former analysis shows, we split the deduction into three phases to introduce the differential rules. In addition, the control parameters separate the finalization from the ciphertext, which prevents part of the keystream (derived from the ciphertext) from being used as the tag.
  • Nonlinear transforms participating in each state update round. The nonlinear transforms make the differential probability drop swiftly. Thus the cipher has good differential properties and resists the forgery attack.

4. The non-repudiation of ACORN in nonce-reuse setting

Non-repudiation [23] of the sender is mainly used to prevent the originator from denying the sent message. As an authenticated encryption algorithm that may be widely used in the future, the practical security of ACORN should be evaluated carefully, and it is necessary to analyze the non-repudiation of ACORN. In this section, we evaluate the non-repudiation of ACORN. Firstly, we introduce the details of an internal collision which is used to construct the repudiation. Next, by using the available collision, we can repudiate practically.

If the nonce is reused, an attacker can modify the plaintext during the encryption, and then always introduce a difference to eliminate the difference in the internal state. As a result, two different plaintexts have an identical authentication tag. The designers showed that when the input difference (290 bits) $\Delta d$ is as below, the internal collision occurs with differential probability $2^{-120}$.

$\Delta d$ = {1000 0000 0000 0000 0000 0000 0000 0000 0110 0111 1011 0110 01}

However, attackers can only control the message difference, so we let $\Delta m = \Delta d$. Thus the user has access to the collision.

Considering the limit that nonce should not be reused, this type of forgery attack is not a concern in the design of ACORN. Different from the status of designers, we investigate the non-repudiation of cipher in practical applications.

Data non-repudiation is very important in the secure communication. However, our results disclose a potential weakness of ACORN. Repudiation performs in the following 3 steps.

  • Step 1: Alice, a malicious user who holds the secret K, can encrypt the message $m$ and send the corresponding $(c, tag)$ to the receiver Bob.
  • Step 2: Soon after, Bob receives $(c, tag)$ and decrypts it to get $m$, then verifies the authenticity of $m$ using $tag$.
  • Step 3: In this case, the attacker Alice is able to deny the already authenticated message $m$, and claims that the untreated message $m' = m \oplus \Delta m$ is the message that has been sent. Thus the ACORN algorithm cannot facilitate non-repudiation.

Fig. 2 illustrates the details of the repudiation generated by Alice. In fact, allowing the sender to access the secret key and create collisions is an undesirable property. For ACORN, the sender can find a collision for any given nonce and input plaintext, so the authenticity component of the authenticated encryption is compromised.

Fig. 2. Detailed representation of repudiation in ACORN

5. Conclusion

This paper discusses the security of authentication in ACORN. A forgery attack on 87-round ACORN is proposed; it shows that the finalization of ACORN has a large security margin against forgery attack. Our results do not contradict the security claims made by the designer. Furthermore, we present the repudiation existing in ACORN, while there is no security claim for ACORN in these settings. However, it is difficult to evaluate the performance of the forgery attack on the full version of ACORN because of the large scale of the algorithm. We cannot realize a practical attack in the process of repudiation because of the requirement on data. As a consequence, it may be a potential weakness in practical applications. With the advancement of the CAESAR competition, authenticated encryption receives more attention and develops rapidly; meanwhile, it becomes much harder to break the third-round candidates. So it is necessary to take practical security into consideration.

In the future, we will use a similar method to analyze more candidates in the third round of the CAESAR competition to find the potential weaknesses of these authenticated encryption algorithms.

References

  1. M. Bellare and C. Namprempre, "Authenticated encryption: Relations among notions and analysis of the generic composition paradigm," Journal of Cryptology, vol. 21, no. 4, pp. 469-491, Oct. 2008. https://doi.org/10.1007/s00145-008-9026-x
  2. J. Daemen and V. Rijmen, "The Design of Rijndael: AES-the advanced encryption standard," Springer, Berlin, 2002.
  3. "Caesar: Competition for authenticated encryption: Security, applicability, and robustness," Aug. 2016.
  4. "SHA-3 Competition (2007-2012)," Feb. 2005.
  5. P. Hu, H. Ning, T. Qiu et al., "Security and Privacy Preservation Scheme of Face Identification and Resolution Framework Using Fog Computing in Internet of Things," IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1143-1155, Jan. 2017. https://doi.org/10.1109/JIOT.2017.2659783
  6. Q. Xu, P. Ren, H. Song et al., "Security Enhancement for IoT Communications Exposed to Eavesdroppers with Uncertain Locations," IEEE Access, vol. 4, pp. 2840-2853, Jun. 2016. https://doi.org/10.1109/ACCESS.2016.2575863
  7. S. Javanmardi, M. Shojafar, S. Shariatmadari et al., "FRTRUST: a fuzzy reputation based model for trust management in semantic P2P grids," International Journal of Grid & Utility Computing, vol. 6, no. 1, pp. 57-66, Apr. 2014. https://doi.org/10.1504/IJGUC.2015.066397
  8. C. Dobrauning, M. Eichlseder and F. Mendel, "Heuristic Tool for Linear Cryptanalysis with Applications to CAESAR Candidates," in Proc. of ASIACRYPT 2014, pp.490-509, December 7-11, 2014.
  9. T. Peyrin, S. M. Sim, L. Wang et al., "Cryptanalysis of JAMBU," in Proc. of FSE 2015, pp. 264-281, March 8-11, 2015.
  10. V. T. Hoang, T. Krovetz, and P. Rogaway, "Robust authenticated-encryption: AEZ and the problem that it solves," in Proc. of EUROCRYPT 2015, pp. 15-44, April 26-30, 2015.
  11. T. Fuhr, G. Leurent and V. Suder, "Collision Attacks against CAESAR Candidates Forgery and Key-Recovery against AEZ and Marble," in Proc. of ASIACRYPT 2015, pp. 510-532, November 29 - December 3, 2015.
  12. H. J. Wu, "ACORN: A Lightweight Authenticated Cipher (v3)," Aug. 2015.
  13. M. C. Liu and D. D. Lin, "Cryptanalysis of Lightweight Authenticated Cipher ACORN," 2014.
  14. C. Colin, F.Thomas, and G. Henri, "Full key-recovery on ACORN in nonce-reuse and decryption misuse settings," 2015.
  15. M. I. Salam, K. K. Wong, H. Bartlett et al., "Finding state collisions in the authenticated encryption stream cipher ACORN," in Proc. of Australasian Computer Science Week Multiconference, pp. 36-56, February 2-5, 2016.
  16. M. I. Salam , H. Bartlett , E. Dawson et al., "Investigating Cube Attacks on the Authenticated Encryption Stream Cipher ACORN," in Proc. of Applications and Techniques in Information Security, pp.15-26, Oct 26-28, 2016.
  17. S. Wang, B. Hu, Y. Liu et al., "Nonce-reuse Attack on Authenticated Cipher ACORN," in Proc. of AICS 2016, pp. 379-385, September 20-21, 2016.
  18. L. Jiao, B. Zhang and M. Wang, "Two Generic Methods of Analyzing Stream Ciphers," in Proc. of ISC 2015, pp. 379-396, Sep. 9-11, 2015.
  19. F. Lafitte, L. Lerman, O. Markowitch et al., "SAT-based cryptanalysis of ACORN."
  20. X Zhang, X Feng, D Lin, et al, "Fault Attack on the Authenticated Cipher ACORN v2," Security & Communication Networks, 2017, 1-16, 2017.
  21. Siddhanti A A, Maitra S, Sinha N, "Certain Observations on ACORN v3 and the Implications to TMDTO Attacks," in Proc. of Security, Privacy, and Applied Cryptography Engineering, pp. 264-280, Dec. 13-17, 2017.
  22. P. Zhang, J. Guan, J. Li et al., "Research on State Collisions of Authenticated Cipher ACORN," in Proc. of ICSMIM 2015, pp.459-465, July 23-24, 2016.
  23. S. Steve, "Formal analysis of a non-repudiation protocol," in Proc. of CSFW 1998, pp. 54-65, June 9-11, 1998.