**Some results on ACORN**

*Dibyendu Roy and Sourav Mukhopadhyay*

**Abstract: **In this paper we obtain a weakness in the design specification of ACORN, which is a competitor of CAESAR competition. We show that there exists a probabilistic linear relation between message bits and ciphertext bits, which holds with probability greater than $\frac{1}{2}$. This is the first paper which finds a probabilistic linear relation between message and corresponding ciphertext bits of ACRON, and which holds with probability greater than $\frac{1}{2}$. We also propose a new type of CPA attack on ACORN. By our attack method, it is possible to recover full initial state of the encryption phase of the cipher, and the attack has complexity $\approx 2^{40}$. After obtaining the initial state of the encryption phase, one can invert the associated data loading phase and key-IV initialization phase to recover the secret key bits.

**Category / Keywords: **secret-key cryptography / CAESAR, ACORN, linear approximation, CPA.

**Date: **received 5 Dec 2016, last revised 25 Dec 2016

**Contact author: **dibyendu roy1988 at gmail com

**Available format(s): **PDF | BibTeX Citation

**Version: **20161225:073220 (All versions of this report)

**Short URL: **ia.cr/2016/1132

[ Cryptology ePrint archive ]