Certain observations on ACORN v3 and the implications to TMDTO attacks

Abstract

ACORN is a lightweight authenticated cipher which is one of the selected designs among the fifteen third round candidates. This is based on the underlying model of a stream cipher with 6 LFSRs of different lengths and three additional bits. In this paper we consider the scenario that certain amount of key stream bits and some portion of the state is known. Then we try to discover the rest of the state bits. For example, we show that the LFSR of length 47 can be recovered from 47 key stream bits and guessing the rest of the state bits. We also present the implication of such results towards mounting TMDTO attack on ACORN v3. We show that a TMDTO attack can be mounted with preprocessing complexity 2171 and 2180 (without and with the help of a SAT solver) and the maximum of online time, memory and data complexity 2122 and 2120 respectively. While our results do not refute any claim of the designer, these observations might be useful for further understanding of the cipher.