Linear Forgery Attacks on the Authenticated Encryption Cipher ACORN-Like
Authors: Yunqiang Li; Ting Cui
Journal: Chinese Journal of Electronics, 34(1), pp. 257-265
Publication date: 2025-01-01
DOI: 10.23919/cje.2023.00.016
URL: https://ieeexplore.ieee.org/document/10891972/
The authenticated encryption stream cipher ACORN is one of the finalists of the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) and is intended for lightweight applications. Because of structural weaknesses in the state update function of ACORN, we can introduce a linear function to analyze the conditions and differential trails of a state collision, and present a linear method to construct forgery messages under the condition that the key and initialization vector are known or the register state at a certain time is known. The attack method applies to three versions of ACORN and may also be extended to any ACORN-like cipher, in which the linear feedback shift register (LFSR) can be replaced by other LFSRs and the feedback function can be replaced by other nonlinear functions. For $l$ ($l > 293$) consecutive bits of new input data, we can construct $2^{l-294}$ forgery messages for any given message of ACORN. Using a standard personal computer, a concrete forgery message can be constructed almost instantly, and the required central processing unit time and memory are equivalent to the resources required for solving a system of 293 linear equations over the binary field. The attacks in this paper mean that the sender and receiver may easily cheat each other, which is not a desirable property for an ideal cipher and casts some doubt on whether ACORN meets the necessary authentication security requirements.
About the journal:
CJE focuses on the emerging fields of electronics, publishing innovative and transformative research papers. Most of the papers published in CJE are from universities and research institutes, presenting their innovative research results. Both theoretical and practical contributions are encouraged, and original research papers reporting novel solutions to the hot topics in electronics are strongly recommended.