Dear all,
We recently studied the CAESAR candidate ACORN in the nonce-reuse scenario. We found that with 7 chosen plaintexts, each a few hundred bits long, the encryption key can be recovered almost instantly. Our attack can be transposed to the release-of-unverified-plaintext scenario. More details can be found in the attachment.
Please note that our attack does not contradict the security claims of ACORN, as its specifications clearly state that no security is expected in such scenarios. However, we think that our result strengthens this statement and gives clear evidence that the use of ACORN must be restricted to cases where nonce reuse and decryption misuse are clearly excluded.
Best Regards,
Colin Chaigneau,
Thomas Fuhr,