Cryptanalysis of Rocca and Feasibility of Its Security Claim

Bibliographic Details
Published in: IACR Transactions on Symmetric Cryptology, Vol. 2022, No. 3, pp. 123-151
Main Authors: Hosoyamada, Akinori; Inoue, Akiko; Ito, Ryoma; Iwata, Tetsu; Minematsu, Kazuhiko; Sibleyras, Ferdinand; Todo, Yosuke
Format: Journal Article
Language: English, Japanese
Publisher: Universitätsbibliothek der Ruhr-Universität Bochum, 09.09.2022

Summary: Rocca is an authenticated encryption with associated data scheme for beyond 5G/6G systems. It was proposed at FSE 2022/ToSC 2021(2), and the designers make a security claim of 256-bit security against key-recovery and distinguishing attacks, and 128-bit security against forgery attacks (the security claim regarding distinguishing attacks was subsequently weakened in the full version in ePrint 2022/116). A notable aspect of the claim is the gap between the privacy and authenticity security levels. In particular, the security claim regarding key-recovery attacks allows an attacker to obtain multiple forgeries through the decryption oracle. In this paper, we first present a full key-recovery attack on Rocca. The data complexity of our attack is 2^128 and the time complexity is about 2^128, where the attack makes use of the encryption and decryption oracles, and the success probability is almost 1. The attack recovers the entire 256-bit key in a single-key and nonce-respecting setting, breaking the 256-bit security claim against key-recovery attacks. We then extend the attack to various security models and discuss several countermeasures to assess the feasibility of the security claim. Finally, we consider the theoretical question of whether achieving the security claim of Rocca is possible in the provable security paradigm. We present both negative and positive results on this question.
ISSN: 2519-173X
DOI: 10.46586/tosc.v2022.i3.123-151