Cryptanalysis of Rocca and Feasibility of Its Security Claim
Rocca is an authenticated encryption with associated data scheme for beyond 5G/6G systems. It was proposed at FSE 2022/ToSC 2021(2), and the designers make a security claim of achieving 256-bit security against key-recovery and distinguishing attacks, and 128-bit security against forgery attacks (the security claim regarding distinguishing attacks was subsequently weakened in the full version in ePrint 2022/116). A notable aspect of the claim is the gap between the privacy and authenticity security. In particular, the security claim regarding key-recovery attacks allows an attacker to obtain multiple forgeries through the decryption oracle. In this paper, we first present a full key-recovery attack on Rocca. The data complexity of our attack is 2^128 and the time complexity is about 2^128, where the attack makes use of the encryption and decryption oracles, and the success probability is almost 1. The attack recovers the entire 256-bit key in a single-key and nonce-respecting setting, breaking the 256-bit security claim against key-recovery attacks. We then extend the attack to various security models and discuss several countermeasures to see the feasibility of the security claim. Finally, we consider a theoretical question of whether achieving the security claim of Rocca is possible in the provable security paradigm. We present both negative and positive results to the question.
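The security model the abstract singles out is the one in which the attacker's decryption oracle still releases something useful even though the forged query is rejected. The following Python sketch is an added, constructed example and not code from the paper or from Rocca's designers: `ToyAEAD` is a hypothetical stream-cipher AEAD built from HMAC-SHA256 (it is not Rocca, whose internals the record does not describe), and the recovery routine is not the paper's 2^128 key-recovery attack. It shows only the simplest consequence of an oracle that releases unverified plaintext: with a single rejected decryption query under the victim's nonce, the attacker obtains the keystream and reads the victim's message, which the tag-first API refuses to give.

```python
"""Constructed illustration of a decryption oracle that releases unverified
plaintext (RUP).  ToyAEAD is a hypothetical construction, NOT Rocca, and the
recovery below is NOT the paper's key-recovery attack."""
import hmac
import hashlib


class ToyAEAD:
    """Hypothetical stream-cipher AEAD: CTR keystream derived with
    HMAC-SHA256, 16-byte HMAC tag over nonce || len(ad) || ad || ciphertext."""

    def __init__(self, key: bytes):
        if len(key) != 32:
            raise ValueError("32-byte key expected")
        self.k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        blocks, ctr = [], 0
        while sum(len(b) for b in blocks) < n:
            blocks.append(hmac.new(self.k_enc, nonce + ctr.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            ctr += 1
        return b"".join(blocks)[:n]

    def _tag(self, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
        msg = nonce + len(ad).to_bytes(8, "big") + ad + ct
        return hmac.new(self.k_mac, msg, hashlib.sha256).digest()[:16]

    def encrypt(self, nonce: bytes, ad: bytes, pt: bytes):
        ct = bytes(p ^ k for p, k in zip(pt, self._keystream(nonce, len(pt))))
        return ct, self._tag(nonce, ad, ct)

    def decrypt_verified(self, nonce: bytes, ad: bytes, ct: bytes, tag: bytes) -> bytes:
        """Hardened API: nothing is released unless the tag verifies."""
        if not hmac.compare_digest(tag, self._tag(nonce, ad, ct)):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def decrypt_unverified(self, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
        """RUP oracle: the plaintext is handed back next to the verdict, so the
        caller has it even when the tag is wrong."""
        pt = bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))
        return pt, hmac.compare_digest(tag, self._tag(nonce, ad, ct))


def recover_plaintext_via_rup(oracle, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """Attacker side.  Nonce-respecting constrains only the attacker's own
    encryption queries; a decryption query may reuse the victim's nonce.
    'Decrypting' an all-zero ciphertext with a garbage tag releases the raw
    keystream for that nonce, which unmasks the victim's ciphertext."""
    keystream, tag_ok = oracle(nonce, ad, bytes(len(ct)), bytes(16))
    assert not tag_ok  # the forged query is rejected, yet plaintext was released
    return bytes(c ^ k for c, k in zip(ct, keystream))


def verified_api_resists(aead: ToyAEAD, nonce: bytes, ad: bytes, ct: bytes) -> bool:
    """The same query against the tag-first API yields only an exception."""
    try:
        aead.decrypt_verified(nonce, ad, bytes(len(ct)), bytes(16))
    except ValueError:
        return True
    return False


def demo() -> dict:
    key = bytes(range(32))                                   # constructed key
    aead = ToyAEAD(key)
    nonce, ad, pt = b"\x00" * 12, b"hdr", b"attack at dawn"  # constructed message
    ct, tag = aead.encrypt(nonce, ad, pt)                    # victim's legitimate encryption
    recovered = recover_plaintext_via_rup(aead.decrypt_unverified, nonce, ad, ct)
    return {
        "round_trip": aead.decrypt_verified(nonce, ad, ct, tag) == pt,
        "rup_recovers_plaintext": recovered == pt,
        "verified_api_resists": verified_api_resists(aead, nonce, ad, ct),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for any AEAD deployment, Rocca or otherwise, is whether the decryption interface can return or stream plaintext before the final tag comparison; if it can, the caller is exactly the decryption oracle of this model, and a privacy claim has to be argued under it rather than under the usual verify-then-release assumption.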
Main Authors: | Akinori Hosoyamada, Akiko Inoue, Ryoma Ito, Tetsu Iwata, Kazuhiko Minematsu, Ferdinand Sibleyras, Yosuke Todo |
---|---|
Format: | Article |
Language: | English |
Published: | Ruhr-Universität Bochum, 2022-09-01 |
Series: | IACR Transactions on Symmetric Cryptology |
Subjects: | AEAD; Rocca; Differential cryptanalysis; Releasing unverified plaintexts; Decryption oracle; IND-CCA |
Online Access: | https://tosc.iacr.org/index.php/ToSC/article/view/9852 |
Field | Value |
---|---|
author | Akinori Hosoyamada; Akiko Inoue; Ryoma Ito; Tetsu Iwata; Kazuhiko Minematsu; Ferdinand Sibleyras; Yosuke Todo |
collection | DOAJ |
description | Rocca is an authenticated encryption with associated data scheme for beyond 5G/6G systems. It was proposed at FSE 2022/ToSC 2021(2), and the designers make a security claim of achieving 256-bit security against key-recovery and distinguishing attacks, and 128-bit security against forgery attacks (the security claim regarding distinguishing attacks was subsequently weakened in the full version in ePrint 2022/116). A notable aspect of the claim is the gap between the privacy and authenticity security. In particular, the security claim regarding key-recovery attacks allows an attacker to obtain multiple forgeries through the decryption oracle. In this paper, we first present a full key-recovery attack on Rocca. The data complexity of our attack is 2^128 and the time complexity is about 2^128, where the attack makes use of the encryption and decryption oracles, and the success probability is almost 1. The attack recovers the entire 256-bit key in a single-key and nonce-respecting setting, breaking the 256-bit security claim against key-recovery attacks. We then extend the attack to various security models and discuss several countermeasures to see the feasibility of the security claim. Finally, we consider a theoretical question of whether achieving the security claim of Rocca is possible in the provable security paradigm. We present both negative and positive results to the question. |
format | Article |
id | doaj.art-b8437938d3c94fea8666ec428e3f0ad9 |
institution | Directory Open Access Journal |
issn | 2519-173X |
language | English |
publishDate | 2022-09-01 |
publisher | Ruhr-Universität Bochum |
record_format | Article |
series | IACR Transactions on Symmetric Cryptology |
doi | 10.46586/tosc.v2022.i3.123-151 |
volume | 2022 |
issue | 3 |
pages | 123-151 |
affiliation | Akinori Hosoyamada: NTT Social Informatics Laboratories, Musashino, Japan; Akiko Inoue: NEC Corporation, Kawasaki, Japan; Ryoma Ito: National Institute of Information and Communications Technology, Koganei, Japan; Tetsu Iwata: Nagoya University, Nagoya, Japan; Kazuhiko Minematsu: NEC Corporation, Kawasaki, Japan; Ferdinand Sibleyras: NTT Social Informatics Laboratories, Musashino, Japan; Yosuke Todo: NTT Social Informatics Laboratories, Musashino, Japan |
title | Cryptanalysis of Rocca and Feasibility of Its Security Claim |
topic | AEAD Rocca Differential cryptanalysis Releasing unverified plaintexts Decryption oracle IND-CCA |
url | https://tosc.iacr.org/index.php/ToSC/article/view/9852 |