International Association for Cryptologic Research

International Association
for Cryptologic Research


Cryptanalysis of Rocca and Feasibility of Its Security Claim

Akinori Hosoyamada , NTT Social Informatics Laboratories, Musashino, Japan
Akiko Inoue , NEC Corporation, Kawasaki, Japan
Ryoma Ito , National Institute of Information and Communications Technology, Koganei, Japan
Tetsu Iwata , Nagoya University, Nagoya, Japan
Kazuhiko Mimematsu , NEC Corporation, Kawasaki, Japan
Ferdinand Sibleyras , NTT Social Informatics Laboratories, Musashino, Japan
Yosuke Todo , NTT Social Informatics Laboratories, Musashino, Japan
DOI: 10.46586/tosc.v2022.i3.123-151
Search ePrint
Search Google
Abstract: Rocca is an authenticated encryption with associated data scheme for beyond 5G/6G systems. It was proposed at FSE 2022/ToSC 2021(2), and the designers make a security claim of achieving 256-bit security against key-recovery and distinguishing attacks, and 128-bit security against forgery attacks (the security claim regarding distinguishing attacks was subsequently weakened in the full version in ePrint 2022/116). A notable aspect of the claim is the gap between the privacy and authenticity security. In particular, the security claim regarding key-recovery attacks allows an attacker to obtain multiple forgeries through the decryption oracle. In this paper, we first present a full key-recovery attack on Rocca. The data complexity of our attack is 2128 and the time complexity is about 2128, where the attack makes use of the encryption and decryption oracles, and the success probability is almost 1. The attack recovers the entire 256-bit key in a single-key and nonce-respecting setting, breaking the 256-bit security claim against key-recovery attacks. We then extend the attack to various security models and discuss several countermeasures to see the feasibility of the security claim. Finally, we consider a theoretical question of whether achieving the security claim of Rocca is possible in the provable security paradigm. We present both negative and positive results to the question.
  title={Cryptanalysis of Rocca and Feasibility of Its Security Claim},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universit├Ąt Bochum},
  volume={2022, Issue 3},
  author={Akinori Hosoyamada and Akiko Inoue and Ryoma Ito and Tetsu Iwata and Kazuhiko Mimematsu and Ferdinand Sibleyras and Yosuke Todo},